{
	"id": "6fe0261b-1cfb-47ee-bbf8-779a54e2bfc7",
	"created_at": "2026-04-06T00:13:21.245067Z",
	"updated_at": "2026-04-10T13:11:57.604517Z",
	"deleted_at": null,
	"sha1_hash": "1023b412b24277a4bfdb593af37f39198062c086",
	"title": "TA505 Malware - New Coronavirus Cyber Attacks | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 563289,
	"plain_text": "TA505 Malware - New Coronavirus Cyber Attacks | Proofpoint US\r\nPublished: 2020-03-16 · Archived: 2026-04-02 11:43:52 UTC\r\nProofpoint researchers are continuing to monitor malicious threat actor activity surrounding COVID-19. To date, the cumulative volume of coronavirus-related email lures now represents the greatest collection of attack types united by a single theme that our team has seen in years, if not ever. We’ve observed credential phishing, malicious attachments, malicious links, business email compromise (BEC), fake landing pages, downloaders, spam, and malware, among others, all leveraging coronavirus lures.\r\nOver the past week, the team observed a campaign from TA505, the group behind Locky ransomware and the Dridex banking Trojan, that uses a coronavirus lure as part of a downloader campaign targeting the U.S. healthcare, manufacturing, and pharmaceuticals industries.\r\nThe team also found a separate coronavirus-themed campaign that uses a downloader, targets the healthcare industry, and demands Bitcoin payment. Indicating a potential future shift in the attack landscape, the downloaders used in the above two campaigns are sometimes seen as a first-stage payload before ransomware is later downloaded and installed on a victim’s machine. Ransomware is typically delivered as a second- or later-stage payload.\r\nWe’ve additionally seen TA564 using coronavirus emails to target Canadian users by spoofing the Public Health Agency of Canada in an attempt to deliver Ursnif.\r\nNew TA505 Malware and Campaign Examples\r\nAs everyone around the world continues to search online for the latest developments and news around coronavirus, Proofpoint researchers have observed TA505, the group behind the Locky ransomware, using a coronavirus lure in an attempt to deliver a downloader to a victim’s computer. Once delivered, attackers can then download additional types of malware including banking Trojans and ransomware. TA505 is known as one of the most significant financially motivated threat actors due to the extraordinary volumes of messages they send.\r\nFigure 1 below shows an email from one of the attempted TA505 Coronavirus attacks purporting to contain information to help protect users’ friends from the virus, urging readers to click the link provided.\r\nhttps://www.proofpoint.com/us/threat-insight/post/ta505-and-others-launch-new-coronavirus-campaigns-now-largest-collection-attack\r\nPage 1 of 4\r\nFigure 1 TA505 Coronavirus FAQ Lure\r\nWe have also separately seen coronavirus-themed emails with downloaders targeting healthcare organizations that request Bitcoin payments. Figure 2 below shows an email offering coronavirus remedies in exchange for Bitcoin.\r\nFigure 2 Coronavirus Campaign Requesting Bitcoin for Remedy\r\nWe’ve also seen TA564 using coronavirus emails targeting Canadian users by spoofing the Public Health Agency of Canada in an attempt to deliver Ursnif. Ursnif is a common banking Trojan that can steal stored data, including passwords, from banking websites via web injections, proxies, and VNC connections.\r\nFigure 3 below shows an email addressing “parents and guardians,” with a reported update from the Public Health Agency of Canada’s Medical Officer of Health, listing the individual’s correct name.\r\nFigure 3 Fake Public Health Agency of Canada Lure\r\nSummary of TA505 Coronavirus Attacks\r\nWe anticipate TA505 malware attackers will continue to leverage COVID-19 (as detailed in our new Redline Stealer Threat Insight blog) as it develops further worldwide and will also likely pursue potential targets who are now being asked to work from home. Stay vigilant for malicious emails regarding remote access and fake corporate websites, all aimed at ensnaring teleworkers. When working remotely, be sure to use a secure Wi-Fi connection, protect your VPN log-in, use strong passwords, think twice about clicking on links, and confirm all transactions are authentic.\r\nWe’ll continue posting future TA505 attack news as well as coronavirus campaigns and insights on our threat research Twitter account: https://twitter.com/threatinsight. You can also review additional coronavirus-themed campaign examples on conspiracy theories and global shipping concerns in our previous posts.\r\nSource: https://www.proofpoint.com/us/threat-insight/post/ta505-and-others-launch-new-coronavirus-campaigns-now-largest-collection-attack",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/ta505-and-others-launch-new-coronavirus-campaigns-now-largest-collection-attack"
	],
	"report_names": [
		"ta505-and-others-launch-new-coronavirus-campaigns-now-largest-collection-attack"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434401,
	"ts_updated_at": 1775826717,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1023b412b24277a4bfdb593af37f39198062c086.pdf",
		"text": "https://archive.orkl.eu/1023b412b24277a4bfdb593af37f39198062c086.txt",
		"img": "https://archive.orkl.eu/1023b412b24277a4bfdb593af37f39198062c086.jpg"
	}
}