{
	"id": "86867c18-6d1b-407f-bec8-01e4cfcef4de",
	"created_at": "2026-04-06T01:30:10.385099Z",
	"updated_at": "2026-04-10T13:12:01.775849Z",
	"deleted_at": null,
	"sha1_hash": "bb176c590e209d0178b78b3d72a42dbe296416e4",
	"title": "New [F]Unicorn ransomware hits Italy via fake COVID-19 infection map",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2182300,
	"plain_text": "New [F]Unicorn ransomware hits Italy via fake COVID-19 infection map\r\nBy Ionut Ilascu\r\nPublished: 2020-05-26 · Archived: 2026-04-06 00:49:08 UTC\r\nA new ransomware threat called [F]Unicorn has been encrypting computers in Italy by tricking victims into downloading a\r\nfake contact tracing app that promises to bring real-time updates for COVID-19 infections.\r\nThe attacker used convincing social engineering that made it look like the malicious executable was delivered by the Italian\r\nPharmacist Federation (FOFI).\r\nPowerful social engineering\r\nOn Monday, the Computer Emergency Response Team (CERT) from the Agency for Digital Italy (AgID) released an\r\nadvisory about an indigenous ransomware threat called [F]Unicorn that spreads through the country.\r\nhttps://www.bleepingcomputer.com/news/security/new-f-unicorn-ransomware-hits-italy-via-fake-covid-19-infection-map/\r\nPage 1 of 5\n\nIt lands on the victim system under the guise of the contact tracing app Immuni for mobile devices, which the Italian\r\ngovernment announced would be released at the end of the month.\r\nCERT-AgID received a sample of the malware from security researcher JamesWT_MHT and analyzed it along with the\r\nsocial engineering technique that deceives users into downloading and installing the ransomware.\r\nUsers are lured with an email in Italian informing them that a beta release of Immuni for PC is available to fight the spread of\r\nCOVID-19. From the text of the message, the targets are pharmacies, universities, doctors, and other entities fighting the\r\nnew coronavirus contagion.\r\nThe attacker also cloned the FOFI website and registered a domain name similar to the original. 
However, they used\r\n“fofl.it,” with a lowercase “L” as the last character that is easily confused with the lowercase ‘i’ used in the legitimate\r\ndomain name.\r\nAn email sample from tech consultant Dottor Marc shows that the message ends with download links and contact\r\ninformation that combines email addresses from the attacker and FOFI.\r\nWhen executed, the malware shows a fake dashboard with COVID-19 information allegedly from the Center for Systems\r\nScience and Engineering at Johns Hopkins University.\r\nWhile users are watching the map, [F]Unicorn starts encrypting data on the system. According to analysis published by\r\nCERT-AgID, the malware scans /Desktop, /Links, /Contacts, /Documents, /Downloads, /Pictures, /Music, /OneDrive, /Saved\r\nGames, /Favorites, /Searches, and /Videos for the following file types:\r\n.Txt, .jar, .exe, .dat, .contact, .settings, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .csv, .py, .sql, .m\r\nFiles encrypted with [F]Unicorn get a new extension as seen in the image below:\r\nUsers learn that their files have been locked from a ransom note written in Italian, which indicates an Italian author. The\r\noddity of the message aside, the ransom note asks victims to pay EUR 300 in three days or the data would be lost.\r\nA bitcoin address is provided along with an email address to contact the attacker with the proof of the payment. There are no\r\ntransactions recorded for the given wallet.\r\nTranslated, the ransom note reads:\r\nThe long snake on Asceplio's staff has rebelled, and a new era is about to come!\r\nThis is your chance to redeem yourself after years of sins and abuses.\r\nIt's up to you to choose. 
Within 3 days the pledge to pay you will have to or the fire of Prometheus will cancel your data\r\nAfter the paid pledge you will receive the solution to put out Prometheus' fire. Go from\r\npolice or calling technicians will be of no use, no human being can help you.\r\nAccording to CERT-AgID, the password for encrypting the files is sent in clear text to the attacker, so it can be retrieved\r\nfrom the network traffic logs.\r\nDottor Marc says that [F]Unicorn is the work of a novice attacker with little technical knowledge, who used the code from a\r\npreviously seen ransomware.\r\nTheir analysis also shows that the email address in the ransom note is invalid so there is no possibility to send the attacker\r\nthe payment proof. This is another reason for victims not to pay.\r\nSecurity researcher MalwareHunterTeam told BleepingComputer that it is heavily based on Hidden Tear. The author made\r\nsome changes here and there, one component being the panel, where CSS and HTML code was modified.\r\nSource: https://www.bleepingcomputer.com/news/security/new-f-unicorn-ransomware-hits-italy-via-fake-covid-19-infection-map/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-f-unicorn-ransomware-hits-italy-via-fake-covid-19-infection-map/"
	],
	"report_names": [
		"new-f-unicorn-ransomware-hits-italy-via-fake-covid-19-infection-map"
	],
	"threat_actors": [],
	"ts_created_at": 1775439010,
	"ts_updated_at": 1775826721,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bb176c590e209d0178b78b3d72a42dbe296416e4.pdf",
		"text": "https://archive.orkl.eu/bb176c590e209d0178b78b3d72a42dbe296416e4.txt",
		"img": "https://archive.orkl.eu/bb176c590e209d0178b78b3d72a42dbe296416e4.jpg"
	}
}