Threat actors have continued to use COVID-19 as a subject to lure recipients into downloading malware. One such campaign spreads the Lemon Duck cryptocurrency-mining malware. The malware arrives as an attachment to the spam, usually named urgent.doc. These attachments contain a script file, readme.js. Once a machine is infected, the malware uses its own mailer script to propagate to other recipients: it scrapes the user's MS Outlook contact list and sends emails with the malicious attachment. This routine adds legitimacy to the email, as it now comes from a trusted or known source, which encourages the next recipient to click on the attachment. A multi-layered approach to security is needed for campaigns like this.
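A mail-gateway triage check for the attachment names given above, as an added example that is not part of the original advisory: it flags attachments named urgent.doc or readme.js and deliberately applies no sender allow-list, because the campaign mails from known contacts. The function names, the extra script-extension list and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Attachment names reported in the advisory; compared case-insensitively.
LURE_NAMES = {"urgent.doc", "readme.js"}
# Assumption: script extensions a gateway would not expect in ordinary mail.
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".wsf")


def triage(raw_message):
    """Return sorted findings for one RFC 5322 message given as text."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = set()
    # No sender allow-list: the mailer script sends from the victim's own
    # Outlook contacts, so a known sender is not evidence of a safe message.
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        name = name.strip().lower()
        if name in LURE_NAMES:
            findings.add("lure-name:" + name)
        elif name.endswith(SCRIPT_EXTS):
            findings.add("script-attachment:" + name)
    return sorted(findings)


def build_sample(sender, subject, filename, payload=b"constructed bytes"):
    """Build a constructed test message with one attachment (not real malware)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "user@example.org"
    m["Subject"] = subject
    m.set_content("Please see the attached file.")
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()


if __name__ == "__main__":
    samples = [
        build_sample("colleague@example.org", "COVID-19 update", "URGENT.doc"),
        build_sample("colleague@example.org", "Quarterly numbers", "report.pdf"),
        build_sample("vendor@example.net", "Invoice", "invoice.JS"),
    ]
    for raw in samples:
        print(triage(raw) or "clean")
```
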