Mailboxes of users are being hit with a spam in which scammers are impersonating DHL Express’ courier service.

According to AVLab the subject of the message informs about the shipment number and implies that it is a international shipping – “DHL Customs Agency – Shipment No. …”. Later users are informed that courier already made an attempt to deliver the package and are asked to make a payment.

Message contains no attachment, instead malware is delivered through a hyperlink to site hxxp://dr-dastmardi.ir/bxicnv/rwzmevq.php. If the receiver of the message decides to click on the provided link a ZIP archive will be downloaded.

Experts from the AVLab have identified that by this cybercriminals are trying to infect victim’s system with a downloader, which then downloads additional malware.