Cybercriminals, nation-states increasingly tailoring coronavirus spearphishing campaigns

Nefarious actors have been sending lures about coronavirus to spread malware for weeks, but hackers are starting to tailor their forgery emails more to local outbreaks to better trick victims.
A microscopic image of the SARS-CoV-2 virus. (National Institute of Allergy and Infectious Diseases)

Cybercriminals and nation-state actors continue to exploit fears about the novel coronavirus, sending emails that look to be from legitimate health authorities to try delivering malware to victims, according to researchers at several different cybersecurity companies.

The campaigns are part of a growing trend of hackers taking advantage of the virus’s spread. While nefarious actors have been sending coronavirus-related lures for weeks, hackers are starting to tailor their forgery emails in order to better trick victims.

The lures, for instance, are increasingly borrowing the branding of country-specific health authorities, such as the Public Health Center of the Ministry of Health of Ukraine and China’s Ministry of Health, according to Recorded Future research set to be published later Thursday. There have also been lures from senders that appear to work for the U.S. Centers for Disease Control and Prevention (CDC) and the U.S. State Department, or that imitate the Mongolian Ministry of Health, according to BAE Systems research seen by CyberScoop.

In Iran, where more than 400 people have already been killed as a result of the virus, government-backed hackers have been targeting victims with coronavirus-themed messages to spread spyware, according to Recorded Future. A campaign from the suspected Chinese government-linked hacking group Mustang Panda has also been using coronavirus lures to deliver malicious files, Recorded Future found.


Some malicious attachments have claimed to contain specific “information about safety measures and existing cases in your city,” according to Sophos research also shared with CyberScoop.

Hackers have been using lures linked with organizations that could also be issuing important information on reducing the virus’s spread, such as the United Nations’ Office of Human Management, according to Sophos. There have also been lures associated with the World Health Organization (WHO), according to Sophos, Recorded Future, and Check Point.

A suspected group of Chinese government hackers has also been targeting Mongolian government officials by imitating senders from the Mongolian Ministry of Foreign Affairs in emails, according to Check Point research published Thursday. These attackers have been working to deliver malware that could provide them remote access to victim machines and screenshot capabilities.

Hackers have also imitated businesses that may be issuing information about how they are responding to the virus’s spread. The branding of FedEx, for instance, has been leveraged in at least one campaign that tries distributing Lokibot malware, according to Fortinet.

The campaigns’ victims over the last two months have primarily been in Iran, Italy, the U.S., and Ukraine, according to Recorded Future. Some schemes have also targeted Brazil, Mexico, and Spain, according to ESET research. Each of these countries has confirmed cases of the coronavirus.


WHO officially designated the coronavirus as a pandemic Wednesday, and as infection continues to spread around the world, researchers suspect hackers will continue to use fears as fodder for phishing campaigns.

“We assess that as the number of COVID-19 cases, as well as publicity around the virus, rises globally, both cybercriminals and nation-state actors will increasingly exploit the crisis as a cyber attack vector,” Recorded Future researchers write.

Nation-state campaigns

  • In the Iranian scheme, which Certfa’s Chief Incident Response Officer, Nariman Gharib, first reported, Iran’s Health Ministry urged victims to download an application, ac19.apk, which it claims will help them track whether they have symptoms of the virus. In reality, it delivers spyware that can track the victim’s location and physical activity, according to Recorded Future.
  • In the case of the suspected Chinese government-linked hacking, a Windows shortcut (LNK) found in an online malware repository matched BAE Systems’ Mustang Panda YARA rules, which help identify malware samples. These hackers eventually try to drop a Cobalt Strike stager, BAE Systems found.
  • According to FireEye research shared with CyberScoop, Chinese threat actors known as TEMP.Hex have been targeting Vietnam, the Philippines, and Taiwan with coronavirus-themed emails laced with Cobalt Strike. Other Chinese actors have been targeting Mongolian entities with the POISONIVY backdoor.
  • In another campaign, a nation-state-backed group, Hades APT, which is believed to be behind the Russian-backed Olympic Destroyer attack that targeted the 2018 Winter Olympics, is also believed to have been using coronavirus-themed lures, according to Red Drip.

The links between this campaign and the Olympic Destroyer actors, however, are “tenuous,” according to BAE Systems.


“[W]e … would require more data to reach the same conclusion,” the researchers write in the brief. “However, the apparent targeting of Ukraine would fit with Olympic Destroyer and the Russian ‘Sandworm’ group who have been associated with it.”

The suspected Russian campaign has targets in Ukraine, where the actors have tried establishing remote control of victim machines by using coronavirus lures pretending to be from the Ministry of Health of Ukraine, according to Red Drip.

FireEye researchers have also found that an “espionage group that acts in support of Russian interests,” TEMP.Armageddon, has sent coronavirus spearphishing emails with malicious documents to Ukrainian entities in recent months.

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.
