{
	"id": "b22f0696-df17-420e-b47e-ca0afedd7172",
	"created_at": "2026-04-06T00:06:19.641819Z",
	"updated_at": "2026-04-10T03:36:33.759165Z",
	"deleted_at": null,
	"sha1_hash": "e2634f0395353cffdb76c3cd8472c821dcc65828",
	"title": "COVID-19 Themes Are Being Utilized by Threat Actors of Varying Sophistication",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3114964,
	"plain_text": "COVID-19 Themes Are Being Utilized by Threat Actors of Varying\r\nSophistication\r\nBy Anomali Threat Research\r\nArchived: 2026-04-05 12:41:00 UTC\r\nThreat actors are utilizing the global spread of COVID-19 (Coronavirus) to conduct malicious activity. As the world\r\nresponds to this threat in various ways, actors are attempting to use the chaos to their advantage.\r\nOverviewDetailsAPT ActivityLure DocumentsTechnical AnalysisHigaisa ActivityMobile\r\nMalwareIOCsConclusionEndnotes\r\nAuthored by: Gage Mele, Parthiban R., and Tara Gould\r\nThe Tactics, Techniques and Procedures (TTPs) Are Known but the Content Is Coronavirus-Themed\r\nOverview\r\nThreat actors are utilizing the global spread of COVID-19 (Coronavirus) to conduct malicious activity. As the world\r\nresponds to this threat in various ways, actors are attempting to use the chaos to their advantage. COVID-19 is being\r\nweaponized for scare tactics by threat actors for conducting malicious activity utilizing different Tactics, Techniques, and\r\nProcedures (TTPs). While the majority of observations made by Anomali Threat Research (ATR) are commodity\r\n(purchasable and widely distributed) campaigns and malware. ATR identified that the Higaisa and Mustang Panda Advanced\r\nPersistent Threat (APT) groups have been utilizing Coronavirus-themed lures in their campaigns.\r\nIn addition to machine-targeted campaigns, ATR also identified COVID-19-themes targeting Android mobile devices. One\r\nof the samples is utilizing a fully functional Coronavirus infection-tracking application while the SpyNote Remote Access\r\nhttps://www.anomali.com/blog/covid-19-themes-are-being-utilized-by-threat-actors-of-varying-sophistication\r\nPage 1 of 8\n\nTrojan (RAT) runs in the background. Another is a phishing campaign that uses a fake Adobe Flash update and COVID-19\r\nrelated URLs to install the Cerberus banking trojan. 
While some of these malware are commodity and may be more obvious malicious attempts, actors will likely continue to abuse these themes to install various malware families, some of which are discussed below.\r\nDetails\r\nThe current activity being reported in open sources consists of threat actors using COVID-19 as part of phishing campaigns, both in email subjects and content as well as in attachments.[1] These kinds of virus-themed campaigns began almost immediately after the 41 cases of COVID-19 were reported by the World Health Organization on December 31, 2019.[2] By January and February 2020, Coronavirus-themed lures were widespread with assistance from the Emotet botnet.[3] The malware used in these campaigns can vary because many distribution methods are offered for purchase and utilized by numerous actors; however, there have been some instances of Advanced Persistent Threat (APT) actors attempting to capitalize on the COVID-19 outbreak.\r\nIn mid-March 2020, Check Point Research published their findings regarding a campaign targeting the Mongolian public sector utilizing Coronavirus-themed lure documents.[4] This RTF activity also coincides with RTF activity identified by ATR.[5] APTs frequently use relevant themes as lures, and ATR has also identified such groups attempting to capitalize on Coronavirus-related events.\r\nAPT Activity\r\nATR observed a campaign beginning in late February and running through mid-March 2020 that we believe is being conducted by the China-based APT group Mustang Panda. The group is utilizing decoy documents related to COVID-19 to target Taiwan and Vietnam. Mustang Panda is continuing to use Cobalt Strike and PlugX RAT as their final payloads. 
This activity aligns with Mustang Panda TTPs previously identified by ATR.[6]\r\nLure Documents\r\nDocument title - 02-21-1.docx\r\nHash - 6d994c64c17ce50cbb333c8b4bcbd8e0\r\nFigure 1 - Chen Chien-jen Facebook Discussion\r\nThe document above describes a post on Facebook written by Chen Chien-jen, current Vice President of the Republic of China and former Vice President of the Taiwanese research institution Academia Sinica. The post discusses community transition [of Coronavirus] and the United States’ (US) Centers for Disease Control (CDC) listing of countries for it, specifically Taiwan. Taiwan’s Foreign Ministry subsequently demanded removal from said listing.\r\nDocument title - 03-01-1.docx\r\nHash - 7f0a1bdde14ea1f3085b43bdadcfb146\r\nFigure 2 - COVID-19 Questions\r\nFigure 2 contains text that appears to have been translated into English, likely from Chinese given that Mustang Panda is China-based; its spelling and grammar errors would be uncommon for a native speaker. The text poses questions about neutralizing COVID-19 with varying levels of sophistication.\r\nDocument title - Chi Thi cua thu tuong nguyen xuan phuc.doc\r\nHash - 13d61974d2db537bdb0504cfc53b74a7\r\nFigure 3 - Vietnamese Government Meeting Article from March 3, 2020\r\nThe document in Figure 3 is an article discussing a meeting held by Vietnamese Prime Minister Nguyen Xuan Phuc on March 3, 2020. Other government officials attending the meeting spoke of unity in these times and of how approximately 3,000 people have been placed in isolation under the care of the army. Other topics include overall Coronavirus prevention measures and updates on travel restrictions. 
The article is publicly available at www.cantho.gov[.]vn and was likely taken by Mustang Panda from this source, as ATR has observed in previous campaigns conducted by the group.\r\nTechnical Analysis\r\nThe three RAR archives mentioned above each contain a Windows Shortcut (.lnk) file. The .lnk files used by Mustang Panda typically contain an embedded HTA file with VBScript that, once executed, drops and opens the decoy document while the malicious payload runs in the background. ATR observed PlugX and Cobalt Strike being delivered as the primary payloads throughout the campaign.\r\n.lnk files\r\nTable 1 - .lnk file metadata\r\nFileMD5 | LinkModifiedDate | FileSize | NameString | CommandLineArgs | NetBiosName\r\nFC00964131A8C9407BA77484E724FC9D | 7/14/2009 1:14 | 301568 | 02-21-1.lnk | /c f%windir:~-3,1%%PUBLIC:~-9,1% %x in (%temp%=%cd%) do f%windir:~-3,1%%PUBLIC:~-9,1% /f delims==\" %i in ('dir \"%x--21-1.lnk\" /s /b') do start %TEMP:~-2 | win-67od36i8f4\r\n0F794D6C6646A260558E9D638AE060C9 | 7/14/2009 1:14 | 301568 | 03-01-1.lnk | /c f%windir:~-3,1%%PUBLIC:~-9,1% %x in (%temp%=%cd%) do f%windir:~-3,1%%PUBLIC:~-9,1% /f delims==\" %i in ('dir \"%x--01-1.lnk\" /s /b') do start %TEMP:~-2 | cia-at28--planc\r\nA4B7FE08900074B6A103D2CF36730421 | 11/21/2010 3:24 | 302592 | Chi Thi cua thu tuong nguyen xuan phuc.lnk | /c f%windir:~-3,1%%PUBLIC:~-9,1% %x in (%temp%=%cd%) do f%windir:~-3,1%%PUBLIC:~-9,1% /f delims==\" %i in ('dir \"%xChi Thi cua thu tuong nguyen xuan phuc.lnk\" /s /b') do start %TEMP:~-2 | win-gnhs1vcenrt\r\nPayload Analysis\r\nMustang Panda has used the well-known adversary emulation tool Cobalt Strike as the final payload for the following samples: 02-21-1.lnk and 03-01-1.lnk. 
The group has utilized the Malleable Command and Control (C2) feature of the Cobalt Strike tool to mask the malicious traffic behind a legitimate DNS request to code.jquery.com. The samples mentioned above use 123.51.185[.]75 as their final C2.\r\nTwo notable changes from Mustang Panda's previous campaigns identified by ATR are:\r\nA change in the directory where the payload is dropped, now C:\\Users\\Public\\Music\r\nUsage of the legitimate executable tencentsoso.exe for DLL side-loading\r\nThe sample Chi Thi cua thu tuong nguyen xuan phuc.lnk uses PlugX as its final payload. Once executed, it drops three files in the directory C:\\ProgramData\\Microsoft Malware Protection\\ydy. unescapp.exe is a legitimate executable signed by “ESET, spol. s r.o.” that is abused via a DLL hijacking technique to execute http_dll.dll, which decodes and loads the malicious payload http_dll.dat. Upon execution, the payload reaches out to the C2 domain vietnam[.]zing[.]photos, which resolves to 104.160.44[.]85.\r\nFigure 4 - Dropped File Location\r\nATR attributes this activity to Mustang Panda based on the TTPs, targeted countries, and usage of malware families that have all been previously attributed to the group.[7]\r\nHigaisa Activity\r\nCovid.pdf.lnk - 21a51a834372ab11fba72fb865d6830e\r\nOn March 15, 2020, ATR identified a malicious .lnk file that utilizes an infection chain similar to those of other known APT groups. This campaign was found to use C2 infrastructure that overlaps with the Korea-based APT group Higaisa. 
The lure document, dropped by the .lnk file, was downloaded from the World Health Organization website and is likely being used to target English-speaking individuals and entities.\r\nThe .lnk uses a multi-stage process to deliver a decoy PDF document (Figure 5) and the final payload, PlugX, which reaches out to the C2 motivation[.]neighboring[.]site, resolving to 69.172.75[.]223. PlugX is a Remote Access Trojan (RAT) that is commonly used by China-based threat actors.\r\nFigure 5 - World Health Organization Situation Report\r\nTechnical Analysis\r\nThe .lnk file contains an embedded blob of base64-encoded content. Inspecting the .lnk metadata, it appears that the actor has modified it; for example, the creation time, Machine ID, and MAC address fields have been tampered with, as shown in Figure 6.\r\nFigure 6 - .lnk Metadata\r\nUpon execution of the .lnk file, the following commands were run in the background:\r\n /c copy \"20200308-sitrep-48-covid-19.pdf.lnk\" %tmp%\\g4ZokyumBB2gDn.tmp /y\u0026 for /r C:\\Windows\\System32\\ %i in\r\nThe file cSi1r0uywDNvDu.tmp is a Windows cabinet (.cab) file. 
The contents of the cabinet file are shown in Figure 7 below.\r\nFigure 7 - Contents of Cabinet File\r\nThe contents of the cabinet file are extracted using the built-in Windows executable extract.exe and are renamed as shown in Figure 8.\r\nFigure 8 - Renamed Cabinet File Contents\r\nThe JavaScript file 9sOXN6Ltf0afe7.js performs multiple operations, such as copying and renaming files, and it uses a living-off-the-land technique to execute the VBScript file WsmPty.xsl using cscript.exe.[8] The VBScript is responsible for establishing persistence, and it executes the further payloads by abusing the legitimate executable msostyle.exe. Upon execution, msostyle.exe loads the file oinfo12.ocx (a .dll), which in turn loads and executes wordcnvpxy.exe (PlugX). The malware reaches out to the C2 URL motivation[.]neighboring[.]site/01/index.php.\r\nFigures 9 and 10 below depict the overlapping evidence mentioned above. The C2 IP, 69.172.75[.]223, was previously used by Higaisa and reported on in late February 2020.[9]\r\nFigure 9 - Higaisa C2 Overlap\r\nFigure 10 - Higaisa Sample Communication to IP (https://community.riskiq.com/search/69.172.75.223)\r\nMobile Malware\r\nAPK title - Avist.apk\r\nHash - 107169ae6951a5cba57d2a0cd274e28fadf5c73d73e91a386f15cf4dc35edd38\r\nThis Android application is fully functional and will update overall COVID-19 statistics as a normal application would. While the user installs the COVID-19 tracking application, the SpyNote RAT is downloaded in the background.\r\nFigure 11 - Installation Request\r\nFigure 12 - Functional COVID-19 Application Appearance\r\nAPK title - UpdateFlashPlayer_11_5_1.apk\r\nHash - F57a44bec2f7af2da443f068edb0a743f9625ac3a9d686393bacb8e72274b5de\r\nThe Android banking Trojan Cerberus has been utilizing the 
attention around the Coronavirus outbreak as an opportunity to push its malware, using various websites, including coronaviruscovid-19-information[.]com and covid19-info[.]online (among others), to trick users into downloading the Cerberus trojan. Navigating to one of these websites prompts the visitor to download Cerberus masquerading as an Adobe Flash Player update. Once installed, Cerberus’ primary objective is to steal financial information; however, the trojan can be manipulated depending on the actor’s objective.\r\nFigure 13 - Coronavirus-related URL Prompting for Adobe Flash Player Update (Cerberus)\r\nIOCs\r\nDomains / IPs / URLs\r\n104.160.44[.]85\r\n123.51.185[.]75\r\n69.172.75[.]223\r\nvietnam[.]zing[.]photos\r\nmotivation[.]neighboring[.]site\r\nhttp://vietnam.zing.photos:443/update?wd=df07d8ba\r\nmotivation[.]neighboring[.]site/01/index.php\r\nHashes\r\nOther Coronavirus-themed Hashes\r\nConclusion\r\nThreat actors are opportunistic and will continuously update the themes of their malicious campaigns in whichever way they believe will increase the chances of completing an objective. Commodity malware will change to whatever themes are relevant to the current period in time. As discussed in this report, threat actors are still utilizing TTPs that are known and discussed in the security community; only the content of the social engineering documents has changed.\r\nThe Coronavirus effect is world-wide and increasingly affecting individuals in real life and online. We hope everyone is doing their best to stay safe during these times. 
Additional information on the Coronavirus can be found on the following websites:\r\nhttps://www.cdc.gov/coronavirus/2019-ncov/index.html\r\nhttps://www.gov.uk/guidance/coronavirus-covid-19-information-for-the-public\r\nEndnotes\r\n[1] CISA, “Defending Against COVID-19 Cyber Scams,” US-CERT, accessed March 17, 2020, published March 6, 2020, https://www.us-cert.gov/ncas/current-activity/2020/03/06/defending-against-covid-19-cyber-scams; Insikt Group, “Capitalizing on Coronavirus Panic, Threat Actors Target Victims Worldwide,” Recorded Future, accessed March 17, 2020, published March 12, 2020, https://go.recordedfuture.com/hubfs/reports/cta-2020-0312-2.pdf.\r\n[2] “Rolling updates on Coronavirus disease (COVID-19),” World Health Organization, accessed March 17, 2020, published March 18, 2020, https://www.who.int/emergencies/diseases/novel-coronavirus-2019/events-as-they-happen.\r\n[3] Nick Biasini and Edmund Brumghin, “Threat actors attempt to capitalize on coronavirus outbreak,” Cisco Talos Blog, accessed March 17, 2020, published February 13, 2020, https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html; “January 2020’s Most Wanted Malware: Coronavirus-themed spam spread malicious Emotet malware,” Check Point Blog, accessed March 17, 2020, published February 13, 2020, https://blog.checkpoint.com/2020/02/13/january-2020s-most-wanted-malware-coronavirus-themed-spam-spreads-malicious-emotet-malware/.\r\n[4] “January 2020’s Most Wanted Malware: Coronavirus-themed spam spread malicious Emotet malware,” Check Point Blog.\r\n[5] Anomali Threat Research Team, “Multiple Chinese Threat Groups Exploiting CVE-2018-0798 Equation Editor Vulnerability Since Late 2018,” Anomali Blog, accessed March 17, 2020, published July 3, 2019, https://www.anomali.com/blog/multiple-chinese-threat-groups-exploiting-cve-2018-0798-equation-editor-vulnerability-since-late-2018.\r\n[6] Anomali Threat Research Team, “China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations,” Anomali Blog, accessed March 17, 2020, published October 7, 2019, https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations.\r\n[7] Anomali Threat Research Team, “China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations,” Anomali Blog.\r\n[8] “/ winrm.vbs,” Living Off The Land Binaries and Scripts (and also Libraries), accessed March 20, 2020, https://lolbas-project.github.io/lolbas/Scripts/Winrm/.\r\n[9] “‘Higaisa’ Recent Attack Activity Report,” Tencent Security Threat Intelligence Center, accessed March 18, 2020, published February 27, 2020, https://s.tencent.com/research/report/895.html.\r\nSource: https://www.anomali.com/blog/covid-19-themes-are-being-utilized-by-threat-actors-of-varying-sophistication",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.anomali.com/blog/covid-19-themes-are-being-utilized-by-threat-actors-of-varying-sophistication"
	],
	"report_names": [
		"covid-19-themes-are-being-utilized-by-threat-actors-of-varying-sophistication"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "873919c0-bc6a-4c19-b18d-c107e4aa3d20",
			"created_at": "2023-01-06T13:46:39.138138Z",
			"updated_at": "2026-04-10T02:00:03.227223Z",
			"deleted_at": null,
			"main_name": "Higaisa",
			"aliases": [],
			"source_name": "MISPGALAXY:Higaisa",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "30c9c492-afc6-4aa1-8fe6-cecffed946e0",
			"created_at": "2022-10-25T15:50:23.400822Z",
			"updated_at": "2026-04-10T02:00:05.350302Z",
			"deleted_at": null,
			"main_name": "Higaisa",
			"aliases": [
				"Higaisa"
			],
			"source_name": "MITRE:Higaisa",
			"tools": [
				"PlugX",
				"certutil",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433979,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e2634f0395353cffdb76c3cd8472c821dcc65828.pdf",
		"text": "https://archive.orkl.eu/e2634f0395353cffdb76c3cd8472c821dcc65828.txt",
		"img": "https://archive.orkl.eu/e2634f0395353cffdb76c3cd8472c821dcc65828.jpg"
	}
}