North Korea’s Lazarus group is likely behind a planned coronavirus-related phishing campaign taking aim at more than 5 million businesses and people in the U.S. and five other countries June 21.

“The hacking campaign involved using phishing emails under the guise of local authorities in charge of dispensing government-funded Covid-19 support initiatives,” researchers at Cyfirma wrote in a blog post, describing a set of email templates aimed at accounts each country that they viewed. “These phishing emails are designed to drive recipients to fake websites where they will be deceived into divulging personal and financial information.”

The six countries targeted – India, Singapore, the U.S., the U.K., Japan and South Korea – share a common trait, the researchers said, explaining all “have announced significant fiscal support to individuals and businesses in their effort to stabilize their pandemic-ravaged economies.” Lazarus’s scheme is to impersonate government and other entities that oversee disbursing those funds.

In the U.S., for example, the hackers have reportedly curated 1.4 million email IDs and plan to send them emails through a spoofed USDA account that asks them to provide personal information so they can receive a (fake) direct payment of $1,000.

The researchers said that while they hadn’t seen phishing or impersonated sites defined in the templates, their research indicates the hackers will set that up during the next 24 hours.

While large-scale phishing campaigns are an everyday occurrence and lists of emails are available on the dark web for bitcoin, Ilia Kolochenko, founder and CEO at ImmuniWeb, cast doubt on the supposed Lazarus campaign, saying it was more likely the work of script kiddies rather than a nation-state actor.

“Professional cybercriminals will unlikely discuss their upcoming hacking campaigns in a visible manner unless they aim to build a smoke screen a raise a false alert,” said Kolochenko. “Moreover, targeting enterprises with COVID-19 today borders to absurd, virtually all organizations now have internal memos or policies saying to distrust all and any COVID-19 related communications from any source.”