Researchers have identified five separate campaigns, run between November of 2019 and January 2020, that shared similar payloads, packing code, and command and control servers. Users in Europe, the Middle East, and the Republic of Korea were the victims of these campaigns. The researchers have dubbed the threat group behind these attacks “RATicate”. The group’s latest campaign, according to researchers, uses the COVID-19 pandemic as a lure to gain victims. This campaign abused the Nullsoft Scriptable Install System (NSIS) to generate its malware installers. Of the multiple files dropped by this installer, only two were key to the infection. It is believed that the additional files are used to confuse analysts and throw off sandbox analysis. The RATs and info-stealers installed during this campaign included Lokibot, Betabot, Formbook, and AgentTesla. In total, researchers discovered thirty-eight NSIS installer samples they believed were part of this campaign. The infection vector was an email sent to potential victims. Attached was either an archive file containing the NSIS installer or a weaponized XLS / RTF document that downloaded the NSIS installer. These activated when the victim clicked on the attachment.