{
	"id": "db125202-22a1-4cc8-892e-ad7c0c58178c",
	"created_at": "2026-04-06T00:07:13.124155Z",
	"updated_at": "2026-04-10T13:11:36.362357Z",
	"deleted_at": null,
	"sha1_hash": "409050d0e580c6418f154666220179bbf4480fea",
	"title": "Netwalker Ransomware Infecting Users via Coronavirus Phishing",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1554671,
	"plain_text": "Netwalker Ransomware Infecting Users via Coronavirus Phishing\r\nBy Lawrence Abrams\r\nPublished: 2020-03-21 · Archived: 2026-04-05 17:45:49 UTC\r\nAs if people did not have enough to worry about, attackers are now targeting them with Coronavirus (COVID-19) phishing\r\nemails that install ransomware.\r\nWhile we do not have access to the actual phishing email being sent, MalwareHunterTeam was able to find an attachment\r\nused in a new Coronavirus phishing campaign that installs the Netwalker Ransomware.\r\nNetwalker is a ransomware formerly called Mailto that has become active recently as it targets the enterprise and\r\ngovernment agencies. Two widely reported attacks related to Netwalker are the ones on the Toll Group and the Champaign\r\nUrbana Public Health District (CHUPD) in Illinois.\r\nThe new Netwalker phishing campaign is using an attachment named \"CORONAVIRUS_COVID-19.vbs\" that contains an\r\nembedded Netwalker Ransomware executable and obfuscated code to extract and launch it on the computer.\r\nVBS Attachment\r\nWhen the script is executed, the executable will be saved to %Temp%\\qeSw.exe and launched.\r\nNetwalker Executable\r\nOnce executed, the ransomware will encrypt the files on the computer and append a random extension to encrypted file\r\nnames.\r\nVitali Kremez, head of SentinelLabs, the research division of SentinelOne, told BleepingComputer that this version of the\r\nransomware specifically avoids terminating the Fortinet endpoint protection client.\r\nWhen asked why they would do that, Kremez stated it may be to avoid detection.\r\n\"I suppose it might be because they have already disabled the anti-virus functionality directly from the customer admin\r\npanel; however, they do not want to trip an alarm by terminating the clients,\" Kremez told BleepingComputer.\r\nWhen done, victims will find a ransom note named [extension]-Readme.txt that contains instructions on how to access the\r\nransomware's Tor payment site to pay the ransom demand.\r\nNetwalker Ransom Note\r\nUnfortunately, at this time there is no known weakness in the ransomware that would allow victims to decrypt their files for\r\nfree.\r\nInstead, victims will need to either restore from backup or recreate the missing files.\r\nCoronavirus attacks have become common\r\nDue to the ongoing Coronavirus pandemic, threat actors have actively started using the outbreak as a theme for their\r\nphishing campaigns and malware.\r\nWe have seen the TrickBot trojan using text from Coronavirus related news stories to evade detection, a ransomware called\r\nCoronaVirus, the data-stealing FormBook malware spread through phishing campaigns, and even an email extortion\r\ncampaign threatening to infect your family with Coronavirus.\r\nThis has led the US Cybersecurity and Infrastructure Security Agency (CISA) to issue warnings about the rise of\r\nCoronavirus-themed scams and the World Health Organization (WHO) to release warnings of phishing scams impersonating\r\ntheir organization.\r\nAs threat actors commonly take advantage of topics that spread anxiety and fear, everyone must be more diligent than ever\r\nagainst suspicious emails and the promotion of programs from unknown sources.\r\nSource: https://www.bleepingcomputer.com/news/security/netwalker-ransomware-infecting-users-via-coronavirus-phishing/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/netwalker-ransomware-infecting-users-via-coronavirus-phishing/"
	],
	"report_names": [
		"netwalker-ransomware-infecting-users-via-coronavirus-phishing"
	],
	"threat_actors": [],
	"ts_created_at": 1775434033,
	"ts_updated_at": 1775826696,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/409050d0e580c6418f154666220179bbf4480fea.pdf",
		"text": "https://archive.orkl.eu/409050d0e580c6418f154666220179bbf4480fea.txt",
		"img": "https://archive.orkl.eu/409050d0e580c6418f154666220179bbf4480fea.jpg"
	}
}