{
	"id": "c9c0bb26-9e0a-4b45-8166-37ef61f453ba",
	"created_at": "2026-04-06T00:13:46.460647Z",
	"updated_at": "2026-04-10T03:37:19.382184Z",
	"deleted_at": null,
	"sha1_hash": "df090232923b58f59f6de849f2c2be4a34f7f969",
	"title": "COVID-19 Phishing With a Side of Cobalt Strike - DomainTools | Start Here. Know Now.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 464355,
	"plain_text": "COVID-19 Phishing With a Side of Cobalt Strike - DomainTools |\r\nStart Here. Know Now.\r\nBy Joe Slowik\r\nArchived: 2026-04-05 13:35:06 UTC\r\nBackground\r\nMultiple adversaries, from criminal groups to state-directed entities, engaged in malicious cyber activity using COVID-19 pandemic themes since March 2020. Adversaries continue to leverage the pandemic, arguably the most significant\r\nissue globally as of this writing, in various ways. Yet the most persistent avenue remains using COVID-19 themes for\r\nbuilding malicious document files. Examples include lures associated with Cloud Atlas-linked activity and broader\r\ntargeting of health authorities.\r\nGiven the continued significance of the pandemic and persistent use of pandemic themes by adversaries, DomainTools\r\nresearchers continuously monitor for items leveraging COVID-19 content for malicious purposes. While conducting\r\nthis research, DomainTools analysts identified an interesting malicious document with what appeared to be unique\r\nstaging and execution mechanisms.\r\nInitial Phishing Document\r\nOn 23 March 2021, DomainTools researchers encountered the following suspicious Microsoft Excel file:\r\nName: Vaksin_COVID_19_top_10.xls\r\nMD5: 9de48973af4acb5f998731a527e8721d\r\nhttps://www.domaintools.com/resources/blog/covid-19-phishing-with-a-side-of-cobalt-strike#\r\nPage 1 of 11\n\nSHA256: 0be5cdea09936a5437e0fc5ef72703c4ce10c6ceb0734261d11b05b92aaba2ff\r\nInterestingly, recent and patched versions of Microsoft Office fail to open the file due to flagged security concerns. In\r\nolder versions, users are prompted to execute Visual Basic for Applications (VBA) macros on opening which executes\r\nthe following commands:\r\nThe above VBA macro executes the Microsoft findstr utility to look for several strings inside the document file, then\r\nredirects the output (the lines containing the strings, if found) to the file “C:userspubliccmd”. 
Finally, the script calls the\r\nMicrosoft FTP utility and passes the newly-created file “cmd” to it for execution. At first, this appears confusing and of\r\nrather limited utility, until the XLS file is further examined.\r\nNested Command Execution\r\nViewing strings within the file, the following sequence appears:\r\nThe script works to extract commands embedded in the original spreadsheet to execute follow-on system commands. In\r\nthis case, the script writes the text string beginning with “TVNDRgAAAA” to a temporary file. The string is a base64-\r\nencoded object, which decodes to a Windows Cabinet file. The script unpacks the Cabinet file via the Expand utility,\r\nthen executes one of the contained files. The executed file has the following characteristics:\r\nName: Interupts.exe\r\nMD5: e6ca15e1e3044278ea91e32ae147964b\r\nSHA256: c30fa389edb7e67e76e1a23da32e6396334c9ec09a0fd120958a2c66e826b06c\r\nOn further examination, the executable is a signed, legitimate binary. Originally named “fsstm.exe,” the file is an\r\napplication from security company F-Secure. The executable is not alone within the Cabinet file though—three\r\nadditional files are inside:\r\nFSPMAPI.dll\r\n'~Vaksin_COVID_19_top_10.xls'\r\nwasmedic.NCEx.nu.etl\r\nThe first, a Dynamic Link Library (DLL), matches the name for the F-Secure Management Agent library. However,\r\nwhile the legitimate library is signed by F-Secure, like “fsstm.exe”, the copy included in the Cabinet file is not. Instead,\r\nit appears that the DLL is a modified version of the legitimate library. Based on dynamic and behavioral analysis, when\r\nInterupts.exe launches, it loads the unsigned FSPMAPI.dll library, a technique referred to as DLL Search Order\r\nHijacking. 
In this technique, an adversary takes advantage of the default search order for requested DLLs by placing a\r\nDLL with the same name as the desired entity in a folder with higher priority in the DLL search order than the\r\nlegitimate item (if present). In this case, all items are written to the “c:\\users\\public\\cmd” location, and the legitimate (but\r\nrenamed) executable will load the modified (but properly named) DLL.\r\nWhen observed, execution loads the DLL, which then accesses the file “wasmedic.NCEx.nu.etl”. The file consists of\r\nencoded instructions which are decoded by the DLL and then executed.\r\nPost-Execution Observations\r\nAs part of execution, three items take place:\r\n1. A decoy version of the document is displayed to the user, while other processes take place in the background.\r\n2. The malware establishes persistence on the victim machine through the creation of a “Run” key in the system\r\nregistry.\r\n3. The malicious binary begins communicating with adversary-controlled network infrastructure via domain\r\nfronting.\r\nThe decoy document ties into the original name of the dropper document: information on COVID-19 vaccines. In this\r\ncase, the spreadsheet shows a list of available COVID-19 vaccines and their alleged rank in terms of safety.\r\nWhile this is displayed, the malware establishes a persistence mechanism via a Registry “Run” key for the current user:\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\wbemgine\r\n\u003cPath to Extracted Cabinet Files\u003e\\Interupts.exe\r\nThe above will execute the “Interupts.exe” binary when the user under which the spreadsheet was originally opened\r\nlogs on. 
This will launch the sequence of events described here again, implying that the Command and Control (C2)\r\nitems detailed below are intended to serve as a check-in for receiving further commands or passing control over to an\r\nactive entity.\r\nNetwork Activity\r\nObserved network activity appears initially directed toward a legitimate Google-hosted resource, such as the following\r\ncaptured PCAP:\r\nHowever, further analysis of malware traffic and follow-on monitoring show that traffic is redirected to another\r\nresource, particularly either of the following subdomains of the same primary domain:\r\nSecurity[.]rabityli[.]com\r\nCenter[.]rabityli[.]com\r\nAt the time of analysis and using DomainTools Passive DNS (pDNS) information, both subdomains resolved to the\r\nsame IP address: 51.77.34[.]201.\r\nUnfortunately, registration details do not provide significant additional information for analysis or pivoting purposes:\r\nBased on the above information, we can identify possible adversary tendencies in the Registrar (Namecheap), Name\r\nServer (registrar-servers[.]com), and hosting (the IP address is hosted through OVH in Poland), but these on their own\r\nare too broad to draw any firm conclusions.\r\nFurther analysis of actual traffic and follow-on activity shows additional interesting activity which highlights adversary\r\noperations and tradecraft.\r\nCobalt Strike Activity\r\nReviewing behavior and network activity, the malware payload loaded and executed performs domain fronting using the\r\nlegitimate googlevideo[.]com domain in order to mask actual network traffic directed to the rabityli[.]com subdomains.\r\nSpecifically, the sample deploys Cobalt Strike Beacon using domain fronting via Google services for Command and\r\nControl (C2) and 
follow-on operations.\r\nDomainTools analysts identified and extracted the Cobalt Strike Beacon configuration, allowing for further review and\r\nconfirmation of activity:\r\nThe configuration matches observed behaviors and identifies expected follow-on activity once the adversary takes\r\ncontrol of the implant. Among other observations:\r\nUse of fail-over C2 servers on the two observed subdomains off the same root domain, rabityli[.]com.\r\nConfiguration of the domain fronting activity through specified parameters reflecting YouTube and Google\r\nVideo services.\r\nSpecifying the Windows Compact tool as the temporary process for injecting further payloads as part of the\r\nCobalt Strike Malleable C2 profile.\r\nOverall functionality for the malicious document is now clear: provide a decoy document to the user which leverages a\r\nsigned binary and a modified DLL to execute a Cobalt Strike Beacon payload.\r\nPivoting to More Samples\r\nProper analysis cannot depend on a single sample for further research, such as linking the activity to a potential\r\nadversary or behavioral cluster. To learn more about this activity and its perpetrator, DomainTools analysts followed\r\nseveral investigative paths: looking at similarly-structured or -behaving documents, and identifying potential delivery\r\nvectors.\r\nFinding Similar Documents\r\nDomainTools analysts first looked for documents using similar infrastructure or techniques. 
Analysis of potentially\r\nlinked infrastructure shows no other samples currently associated with either the domains or IP address identified in the\r\nC2 activity described previously.\r\nShifting perspective, the document itself contains several interesting identifiers based on structure and function.\r\nSpecifically, there are string patterns of interest that can be used to identify additional samples: the sequence of hard-coded commands in the Shell portion of the VBA script; the “findstr” parameter of “TVNDRgAAAA” that corresponds\r\nto the embedded Cabinet file; and the Application.Wait parameter.\r\nSearching through several malware repositories, DomainTools researchers identified three additional samples through\r\nthe previously-mentioned criteria:\r\nSHA256 | File Name | Date First Observed | C2\r\n06e2d46bcc4498fe7272e073fa313a0f62fcef283ca4b107b8960896cfdb7601 | N/A | 13 Jan 2021 | N/A\r\n7bc5fb6bdf7e89e01b091bfaee8e16f476f8ee6c53d973c70f99f5eaa2b74eee | Danh sach ung vien Bo Chinh tri va Ban Bi thu khoa XIII.xls | 07 Jan 2021 | N/A\r\n729f12b7ca02aa43785645aa14c72f414d6336a13d14ed190d634b5724d00a08 | Danh sach ung vien BCT va BBT khoa XIII.xls | 23 Dec 2020 | zarykon.com\r\nOf the three recovered samples that contain the same VBA, two are nonfunctional. The third, which first appears in late\r\nDecember 2020, utilizes the same functionality and methodology as the document described above, but with a different\r\nC2 destination: fril[.]zarykon[.]com and haikyu[.]zarykon[.]com at 185.225.17[.]201. 
Examined in DomainTools Iris,\r\nwe see the same generic registration patterns as for the previously-identified domain:\r\nThe combination of infrastructure similarities and document structure links these items together as part of a\r\ncampaign running from at least December 2020 through March 2021.\r\nObserving Similar Delivery Vectors\r\nAdopting a different perspective, the original document was previously available for download at the following\r\nlocation:\r\nhttp://f14-group-zf[.]zdn[.]vn/84ee4531354cda12835d/6104412318511785684\r\nFirst, this implies that the original document was delivered via a malicious link (potentially sent through a phishing\r\nmessage) as opposed to via an attachment to a message. Second, the root domain—zdn[.]vn—appears to be a\r\nVietnamese hosting or Dynamic DNS (DDNS) provider. In this situation, “zdn[.]vn” would be a legitimate (if\r\npotentially untrustworthy) root domain, off of which an adversary could create subdomains for malicious purposes.\r\nLooking at links to the subdomain “f14-group-zf” off of the “zdn[.]vn” primary domain, DomainTools researchers\r\nidentified a further two documents:\r\nSHA256 | File Name | Date First Observed | C2\r\n6a4f055a5f682ca6aa8791485e780fbe1bacef435e229c9b5040f53612a18720 | NHẬN XÉT THỂ DỤC.xls | 02 Feb 2021 | N/A\r\n3301b2d67a086ea0a53ff16e5428939d020b0aca9ff6d83fd4cc9b795141337d | PGV TBC+ NVKD (CN HBT 2021).xls | 20 Jan 2021 | N/A\r\nWhile both are macro-enabled and perform functions that look malicious, neither results in a complete exploitation chain\r\nleading to command and control activity or any other obvious activity. 
Given similar naming conventions and hosting as\r\nthe malicious documents analyzed previously, these items are obviously suspicious, but at present they appear to be\r\nincomplete in functionality.\r\nPossible Links to “Goblin Panda”\r\nExamining the specific techniques deployed in the documents analyzed thus far, several items stand out as having long-standing precedents. Most notably, the execution pathway leveraging the legitimate F-Secure file is not merely\r\nknown, but was previously observed in intrusions over five years prior.\r\nIn 2014, analysts at Verint documented a campaign using a modified version of media player software to deliver a\r\nsimilar loader via DLL path hijacking of the same F-Secure signed binary. In this case, the ultimate payload was a\r\nversion of PlugX malware. German government authorities later identified similar activity—again using the legitimate\r\nF-Secure binary as an initial execution mechanism—that same year.\r\nThe 2014 activity is interesting given the reflections in the current campaign, but the identified intrusions were never\r\nlinked to any entity. Other aspects of the current campaign bear resemblance to a specific threat actor: Goblin Panda.\r\nGoblin Panda is a threat actor linked to unspecified Chinese entities, and has been active in some form since at least\r\n2013. Goblin Panda operations include extensive phishing campaigns with a focus on Southeast Asian entities, although\r\nhistorically this actor has relied on Rich Text Format (RTF) documents. While also potentially associated with more\r\nambitious activities, the group appears focused on espionage operations with an emphasis on Southeast Asian countries\r\nsuch as Vietnam.\r\nAnother common artifact of historical Goblin Panda operations is the use of DLL search order hijacking. 
As\r\ndocumented by multiple entities, Goblin Panda frequently uses this technique to execute malicious payloads with a\r\ndegree of trust via the initial, signed executable. Although the specific F-Secure item was not previously observed in\r\nhistorical Goblin Panda operations, and the identified 2014 activity is not linked to the entity, the overall technique as a\r\nfollow-on from phishing is common.\r\nFinally, the oddity of leveraging older vulnerabilities and execution pathways—as seen in the malicious documents in\r\nthis campaign—is associated with previous Goblin Panda operations. As noted by Fortinet researchers, Goblin Panda\r\npreviously leveraged vulnerabilities over five years old as part of campaigns, with the likely understanding that intended\r\nvictim environments had not patched or moved on to more recent, secure software.\r\nCombined with targeting emphasis—two of the four lure documents identified are in Vietnamese, implying targeting of\r\nVietnam—the set of behaviors appears linked to historical Goblin Panda tendencies. Targeting is confirmed as official\r\nVietnamese government notifications exist alerting authorities to some of the documents identified in the previous\r\nanalysis.\r\nYet there remain concerns with drawing a direct link to Goblin Panda. For one, Goblin Panda is historically linked to\r\neither using weaponized RTF files or dropping payloads via OLE objects in Office documents, whereas the base64-\r\nencoded Cabinet file is a unique (and arguably more primitive) behavior. Additionally, while the documents analyzed in\r\nthis report utilize a fairly standard Registry “Run” key persistence mechanism, Goblin Panda previously utilized less\r\ncommon pathways such as weaponizing the startup folder for Microsoft Word. 
Finally, there are no existing examples of\r\nGoblin Panda activity leveraging Cobalt Strike as a post-intrusion tool.\r\nOverall, the identified campaign contains some overlaps with previously identified behaviors and targeting associated\r\nwith Goblin Panda. However, other items almost appear to be a regression from Goblin Panda activities and diverge\r\nnoticeably from this group’s actions. Based on the available evidence, while some connection may exist between this\r\ncampaign and historical Goblin Panda activity, the current phishing campaign does not appear highly correlated with the\r\ngroup.\r\nConclusion\r\nCOVID-19 themed phishing and malicious documents will almost certainly remain a feature of the threat landscape for\r\nthe duration of the pandemic. In this specific case, COVID-19 lures—along with other items using medical themes—\r\nappear linked to intrusion activity targeting Vietnamese entities from late 2020 through early 2021. While the activity in\r\nquestion may be linked to Goblin Panda behaviors, at present insufficient evidence exists to make such a link\r\ndefinitively.\r\nOverall, defenders and analysts must continuously remain vigilant of opportunistic campaigns leveraging current event\r\nthemes and similar mechanisms. Furthermore, the use of Cobalt Strike in this activity highlights a continuing trend of\r\nvarious adversaries—from criminal actors to state-sponsored entities—migrating post-intrusion operations to this\r\nplatform. 
Finally, while the network infrastructure used in this campaign did not enable identification of additional,\r\nlinked infrastructure, analysis and examination of such items through domain enrichment at time of observation can\r\nidentify suspicious indicators in registrar and other characteristics which can enable more rapid discovery and response.\r\nSource: https://www.domaintools.com/resources/blog/covid-19-phishing-with-a-side-of-cobalt-strike#",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.domaintools.com/resources/blog/covid-19-phishing-with-a-side-of-cobalt-strike#"
	],
	"report_names": [
		"covid-19-phishing-with-a-side-of-cobalt-strike#"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "04a7ebaa-ebb1-4971-b513-a0c86886d932",
			"created_at": "2023-01-06T13:46:38.784965Z",
			"updated_at": "2026-04-10T02:00:03.099088Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"ATK116",
				"Blue Odin"
			],
			"source_name": "MISPGALAXY:Inception Framework",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7d553b83-a7b2-431f-9bc9-08da59f3c4ea",
			"created_at": "2023-01-06T13:46:39.444946Z",
			"updated_at": "2026-04-10T02:00:03.331753Z",
			"deleted_at": null,
			"main_name": "GOBLIN PANDA",
			"aliases": [
				"Conimes",
				"Cycldek"
			],
			"source_name": "MISPGALAXY:GOBLIN PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "02c9f3f6-5d10-456b-9e63-750286048149",
			"created_at": "2022-10-25T16:07:23.722884Z",
			"updated_at": "2026-04-10T02:00:04.72726Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"ATK 116",
				"Blue Odin",
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"Inception Framework",
				"Operation Cloud Atlas",
				"Operation RedOctober",
				"The Rocra"
			],
			"source_name": "ETDA:Inception Framework",
			"tools": [
				"Lastacloud",
				"PowerShower",
				"VBShower"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2c7ecb0e-337c-478f-95d4-7dbe9ba44c39",
			"created_at": "2022-10-25T16:07:23.690871Z",
			"updated_at": "2026-04-10T02:00:04.709966Z",
			"deleted_at": null,
			"main_name": "Goblin Panda",
			"aliases": [
				"1937CN",
				"Conimes",
				"Cycldek",
				"Goblin Panda"
			],
			"source_name": "ETDA:Goblin Panda",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"BackDoor-FBZT!52D84425CDF2",
				"BlueCore",
				"BrowsingHistoryView",
				"ChromePass",
				"CoreLoader",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"DropPhone",
				"FoundCore",
				"HDoor",
				"HTTPTunnel",
				"JsonCookies",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NBTscan",
				"NewCore RAT",
				"PlugX",
				"ProcDump",
				"PsExec",
				"QCRat",
				"RainyDay",
				"RedCore",
				"RedDelta",
				"RoyalRoad",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Win32.Staser.ytq",
				"USBCulprit",
				"Win32/Zegost.BW",
				"Xamtrav",
				"ZeGhost",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434426,
	"ts_updated_at": 1775792239,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/df090232923b58f59f6de849f2c2be4a34f7f969.pdf",
		"text": "https://archive.orkl.eu/df090232923b58f59f6de849f2c2be4a34f7f969.txt",
		"img": "https://archive.orkl.eu/df090232923b58f59f6de849f2c2be4a34f7f969.jpg"
	}
}