Researchers observed a COVID-19 themed spear-phishing email targeted towards co-operative banks in India. Appearing to come from a large Indian bank and aimed towards smaller co-operative banks, the body of the email claims that the attached file contains information regarding measures related to COVID-19. The attachment is a ZIP archive masquerading as a spreadsheet or PDF. Inside the archive is a JAR file that similarly attempts to hide as a spreadsheet or PDF. This JAR file acts as a first-stage, dropping and executing the second-stage JAR. It also establishes persistence via a Registry Run key. The second-stage payload is the Adwind jRAT and provides the main malicious functionality. It communicates with its C2 server on a non-standard port. Once connected to its C2, it can receive a variety of commands that provide extensive remote access capabilities. Specifically, it can download and execute additional payloads, capture screenshots, provide remote desktop access, perform file operations, and more.