A new spam campaign, discovered by MalwareHunterTeam and reported to Abuse.ch, falsely claims that a payment for a government contract could not be made because of incorrect banking information. The email asks the user to examine an attached document for accuracy, and claims that if they do not, the proposed payment will be sent to the coronavirus disaster relief funds. If the recipient opens the attachment, their computer will be infected with malware. The new malware, named QNodeService, makes use of the legitimate and popular software framework Node.js. QNodeService is a remote access trojan that also steals passwords.

Attached to the email is an archive called “contract payment.zip” that contains a file named “Contract Payment.jar”. When executed, this Java Archive (JAR) file downloads QNodeService and a script called wizard.js and stores their packages in a folder on the infected system. According to a report by Trend Micro, once installed the malware has full control over the victim’s computer and can steal all of its current data.