Connect with us

Hi, what are you looking for?



Researchers Track Coronavirus-Themed Cyberattacks

Cybercriminals have always used crises and natural disasters to fuel their social engineering activities. The COVID-19 (Coronavirus) pandemic is a massive human crisis, and criminals have been quick to take advantage. People are afraid, and fear is a primary social engineering tool.

Cybercriminals have always used crises and natural disasters to fuel their social engineering activities. The COVID-19 (Coronavirus) pandemic is a massive human crisis, and criminals have been quick to take advantage. People are afraid, and fear is a primary social engineering tool.

Researchers from Cybereason Nocturnus have been tracking the rise and variety of such attacks, which now include phishing, fake apps and ransomware. Phishing has followed the spread of COVID-19 infections, fake apps are targeting the growing number of home workers, and ransomware is targeting healthcare organizations.

Like the virus itself, phishing campaigns started in China aimed primarily at Chinese-speaking targets. As the virus spread worldwide, so the campaigns followed to Japan, South Korea, Europe and other infected areas. South Korea was one of the first infected countries, and was quickly targeted by multiple coronavirus-themed phishing attacks. Other attacks included scareware pretending to be ransomware.

As the pandemic spread to Europe, so followed the criminals; especially to Italy and Italian speakers. Typically, their phishing emails would pretend to come from health officials offering health advice on the virus. One found in the U.S. claims to be ‘Distributed vis [clue!] the CDC Health Alert Network’.

Most commonly, say the Nocturnus researchers, “an array of malware was distributed by these ‘coronavirus’ campaigns, including Emotet, RemcomRAT, ParallaxRAT, HawkEye, TrickBot, Agent Tesla and more.”

Beyond phishing, criminals have targeted home workers with fake apps offering coronavirus information, and false VPNs taking advantage of corporate advice to stay home and use VPNs. Reason Labs’ Shai Alfasi found a fake ‘coronavirus map’ ( offering information on the spread of the pandemic, but hiding an AZORult-related infostealer. 

The Nocturnus team found a fake website (fil24[.]xyz) claiming to provide various legitimate VPN installers and installers for other programs like Facebook and Instagram. Attempts to download a VPN, however, simply leads to f444[.]xyz and malware.

There is also an ongoing campaign leveraging a multi-lingual malicious website with a fake World Health Organization app. The app is titled, ‘Ways to Get Rid of Coronavirus’, adding the social engineering triggers of trust and authenticity to the fear trigger. The app doesn’t get rid of Coronavirus, it simply infects the user with the Cerberus banking trojan.

Advertisement. Scroll to continue reading.

While much of the current activity is directed against individuals, organizations are also targeted — especially when an APT is behind the campaign. Check Point found an APT campaign targeting the Mongolian public sector, while Malwarebytes reported on a Pakistan-based APT36 campaign using fake Indian government emails to probably target Indian entities.

Ransomware is being used against organizations and individuals. On March 16, 2020, CyberArk security researcher Shaked Reiner reported a new ransomware actually called CoronaVirus, being distributed via a fake website (WiseCleaner[.]best) that pretends to be the legitimate The fake website downloads both the Kpot information stealer and the CoronaVirus ransomware.

On March 13, 2020, it was reported that the Czech Republic’s second-largest hospital, the University Hospital Brno, which has a major COVID-19 research laboratory, was hit by ransomware. “Due to the malware attack,” comments Nocturnus, “the entire IT network of the clinic was shut down, affecting additional departments across the hospital.”

Healthcare institutions are a prime target during healthcare crises. “Healthcare workers are an easy target during times of crisis,” comments Nocturnus. “This makes them a prime target for phishing attacks, and unfortunately, we expect attackers will continue to take advantage of the situation and continue to target healthcare organizations with destructive attacks.”

The coronavirus pandemic has spawned a coronavirus malware epidemic, where everyone and every organization is a potential target.

Related: Meet Domen, a New and Sophisticated Social Engineering Toolkit 

Related: Exploiting People Instead of Software: Attackers Love for Human Interaction 

Related: Social Engineering: Attackers’ Reliable Weapon 

Related: Understand More About Phishing Techniques to Reduce Your Digital Risk

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Professional services company Slalom has appointed Christopher Burger as its first CISO.

Allied Universal announced that Deanna Steele has joined the company as CIO for North America.

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

More People On The Move

Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.