With much of the UK working from home due to COVID-19, malicious actors are taking advantage of the pandemic to find opportunities for distributing their malware to unsuspecting users.

Research by IT Security Company, Anomali, has generated more than 6,200 Indicators of Compromise (IOCs) and 16 distinct campaigns linked with 11 malicious actors or groups distributing 42 different malware families and employing 80 various MITRE ATT&CK techniques. This blog will give a high-level overview of campaigns and IOCs discovered by Anomali.

Secrutiny Cybersecurity - Infographic - 19 Related Cyber Attacks Survival Guide

First Observations

It wasn’t long after the emergence of the coronavirus disease in 2019 that the first reported COVID-19 themed cyber attack surfaced; since this announcement, Anomali researchers have seen a rapid increase in malware distribution via phishing and state-sponsored actors hoping to benefit from this outbreak. These malware families include:

– AZORult
– BabyShark
– CoronaVirus Ransomware
– CovidLock Android Malware
– Emotet
– Nanocore RAT
– TrickBot

Countries associated with these attacks include China, North Korea, Pakistan and Russia, respectively.

January 2020

TA542 (MUMMY SPIDER, Mealybug), the group behind Emotet, was one of the first reported threat groups to exploit COVID-19. Via malicious emails posing as disability welfare providers and public health centres, attackers lured victims into downloading an attachment entitled, Preventative Measures.

Devices infected with Emotet malware can deploy ransomware or drop other types of malware that steal sensitive information, including user credentials and browser history. This data is then used to send spam to other email accounts; therefore, the cycle of attacks continue.

Following on from this is LokiBot, a trojan-type malware which used emails purporting to provide vital COVID-19 protective measures.

February 2020

Early February two as-of-yet unattributed COVID-19 phishing campaigns were discovered distributing Remote Access Trojans (RATs), Nanocore (S0336) and Parallax.

If exploited, malicious actors can gain remote access for exfiltration of keystrokes, files, webcam feeds, and download and execute files.

Another phishing campaign focusing on alleged advice from the US Centers for Disease Control (CDC) was discovered during early February. This campaign hoodwinked victims by using compelling phishing emails claiming that CDC had “established a management system to coordinate a domestic and international public health response”. Other emails urged recipients to make bitcoin payments.

Alongside this was a phishing campaign spreading credential stealer, AZORult (S0344), which used shipping industry concerns as the theme. And another amplifying COVID-19 misinformation and conspiracy theories reportedly linked to the World Health Organisation (WHO), Australian Medical Association and US Centres for Disease Control and Prevention (CDC).

In late February, the Public Health Center of the Ministry of Ukraine was impersonated by a COVID-19 related spearphishing email with weaponised file attachment (T1193) and used as a delivery method for malware thought to be linked with the attacker known as Hade APT or TEMP.Armageddon.

It was an Anomali researcher, who publicly disclosed the China-based cyber group, Mustang Panda on February 27. A group which likely targeted Taiwanese users with malware designed to employ an executable for DLL side-loading and delivery of the Colbalt Strike. An isolated incident, BabyShark (a Microsoft Visual Basic script-based malware used by North Korean threat group Kimsuky), was found embedded inside a South Korean document responding to COVID-19.

March 2020

According to cyber security company, Checkpoint, COVID-19 themed domain registrations were 50% more likely to be fraudulent when compared to other issues, signalling a continuing growth for COVID-19 themed campaigns.

Early March:

  • Email security company Proofpoint discovered that a distributed computing project for disease research was leveraged as part of a phishing campaign, in which malicious actors circulated a new family named RedLine Stealer.
  • Anomali continued to observe Chinese threat group Mustang Panda, which exploited decoy documents associated with COVID-19 to target Taiwan and Vietnam, using Cobalt Strike and PlugX RATs payloads.


  • Malicious actors are using coronavirus maps to spread malware. Discovered by Reason Labs’ cyber security researcher, Shai Alfasi, the malware leverages the use of the maps in an attempt to steal credentials such as credit card details, passwords, usernames and other sensitive information stored on that users’ browser. One scam is mimicking a legitimate COVID-19 threat map by John Hopkins University.
  • Alongside this, Anomali discovered a malicious .Ink file that uses an infection chain similar to notorious APT groups, and one that may be connected to Korea-based threat group Higaisa.
  • The Mongolian public sector also fell victim to COVID-19 themed phishing emails linked to Vicious Panda.
  • The USA has seen an increase in attacks, including the Champaign-Urbana (Illinois) Public Health District, which fell victim of a ransomware attack using NetWalker.


  • Cyber security company, ESET claimed that a surge of 2,500 infections of two strains of malware was distributed in phishing emails within seven-hour period, all targeting Spain, Portugal, Czech Republic, Malaysia and Germany.

This is just an overview of Anomali’s findings over the past three months, existing customers of Anomali can access its entire body of research and all ongoing updates through its Anomali ThreatStream and Anomali Match portal.