
COVID-19 phishing and malware surge

CISA Alert AA20-099A documents how COVID-19-themed phishing, SMS lures, and remote-work exploits are hammering enterprises, urging security teams to double down on MFA, telework hygiene, and IOC monitoring.

Fact-checked and reviewed — Kodi C.


Overview

On , CISA and the UK's National Cyber Security Centre (NCSC) issued joint advisory AA20-099A, warning that both cybercriminals and nation-state threat actors are weaponizing fears around the COVID-19 pandemic to conduct cyberattacks. The advisory documents widespread credential phishing, malware distribution, SMS-based lures, and exploitation of remote work infrastructure targeting enterprises during the global shift to distributed operations.

Threat Environment During the Pandemic

The advisory describes a dramatically elevated threat environment created by pandemic conditions:

  • Expanded attack surface: Rapid deployment of remote access infrastructure created new vulnerabilities as organizations prioritized business continuity over security controls.
  • Fear-based social engineering: COVID-19 anxiety creates effective lure material for phishing campaigns, with users more likely to click links promising health information or economic relief.
  • Dual threat actors: Both financially motivated criminals and nation-state espionage actors are exploiting the pandemic, though with different objectives.
  • Reduced security oversight: IT and security teams face operational challenges supporting remote workforces, potentially reducing detection and response capabilities.

Phishing Campaign Tactics

Threat actors are using pandemic themes across multiple phishing vectors:

  • Health authority impersonation: Emails spoofing the WHO, CDC, or national health agencies with malicious attachments or credential harvesting links.
  • HR/employer communications: Fake internal messages about return-to-work policies, salary impacts, or benefits changes designed to harvest corporate credentials.
  • Government relief programs: Lures exploiting economic stimulus programs to capture personal or financial information from individuals.
  • Supplier notifications: Business email compromise campaigns using pandemic supply chain disruptions as pretexts for fraudulent payment redirection.
  • Video conferencing invitations: Malicious meeting invitations mimicking Zoom, Teams, or WebEx to deliver malware or capture credentials.

Malware Distribution Campaigns

COVID-19 themes are being used to distribute various malware families:

  • Remote access trojans: COVID-19 themed documents and spreadsheets delivering RATs that provide persistent access to compromised systems.
  • Information stealers: Malware designed to capture credentials, browser data, and cryptocurrency wallet information from infected endpoints.
  • Ransomware: Both targeted and opportunistic ransomware operators using pandemic themes for initial access before encryption deployment.
  • Mobile malware: Malicious Android applications masquerading as COVID-19 tracking apps, health information resources, or contact tracing tools.
  • Banking trojans: Financial malware targeting online banking sessions, particularly as consumers shift to digital banking during lockdowns.

SMS and Mobile Threats

Text-based attacks (smishing) present particular risks during the pandemic:

  • Delivery notifications: Fake package tracking messages exploiting increased online shopping during stay-at-home orders.
  • Government alerts: Spoofed emergency alerts or official notifications directing recipients to credential harvesting sites.
  • Health notifications: Fake exposure notifications or test results linking to malicious applications or data collection forms.
  • Financial alerts: Bank and credit card fraud alerts directing users to attacker-controlled sites.

Remote Work Infrastructure Exploitation

Adversaries are actively targeting the infrastructure supporting remote operations:

  • VPN vulnerabilities: Exploitation of known vulnerabilities in Citrix ADC (CVE-2019-19781), Pulse Secure (CVE-2019-11510), Fortinet (CVE-2018-13379), and Palo Alto (CVE-2019-1579) VPN appliances.
  • RDP exposure: Scanning and credential attacks against Remote Desktop Protocol services exposed to support remote work.
  • VTC hijacking: "Zoom-bombing" and unauthorized access to video conferencing sessions lacking adequate authentication controls.
  • Cloud service targeting: Attacks against cloud email, file sharing, and collaboration platforms handling increased remote traffic.
  • Home network compromise: Targeting of residential network equipment to enable man-in-the-middle attacks or pivot to corporate resources.

APT and Nation-State Activity

The advisory notes that advanced persistent threat groups are also exploiting pandemic conditions:

  • Healthcare targeting: APT groups conducting espionage against healthcare and research organizations involved in COVID-19 response.
  • Vaccine research: Attempted theft of vaccine development data, clinical trial information, and treatment protocols.
  • Government operations: Targeting of government agencies coordinating pandemic response for intelligence collection.
  • Supply chain intelligence: Reconnaissance of medical supply chains and critical infrastructure supporting pandemic response.

Mitigation Recommendations

If you are affected, implement comprehensive defenses against pandemic-themed attacks:

  • Multi-factor authentication: Enforce MFA across all remote access vectors including VPNs, cloud applications, and email access.
  • VPN patching: Immediately verify patch status for all VPN and remote access appliances, particularly those with known exploited vulnerabilities.
  • Email security: Enhance email filtering for COVID-19 themed phishing, implement banner warnings for external messages, and enable advanced threat protection features.
  • Endpoint protection: Ensure endpoint security agents remain updated on remote devices and implement behavioral detection for document-based malware.
  • User awareness: Conduct targeted training on pandemic-themed social engineering, including phishing simulations using current lure techniques.

Threat Hunting Recommendations

Security operations teams should proactively hunt for pandemic-themed compromises:

  • Email analysis: Search mailboxes for COVID-19 keywords, suspicious sender domains, and attachment types commonly used in campaigns.
  • Domain monitoring: Track newly registered domains containing pandemic-related terms for potential use in attacks.
  • Network indicators: Monitor for traffic to known malicious infrastructure documented in the advisory and subsequent threat intelligence.
  • Behavioral analysis: Detect anomalous authentication patterns, particularly from residential IP ranges or during unusual hours.
  • Application monitoring: Identify unauthorized applications or browser extensions installed during the remote work transition.
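As an added example (not part of the advisory or this briefing), the following Python triage routine applies the email-analysis and domain-monitoring hints above to constructed mailbox records: it flags pandemic-themed subjects, senders that imitate health authority domains, recently registered sender domains, and attachment types commonly used for document-based malware. The record field names, the 30-day "newly registered" threshold, and the two-hit reporting rule are assumptions.

```python
"""Hunt for COVID-19 themed phishing in exported mailbox records (added example)."""
from datetime import date

PANDEMIC_TERMS = ("covid", "coronavirus", "pandemic", "vaccine", "stimulus", "quarantine")
# Health authorities the advisory says are impersonated, and the labels attackers reuse.
AUTHORITY_DOMAINS = {"who.int", "cdc.gov", "nhs.uk"}
AUTHORITY_LABELS = {"who", "cdc", "nhs"}
# Attachment types commonly carrying document-based malware (assumed list).
RISKY_EXT = (".doc", ".docm", ".xls", ".xlsm", ".zip", ".exe", ".js", ".iso")
NEW_DOMAIN_DAYS = 30          # assumed threshold for "newly registered"
REFERENCE_DATE = date(2020, 4, 8)  # constructed "today" for the sample run

def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def is_authority_lookalike(domain):
    """True if the domain reuses a health-authority label but is not the real domain."""
    if domain in AUTHORITY_DOMAINS:
        return False
    labels = set(domain.replace("-", ".").split("."))
    return bool(labels & AUTHORITY_LABELS)

def triage_message(msg, registrations, today):
    """Return the hunting hits for one message (empty list = nothing notable)."""
    reasons = []
    if any(t in msg["subject"].lower() for t in PANDEMIC_TERMS):
        reasons.append("pandemic-themed subject")
    domain = sender_domain(msg["from"])
    if is_authority_lookalike(domain):
        reasons.append(f"health-authority lookalike sender: {domain}")
    registered = registrations.get(domain)   # whois-style registration date, if known
    if registered and (today - registered).days <= NEW_DOMAIN_DAYS:
        reasons.append(f"sender domain registered {(today - registered).days} days ago")
    for name in msg.get("attachments", []):
        if name.lower().endswith(RISKY_EXT):
            reasons.append(f"risky attachment: {name}")
    return reasons

def hunt(messages, registrations, today):
    """Return {message_id: reasons} for messages with two or more independent hits."""
    return {m["id"]: r for m in messages
            if len(r := triage_message(m, registrations, today)) >= 2}

# Constructed sample data; none of these are real indicators.
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "alerts@who-int-update.com", "subject": "COVID-19 safety measures", "attachments": ["Safety_Measures.docm"]},
    {"id": "m2", "from": "hr@example.com", "subject": "Return-to-work policy", "attachments": ["policy.pdf"]},
    {"id": "m3", "from": "news@who.int", "subject": "Coronavirus situation report", "attachments": []},
]
SAMPLE_REGISTRATIONS = {"who-int-update.com": date(2020, 3, 20), "example.com": date(1995, 8, 14)}

if __name__ == "__main__":
    for mid, why in hunt(SAMPLE_MESSAGES, SAMPLE_REGISTRATIONS, REFERENCE_DATE).items():
        print(mid, "->", "; ".join(why))
```

Requiring two independent hits keeps a legitimate WHO situation report (a single pandemic keyword) out of the hunt queue while surfacing the lookalike sender with a macro-enabled attachment.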

Video Conferencing Security

If you are affected, implement controls to prevent meeting hijacking and related attacks:

  • Require meeting passwords and waiting rooms for all video conferences
  • Limit screen sharing capabilities to hosts or designated presenters
  • Distribute meeting links through secure channels rather than public posts
  • Enable participant authentication where supported by the platform
  • Record and review meetings for sensitive discussions

Incident Response Preparation

Your security team should prepare for pandemic-related incidents:

  • Update incident response playbooks to address remote workforce scenarios
  • Establish communication channels that function when employees are distributed
  • Pre-position containment capabilities for endpoints outside the corporate network
  • Document escalation procedures for pandemic-themed attacks requiring specialized response

Summary

Advisory AA20-099A highlights the opportunistic nature of cyber threat actors, who exploit global crises to advance their objectives. The combination of an expanded attack surface from remote work, effective social engineering material drawn from pandemic fears, and the operational challenges facing security teams creates elevated risk that demands heightened vigilance. If you are affected, immediately implement the recommended controls while tracking evolving pandemic-themed threats throughout the crisis period.


Source material

  1. AA20-099A: COVID-19 Exploited by Malicious Cyber Actors — CISA and NCSC
  2. CISA Alerts Archive — CISA
  3. ISO/IEC 27001:2022 — Information Security Management Systems — International Organization for Standardization
