Thousands of Zero-Day Spear Phishing Attacks Continue to Target Covid-19 Pharmaceuticals

Three days before the end of 2020 SlashNext Threat Labs observed a flurry of spear-phishing attacks targeting companies working to deliver Covid-19 vaccines and therapeutics to curb the pandemic. Many of these attacks continue and have been active during the first quarter of 2021 with more than 1,000 spear phishing domains belonging to the same threat actors in the last 90 days. In all cases, these attacks point to Office 365 log-in pages, hosted on legitimate domains, and have recently moved to azure websites.

“There are strong indicators these attacks are sourced from nation-states which can be correlated to reports on activities from North Korea and Iran attempting to access Covid-19 vaccine data and intellectual property.” Atif Mushtaq, Founder and CPO SlashNext

These spear-phishing attacks are targeting specific, high-value individuals working on Covid-19 vaccines or therapeutics. Spear phishing typically targets employees working in finance with a monetary motive. These high target attacks are targeting high-value employees with access to lab technology and intellectual property in an attempt to steal sensitive account credentials including executives working in innovation, clinical research, patents, and manufacturing.


First seen 02/16/2021 07:49:55 PM



Astra Group Credential Stealing Threat

First seen 02/23/2021 02:51:29 PM


Astra Zenica Webmail Phishing Threat

First seen 02/06/2021 08:05:58 PM

The following is a list of target titles:

Company Targeted Titles and Organizations
Optum Federal Solutions, OptumServe

Data Engineering – Optum Life Sciences


Advanced Technology Collaborative

Gilead Science Clinical Research

Manufacturing Operations

Development Operations at Gilead Sciences

Medical Affairs

Regulatory Operations

Global Specialty Lab Outsourcing

Patent Operations

Outsourced Manufacturing

Development at Gilead

Process Lead at Gilead Sciences

Novartis Global BioMedical Research

Novartis Institutes of Biomedical Research

Regulatory Affairs North America

Pharmaceuticals Counsel


Transformation and Innovation

Biomarker Coordination

Scientific Computing and Consulting

Biostatistics and Pharmacometrics

Translational Medicine

Drug Discovery

Astrazeneca National Intermediaries

Clinical Research

Global Operations



The following is a list of companies and a subset of phishing domains involved in this outbreak. Update March 24, 2021

Company Phishing Domain
Optum optum-2989[.]
Gilead Science gilead-fax16[.]apponline-8473[.]xyz
Integrated DNA Technologies idtdna-fax12[.]apponline-9234[.]xyz
Novartis novartis-fax78[.]apponline-2641[.]xyz
Abbott Laboratories abbott-9196[.]apponline-5673[.]xyz
Astrazeneca astrazeneca-fax34[.]apponline-1424[.]xyz




Johnson and Johnson its-fax83[.]
Pfizer pfizer-fax80[.]apponline-8473[.]xyz
Merck merckgroup-2585[.]apponline-8473[.]xyz








It’s Time to Get Started with SlashNext

Experience the difference with broad phishing threat coverage and automated delivery.