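Sophisticated phishing operation “Parasites” threatens global energy giants
The “Power Parasites” phishing campaign has targeted global energy giants and major brands since 2024. It impersonates well-known energy companies (such as Siemens Energy and Schneider Electric) to run investment and job-offer scams, and has set up more than 150 spoofed websites. Its main targets are Asian countries (such as Bangladesh, Nepal, and India), and it uses multilingual content to increase effectiveness. The attackers use a “spray and pray” strategy and spread malicious links through fake websites, social media groups, and Telegram channels. Victims are tricked into handing over sensitive information or money. 2025-4-26 12:54:50 Author: cybersecuritynews.com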

New Power Parasites Phishing Attack Targeting Energy Companies and Major Brands

A sophisticated phishing campaign dubbed “Power Parasites” has been actively targeting global energy giants and major brands since 2024, according to a comprehensive threat report released this week.

The ongoing campaign primarily exploits the names and branding of prominent energy companies including Siemens Energy, Schneider Electric, EDF Energy, Repsol S.A., and Suncor Energy through elaborately crafted investment scams and fraudulent job opportunities.

Portion of a document used in the hiring scam campaign (Source – Silent Push)

The attackers have established an extensive network of over 150 active domains designed to impersonate legitimate companies, primarily targeting individuals across Asian countries including Bangladesh, Nepal, and India.

Victims are approached through a combination of deceptive websites, social media groups, and Telegram channels, often with localized content in English, Portuguese, Spanish, Indonesian, Arabic, and Bangla to increase effectiveness.

Silent Push researchers identified that the threat actors employ a “spray and pray” methodology, simultaneously abusing multiple brand names while deploying numerous websites to maximize victim outreach.

The campaign’s infrastructure analysis revealed that the attackers utilize domain names containing keywords like “SE” (representing Siemens Energy) and “AMD” (for Advanced Micro Devices) combined with various domain suffixes, creating patterns such as “sehub.top” and “amd-biz.mom”.
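The naming pattern described above can be turned into a triage check over domains seen in DNS or proxy logs. The following is an added example, not code from Silent Push or the original article; the watch lists are assumptions seeded only from the domains the article names, and the function names are hypothetical.

```python
import re

# Assumed watch lists, seeded only from the example domains in the article
# (sehub.top, amd-biz.mom, se-renewables.info); extend them during triage.
BRAND_TOKENS = ("se", "amd")
WATCH_TLDS = {"top", "mom", "info"}
LURE_WORDS = {"hub", "biz", "renewables"}
LABEL_RE = re.compile(r"[a-z0-9-]+")


def registrable_parts(domain):
    """Return (label, tld), or None for a malformed name."""
    # Simplification: the last label is taken as the TLD; production code
    # would consult the Public Suffix List instead.
    labels = domain.strip().lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(LABEL_RE.fullmatch(l) for l in labels):
        return None
    return labels[-2], labels[-1]


def match_brand_pattern(domain):
    """Return the brand token a domain matches, or None."""
    parts = registrable_parts(domain)
    if parts is None or parts[1] not in WATCH_TLDS:
        return None
    label = parts[0]
    for token in BRAND_TOKENS:
        rest = label[len(token):]
        # The token must be followed by "-text" or a lure word. Without this,
        # the two-letter token "se" would match ordinary words like "search".
        hyphenated = rest.startswith("-") and len(rest) > 1
        if label.startswith(token) and (hyphenated or rest in LURE_WORDS):
            return token
    return None


def triage(domains):
    """Map each flagged domain to the brand token it matched."""
    return {d: t for d in domains if (t := match_brand_pattern(d))}


# The first three names appear in the article; the rest are constructed.
SAMPLE = ["sehub.top", "amd-biz.mom", "se-renewables.info", "www.sehub.top",
          "search.top", "secure-login.top", "amdahl.info", "bad..top"]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A hit is a lead for review, not a verdict: confirm it against the brand's official domains before blocking.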

The primary infection vectors involve social engineering through two distinct approaches. In the investment scam variant, victims are lured with promises of high returns through fake investment platforms supposedly backed by reputable energy companies.

Meanwhile, the job scam variant entices victims with fraudulent employment opportunities at well-known corporations, requiring applicants to provide sensitive personal and financial information including bank account details, identification documents, and void checks during the “onboarding” process.

Infection Mechanism and Technical Infrastructure

The Power Parasites campaign employs an intricate technical infrastructure designed for maximum reach and minimal detection.

Analysis of the deceptive websites reveals a consistent template pattern across domains, with login pages featuring an “Invite code” field, a classic technique used in investment scams to create a false sense of exclusivity.

The campaign’s promotion has extended to YouTube, where videos directing potential victims to malicious domains like “se-renewables.info” are published with enticing titles in multiple languages.

One such video, translated from Bangla, promised viewers they could “Earn free money from new sites,” demonstrating the attackers’ multilingual targeting strategy.

Technical fingerprinting conducted by security researchers uncovered that these phishing sites employ shared characteristics across their infrastructure, allowing them to rapidly deploy new domains when others are taken down.

The campaign also leverages Telegram channels containing “siemensenergy” in their names to distribute malicious links, though many have since been banned or deleted.

Siemens Energy has already published warnings about the fraudulent activities, explicitly stating they “do not operate any investment platforms” and “do not ask for fees prior/during/after the application process.”

Repsol phishing website (Source – Silent Push)

Similarly, Repsol Energy has established a Fraud Alert page cautioning about schemes that use artificial intelligence to impersonate their executive team.

Source: https://cybersecuritynews.com/new-power-parasites-phishing-attack/