{
	"id": "8c0232db-265f-4369-841d-62d42acb8d54",
	"created_at": "2026-04-06T00:13:30.60882Z",
	"updated_at": "2026-04-10T13:12:19.67354Z",
	"deleted_at": null,
	"sha1_hash": "b0bb336120c7807536ee223bc9d5805caa610885",
	"title": "Cyber Crime During the Covid Pandemic | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2999934,
	"plain_text": "Cyber Crime During the Covid Pandemic | Proofpoint US\r\nBy Axel F, Sam Scholten, March 18, 2020\r\nPublished: 2020-03-18 · Archived: 2026-04-05 18:03:39 UTC\r\nOverview\r\nProofpoint researchers have tracked attackers leveraging the coronavirus pandemic since January 29, 2020. This blog serves as an\r\nupdate of the overall threat landscape and includes selected examples to highlight what we are seeing.\r\nCurrently, attackers are using coronavirus themes for nearly all types of attacks, including (but not limited to) business email\r\ncompromise (BEC), credential phishing, malware, and spam email campaigns.\r\nThe targeting of these attacks has ranged from extremely broad to narrowly focused, and campaign volumes have fluctuated\r\nbetween small and large. Attribution includes both well-known and unknown threat actors. Some of the well-known threat\r\nactors include TA505 and TA542.\r\nWe’ve observed attacks around the world, most notably in Italy, the Czech Republic, Japan, the United States, Canada,\r\nAustralia, and Turkey. In addition to English, attackers have used Italian, Czech, Japanese, Spanish, and French\r\nwithin their messages.\r\nWhile all industries have been targeted, we’ve seen specific targeting of healthcare, education, manufacturing, media,\r\nadvertising, and hospitality organizations in certain campaigns.\r\nAttackers are actively abusing the names and logos of many companies and organizations within these campaigns in an\r\nattempt to manipulate recipients. Of particular note is the spoofing and brand abuse of national and international health\r\norganizations around the world, including the World Health Organization (WHO), the United States Centers for Disease\r\nControl (CDC), and Canadian and Australian national health organizations.\r\nThreat actors have launched coronavirus campaigns to spread remote access Trojans (RATs), keyloggers, information\r\nstealers, and bankers. 
We are also seeing credential phishing campaigns with this theme. For example, we observed\r\nattempts to harvest credentials for Facebook, DocuSign, Microsoft Outlook Web Access (OWA), Microsoft OneDrive, and\r\nuniversities around the world.\r\nWe expect attackers will continue to leverage coronavirus themes in their attacks for some time to come. Proofpoint\r\nresearchers will continue to track closely and provide updates on our blog and through our Threat Insight Twitter handle.\r\nBelow are several notable examples of what we’ve seen.\r\nBEC Attempt: “People tested positive downtown so I can’t go out right now”\r\nKey Points: BEC attackers use the claim of positive coronavirus tests in their area to start an email conversation.\r\nhttps://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update\r\nPage 1 of 17\n\nBEC Attempt Summary:\r\nThis BEC email attempts to capitalize on current events and the global shift towards quarantine to prevent further spreading\r\nof coronavirus. BEC actors often try to convey a sense of urgency or immediate need. In this attack, the urgency is present in\r\nthe subject line: \"Urgent Reply needed about corona virus\" [sic].\r\nBEC attacks are often delivered in stages. The first email sent is typically innocuous, meaning that it does not contain the\r\nattacker's end goal. The attackers craft plausible scenarios in hopes the recipient will reply. Once they’re on the hook, the\r\nattacker will send their true ask (I need you to buy gift cards, wire transfer funds, etc.).\r\nThese coronavirus-themed BEC attacks often come with spoofed display names, which are likely real people known to the\r\nrecipient. 
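As an added illustration, not part of the original post and not Proofpoint code, the following Python triage check covers the two tells described in this section: a trusted display name arriving from the wrong mailbox, and pressure wording that pushes for a reply while heading off a phone call. The directory, internal domain list, phrase lists and both sample messages are constructed for the example; the Reply-To comparison is a standard BEC check added beyond what the post lists.

```python
import email.utils
from email.message import EmailMessage

# Hypothetical internal directory (constructed): display names a recipient
# would recognise, mapped to the mailbox each person really sends from.
DIRECTORY = {
    'jane doe': 'jane.doe@example.com',
    'john smith': 'john.smith@example.com',
}
INTERNAL_DOMAINS = {'example.com'}

# Pressure wording in the style of the lure subject above, plus common variants (assumed).
URGENCY_TERMS = ('urgent', 'reply needed', 'immediately', 'asap')
# Wording that heads off a phone call, as in the lure that called the phone faulty.
NO_CALL_TERMS = ('phone is faulty', 'cannot take calls', 'in a meeting', 'do not call')


def normalize_name(name):
    # Jane  DOE and jane doe should hit the same directory entry.
    return ' '.join(name.lower().split())


def sender_domain(addr):
    return addr.rsplit('@', 1)[-1].lower() if '@' in addr else ''


def assess_bec(msg):
    '''Return a list of findings for one message; an empty list means nothing matched.'''
    findings = []
    name, addr = email.utils.parseaddr(msg.get('From', ''))
    expected = DIRECTORY.get(normalize_name(name))
    if expected and addr.lower() != expected:
        findings.append('display-name spoof: %s expected from %s, got %s' % (name, expected, addr))
        if sender_domain(addr) not in INTERNAL_DOMAINS:
            findings.append('known internal name sent from external domain ' + sender_domain(addr))
    # Reply-To pointing elsewhere is a standard BEC tell, added here beyond what the post lists.
    _, reply_to = email.utils.parseaddr(msg.get('Reply-To', ''))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append('reply-to %s differs from sender %s' % (reply_to, addr))
    subject = msg.get('Subject', '').lower()
    if any(term in subject for term in URGENCY_TERMS):
        findings.append('urgency in subject')
    body = msg.get_content().lower()
    if any(term in body for term in NO_CALL_TERMS):
        findings.append('deflects voice verification')
    return findings


def is_likely_bec(msg):
    # Identity mismatch alone is noisy (people do mail from personal boxes);
    # identity mismatch combined with pressure or call avoidance is worth holding.
    findings = assess_bec(msg)
    identity = any(f.startswith(('display-name spoof', 'known internal', 'reply-to')) for f in findings)
    pressure = any(f in ('urgency in subject', 'deflects voice verification') for f in findings)
    return identity and pressure


def build(sender, subject, body, reply_to=None):
    # Helper to construct sample messages; real use would parse with email.message_from_bytes.
    msg = EmailMessage()
    msg['From'] = sender
    msg['To'] = 'staff@example.com'
    msg['Subject'] = subject
    if reply_to:
        msg['Reply-To'] = reply_to
    msg.set_content(body)
    return msg


# Constructed samples: the first mirrors the lure described above, the second is benign.
LURE = build('Jane Doe <jane.doe.office@example.net>',
             'Urgent Reply needed about corona virus',
             'People tested positive downtown so I cannot go out right now. '
             'My phone is faulty at the moment, so just reply to this email.',
             reply_to='jane.doe.office@example.org')
LEGIT = build('Jane Doe <jane.doe@example.com>',
              'Q2 planning notes',
              'Here are the notes from this morning, see you at the stand-up.')

if __name__ == '__main__':
    for label, msg in (('lure', LURE), ('legit', LEGIT)):
        print(label, is_likely_bec(msg), assess_bec(msg))
```

Run it over a parsed message and hold anything where is_likely_bec is true for a human look; urgency wording on its own is far too common to act on, which is why the decision requires an identity finding as well.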
In the body of this message, the actor attempts to eliminate the possibility of voice verification, in hopes of\r\nensuring a higher success rate, by saying their phone is \"faulty at the moment.\"\r\nCredential Phish: Microsoft Office\r\nKey Points: Attackers use credible, customized, fake internal emails for credential phishing attacks targeting the healthcare\r\nindustry.\r\nMicrosoft Office Credential Phish Summary:\r\nThese attacks targeted companies in the healthcare industry. Our researchers found that the\r\nemails were highly customized to each target to increase their credibility. They claimed to be from the targeted company's\r\nactual president and used the targeted company name and president’s name multiple times in the email.\r\nThe messages conveyed information about halting all travel to China and contained an attached Word document with a link\r\ninside of it. If a user clicked the link, they were brought to a spoofed Microsoft Office branded credential phishing site\r\nthat asked for an email login and password.\r\nCredential Phish: Outlook Web Access (OWA)\r\nKey Points: Attackers use an employee survey about coronavirus to target Outlook Web Access credentials.\r\nOutlook Web Access Credential Phish Summary:\r\nThese emails claim to be from an organization’s IT department and pose as an awareness and education\r\nmessage for employees around coronavirus. The email asks the recipient to click on the link to take a survey and register for a\r\nhealth safety awareness seminar. 
If a recipient clicks the link, they’re taken to a credential phishing page that asks for their\r\nOutlook Web Access (OWA) credentials.\r\nCredential Phish: Italian Email Credential Phish\r\nKey Points: Attackers use an Italian-language lure around the spread of coronavirus to capture email credentials.\r\nItalian Email Credential Phish Summary:\r\nOn February 26, 2020, Proofpoint researchers observed an email credential phishing campaign targeting Italy. It was written\r\nin Italian and urged recipients to protect themselves as the virus was spreading and many were infected. If they\r\nclicked on the URL in the email, they were presented with an email credential phishing page. The credential phishing\r\nlanding page also used custom coronavirus-themed graphics.\r\nMalware: Ostap / The Trick Banker\r\nKey Points: Campaigns targeting Italy and the Czech Republic with WHO lures.\r\nOstap / The Trick Banker Malware Summary:\r\nIn March 2020, we’ve seen multiple instances of attackers attempting to deliver malicious Word macro documents in Italy\r\nand the Czech Republic. These emails claim to come from local medical professionals, for example, “Dr. 
Penelope Marchetti\r\n(World Health Organization - Italy)” with an attachment that supposedly contains an update on infection cases in their area.\r\nIf the recipient enables macros in the attachment, the document drops and runs the Ostap JavaScript downloader, which\r\nin these instances downloaded The Trick “red5” banker.\r\nItaly is currently one of the most targeted regions we’ve observed within this attack theme, with multiple malware\r\nand phishing threat actors attempting to deliver malicious emails using coronavirus lures.\r\nMalware: Get2 Downloader\r\nKey Points: Threat actor TA505 targets pharmaceutical and manufacturing industries in the United States.\r\nGet2 Downloader Malware Summary:\r\nOn March 10, 2020, Proofpoint researchers observed thousands of emails primarily targeting pharmaceutical and\r\nmanufacturing companies in the United States. The emails claimed to contain information about how to “protect your friends”\r\nfrom coronavirus and urged the recipient to click on a link.\r\nIf the recipient clicked on the link, they were taken to a web page where they had to click on another link, which\r\nthen downloaded a malicious Excel document. If the recipient opened the Excel document and also enabled\r\nmacros, the macros executed an embedded Get2 loader. Get2 typically downloads the SDBbot RAT.\r\nWhile the email lure is simple and not particularly compelling compared to others we observed, this campaign was\r\ndistributed by TA505, a threat actor tracked by Proofpoint. 
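Both the Ostap chain above (Word macro dropping a JavaScript downloader) and the Get2 chain (Excel macro executing a loader) start with an Office process launching a child it has no business launching. The detection logic below is an added example, not code from Proofpoint or from the post: it runs over constructed process-creation events shaped like Sysmon Event ID 1 records. The field names, the paths, the rundll32 invocation standing in for the loader stage, and the staging-directory list are assumptions for illustration; the Ostap and Get2 chains were not observed producing exactly these command lines.

```python
import ntpath

# Office parents and the children that the macro chains above hand off to.
OFFICE_APPS = {'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe'}
SCRIPT_HOSTS = {'wscript.exe', 'cscript.exe', 'mshta.exe'}
LOLBINS = {'powershell.exe', 'cmd.exe', 'rundll32.exe', 'regsvr32.exe',
           'certutil.exe', 'msiexec.exe', 'bitsadmin.exe'}
# Directories a macro can write to without elevation; payloads are usually staged here (assumed list).
STAGING_DIRS = ('\\appdata\\', '\\temp\\', '\\users\\public\\', '\\programdata\\')


def image_name(path):
    # ntpath handles Windows separators even when the rule runs on Linux.
    return ntpath.basename(path).lower()


def classify(event):
    '''Return an alert dict for a suspicious Office child process, or None.'''
    parent = image_name(event['ParentImage'])
    child = image_name(event['Image'])
    if parent not in OFFICE_APPS or child not in (SCRIPT_HOSTS | LOLBINS):
        return None
    cmd = event['CommandLine'].lower()
    reasons = ['%s spawned %s' % (parent, child)]
    script_arg = any(tok.strip('\"').endswith(('.js', '.jse', '.vbs', '.hta')) for tok in cmd.split())
    if child in SCRIPT_HOSTS and (script_arg or 'jscript' in cmd):
        reasons.append('script payload, as with the Ostap JavaScript downloader')
    if any(d in cmd for d in STAGING_DIRS):
        reasons.append('payload under a user-writable staging directory')
    if 'http://' in cmd or 'https://' in cmd:
        reasons.append('URL on the command line')
    return {
        'time': event['UtcTime'],
        'parent': parent,
        'child': child,
        'severity': 'high' if len(reasons) > 1 else 'medium',
        'reasons': reasons,
    }


def detect(events):
    return [alert for alert in map(classify, events) if alert]


# Constructed events, loosely shaped like Sysmon Event ID 1 fields; not real telemetry.
SAMPLE_EVENTS = [
    {'UtcTime': '2020-03-12 09:14:03',
     'ParentImage': 'C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE',
     'Image': 'C:\\Windows\\System32\\wscript.exe',
     'CommandLine': 'wscript.exe //E:jscript C:\\Users\\alice\\AppData\\Local\\Temp\\report.js'},
    {'UtcTime': '2020-03-10 14:02:51',
     'ParentImage': 'C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE',
     'Image': 'C:\\Windows\\System32\\rundll32.exe',
     'CommandLine': 'rundll32.exe C:\\Users\\alice\\Documents\\stage.dll,#1'},
    {'UtcTime': '2020-03-10 14:05:00',
     'ParentImage': 'C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE',
     'Image': 'C:\\Windows\\splwow64.exe',
     'CommandLine': 'C:\\Windows\\splwow64.exe 12288'},
    {'UtcTime': '2020-03-10 14:06:12',
     'ParentImage': 'C:\\Windows\\explorer.exe',
     'Image': 'C:\\Windows\\System32\\cmd.exe',
     'CommandLine': 'cmd.exe /c dir'},
]

if __name__ == '__main__':
    for alert in detect(SAMPLE_EVENTS):
        print(alert['severity'], alert['time'], '; '.join(alert['reasons']))
```

The parent-child pair alone is the reliable signal; the command-line checks only raise severity, because a legitimate add-in can occasionally spawn cmd.exe, whereas Word running a .js out of a Temp directory has essentially no benign explanation.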
The group is known for its large campaigns, experimentation\r\nwith a variety of delivery mechanisms, and distribution of ransomware, bankers, and RATs.\r\nMalware: Ursnif Banker\r\nKey Points: Threat actor TA564, which regularly targets Canada, launches an email campaign targeting “parents and guardians”\r\nand spoofs the Public Health Agency of Canada.\r\nUrsnif Banker Malware Summary:\r\nOn March 10, 2020, Proofpoint researchers observed an email campaign targeting Canadian users claiming to be from the\r\nPublic Health Agency of Canada. It addressed \"parents and guardians\" with an update from the spoofed health agency. This\r\nclearly sought to leverage parents’ emotions about their children’s wellbeing and increase the attack’s success rate.\r\nThe email contained a URL linking to a compressed Microsoft Word document (named Coronavirus_disease_COVID-19__461657952561561.doc) with macros. If the recipient enabled the macros, they would download and install the Ursnif\r\nbanker.\r\nWe attribute this activity to threat actor TA564. This threat actor typically targets Canada with false shipping lures, such as\r\nCanada Post and DHL, and has attempted to deliver Ursnif, DanaBot, and Nymaim in the past.\r\nMalware: GuLoader and Agent Tesla\r\nKey Points: Campaign exploits Equation Editor vulnerabilities to load GuLoader and Agent Tesla.\r\nGuLoader and Agent Tesla Malware Summary:\r\nProofpoint researchers found this email, dated March 5, 2020, which seeks to capitalize on fears around the spread of\r\ncoronavirus in the United States. It contained a message about affected areas in America (and the European continent),\r\nincluding shops. 
The malicious attachment titled “COVID 19_List_cities_names.xlam” supposedly contained a list of\r\nimpacted city names.\r\nWhen the recipient opened the malicious attachment, it attempted to exploit Equation Editor vulnerabilities to download\r\nGuLoader, which in turn would download Agent Tesla.\r\nMalware: Remcos\r\nKey Points: Campaign impersonating Philippines Customs to deliver Remcos.\r\nRemcos Malware Summary:\r\nOn March 16, 2020, Proofpoint researchers observed an email campaign targeting various international companies. The\r\nemails impersonated the Philippines customs agency and claimed to contain information about new regulations on imports as\r\nwell as suspended goods. This is an interesting lure, since trade suspensions and regulations potentially have a greater\r\nimpact than even travel restrictions.\r\nThese emails contained Microsoft OneDrive URLs leading to a compressed Remcos RAT executable.\r\nSpam: Pandemic Survival Course\r\nKey Points: Spam campaign promoting a survival course containing everything you supposedly need to know about the\r\ncoronavirus pandemic, for $37.\r\nPandemic Survival Course Spam Summary:\r\nIn March 2020, Proofpoint researchers observed multiple spam campaigns peddling an informational course for US$37. The\r\nrecipient must first watch a 30-plus-minute video before getting the link to purchase the course.\r\nThe email and the video try to seed fear, uncertainty, and doubt in the recipient about the government's ability to respond\r\nto the situation. 
They describe a coming pandemic and other events (millions of people dead, forced quarantine by the\r\nmilitary, drug companies experimenting on humans with vaccines, and so on).\r\nThe course supposedly offers information on dozens of topics such as: how to make a hazmat suit; should you own a\r\ngun; how to keep the army out of your home; what to do if urban warfare breaks out; what to do if an infected neighbor\r\nknocks on your door. We did not verify what happens after the payment, but we recommend that everyone keep their money\r\nand not take the bait.\r\nSpam: Coronavirus Testing Kit\r\nKey Points: Spam campaign asking media and advertising companies to promote a malicious website that supposedly sells\r\ntesting kits, in exchange for US$100.\r\nCoronavirus Testing Kit Spam Summary:\r\nIn early March, Proofpoint researchers observed a small spam campaign targeting media and advertising companies in the\r\nUnited States. The email did not try to get the recipient to open the malicious URL, but instead asked the recipients to spread\r\na website URL to their audience. Specifically, it asked them to place the URL and a short message at the top of their most\r\nrecent YouTube video description. The sender offered a payment of $100 in exchange for this.\r\nThe website, coronavirusmedicalkit[.]com, offered free COVID-19 testing kits. However, at the end of the ordering\r\nprocess a $10 fee was added (likely for shipping). 
As the Better Business Bureau put it, a lot of times “these phony sellers take\r\nvictims’ money and never deliver anything at all…These sites use tricks like limited time deals to entice you into ordering\r\nmore.” This campaign is interesting because we do not often see direct outreach like this via email.\r\nSpam: Masks\r\nKey Points: One of the most common spam types with coronavirus as a lure is the offer of masks.\r\nMasks Spam Summary:\r\nThe sale of masks is one of the most popular types of spam campaigns capitalizing on the coronavirus situation by volume.\r\nIn this example, the email urged recipients to act urgently while supplies last. It offers to sell masks for $49 each. Once again,\r\nas the BBB article puts it, recipients are likely to never receive anything if they pay.\r\nConclusion\r\nThis sampling shows just how broad and diverse the coronavirus cyber threat landscape has become. Attackers of all kinds\r\nacross the globe are now using coronavirus for nearly every type of attack possible.\r\nThese examples are just a fraction of what our researchers have seen. 
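The indicators that close this post are published defanged (hxxp, [.]), so they cannot be dropped straight into a blocklist. As an added example, not part of the original post and not a Proofpoint tool, the Python helper below refangs each row, classifies it as a hash, URL or domain, and pulls out the hosts worth blocking. The pipe-separated copy of the IOC table inside the block was transcribed from the post (including the redacted query parameter, left as published) and is the only input; the column layout is ours.

```python
import re
from urllib.parse import urlsplit

# Indicators from the IOC table in this post, copied as published (defanged);
# the indicator | description layout is ours.
RAW_IOCS = '''
4616c3a50e0393ababc925b496f04f3687664e9d1c4b7966485a7a9124047214 | Word document delivered in the Italian Ostap campaign on 2020-03-12
hxxp[:]//www[.]agt[.]net/~mnpicker/2jgmu9r/h9a6kn.html | Example URL leading to Get2 on 2020-03-10
hxxp[:]//adsign[.]lk/wp-admin/tkennedy.php?t=[Redacted Base64] | Example URL leading to Tordal on 2020-03-11
hxxp[:]//davidrothphotography[.]com/zHzrr | Example URL leading to Ursnif on 2020-03-10
hxxps[:]//bitbucket[.]org/example123321/download/downloads/foldingathomeapp.exe | URL hosting RedLine on 2020-03-07
4f630d3622d1e17c75aac44090b3b5bd47d5b2ae113434cde5708bbb7cffef49 | COVID 19_List_cities_names.xlam attachment leading to GuLoader & AgentTesla on 2020-03-05
c9a8dd42a46e2c6849564576f96db6741ad0036726f98d7b43641907f953d3f3 | Rapport sur les coronavirus.doc attachment leading to Ave Maria on 2020-03-06
hxxps[:]//toyswithpizzazz[.]com[.]au/service/coronavirus | OWA phish on 2020-03-03
Www[.]pandemicsurvival[.]bid | Pandemic Survival course spam on 2020-03-07
coronavirusmedicalkit[.]com | Coronavirus Testing Kit spam on 2020-03-04
groundsnack[.]icu | Mask spam on 2020-03-1
'''


def refang(value):
    # Undo the two defanging conventions used in the table: [.] for dots and hxxp for http.
    v = value.strip().replace('[.]', '.').replace('[:]', ':')
    if v.lower().startswith('hxxp'):
        v = 'http' + v[4:]
    return v


def classify(value):
    low = value.lower()
    if re.fullmatch('[0-9a-f]{64}', low):
        return 'sha256'
    if low.startswith(('http://', 'https://')):
        return 'url'
    if re.fullmatch('[a-z0-9.-]+', low) and '.' in low:
        return 'domain'
    return 'unknown'


def parse_iocs(raw):
    '''Return one record per row: refanged indicator, kind, host to block (if any), description.'''
    records = []
    for line in raw.strip().splitlines():
        indicator, description = (part.strip() for part in line.split(' | ', 1))
        value = refang(indicator)
        kind = classify(value)
        if kind == 'url':
            host = urlsplit(value).hostname
        elif kind == 'domain':
            value = value.lower()
            host = value
        else:
            host = None
        records.append({'indicator': value, 'kind': kind, 'host': host, 'description': description})
    return records


def blocklist(records):
    # Unique hostnames from URLs and domains, ready for a DNS or proxy deny list.
    return sorted({r['host'] for r in records if r['host']})


def hashes(records):
    return [r['indicator'] for r in records if r['kind'] == 'sha256']


if __name__ == '__main__':
    recs = parse_iocs(RAW_IOCS)
    for r in recs:
        print(r['kind'], r['indicator'], '->', r['description'])
    print('hosts:', blocklist(recs))
    print('hashes:', hashes(recs))
```

Hostnames are taken from the URL rather than the whole URL because a proxy block on the full path would miss the next file name the actor uploads to the same compromised site; bitbucket.org is a legitimate service, so treat that host entry as a hunt lead rather than a block.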
We are continuing to monitor closely and will continue\r\nto update with notable changes in attacks, attacker tactics, or trends in the threat landscape.\r\nIndicators of Compromise (IOCs)\r\nIOC | Type | Description\r\n4616c3a50e0393ababc925b496f04f3687664e9d1c4b7966485a7a9124047214 | SHA256 | Word document delivered in the Italian Ostap campaign on 2020-03-12\r\nhxxp[:]//www[.]agt[.]net/~mnpicker/2jgmu9r/h9a6kn.html | URL | Example URL leading to Get2 on 2020-03-10\r\nhxxp[:]//adsign[.]lk/wp-admin/tkennedy.php?t=[Redacted Base64] | URL | Example URL leading to Tordal on 2020-03-11\r\nhxxp[:]//davidrothphotography[.]com/zHzrr | URL | Example URL leading to Ursnif on 2020-03-10\r\nhxxps[:]//bitbucket[.]org/example123321/download/downloads/foldingathomeapp.exe | URL | URL hosting RedLine on 2020-03-07\r\n4f630d3622d1e17c75aac44090b3b5bd47d5b2ae113434cde5708bbb7cffef49 | SHA256 | COVID 19_List_cities_names.xlam attachment leading to GuLoader & AgentTesla on 2020-03-05\r\nc9a8dd42a46e2c6849564576f96db6741ad0036726f98d7b43641907f953d3f3 | SHA256 | “Rapport sur les coronavirus.doc” attachment leading to Ave Maria on 2020-03-06\r\nhxxps[:]//toyswithpizzazz[.]com[.]au/service/coronavirus | URL | OWA phish on 2020-03-03\r\nWww[.]pandemicsurvival[.]bid | Hostname | \"Pandemic Survival\" course spam on 2020-03-07\r\ncoronavirusmedicalkit[.]com | Domain | Coronavirus Testing Kit spam on 2020-03-04\r\ngroundsnack[.]icu | Domain | Mask spam on 2020-03-1\r\nSource: https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update"
	],
	"report_names": [
		"coronavirus-threat-landscape-update"
	],
	"threat_actors": [
		{
			"id": "e8e18067-f64b-4e54-9493-6d450b7d40df",
			"created_at": "2022-10-25T16:07:24.515213Z",
			"updated_at": "2026-04-10T02:00:05.018868Z",
			"deleted_at": null,
			"main_name": "Mummy Spider",
			"aliases": [
				"ATK 104",
				"Gold Crestwood",
				"Mummy Spider",
				"TA542"
			],
			"source_name": "ETDA:Mummy Spider",
			"tools": [
				"Emotet",
				"Geodo",
				"Heodo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "506404b2-82fb-4b7e-b40d-57c2e9b59f40",
			"created_at": "2023-01-06T13:46:38.870883Z",
			"updated_at": "2026-04-10T02:00:03.128317Z",
			"deleted_at": null,
			"main_name": "MUMMY SPIDER",
			"aliases": [
				"TA542",
				"GOLD CRESTWOOD"
			],
			"source_name": "MISPGALAXY:MUMMY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ac83159-1d9d-4db4-a176-97be6b7b07c9",
			"created_at": "2024-06-19T02:03:08.024653Z",
			"updated_at": "2026-04-10T02:00:03.672512Z",
			"deleted_at": null,
			"main_name": "GOLD CRESTWOOD",
			"aliases": [
				"Mummy Spider ",
				"TA542 "
			],
			"source_name": "Secureworks:GOLD CRESTWOOD",
			"tools": [
				"Emotet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434410,
	"ts_updated_at": 1775826739,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b0bb336120c7807536ee223bc9d5805caa610885.pdf",
		"text": "https://archive.orkl.eu/b0bb336120c7807536ee223bc9d5805caa610885.txt",
		"img": "https://archive.orkl.eu/b0bb336120c7807536ee223bc9d5805caa610885.jpg"
	}
}