TEMU phishing attacks using spyware up 112% in the run up to Christmas

James Dyer | 21st Dec 2023

TEMU is currently the most downloaded app in the world, and the number of TEMU impersonation emails has increased by 112% since October 1st, 2023. Discounts and spending-based reward coupons form a substantial part of TEMU’s awareness campaigns, and the company is reportedly spending $2bn annually on marketing.

As the brand continues to grow in popularity, cybercriminals are increasingly leveraging it to lend authenticity to their spoofing attempts. In the run up to Christmas, Egress’ Threat Intelligence team has seen a 112% spike in attacks impersonating TEMU. Hackers are recycling these themes to encourage users to click on malicious links. What happens next depends on where in the world the victim is located.

Quick attack summary

  • Vector and type: Email phishing
  • Techniques: Brand impersonation
  • Payload: Link-based / raw IPv4 address in place of a hostname
  • Targets: North America and Asia Pacific
  • Platform: Microsoft 365

These attacks use a range of social engineering tactics to impersonate the brand and convince targets to click on the phishing links. Targets who click from North America, the UK or Europe are taken to a webpage with an input box requesting an email address. This page does not use any TEMU branding or colors. Instead, the only detail on the page is an unassociated brand mention of Zaaama.org in the top left corner. Should the user enter their email address, it is sent in plain text to a server in Venezuela. That server sends a request back to the user asking them to enable access to the device’s camera and microphone, which ultimately enables spyware on their machine.

Targets in Russia, Japan and China are taken to a page that features a WeChat QR code. This is not a malicious QR code and no attempt is made to install spyware. The lack of a malicious payload in this instance could be down to a number of reasons, but the one we see most commonly is that hackers are reluctant to attack people in their own countries, so they send them a benign webpage instead.

What do the attacks look like?

TEMU impersonation attack email

TEMU phishing email featuring a link to a website engineered to enable spyware, pictured with anti-phishing banners from Egress Defend.
Although not an exact replica, the phishing emails leverage several elements from the TEMU brand. The phishing email uses the TEMU logo, as well as a font very similar to that of official TEMU emails. The concept of mystery boxes is also an authentic tactic used by TEMU to encourage higher sales, and the cybercriminals’ decision to leverage it is an example of social engineering.

Our Threat Intelligence team determined that 62% of the TEMU emails they analyzed link to the same Microsoft IP address. While all websites have corresponding IP addresses, the attacker did not link to Zaaama.org by name but instead entered the raw IP address. Depending on where in the world the user is when they access the link, they are shown a different landing page.

TEMU attack IP address

IP address information from the analyzed TEMU attacks.
Our researchers connected through virtual private networks (VPNs) in different regions to confirm this and found that users were sent to one of two landing pages. If the recipient accessed the email from North America, the United Kingdom, or Europe, they were taken to the following screen:

Credential harvest site - TEMU attack

Page linked to in the TEMU phishing email; note the lack of TEMU branding and the introduction of Zaaama.org.
Should the target enter their email address, it is sent in plain text to a Microsoft-hosted server in Venezuela. This is the first step in the cybercriminals installing spyware on the user’s device. That server in Venezuela then sends a request back to the target’s device, prompting them to allow the website access to their webcam and microphone.

Cybercriminals are likely deploying this tactic to silently watch their victims as they enter personal details, login credentials or banking/payment card information and carry out other activities, all of which can be recorded remotely. While this attack does not include keyboard tracking, hackers can still harvest typed information from the webcam footage by observing typing patterns. They can also copy card information if it is shown in view of the webcam. This type of information harvesting leaves no traces, and the victim often never knows that they have been hit.

If the recipient accessed the email link from Russia, China or Japan, they were taken to this page:

QR code from TEMU attack, obscured.

Legitimate QR code linking to the authentic WeChat app for users in China, Russia, and Japan.
WeChat is a Chinese social media network and WhatsApp alternative that is widely used in Eastern countries. This QR code links directly to WeChat and is not considered malicious; no attempt is made to enable spyware. We commonly see a reluctance to target users in specific countries, based on the nationality of the attacker.

Subject lines, display names, and sender addresses

Below are some examples of the formats of subject lines, display names, and email addresses being used in the TEMU phishing emails we analyzed.

Subject lines:

  • You have won an Temu Pallets
  • Your chance to receive a FREE Temu Pallets
  • CONGRATULATIONS! You are the lucky online winner of a brand new Sweepstakes Temu Pallets entry!
  • Your parcel (#US48715192) containing the following product cannot be delivered: Temu Pallets
  • Get Rewarded for Your Opinion: Take Our Survey!
  • Temu Mystery Box Exclusive Rewards For You
  • You have won an [Temu-Pallet]

Display names:

  • Temu Department
  • @Temu.
  • Temu Mystery Box
  • Temu-'Shipment'
  • Temu Pallets
  • 'Temu Rewards’
  • Temu Pallets Winner

Email addresses:

  • services@ional.co.uk
  • amtinalom@att.net
  • 164001@r4a-1.deped.gov.ph
  • Rewards-kBX@TemuPalletsBjdzEGlzH.com
  • Rewards-Mxj@TemuPalletsLVolmHbqS.com
  • Rewards-O3g@TemuPalletsnCAmRnREG.com
  • win@zLRC0UV-TemuPallet.com
  • Rewards-Knh@TemuPalletsBgmljZPPS.com

Egress analysis: Social engineering and spyware

In the US alone, TEMU has over 80 million active users. In September 2023, the app was downloaded over 40 million times. TEMU’s immense popularity and brand awareness drives mean that even if the hackers are only successful 1% of the time, the total pool of potential targets grows daily – with every new download of the app.

Social engineering

Cybercriminals often use social engineering to psychologically manipulate their targets into performing a specific action. In the TEMU examples, the cybercriminals leverage a tactic used in the authentic TEMU emails – giving away free items and offering discount codes for friends and family. As a result, users may not hesitate to follow the link or scan the QR code.

TEMU has used social media for advertising and brand awareness with targeted content, influencer marketing, and a referral program offering users discounts in exchange for sharing content on the company and the items it sells. Cybercriminals are weaponizing this information and crafting realistic phishing attacks that tap into the general public’s awareness of the TEMU referral program.

Basing their impersonation attacks on similarly minimalistic email formats from the legitimate brand means that these types of attacks look real.

The use of spyware

Spyware refers to any software designed to obtain information in a covert way and export that data without consent. In the case of these TEMU phishing emails, spyware is enabled when the victim follows the prompt and grants the website access to their camera and microphone.

For users in Russia, China and Japan, the QR code that opens once they click on the link in the TEMU impersonation email is not malicious. It simply opens the WeChat app, and no attempt is made to install spyware. This lure would not be suitable for users in North America and Europe, as the app is not as popular there and the victim is unlikely to have it installed on their devices.

Cybercriminals with access to the victims’ camera and microphone can exploit the information they collect in a number of ways. They can record live from the camera and use the videos and images they collect in a blackmail or sextortion scenario. They can also create deepfakes, recording the victim’s voice or likeness to build a fake version that is used to access their bank or to correspond with their business contacts to extract data or for financial gain. This method can go undetected for long periods, and there is a direct correlation between the amount of data collected and the quality of the deepfakes that can be produced.

The use of a single IP address

As an identifier for devices and websites, an IP address is not a particularly compromising piece of information but in the hands of cybercriminals, this can be a different story. In the TEMU attacks that we analyzed, 62% linked to the same IP address, which corresponded to a webpage under the zaaama.org address.

Zaaama.org is a legitimate website to which cybercriminals have added the ‘submit your application now’ page shown above in order to collect information and enable webcam and microphone access. The attackers did not design the Zaaama.org page with any TEMU branding.

Steps you can take to prevent falling victim to the latest TEMU attacks

With phishing emails getting more sophisticated, it can be incredibly difficult for individuals to detect brand impersonation attacks. If you receive a TEMU mystery box message in your inbox, instead of following the link in the email, go to the official TEMU website or app, log in, and check for any discounts or free gifts via your profile page.

Like all phishing campaigns, there are tell-tale signs to look out for. Always check the sender’s email address carefully and ensure there are no domain variations or spelling mistakes. Criminals will often use domain variations, as seen in the Black Friday attacks we analyzed, so be sure to check the domain too.
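Two of the indicators described above (the sender addresses that contain the brand name but are not its own domain, and the link that points to a raw IP address rather than a hostname) can be checked mechanically. The following is an added example written for this article, not Egress' own tooling: it assumes temu.com is the brand's legitimate sending domain (not stated on the page) and uses a constructed message that borrows one sender address from the list above and a documentation-range IP in place of the real one.

```python
"""Flag the TEMU-campaign indicators in an email: lookalike sender domain and
raw-IPv4 links. Added example; assumptions are marked in comments."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

LEGIT_DOMAINS = {"temu.com"}  # assumption: the brand's real sending domain
BRAND = "temu"

def sender_domain(msg):
    """Domain part of the From: address, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def is_lookalike_sender(domain):
    """Domain mentions the brand but is not one of its real domains."""
    return BRAND in domain and domain not in LEGIT_DOMAINS

def links_to_raw_ip(url):
    """True when the link host is an IPv4 literal rather than a hostname."""
    host = urlparse(url).hostname or ""
    try:
        return isinstance(ipaddress.ip_address(host), ipaddress.IPv4Address)
    except ValueError:
        return False

def extract_urls(body):
    return re.findall(r"https?://[^\s\"'<>]+", body)

def assess(raw_message):
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []
    dom = sender_domain(msg)
    if is_lookalike_sender(dom):
        findings.append(f"lookalike sender domain: {dom}")
    for url in extract_urls(msg.get_payload()):
        if links_to_raw_ip(url):
            findings.append(f"link to raw IPv4 address: {url}")
    return findings

# Constructed sample: sender address from the analysed campaign, link host
# replaced by 203.0.113.10 (RFC 5737 documentation range, not the real IP).
SAMPLE = """From: Temu Pallets Winner <Rewards-kBX@TemuPalletsBjdzEGlzH.com>
Subject: You have won an [Temu-Pallet]

Claim your mystery box here: http://203.0.113.10/claim
"""

if __name__ == "__main__":
    for finding in assess(SAMPLE):
        print(finding)
```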

These types of advanced attacks are designed to get through existing defenses and appear legitimate within the inbox. They therefore require more advanced anti-phishing technology to detect, one that is capable of inspecting aspects like domain age and email authentication procedures. As an integrated cloud email security solution, Egress Defend uses linguistic analysis to detect impersonation attempts, analyzes hidden details like origin IP location, uses machine learning and deploys a holistic approach to threat detection in order to detect even the most advanced phishing attacks.