Recent Posts

Recent Blog Posts

The PhishLabs Blog

COVID-19 Phishing Update: Email Posing as Scam Guidance Delivers Malware Instead

Posted by Jessica Ellis on Mar 31, '20

The novel coronavirus is giving opportunistic threat actors new means of deploying malicious lures on unsuspecting targets. Today’s example shows the attacker leveraging the pandemic by offering guidance on how to avoid coronavirus scams. Unfortunately, it’s also a scam.

We are providing ongoing updates on coronavirus-themed attacks observed by the PhishLabs team. This post and others are meant to help the security community stay up-to-date on how threat actors are exploiting the pandemic. 


ursnif scam blacked out contact


This lure is targeting a large global financial institution.

Sender address:



Clicking on the link redirects you to affmote[dot]com/WLGf4L49kgtfESv4u.php where the target is prompted to provide extra verification in order to access the document. This extra step serves a dual purpose for the attacker by keeping security researchers or bots from finding the malware rather than the intended victim.  


ursnif scam 2


Enabling the malicious Word document results in the download of Ursnif malware, a highly active and stealthy banking trojan. 


Screenshot from 2020-03-30 19-46-46 ursnif


The information that this particular lure promises is not unique in nature. Phishing attacks exploiting coronavirus information from health and government officials are spanning a variety of channels nowadays, and tips on how to avoid being a victim are everywhere. Attackers interested in capitalizing on the public’s need for COVID-19 updates need only to similarly look to authority figures on the subject, and mirror their messaging. 

For more intelligence on COVID-19 threats, see our ongoing coverage.

Additional Resources:

Topics: COVID-19

What's this all about?

The PhishLabs Blog is where we share our insights and thoughts on cybercrime and online fraud.

Recent Posts

Subscribe to Email Updates

Posts by Topic

see all