Threat Intel | Cyber Attacks Leveraging the COVID-19/CoronaVirus Pandemic

At Sentinel Labs, we have been closely tracking adversarial behavior as it pertains to COVID-19/Coronavirus. To date, we have observed a significant number of malware campaigns, spam campaigns, and outright scams that are preying on the fears and uncertainties of the global population.

Updates are tagged in-line with respective dates within each section of this post.

September 2020

[September 9, 2020]

On August 27, the Health Sector Cybersecurity Coordination Center (HC3) released report ID 202008271653.  This report details a specific phishing campaign used to distribute the Agent Tesla RAT.  The lure in the emails is centered around updates to COVID-specific PPE (Personal Protective Equipment).  We have seen similar campaigns running since late April / early May, and these current examples do not stray far from the standard template.  The emails contain RAR’d or Gzip’d attachments that install the Agent Tesla RAT upon execution.

During the first week of September, we observed multiple campaigns delivering the Sepulcher trojan.  The phishing emails appear to be sent from the World Health Organization, claiming to contain updated technical and geographical guidance around Coronavirus safety measures.  As with the Agent Tesla campaigns, these have been ongoing for several months, and the general templates have changed only slightly over that time.

Following the same theme and cadence, we continue to observe campaigns spreading the Lemon Duck cryptomining trojan via Coronavirus-themed phishing emails.  Lemon Duck is a primarily “file-less” cryptomining trojan which is also able to spread via EternalBlue.  Phishing emails are typically disguised as messages from the WHO, or as more ‘conspiracy’-minded messages with subjects similar to “The Truth of COVID-19” or “What you have not been told about CORONAVIRUS”.


August 2020

[August 21, 2020]

Throughout July and August 2020, we have continued to observe malicious actors leveraging COVID-19 as a social-engineering lure.  In addition, prominent malware families continue to spread through COVID-19-themed messages and/or websites.


The rise of so-called ‘contact tracing’ applications has provided malware authors with yet another easily exploitable path to infection.  One such example was observed in the form of CryCryptor.  CryCryptor is focused on Canadian citizens, capitalizing on the recent announcement of a nationwide tracing app named “COVID Alert”.  Victims are instructed to contact the attacker via email following the encryption of common file types on the infected device.

We have continued to observe ransomware campaigns leveraging COVID-19 as a lure.  NetWalker, in particular, has been highly prolific in this area.  There has also not been any observable slowdown in the targeting of medical facilities and entities.  NetWalker, Maze, and Snake have all successfully targeted healthcare and medical facilities over the last 2 months.  In fact, of all the industries represented on NetWalker’s victim-shaming blog, the most prevalent is healthcare.

As our time with this pandemic progresses, and our medical and science experts gather more data on COVID-19, they also become larger and more valuable targets.  In July 2020, the United States Department of Justice, along with other authorities, released details surrounding an extended campaign targeting COVID-19 research data.  Authorities involved have attributed campaigns aimed at COVID-19 research data to both Chinese- and Russian-backed actors.  One such advisory specifically covers the use of CVE-2019-11510 (Pulse Secure VPN) to gain initial access into targeted environments.


June 2020

[June 12, 2020]

We continue to observe the use of COVID-19 as a lure in malicious Android applications.  This has been somewhat amplified by the uptick in the publishing of ‘contact tracking’ or ‘contact tracing’ applications.  The Anubis and SpyNote trojan families have been particularly prolific in this area.  Both Anubis and SpyNote have been identified in contact tracing apps aimed at various locales (ex: Indonesia, Iran, Russia, Italy).  Both trojan families aim to extract sensitive or personal information from the target device.  Malicious functionality in these trojanized contact-tracing applications includes:

  • Full access to SMS data and activity
  • Injection and visibility into other applications (ex: banking applications and password vaults)
  • Keylogging
  • Voice, Screen, and Camera recording and exfiltration
  • Access to critical device information and system details

These types of malicious apps have been observed in official app stores/distribution channels, as well as ‘less-than-official’ app stores.  We encourage all users to be extra critical of what apps they install, and where they are installing from.  It is not always enough to ensure that you are acquiring Android applications from the ‘official’ Google store.

The rise of unemployment and the need for medical/sick leave has brought about a new angle for COVID-related social engineering lures.  Criminals have increased the use of weaponized medical leave forms, PTO requests and resume/CV forms and templates in an effort to further spread malware.  In recent weeks, Trickbot, ZLoader and other high-profile malware families have been embracing these particular vectors.  Weaponized forms are spread via email, primarily as Word documents; however, we have observed alternate file formats as well (ex: ISO).  Researchers at Check Point have expanded on these campaigns in recent weeks as well.

On June 11, the FBI released PSA (Public Service Announcement) 1-061120-PSA.  This bulletin details the use of fraudulent shipping and insurance fees being charged by criminal actors.  Opportunistic actors are citing false COVID-19-related updates to shipping laws, regulations, and requirements as justification for charging the unnecessary fees.  According to the PSA, “Examples of this criminal activity include demanding fraudulent COVID-19 insurance fees after the purchase for the delivery of live pets from online U.S. websites. An additional example includes criminal actors fraudulently collecting ‘refundable’ maritime insurance fees, citing fake COVID-19 laws.”  Per the FBI’s guidelines, we encourage all to be extra careful and always avoid giving any personal information to non-trusted companies or individuals.  Verify all charges related to shipping and processing upon any transaction and be particularly wary of any new or unnecessary charges tied to COVID-19 laws and regulations.

Criminals are continuing to target government entities and task forces directly tied to COVID research and PPE production.  IBM’s X-Force recently documented a widespread campaign targeting ~40 critical organizations in an effort to disrupt operations and extract sensitive information.  Spearphishing emails were sent to high-level executives at the targeted organizations, which included an unnamed German corporation tied to procurement of personal protective equipment.  These attacks serve as a reminder of just how successful email-based distribution of malware still is.  Email, phishing and spearphishing remain the most effective methods of malware distribution.

May 2020

[May 28, 2020]

The fuckunicorn ransomware “family” was observed in a typo-squatting campaign focused on the Italian Federation of Pharmacists (IFP).  The legitimate domain serves timely information on Covid-19 to the Italian community.  The actors behind the campaign crafted a malicious website mimicking the IFP site, hosted on a slight variation of the IFP domain name.  Similar to past attacks, users are lured into downloading the ransomware, which masquerades as a Covid “dashboard tracker”.  This threat was also highlighted by @JAMESWT_MHT on May 25th.  The ransomware itself is based on the aging open-source ransomware “kit” Hidden Tear.  As a result, the ransomware is simple, easy to analyze, and should pose little issue when it comes to detection and prevention.  Keeping with the theme, the ransom note is also in Italian.

From May 21st onward, we observed multiple COVID-themed spam campaigns distributing the Warzone RAT (Remote Access Trojan).  The malicious spam messages carried documents crafted to exploit CVE-2017-11882, a remote code execution flaw specific to the Microsoft Word Equation Editor.  Once exploited, the Warzone RAT payload is downloaded and installed.

We have also observed multiple COVID-themed spam campaigns spreading the IcedID trojan.  These are rather generic maldocs containing obfuscated VBA macros which retrieve a specially-crafted .PNG image file.  The malware is subsequently extracted from the .PNG image and launched.

The Johns Hopkins Center continues to be a valuable lure for potential attackers.  Microsoft recently disclosed details around a COVID-themed phishing campaign which leads to installation of the NetSupport Manager RAT.  These campaigns are reportedly very prolific, and leverage maliciously-crafted Excel documents to facilitate the delivery of the malware.  Most of the samples we have observed follow a predictable naming convention (ex: covid_usa_nyt_*) where “*” is replaced with a series of four digits (ex: covid_usa_nyt_8072.xls).  The Excel documents, which contain updated information and statistics around Coronavirus, contain macros which download and launch the malware.  Microsoft states that there are “hundreds of unique Excel files” used by the campaign; however, they all communicate with the same C2 server.  The NetSupport infections are particularly problematic as they download and install multiple additional components post-infection.

[May 20, 2020] The last 2 weeks have seen an increased number of COVID-themed campaigns from both Trickbot and Formbook.  The Formbook campaigns have been targeting educational institutions via phishing messages with a trojanized application for teachers.  Formbook, like other stealers, is focused on harvesting sensitive data.  Recent Trickbot phishing emails have been masquerading as official details around the Family Medical Leave Act and other similar (and timely) lures.

On May 11th, Twitter user @cocaman tweeted information on a COVID-themed dropper for HimeraLoader.  Similar to the previously mentioned Trickbot campaigns, the HimeraLoader-centric attacks utilize the FMLA as a lure, prompting victims to open a malicious Word document which leads to the installation of the malware.  Upon installation, the malware will create a scheduled task for persistence, as well as drop additional components.

On May 17th, @JAMESWT_MHT, along with @malwrhunterteam noted a new variant of MBRLocker dubbed “CoViper”.  This variant displays Coronavirus-related warnings after the host has been infected and rebooted.

On May 14th, the MalwareHunterTeam noted a new Node.js-based trojan spreading with the help of COVID-themed lures.  Initial delivery appears to have been via phishing email with .jar attachments (Company PLP_Tax relief due to Covid-19 outbreak CI+PL.jar).  Upon execution, the .jar (a downloader) retrieves additional malware written in Node.js.  Once infected, the attackers have RAT-like control over the targeted host.  Persistence is achieved via an entry in the registry ‘Run’ key (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run).

With regards to mobile platforms, we continue to see malicious apps, disguised as COVID-related resources, being seeded through multiple outlets.  These are primarily infostealer trojans or similar spyware.  One such example was discovered simply named “Covid.apk” with the package name “DZ.Eagle.Master” (or variants thereof).  These trojans are engineered to harvest and transmit personal information.

On May 14, Microsoft announced a new initiative to provide COVID-19-themed IOCs/indicators via a free feed.  These indicators are automatically incorporated into various Microsoft-based protection technologies; however, environments that utilize other vendors are able to leverage the IOCs as needed.  The hash-based IOCs cover multiple file and threat types, and are readily available via the Microsoft Graph Security API and the Azure Sentinel GitHub.  Enterprise customers using MISP can easily import/ingest the data as well.

Credential-harvesting spam/phish campaigns and COVID-themed ransomware for Android top the highlights for this week’s update.  Attackers are employing a few novel lures in their phishing campaigns, as well as modifying some well-known ones (ex: FedEx and UPS phishing lures).

Early in the week, the FBI issued Flash Alert MI-000124-MW, covering specific indicators for COVID-19 phishing email campaigns.  The listed indicators cover more of what has been observed over the last few months: generic phishing emails enticing victims with COVID-based details including “Updated COVID Tracking Details”, “Updated WHO Recommendations for COVID-19” and similar.  The covered campaigns have primarily been engineered for credential harvesting.  Some utilize commodity malware, while others simply redirect to weaponized phishing sites.  We have observed the following families tied to the malware-based campaigns:

  • Lokibot
  • Agent Tesla (MITRE S0331)
  • AZORult (MITRE S0344)
  • Adwind
  • Generic exploitation of CVE-2017-11882

Throughout the last few weeks, we have seen an uptick in the use of UPS- or FedEx-based lures in phishing campaigns.  While this alone is not new, these tried-and-true lures have been modified for the current times; combining them with the context of ‘shipping delays’ due to the pandemic is more novel.  Generally, these messages claim to be from FedEx, UPS, or DHL, prompting the victim for action due to a shipping delay resulting from Coronavirus.  A majority of these are redirect-based credential harvesters; however, many also contain malicious attachments.

We have also seen a slightly new theme in the form of fake employment termination messages.  These are targeted messages, which cite the pandemic as the cause for the victim’s termination from their respective company.

Associated malware includes:

  • Remcos RAT (MITRE S0332)
  • Bsymem

Cybercriminals are still taking advantage of the pandemic to spread ransomware, including on Android.  In the last few weeks, we have observed multiple instances of the SLocker trojan.  This is a very basic “locker” which masquerades as an informative application for Coronavirus.  Once installed, the malicious application will block user activity, requesting payment (via PayNet).  When infected, users are met with the following (translated) message:

Congratulations! Your phone is blocked! You have 20 minutes to enter the code, otherwise the phone will not turn on again …
Don’t see this as an arbitrary message, it will be difficult for you 🙁
Unlock password
Exact time
To unlock the code, call +998 998 910 312. Make 8000 paynet and get the code. (Don’t ask for the code without Paynet, I won’t tell you anyway)


Behavior varies across different versions and flavors of Android.

April 2020

[April 27, 2020]

Attacks and campaigns using COVID-themed lures have continued to increase over the last week.  We continue to observe increasing amounts of malicious messages and websites preying on the fear and uncertainty around the pandemic.  There has been an overall increase in pure credential harvesting, much of which references U.S. government stimulus payments and small-business loan packages.  In that category, multiple campaigns have been observed which directly masquerade as the United States Small Business Association (SBA).

One such SBA-themed example was part of a widespread campaign used to spread Remcos RAT (MITRE S0332).  Remcos is a full-featured RAT capable of harvesting credentials, sensitive documents and information, as well as compromising basic functionality (keylogging, microphone access, screenshots, webcam control) and beyond.  There are similar attacks focused on countries and financial entities outside the United States as well.


In mid-April, we observed a variant of the Anyplace RAT as it was uploaded to multiple malware sample collection repositories.

The Anyplace RAT campaign masquerades as an official communication from Epay, providing updates on their current operating abilities.  Like Remcos, Anyplace is a full-featured remote access trojan.  Upon execution, the dropper and primary executable are written to c:\Program Files (x86)\cdc.

The actors behind Trickbot have continued in their prolific ways throughout the last month.  We have observed multiple spam campaigns spreading Trickbot (along with additional subsequent threats).  Many of the lures are centered around fake DocuSign forms hosted on Google Docs, or shared directly as an attachment.  When the documents are opened, the embedded macros run, leading to the Trickbot infection.

Rounding out some of the latest highlights, we have continued to observe malware campaigns utilizing more ‘commodity’ families (Loki, Tesla, Gomorrah).  As with previous examples, COVID-themed attachments or email lures play a major role in these attacks.  In one such example, we have Tesla Keylogger disguising itself as an image of “protective face masks”.


This is a lure which is repeated frequently in Tesla Keylogger campaigns.

As a reminder, beyond the onslaught of malware and attacks that we all battle with every day, the outright scams associated with COVID-19 have not slowed down.

There are many low-sophistication scammers out there using current events for quick financial gain.  Continue to be hyper-aware and cautiously-critical.

[April 14, 2020] In mid-April, we observed a short-lived COVID-themed ransomware attack.  Spam email messages containing COVID-themed malicious Word documents were used to drop a ransomware payload based on HiddenTear (open-source ransomware).

Once opened, the document drops the ransomware into ~\AppData\Local and executes it.  When executed, the ransomware attempts to contact the C2 server for additional components (a desktop image) and sends data about the victim host.  Encrypted files are renamed with a “.locked20” extension.

[April 14, 2020] HiddenTear is a long-standing open source ransomware framework.  SentinelOne Endpoint Protection detects and prevents all malicious activities associated with this threat.

[April 14, 2020] In early April, several Android-focused campaigns were observed spreading the Anubis and Cerberus banking trojans to victims seeking additional information on Coronavirus in their area.  Many were specifically targeted towards users in Italy and China.  The malicious apps claim to track and inform users of COVID-specific updates for their region (a very common lure).  Often, the data in the app will be legitimate (redirection), but the app will request permissions beyond what is needed or required, allowing it to exfiltrate personal data to a remote location of the attacker’s choice.

[April 14, 2020] In late March, a wide-spread phishing campaign was observed using COVID-themed email messages masquerading as notifications from the “Department of Health”. The email messages contained a malicious link which leads victims to a page designed to harvest Outlook/Office credentials.  Email sender and subject examples are below:

  • Sender: “Department of Health” <department[.]health-pandemic[@]zacks[.]com> 
  • Subject: “HIGH ALERT: COVID-19 cases surpassed 300,000 globally”.
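As an added example (not code from the SentinelLabs post), the following Python triage check takes the sender and subject quoted above and flags the display-name impersonation: the name claims a health authority while the refanged address belongs to an unrelated domain. The allowlist of legitimate sending domains and the second and third sample messages are constructed assumptions.

```python
import re
from email.utils import parseaddr

# The post defangs indicators with "[.]" and "[@]"; restore them only so the
# address can be parsed. Nothing here connects to the address.
def refang(value):
    return value.replace("[.]", ".").replace("[@]", "@")

# Constructed allowlist (an assumption for this example, not from the post):
# organisations commonly impersonated in COVID lures and the domains they
# actually send from. Extend it from your own verified sources.
CLAIMED_ORG_DOMAINS = {
    r"\bdepartment of health\b": {"health.gov", "hhs.gov"},
    r"\b(cdc|centers for disease control)\b": {"cdc.gov"},
    r"\bworld health organization\b": {"who.int"},
}

# Urgency terms that recur in the subjects of these campaigns.
URGENCY_TERMS = ("high alert", "urgent", "covid", "coronavirus", "pandemic")


def sender_domain(address):
    """Lower-cased domain part of an address ('' if there is no @)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def domain_allowed(domain, allowed):
    """True when domain is one of the allowed domains or a subdomain of one."""
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def analyse_message(from_header, subject):
    """Return a list of findings for one message; an empty list means no flag.

    A message is flagged when the display name claims an organisation from the
    allowlist but the actual sending domain is not one that organisation uses.
    Urgency terms alone never flag a message (legitimate agencies use them too);
    they are reported only as supporting evidence on an already-flagged message.
    """
    findings = []
    display_name, address = parseaddr(refang(from_header))
    domain = sender_domain(address)
    for pattern, allowed in CLAIMED_ORG_DOMAINS.items():
        if re.search(pattern, display_name.lower()) and not domain_allowed(domain, allowed):
            findings.append(
                f"display name '{display_name}' claims an organisation that does not send from {domain}"
            )
    if findings:
        hits = [t for t in URGENCY_TERMS if t in subject.lower()]
        if hits:
            findings.append("urgency lure in subject: " + ", ".join(hits))
    return findings


def triage(messages):
    """Run analyse_message over (from_header, subject) pairs; return flagged ones only."""
    flagged = []
    for frm, subj in messages:
        findings = analyse_message(frm, subj)
        if findings:
            flagged.append((subj, findings))
    return flagged


# Constructed sample: the first entry is the sender/subject pair quoted in the
# post (still defanged); the other two are invented for contrast.
SAMPLE_MESSAGES = [
    ('"Department of Health" <department[.]health-pandemic[@]zacks[.]com>',
     "HIGH ALERT: COVID-19 cases surpassed 300,000 globally"),
    ('"Centers for Disease Control and Prevention" <updates@cdc.gov>',
     "COVID-19 weekly situation update"),
    ('"CDC Alerts" <alerts@cdc-gov.org>',
     "Updated COVID-19 cases in your area"),
]

if __name__ == "__main__":
    for subject, findings in triage(SAMPLE_MESSAGES):
        print(subject)
        for finding in findings:
            print("  -", finding)
```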

[April 14, 2020] Fake charity and donation scams have become more and more frequent since the onset of the pandemic.  Criminals are constantly pivoting through COVID-themed lures while preying on the fear and uncertainty looming over the population.  One such scam (“Lina Charity Foundation”) was observed being distributed en masse; we have removed the supplied banking details from the example.  The groups behind these do often include these details (bank name, address, SWIFT codes, IBAN numbers) in order to enable their victims to complete the fraudulent donations / transfers.

[April 14, 2020] Throughout late March/early April, multiple COVID-themed Ursnif campaigns were observed.  Traditionally, Ursnif is utilized for information theft and data exfiltration.  This includes credential harvesting, banking information and similar.  Malicious messages arrive with weaponized Word documents attached.  When opened (and macros run), the documents will execute scripts to pull additional components from a remote server.  Through multiple stages of obfuscated JavaScript, VBS scripts and/or PowerShell, the final Ursnif payload is written to the victim host.

[April 6, 2020] In early-to-mid-March 2020, Redline Stealer was distributed via a spam campaign using Coronavirus-themed lures.  Victims were enticed into downloading and installing a trojanized version of the “Folding@home” client software.

[April 6, 2020] When choosing to download the malicious software, users are presented with the trojanized “foldingathomeapp.exe” executable.  Redline Stealer is a well-known commodity malware which can pilfer browser information, credential sets, as well as user and system information.

Throughout March 2020, the Qbot banking trojan was distributed via aggressive spam campaigns.  Victims are enticed via messages which claim to link to refreshed PPE supplies (ex: masks & gloves).  When following the malicious links, users are led to the Qbot trojan in either EXE or ZIP archive form.

[April 6, 2020] Attackers have been leveraging the United States Stimulus Relief package to entice users into following malicious links which ultimately lead to leakage of personal data in multiple forms.  We have observed email and SMS-based campaigns which offer updated information around the stimulus bill, or promise short-term loans with the victim’s expected stimulus to be used as collateral.

These attacks are ongoing and we encourage users to be extra cautious when interacting with COVID-related emails and SMS/TXT messages.

[Update April 1, 2020] On April 1st, a new, multifaceted malware family emerged which leverages the Coronavirus in an attempt to target the emotions of its victims.  When executed, the dropper deposits numerous scripts and dependent files.  The threat then proceeds to make a number of configuration changes which negatively affect the security posture of the infected host.  The infection routine requires a reboot due to the changes to UAC.  After reboot, additional payloads are executed, resulting in the display of an image of the Coronavirus adorned with additional messages following the theme.

In some scenarios, an additional payload will execute which is responsible for overwriting the machine’s MBR (Master Boot Record). The user is then presented with a simple message on a dull grey background, with their access to local data restricted.

Note: SentinelOne Endpoint detects and prevents all artifacts and behaviors associated with Wiper.coronavirus.

March 2020

Malware authors are continuing to utilize COVID/Coronavirus as a lure.  We have seen ongoing activity from the malware families outlined in this original post, including AdWind, LokiBot, NetSupport RAT, Tesla Keylogger, and Kpot.  We have also observed additional malware families joining in on the exploitation of fear around COVID-19.

[March 31, 2020] Coronavirus-themed email messages are being used to spread the Hawkeye trojan.  Hawkeye is a long-standing credential-stealing trojan.  In recent campaigns users are targeted via spam messages claiming a “cure” in China and Italy (ex: CORONA VIRUS CURE FOR CHINA, ITALY).

[March 31, 2020] Actors behind the Metamorfo (Casbaneiro) trojan launched a COVID-19-themed spam campaign to spread their malware.  Similar to other uses of this lure, victims are enticed to follow a malicious link to receive “more or updated information” on COVID-19 in their region.  The malicious links lead to an MSI installer which downloads additional malware and establishes persistent C2 communications.

[March 31, 2020] A Coronavirus-themed email campaign has been used to spread the Nanocore trojan.  Victims are enticed with misinformation tied to an update on COVID-19 vaccines.  Malicious downloads are named following this theme (ex: “Covid-19 Vaccine.gz”).

[March 31, 2020] Late in March, we observed the Sphinx banking trojan, which is largely based on leaked Zeus source code, begin to spread aggressively via email with COVID-themed messages.  In some observed cases victims were enticed to complete a form related to receiving government assistance during the outbreak.  The malicious document then proceeds to drop and execute a VBS script.  This script establishes C2 communication channels and downloads additional executable payloads.  Beyond the COVID-themed lures, the functionality is largely unchanged with regards to data interception via web injects.

In mid-March 2020, a new family of Android ransomware, CovidLock, began targeting users via malicious app (APK) downloads. The malicious apps were hosted on sites masquerading as hosts for valid real-time information tracking apps. Upon infection, the ransomware tricks users into providing full device control via misleading permissions request dialogs. The malware sets itself to load upon device startup and leads to a lock-screen style ransom request. This specific family utilizes Pastebin to aid in the construction of the displayed ransom notes.

In early March 2020, the APT group Mustang Panda (China) utilized multiple spam campaigns to deliver implants.  Spam messages made use of multiple COVID-19-themed lures.  Malicious documents were used to execute additional scripts, and leverage subsequent living-off-the-land (LOTL) tactics to retrieve and launch payloads.

In mid-March 2020, we observed multiple websites hosting fake versions of WiseCleaner utilities.  These sites were used to distribute the Kpot Infostealer trojan, along with a new ransomware family dubbed “CoronaVirus”.  From the fake WiseCleaner-themed sites, a malicious version of “WSHSetup.exe” was used to download both the CoronaVirus ransomware and Kpot Infostealer.  Once infected, a customized ransom message is displayed at boot, prior to the loading of Windows.  Victims are instructed to email the attackers, as opposed to interacting with them via a payment portal site.

The Kpot Infostealer trojan is coupled with the ransomware in order to harvest cryptocurrency wallets, browser data and credential sets. The requested ransom is typically ~$50.00 USD.

In mid-March, NetWalker ransomware campaigns were observed attacking multiple targets classified under Health and Human Services offices (ex: the Illinois Champaign-Urbana Public Health District).  The malware was delivered via email with malicious VBS attachments.  Upon launch, the malware proceeds to encrypt targeted file types as well as disable known anti-virus products (if found).

February 2020

In early February 2020, multiple COVID-19/Coronavirus-themed phishing campaigns were tracked, targeting primarily the shipping and logistics industry. The phishing campaigns were used to spread the AZORult trojan to high-value targets in the shipping sector. Some message samples contained malicious Microsoft Office documents designed to exploit CVE-2017-11882. CVE-2017-11882 is a memory corruption vulnerability in Equation Editor. Successful exploitation allows for the execution of arbitrary code across affected versions of Microsoft Office.

In early February 2020, a massive COVID-19/Coronavirus-themed phishing campaign targeted large swaths of Office 365 users.  The motive behind these campaigns was basic credential harvesting.  Victims were urged to open malicious attachments which were disguised as updates on COVID-19 patterns in their local areas.  Most observed samples masqueraded as updates from the “Centers for Disease Control and Prevention”.  Attackers took advantage of ‘look-alike’ domains for added authenticity (ex: cdc-gov[.]org).

In early February 2020, we tracked COVID-19/Coronavirus-themed spam campaigns spreading LokiBot, specifically targeting Chinese entities. Spam messages were seen masquerading as updates from the ‘Ministry of Health in the People’s Republic of China’. Messages were written in English but appear to have been written by a non-native English speaker. The LokiBot malware was distributed in these messages in the form of RAR archives (with .arj extensions).

In mid-February 2020, multiple malicious websites were constructed to deliver the Grandoreiro banking trojan.  Multiple weaponized sites were utilized, primarily targeting users in Mexico, Spain, and Brazil.  The sites utilized a ‘video player’ download-style lure to entice victims into executing the Grandoreiro payloads.

In mid-February, the “Corona Virus Map Phishing Kit” was advertised for sale in various underground forums.  The kit ranged in price from $200 USD to $700 USD.  Buyers are able to customize the kit to embed their own payloads or force a redirection (upon execution of the trojanized map EXE) to remote payloads.  The malicious map executable masquerades as legitimate map data from Johns Hopkins University.  Indeed a picture (in this case an interactive map) is worth a thousand words, with attackers offering up the ability to load payloads to victims that visit this nefarious coronavirus spread map.

In late February 2020, we observed COVID-19/Coronavirus-themed spam campaigns targeting users in Ukraine.  Spam messages are disguised as updates from the ‘Center for Public Health of the Ministry of Health of Ukraine’.  The messages claim to contain updated information for the public pertaining to COVID-19/Coronavirus.  Initial waves of the campaign were used to distribute various dropper and downloader trojans.

In late February 2020, COVID-19/Coronavirus-themed spam emails were used to distribute the Tesla Keylogger. Spam messages were constructed via a customized phishing kit. Observed samples are disguised as updates from ‘The Centers for Disease Control’. Victims are enticed into following malicious links in order to access informational “updates for their area”.

In late February 2020, we observed a spam campaign targeting South Korean entities. The spam campaigns were used to distribute BabyShark implants, often associated with the cyber operations of North Korea. Malicious attachments were disguised as official updates on South Korea’s response to COVID-19.

In late February 2020, multiple spam campaigns were observed distributing the FormBook malware.  Messages were disguised as updates from FedEx on their current plans for dealing with issues and delays around COVID-19.

In late February 2020, Trickbot campaigns were tracked, primarily targeting Italian entities. Spam messages were constructed with a customized phishing kit, and redirected victims to Trickbot payloads.

January 2020

In late January 2020, we observed Coronavirus-themed Emotet spam campaigns, primarily targeting Japanese entities.  Message templates for the spam runs were updated frequently (as is normal with Emotet).  That being said, most messages masquerade as “urgent notifications” which urge the victims to open malicious email attachments.  The malicious attachments are disguised as updated information briefings on COVID-19 patients in their particular region.

Update (Friday, March 27th)

COVID-themed campaigns have started to slow this week.  While criminals were quick to capitalize on the news-heavy topic of ‘Covid-19’ for their campaigns, we suspect this slowdown will continue, due in part to the current situation in which many countries, cities, and provinces have started to issue “stay at home” or “shelter in place” orders.  These orders could impact local governments and businesses in a way that will slow down a criminal’s ability to move money.  We are still following to see what the effect will be on the underground economy as the global economy becomes more turbulent.

This is a concerning time for our industry and the public at large. We are in the midst of a global health crisis. In such times, we all need to be working together and ensuring that everyone has the most accurate and reliable data. We all want assurance that we can trust the resources available to us. Anything counter to that is destructive and potentially harmful to society. However, we all know that cybercriminals and sophisticated adversaries seize opportunities like this to further their own cause. This not only leads to the usual barrage of complications inherent to any cyber attack or event, but in this case it can translate to real harm to those we love and protect.

Domain Registration and Squatting

From the onset of the SARS-CoV-2 virus’s spread, opportunistic cyber-criminals have taken to proactively registering relevant domain names for malicious use. According to data from Recorded Future, “Beginning on January 12, the number of domain registrations started to increase, with an additional large spike on February 12”.

While domain registration alone is not proof of ill-intent, it is a reminder that we need to be extra cautious when interacting with “COVID” and “Coronavirus” related domains.

To provide some context, consider the following data:

Registered domains including “coronavirus” in the last 7 days = 5762
Registered domains including “covid” in the last 7 days = 6155
Registered domains including “covid-19” in the last 7 days = 934
Registered domains including “covid19” in the last 7 days = 3098

image of domains registered with covid in the name
Src: DN Pedia

In the more scam-centric realm, registered domains including “coronacure” in the last 7 days = 934.

image of Registered domains including "coronacure" in the last 7 days
Src: DN Pedia

Some of these domains claim to offer medical supplies at exorbitant prices; would-be buyers pay up-front and take their chances as to whether they will ever see a delivery.

image of scam advert for a Covid Test

It is important to note that these numbers do not account for typo-squatting, subtly-varied names (homographic attacks), or numerical-replacement variants (aka ‘hackerese’).
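As an added example (not code from the SentinelLabs post), the following Python scores a list of newly registered names for the COVID terms counted above, and also catches the three variant classes those counts leave out: homograph (lookalike-character) names, numeric-replacement (‘hackerese’) names, and single-edit typo-squats. The sample domains, the keyword list, the leet table and the homoglyph table are all constructed or assumed for illustration; the punycode entry is generated in the block from a Cyrillic “о” so that the lookalike survives exactly as it would in a zone file.

```python
import unicodedata
from typing import List, Optional, Tuple

# Terms the registration counts above were keyed on, most specific first.
KEYWORDS = ("coronavirus", "coronacure", "covid-19", "covid19", "covid")
# Base terms used by the single-edit typo pass.
FUZZY_TERMS = ("coronavirus", "covid")

# Digit/symbol substitutions typical of "hackerese" names (assumed, illustrative subset).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# Non-Latin letters that render like the Latin letters in the keywords (assumed, partial table).
HOMOGLYPHS = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u0456": "i",   # Cyrillic a, es, ie, i
    "\u043e": "o", "\u0440": "p", "\u0455": "s",                  # Cyrillic o, er, dze
    "\u03b1": "a", "\u03bf": "o",                                 # Greek alpha, omicron
}

# Constructed sample "registration feed" (not real registrations). The last entry is an
# IDN built from a Cyrillic o, stored in its punycode (xn--) form as a registrar would list it.
HOMOGLYPH_SAMPLE = "c\u043evid-relief.example".encode("idna").decode("ascii")
SAMPLE_DOMAINS = [
    "coronavirus-update.example",   # plain keyword
    "covid-19-test.example",        # plain keyword with hyphen
    "coronacure-shop.example",      # scam-centric keyword
    "c0vid19-relief.example",       # zero for o ("hackerese")
    "covld-testing.example",        # l for i (typo-squat)
    "vaccine-schedule.example",     # benign control
    "covet-shop.example",           # benign control, two edits away from "covid"
    HOMOGLYPH_SAMPLE,
]


def to_unicode(domain: str) -> str:
    """Decode punycode (xn--) labels so lookalike characters can be inspected."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except (UnicodeError, ValueError):
                pass  # leave undecodable labels as they are
        labels.append(label)
    return ".".join(labels)


def fold_homoglyphs(text: str) -> str:
    """Map compatibility forms (NFKC) and known lookalikes onto plain ASCII letters."""
    text = unicodedata.normalize("NFKC", text)
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in text)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fuzzy_hit(name: str) -> Optional[str]:
    """Return a base term if some substring of name is within one edit of it."""
    for term in FUZZY_TERMS:
        for width in (len(term) - 1, len(term), len(term) + 1):
            for start in range(0, max(1, len(name) - width + 1)):
                if levenshtein(name[start:start + width], term) <= 1:
                    return term
    return None


def classify(domain: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (matched term, technique) for a COVID-themed name, (None, None) otherwise.
    Passes run cheapest-explanation first, so a plain keyword is never reported as a typo."""
    name = to_unicode(domain).rsplit(".", 1)[0]   # drop the TLD label
    folded = fold_homoglyphs(name)
    for kw in KEYWORDS:                            # 1) keyword present as registered
        if kw in name:
            return kw, "exact"
    for kw in KEYWORDS:                            # 2) keyword appears once lookalikes are folded
        if kw in folded:
            return kw, "homoglyph"
    leet = folded.translate(LEET)
    for kw in KEYWORDS:                            # 3) keyword appears once digits are undone
        if kw in leet:
            return kw, "leet"
    term = fuzzy_hit(folded)                       # 4) one edit away from a base term
    return (term, "typo") if term else (None, None)


def scan(domains: List[str]) -> List[Tuple[str, str, str]]:
    """Flag every domain that classify() ties to a COVID term."""
    hits = []
    for d in domains:
        term, how = classify(d)
        if term:
            hits.append((d, term, how))
    return hits


if __name__ == "__main__":
    for domain, term, how in scan(SAMPLE_DOMAINS):
        print(f"{domain:45s} {term:12s} {how}")
```

The fuzzy pass is deliberately last and deliberately loose: it will also flag innocent strings one edit from “covid” (the name “ovid”, for instance), so treat its output as a triage score to feed into blocklist review, not as a block decision on its own. Real feeds should also be matched against a public-suffix list rather than the simple “drop the last label” used here.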


Emergence of Blatant Scams

Multiple dark web (.onion) sites claim to sell COVID-19/Coronavirus supplies (masks, sanitization and cleaning supplies) directly for BTC (bitcoin). These are outright scams, which simply collect BTC and deliver nothing to their victims. To add insult to injury, we have also seen sites purporting to sell non-existent vaccines, charging $5000.

image of scamvert selling medical masks

Scammy COVID-19 supply sellers

image of another scam related to medical supply sales

image of scamvert selling fake coronavirus tests

Infrastructure & Misinformation Attacks

On Monday, March 16 an attempted DDoS attack was carried out against the US Health and Human Services Department. While the HHS infrastructure remained “fully operational”, there was a perceived strain on the targeted systems given the increased activity. The attack comes at a critical time given the current influx of requests to their site (and services) seeking information and updates around protection against COVID-19. In this situation, the HHS was prepared. According to an HHS spokesman, “while preparing and responding to COVID-19, HHS put extra protections in place”.

image of tweet about DDoS attack on health service provider

In addition to the DDoS attempt on HHS, we have seen a flurry of social media campaigns specifically crafted to spread misinformation, and increase paranoia around the Coronavirus pandemic. There appear to be multiple, ongoing misinformation campaigns across all social media platforms (ex: Twitter, Facebook, Telegram). 

image of fake health alert about Covid-19

For this reason, we all need to be extra careful and ultra-discerning. The NSC has been quick to alert on and clarify most of these attempts, but again they are ongoing. It is recommended that the public continually monitor the NSC (and other official outlets) for accurate data and updates, as well as alerts on misinformation campaigns.

image of tweet from NSC

Supply & Lockdown Effects on the Criminal Element

Cyber criminals can be affected by the societal impacts of COVID-19 as well. Perhaps as a ‘positive’ side-effect, some underground vendors are having to cease operations due to increased risk or limited supplies.

image of message from online drug dealers about problems due to Covid-19

image of Dutch drug sellers claiming problems about supply and distribution because of covid 19



The psychology of fear, uncertainty, and doubt is a powerful weapon. Criminals have become more advanced in their understanding of manipulating human emotion to achieve a targeted action. Social engineering is based on the premise that an attacker can get a victim to take an action the victim believes to be trustworthy, but which is actually malicious, using manipulation, influence, and deceit. It can also be based on downright intimidation, authority, and extortion. The net result is a victim taking actions they otherwise never would have in the absence of social engineering.

Nation-state actors have long relied upon social engineering to achieve targeted goals for espionage, system compromise, election influence, and social media manipulation.

While this is still very much a ‘living’ situation, Sentinel Labs has already observed the ability for enterprising cybercriminals to capitalize on the fear and uncertainty of the general public. As is the case with any large and newsworthy event, our adversaries have no scruples when it comes to social engineering and malware distribution. Nothing is out of bounds, and the main difference with the current climate is that the stakes are much higher. It is enough of a challenge to get accurate data and information from known-and-reputable sources. The criminal element further muddies the water and makes our attempts to protect our loved ones (and selves) that much more of a challenge.


Sentinel Labs will be posting updates and details as they become available at

This post draws out critical lessons we can learn from both cyber and biological threats:

The Line Between Biological & Cyber Threats Has Never Been So Thin | What Can We Learn & What Should We Do?

In addition, the US-CERT/CISA has posted a list of additional resources which can assist in avoiding COVID-19-related scams and attacks. They cover cyber-hygiene recommendations and link additional helpful resources as well:

US-CERT: Defending Against COVID-19 Cyber Scams
CISA Insights: Risk Management for Novel Coronavirus (COVID-19) (Note: PDF)
CISA Alert (AA20-099A) – COVID-19 Exploited by Malicious Cyber Actors

Indicators of Compromise

Zeus Sphinx
Zeus Sphinx
Zeus Sphinx
Zeus Sphinx
Zeus Sphinx
Zeus Sphinx
Generic Downloader/Dropper
RedLine Stealer
Ransom20 (COVID-Themed HiddenTear ransomware)
Credential Harvesting
Credential Harvesting
Tesla Keylogger
Agent Tesla
SLocker (Android)
CoViper (MBRLocker)
SpyAgent (Android)
SpyAgent (Android)
Fuckunicorn (Ransomware)
CVE-2017-11882 Exploit (Word Document)
Warzone RAT
IcedID (.PNG)
NetSupport RAT
NetSupport RAT
NetSupport RAT
NetSupport RAT
NetSupport RAT
SpyNote / CovidSpy (Android)
SpyNote / CovidSpy (Android)
SpyNote / CovidSpy (Android)
SpyNote / CovidSpy (Android)
ZLoader (maldoc)
Agent Tesla
CryCryptor (Android)
CryCryptor (Android)
CryCryptor (Android)
CryCryptor (Android)
CryCryptor (Android)
Agent Tesla
Sepulcher Trojan