{
	"id": "ce8da28b-c40b-4515-8747-28a87f8e5d14",
	"created_at": "2026-04-06T00:19:53.974438Z",
	"updated_at": "2026-04-10T03:36:36.651623Z",
	"deleted_at": null,
	"sha1_hash": "9a30faa90743dc47e204062e1d31c61ee88e1a8a",
	"title": "Hackers are still running coronavirus-related campaigns, CrowdStrike warns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 38982,
	"plain_text": "Hackers are still running coronavirus-related campaigns,\r\nCrowdStrike warns\r\nBy Shannon Vavra\r\nPublished: 2020-06-24 · Archived: 2026-04-05 17:36:37 UTC\r\nAlthough many municipalities around the world have begun to ease up on stay-at-home orders, hackers are still\r\nrunning spearphishing and disinformation campaigns taking advantage of the pandemic.\r\nAdam Meyers, CrowdStrike’s Vice President of Intelligence, says nation-state and criminal spearphishing\r\ncampaigns that leverage COVID-19 themed lures are still on the rise.\r\n“We’ve been seeing an increase of … behavior of social engineering where they’re impersonating things like the\r\nWHO, CDC, HHS, hospitals, healthcare [entities], and even insurance companies to entice people to click links or\r\nto click on phishing [and] open files,” Meyers said Wednesday while speaking at the virtual CrowdStrike’s\r\nFal.Con for Public Sector Conference, produced by FedScoop and CyberScoop. “This is an increasing problem\r\nand it demonstrates that the threat actors have found an unprecedented level of awareness around COVID-19…\r\nand they’re taking advantage of that and they’re capitalizing on it.”\r\nHackers working for China, Russia, Iran, North Korea, Pakistan, and India, as well as hacktivists and criminals,\r\nhave each been using COVID-19 themed lures to either seek out information on coronavirus vaccines or collect\r\ninformation on how to respond to the pandemic, says Meyers.\r\nThe FBI and Department of Homeland Security have alleged that Chinese government hackers in particular have\r\nbeen targeting medical research entities focused on finding vaccines or treatments for COVID-19.\r\nAnd as the pandemic continues to roil economies around the world, hackers are also continuing to spoof\r\ngovernment relief packages in their spearphishing efforts, Meyers said.\r\n“We’ve seen them spoofing things like the U.S. 
Small Business Administration, the IRS, Her Majesty’s Revenue\r\nand Customs, the government of Canada, the government of France, and again sending a link or attachment,\r\nsaying, ‘Hey, we have a package for you … sign this digitally and we’ll send you the money right away,’” Meyers\r\nsaid.\r\nRansomware actors have also been running pandemic-related hacking campaigns, Meyers said, including\r\nTraveling Spider, which has been impersonating healthcare organizations, and Circus Spider, the actors behind\r\nNetWalker ransomware, which generally targets hospitals in the U.S. and Spain.\r\nJust in the last several days, hackers behind NetWalker said they had attacked a Philadelphia-area health system.\r\nOne active ransomware actor, which CrowdStrike refers to as Graceful Spider, is known to engage in leaking\r\nstolen victim data in order to force payment, an increasingly popular tactic among ransomware campaigns,\r\nMeyers said.\r\nEfforts to run information operations about the pandemic that paint China in a positive light are ongoing, Meyers\r\nadded. Some “manufactured videos” depicting Italians singing “thank you, China” from their balconies have\r\ncirculated online, for example. 
Chinese efforts to spread disinformation about the pandemic have also included\r\ncampaigns questioning the origin of the coronavirus, which is believed to have originated in China, and cracking\r\ndown on dissent online, according to CrowdStrike.\r\nSocial media bots, which have alphanumeric handles and were dormant for long periods before spreading pro-China messages, have recently amplified official Chinese posts, such as those from Chinese embassies, Meyers\r\nadded.\r\n“That’s pretty much a red flag in terms of influence operations on [platforms] like Twitter,” Meyers said.\r\nSource: https://www.cyberscoop.com/coronavirus-hacking-disinformation-ransomware-spearphishing/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.cyberscoop.com/coronavirus-hacking-disinformation-ransomware-spearphishing/"
	],
	"report_names": [
		"coronavirus-hacking-disinformation-ransomware-spearphishing"
	],
	"threat_actors": [
		{
			"id": "53201ab8-30d2-4722-816e-f914604e78df",
			"created_at": "2022-10-25T16:07:23.466825Z",
			"updated_at": "2026-04-10T02:00:04.620188Z",
			"deleted_at": null,
			"main_name": "Circus Spider",
			"aliases": [],
			"source_name": "ETDA:Circus Spider",
			"tools": [
				"Koko Ransomware",
				"MailTo",
				"NetWalker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8b7faa58-947b-4530-ab1f-250a0370aabf",
			"created_at": "2022-10-25T16:07:24.34248Z",
			"updated_at": "2026-04-10T02:00:04.945921Z",
			"deleted_at": null,
			"main_name": "Traveling Spider",
			"aliases": [
				"Gold Mansard"
			],
			"source_name": "ETDA:Traveling Spider",
			"tools": [
				"7-Zip",
				"AdFind",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Nefilim",
				"Nemty",
				"Nephilim",
				"Network Password Recovery",
				"PsExec",
				"smbtool"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1c76f1b6-a05b-4dba-82ea-07011b47c6cd",
			"created_at": "2023-01-06T13:46:39.201507Z",
			"updated_at": "2026-04-10T02:00:03.244851Z",
			"deleted_at": null,
			"main_name": "TRAVELING SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:TRAVELING SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "373d61cc-32a0-4c0c-b48b-ff9e3f1357ac",
			"created_at": "2023-01-06T13:46:39.222456Z",
			"updated_at": "2026-04-10T02:00:03.250483Z",
			"deleted_at": null,
			"main_name": "CIRCUS SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:CIRCUS SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434793,
	"ts_updated_at": 1775792196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9a30faa90743dc47e204062e1d31c61ee88e1a8a.pdf",
		"text": "https://archive.orkl.eu/9a30faa90743dc47e204062e1d31c61ee88e1a8a.txt",
		"img": "https://archive.orkl.eu/9a30faa90743dc47e204062e1d31c61ee88e1a8a.jpg"
	}
}