The Autorité des marchés financiers (AMF) is warning professionals about the extensive fraudulent and malicious use of its name engaging people into running a malicious[...]

The AMF has been informed that a number of players, both regulated and unregulated by the AMF, have received emails impersonating the AMF, inviting them to visit fraudulent sites. To date, two different instances of impersonation have been observed, with no factual evidence to confirm or deny that they originate from the same hostile actor.

Technical investigations are still underway, but the evidence known to date for each scenario are as follows:

For the first scenario:

• Technical elements are the following:
  • Observed period by the AMF of reception of these fraudulent emails: during the day of the 13/05/2025, around 11:51;
  • Email subject: « Subject: Notice of code violation | Law n°35 of 2007» ;
  • Technical sender of the mail: « autoritemarchesfinanciersfr[at] amf-france.org.transmen.ro»;
  • The sender of the email, a certain Madam « Fremont », would be allegedly an employee of the AMF as « Administrative Director ». The AMF states here that this person, whom identity has been spoofed, is not an employee of the AMF.

For the second scenario:

• After clicking on the links, the victim is redirected to a website prompting him to download an alleged PDF file. This alleged PDF file is actually a ZIP archive containing a Windows automation script in VBScript (Visual Basic Scripting Edition) format. If executed, this script carries out silent and invisible actions without the victim's knowledge:

  • The download and execution of an initial file named « pull.pdf », which is actually a Windows script file in WSH (Windows Script Host) format;
  • The execution of this « pull.pdf » script results in:
    • The download and execution of a file called « trm », which is actually a ZIP archive containing two remote access programs: Netbird and OpenSSH;
    • The installation of both remote access programs;
    • The creation and addition of a system user with administrative privileges, named « user », whose password is set to « Bs@202122 »;
    • The activation of the Windows Remote Desktop Protocol (RDP) feature.

  Through a series of malicious actions, this phishing attack impersonating the AMF aims to install multiple remote access capabilities on the victim's workstation in order to take control of it, thereby enabling intrusion into the Information System.

  The ultimate purpose of this attack method is not yet known, but it most likely falls within the various threats documented by ANSSI (https://cyber.gouv.fr/tendances-les-cybermenaces), including financially motivated attacks (such as ransomware), espionage, and destabilization.

• The technical indicators are the following:
  • Observed period by the AMF of reception of these fraudulent emails: during the day of 05/15/2025, around 7:50 AM;
  • Email subject: « AMF INVITATION - Training on Regulatory and Financial Issues »;

  • The sender of the email is allegedly a certain Madam « Rochon », allegedly an AMF employee, which is false;

    Since at least one individual appears to correspond to this identity, we do not wish to disclose her first name, which is therefore replaced by 'XXX' in the technical sender marker of the email: « XXX-rochon-863563468397286976298728[at] notarius.net »;

  • Links to malicious websites:
    • « https://googl-6c11f[.]firebaseapp[.]com/scan/file-846873865383[.]html »
    • « http://192[.]3[.]95[.]152/cloudshare/atr/trm »
    • « http://192[.]3[.]95[.]152/cloudshare/atr/pull.pdf »
    • « http://192[.]3[.]95[.]152/cloudshare/»
    • « http://192[.]3[.]95[.]152/ »
  • Malicious IP address : « 192[.]3[.]95[.]152 » ;
  • Malicious files' names with their cryptographic fingerprint SHA-256:
    • « Scan_15052025-736574.zip »: 4219f334ea58e32281e474fbbad020e6a0fb67a9ed11e250f240231505ce5220
    • « Scan_15052025-736574.vbs » : f04b4532952bd0dd5a6a47ed8710f89519cdf8f0b8392d560e359bb466ccab38
    • « pull.pdf » : d34b190baccd02b6b61e349f2cad4bfed5c0c38855ac70ec4063294dbed9c939
    • « trm » : 96a6802d147b381a41efd46d972689662dd8babeb5a4d4cb2c37548c4d28bded

The AMF urges professionals who receive such emails related to these scenarios to:

• Conduct a retrospective search on their information system; for this, the brackets "[" and "]" included in the technical details above should be removed;
• Avoid clicking on the fraudulent links in the message and do not execute any malicious software, to prevent any risk of infection;
• Implement appropriate technical blocking measures;
• And contact the AMF Epargne Info Service team, indicating the subject as follows:
  • for the first scenario: "LOI35";
  • for the second scenario: "ROCHON";
  • preferably via the form on the website https://www.amf-france.org/fr/signaler-une-arnaque-ou-une-anomalie
  • or by phone at 01 53 45 62 00, Monday to Friday from 9:00 AM to 12:30 PM.

The AMF forwards this information to the public prosecutor.