Security Experts:

Connect with us

Hi, what are you looking for?



Russian Cyberspies Use COVID-19 Vaccine Lures to Deliver Malware

The Russia-linked cyberspy group known as Zebrocy has adopted COVID-19 vaccine-related lures in a recently observed phishing campaign, threat detection and response company Intezer reported on Wednesday.

The Russia-linked cyberspy group known as Zebrocy has adopted COVID-19 vaccine-related lures in a recently observed phishing campaign, threat detection and response company Intezer reported on Wednesday.

Initially detailed in 2018, Zebrocy is believed to be associated with the infamous Russian state-sponsored hacking group Sofacy (also tracked as APT28, Fancy Bear, Pawn Storm, Sednit, and Strontium).

In September 2020, QuoINT security researchers revealed that Zebrocy attacks on countries associated with the North Atlantic Treaty Organization (NATO) had continued. One month later, the United States Cyber Command (USCYBERCOM) shared new malware samples associated with the group.

In November, Intezer’s security researchers observed Zebrocy phishing emails carrying lure documents about Chinese pharmaceutical company Sinopharm International Corporation, which has reached phase three clinical trials for a COVID-19 vaccine.

The documents were served as part of a Virtual Hard Drive (VHD) file that required Windows 10 to be opened without Microsoft’s hypervisor, Hyper-V. The employed malware was heavily obfuscated, the researchers say.

Initially, the adversary delivered the Zebrocy malware’s Delphi variant to the victims, but in mid-November the attackers switched to using the Go version instead.

First used in 2015, the Zebrocy malware functions as a downloader, but is also capable of collecting and exfiltrating information from the infected systems before fetching and executing a next stage payload.

The Delphi version of the malware was the first to be used in attacks, with AutoIT, C++, C#, Delphi, Go, and VB.NET samples discovered afterwards. To date, Zebrocy has been observed mainly in attacks targeting governments and commercial organizations in a large number of countries in Europe, Asia, Africa, and the Middle East.

The VHD file used in the recent attacks appears to have been created on November 20, 2020. It includes a PDF document (containing presentation slides about Sinopharm International Corporation) and an executable posing as a Word document.

The Chinese company referenced in the PDF has been working on a COVID-19 vaccine. Currently in phase three clinical trials, the vaccine has already been given to approximately one million people.

“It may not come as a surprise that the threat group behind Zebrocy is using COVID-19-themed related lures when many vaccines are about to get approved for use. The group is known to use current events as part of their phishing lures,” Intezer points out.

The second file, the Go version of Zebrocy, collects information such as hostname and the path to the TEMP folder and sends it to the command and control (C&C) server. It also includes screenshot functionality, which the author has implemented directly into it, instead of relying on an external library. Screenshots are uploaded to the C&C, which may respond with the next stage payload.

During their investigation, Intezer’s security researchers discovered another Go version of Zebrocy, used in previous attacks, as well as a second VHD file that was uploaded to VirusTotal in October, and which was dropping the Delphi version of the malware. The PDF lure in this file was written in Russian.

“With these recent phishing lures, it’s clear that COVID-19 themed attacks are still a threat and we might see more as vaccines become available to the general public. It’s important that companies use defense-in-depth strategies to protect against threats. Employers should also ensure employees are trained on detecting and reacting to phishing attempts,” Intezer concludes.

Related: FBI, NSA Share Details on New ‘Drovorub’ Linux Malware Used by Russia

Related: Russia Denies Microsoft Claims of Healthcare Cyber Attacks

Related: U.S. Hospitals Warned of Imminent Ransomware Attacks From Russia

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...