Fake "Corona Antivirus" distributes BlackNET remote administration tool | Malwarebytes Labs
By Threat Intelligence Team
Published: 2020-03-22 · Archived: 2026-04-05 20:05:27 UTC
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/

Scammers and malware authors are taking full advantage of the coronavirus crisis. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers.

As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful about bogus security software, especially if it tries to use the coronavirus as a selling point.

Corona antivirus: 100% fake

The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world.

To add to the nonsense, the site goes on to add:

    "Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running."

Infected victims added to BlackNET RAT

Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida, turns your PC into a bot ready to receive commands:

hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed]
hxxps[://]instaboom-hello[.]site//g

The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet.

The full source code for this toolkit was published on GitHub a month ago. Some of its features include:

Deploying DDoS attacks
Taking screenshots
Stealing Firefox cookies
Stealing saved passwords
Implementing a keylogger
Executing scripts
Stealing Bitcoin wallets

Choose the right protection

During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is.

We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends.

Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine.

We also informed Cloudflare, since the threat actors were abusing their service, and they took immediate action to flag this website as a phish.

Indicators of compromise

Malicious site
antivirus-covid19[.]site

Bogus corona antivirus
antivirus-covid19[.]site/update.exe
146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4

C2 panel
instaboom-hello[.]site
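
The indicators this post lists can be checked against web proxy logs and downloaded files as sketched here. This is an added example, not code from the original post or from Malwarebytes; the log layout (timestamp, client, method, target, status), the sample lines, and the choice to also match subdomains of the listed domains are assumptions.

```python
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# Indicators exactly as printed (defanged) in the post.
DEFANGED = {
    "lure_domain": "antivirus-covid19[.]site",
    "dropper_url": "antivirus-covid19[.]site/update.exe",
    "c2_domain": "instaboom-hello[.]site",
    "c2_checkin": "hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed]",
}
DROPPER_SHA256 = "146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4"


def refang(indicator):
    """Undo the post's defanging: hxxp -> http, [://] -> ://, [.] -> ."""
    out = re.sub(r"^hxxp", "http", indicator, flags=re.I)
    return out.replace("[://]", "://").replace("[.]", ".")


LURE = refang(DEFANGED["lure_domain"])
C2 = refang(DEFANGED["c2_domain"])
DROPPER_PATH = "/" + refang(DEFANGED["dropper_url"]).split("/", 1)[1]
_checkin = urlsplit(refang(DEFANGED["c2_checkin"]))
CHECKIN_FILE = _checkin.path.strip("/")          # script name of the check-in URL
CHECKIN_PARAM = _checkin.query.split("=", 1)[0]  # its query parameter name


def _host_in(host, domain):
    # Exact domain or a subdomain of it (assumption); never a bare suffix match,
    # so "notinstaboom-hello.site" and "x.site.example.org" do not hit.
    return host == domain or host.endswith("." + domain)


def classify(target):
    """Return a verdict for one requested URL or CONNECT authority, else None."""
    has_scheme = re.match(r"^[a-z][a-z0-9+.-]*://", target, re.I)
    try:
        parts = urlsplit(target if has_scheme else "//" + target)
        host = (parts.hostname or "").rstrip(".")
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return None
    # The check-in URL in the post has a doubled slash; collapse before comparing.
    path = re.sub(r"/{2,}", "/", parts.path).lower()
    if _host_in(host, LURE):
        return "dropper-download" if path == DROPPER_PATH else "lure-site-visit"
    if _host_in(host, C2):
        params = parse_qs(parts.query, keep_blank_values=True)
        if path.endswith("/" + CHECKIN_FILE) and CHECKIN_PARAM in params:
            return "c2-checkin"
        return "c2-contact"
    return None


def scan_proxy_log(lines):
    """Return (line_number, client, verdict) for every line that hits an indicator."""
    findings = []
    for number, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:  # skip truncated or malformed records
            continue
        client, target = fields[1], fields[3]
        verdict = classify(target)
        if verdict:
            findings.append((number, client, verdict))
    return findings


def is_known_dropper(data):
    """True if the bytes hash to the SHA-256 the post lists for update.exe."""
    return hashlib.sha256(data).hexdigest() == DROPPER_SHA256


# Constructed sample records (not real traffic) in the assumed log layout.
SAMPLE_LOG = [
    "2020-03-20T09:01:11Z 10.0.0.23 GET http://antivirus-covid19.site/ 200",
    "2020-03-20T09:01:40Z 10.0.0.23 GET http://ANTIVIRUS-COVID19.SITE:80/update.exe 200",
    "2020-03-20T09:03:02Z 10.0.0.23 GET https://instaboom-hello.site//connection.php?data=AAAA 200",
    "2020-03-20T09:04:10Z 10.0.0.41 CONNECT instaboom-hello.site:443 200",
    "2020-03-20T09:05:00Z 10.0.0.77 GET https://antivirus-covid19.site.example.org/update.exe 200",
    "2020-03-20T09:05:30Z 10.0.0.77 GET https://example.org/?ref=instaboom-hello.site 200",
    "truncated line",
]

if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_LOG):
        print(finding)
```

A client that shows a dropper download followed by a check-in, like 10.0.0.23 in the sample, is the one to triage first; a bare domain contact may only mean the lure page was opened.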
Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 55 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 56 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 57 of 1696 The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 58 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 59 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. 
Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 60 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 61 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 62 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 63 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. 
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 64 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 65 of 1696 Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 66 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 67 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 68 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 69 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. 
Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 70 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 71 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 72 of 1696 The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 73 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 74 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. 
Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 75 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 76 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 77 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 78 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. 
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 79 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 80 of 1696 hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 81 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 82 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 83 of 1696 Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets Choose the right protection During this period, it is important to stay safe both at home and online. 
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 84 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 85 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 86 of 1696 The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 87 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 88 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 89 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. 
The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 90 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 91 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 92 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 93 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 94 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. 
The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 95 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 96 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 97 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 98 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 99 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 100 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. 
Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 101 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 102 of 1696 Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 103 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 104 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 105 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 106 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. 
Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 107 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 108 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 109 of 1696 The full source code for this toolkit was published on GitHub a month ago. 
Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point.

Corona antivirus: 100% fake

The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world.

To add to the nonsense, the site goes on by adding:

“Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running.”

Infected victims added to BlackNET RAT

Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida, turns your PC into a bot ready to receive commands:

hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed]
hxxps[://]instaboom-hello[.]site//g

The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet.

The full source code for this toolkit was published on GitHub a month ago. Some of its features include:

Deploying DDoS attacks
Taking screenshots
Stealing Firefox cookies
Stealing saved passwords
Implementing a keylogger
Executing scripts
Stealing Bitcoin wallets

Choose the right protection

During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is.

We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends.

Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our machine learning engine.

We also informed Cloudflare since the threat actors were abusing their service and they took immediate action to flag this website as a phish.

Indicators of compromise

Malicious site
antivirus-covid19[.]site

Bogus corona antivirus
antivirus-covid19[.]site/update.exe
146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4

C2 panel
instaboom-hello[.]site
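The indicators published above are defanged, so they have to be refanged before they can be matched against web proxy logs. The following is an added example, not code from the original article or from Malwarebytes: it refangs the page's indicators and classifies proxy log lines as lure visit, payload download, C2 check-in or payload hash match. The six-field log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators exactly as published in the article (defanged).
PUBLISHED_IOCS = {
    "lure_site": "antivirus-covid19[.]site",
    "payload_url": "antivirus-covid19[.]site/update.exe",
    "payload_sha256": "146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4",
    "c2_panel": "instaboom-hello[.]site",
    "c2_checkin": "hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed]",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable string."""
    return (indicator.replace("hxxp", "http")
                     .replace("[://]", "://")
                     .replace("[.]", "."))


def squeeze_slashes(path: str) -> str:
    """The published check-in URL has a doubled slash; normalise before comparing."""
    return re.sub(r"/{2,}", "/", path)


LURE = refang(PUBLISHED_IOCS["lure_site"])
C2 = refang(PUBLISHED_IOCS["c2_panel"])
PAYLOAD_HASH = PUBLISHED_IOCS["payload_sha256"]
PAYLOAD_PATH = "/" + refang(PUBLISHED_IOCS["payload_url"]).partition("/")[2]
_checkin = urlsplit(refang(PUBLISHED_IOCS["c2_checkin"]))
CHECKIN_PATH = squeeze_slashes(_checkin.path)      # "/connection.php"
CHECKIN_PARAM = _checkin.query.split("=", 1)[0]    # "data"


def host_matches(host: str, domain: str) -> bool:
    """Exact host or a subdomain of it; look-alike prefixes and suffixes do not match."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify(line: str):
    """Return the reasons a log line matches the indicators (empty list if none).

    Assumed log format (constructed for this example):
    timestamp client_ip method url status sha256_of_response_or_dash
    """
    parts = line.split()
    if len(parts) != 6:
        return []
    _ts, _client, _method, url, _status, sha256 = parts
    try:
        u = urlsplit(url)
    except ValueError:
        return []
    host = u.hostname or ""
    path = squeeze_slashes(u.path)
    reasons = []
    if sha256.lower() == PAYLOAD_HASH:
        reasons.append("payload_hash")          # same file, whatever host served it
    if host_matches(host, C2):
        params = parse_qs(u.query, keep_blank_values=True)
        is_checkin = path == CHECKIN_PATH and CHECKIN_PARAM in params
        reasons.append("c2_checkin" if is_checkin else "c2_contact")
    if host_matches(host, LURE):
        reasons.append("payload_download" if path == PAYLOAD_PATH else "lure_visit")
    return reasons


def scan(lines):
    """Map each client IP to the sorted set of reasons seen for it."""
    hits = {}
    for line in lines:
        reasons = classify(line)
        if reasons:
            client = line.split()[1]
            hits.setdefault(client, set()).update(reasons)
    return {client: sorted(r) for client, r in hits.items()}


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2020-03-20T10:14:40Z 10.0.0.23 GET https://antivirus-covid19.site/ 200 -",
    "2020-03-20T10:14:55Z 10.0.0.23 GET https://antivirus-covid19.site/update.exe 200 " + PAYLOAD_HASH,
    "2020-03-20T10:16:02Z 10.0.0.23 GET https://instaboom-hello.site//connection.php?data=Q09OU1RSVUNURUQ 200 -",
    "2020-03-20T10:17:30Z 10.0.0.41 GET https://antivirus-covid19.site.example.org/update.exe 200 -",
    "2020-03-20T10:18:11Z 10.0.0.41 GET https://notinstaboom-hello.site/connection.php?data=x 200 -",
    "2020-03-20T10:19:47Z 10.0.0.57 GET https://files.example.net/tools/setup.exe 200 " + PAYLOAD_HASH,
]

if __name__ == "__main__":
    for client, reasons in scan(SAMPLE_LOG).items():
        print(client, ", ".join(reasons))
```

A client showing both `payload_download` and `c2_check-in`-type hits is the strongest signal of an installed bot; a `payload_hash` hit alone means the same file arrived from a host the article does not list.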
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 117 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 118 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 119 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 120 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. 
Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 121 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 122 of 1696 Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 123 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 124 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 125 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 126 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 127 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 128 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 129 of 1696 The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 130 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 131 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. 
Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 132 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 133 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 134 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 135 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. 
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 136 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 137 of 1696 Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 138 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. Corona antivirus: 100% fake https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 139 of 1696 The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 140 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 141 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 142 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 143 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers.

As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point.

Corona antivirus: 100% fake

The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world.

To add to the nonsense, the site goes on by adding:

Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running.
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 155 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 156 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 157 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 158 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 159 of 1696 hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 160 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 161 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 162 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 163 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 164 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 165 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 166 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 167 of 1696 Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 168 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 169 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. 
The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 170 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 171 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 172 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 173 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 174 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 175 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. 
Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 176 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 177 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 178 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 179 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 180 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 181 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 182 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 183 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 184 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. 
Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 185 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 186 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 187 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 188 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 189 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 190 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 191 of 1696 Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 192 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 193 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. 
The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 194 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 195 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 196 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 197 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 198 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 199 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. 
Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers.

As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point.

Corona antivirus: 100% fake

The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world.

To add to the nonsense, the site goes on to add:

“Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running.”

Infected victims added to BlackNET RAT

Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida, turns your PC into a bot ready to receive commands:

hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed]
hxxps[://]instaboom-hello[.]site//g

The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet.

The full source code for this toolkit was published on GitHub a month ago. Some of its features include:

Deploying DDoS attacks
Taking screenshots
Stealing Firefox cookies
Stealing saved passwords
Implementing a keylogger
Executing scripts
Stealing Bitcoin wallets

Choose the right protection

During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is.

We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends.

Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our machine learning engine.

We also informed Cloudflare since the threat actors were abusing their service, and they took immediate action to flag this website as a phish.

Indicators of compromise

Malicious site
antivirus-covid19[.]site

Bogus corona antivirus
antivirus-covid19[.]site/update.exe
146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4

C2 panel
instaboom-hello[.]site
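The indicators published in this article can be turned into a retrospective check over web proxy logs. The following is an added example, not part of the original Malwarebytes post: it refangs the article's indicators and matches them by exact host (or subdomain), path and query parameter so that lookalike domains do not trigger. The five-field log format, the sample lines, the `data=` value and all function names are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicators as published in the article, kept defanged in the source text.
PUBLISHED = {
    "malicious-site": "antivirus-covid19[.]site",
    "payload-url": "antivirus-covid19[.]site/update.exe",
    "c2-panel": "instaboom-hello[.]site",
    "c2-checkin": "hxxps[://]instaboom-hello[.]site//connection[.]php?data=",
}
PAYLOAD_SHA256 = "146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4"

SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)


def refang(text):
    """Undo the defanging conventions used in the article (hxxp, [.], [://])."""
    text = re.sub(r"\bhxxp(s?)\b", r"http\1", text, flags=re.I)
    return text.replace("[://]", "://").replace("[.]", ".").replace("[:]", ":")


def split_url(url):
    """Return (host, path, query) for a full URL or a bare host[:port][/path]."""
    if not SCHEME.match(url):
        url = "//" + url  # lets urlsplit find the host on scheme-less input
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    # Collapse doubled slashes: the article's check-in URL uses "//connection.php".
    path = re.sub(r"/{2,}", "/", parts.path) or "/"
    return host, path.lower(), parts.query


def build_rules():
    """Turn each published indicator into (name, host, path or None, param or None)."""
    rules = []
    for name, defanged in PUBLISHED.items():
        host, path, query = split_url(refang(defanged))
        param = query.split("=")[0] if query else None
        rules.append((name, host, None if path == "/" else path, param))
    return rules


RULES = build_rules()


def match_url(url):
    """Return the names of all indicators that a requested URL matches."""
    host, path, query = split_url(url)
    hits = []
    for name, ioc_host, ioc_path, ioc_param in RULES:
        # Exact host or a true subdomain; suffix-only lookalikes are rejected.
        if host != ioc_host and not host.endswith("." + ioc_host):
            continue
        if ioc_path and path != ioc_path:
            continue
        if ioc_param and ioc_param not in parse_qs(query, keep_blank_values=True):
            continue
        hits.append(name)
    return hits


def is_payload_hash(digest):
    """Compare a SHA-256 hex digest from endpoint telemetry with the published one."""
    return digest.strip().lower() == PAYLOAD_SHA256


def scan_proxy_log(lines):
    """Return (line number, client, indicator names) for every matching line."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) != 5:
            continue  # does not fit the assumed "ts client method url status" format
        _ts, client, _method, url, _status = fields
        hits = match_url(url)
        if hits:
            findings.append((lineno, client, hits))
    return findings


# Constructed sample log. Lines are stored defanged and refanged at load time,
# since a real proxy log would contain the plain hostnames.
SAMPLE_PROXY_LOG = [refang(line) for line in """\
2020-03-21T09:14:02Z 10.0.4.17 GET hxxp[://]antivirus-covid19[.]site/update.exe 200
2020-03-21T09:14:40Z 10.0.4.17 GET hxxps[://]instaboom-hello[.]site//connection[.]php?data=QUJD 200
2020-03-21T09:15:05Z 10.0.4.22 CONNECT instaboom-hello[.]site:443 200
2020-03-21T09:16:11Z 10.0.4.30 GET hxxps[://]antivirus-covid19[.]site.example[.]org/update.exe 200
2020-03-21T09:17:45Z 10.0.4.31 GET hxxps[://]notinstaboom-hello[.]site/ 404
2020-03-21T09:18:00Z 10.0.4.32 GET HXXP[://]WWW.Antivirus-COVID19[.]site/ 200
malformed line
""".splitlines()]

if __name__ == "__main__":
    for lineno, client, hits in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {lineno}: {client} -> {', '.join(hits)}")
```

A client that appears under both `payload-url` and `c2-checkin`, like 10.0.4.17 in the constructed sample, downloaded the file and then contacted the C2 panel, which makes it the first host to triage.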
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 208 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 209 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 210 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 211 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. 
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 212 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 213 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 214 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 215 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 216 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. 
Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 217 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 218 of 1696 Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 219 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 220 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 221 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 222 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 223 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 224 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 225 of 1696 The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 226 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 227 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. 
Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 228 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 229 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 230 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 231 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. 
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 232 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 233 of 1696 hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 234 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 235 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 236 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. 
The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 237 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 238 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 239 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 240 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 241 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. 
The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 242 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 243 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 244 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers.

As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point.

Corona antivirus: 100% fake

The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world.

To add to the nonsense, the site goes on by adding:

“Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running.”

Infected victims added to BlackNET RAT

Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida, turns your PC into a bot ready to receive commands:

hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed]
hxxps[://]instaboom-hello[.]site//g

The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet.

The full source code for this toolkit was published on GitHub a month ago. Some of its features include:

- Deploying DDoS attacks
- Taking screenshots
- Stealing Firefox cookies
- Stealing saved passwords
- Implementing a keylogger
- Executing scripts
- Stealing Bitcoin wallets

Choose the right protection

During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is.

We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends.

Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our machine learning engine.

We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish.

Indicators of compromise

Malicious site
antivirus-covid19[.]site

Bogus corona antivirus
antivirus-covid19[.]site/update.exe
146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4

C2 panel
instaboom-hello[.]site
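For defenders who want to hunt for this campaign, the following added example (not part of the original article) refangs the published indicators and classifies proxy log entries as a lure-site visit, a payload download or a bot check-in to the C2 panel. The log format, timestamps and client addresses are constructed, and it assumes a proxy that records full URLs, including for HTTPS traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators exactly as published in the article (defanged).
DEFANGED_HOSTS = {
    "download_site": "antivirus-covid19[.]site",
    "c2_panel": "instaboom-hello[.]site",
}
PAYLOAD_SHA256 = "146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4"


def refang(indicator):
    """Convert a defanged indicator (hxxp, [://], [.]) into matchable form."""
    indicator = indicator.replace("[://]", "://").replace("[.]", ".")
    return re.sub(r"^hxxp", "http", indicator, flags=re.IGNORECASE)


BAD_HOSTS = {refang(h).lower(): role for role, h in DEFANGED_HOSTS.items()}


def host_role(hostname):
    """Return the indicator role for an exact host or one of its subdomains."""
    if not hostname:
        return None
    hostname = hostname.lower().rstrip(".")
    for bad, role in BAD_HOSTS.items():
        # Suffix match on a label boundary, never a plain substring match.
        if hostname == bad or hostname.endswith("." + bad):
            return role
    return None


def classify_url(url):
    """Label a URL as payload_download, lure_site_visit, c2_checkin, c2_contact or None."""
    if "://" not in url:
        url = "http://" + url  # logs sometimes omit the scheme
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    role = host_role(parts.hostname)
    if role is None:
        return None
    # The published check-in URL has a doubled slash, so collapse repeats.
    path = re.sub(r"/+", "/", parts.path).lower()
    if role == "download_site":
        return "payload_download" if path == "/update.exe" else "lure_site_visit"
    query = parse_qs(parts.query, keep_blank_values=True)
    if path == "/connection.php" and "data" in query:
        return "c2_checkin"
    return "c2_contact"


def is_known_payload(sha256_hex):
    """Compare a hash reported by EDR or a file scan with the published one."""
    return sha256_hex.strip().lower() == PAYLOAD_SHA256


def scan_proxy_log(lines):
    """Return (client, verdict, url) for every log line that hits an indicator."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5:  # skip malformed lines
            continue
        _ts, client, _method, url, _status = fields
        verdict = classify_url(url)
        if verdict:
            hits.append((client, verdict, url))
    return hits


# Constructed sample log: "timestamp client method url status".
SAMPLE_PROXY_LOG = [
    "2020-03-20T10:01:12Z 10.0.0.15 GET http://antivirus-covid19.site/ 200",
    "2020-03-20T10:01:40Z 10.0.0.15 GET http://antivirus-covid19.site/update.exe 200",
    "2020-03-20T10:03:02Z 10.0.0.15 GET https://instaboom-hello.site//connection.php?data=CONSTRUCTED 200",
    "2020-03-20T10:04:00Z 10.0.0.22 GET https://example.com/connection.php?data=1 200",
    "2020-03-20T10:05:00Z 10.0.0.22 GET https://notantivirus-covid19.site.example.org/update.exe 200",
]

if __name__ == "__main__":
    for client, verdict, url in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(client, verdict, url)
```

A host that shows a payload download followed by a check-in, as 10.0.0.15 does in the sample, should be treated as infected rather than merely exposed to the lure.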
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 306 of 1696 Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 307 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 308 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. 
The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 309 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 310 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 311 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 312 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 313 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 314 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. 
Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 315 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 316 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 317 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 318 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 319 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 320 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 321 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 322 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. 
The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 323 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 324 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 325 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 326 of 1696 hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 327 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 328 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 329 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 330 of 1696 The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 331 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 332 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. 
Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 333 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 334 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 335 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 336 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. 
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 337 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 338 of 1696 Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 339 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 340 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 341 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 342 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. 
Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 343 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 344 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 345 of 1696 The full source code for this toolkit was published on GitHub a month ago. 
Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers.

As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point.

Corona antivirus: 100% fake

The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world.

To add to the nonsense, the site goes on by adding:

Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running.

Infected victims added to BlackNET RAT

Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida, turns your PC into a bot ready to receive commands:

hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed]
hxxps[://]instaboom-hello[.]site//g

The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet.

The full source code for this toolkit was published on GitHub a month ago. Some of its features include:

Deploying DDoS attacks
Taking screenshots
Stealing Firefox cookies
Stealing saved passwords
Implementing a keylogger
Executing scripts
Stealing Bitcoin wallets

Choose the right protection

During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is.

We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends.

Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine.

We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish.

Indicators of compromise

Malicious site
antivirus-covid19[.]site

Bogus corona antivirus
antivirus-covid19[.]site/update.exe
146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4

C2 panel
instaboom-hello[.]site
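The indicators of compromise listed in this post can be checked against web-proxy logs. The following is an added example, not code from Malwarebytes or from the original post: it refangs the published indicators and flags visits to the delivery site, the payload download, the C2 check-in path and the file hash. The six-field log format, the log lines and the finding labels are constructed assumptions.

```python
"""Match proxy-log entries against the indicators published in this post.

Added example. The log format and every log line below are constructed.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Indicators exactly as published in the post (still defanged).
DELIVERY_SITE = "antivirus-covid19[.]site"
PAYLOAD_URL = "antivirus-covid19[.]site/update.exe"
PAYLOAD_HASH = "146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4"
C2_SITE = "instaboom-hello[.]site"
C2_CHECKIN = "hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed]"


def refang(text):
    """Undo the defanging used in reports (hxxp, [.], [://])."""
    text = re.sub(r"hxxp", "http", text, flags=re.I)
    return text.replace("[://]", "://").replace("[.]", ".")


def split_url(raw):
    """Return (host, path, query dict) with host and path normalised."""
    url = refang(raw.strip())
    if "://" not in url:
        url = "http://" + url              # bare host/path, as some logs record it
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")   # lower-cased, port removed
    except ValueError:                     # malformed URL: nothing to match on
        return "", "/", {}
    path = re.sub(r"/{2,}", "/", parts.path) or "/"  # the post's C2 URLs use "//"
    return host, path, parse_qs(parts.query, keep_blank_values=True)


def host_matches(host, indicator):
    """True for the indicator domain or a subdomain, not for look-alikes."""
    return host == indicator or host.endswith("." + indicator)


DELIVERY_HOST = refang(DELIVERY_SITE)
C2_HOST = refang(C2_SITE)
PAYLOAD_PATH = split_url(PAYLOAD_URL)[1]    # "/update.exe"
C2_PATH = split_url(C2_CHECKIN)[1]          # "/connection.php"


def classify(url, file_hash=""):
    """Return the finding labels (constructed names) that apply to one request."""
    host, path, query = split_url(url)
    hits = []
    if host_matches(host, DELIVERY_HOST):
        hits.append("delivery-site")
        if path.lower() == PAYLOAD_PATH:
            hits.append("payload-download")
    if host_matches(host, C2_HOST):
        hits.append("c2-host")
        if path.lower() == C2_PATH and "data" in query:
            hits.append("c2-checkin")
    # The hash is checked independently of the host: the same file may be
    # served from somewhere other than the site named in the post.
    if file_hash.lower() == PAYLOAD_HASH:
        hits.append("payload-hash")
    return hits


def scan(lines):
    """Return {client_ip: sorted finding labels} for lines that match."""
    findings = {}
    for line in lines:
        fields = line.split()
        if len(fields) != 6:
            continue                        # not in the assumed six-field format
        _ts, client, _method, url, _status, file_hash = fields
        hits = classify(url, "" if file_hash == "-" else file_hash)
        if hits:
            findings.setdefault(client, set()).update(hits)
    return {ip: sorted(labels) for ip, labels in findings.items()}


# Constructed log lines: timestamp, client, method, URL, status, file hash.
SAMPLE_LOG = [
    "2020-03-20T10:01:02Z 10.0.0.15 GET http://antivirus-covid19.site/ 200 -",
    f"2020-03-20T10:01:09Z 10.0.0.15 GET http://Antivirus-COVID19.site:80/update.exe 200 {PAYLOAD_HASH}",
    "2020-03-20T10:03:30Z 10.0.0.15 GET https://instaboom-hello.site//connection.php?data=CONSTRUCTED 200 -",
    # Look-alike host that merely starts with the C2 name: must not match.
    "2020-03-20T10:04:00Z 10.0.0.22 GET https://instaboom-hello.site.example.net/connection.php?data=x 200 -",
    # Same file hash served from an unrelated host: hash match only.
    f"2020-03-20T10:05:00Z 10.0.0.31 GET http://mirror.example.org/tool.exe 200 {PAYLOAD_HASH}",
    "2020-03-20T10:06:00Z 10.0.0.40 GET https://example.com/index.html 200 -",
]

if __name__ == "__main__":
    for ip, labels in scan(SAMPLE_LOG).items():
        print(ip, ", ".join(labels))
```

Matching on whole domain labels rather than substrings keeps look-alike hosts from producing false positives, and collapsing repeated slashes lets the check-in path match however the proxy recorded it.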
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 354 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. Corona antivirus: 100% fake https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 355 of 1696 The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 356 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 357 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 358 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 359 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 360 of 1696 hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 361 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 362 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 363 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 364 of 1696 The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 365 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 366 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. 
Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 367 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 368 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 369 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 370 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. 
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 371 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 372 of 1696 Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 373 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 374 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 375 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 376 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. 
Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 377 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 378 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 379 of 1696 The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 380 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 381 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. 
Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 382 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 383 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 384 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 385 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. 
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 386 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 387 of 1696 hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 388 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 389 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. 
Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 390 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 391 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 392 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 393 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. 
Scammers and malware authors are taking full advantage of the coronavirus crisis. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers.

As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point.

Corona antivirus: 100% fake

The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world.

To add to the nonsense, the site goes on to add:

“Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running.”

Infected victims added to BlackNET RAT

Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida, turns your PC into a bot ready to receive commands:

hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed]
hxxps[://]instaboom-hello[.]site//g

The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet.

The full source code for this toolkit was published on GitHub a month ago. Some of its features include:

- Deploying DDoS attacks
- Taking screenshots
- Stealing Firefox cookies
- Stealing saved passwords
- Implementing a keylogger
- Executing scripts
- Stealing Bitcoin wallets

Choose the right protection

During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is.

We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends.

Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our machine learning engine.

We also informed Cloudflare, since the threat actors were abusing their service, and they took immediate action to flag this website as a phish.

Indicators of compromise

Malicious site
antivirus-covid19[.]site

Bogus corona antivirus
antivirus-covid19[.]site/update.exe
146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4

C2 panel
instaboom-hello[.]site
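As an added example (not part of the original article and not Malwarebytes code), the Python below refangs the indicators listed on this page and matches them against web proxy log lines, separating hosts that only reached the lure site from hosts that contacted the C2 panel. The log format, the sample lines and all function names are constructed for illustration.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Indicators copied from this article, kept defanged as published.
DEFANGED_DOMAINS = {
    "antivirus-covid19[.]site": "lure site / fake antivirus download",
    "instaboom-hello[.]site": "BlackNET C2 panel",
}
DROPPER_SHA256 = "146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4"


def refang(text):
    """Undo common defanging (hxxp, [://], [.]) so values can be matched."""
    text = re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)
    return text.replace("[://]", "://").replace("[.]", ".")


IOC_DOMAINS = {refang(d): why for d, why in DEFANGED_DOMAINS.items()}
C2_DOMAIN = refang("instaboom-hello[.]site")


def host_of(url):
    """Lower-cased host of a URL, without port or trailing dot."""
    url = refang(url)
    if "://" not in url:
        url = "http://" + url  # CONNECT entries often log host:port only
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:  # malformed entry; treat as no host
        return ""
    return host.rstrip(".").lower()


def match_domain(host):
    """Return the IoC domain that host equals or is a subdomain of, else None.

    Matching on label boundaries avoids false hits on look-alike names
    that merely contain the indicator as a substring.
    """
    for domain in IOC_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan_proxy_log(lines):
    """Return (line_number, client, ioc_domain, reason) for each hit.

    Assumed line format (constructed for this example):
    <timestamp> <client-ip> <method> <url> <status>
    """
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:
            continue
        client, url = fields[1], fields[3]
        domain = match_domain(host_of(url))
        if domain:
            hits.append((n, client, domain, IOC_DOMAINS[domain]))
    return hits


def triage(hits):
    """C2 contact suggests infection; lure-site traffic alone suggests exposure."""
    infected = {client for _, client, domain, _ in hits if domain == C2_DOMAIN}
    exposed = {client for _, client, _, _ in hits} - infected
    return {"likely_infected": sorted(infected), "exposed": sorted(exposed)}


def is_known_dropper(data):
    """True if the bytes hash to the update.exe SHA-256 from the article."""
    return hashlib.sha256(data).hexdigest() == DROPPER_SHA256


# Constructed sample log; client IPs are from a documentation range.
SAMPLE_LOG = """\
2020-03-22T10:01:07Z 192.0.2.10 GET https://www.example.com/index.html 200
2020-03-22T10:02:41Z 192.0.2.23 GET http://antivirus-covid19.site/update.exe 200
2020-03-22T10:02:55Z 192.0.2.23 CONNECT instaboom-hello.site:443 200
2020-03-22T10:03:10Z 192.0.2.31 GET https://notinstaboom-hello.site/ 200
2020-03-22T10:04:02Z 192.0.2.44 GET https://WWW.Antivirus-Covid19.SITE./ 403
""".splitlines()

if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print(triage(found))
```
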
Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 453 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 454 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 455 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 456 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. 
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 457 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 458 of 1696 Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 459 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 460 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 461 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 462 of 1696 The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 463 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 464 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. 
Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 465 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 466 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 467 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 468 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. 
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 469 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 470 of 1696 hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 471 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 472 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 473 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. 
The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 474 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 475 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 476 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 477 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 478 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. 
The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 479 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 480 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 481 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 482 of 1696 Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 483 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 484 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. 
The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 485 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 486 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 487 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 488 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 489 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 490 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. 
Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 491 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 492 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. 
Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers.

As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point.

Corona antivirus: 100% fake

The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world.

To add to the nonsense, the site goes on by adding:

Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running.
Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 511 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 512 of 1696 hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 513 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. 
Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 514 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 515 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 516 of 1696 The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 517 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 518 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. 
Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 519 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 520 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 521 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 522 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. 
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 523 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 524 of 1696 Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 525 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 526 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 527 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 528 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. 
Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 529 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 530 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 531 of 1696 The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 532 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 533 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. 
Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 534 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 535 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 536 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 537 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. 
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 538 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 539 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 540 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 541 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 542 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 543 of 1696 Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 544 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 545 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 546 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 547 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 548 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 549 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers.

As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point.

Corona antivirus: 100% fake

The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus - World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world.

To add to the nonsense, the site goes on by adding:

“Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running.”
The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 552 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 553 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 554 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 555 of 1696 hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 556 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 557 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 558 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 559 of 1696 The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 560 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 561 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. 
Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 562 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 563 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 564 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 565 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. 
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 566 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 567 of 1696 Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 568 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 569 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 570 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 571 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. 
Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 572 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 573 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 574 of 1696 The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 575 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 576 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. 
Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 577 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 578 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 579 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 580 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. 
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 581 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 582 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 583 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 584 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 585 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. 
Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 586 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 587 of 1696 Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 588 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 589 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 590 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 591 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 592 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. 
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 593 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. 
Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers.

As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point.

Corona antivirus: 100% fake

The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world.

To add to the nonsense, the site goes on to add:

“Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running.”

Infected victims added to BlackNET RAT

Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida, turns your PC into a bot ready to receive commands:

hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed]
hxxps[://]instaboom-hello[.]site//g

The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet.

The full source code for this toolkit was published on GitHub a month ago. Some of its features include:

Deploying DDoS attacks
Taking screenshots
Stealing Firefox cookies
Stealing saved passwords
Implementing a keylogger
Executing scripts
Stealing Bitcoin wallets

Choose the right protection

During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is.

We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends.

Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our machine learning engine.

We also informed Cloudflare since the threat actors were abusing their service, and they took immediate action to flag this website as a phish.

Indicators of compromise

Malicious site
antivirus-covid19[.]site

Bogus corona antivirus
antivirus-covid19[.]site/update.exe
146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4

C2 panel
instaboom-hello[.]site
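The network indicators published in this article can be swept for in web-proxy logs. The following is an added example, not code from the original article: the log layout, the sample lines and the function names are constructed for illustration, and only the domains and URL paths come from the article.

```python
"""Sweep web-proxy logs for the network indicators listed in this article.

Added example. Assumed (constructed) log layout, one request per line:
    <timestamp> <client-ip> <method> <url-or-host:port> <status>
"""
import re
from urllib.parse import urlsplit, parse_qs

# Domains exactly as published (defanged) in the article.
DEFANGED_DOMAINS = ["antivirus-covid19[.]site", "instaboom-hello[.]site"]


def refang(indicator: str) -> str:
    """Undo common defanging: hxxp -> http, [://] -> ://, [.] -> ."""
    out = re.sub(r"^hxxp", "http", indicator.strip(), flags=re.IGNORECASE)
    return out.replace("[://]", "://").replace("[.]", ".")


BAD_DOMAINS = {refang(d).lower() for d in DEFANGED_DOMAINS}


def host_matches(host: str) -> bool:
    """Exact or subdomain match only, so look-alike hosts do not alert."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BAD_DOMAINS)


def classify(url: str):
    """Return a verdict string for a full URL, or None if it is clean."""
    parts = urlsplit(url)
    if not host_matches(parts.hostname or ""):
        return None
    # The article shows a doubled slash ('//connection.php'); normalise it.
    path = re.sub(r"/+", "/", parts.path).lower()
    query = parse_qs(parts.query, keep_blank_values=True)
    if path == "/connection.php" and "data" in query:
        return "c2-checkin"        # bot check-in pattern from the article
    if path == "/update.exe":
        return "payload-download"  # bogus antivirus installer
    return "ioc-domain"


def sweep(lines):
    """Return (client, verdict) for every log line that touches an indicator."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5:       # skip truncated or malformed lines
            continue
        _ts, client, method, target, _status = fields
        if method.upper() == "CONNECT":
            # Without TLS inspection the proxy only sees host:port.
            host = target.rsplit(":", 1)[0]
            verdict = "ioc-domain" if host_matches(host) else None
        else:
            verdict = classify(target)
        if verdict:
            hits.append((client, verdict))
    return hits


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = """\
2020-03-22T10:14:55Z 10.0.0.23 GET http://antivirus-covid19.site/update.exe 200
2020-03-22T10:15:02Z 10.0.0.23 GET https://instaboom-hello.site//connection.php?data=QUJD 200
2020-03-22T10:15:09Z 10.0.0.41 CONNECT instaboom-hello.site:443 200
2020-03-22T10:15:11Z 10.0.0.57 GET https://notinstaboom-hello.site/connection.php?data=x 200
2020-03-22T10:15:12Z 10.0.0.57 GET https://example.com/?ref=instaboom-hello.site 200
truncated line
"""

if __name__ == "__main__":
    for client, verdict in sweep(SAMPLE_LOG.splitlines()):
        print(f"{client}\t{verdict}")
```

A `CONNECT` hit only proves contact with the domain; confirming the check-in path requires TLS inspection or endpoint telemetry.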
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 612 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 613 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 614 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 615 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. 
Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 616 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 617 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 618 of 1696 The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 619 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 620 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. 
Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 621 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 622 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 623 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 624 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. 
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 625 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 626 of 1696 Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 627 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. Corona antivirus: 100% fake https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 628 of 1696 The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 629 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 630 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 631 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 632 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 633 of 1696 Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 634 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 635 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 636 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 637 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 638 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. 
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 639 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 640 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 641 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 642 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 643 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. 
Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 644 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 645 of 1696 hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 646 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. 
Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 647 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 648 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 649 of 1696 The full source code for this toolkit was published on GitHub a month ago. 
Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers.

As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point.

Corona antivirus: 100% fake

The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world.

To add to the nonsense, the site goes on by adding:

“Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running.”

Infected victims added to BlackNET RAT

Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida, turns your PC into a bot ready to receive commands:

hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed]
hxxps[://]instaboom-hello[.]site//g

The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet.

The full source code for this toolkit was published on GitHub a month ago. Some of its features include:

Deploying DDoS attacks
Taking screenshots
Stealing Firefox cookies
Stealing saved passwords
Implementing a keylogger
Executing scripts
Stealing Bitcoin wallets

Choose the right protection

During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is.

We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends.

Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our machine learning engine.

We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish.

Indicators of compromise

Malicious site
antivirus-covid19[.]site

Bogus corona antivirus
antivirus-covid19[.]site/update.exe
146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4

C2 panel
instaboom-hello[.]site
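For defenders who want to check their own web-proxy records against the indicators and the check-in URL published in this post, the following is an added example, not code from the original article or from Malwarebytes. The six-field log format, the client addresses and every sample log line are constructed for illustration; only the defanged indicators and the SHA-256 come from the post.

```python
import re
from urllib.parse import urlsplit, parse_qs


def refang(indicator):
    """Undo common defanging (hxxp, [.], [://]) so an indicator can be parsed."""
    out = indicator.strip().replace("[://]", "://").replace("[.]", ".")
    return re.sub(r"^hxxp", "http", out, flags=re.IGNORECASE)


def split_url(url):
    """Parse a URL or a bare host[:port][/path]; return (host, path, query).

    The host is lower-cased with any trailing dot removed, and repeated
    slashes in the path are collapsed (the published check-in URL has '//').
    """
    if not re.match(r"^[a-z][a-z0-9+.-]*://", url, re.IGNORECASE):
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    path = re.sub(r"/{2,}", "/", parts.path).lower() or "/"
    return host, path, parts.query


# Indicators exactly as published in the post, parsed into matchable parts.
DROPPER_HOST, DROPPER_PATH, _ = split_url(refang("antivirus-covid19[.]site/update.exe"))
C2_HOST, CHECKIN_PATH, _q = split_url(
    refang("hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed]"))
CHECKIN_PARAM = next(iter(parse_qs(_q, keep_blank_values=True)))
SAMPLE_SHA256 = "146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4"
DOMAINS = {DROPPER_HOST: "malicious site", C2_HOST: "C2 panel"}


def match_domain(host):
    """Return the indicator domain that host equals or is a subdomain of.

    Comparing on a label boundary avoids flagging look-alikes such as
    'antivirus-covid19.site.example.net' that a substring test would hit.
    """
    for domain in DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def classify(url, sha256=""):
    """Return the list of findings for one record (URL plus optional body hash)."""
    findings = []
    if sha256.lower() == SAMPLE_SHA256:
        findings.append("hash: bogus corona antivirus")
    host, path, query = split_url(url)
    domain = match_domain(host)
    if domain is None:
        return findings
    findings.append("domain: " + DOMAINS[domain])
    if domain == DROPPER_HOST and path == DROPPER_PATH:
        findings.append("download: update.exe")
    if (domain == C2_HOST and path == CHECKIN_PATH
            and CHECKIN_PARAM in parse_qs(query, keep_blank_values=True)):
        findings.append("check-in: connection.php?data=")
    return findings


def scan(lines):
    """Scan 'time client method url status sha256' records; return the hits."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed records rather than guess at fields
        _ts, client, _method, url, _status, sha256 = fields
        findings = classify(url, sha256)
        if findings:
            hits.append((client, url, findings))
    return hits


# Constructed sample records. Full HTTPS URLs are only visible to a proxy
# that inspects TLS; otherwise only the CONNECT host:port line is logged.
SAMPLE_LOG = [
    "2020-03-23T09:14:02Z 10.0.4.17 GET http://antivirus-covid19.site/update.exe 200 "
    + SAMPLE_SHA256,
    "2020-03-23T09:15:40Z 10.0.4.17 GET "
    "https://instaboom-hello.site//connection.php?data=QUJD 200 -",
    "2020-03-23T09:16:01Z 10.0.4.21 CONNECT instaboom-hello.site:443 200 -",
    "2020-03-23T09:17:12Z 10.0.4.22 GET "
    "http://antivirus-covid19.site.example.net/update.exe 200 -",
    "2020-03-23T09:18:30Z 10.0.4.23 GET "
    "http://notinstaboom-hello.site/connection.php?data=x 200 -",
    "2020-03-23T09:19:45Z 10.0.4.30 GET http://WWW.Antivirus-Covid19.SITE./ 200 -",
]

if __name__ == "__main__":
    for client, url, findings in scan(SAMPLE_LOG):
        print(client, url, "; ".join(findings))
```

A client that shows both the update.exe download and a later connection.php check-in is the strongest signal of an installed bot; a domain-only hit may be a page visit without execution.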
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 658 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 659 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 660 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 661 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. 
Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 662 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 663 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 664 of 1696 The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 665 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 666 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. 
Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 667 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 668 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 669 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 670 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. 
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 671 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 672 of 1696 hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 673 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 674 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. 
Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 675 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 676 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 677 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 678 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. 
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 679 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 680 of 1696 Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 681 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 682 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 683 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 684 of 1696 The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 685 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 686 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. 
Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 687 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 688 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 689 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 690 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. 
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 691 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 692 of 1696 hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 693 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 694 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 695 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. 
The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 696 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 697 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 698 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers.

As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point.

Corona antivirus: 100% fake

The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world.

To add to the nonsense, the site goes on by adding:

“Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running.”

Infected victims added to BlackNET RAT

Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida, turns your PC into a bot ready to receive commands:

hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed]
hxxps[://]instaboom-hello[.]site//g

The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet.

The full source code for this toolkit was published on GitHub a month ago. Some of its features include:

Deploying DDOS attacks
Taking screenshots
Stealing Firefox cookies
Stealing saved passwords
Implementing a keylogger
Executing scripts
Stealing Bitcoin wallets

Choose the right protection

During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is.

We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends.

Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine.

We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish.

Indicators of compromise

Malicious site
antivirus-covid19[.]site

Bogus corona antivirus
antivirus-covid19[.]site/update.exe
146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4

C2 panel
instaboom-hello[.]site
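A check built on the indicators this page publishes, as an added example that is not from Malwarebytes or the original post: it refangs the two domains and matches them, together with the SHA-256 of the bogus installer, against web-proxy log lines. The six-field log format, the client addresses and every sample line are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Indicators exactly as published on this page (still defanged).
PUBLISHED_DOMAINS = ["antivirus-covid19[.]site", "instaboom-hello[.]site"]
PUBLISHED_SHA256 = ["146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4"]


def refang(indicator):
    """Undo report defanging: hxxp(s) -> http(s), [://] -> ://, [.] -> ."""
    text = indicator.strip().replace("[://]", "://").replace("[.]", ".")
    return re.sub(r"^hxxp", "http", text, flags=re.IGNORECASE)


IOC_DOMAINS = {refang(d).lower() for d in PUBLISHED_DOMAINS}
IOC_HASHES = {h.lower() for h in PUBLISHED_SHA256}


def host_of(target):
    """Return the lower-cased host of a URL or of a CONNECT-style host:port."""
    if "://" not in target:
        target = "//" + target           # make urlsplit treat it as a network location
    try:
        host = urlsplit(target).hostname or ""
    except ValueError:                   # e.g. malformed bracketed IPv6 literal
        return ""
    return host.rstrip(".").lower()      # drop the trailing dot of a fully qualified name


def matched_domain(host):
    """Match an IoC domain or any of its subdomains, on a label boundary only.

    A plain substring test would also flag look-alike hosts that merely
    contain the indicator, so compare whole DNS labels instead.
    """
    for domain in IOC_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan(lines):
    """Return (line_number, client_ip, reasons) for each log line that hits an IoC."""
    hits = []
    for number, line in enumerate(lines, start=1):
        fields = line.split()
        if len(fields) != 6:
            continue                     # not in the assumed format; skip rather than guess
        _ts, client, _method, target, _status, sha256 = fields
        reasons = []
        domain = matched_domain(host_of(target))
        if domain:
            reasons.append("domain:" + domain)
        if sha256.lower() in IOC_HASHES:  # logs may record the digest in upper case
            reasons.append("sha256")
        if reasons:
            hits.append((number, client, reasons))
    return hits


# Constructed sample log (not real traffic). Assumed format:
# timestamp client method target status sha256-of-response-body-or-dash
H = PUBLISHED_SHA256[0]
SAMPLE_LOG = [
    f"2020-03-22T10:01:02Z 10.0.0.15 GET http://antivirus-covid19.site/update.exe 200 {H}",
    "2020-03-22T10:01:40Z 10.0.0.15 CONNECT instaboom-hello.site:443 200 -",
    "2020-03-22T10:02:11Z 10.0.0.22 GET http://notantivirus-covid19.site/ 200 -",
    "2020-03-22T10:02:30Z 10.0.0.23 GET http://antivirus-covid19.site.example.net/x 200 -",
    "2020-03-22T10:03:05Z 10.0.0.31 GET http://CDN.Instaboom-Hello.site./x 200 -",
    f"2020-03-22T10:04:19Z 10.0.0.40 GET http://files.example.org/setup.exe 200 {H.upper()}",
]

if __name__ == "__main__":
    for number, client, reasons in scan(SAMPLE_LOG):
        print(f"line {number}: {client} -> {', '.join(reasons)}")
```

Lines 3 and 4 of the sample are look-alike hosts that a substring match would flag; line 6 shows why the file hash is checked independently of the hosting domain.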
The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 707 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 708 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 709 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 710 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 711 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 712 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. 
Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 713 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 714 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 715 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 716 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 717 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 718 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 719 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 720 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 721 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. 
Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 722 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 723 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 724 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 725 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 726 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 727 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 728 of 1696 Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 729 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 730 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 731 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 732 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 733 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. 
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 734 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 735 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 736 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 737 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 738 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. 
Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 739 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 740 of 1696 hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 741 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. 
Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 742 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 743 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 744 of 1696 The full source code for this toolkit was published on GitHub a month ago. 
Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point.

Corona antivirus: 100% fake

The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world.

To add to the nonsense, the site goes on by adding:

“Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running.”

Infected victims added to BlackNET RAT

Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida, turns your PC into a bot ready to receive commands:

hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed]
hxxps[://]instaboom-hello[.]site//g

The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet.

The full source code for this toolkit was published on GitHub a month ago. Some of its features include:

- Deploying DDoS attacks
- Taking screenshots
- Stealing Firefox cookies
- Stealing saved passwords
- Implementing a keylogger
- Executing scripts
- Stealing Bitcoin wallets

Choose the right protection

During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends.

Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine.

We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish.

Indicators of compromise

Malicious site
antivirus-covid19[.]site

Bogus corona antivirus
antivirus-covid19[.]site/update.exe
146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4

C2 panel
instaboom-hello[.]site
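The indicators listed in this post (the lure site, the update.exe hash, and the C2 check-in to connection.php with a data parameter) can be swept against web proxy logs to find affected hosts. The following is an added example, not code from the original post or from Malwarebytes; the log format, client addresses, function names and verdict labels are assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Indicators as published in this post, kept defanged in source.
IOC_HOSTS = {
    "antivirus-covid19[.]site": "lure-site",
    "instaboom-hello[.]site": "c2-panel",
}
IOC_SHA256 = "146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4"

# Constructed sample proxy log (not real telemetry), stored defanged.
# Assumed format: time client method url status sha256-of-response-or-dash
SAMPLE_LOG = "\n".join([
    "2020-03-20T09:14:02Z 192.0.2.10 GET hxxps[://]antivirus-covid19[.]site/update.exe 200 " + IOC_SHA256,
    "2020-03-20T09:15:40Z 192.0.2.10 GET hxxps[://]INSTABOOM-HELLO[.]site:443//connection[.]php?data=CONSTRUCTED 200 -",
    "2020-03-20T09:16:05Z 192.0.2.11 GET hxxps[://]notinstaboom-hello[.]site/ 200 -",
    "2020-03-20T09:17:11Z 192.0.2.12 GET hxxps[://]cdn[.]example[.]org/update.exe 200 " + IOC_SHA256,
    "2020-03-20T09:18:30Z 192.0.2.13 GET hxxps[://]www[.]example[.]com/index.html 200 -",
    "truncated line without enough fields",
])


def refang(text):
    """Turn defanged indicators (hxxp, [.] and [://]) back into matchable form."""
    return text.replace("[://]", "://").replace("[.]", ".").replace("hxxp", "http")


HOSTS = {refang(host): tag for host, tag in IOC_HOSTS.items()}


def host_tag(hostname):
    """Return the IoC tag for an exact or subdomain match, else None.

    Matching on a dot boundary keeps lookalikes such as
    'notinstaboom-hello.site' from being flagged.
    """
    host = (hostname or "").lower().rstrip(".")
    for ioc, tag in HOSTS.items():
        if host == ioc or host.endswith("." + ioc):
            return tag
    return None


def classify(url, sha256):
    """Return the set of indicator hits for one request."""
    hits = set()
    try:
        parts = urlsplit(url)
        hostname = parts.hostname
    except ValueError:
        return hits  # unparsable URL, nothing to match on
    tag = host_tag(hostname)
    if tag:
        hits.add(tag)
    # The published C2 URL has a doubled slash; collapse it before comparing.
    path = re.sub(r"/+", "/", parts.path).lower()
    query = parse_qs(parts.query, keep_blank_values=True)
    if tag == "c2-panel" and path.endswith("/connection.php") and "data" in query:
        hits.add("c2-checkin")
    # A hash match counts even when the file came from a host not on the list.
    if sha256.lower() == IOC_SHA256:
        hits.add("sha256-match")
    return hits


def triage(log_text):
    """Group hits per client and assign a coarse verdict for prioritisation."""
    per_client = defaultdict(set)
    for line in refang(log_text).splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed lines
        _time, client, _method, url, _status, sha256 = fields
        per_client[client] |= classify(url, sha256)

    report = {}
    for client, hits in per_client.items():
        if not hits:
            continue
        if hits & {"c2-panel", "c2-checkin"}:
            verdict = "likely-infected"      # host is talking to the C2
        elif "sha256-match" in hits:
            verdict = "payload-downloaded"   # file fetched, no C2 traffic seen
        else:
            verdict = "visited-lure"         # page view only
        report[client] = {"verdict": verdict, "hits": sorted(hits)}
    return report


if __name__ == "__main__":
    for client, result in sorted(triage(SAMPLE_LOG).items()):
        print(client, result["verdict"], ", ".join(result["hits"]))
```
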
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 751 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 752 of 1696 Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 753 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 754 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 755 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 756 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. 
Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 757 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 758 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 759 of 1696 The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 760 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 761 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. 
Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 762 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 763 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 764 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 765 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. 
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 766 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 767 of 1696 hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 768 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 769 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 770 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. 
The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 771 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 772 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 773 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 774 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 775 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. 
The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 776 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 777 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 778 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 779 of 1696 Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 780 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 781 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 782 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 783 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 784 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. 
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 785 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 786 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 787 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 788 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 789 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. 
Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 790 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 791 of 1696 hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 792 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. 
Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 793 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 794 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 795 of 1696 The full source code for this toolkit was published on GitHub a month ago. 
Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers.

As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point.

Corona antivirus: 100% fake

The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world.

To add to the nonsense, the site goes on to add:

“Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running.”
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 802 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 803 of 1696 Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 804 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 805 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 806 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 807 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. 
Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 808 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 809 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 810 of 1696 The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 811 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 812 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. 
Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 813 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 814 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 815 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 816 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. 
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 817 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 818 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 819 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 820 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 821 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. 
Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 822 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 823 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 824 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 825 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 826 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 827 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 828 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 829 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 830 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 831 of 1696 Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 832 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 833 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 834 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 835 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 836 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. 
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 837 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 838 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 839 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 840 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 841 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. 
Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 842 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 843 of 1696 hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 844 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. 
Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 845 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 846 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 847 of 1696 The full source code for this toolkit was published on GitHub a month ago. 
Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers.

As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point.

Corona antivirus: 100% fake

The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world.

To add to the nonsense, the site goes on by adding:

“Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running.”

Infected victims added to BlackNET RAT

Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida, turns your PC into a bot ready to receive commands:

hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed]
hxxps[://]instaboom-hello[.]site//g

The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet.

The full source code for this toolkit was published on GitHub a month ago. Some of its features include:

- Deploying DDoS attacks
- Taking screenshots
- Stealing Firefox cookies
- Stealing saved passwords
- Implementing a keylogger
- Executing scripts
- Stealing Bitcoin wallets

Choose the right protection

During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is.

We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends.

Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our machine learning engine.

We also informed CloudFlare since the threat actors were abusing their service, and they took immediate action to flag this website as a phish.

Indicators of compromise

Malicious site
antivirus-covid19[.]site

Bogus corona antivirus
antivirus-covid19[.]site/update.exe
146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4

C2 panel
instaboom-hello[.]site
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 856 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 857 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 858 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 859 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. 
Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 860 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 861 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 862 of 1696 The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 863 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 864 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. 
Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 865 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 866 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 867 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 868 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. 
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 869 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 870 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 871 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 872 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 873 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. 
Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 874 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 875 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 876 of 1696 The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 877 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 878 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. 
Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 879 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 880 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 881 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 882 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. 
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 883 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 884 of 1696 Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 885 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 886 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 887 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 888 of 1696 The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 889 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 890 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. 
Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 891 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 892 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 893 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 894 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. 
Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers.

As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point.

Corona antivirus: 100% fake

The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world.

To add to the nonsense, the site goes on by adding:

“Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running.”
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 956 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 957 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. 
Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 958 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 959 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 960 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 961 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. 
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 962 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 963 of 1696 Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 964 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 965 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 966 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 967 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. 
Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 968 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 969 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 970 of 1696 The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 971 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 972 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. 
Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 973 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 974 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 975 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 976 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. 
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 977 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 978 of 1696 hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 979 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 980 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. 
Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 981 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 982 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 983 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 984 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. 
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 985 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 986 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 987 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 988 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 989 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. 
As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 990 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 991 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 992 of 1696 The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 993 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 994 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 995 of 1696 Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets Choose the right protection During this period, it is important to stay safe both at home and online. 
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 996 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 997 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 998 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. 
Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers.

As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point.

Corona antivirus: 100% fake

The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world.

To add to the nonsense, the site goes on by adding:

“Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running.”
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1005 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1006 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. 
The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1007 of 1696 hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1008 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1009 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1010 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1011 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1012 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. 
Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1013 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1014 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1015 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1016 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1017 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1018 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1019 of 1696 Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1020 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1021 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1022 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1023 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1024 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1025 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1026 of 1696 The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1027 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1028 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. 
Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1029 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1030 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1031 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1032 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. 
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1033 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1034 of 1696 hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1035 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1036 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. 
The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1037 of 1696 hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1038 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1039 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1040 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1041 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. 
The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1042 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1043 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1044 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1045 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1046 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1047 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. 
Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers.

As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point.

Corona antivirus: 100% fake

The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world.

To add to the nonsense, the site goes on to add:

“Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running.”

Infected victims added to BlackNET RAT

Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida, turns your PC into a bot ready to receive commands:

hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed]
hxxps[://]instaboom-hello[.]site//g

The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet.

The full source code for this toolkit was published on GitHub a month ago. Some of its features include:

Deploying DDoS attacks
Taking screenshots
Stealing Firefox cookies
Stealing saved passwords
Implementing a keylogger
Executing scripts
Stealing Bitcoin wallets

Choose the right protection

During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is.

We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends.

Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our machine learning engine.

We also informed Cloudflare since the threat actors were abusing their service, and they took immediate action to flag this website as a phish.

Indicators of compromise

Malicious site
antivirus-covid19[.]site

Bogus corona antivirus
antivirus-covid19[.]site/update.exe
146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4

C2 panel
instaboom-hello[.]site
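As an added example (not part of the original article and not Malwarebytes code), the following Python applies the indicators listed on this page to web proxy log lines and ranks each client by how far along the infection chain it got: lure visit, payload download, C2 contact, or the connection.php beacon. The log format, timestamps, client addresses, the `data` value and the finding names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators as published (defanged) in the article.
LURE_SITE = "antivirus-covid19[.]site"
C2_PANEL = "instaboom-hello[.]site"
PAYLOAD_SHA256 = "146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4"

# Finding names and their ordering are assumptions made for this example.
SEVERITY = {"lure_visit": 1, "payload_download": 2, "c2_contact": 3, "c2_beacon": 4}


def refang(value):
    """Turn a defanged indicator (hxxps[://]host[.]tld) into matchable form."""
    value = re.sub(r"^hxxp", "http", value.strip(), flags=re.IGNORECASE)
    return value.replace("[://]", "://").replace("[.]", ".")


LURE_HOST = refang(LURE_SITE)
C2_HOST = refang(C2_PANEL)


def host_matches(host, domain):
    """True for the domain or a subdomain, never for look-alike names."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify(url):
    """Return the finding for one URL, or None if it touches no indicator."""
    url = refang(url)
    if "://" not in url:
        url = "http://" + url  # bare host/path entries, as in the IoC list
    parts = urlsplit(url)
    host = parts.hostname or ""
    # The article shows requests to "//connection.php"; collapse repeated
    # slashes so single- and double-slash forms are treated alike.
    path = re.sub(r"/+", "/", parts.path).lower()
    if host_matches(host, C2_HOST):
        query = parse_qs(parts.query, keep_blank_values=True)
        if path == "/connection.php" and "data" in query:
            return "c2_beacon"
        return "c2_contact"
    if host_matches(host, LURE_HOST):
        return "payload_download" if path == "/update.exe" else "lure_visit"
    return None


def scan(log_lines):
    """Return (client_ip, finding, url) for each line that hits an indicator."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip it instead of aborting the hunt
        client, url = fields[1], fields[3]
        finding = classify(url)
        if finding:
            hits.append((client, finding, url))
    return hits


def worst_per_client(hits):
    """Keep the highest-severity finding per client to order triage."""
    worst = {}
    for client, finding, _ in hits:
        if SEVERITY[finding] > SEVERITY.get(worst.get(client), 0):
            worst[client] = finding
    return worst


def is_known_payload(sha256_hex):
    """Compare a file hash from endpoint telemetry with the published one."""
    return sha256_hex.strip().lower() == PAYLOAD_SHA256


# Constructed sample: "timestamp client method url status". The last three
# lines are benign look-alikes that must not match.
SAMPLE_LOG = [
    f"2020-03-20T10:01:02Z 10.0.0.11 GET http://{LURE_HOST}/ 200",
    f"2020-03-20T10:01:09Z 10.0.0.11 GET http://{LURE_HOST}/update.exe 200",
    f"2020-03-20T10:03:40Z 10.0.0.11 GET https://{C2_HOST}//connection.php?data=CONSTRUCTED 200",
    f"2020-03-20T10:04:00Z 10.0.0.12 GET http://{LURE_HOST}/ 200",
    f"2020-03-20T10:05:00Z 10.0.0.13 GET https://not{C2_HOST}/connection.php?data=x 200",
    f"2020-03-20T10:06:00Z 10.0.0.14 GET https://{C2_HOST}.example.com/ 200",
    "2020-03-20T10:07:00Z 10.0.0.15 GET https://www.example.org/update.exe 200",
]

if __name__ == "__main__":
    for client, finding in sorted(worst_per_client(scan(SAMPLE_LOG)).items()):
        print(client, finding)
```

A client whose worst finding is `c2_beacon` has executed the payload and belongs at the top of the triage queue; a `lure_visit` alone only shows exposure to the site.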
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1056 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1057 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1058 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1059 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. 
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1060 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1061 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1062 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1063 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1064 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. 
Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1065 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1066 of 1696 hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1067 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. 
Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1068 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1069 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1070 of 1696 The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1071 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1072 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. 
Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1073 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1074 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1075 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1076 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. 
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1077 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1078 of 1696 Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1079 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1080 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1081 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1082 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. 
Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1083 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1084 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1085 of 1696 The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1086 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1087 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. 
Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1088 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1089 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1090 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1091 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. 
Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers.

As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point.

Corona antivirus: 100% fake

The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world.

To add to the nonsense, the site goes on by adding:

Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running.
The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1102 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1103 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1104 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1105 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1106 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1107 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. 
Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1108 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1109 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1110 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1111 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1112 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1113 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1114 of 1696 Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1115 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1116 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1117 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1118 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1119 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. 
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1120 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1121 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1122 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1123 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1124 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. 
Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1125 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1126 of 1696 hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1127 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. 
Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1128 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1129 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1130 of 1696 The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1131 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1132 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. 
Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1133 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1134 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1135 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1136 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. 
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1137 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1138 of 1696 Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1139 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1140 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1141 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1142 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. 
Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers.

As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point.

Corona antivirus: 100% fake

The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world.

To add to the nonsense, the site goes on by adding:

“Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running.”

Infected victims added to BlackNET RAT

Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida, turns your PC into a bot ready to receive commands:

hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed]
hxxps[://]instaboom-hello[.]site//g

The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet.

The full source code for this toolkit was published on GitHub a month ago. Some of its features include:

- Deploying DDoS attacks
- Taking screenshots
- Stealing Firefox cookies
- Stealing saved passwords
- Implementing a keylogger
- Executing scripts
- Stealing Bitcoin wallets

Choose the right protection

During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is.

We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends.

Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our machine learning engine.

We also informed Cloudflare, since the threat actors were abusing their service, and they took immediate action to flag this website as a phish.

Indicators of compromise

Malicious site
antivirus-covid19[.]site

Bogus corona antivirus
antivirus-covid19[.]site/update.exe
146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4

C2 panel
instaboom-hello[.]site
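One way to hunt for the indicators published in this article in web-proxy logs, given here as an added example rather than Malwarebytes' own tooling. The domains, paths and hash are the ones listed on this page; the six-field log format, the tag names and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicators exactly as published in the article (still defanged).
DROPPER_DOMAIN = "antivirus-covid19[.]site"
PAYLOAD_URL = "antivirus-covid19[.]site/update.exe"
PAYLOAD_SHA256 = "146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4"
C2_CHECKIN = "hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed]"

SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def refang(text):
    """Undo the article's defanging (hxxp, [://], [.]) so values compare equal."""
    text = re.sub(r"^hxxp", "http", text, flags=re.IGNORECASE)
    return text.replace("[://]", "://").replace("[.]", ".")


def split_url(url):
    """Return (host, path, query): host lower-cased, port dropped, '//' collapsed."""
    if not SCHEME.match(url):
        url = "http://" + url  # bare host[:port][/path], e.g. a CONNECT target
    try:
        parts = urlsplit(url)
    except ValueError:
        return "", "/", ""     # malformed URL: nothing to match on
    host = (parts.hostname or "").rstrip(".")
    # The published check-in URL contains '//' before the script name, so
    # repeated slashes are collapsed before any path comparison.
    path = re.sub(r"/{2,}", "/", parts.path) or "/"
    return host, path.lower(), parts.query


DROPPER_HOST = split_url(refang(DROPPER_DOMAIN))[0]
PAYLOAD_HOST, PAYLOAD_PATH, _ = split_url(refang(PAYLOAD_URL))
C2_HOST, CHECKIN_PATH, _ = split_url(refang(C2_CHECKIN))


def host_matches(host, domain):
    """True for the domain or a subdomain, not for look-alike suffixes."""
    return host == domain or host.endswith("." + domain)


def scan_line(line):
    """Return sorted indicator tags for one log line in the assumed format:
    timestamp client method url status sha256-of-response-or-dash"""
    fields = line.split()
    if len(fields) != 6:
        return []
    _ts, _client, _method, url, _status, sha256 = fields
    host, path, query = split_url(url)
    tags = set()
    if host_matches(host, DROPPER_HOST):
        tags.add("dropper-site")
    if host_matches(host, PAYLOAD_HOST) and path == PAYLOAD_PATH:
        tags.add("payload-download")
    if host_matches(host, C2_HOST):
        tags.add("c2-contact")  # all a non-inspecting proxy sees for HTTPS
        if path == CHECKIN_PATH and "data" in parse_qs(query, keep_blank_values=True):
            tags.add("c2-checkin")
    if sha256.lower() == PAYLOAD_SHA256:
        tags.add("payload-hash")
    return sorted(tags)


def scan_log(text):
    """Return [(client, tags)] for every line that matches an indicator."""
    hits = []
    for line in text.splitlines():
        tags = scan_line(line)
        if tags:
            hits.append((line.split()[1], tags))
    return hits


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = """\
2020-03-20T09:14:02Z 10.0.0.21 GET http://antivirus-covid19.site/update.exe 200 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4
2020-03-20T09:15:40Z 10.0.0.21 CONNECT instaboom-hello.site:443 200 -
2020-03-20T09:15:41Z 10.0.0.21 GET https://INSTABOOM-HELLO.site//connection.php?data=PLACEHOLDER 200 -
2020-03-20T09:16:00Z 10.0.0.33 GET https://antivirus-covid19.site.example.com/update.exe 200 -
2020-03-20T09:17:10Z 10.0.0.33 GET https://example.org/?ref=instaboom-hello.site 200 -
"""

if __name__ == "__main__":
    for client, tags in scan_log(SAMPLE_LOG):
        print(client, ", ".join(tags))
```

The last two sample lines are deliberate non-matches: an indicator domain used as a prefix of another host name, and an indicator that appears only inside a query string.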
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1153 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1154 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1155 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1156 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. 
Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1157 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1158 of 1696 hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1159 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. 
Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1160 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1161 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1162 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1163 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1164 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1165 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1166 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1167 of 1696 The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1168 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1169 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. 
Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1170 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1171 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1172 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1173 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. 
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1174 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1175 of 1696 Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1176 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1177 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1178 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1179 of 1696 The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1180 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1181 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. 
Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1182 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1183 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1184 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1185 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. 
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1186 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1187 of 1696 hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1188 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1189 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1190 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. 
The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1191 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1192 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1193 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers.

As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point.

Corona antivirus: 100% fake

The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world.

To add to the nonsense, the site goes on by adding:

Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running.

Infected victims added to BlackNET RAT

Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida, turns your PC into a bot ready to receive commands:

hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed]
hxxps[://]instaboom-hello[.]site//g

The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet.

The full source code for this toolkit was published on GitHub a month ago. Some of its features include:

- Deploying DDoS attacks
- Taking screenshots
- Stealing Firefox cookies
- Stealing saved passwords
- Implementing a keylogger
- Executing scripts
- Stealing Bitcoin wallets

Choose the right protection

During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is.

We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends.

Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine.

We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish.

Indicators of compromise

Malicious site
antivirus-covid19[.]site

Bogus corona antivirus
antivirus-covid19[.]site/update.exe
146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4

C2 panel
instaboom-hello[.]site
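An added example, not part of the Malwarebytes post: one way to check web-proxy logs and a downloaded file against the indicators this article lists. The log layout, client addresses and `data` value are constructed for illustration; the domains, the `/update.exe` and `connection.php` paths and the SHA-256 are the ones published above.

```python
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# Indicators exactly as the page lists them (defanged).
PAGE_DOMAINS = ["antivirus-covid19[.]site", "instaboom-hello[.]site"]
PAGE_SHA256 = "146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4"


def refang(text):
    """Undo hxxp / [://] / [.] defanging so the value can be parsed."""
    text = text.replace("[://]", "://").replace("[.]", ".")
    return re.sub(r"^hxxp", "http", text, flags=re.IGNORECASE)


DOWNLOAD_SITE, C2_SITE = (refang(d) for d in PAGE_DOMAINS)


def ioc_domain_for(host):
    """Return the listed domain that host equals or is a subdomain of."""
    host = (host or "").lower().rstrip(".")
    for domain in (DOWNLOAD_SITE, C2_SITE):
        # Suffix match on a label boundary, so look-alike hosts do not hit.
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def classify_url(url):
    """Return 'payload-download', 'c2-checkin', 'ioc-domain' or None."""
    url = refang(url)
    if "://" not in url:  # e.g. the host:port target of a CONNECT request
        url = "//" + url
    parts = urlsplit(url)
    domain = ioc_domain_for(parts.hostname)
    if domain is None:
        return None
    # The C2 URLs on the page carry a doubled slash; collapse before comparing.
    path = re.sub(r"/{2,}", "/", parts.path).lower()
    query = parse_qs(parts.query, keep_blank_values=True)
    if domain == C2_SITE and path == "/connection.php" and "data" in query:
        return "c2-checkin"
    if domain == DOWNLOAD_SITE and path == "/update.exe":
        return "payload-download"
    return "ioc-domain"


def scan_proxy_log(lines):
    """Yield (client, verdict) for each line whose URL matches an indicator.

    Assumed (constructed) layout: timestamp client method url status
    """
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or truncated line
        _ts, client, _method, url, _status = fields[:5]
        verdict = classify_url(url)
        if verdict:
            findings.append((client, verdict))
    return findings


def file_matches_sample(path):
    """True if the file's SHA-256 equals the hash published on the page."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest() == PAGE_SHA256


# Constructed log lines. URLs are refanged at run time so the text stays inert.
SAMPLE_LOG = [
    "2020-03-20T10:00:01Z 10.0.0.5 GET https://example.com/index.html 200",
    "2020-03-20T10:00:02Z 10.0.0.7 GET "
    + refang("hxxp[://]antivirus-covid19[.]site/update.exe") + " 200",
    "2020-03-20T10:00:09Z 10.0.0.7 GET "
    + refang("hxxps[://]instaboom-hello[.]site//connection[.]php?data=CONSTRUCTED")
    + " 200",
    "2020-03-20T10:00:11Z 10.0.0.9 GET "
    + refang("hxxps[://]notinstaboom-hello[.]site/connection[.]php?data=x") + " 200",
    "2020-03-20T10:00:12Z 10.0.0.6 CONNECT "
    + refang("instaboom-hello[.]site") + ":443 200",
]

if __name__ == "__main__":
    for client, verdict in scan_proxy_log(SAMPLE_LOG):
        print(client, verdict)
```

Without TLS inspection a proxy sees only the `CONNECT` host, so the check-in path is not visible and the match falls back to `ioc-domain`.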
The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1254 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1255 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1256 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1257 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1258 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. 
The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1259 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1260 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1261 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1262 of 1696 Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1263 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1264 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. 
The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1265 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1266 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1267 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1268 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1269 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1270 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. 
Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1271 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1272 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1273 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1274 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1275 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1276 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1277 of 1696 hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1278 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. 
Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1279 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1280 of 1696 Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1281 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. Corona antivirus: 100% fake https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1282 of 1696 The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1283 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. 
The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1284 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1285 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1286 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1287 of 1696 hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1288 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1289 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1290 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1291 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1292 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1293 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1294 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1295 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1296 of 1696 The full source code for this toolkit was published on GitHub a month ago. 
Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers.

As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point.

Corona antivirus: 100% fake

The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world.

To add to the nonsense, the site goes on by adding:

Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running.

Infected victims added to BlackNET RAT

Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida, turns your PC into a bot ready to receive commands:

hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed]
hxxps[://]instaboom-hello[.]site//g

The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet.

The full source code for this toolkit was published on GitHub a month ago. Some of its features include:

Deploying DDOS attacks
Taking screenshots
Stealing Firefox cookies
Stealing saved passwords
Implementing a keylogger
Executing scripts
Stealing Bitcoin wallets

Choose the right protection

During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is.

We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends.

Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine.

We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish.

Indicators of compromise

Malicious site
antivirus-covid19[.]site

Bogus corona antivirus
antivirus-covid19[.]site/update.exe
146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4

C2 panel
instaboom-hello[.]site
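A defender's sweep for the indicators this post publishes, as an added example (not Malwarebytes code): it refangs the defanged domains and check-in path, then flags matching entries in a web proxy log. The six-field log format, the sample lines, the client addresses and the reason labels are constructed assumptions.

```python
import re
from urllib.parse import urlsplit


def refang(value):
    """Turn a published, defanged indicator back into a matchable string."""
    value = value.replace("[://]", "://").replace("[.]", ".")
    return re.sub(r"^hxxp", "http", value, flags=re.I)


# Indicators as published in the post, kept defanged in the source text.
LURE_DOMAIN = refang("antivirus-covid19[.]site")
C2_DOMAIN = refang("instaboom-hello[.]site")
CHECKIN = refang("connection[.]php")  # bot check-in script on the C2 panel
DROPPER_SHA256 = "146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4"


def host_matches(host, domains):
    """Exact or subdomain match only, so look-alike hosts do not alert."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_target(target):
    """Return (host, path) for a full URL or a CONNECT-style host:port."""
    if "://" not in target:
        target = "//" + target  # lets urlsplit treat host:port as a netloc
    try:
        parts = urlsplit(target)
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return "", ""
    # The post shows the check-in as //connection.php; collapse extra slashes.
    return host, re.sub(r"/{2,}", "/", parts.path).lower()


def classify(host, path, sha256):
    reasons = []
    if host_matches(host, {LURE_DOMAIN}):
        reasons.append("dropper-download" if path.endswith("/update.exe") else "lure-domain")
    if host_matches(host, {C2_DOMAIN}):
        reasons.append("c2-checkin" if path.endswith("/" + CHECKIN) else "c2-domain")
    if sha256.lower() == DROPPER_SHA256:
        reasons.append("dropper-hash")  # same file served from any host
    return reasons


def scan_proxy_log(lines):
    """Assumed fields: timestamp client method target status sha256-or-dash."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed or truncated entry
        _, client, _, target, _, sha256 = fields[:6]
        reasons = classify(*parse_target(target), sha256)
        if reasons:
            findings.append((line_no, client, reasons))
    return findings


# Constructed sample log, built from the refanged indicators above.
SAMPLE_LOG = [
    f"2020-03-21T10:02:11Z 10.0.0.15 GET http://{LURE_DOMAIN}/update.exe 200 {DROPPER_SHA256}",
    f"2020-03-21T10:02:40Z 10.0.0.15 CONNECT {C2_DOMAIN}:443 200 -",
    f"2020-03-21T10:05:02Z 10.0.0.22 GET https://{C2_DOMAIN.upper()}//{CHECKIN}?data=CONSTRUCTED 200 -",
    f"2020-03-21T10:06:30Z 10.0.0.31 GET http://not{LURE_DOMAIN}/ 200 -",
    f"2020-03-21T10:07:12Z 10.0.0.31 GET http://{LURE_DOMAIN}.example.net/update.exe 200 -",
    f"2020-03-21T10:09:45Z 10.0.0.40 GET http://files.example.org/setup.exe 200 {DROPPER_SHA256}",
]

if __name__ == "__main__":
    for line_no, client, reasons in scan_proxy_log(SAMPLE_LOG):
        print(f"line {line_no}: {client} -> {', '.join(reasons)}")
```

The hash check is independent of the host check, so a copy of update.exe re-hosted elsewhere is still flagged, while the two look-alike hostnames in the sample produce no alert.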
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1305 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1306 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1307 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1308 of 1696 The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1309 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1310 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. 
Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1311 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1312 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1313 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1314 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. 
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1315 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1316 of 1696 hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1317 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1318 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1319 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. 
The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1320 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1321 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1322 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1323 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1324 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. 
The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1325 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1326 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1327 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1328 of 1696 Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1329 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1330 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. 
The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1331 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1332 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1333 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1334 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1335 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1336 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. 
Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1337 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1338 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1339 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1340 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1341 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1342 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1343 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1344 of 1696 The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1345 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1346 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1347 of 1696 Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets Choose the right protection During this period, it is important to stay safe both at home and online. 
Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers.

As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point.

Corona antivirus: 100% fake

The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world.

To add to the nonsense, the site goes on by adding:

“Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running.”

Infected victims added to BlackNET RAT

Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida, turns your PC into a bot ready to receive commands:

hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed]
hxxps[://]instaboom-hello[.]site//g

The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet.

The full source code for this toolkit was published on GitHub a month ago. Some of its features include:

- Deploying DDOS attacks
- Taking screenshots
- Stealing Firefox cookies
- Stealing saved passwords
- Implementing a keylogger
- Executing scripts
- Stealing Bitcoin wallets

Choose the right protection

During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is.

We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends.

Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine.

We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish.

Indicators of compromise

Malicious site
antivirus-covid19[.]site

Bogus corona antivirus
antivirus-covid19[.]site/update.exe
146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4

C2 panel
instaboom-hello[.]site
Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1404 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1405 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1406 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1407 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1408 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1409 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1410 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1411 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1412 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1413 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1414 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1415 of 1696 Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1416 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. Corona antivirus: 100% fake https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1417 of 1696 The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1418 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. 
The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1419 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1420 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1421 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1422 of 1696 hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1423 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1424 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1425 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1426 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1427 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1428 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1429 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1430 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1431 of 1696 The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1432 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1433 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. 
Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1434 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1435 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1436 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1437 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. 
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1438 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1439 of 1696 Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. 
Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers.

As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point.

Corona antivirus: 100% fake

The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world.

To add to the nonsense, the site goes on by adding:

"Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running."

Infected victims added to BlackNET RAT

Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida, turns your PC into a bot ready to receive commands:

hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed]
hxxps[://]instaboom-hello[.]site//g

The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet.

The full source code for this toolkit was published on GitHub a month ago. Some of its features include:

Deploying DDOS attacks
Taking screenshots
Stealing Firefox cookies
Stealing saved passwords
Implementing a keylogger
Executing scripts
Stealing Bitcoin wallets

Choose the right protection

During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is.

We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends.

Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine.

We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish.

Indicators of compromise

Malicious site
antivirus-covid19[.]site

Bogus corona antivirus
antivirus-covid19[.]site/update.exe
146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4

C2 panel
instaboom-hello[.]site
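An added example, not part of the Malwarebytes post: a sweep of web-proxy logs and file hashes for the indicators this article publishes, including the check-in URL shape it shows. The log format, the sample lines, the function names and the lower-confidence "same path on another host" rule are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators exactly as published in the article (kept defanged in source).
IOC_DOMAINS_DEFANGED = ["antivirus-covid19[.]site", "instaboom-hello[.]site"]
IOC_SHA256 = {"146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4"}


def refang(text):
    """Undo common defanging: hxxp -> http, [://] -> ://, [.] -> ."""
    text = re.sub(r"hxxp", "http", text, flags=re.I)
    return text.replace("[://]", "://").replace("[.]", ".")


def defang(url):
    """Defang a URL again before it is written to a report or ticket."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


IOC_DOMAINS = {refang(d).lower() for d in IOC_DOMAINS_DEFANGED}


def host_matches(host):
    """Exact match or subdomain of a listed domain (not a bare suffix match)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def is_checkin_shape(url):
    """URL shaped like the check-in shown in the article: .../connection.php?data=..."""
    parts = urlsplit(url)
    # The article shows a doubled slash before connection.php; collapse repeats.
    path = re.sub(r"/{2,}", "/", parts.path).lower()
    query = parse_qs(parts.query, keep_blank_values=True)
    return path.endswith("/connection.php") and "data" in query


def classify(url):
    """Return a verdict string for a URL, or None when nothing matches."""
    url = refang(url)
    host = urlsplit(url).hostname or ""
    if host_matches(host):
        return "ioc-domain+checkin" if is_checkin_shape(url) else "ioc-domain"
    # Assumption: the toolkit source is public, so other panels may reuse the
    # same path on a different host. Treat as a lead to triage, not a verdict.
    if is_checkin_shape(url):
        return "checkin-shape-only"
    return None


def hash_matches(sha256_hex):
    """Compare a file's SHA-256 (hex) with the hash published in the article."""
    return sha256_hex.strip().lower() in IOC_SHA256


def scan_proxy_log(lines):
    """Assumed line format: <timestamp> <client-ip> <method> <url> <status>."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed or truncated lines
        client, url = fields[1], refang(fields[3])
        verdict = classify(url)
        if verdict:
            hits.append((client, verdict, defang(url)))
    return hits


# Constructed sample log lines; hosts are refanged only at runtime.
C2 = refang("instaboom-hello[.]site")
SITE = refang("antivirus-covid19[.]site")
SAMPLE_LOG = [
    f"2020-03-20T10:01:02Z 10.0.0.15 GET https://{SITE}/update.exe 200",
    f"2020-03-20T10:03:40Z 10.0.0.15 GET https://{C2}//connection.php?data=QUJD 200",
    "2020-03-20T10:04:00Z 10.0.0.22 GET https://panel.example.net/connection.php?data=QUJD 200",
    "2020-03-20T10:05:00Z 10.0.0.30 GET https://www.example.com/index.html 200",
    f"2020-03-20T10:06:00Z 10.0.0.31 GET https://not{C2}/ 200",  # look-alike host, no match
    "truncated line",
]

if __name__ == "__main__":
    for client, verdict, url in scan_proxy_log(SAMPLE_LOG):
        print(f"{client:12} {verdict:20} {url}")
```

A client that shows both the download and the check-in, as 10.0.0.15 does in the sample, is the one to isolate first.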
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1500 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1501 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1502 of 1696 The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1503 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1504 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. 
Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1505 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1506 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1507 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1508 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. 
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1509 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1510 of 1696 Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1511 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1512 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1513 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1514 of 1696 The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1515 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1516 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. 
Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1517 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1518 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1519 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1520 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. 
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1521 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1522 of 1696 hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1523 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1524 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1525 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. 
The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1526 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1527 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1528 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1529 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1530 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. 
The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1531 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1532 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1533 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1534 of 1696 Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1535 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1536 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. 
The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1537 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1538 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1539 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers.

As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point.

Corona antivirus: 100% fake

The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world.

To add to the nonsense, the site goes on by adding:

“Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running.”

Infected victims added to BlackNET RAT

Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida, turns your PC into a bot ready to receive commands:

hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed]
hxxps[://]instaboom-hello[.]site//g

The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet.

The full source code for this toolkit was published on GitHub a month ago. Some of its features include:

- Deploying DDoS attacks
- Taking screenshots
- Stealing Firefox cookies
- Stealing saved passwords
- Implementing a keylogger
- Executing scripts
- Stealing Bitcoin wallets

Choose the right protection

During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is.

We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends.

Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine.

We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish.

Indicators of compromise

Malicious site
antivirus-covid19[.]site

Bogus corona antivirus
antivirus-covid19[.]site/update.exe
146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4

C2 panel
instaboom-hello[.]site
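The published indicators can be turned into a web-proxy log check that separates hosts that only saw the lure from hosts that fetched update.exe or contacted the C2. This is an added example, not part of the original Malwarebytes post; the log layout (timestamp, client, method, target, status, response SHA-256) and every sample line are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Indicators exactly as published in the post (defanged).
LURE_DOMAIN_DEFANGED = "antivirus-covid19[.]site"
DROPPER_URL_DEFANGED = "antivirus-covid19[.]site/update.exe"
C2_DOMAIN_DEFANGED = "instaboom-hello[.]site"
C2_CHECKIN_DEFANGED = "hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed]"
DROPPER_SHA256 = "146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4"


def refang(indicator):
    """Undo the defanging used in the post so values can be compared to logs."""
    return indicator.replace("hxxp", "http").replace("[://]", "://").replace("[.]", ".")


def norm_host(host):
    """Hostnames are case-insensitive and may carry a trailing root dot."""
    return host.strip().rstrip(".").lower()


def norm_path(path):
    """Collapse repeated slashes: the post shows the check-in as '//connection.php'."""
    return re.sub(r"/{2,}", "/", path).lower() or "/"


LURE_DOMAIN = norm_host(refang(LURE_DOMAIN_DEFANGED))
C2_DOMAIN = norm_host(refang(C2_DOMAIN_DEFANGED))
DROPPER_PATH = norm_path(urlsplit("//" + refang(DROPPER_URL_DEFANGED)).path)
C2_CHECKIN_PATH = norm_path(urlsplit(refang(C2_CHECKIN_DEFANGED)).path)


def in_domain(host, domain):
    """Match the domain and its subdomains, but not look-alike suffixes."""
    return host == domain or host.endswith("." + domain)


def split_target(method, target):
    """Return (host, path, query); path is None when only host:port is visible."""
    if method.upper() == "CONNECT":  # TLS tunnel without inspection
        return norm_host(target.rsplit(":", 1)[0]), None, ""
    parts = urlsplit(target)
    return norm_host(parts.hostname or ""), norm_path(parts.path), parts.query


def classify(method, target, body_sha256="-"):
    """Label one request, or return None if it matches no indicator."""
    host, path, query = split_target(method, target)
    if body_sha256.lower() == DROPPER_SHA256:
        return "dropper_download"  # hash match still works if the file is re-hosted
    if in_domain(host, LURE_DOMAIN):
        return "dropper_download" if path == DROPPER_PATH else "lure_visit"
    if in_domain(host, C2_DOMAIN):
        has_data = "data" in parse_qs(query, keep_blank_values=True)
        if path == C2_CHECKIN_PATH and has_data:
            return "c2_checkin"
        return "c2_contact"  # domain-only match, e.g. a CONNECT tunnel
    return None


def triage(log_lines):
    """Return {client: verdict}, taking the most serious stage seen per client."""
    seen = defaultdict(set)
    for line in log_lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines instead of failing the whole run
        client, method, target = fields[1], fields[2], fields[3]
        sha256 = fields[5] if len(fields) > 5 else "-"
        label = classify(method, target, sha256)
        if label:
            seen[client].add(label)
    verdicts = {}
    for client, labels in seen.items():
        if labels & {"c2_checkin", "c2_contact"}:
            verdicts[client] = "likely_infected"
        elif "dropper_download" in labels:
            verdicts[client] = "payload_downloaded"
        else:
            verdicts[client] = "lure_visited"
    return verdicts


# Constructed sample log; client addresses and timestamps are made up.
SAMPLE_LOG = [
    f"2020-03-20T10:01:02Z 10.0.0.21 GET http://{LURE_DOMAIN}/ 200 -",
    f"2020-03-20T10:01:40Z 10.0.0.21 GET http://{LURE_DOMAIN}/update.exe 200 {DROPPER_SHA256}",
    f"2020-03-20T10:03:11Z 10.0.0.21 CONNECT {C2_DOMAIN}:443 200 -",
    f"2020-03-20T11:15:00Z 10.0.0.34 GET http://{LURE_DOMAIN.upper()}/ 200 -",
    f"2020-03-20T11:20:00Z 10.0.0.55 GET https://{C2_DOMAIN}//connection.php?data=QUJD 200 -",
    f"2020-03-20T11:25:00Z 10.0.0.60 GET http://not{LURE_DOMAIN}/update.exe 404 -",
    f"2020-03-20T11:30:00Z 10.0.0.61 GET http://mirror.example/setup.exe 200 {DROPPER_SHA256}",
    "truncated line",
]

if __name__ == "__main__":
    for client, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(client, verdict)
```

Where the proxy does not inspect TLS, only the CONNECT line is logged, so the domain match is the one that fires; the path and hash matches need decrypted or plain-HTTP traffic.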
Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers.

As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point.

Corona antivirus: 100% fake

The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world.

To add to the nonsense, the site goes on by adding:

“Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running.”

Infected victims added to BlackNET RAT

Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida, turns your PC into a bot ready to receive commands:

hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed]
hxxps[://]instaboom-hello[.]site//g

The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet.

The full source code for this toolkit was published on GitHub a month ago. Some of its features include:

Deploying DDoS attacks
Taking screenshots
Stealing Firefox cookies
Stealing saved passwords
Implementing a keylogger
Executing scripts
Stealing Bitcoin wallets

Choose the right protection

During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is.

We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends.

Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our machine learning engine.

We also informed Cloudflare since the threat actors were abusing their service, and they took immediate action to flag this website as a phish.

Indicators of compromise

Malicious site
antivirus-covid19[.]site

Bogus corona antivirus
antivirus-covid19[.]site/update.exe
146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4

C2 panel
instaboom-hello[.]site
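A hunting sketch for the network indicators published in this article, added here as an example and not taken from Malwarebytes or from the BlackNET code: it refangs the indicators and labels matching requests in web proxy logs, using exact or subdomain host matching so that look-alike hosts do not produce hits. The log layout (timestamp, client, method, URL, status), the label names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicators as published in the article, kept defanged in the source file.
LURE_SITE = "antivirus-covid19[.]site"
PAYLOAD_URL = "antivirus-covid19[.]site/update.exe"
C2_BEACON = "hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed]"


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp, [.], [://]) back into matchable form."""
    out = re.sub(r"^hxxp", "http", indicator, flags=re.IGNORECASE)
    return out.replace("[://]", "://").replace("[.]", ".").replace("[:]", ":")


def split_url(url: str):
    """Return (host, normalised_path, query_keys) for a URL or a bare host[:port]."""
    if "://" not in url:
        url = "//" + url  # lets urlsplit treat 'host:443' as a network location
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    path = re.sub(r"/{2,}", "/", parts.path) or "/"  # '//connection.php' -> '/connection.php'
    return host, path, set(parse_qs(parts.query, keep_blank_values=True))


def host_in(host: str, domain: str) -> bool:
    """Exact or subdomain match; a plain substring test would hit look-alike hosts."""
    return host == domain or host.endswith("." + domain)


# Matching rules derived from the published indicators rather than retyped by hand.
LURE_HOST = split_url(refang(LURE_SITE))[0]
PAYLOAD_PATH = split_url(refang(PAYLOAD_URL))[1]
C2_HOST, BEACON_PATH, BEACON_KEYS = split_url(refang(C2_BEACON))


def classify(url: str):
    """Map one requested URL to a finding label, or None when it is unrelated."""
    host, path, keys = split_url(url)
    if host_in(host, C2_HOST):
        if path.lower() == BEACON_PATH and BEACON_KEYS <= keys:
            return "c2-beacon"
        return "c2-contact"
    if host_in(host, LURE_HOST):
        return "payload-download" if path.lower() == PAYLOAD_PATH else "lure-visit"
    return None


def scan(lines):
    """Return (client_ip, label, url) for every log line that hits an indicator."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or truncated line
        _ts, client, _method, url, _status = fields[:5]
        try:
            label = classify(url)
        except ValueError:
            continue  # URL that urlsplit refuses to parse
        if label:
            hits.append((client, label, url))
    return hits


def sample_log():
    """Constructed proxy log lines (not real telemetry), built from the refanged IoCs."""
    lure, c2 = LURE_HOST, C2_HOST
    return [
        f"2020-03-22T09:58:11Z 10.0.0.15 GET http://{lure}/ 200",
        f"2020-03-22T09:58:40Z 10.0.0.15 GET http://{lure}/update.exe 200",
        f"2020-03-22T10:01:07Z 10.0.0.15 GET https://{c2}//connection.php?data=PLACEHOLDER 200",
        f"2020-03-22T10:01:09Z 10.0.0.22 CONNECT {c2.upper()}:443 200",
        # Look-alike hosts and an unrelated site that must not match:
        f"2020-03-22T10:02:00Z 10.0.0.30 GET http://not{lure}/update.exe 200",
        f"2020-03-22T10:02:05Z 10.0.0.31 GET http://{c2}.example.com/connection.php?data=1 200",
        "2020-03-22T10:03:00Z 10.0.0.40 GET https://www.example.org/update.exe 200",
    ]


if __name__ == "__main__":
    for client, label, url in scan(sample_log()):
        # Defang again on output so the report is safe to paste into a ticket.
        print(f"{client:<12} {label:<17} {url.replace('.', '[.]')}")
```

A host that shows a payload-download followed by a c2-beacon is the sequence the article describes; the SHA-256 from the indicator list can then be compared against the downloaded file on that endpoint.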
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1650 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1651 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. 
Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1652 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1653 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1654 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1655 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. 
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1656 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1657 of 1696 Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1658 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1659 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1660 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1661 of 1696 The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1662 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1663 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. 
Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1664 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1665 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1666 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1667 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. 
The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1668 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1669 of 1696 hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. The full source code for this toolkit was published on GitHub a month ago. 
Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1670 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1671 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1672 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. 
The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1673 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1674 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1675 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1676 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1677 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. 
The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1678 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1679 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1680 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1681 of 1696 Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1682 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1683 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. 
The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1684 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1685 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1686 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. 
Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1687 of 1696 app is running. Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1688 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1689 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. 
Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1690 of 1696 We also informed CloudFlare since the threat actors were abusing their service and they took immediate action to flag this website as a phish. Indicators of compromise Malicious site antivirus-covid19[.]site Bogus corona antivirus antivirus-covid19[.]site/update.exe 146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4 C2 panel instaboom-hello[.]site Scammers and malware authors are taking advantage of the coronavirus crisis in full swing. We have seen a number of spam campaigns using COVID-19 as a lure to trick people into installing a variety of malware, but especially data stealers. As more of us work from home, the need to secure your computer, especially if you are connecting to your company’s network, becomes more important. However, you should be extra careful of bogus security software, especially if it tries to use the coronavirus as a selling point. Corona antivirus: 100% fake The latest scam we found is a website (antivirus-covid19[.]site) advertising “Corona Antivirus -World’s best protection.” That’s right, scammers are trying to get you to install a digital antivirus that supposedly protects against the actual COVID-19 virus infecting people across the world. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1691 of 1696 To add to the nonsense, the site goes on by adding: Our scientists from Harvard University have been working on a special AI development to combat the virus using a windows app. Your PC actively protects you against the Coronaviruses (Cov) while the app is running. 
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1692 of 1696 Infected victims added to BlackNET RAT Upon installing this application, your computer will be infected with malware. The file, packed with the commercial packer Themida turns your PC into a bot ready to receive commands: hxxps[://]instaboom-hello[.]site//connection[.]php?data=[removed] hxxps[://]instaboom-hello[.]site//g The command and control server hosted at instaboom-hello[.]site reveals the control panel for the BlackNET botnet. https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1693 of 1696 The full source code for this toolkit was published on GitHub a month ago. Some of its features include: Deploying DDOS attacks Taking screenshots Stealing Firefox cookies Stealing saved passwords Implementing a keylogger Executing scripts Stealing Bitcoin wallets https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ Page 1694 of 1696 Choose the right protection During this period, it is important to stay safe both at home and online. The number of scams we have seen during these past few weeks shows that criminals will take advantage of any situation, no matter how dire it is. We recommend that you keep your computer up to date and use extra caution when downloading new programs. Beware of instant notifications and other messages, even if they appear to come from friends. Malwarebytes users were already protected even though we had not seen this malware sample before, thanks to our Machine learning engine. 
Source: https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/
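One way to hunt for this article's indicators in web-proxy logs, as an added example that is not part of the original article or of any Malwarebytes tooling. The indicators are the ones published on the page (kept defanged in the source and refanged at run time); the log layout (timestamp, client, target, optional SHA-256), the rule names and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators exactly as published in the article, kept defanged in source.
DEFANGED_DROPPER = "antivirus-covid19[.]site/update.exe"
DEFANGED_CHECKIN = "hxxps[://]instaboom-hello[.]site//connection[.]php?data="
DROPPER_SHA256 = "146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4"


def refang(value):
    """Turn a defanged indicator back into a matchable string."""
    return value.replace("hxxp", "http").replace("[://]", "://").replace("[.]", ".")


def parse_target(target):
    """Return (host, normalised path, query) for a URL or a bare host[:port]."""
    if "://" not in target:
        target = "//" + target          # lets urlsplit treat a bare host as netloc
    try:
        parts = urlsplit(target)
        host = (parts.hostname or "").rstrip(".")
    except ValueError:                  # malformed netloc in a log line
        return "", "/", ""
    # Collapse repeated slashes: the published check-in URL uses "//connection.php".
    path = re.sub(r"/{2,}", "/", parts.path or "/")
    return host, path, parts.query


# Matchers are derived from the published strings instead of being retyped.
LURE_HOST, DROPPER_PATH, _ = parse_target(refang(DEFANGED_DROPPER))
C2_HOST, CHECKIN_PATH, _ = parse_target(refang(DEFANGED_CHECKIN))


def host_matches(host, domain):
    """Exact match or subdomain match; a lookalike prefix does not count."""
    return host == domain or host.endswith("." + domain)


def classify(target, sha256="-"):
    """Return the names of the (hypothetical) rules that one request triggers."""
    host, path, query = parse_target(target)
    hits = []
    if host_matches(host, LURE_HOST):
        hits.append("dropper-download" if path.lower() == DROPPER_PATH else "lure-visit")
    if host_matches(host, C2_HOST):
        checkin = (path.lower() == CHECKIN_PATH
                   and "data" in parse_qs(query, keep_blank_values=True))
        # Without TLS inspection only the host is visible, hence the fallback rule.
        hits.append("c2-checkin" if checkin else "c2-contact")
    if sha256.lower() == DROPPER_SHA256:
        hits.append("dropper-hash")
    return hits


def hunt(log_lines):
    """Scan 'timestamp client target [sha256]' lines; return (line_no, client, rules)."""
    findings = []
    for line_no, line in enumerate(log_lines, start=1):
        fields = line.split()
        if len(fields) < 3:
            continue                    # skip truncated or malformed lines
        client, target = fields[1], fields[2]
        sha256 = fields[3] if len(fields) > 3 else "-"
        rules = classify(target, sha256)
        if rules:
            findings.append((line_no, client, rules))
    return findings


# Constructed sample log (not real traffic); the data= value is a placeholder.
SAMPLE_LOG = [
    "2020-03-22T09:00:00Z 10.0.0.4 https://example.org/index.html -",
    f"2020-03-22T09:01:10Z 10.0.0.5 http://{LURE_HOST}/update.exe {DROPPER_SHA256}",
    f"2020-03-22T09:02:30Z 10.0.0.5 https://{C2_HOST}//connection.php?data=QUJD -",
    f"2020-03-22T09:03:00Z 10.0.0.7 {C2_HOST}:443 -",
    f"2020-03-22T09:04:00Z 10.0.0.8 https://not{LURE_HOST}/update.exe -",
    f"2020-03-22T09:05:00Z 10.0.0.9 HTTPS://WWW.{LURE_HOST.upper()}/ -",
]

if __name__ == "__main__":
    for line_no, client, rules in hunt(SAMPLE_LOG):
        print(f"line {line_no}: client {client} -> {', '.join(rules)}")
```

A client that shows both a dropper download and a later C2 check-in (10.0.0.5 in the constructed sample) is the one to triage first, since that sequence matches the infection flow the article describes.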