{
	"id": "a4fc6561-fd9b-4aed-b561-68f59f6a59c6",
	"created_at": "2026-04-06T00:08:56.580396Z",
	"updated_at": "2026-04-10T03:21:08.238583Z",
	"deleted_at": null,
	"sha1_hash": "2175ef2623ca649b39c7920d6a2020f7d283de28",
	"title": "Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors - Cisco Umbrella",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 551095,
	"plain_text": "Navigating Cybersecurity During a Pandemic: Latest Malware and\r\nThreat Actors - Cisco Umbrella\r\nBy Andrea Kaiser, Shyam Sundar Ramaswami\r\nPublished: 2020-04-01 · Archived: 2026-04-05 15:09:52 UTC\r\nThe coronavirus (COVID-19) outbreak tops all the news, Google searches, and social media alerts for good reason.\r\nGlobally, we need to stay informed of the latest news with this health crisis. However, it’s also in the news due to\r\nmalicious threat actors using COVID-19 as a lure to trick people into giving up account credentials, or to\r\ndownload malware.\r\nIn this blog post, we’re going to discuss the latest ways that we’ve seen threat actors using the current health crisis\r\nin malicious campaigns, and the increase in Internet requests related to COVID-19 material.\r\nMass Information\r\nThreat actors often use the latest world events, popular news headlines, holidays etc. as themes for malware\r\ncontent in order to stay relevant and entice victims to visit malicious websites or open malicious attachments in\r\nemail. Given the global reach and urgency of the current health crisis, it’s not surprising that COVID-19 has\r\nbecome a means for threat actors to deliver their latest malicious content.\r\nEarlier this month, Brian Krebs reported on the use of fake coronavirus live update style maps to spread the\r\nAzorUlt information stealing trojan. The public is very interested in staying up to date on where the latest\r\nCOVID-19 cases are happening around the world. 
If we use Cisco Umbrella Investigate to look at the amount of\r\nquery traffic seen on our resolvers going to one of these domains hosting a malicious live update map, we can see\r\na spike in requests to this domain starting on March 11th, which continues to gain more queries and maintain a\r\nsteady flow of requests.\r\nhttps://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors\r\nPage 1 of 9\n\nInvestigate shows query traffic to a domain hosting a malicious COVID-19 map\r\nA Surge in New Domains\r\nWe have certainly seen a surge in Internet requests to domains that include the word ‘covid’ or ‘corona’ over the\r\npast two months. On February 19, our enterprise customers made 562,144 queries to 8,080 unique domains\r\ncontaining these keywords. By March 19th we saw an increase of 1,907% in requests, with\r\n11,287,190 requests across 47,059 domains containing these keywords. 4% of these 47k domains were blocked as\r\nmalicious sites.\r\nBelow is a list of popular keywords we’ve seen used together with corona, virus, and covid for new domain\r\nregistrations:\r\nwuhan\r\nclinics\r\nlab\r\ntests\r\nselftestkit\r\npurchase kits\r\nhelpline\r\nA domain for sale using the keywords covid-19-wuhan\r\nMalspam Attacks\r\nThreat actors continue to use email as an infection method, with malicious documents or embedded malicious\r\nlinks. One approach is disguising the email as coming from the World Health Organization.\r\nThe emails state that the attachment contains important safety measures as directed by the WHO. 
These\r\nattachments have been seen to be an archive file, PDF, or DOC.\r\nSome of the malware threats that we’re tracking associated with COVID-19 scams are highlighted below.\r\nKpot\r\nDescription: Kpot is an information stealer that steals user data and account credentials. It is very easily available\r\nin various underground forums for a price of around $100 USD.\r\nNanocore\r\nDescription: NanoCore RAT is a Remote Access Trojan which was first spotted in 2013. Since then, it has been\r\navailable on the Dark Web. This trojan can be modified by its users as per their needs. The malware is capable of\r\nregistry editing, process control, upgrade, file transfer, keylogging, and password stealing.\r\nGuloader\r\nDescription: GuLoader is a downloader, written partly in VB6, which typically stores its encrypted payloads on\r\nGoogle Drive or Microsoft OneDrive. It is usually distributed as a portable executable (PE) file that is often\r\nobserved embedded in a container file such as an .iso or .rar file. It is used predominantly to download Remote\r\nAccess Trojans (RATs) and information stealers such as Agent Tesla, FormBook, NanoCore RAT, Netwire RAT,\r\nRemcos RAT, Ave Maria/Warzone RAT and Parallax RAT.\r\nTrickbot\r\nDescription: TrickBot was first seen in 2016 and is a banking trojan with advanced browser manipulation\r\ntechniques, server-side injections and redirection techniques. It has most famously been associated with malspam\r\nspread through the Emotet botnet, and Trickbot’s Command and Control servers have been seen as IOCs during\r\ninvestigations of Ryuk ransomware infections. Trickbot has the ability to steal email credentials and address book\r\ninformation that is used to send malspam from the affected accounts. In 2020, Trickbot began to target Microsoft\r\nEntra ID DCs and bypass Windows UAC elevated privilege alerts. 
Trickbot can spread laterally through an internal\r\nnetwork.\r\nFormbook\r\nDescription: Formbook is a trojan information stealer spread through malspam with malicious document or\r\narchive attachments. It was first observed in 2017. It operates with the Malware-as-a-Service (MaaS) model,\r\nmaking it easy for cyber criminals to operate.\r\nNetwire\r\nDescription: NetWire is a remote access trojan (RAT) which has been widely used by cybercriminals since 2012.\r\nNetWire has a built-in keylogger that can capture inputs from peripheral devices such as USB card readers. Other\r\ntargets include credentials for online accounts and applications such as email, property management systems\r\n(PMS), and internet browsers. Other sensitive information typed by the user, including Social Security numbers,\r\nphone numbers, addresses, and birthdates can also be compromised. It has been used in attacks against banks and\r\nhealthcare companies, and by scammers to remotely control infected systems.\r\nMetaMorfo\r\nDescription: Metamorfo is a banking trojan first seen in April 2018. Metamorfo’s primary target location at the\r\nonset was Brazil. Today, its targets have spread to the USA, Chile, Spain, Mexico and others. The trojan gathers\r\nfinancial information, credit card numbers, and personal data.\r\nMetaMorfo: ‘Important Information’\r\nWe’re going to look into a malspam campaign that dropped the MetaMorfo payload.\r\nThe targets of this malspam campaign were primarily Brazilian citizens. The emails contained a malicious\r\nattachment that, when opened, would lead to the download of a zip archive. 
This file starts the malicious process to\r\ndrop MetaMorfo onto the victim’s system.\r\nEnglish Translation:\r\nDear User,\r\n• Read the conversation history that was sent to this email with WhatsApp Conversation at: 03/25/2020.txt\r\nThe hyperlink leads to:\r\nhxxp://www.servicosfcporto[.]com/upcloud7?WhatsApp_Historico_de_Conversas?whatsapphistorico/index.html?\r\nvisualizar=c06e8cf10aeaf00c33360d2b2bfb6792\r\nOne of the dropper/redirect domains redirecting to download malicious content from Dropbox\r\nA 301 redirect from one of the observed domains to download content from Dropbox\r\nCisco Umbrella was able to detect the redirect/dropper domains used in this campaign with intelligence from our\r\nstatistical models. We convicted the domain when we saw a suspicious spike in query traffic and other DNS factors.\r\nFor a deeper look into the statistical models that caught this campaign and others like it, please see some presented\r\nresearch here by Dhia Mahjoub.\r\nInvestigate shows a spike in query traffic from a dropper/redirect domain\r\nAllowing the MetaMorfo trojan to execute in a sandbox reveals a command and control server resolving to the\r\nfollowing IP addresses:\r\nInvestigate shows the IP addresses associated with this command and control server\r\nWe had the following top countries requesting these malicious domains on our resolvers:\r\nRequestor geo distribution:\r\nBrazil, US, Canada, China, Italy, Poland, Singapore, Russia, Ireland\r\nConclusion\r\nThreat actors will use what works to increase malware infections, and the current COVID-19 pandemic is no\r\ndifferent. 
Although it may seem urgent given the current circumstances, it’s best to treat any attachments or links\r\nreceived from unknown or even known individuals with caution before clicking.\r\nCisco continues to track malicious campaigns themed toward COVID-19 along with the many other tactics used\r\nby cyber criminals. Our statistical models analyze over 200 billion Internet requests per day, convicting malicious\r\ninfrastructure before it can be used in attack campaigns. We can also help you better protect all of your remote\r\nusers with Cisco Umbrella.\r\nTo learn more, check out this blog or start a free trial today.\r\nFor up to date information on how Cisco is following the latest in malware campaigns around COVID-19 scams,\r\nplease refer to the following articles:\r\nhttps://blog.talosintelligence.com/2020/03/covid-19-pandemic-threats.html\r\nhttps://blog.talosintelligence.com/2020/03/covid-19-relief-package.html\r\nhttps://support.umbrella.com/hc/en-us/articles/360041720451\r\nIOCs:\r\nSource: 
https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors"
	],
	"report_names": [
		"navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors"
	],
	"threat_actors": [],
	"ts_created_at": 1775434136,
	"ts_updated_at": 1775791268,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2175ef2623ca649b39c7920d6a2020f7d283de28.pdf",
		"text": "https://archive.orkl.eu/2175ef2623ca649b39c7920d6a2020f7d283de28.txt",
		"img": "https://archive.orkl.eu/2175ef2623ca649b39c7920d6a2020f7d283de28.jpg"
	}
}