惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

D
Docker
Simon Willison's Weblog
Simon Willison's Weblog
H
Help Net Security
F
Fortinet All Blogs
H
Heimdal Security Blog
S
Schneier on Security
L
LangChain Blog
博客园 - Franky
酷 壳 – CoolShell
酷 壳 – CoolShell
NISL@THU
NISL@THU
P
Palo Alto Networks Blog
J
Java Code Geeks
博客园 - 【当耐特】
The Last Watchdog
The Last Watchdog
W
WeLiveSecurity
www.infosecurity-magazine.com
www.infosecurity-magazine.com
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
V
Vulnerabilities – Threatpost
I
InfoQ
Recorded Future
Recorded Future
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
C
CERT Recently Published Vulnerability Notes
T
Tenable Blog
腾讯CDC
C
Check Point Blog
量子位
M
MIT News - Artificial intelligence
GbyAI
GbyAI
罗磊的独立博客
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
B
Blog
小众软件
小众软件
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
C
CXSECURITY Database RSS Feed - CXSecurity.com
Stack Overflow Blog
Stack Overflow Blog
P
Proofpoint News Feed
P
Privacy & Cybersecurity Law Blog
V2EX - 技术
V2EX - 技术
T
Threatpost
Engineering at Meta
Engineering at Meta
Attack and Defense Labs
Attack and Defense Labs
T
Tailwind CSS Blog
S
Securelist
The Cloudflare Blog
博客园 - 叶小钗
L
LINUX DO - 最新话题
T
Troy Hunt's Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
爱范儿
爱范儿

Intel 471 Blog

TeamPCP Supply Chain Attacks Turning Geopolitical Tension into Actionable Intelligence CVE-2025-68613: Zerobot botnet exploits critical vulnerability impacting n8n AI orchestration platform Introducing Cyber Threat Exposure Bundle: A Unified Approach to External Risk CVE-2026-20127: Critical Cisco SD-WAN vulnerability exploited in wild Handala Threat Group OpenClaw: A viral AI assistant and a magnet for infostealer malware and ClickFix trickery Israeli, US strikes against Iran triggers a surge in hacktivist activity CVE-2026-1731: Finding a critical RCE in an age of AI-driven vulnerability research Born to bypass MFA: Taking down Tycoon 2FA The UK Cyber Security Resilience Bill How AI and the human advantage beat tomorrow’s threats Winter Olympics 2026: Hacktivism Surges Ahead of Protests and Suspected Sabotage How Threat Hunting and “Good” Metrics Help The Business Likely fake ransomware operator 0APT causes panic — Our analysis Hunting APTs: from state policy to TTPs CrazyHunter Ransomware DevMan Ransomware Introducing HUNTER Tuning: a New Tool for Driving Behavioral Threat Hunt Detections Battling check fraud in the U.S. Gootloader Malware Update Shai-Hulud Worm 2.0 New FvncBot Android banking trojan targets Poland White Paper Preview: Black "Fraud Day” and Beyond — The Key Cyber Threats Facing the Retail Sector this Holiday Season Threat hunting case study: Detecting IAB activity Using deception to extract cyber threat intelligence Lynx Ransomware Qilin Ransomware Group ClickFix: Tricking users into installing infostealers Cybercrime Takedowns: Trust, Partnerships and Focus How card fraud is powered by underground card checkers Tracking down The Com Turning Chaos into Clarity: The Next Phase of Intel 471’s Geopolitical Intelligence Solution The FBI’s Group 78: Covertly fighting ransomware? How threat actors bypass multifactor authentication Crimson Collective In a digital age, US paper check fraud flourishes How you can defend against AI-driven fraud and phishing Detecting cybercriminal activity on Telegram NPM - Shai-Hulud Worm Threat hunting case study: ToolShell AMOS Stealer How AI can (and can’t) help in threat hunting The Phrack leak: Examining an APT’s workstation How initial access offers power intrusions and ransomware Drawing value from cyber threat intelligence “Pig-Butchering” Scams: The Dark Side of Social Engineering and Why Terminology Matters After disruption, XSS cybercrime forum faces loss of trust Update: Salt Typhoon Bridging the CTI Gap: New Exposure Modules on Verity471 Deliver Market-Disrupting Views of Threats Introducing Verity471: Cyber Threat Intelligence Ready to Operationalize FileFix Social Engineering Technique Guided Threat Hunts Takes Your Behavioral Threat Hunting to the Next Level Defending against doxing CVE-2025-53770 - Microsoft Sharepoint Mass Exploitation (ToolShell) Threat hunting case study: Lumma infostealer Pro-Russian hacktivism: Shifting alliances, new groups and risks mommy Access Broker NATO summit commences in tandem with tense cyber, kinetic conflict A look at ‘Tinker,’ Black Basta’s phishing fixer, negotiator Threat hunting case study: DragonForce Two critical challenges facing CTI teams and how to overcome them: Intel 471’s additional insights into the SANS 2025 CTI Survey Android malware trends: Stealthier, easier-to-use Fingerprinting threat actors by their anonymity techniques DanaBot malware disrupted, threat actors named Intel 471 brings HUNTER behavioral threat hunts to Google Security Operations SANS 2025 CTI Survey: It’s Business Time for Cyber Risk How an alleged Russian hacker slipped away Threat hunting case study: Medusa ransomware CVE-2025-31324 - SAP NetWeaver Vulnerability DragonForce Ransomware Managing a cyber crisis LabHost: A defunct but potent phishing service Understanding and threat hunting for RMM software misuse Threat-hunting case study: Windows Management Instrumentation abuse VanHelsing Ransomware An in-depth look at Black Basta's TTPs Six Key Takeaways From the SANS 2025 Threat Hunting Survey Update: Medusa Ransomware Writing high-quality IDS detection rules Threat hunting case study: RMM software Update: LockBit Ransomware Zservers: Bulletproof hosting for online crime Update: Black Basta Ransomware and Threat Group Black Basta exposed: A look at a cybercrime data leak BadPilot Campaign The evolution of Russian cybercrime Android trojan TgToxic updates its capabilities Threat hunting case study: SocGholish DeepSeek AI poses cybersecurity risks Law enforcement hammered cybercrime in 2024. Is it working? Remote Monitoring and Management (RMM) Abuse How threat actors are using artificial intelligence Threat hunting case study: PsExec How ransomware may trend in 2025 What 2025 May Hold for Cybersecurity Bring Your Own Hunts to HUNTER ‘Tis the Season to Be Alert for Cyber Threats: 5 Unjoyful Holiday Tactics Collecting Useful CTI from Underground Markets Expanding source coverage: adding Signal chats to threat intelligence
Malicious actors leverage Coronavirus Disease 2019 fear to increase business
2020-03-19 · via Intel 471 Blog

By the Intel 471 Intelligence Analysis team.

Our lives continue to be inundated with emails, mobile applications and websites that promise to deliver critical information related to the Coronavirus Disease 2019 (COVID)-19 pandemic threatening millions of people across the globe. Fear surrounding the disease has been exploited by attackers with adverse intentions who have launched campaigns including business email compromise (BEC), phishing and malicious domains. These domains can be used to push disinformation, malware, ransomware, steal passwords or personal information and by possible nation-state hackers to conduct reconnaissance. For example, the cybersecurity digital magazine SC Media reported an Android application was available at coronavirusapp[.]site. The app later was dubbed the CovidLock Android ransomware and claimed to provide access to real-time virus tracking. However, the app instead was found to be disguised ransomware that locked victims’ phones using a screen-lock attack.

Several open source reports claimed similar phishing campaigns leveraged the recent COVID-19 outbreak and widespread fear of the virus for personal gain. These phishing campaigns were used in attacks targeting individuals in the U.K and U.S, via highly enticing links in emails from attackers that impersonated departments of the U.S. government, health officials, university personnel and the World Health Organization (WHO) warning of new infections reported in the local area and providing safety measures.

Themed malware campaigns arise

Intel 471 observed similar instances of phishing campaigns advertised in the underground. On Feb. 22, 2020, a newcomer to the Russian-speaking underground offered to sell a “new exploit” and coronavirus “phishing method” that leveraged the COVID-19 outbreak as bait. The actor stated the exploit would load a functional online map of the COVID-19 infected areas with additional data. The map was promoted as interactive, resizable and allegedly contained real-time data from the WHO and other sources. The actor assumed users would mistake the malware as an actual map, open and forward it on to friends and naturally increase the malware’s infection rate. According to the malware description provided by the actor, the loader was fully undetectable (FUD) and could bypass Windows Defender anti-virus software. The actor also claimed the malware supported all Windows versions from Windows XP and newer, although it required a version of Java Runtime Environment (JRE) software be installed on the system. The malware with the actor’s code-signing certificate was priced at US $700 and an unsigned malware sample was priced at US $200.

An example of a Coronavirus Disease 2019 (COVID)-19 themed Hancitor malware drop in a screenshot from the Twitter account @malware_traffic March 16, 2020.

An example of a Coronavirus Disease 2019 (COVID)-19 themed Hancitor malware drop in a screenshot from the Twitter account @malware_traffic March 16, 2020.

An example of malicious command and control (C2) domain IP addresses deploying the DanaBot banking trojan from Coronavirus Disease 2019 (COVID)-19 themed domains in a screenshot from the twitter account @James_inthe_box March 16, 2020.

An example of malicious command and control (C2) domain IP addresses deploying the DanaBot banking trojan from Coronavirus Disease 2019 (COVID)-19 themed domains in a screenshot from the twitter account @James_inthe_box March 16, 2020.

Separately, several operators of notable malware groups utilized COVID-19 themed attacks, including AZORult, DanaBot, Emotet, Hancitor and Smokeloader. Based on information provided in open sources, the Intel 471 malware intelligence team independently observed known hashed malicious files downloaded from known malicious domains that used a command issued by a controller. These events linked the Hancitor and Smokeloader campaigns based on files dropped and the command and control (C2) infrastructure. Additionally, we observed AZORult utilized malignant COVID-19 themed C2 infrastructure to exfiltrate victim data.

An example of a process graph related to the malicious corona-virus-map[.

An example of a process graph related to the malicious corona-virus-map[.

net domain in a screenshot from the twitter account @malwrhunterteam March 16, 2020.]

The advantageous methods employed by threat actors substantiates the increased importance of being highly suspicious of communications not verified by official sources which appear to provide information or goods related to the ongoing pandemic.

GIRs
1.1.1 Ransomware malware
1.1.2 Mobile malware
1.1.3 Remote access trojan (RAT) malware
1.1.4 Banking trojan malware
1.2.5 Spamming services
4.4.1 Phishing
6.2.4 Europe
6.2.7 North America

Sources

[1] 16March2020 SC Media article: Password found to rescue victims of malicious COVID-19 tracker app

[2] 01Feb2020 Bleeping Computer article: Coronavirus Phishing Attacks Are Actively Targeting the US

[3] 16March2020 ARS Technica article: The Internet is drowning in COVID-19-related malware and phishing scams

[4] 16March2020 Twitter post: @malware_traffic

https://twitter.com/malware_traffic/status/1239629010377887746

[5] 31Jan2020 TrendMicro blog: Emotet Uses Coronavirus Scare in Latest Campaign, Targets Japan

[6] 16March2020 Twitter post: @James_inthe_box

https://twitter.com/James_inthe_box/status/1239705819995729920

[7] 16March2020 Twitter post: @malwrhunterteam

https://twitter.com/malwrhunterteam/status/1239628249136758786