Get The Latest Insights

By Jessica Ellis | March 31, 2020

The novel coronavirus is giving opportunistic threat actors new means of deploying malicious lures on unsuspecting targets. Today’s example shows the attacker leveraging the pandemic by offering guidance on how to avoid coronavirus scams. Unfortunately, it’s also a scam.

We are providing ongoing updates on coronavirus-themed attacks observed by the PhishLabs team. This post and others are meant to help the security community stay up-to-date on how threat actors are exploiting the pandemic. 


ursnif scam blacked out contact


This lure is targeting a large global financial institution.

Sender address: [email protected]



Clicking on the link redirects you to affmote[dot]com/WLGf4L49kgtfESv4u.php where the target is prompted to provide extra verification in order to access the document. This extra step serves a dual purpose for the attacker by keeping security researchers or bots from finding the malware rather than the intended victim.  


ursnif scam 2


Enabling the malicious Word document results in the download of Ursnif malware, a highly active and stealthy banking trojan. 


Screenshot from 2020-03-30 19-46-46 ursnif


The information that this particular lure promises is not unique in nature. Phishing attacks exploiting coronavirus information from health and government officials are spanning a variety of channels nowadays, and tips on how to avoid being a victim are everywhere. Attackers interested in capitalizing on the public’s need for COVID-19 updates need only to similarly look to authority figures on the subject, and mirror their messaging. 

For more intelligence on COVID-19 threats, see our ongoing coverage.

Additional Resources: