{
	"id": "b216e6f0-2071-45be-a0b9-6e8135f17375",
	"created_at": "2026-04-06T00:17:51.450741Z",
	"updated_at": "2026-04-10T03:29:38.446169Z",
	"deleted_at": null,
	"sha1_hash": "2530e51b50eb69060aa03fba7832e9858fded3cd",
	"title": "Malicious Attackers Target Government and Medical Organizations With COVID-19 Themed Phishing Campaigns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4897089,
	"plain_text": "Malicious Attackers Target Government and Medical Organizations\r\nWith COVID-19 Themed Phishing Campaigns\r\nBy Adrian McCabe, Vicky Ray, Juan Cortes\r\nPublished: 2020-04-14 · Archived: 2026-04-05 22:56:20 UTC\r\nExecutive Summary\r\nDespite prior reporting by various sources indicating that some cyber threat attacker activity may subside in some respects\r\nduring the COVID-19 pandemic, Unit 42 has observed quite the opposite with regard to COVID-19 themed threats,\r\nparticularly in the realm of phishing attacks.\r\nWhile the various COVID-19 themed phishing campaigns observed by Unit 42 are numerous, this blog seeks to provide a\r\nthorough picture and solid technical analysis of the cross-section between the various types of COVID-19 themed threats\r\norganizations may be facing during the ongoing pandemic. Specifically, we address a ransomware variant (EDA2) observed\r\nin attacks on a Canadian government healthcare organization and a Canadian medical research university, as well as an\r\ninfostealer variant (AgentTesla) observed in attacks against various other targets (e.g, a United States defense research\r\nentity, a Turkish government agency managing public works, a German industrial manufacturing firm, a Korean chemical\r\nmanufacturer, a research institute located in Japan and medical research facilities in Canada).\r\nNone of the malware samples mentioned in this blog were successful in reaching their intended targets. 
Our threat\r\nprevention platform with WildFire detects activity associated with these threat groups while simultaneously updating the\r\n‘malware’ category within the URL Filtering solution for malicious and/or compromised domains that have been identified.\r\nRansomware Campaign\r\nCampaign Overview\r\nBetween March 24, 2020 at 18:25 UTC and March 26 at 11:54 UTC, Unit 42 observed several malicious emails sent from\r\nthe spoofed address noreply@who[.]int (the actual sender IP address at the time of the attack was 176.223.133[.]91) to several\r\nindividuals associated with a Canadian government health organization actively engaged in COVID-19 response efforts, and\r\na Canadian university conducting COVID-19 research. The emails all contained a malicious Rich Text Format (RTF)\r\nphishing lure with the file name 20200323-sitrep-63-covid-19.doc (SHA256:\r\n62d38f19e67013ce7b2a84cb17362c77e2f13134ee3f8743cbadde818483e617), which, when opened with a vulnerable\r\napplication, attempted to deliver a ransomware payload using a known shared Microsoft component vulnerability, CVE-2012-0158.\r\nIt is interesting to note that even though the file name clearly references a specific date (March 23, 2020), the file name was\r\nnot updated over the course of the campaign to reflect current dates. It is also interesting that the malware authors did not\r\nattempt to make their lures appear legitimate in any way; it is clear from the first page of the document that something is\r\namiss.\r\nhttps://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/\r\nPage 1 of 7\n\nFigure 1. Ransomware phishing lure\r\nSHA256: 62d38f19e67013ce7b2a84cb17362c77e2f13134ee3f8743cbadde818483e617\r\nSubjects: Coronavirus disease COVID19\r\nSpoofed Sender: noreply@who[.]int\r\nFile name: 20200323-sitrep-63-covid-19.doc\r\nC2 Domain: www.tempinfo.\r\nTable 1. 
Ransomware campaign attributes\r\nPost-Infection\r\nOnce opened with vulnerable document viewing software, the malicious attachment drops a ransomware binary to disk at\r\nC:\\Users\\\u003cvictim username\u003e\\AppData\\Local\\svchost.exe, then executes it. It is worth mentioning that the dropped binary\r\nhas the hidden attribute set, and has an Adobe Acrobat icon.\r\nWhen the ransomware binary is executed, an HTTP GET request for the resource tempinfo.96[.]lt/wras/RANSOM20.jpg is\r\ninitiated. This image is the main ransomware infection notification displayed to the victim:\r\nFigure 2. Ransomware image download network traffic\r\nFigure 3. Ransomware notification image\r\nThis image is then saved to disk at C:\\Users\\\u003cvictim username\u003e\\ransom20.jpg, and is subsequently set as the victim user’s\r\ndesktop wallpaper. At the time of the attack, the domain tempinfo.96[.]lt resolved to the IP address 31.170.167[.]123.\r\nAfter the image is downloaded, an HTTP POST request to the resource www.tempinfo.96[.]lt/wras/createkeys.php is made\r\ncontaining the user name and host name of the victim. Of particular note is that connectivity to the remote host is first\r\nchecked via an HTTP 100 Continue exchange before the malware transmits the host details:\r\nFigure 4. Network traffic, victim host detail transfer\r\nOnce the remote command and control (C2) server successfully receives the victim’s details, it then proceeds to create a\r\ncustom key based on the username/hostname details and sends the key back to the infected host for further processing. 
Once\r\nthe key is received from the C2 server, the infected host then initiates an HTTP POST request to the resource\r\nwww.tempinfo.96[.]lt/wras/savekey.php containing its hostname and the main decryption key for the host, which is itself\r\nAES encrypted:\r\nFigure 5. Network traffic, ransomware key exchange\r\nAt this point, encryption of the victim’s files begins. This particular ransomware binary is configured to encrypt files with\r\nthe following file extensions:\r\n\".abw\", \".aww\", \".chm\", \".dbx\", \".djvu\", \".doc\", \".docm\", \".docx\", \".dot\", \".dotm\", \".dotx\", \".epub\", \".gp4\", \".ind\", \".indd\",\r\n\".key\", \".keynote\", \".mht\", \".mpp\", \".odf\", \".ods\", \".odt\", \".ott\", \".oxps\", \".pages\", \".pdf\", \".pmd\", \".pot\", \".potx\", \".pps\",\r\n\".ppsx\", \".ppt\", \".pptm\", \".pptx\", \".prn\", \".prproj\", \".ps\", \".pub\", \".pwi\", \".rtf\", \".sdd\", \".sdw\", \".shs\", \".snp\", \".sxw\", \".tpl\",\r\n\".vsd\", \".wpd\", \".wps\", \".wri\", \".xps\", \".bak\", \".bbb\", \".bkf\", \".bkp\", \".dbk\", \".gho\", \".iso\", \".json\", \".mdbackup\", \".nba\",\r\n\".nbf\", \".nco\", \".nrg\", \".old\", \".rar\", \".sbf\", \".sbu\", \".spb\", \".spba\", \".tib\", \".wbcat\", \".zip\", \"7z\", \".dll\", \".dbf\"\r\nThe encryption algorithm is fairly simple, and, when encrypted, files are renamed with a .locked20 extension:\r\nFigure 6. Ransomware encryption source code\r\nAdditionally, this ransomware binary has a particularly substantial limitation: it is hardcoded to only encrypt files and\r\ndirectories that are on the victim’s desktop.\r\nFigure 7. 
Ransomware encryption initiation source code\r\nThreat Identification\r\nFrom the code structure of the binary and the host-based and network-based behaviors of the ransomware, Unit 42 has\r\ndetermined that the ransomware variant used in this attack is EDA2, an open-source ransomware variant associated with a\r\nlarger, parent ransomware family called HiddenTear.\r\nAdditional information on this ransomware variant can be found here.\r\nAgentTesla Campaign\r\nIt is not a surprise to see malspam actors also taking advantage of the ongoing COVID-19 pandemic crisis and using\r\nCOVID-19 as a lure to entice victims to click on malicious attachments and infect their systems. Figure 9 gives an example\r\nof one such malspam campaign with a COVID-19 lure.\r\nFigure 8. Malspam email with COVID-19 lure delivering AgentTesla\r\nSHA256:\r\nfd4b4799079cdd970eec3884bef4771624a55297086041fd4e7fcefb1a86d08e\r\n67b44bbf3f69e170f1e8ddea8d992dc83cfd351f06a28338b37dc16ad74826ef\r\n14f6b1979ccc5d29c7b143009472d1edcfcdf0025bc2fa84ee445f17f091dd9a\r\n590f84008dfd489fbf98d83e281fbb38c40d890169a9dbd482ff1f184cfb0970\r\nSubjects: COVID-19 Supplier Notice; Corporate advisory\r\nSender: shipping@liquidroam.com\r\nFile name: COVID-19 Supplier Notice/COVID-19 Supplier Notice.jpg.exe; CoronaVirus (Covid-19)/Corporate advisory Co\r\nInitial: ftp[.]lo; 157[.]2\r\nTable 2. AgentTesla campaign attributes\r\nFigure 10 shows the campaign flow where the email shipping@liquidroam[.]com was used to send the malspam emails to a\r\nnumber of our customers in the healthcare, pharmaceutical and government industries, among others. After further analysis of the\r\nattachments we found that the samples were droppers delivering variants of the AgentTesla malware family. AgentTesla is\r\nan info-stealing malware which has been around since 2014. 
Since AgentTesla has been sold in multiple forums commonly\r\nvisited by cyber criminals, its use has grown significantly in the past years and it has been one of the top malware families of\r\nchoice for the SilverTerrier threat actor, infamous for BEC campaigns. More details on the SilverTerrier campaigns can be\r\nfound in the recent Unit 42 update here.\r\nFigure 9. Maltego chart of the AgentTesla campaign\r\nAll the associated samples connected to the same C2 domain for exfiltration: ftp[.]lookmegarment[.]com. Our analysis also\r\nshows that the AgentTesla samples had hardcoded credentials used to communicate with the C2 over FTP. Figure 11 shows\r\nthe exfiltration over FTP, where the C2 is running a Pure-FTPd server.\r\nFigure 11. Network traffic, exfiltration\r\nIt is also important to note that the email sender domain, liquidroam[.]com, and the C2 domain, lookmegarment[.]com, are\r\nlegitimate business domains selling electric skateboards and garment textiles, respectively. It is likely that the domains\r\nhave been compromised and their infrastructure is being used in the wider campaign of the cyber criminals.\r\nConclusion\r\nThe objective of this blog was to give a deeper understanding of some of the types of cybercrime campaigns being faced by\r\nmultiple critical industries dealing with the urgent and critical response efforts of the COVID-19 pandemic. It is clear from\r\nthese cases that the threat actors who profit from cybercrime will go to any extent, including targeting organizations that are\r\non the front lines and responding to the pandemic on a daily basis.\r\nWhile this blog specifically focused on two campaigns, Unit 42 is tracking multiple campaigns with COVID-19 themes\r\nbeing used by threat actors on a daily basis and this trend is likely going to continue for weeks to come. 
We will continue\r\nupdating the Unit 42 blog with new findings and observations on how the ongoing COVID-19 pandemic is being leveraged\r\nby cyber criminals for illicit profit.\r\nPalo Alto Networks customers are already protected from the mentioned threats by:\r\nDeploying Threat IDs 1114703, 2878137, 2855181, 2850820, 2811429, 2888946\r\nWildFire successfully classifying the samples as malware\r\nC2 domains being classified as malicious in DNS Security\r\nIOCs\r\nRansomware Campaign:\r\nRTF Phishing Lure: 62d38f19e67013ce7b2a84cb17362c77e2f13134ee3f8743cbadde818483e617\r\nAdditional related RTF Lure (origin unknown):\r\n42f04025460e5a6fc16d6182ee264d103d9bcd03fffd782c10f0b2e82b84f768\r\nRansomware Binary:\r\n2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326\r\nMailing Infrastructure:\r\n176.223.133[.]91\r\nC2:\r\ntempinfo.96[.]lt\r\n31.170.167[.]123\r\nAgentTesla Campaign:\r\nAgentTesla Samples:\r\nfd4b4799079cdd970eec3884bef4771624a55297086041fd4e7fcefb1a86d08e\r\n67b44bbf3f69e170f1e8ddea8d992dc83cfd351f06a28338b37dc16ad74826ef\r\n14f6b1979ccc5d29c7b143009472d1edcfcdf0025bc2fa84ee445f17f091dd9a\r\n590f84008dfd489fbf98d83e281fbb38c40d890169a9dbd482ff1f184cfb0970\r\n408bd4ffdff006738289dc51f1e51b00662508628ef8bb6147e3d88d4740ec4b\r\nC2:\r\nftp[.]lookmegarment[.]com\r\n157[.]245.78[.]47\r\nSource: https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/"
	],
	"report_names": [
		"covid-19-themed-cyber-attacks-target-government-and-medical-organizations"
	],
	"threat_actors": [
		{
			"id": "aa57c036-b3e5-4bc4-83b8-cac8498b6c24",
			"created_at": "2023-01-06T13:46:38.589041Z",
			"updated_at": "2026-04-10T02:00:03.03199Z",
			"deleted_at": null,
			"main_name": "SilverTerrier",
			"aliases": [],
			"source_name": "MISPGALAXY:SilverTerrier",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ecff5c60-4f8b-4d7c-9784-f279eb056518",
			"created_at": "2022-10-25T15:50:23.49538Z",
			"updated_at": "2026-04-10T02:00:05.40672Z",
			"deleted_at": null,
			"main_name": "SilverTerrier",
			"aliases": [
				"SilverTerrier"
			],
			"source_name": "MITRE:SilverTerrier",
			"tools": [
				"NanoCore",
				"Agent Tesla",
				"NETWIRE",
				"DarkComet",
				"Lokibot"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434671,
	"ts_updated_at": 1775791778,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2530e51b50eb69060aa03fba7832e9858fded3cd.pdf",
		"text": "https://archive.orkl.eu/2530e51b50eb69060aa03fba7832e9858fded3cd.txt",
		"img": "https://archive.orkl.eu/2530e51b50eb69060aa03fba7832e9858fded3cd.jpg"
	}
}