The Storm May 21, 2026 13:47 david

Bad Attacher

SMS impersonating UPS with an 'URGENT NOTICE — Package delivery issue' message and an attached PDF (usc12ojfungg35.pdf) sent from a Toronto-area-code number.

An SMS impersonating UPS with an "urgent" package-delivery notice and an attached PDF — a different tactic family from hop seeding or phantom accounts: this one's payload is the point.

A text from a 416 area-code number — Toronto — impersonating UPS. "URGENT NOTICE — Package delivery issue. Check attachment immediately to avoid package being returned." A 21 KB PDF named usc12ojfungg35.pdf is attached. Above the attachment, a single nonsense token: HACEX.

A different family of pattern from hop seeding and from phantom accounts. The point here is not to manufacture a metadata edge by getting me to reply, and not to maintain a service-database registration tied to my number. The point is the attached payload itself — open the PDF, and whatever is on the other side of that file runs.

The spoof is unconvincing on every surface. UPS does not send delivery notifications from Toronto area-code numbers. UPS does not send PDF attachments via SMS. UPS does not embed loose tokens like HACEX above the body of a message. The filename is randomized, not a tracking number. The format of the brand block is wrong. The mechanism of the spoof would have to entirely bypass any reading of those signals, and rely on a panic-driven open under the "package being returned" urgency cue.

I did not open the file. The PDF stays attached to the message, the message stays in the conversation thread, both are preserved as artifacts of what this campaign looks like in the wild.

tags: #phishing #evidence

share: x bluesky facebook reddit email

Join the email list →