AMF - Financial Markets Authority of the French Republic

09/22/2025 | News release | Distributed by Public on 09/22/2025 09:49

The Autorité des marchés financiers (AMF) is warning professionals about extensive fraudulent and malicious use of its name to lure people into running a malicious computer program.

The AMF has been informed that a number of players, both regulated and unregulated by the AMF, have received emails impersonating the AMF, inviting them to visit fraudulent sites. To date, two different instances of impersonation have been observed, with no factual evidence to confirm or deny that they originate from the same hostile actor.

Please note that the French version of this news was published on May 19th.

Technical investigations are still underway, but the evidence known to date for each scenario is as follows:

For the first scenario:

  • The content of the email states « Yesterday, documents that have been sent for review. Please confirm that you have received them »;
  • Technical elements are the following:
    • Period during which the AMF observed these fraudulent emails being received: during the day of 13/05/2025, around 11:51;
    • Email subject: « Subject: Notice of code violation | Law n°35 of 2007» ;
    • Technical sender of the mail: « autoritemarchesfinanciersfr[at] amf-france.org.transmen.ro»;
    • The sender of the email, a certain Madam « Fremont », is presented as an AMF employee with the title « Administrative Director ». The AMF states that this person, whose identity has been spoofed, is not an employee of the AMF.

For the second scenario:

  • The received email mentions an alleged « training session dedicated to financial directors of public and private sectors » about « regulatory and financial stakes », for which the recipient is invited to click on a malicious link (marked in red here) that allegedly contains « details about this training session: agenda, registration modalities, schedule and venue »;
  • After clicking on the links, the victim is redirected to a website prompting them to download an alleged PDF file. This alleged PDF file is actually a ZIP archive containing a Windows automation script in VBScript (Visual Basic Scripting Edition) format. If executed, this script carries out silent and invisible actions without the victim's knowledge:

    • The download and execution of an initial file named « pull.pdf », which is actually a Windows script file in WSH (Windows Script Host) format;
    • The execution of this « pull.pdf » script results in:
      • The download and execution of a file called « trm », which is actually a ZIP archive containing two remote access programs: Netbird and OpenSSH;
      • The installation of both remote access programs;
      • The creation and addition of a system user with administrative privileges, named « user », whose password is set to « Bs@202122 »;
      • The activation of the Windows Remote Desktop Protocol (RDP) feature.

    Through a series of malicious actions, this phishing attack impersonating the AMF aims to install multiple remote access capabilities on the victim's workstation in order to take control of it, thereby enabling intrusion into the Information System.

    The ultimate purpose of this attack method is not yet known, but it most likely falls within the various threats documented by ANSSI (https://cyber.gouv.fr/tendances-les-cybermenaces), including financially motivated attacks (such as ransomware), espionage, and destabilization.

  • The technical indicators are the following:
    • Period during which the AMF observed these fraudulent emails being received: during the day of 05/15/2025, around 7:50 AM;
    • Email subject: « AMF INVITATION - Training on Regulatory and Financial Issues »;
    • The sender of the email is allegedly a certain Madam « Rochon », allegedly an AMF employee, which is false;

      Since at least one individual appears to correspond to this identity, we do not wish to disclose her first name, which is therefore replaced by 'XXX' in the technical sender marker of the email: « XXX-rochon-863563468397286976298728[at] notarius.net »;

    • Links to malicious websites:
      • « https://googl-6c11f[.]firebaseapp[.]com/scan/file-846873865383[.]html »
      • « http://192[.]3[.]95[.]152/cloudshare/atr/trm »
      • « http://192[.]3[.]95[.]152/cloudshare/atr/pull.pdf »
      • « http://192[.]3[.]95[.]152/cloudshare/»
      • « http://192[.]3[.]95[.]152/ »
    • Malicious IP address: « 192[.]3[.]95[.]152 »;
    • Names of the malicious files with their SHA-256 cryptographic fingerprints:
      • « Scan_15052025-736574.zip »: 4219f334ea58e32281e474fbbad020e6a0fb67a9ed11e250f240231505ce5220
      • « Scan_15052025-736574.vbs » : f04b4532952bd0dd5a6a47ed8710f89519cdf8f0b8392d560e359bb466ccab38
      • « pull.pdf » : d34b190baccd02b6b61e349f2cad4bfed5c0c38855ac70ec4063294dbed9c939
      • « trm » : 96a6802d147b381a41efd46d972689662dd8babeb5a4d4cb2c37548c4d28bded

The AMF urges professionals who receive such emails related to these scenarios to:

  • Conduct a retrospective search on their information system; for this, the brackets "[" and "]" included in the technical details above should be removed;
  • Avoid clicking on the fraudulent links in the message and do not execute any malicious software, to prevent any risk of infection;
  • Implement appropriate technical blocking measures;
  • And contact the AMF Epargne Info Service team, indicating the subject as follows:

The AMF forwards this information to the public prosecutor.
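As an added example (not code from the AMF), the retrospective search recommended above can be scripted: the indicators are stored as published, the brackets are removed at run time, and each log line is matched on whole hosts and whole hashes. The log formats, the `10.0.0.12` address and the `contact@` mailbox are constructed assumptions; adapt the input to your own proxy, mail gateway and EDR exports.

```python
import re

# Indicators as published in the advisory, kept defanged in the source.
NETWORK_IOCS = [
    "googl-6c11f[.]firebaseapp[.]com",
    "192[.]3[.]95[.]152",
    "amf-france.org.transmen.ro",  # sender domain, first scenario
]
FILE_IOCS = {  # SHA-256 -> file name given in the advisory
    "4219f334ea58e32281e474fbbad020e6a0fb67a9ed11e250f240231505ce5220": "Scan_15052025-736574.zip",
    "f04b4532952bd0dd5a6a47ed8710f89519cdf8f0b8392d560e359bb466ccab38": "Scan_15052025-736574.vbs",
    "d34b190baccd02b6b61e349f2cad4bfed5c0c38855ac70ec4063294dbed9c939": "pull.pdf",
    "96a6802d147b381a41efd46d972689662dd8babeb5a4d4cb2c37548c4d28bded": "trm",
}

def refang(indicator):
    """Remove the '[' and ']' added for safe publication."""
    return indicator.replace("[", "").replace("]", "")

# Lookarounds stop 192.3.95.152 from matching inside 192.3.95.1520 and stop a
# listed host from matching as part of a longer, unrelated name.
_ALTERNATIVES = [re.escape(refang(i)) for i in NETWORK_IOCS] + list(FILE_IOCS)
_PATTERN = re.compile(
    r"(?<![\w.-])(" + "|".join(_ALTERNATIVES) + r")(?![\w-]|\.\w)",
    re.IGNORECASE)

def scan_lines(lines):
    """Return (line_number, label) per hit; hash hits are labelled by file name."""
    hits = []
    for number, line in enumerate(lines, 1):
        for match in _PATTERN.finditer(line):
            value = match.group(1).lower()
            hits.append((number, FILE_IOCS.get(value, value)))
    return hits

# Constructed sample lines (proxy, mail gateway, EDR); not real log data.
# 10.0.0.12 and contact@amf-france.org are placeholders.
HOST, IP, SENDER_DOMAIN = (refang(i) for i in NETWORK_IOCS)
PULL_HASH = next(h for h, name in FILE_IOCS.items() if name == "pull.pdf")
SAMPLE_LOG = [
    f"2025-05-15T07:52:10 10.0.0.12 GET http://{IP}/cloudshare/atr/pull.pdf 200",
    f"2025-05-15T07:53:01 10.0.0.12 GET http://{IP}0/index.html 404",
    f"2025-05-13T11:51:40 from=<autoritemarchesfinanciersfr@{SENDER_DOMAIN}> delivered",
    "2025-05-13T12:02:03 from=<contact@amf-france.org> delivered",
    f"2025-05-15T07:51:30 10.0.0.12 CONNECT {HOST.upper()}:443 200",
    f"2025-05-15T07:52:11 edr file_write sha256={PULL_HASH.upper()}",
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG):
        print(hit)
```

Lines 2 and 4 of the sample deliberately produce no hit: a longer IP address that merely starts with the listed one, and mail from the genuine `amf-france.org` domain, which the spoofed sender domain only embeds as a prefix.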

AMF - Financial Markets Authority of the French Republic published this content on September 22, 2025, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on September 22, 2025 at 15:50 UTC.