Severity
High
Analysis Summary
Since 2024, a sophisticated phishing campaign known as "Power Parasites" has been actively targeting global energy giants such as Siemens Energy, Schneider Electric, EDF Energy, Repsol S.A., and Suncor Energy. The attackers exploit the brands of these companies to orchestrate investment scams and fake job offers, deceiving victims into revealing sensitive information. Over 150 active domains have been set up to impersonate legitimate companies, with the primary focus on individuals from Asian countries like Bangladesh, Nepal, and India. To enhance credibility, the campaign employs localized content in languages such as English, Portuguese, Spanish, Indonesian, Arabic, and Bangla.
According to the researchers, the threat actors use a "spray and pray" approach, aggressively deploying numerous websites and abusing multiple well-known brand names simultaneously. Domains are crafted from recognizable keywords such as "SE" (Siemens Energy) and "AMD" (Advanced Micro Devices) combined with various suffixes (e.g., "sehub.top", "amd-biz.mom") so that they appear convincing. Victims are approached through deceptive websites, social media groups, and Telegram channels. In the investment scams, individuals are promised high returns through fake investment platforms, while the job scams manipulate applicants into surrendering personal and financial information under the guise of onboarding formalities.
The Power Parasites campaign operates a technically sophisticated infrastructure that ensures maximum reach while minimizing detection. The phishing websites share consistent templates, often featuring an "Invite code" field to foster a sense of exclusivity. The attackers also promote these fake platforms via YouTube videos in multiple languages, luring potential victims to domains like "se-renewables.info". Security researchers found shared technical fingerprints across these sites, which lets the attackers swiftly stand up new domains when old ones are shut down. Telegram channels impersonating brands, particularly Siemens Energy, have also been used to distribute malicious links.
In response to the ongoing attacks, companies like Siemens Energy and Repsol S.A. have issued public warnings, stressing that they do not offer investment platforms nor demand any fees during the hiring process. Repsol has further highlighted the use of AI-driven impersonation tactics targeting their executives. Despite some malicious Telegram channels being banned or deleted, the Power Parasites campaign remains active, demonstrating an aggressive and adaptive phishing strategy that continues to pose significant risks to individuals worldwide.
Impact
- Sensitive Information Theft
- Financial Loss
Indicators of Compromise
Domain Name
- sehub.top
- se-renewables.info
- sem-energy.net
- se-biz.bid
- se-hubs.xyz
- sehub.info
- se-biz.cfd
- amdtop.info
- amd-biz.vip
- amdbusiness.me
- amd-biz.mom
- amdbizs.top
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Regularly publish fraud alerts and warnings on official websites and social media about ongoing scams.
- Continuously track suspicious domains impersonating brands and collaborate with hosting providers to quickly shut them down.
- Use domain monitoring services to detect unauthorized use of brand names and logos early.
- Train employees and inform customers about common phishing tactics, including fake investment platforms and job scams.
- Clearly communicate legitimate recruitment practices and policies (e.g., never requesting payment, never asking for personal banking information).
- Issue fraud warnings in multiple languages to match the regions and languages targeted by the attackers.
- Implement verified social media accounts and official verification on hiring and investment communications.
- Use AI-based threat intelligence tools to detect and flag fake websites and phishing content more rapidly.
- Encourage victims and organizations to report phishing incidents to cybersecurity authorities and law enforcement.
- Actively watch platforms like Telegram, YouTube, and Facebook for malicious channels/groups impersonating the brand.
- Recommend applying for jobs only through official company websites or trusted job portals.
- Require and promote the use of 2FA on corporate accounts and systems to reduce the risk of account compromise.
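The two remediation steps that are directly actionable for a SOC are sweeping existing logs for the listed domains and watching for new domains built on the same keyword-plus-suffix pattern. The following Python script is an added example, not code from the advisory or from the researchers it cites. It embeds the twelve domain IOCs above, scans a constructed proxy log (the log lines and the `se-hub.xyz` host are made up for the example and are not indicators from the advisory) by parsing the hostname rather than substring-matching the URL, matches on whole-label suffixes so subdomains of an IOC are caught but unrelated domains that merely contain an IOC string are not, and applies a clearly labelled lookalike heuristic that is an assumption derived from the naming pattern of the listed IOCs, not a detection rule published on the page.

```python
import re
from urllib.parse import urlsplit

# Domain IOCs exactly as listed in this advisory.
POWER_PARASITES_DOMAINS = frozenset({
    "sehub.top", "se-renewables.info", "sem-energy.net", "se-biz.bid",
    "se-hubs.xyz", "sehub.info", "se-biz.cfd", "amdtop.info",
    "amd-biz.vip", "amdbusiness.me", "amd-biz.mom", "amdbizs.top",
})

# Heuristic (an assumption, not from the advisory): the listed IOCs are a brand
# keyword ("se", "amd") glued to a generic suffix. Used only to surface candidates
# for domain monitoring and analyst review, so expect false positives.
LOOKALIKE_LABEL = re.compile(r"^(se|amd)-?(hubs?|bizs?|business|top|renewables|energy)$")

# Constructed sample proxy log (not real traffic): "<ts> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
2025-04-28T09:12:01Z 10.0.4.17 GET https://www.siemens-energy.com/global/en.html 200
2025-04-28T09:13:45Z 10.0.4.22 GET https://login.se-renewables.info/invite?code=AB12 200
2025-04-28T09:14:02Z 10.0.4.22 POST https://AMD-BIZ.MOM/api/register 302
2025-04-28T09:15:30Z 10.0.4.31 GET https://example.org/sehub.top/page 200
2025-04-28T09:16:11Z 10.0.4.40 GET https://sehub.top./login 200
2025-04-28T09:17:05Z 10.0.4.51 GET https://se-hub.xyz/invite 200
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$"
)


def normalize_host(url: str) -> str:
    """Extract the hostname from a URL, drop a trailing root dot, and lower-case it."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def match_ioc_domain(host: str, iocs=POWER_PARASITES_DOMAINS):
    """Return the IOC that `host` equals or is a subdomain of, else None.

    Only whole-label suffixes are compared, so "notsehub.top" does not match
    "sehub.top" while "login.se-renewables.info" does match "se-renewables.info".
    """
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def looks_like_brand_abuse(host: str) -> bool:
    """Apply LOOKALIKE_LABEL to the registrable label (assumes a one-label public suffix)."""
    labels = host.split(".")
    if len(labels) < 2:
        return False
    return LOOKALIKE_LABEL.match(labels[-2]) is not None


def scan_proxy_log(text: str, iocs=POWER_PARASITES_DOMAINS) -> list:
    """Return one finding per log line whose host is an IOC, a subdomain of one, or a lookalike."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole sweep
        host = normalize_host(m["url"])
        ioc = match_ioc_domain(host, iocs)
        if ioc:
            findings.append({"ts": m["ts"], "client": m["client"], "host": host,
                             "reason": "ioc", "ioc": ioc})
        elif looks_like_brand_abuse(host):
            findings.append({"ts": m["ts"], "client": m["client"], "host": host,
                             "reason": "lookalike", "ioc": None})
    return findings


if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_PROXY_LOG):
        detail = f" ({f['ioc']})" if f["ioc"] else ""
        print(f"{f['ts']} {f['client']} -> {f['host']} [{f['reason']}{detail}]")
```

On the sample log this yields three IOC findings (the subdomain of `se-renewables.info`, the upper-cased `AMD-BIZ.MOM`, and `sehub.top` written with a trailing root dot) plus one lookalike, and it correctly ignores the `example.org` request whose path merely contains the string `sehub.top`. Findings tagged `ioc` justify blocking and incident handling per the first two remediation items; findings tagged `lookalike` are candidates for the domain-monitoring and takedown steps and need analyst confirmation before any action.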