Researchers have published their analysis of a COVID-19 themed email campaign. The email subject and body are related to the sale of face masks and thermometers, which were in short supply earlier this year. The body includes the company logo and details of a legitimate chemical manufacturer or import/export business. Along with changing the spoofed company, the attackers also rotated the sender IP address and attachment hash to evade systems that detect known malicious indicators. Attached to these emails was a GZ archive masquerading as a PDF that supposedly contains details on ordering face masks. The archive contains an executable file that, upon execution, installs the Agent Tesla RAT. After its initial check-in with the C2 server, the RAT waits to receive commands to be executed on the victim host. One of the main functionalities of Agent Tesla is the ability to steal passwords from various applications. Gathered credentials and other sensitive information are then exfiltrated to the C2 server via SMTP.
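Because the sender IP address and attachment hash rotate, a structural check on the attachment holds up better than indicator matching. The following is an added example, not code from the researchers' report: it flags attachments that present themselves as PDF but are gzip archives, and notes whether the archive starts with an executable header. The function names, the sample messages, and the assumption that "masquerading" means a PDF-looking filename or MIME type are all constructed for illustration.

```python
import gzip
import zlib
from email import message_from_bytes, policy
from email.message import EmailMessage

GZIP_MAGIC = b"\x1f\x8b"   # RFC 1952 gzip header
PE_MAGIC = b"MZ"           # DOS/PE executable header

def inspect_attachments(raw_email: bytes) -> list:
    """Flag attachments presented as PDF whose bytes are really a gzip archive."""
    findings = []
    msg = message_from_bytes(raw_email, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        # Assumption: "masquerading" means a PDF-looking name or MIME type.
        claims_pdf = ".pdf" in name.lower() or part.get_content_type() == "application/pdf"
        if not claims_pdf or not data.startswith(GZIP_MAGIC):
            continue
        try:
            # Inflate at most 64 bytes so a decompression bomb cannot exhaust memory.
            head = zlib.decompressobj(wbits=31).decompress(data, 64)
        except zlib.error:
            head = b""
        findings.append({"filename": name, "container": "gzip",
                         "contains_pe": head.startswith(PE_MAGIC)})
    return findings

def build_sample(filename: str, payload: bytes, subtype: str) -> bytes:
    """Build a constructed test message (not a sample from the campaign)."""
    msg = EmailMessage()
    msg["Subject"] = "Face mask order (constructed sample)"
    msg["From"] = "sales@example.com"
    msg["To"] = "user@example.org"
    msg.set_content("Order details attached.")
    msg.add_attachment(payload, maintype="application", subtype=subtype, filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    inert = b"MZ" + b"\x00" * 62  # header bytes only, not a working executable
    lure = build_sample("mask_order.pdf.gz", gzip.compress(inert), "gzip")
    real_pdf = build_sample("invoice.pdf", b"%PDF-1.7\n%%EOF\n", "pdf")
    print(inspect_attachments(lure))
    print(inspect_attachments(real_pdf))
```

A mail gateway or triage script could quarantine any message for which `inspect_attachments` returns a finding, with `contains_pe` raising the priority.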