ALERT: Ongoing malware campaign against NGOs

CyberPeace Institute

The CyberPeace Institute has recently detected that a number of NGOs have fallen victim to an ongoing malspam campaign.  If you think your NGO may have been affected, please reach out to us as our Assistance team and CyberPeace Builders program may be able to help. Contact us at: [email protected]

Further information on this malware

Following the compromise of the Microsoft Exchange servers, organizations’ email accounts are sending phishing emails containing malicious links to their partner organizations. The emails are sent as replies to existing email threads and are normally written in the same language. Each email contains a short greeting followed by two URLs and ends with content from the original thread.
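As a triage aid for the pattern described above (a reply inside an existing thread whose new text is only a short greeting and two URLs, followed by quoted thread content), the following added example flags matching messages. It is not code from the CyberPeace Institute or TrendMicro; the quote markers, the 40-word threshold and the sample messages are assumptions constructed for illustration, and a match is a reason to review the message, not proof of compromise.

```python
import re
from email import message_from_string

URL_RE = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)
# Assumed markers for where quoted thread content starts; extend per mail client and language.
QUOTE_START_RE = re.compile(r"^(>|On .+ wrote:|-----Original Message-----)", re.MULTILINE)
MAX_NEW_WORDS = 40  # assumed cut-off for a "short greeting"


def plain_body(msg):
    """Return the first text/plain part as text ('' if there is none)."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            data = part.get_payload(decode=True)
            return data.decode(part.get_content_charset() or "utf-8", errors="replace")
    return ""


def matches_campaign_pattern(raw):
    """True for a thread reply whose new text is a short greeting plus exactly two URLs."""
    msg = message_from_string(raw)
    is_reply = bool(msg.get("In-Reply-To") or msg.get("References"))
    body = plain_body(msg)
    quote = QUOTE_START_RE.search(body)
    if not is_reply or quote is None:
        return False  # not a reply, or no quoted thread content after the new text
    new_text = body[:quote.start()]
    urls = URL_RE.findall(new_text)
    words = URL_RE.sub(" ", new_text).split()
    return len(urls) == 2 and 0 < len(words) <= MAX_NEW_WORDS


# Constructed sample messages (not taken from the campaign).
HEADERS = "From: partner@example.org\nSubject: RE: Q3 report\n"
REPLY_TO = "In-Reply-To: <constructed-1@example.net>\n"
QUOTED = "\nOn Mon, 1 Jan 2024, staff@example.net wrote:\n> Please find the Q3 figures.\n"
LURE = "\nGreeting! Document can be found through this link:\n\nhttps://a.example.invalid/x\nhttps://b.example.invalid/y\n"
SUSPICIOUS = HEADERS + REPLY_TO + LURE + QUOTED
BENIGN = HEADERS + REPLY_TO + "\nThanks, the figures look right to me.\n" + QUOTED
NOT_A_REPLY = HEADERS + LURE + QUOTED

if __name__ == "__main__":
    for name, raw in [("suspicious", SUSPICIOUS), ("benign", BENIGN), ("not a reply", NOT_A_REPLY)]:
        print(name, matches_campaign_pattern(raw))
```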

Indicators of compromise (IoCs) from the cases the CyberPeace Institute has analysed match IoCs published in TrendMicro’s article. Below is a sanitized example from TrendMicro of one of the emails; if you receive such an email, do not click on the links!

Greeting! Our specialists composed desired document and I send it to you. Document can be found through this link:





Our analysis has shown that in at least one of the incidents the victim’s Microsoft Exchange server was compromised. We highly recommend that those running an on-premise Microsoft Exchange server ensure they have installed the latest version.

If your server was compromised before the system was updated / patched, your server may still be compromised. If you suspect an infection, CIRCL.LU recommends:

  • Re-installing every compromised server from scratch and then recovering and copying the data over.
  • Initiating a full incident response process, including the security review of the system.
  • Checking out the guidance from Microsoft.

More about the CyberPeace Builders

The CyberPeace Builders is a network of corporate volunteers providing free assistance to non-governmental organizations (NGOs) protecting vulnerable populations anywhere in the world.

© Copyright 2023: The concepts and information contained in this document are the property of the CyberPeace Institute, an independent non-governmental organization headquartered in Geneva, unless indicated otherwise from time to time throughout the document. This document may be reproduced, in whole or in part, provided that the CyberPeace Institute is referenced as author and copyright holder.

