Malware 

4.4.23 Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls it to receive orders. Its main functionality is that it can load other payloads (called "tasks") onto all or specifically targeted computers compromised by the malware. MALWARE Malware
4.4.23 BabyShark BabyShark is a Microsoft Visual Basic (VB) script-based malware family first seen in November 2018. The malware is launched by executing the first-stage HTA from a remote location, so it can be delivered via different file types, including PE files as well as malicious documents. It exfiltrates system information to its C2 server, maintains persistence on the system, and waits for further instructions from the operator. MALWARE Malware
12.12.2025 AshTag Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities With New AshTag Malware Suite MALWARE MALWARE
01.11.2025 Airstalk Suspected Nation-State Threat Actor Uses New Airstalk Malware in a Supply Chain Attack MALWARE MALWARE
21.10.2025 COLDRIVER To Be (A Robot) or Not to Be: New Malware Attributed to Russia State-Sponsored COLDRIVER MALWARE Malware
03.10.2025 SORVEPOTEL  Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users MALWARE Malware
01.06.2025 Poseidon Stealer and Payday Loader Dark Partners: The crypto heist adventure of Poseidon Stealer and Payday Loader MALWARE MALWARE
27.02.2025 Winos 4.0 Winos 4.0 Spreads via Impersonation of Official Email to Target Users in Taiwan MALWARE MALWARE
10.02.2025 FINALDRAFT From South America to Southeast Asia: The Fragile Web of REF7707 MALWARE Malware
10.02.2025 NAPLISTENER NAPLISTENER: more bad dreams from developers of SIESTAGRAPH MALWARE Malware
10.02.2025 BadIIS This blog post details our analysis of an SEO manipulation campaign targeting Asia. We also share recommendations that can help enterprises proactively secure their environment.  MALWARE Malware
10.02.2025 ASPXSpy ASPXSpy is a Web shell. It has been modified by Threat Group-3390 actors to create the ASPXTool version. MALWARE Malware
26.12.2024 BellaCPP BellaCPP: Discovering a new BellaCiao variant written in C++ MALWARE Malware
23.07.2024 SocGholish Fake Browser Updates Lead to BOINC Volunteer Computing Software MALWARE Malware
10.07.2024 ViperSoftX The Mechanics of ViperSoftX: Exploiting AutoIt and CLR for Stealthy PowerShell Execution MALWARE Malware
18.03.2024 SVG Scalable Vector Graphics (SVG) files are a popular format for web graphics because they can be resized without losing quality. MALWARE Malware
29.11.2023 GCleaner Deep Analysis of GCleaner MALWARE Malware
14.09.2023 BUGHATCH According to Elastic, BUGHATCH is an in-memory implant loaded by an obfuscated PowerShell script that decodes and executes an embedded shellcode blob in its allocated memory space using common Windows APIs (VirtualAlloc, CreateThread, WaitForSingleObject).  MALWARE Malware
06.09.2023 DUCKTAIL According to Tony Lambert, this is a malware written in .NET. It was observed to be delivered using the .NET Single File deployment feature.  MALWARE Malware
24.08.2023 Telekopye Analysis of Telegram bot that helps cybercriminals scam people on online marketplaces  MALWARE Malware
11.08.2023 Spyder Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors MALWARE Malware
11.08.2023 ShadowPad Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors MALWARE Malware
11.08.2023 FunnySwitch RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale MALWARE Malware
11.08.2023 Brute Ratel C4 Brute Ratel is a customized Command and Control Center for Red Team and Adversary Simulation. MALWARE Malware
02.08.2023 HeadCrab Known as HeadCrab, this advanced threat actor utilizes a state-of-the-art, custom-made malware that is undetectable by agentless and traditional anti-virus solutions MALWARE Malware
03.07.2023 SVCReady According to PCrisk, SVCReady collects information about the infected system such as username, computer name, time zone and computer manufacturer. MALWARE Malware
03.07.2023 Matanbuchus According to PCrisk, Matanbuchus is a loader-type malicious program offered by its developers as Malware-as-a-Service (MaaS). MALWARE Malware
03.07.2023 CargoBay CargoBay is a newer malware family which was first observed in 2022 and is notable for being written in the Rust language. MALWARE Malware
01.07.2023 RustBucket Bluenoroff’s RustBucket campaign MALWARE Malware
24.06.2023 DARKDEW Mandiant associates this with UNC4191; the malware spreads to removable drives. MALWARE Malware
24.06.2023 BLUEHAZE Mandiant associates this with UNC4191; the malware is a launcher for NCAT used to establish a reverse tunnel. MALWARE Malware
24.06.2023 MISTCLOAK Mandiant associates this with UNC4191; the malware decrypts and runs DARKDEW. MALWARE Malware
24.06.2023 WispRider Camaro Dragon is a Chinese-based espionage threat actor whose operations are actively focused on Southeast Asian MALWARE Malware
17.06.2023 ChamelDoH The malware, dubbed ChamelDoH by Stairwell, is a C++-based tool for communicating via DNS-over-HTTPS (DoH) tunneling. MALWARE Malware
14.06.2023 DoubleFinger  Sneaky DoubleFinger loads GreetingGhoul targeting your cryptocurrency MALWARE Malware
13.06.2023 Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. MALWARE Malware
08.06.2023 PowerDrop PowerDrop: A New Insidious PowerShell Script for Command and Control Attacks Targets U.S. Aerospace Defense Industry MALWARE Malware
03.06.2023 Horabot Cisco Talos has observed a threat actor deploying a previously unidentified botnet program Talos is calling “Horabot.” MALWARE Malware
03.06.2023 MQsTTang MQsTTang: Mustang Panda’s latest backdoor treads new ground with Qt and MQTT MALWARE Malware
03.06.2023 RandomQuery According to SentinelLabs, this is a VisualBasic-based malware that gathers system and file information and exfiltrates the data using InternetExplorer.Application or Microsoft.XMLHTTP objects.  MALWARE Malware
03.06.2023 BabyShark BabyShark is a Microsoft Visual Basic (VB) script-based malware family first seen in November 2018. MALWARE Malware
31.05.2023 Lojack ASERT recently discovered Lojack agents containing malicious C2s. These hijacked agents pointed to suspected Fancy Bear (a.k.a. APT28, Pawn Storm) domains.  MALWARE Malware
17.05.2023 POORTRY According to Mandiant, POORTRY is a malware written as a driver, signed with a Microsoft Windows Hardware Compatibility Authenticode signature. MALWARE Malware
05.05.2023 LOBSHOT Elastic Security Labs discovers the LOBSHOT malware MALWARE Malware
28.04.2023 BellaCiao The name used by malware developers is BellaCiao, a reference to the Italian folk song about resistance fighting. MALWARE Malware
26.04.2023 RATel Github Repository: RATel MALWARE Malware
26.04.2023 Tomiris Tomiris called, they want their Turla malware back MALWARE Malware
25.03.2023 BLUEHAZE Mandiant associates this with UNC4191; the malware is a launcher for NCAT used to establish a reverse tunnel. MALWARE Malware
25.03.2023 MISTCLOAK Mandiant associates this with UNC4191; the malware decrypts and runs DARKDEW. MALWARE Malware
23.03.2023 NAPLISTENER This unique malware sample contains a C# class called MsEXGHealthd that consists of three methods: Main, SetRespHeader, and Listener.  MALWARE Malware
17.03.2023 SILKLOADER  Malware MALWARE Malware
13.03.2023 KamiKakaBot In February 2023, EclecticIQ researchers identified multiple KamiKakaBot malware samples which are very likely used to target government entities in ASEAN (Association of Southeast Asian Nations) countries. MALWARE Malware
11.03.2023 GoBruteforcer According to researchers with Palo Alto Networks' Unit 42, who first spotted it in the wild and dubbed it GoBruteforcer, the malware is compatible with x86, x64, and ARM architectures.  MALWARE Malware
10.03.2023 LIGHTSHOW  In June 2022, Mandiant Managed Defense detected and responded to an UNC2970 phishing campaign targeting a U.S.-based technology company.  MALWARE Malware
10.03.2023 LIGHTSHIFT  In part one on North Korea's UNC2970, we covered UNC2970’s tactics, techniques and procedures (TTPs) and tooling that they used over the course of multiple intrusions. In this installment, we will focus on how UNC2970 utilized Bring Your Own Vulnerable Device (BYOVD) to further enable their operations.  MALWARE Malware
10.03.2023 PlugX PlugX malware distributed through a remote code execution vulnerability in the Chinese remote control programs Sunlogin and Awesun. MALWARE Malware
02.03.2023 SysUpdate Sideloader used by EmissaryPanda MALWARE Malware
02.03.2023 GootLoader Gootloader Malware Leads to Cobalt Strike and Hands-on-Keyboard Activity MALWARE Malware
02.03.2023 FAKEUPDATES FAKEUPDATES is a downloader written in JavaScript that communicates via HTTP. Supported payload types include executables and JavaScript. It writes the payloads to disk prior to launching them.  MALWARE Malware
14.02.2023 ShadowPad Tracking the entire iceberg: long-term APT malware C2 protocol emulation and scanning MALWARE Malware
14.02.2023 QUICKMUTE QuickMute is a malware developed in C/C++. Functionally, it provides download, RC4 decryption and in-memory launch of the payload (it expects a PE file with the export function "HttpsVictimMain"). To communicate with the management server, several protocols are supported, in particular TCP, UDP, HTTP and HTTPS. MALWARE Malware
11.02.2023 BumbleBee This malware is delivered as an ISO file containing a DLL with a custom loader. Because of the unique user-agent "bumblebee", the malware was dubbed BUMBLEBEE. At the time of analysis by Google's Threat Analysis Group (TAG), BumbleBee was observed fetching Cobalt Strike payloads. MALWARE Malware
09.02.2023 GootLoader Update THREAT ALERT: GootLoader - SEO Poisoning and Large Payloads Leading to Compromise MALWARE Malware
09.01.2023 GuLoader Cybersecurity researchers have exposed a wide variety of techniques adopted by an advanced malware downloader called GuLoader to evade security software.  MALWARE Malware
28.06.2022 Revive In June 2022, a new Android banking trojan was discovered by the Cleafy TIR team. Given the lack of information and the absence of a proper nomenclature for this malware family, we decided to dub it Revive to better track this family inside our internal Threat Intelligence taxonomy. MALWARE Malware
14.06.2022 PingPull Unit 42 recently identified a new, difficult-to-detect remote access trojan named PingPull being used by GALLIUM, an advanced persistent threat (APT) group.  MALWARE Malware
14.06.2022 MicroBackdoor Open-source lightweight backdoor for C2 communication. MALWARE Malware
06.06.2022 SVCReady A previously unknown malware loader named SVCReady has been discovered in phishing attacks, featuring an unusual way of loading the malware from Word documents onto compromised machines.  MALWARE Malware
04.06.2022 FakeUpdates FAKEUPDATES is a downloader written in JavaScript that communicates via HTTP. Supported payload types include executables and JavaScript. It writes the payloads to disk prior to launching them. MALWARE Malware
31.05.2022 IoT malware EnemyBot Rapidly evolving IoT malware EnemyBot now targeting Content Management System servers and Android devices MALWARE Malware
29.05.2022 ChromeLoader ChromeLoader might seem like a run-of-the-mill browser hijacker, but its peculiar use of PowerShell could spell deeper trouble.  MALWARE Malware
29.05.2022 Browser Automation Frameworks Lowering the Barrier of Entry for Malicious Actors. Free-to-use browser automation framework creates thriving criminal community. MALWARE Malware
20.05.2022 NukeSped Backdoor The North Korea-backed Lazarus Group has been observed leveraging the Log4Shell vulnerability in VMware Horizon servers to deploy the NukeSped (aka Manuscrypt) implant against targets located in its southern counterpart.  MALWARE Malware
20.05.2022 Vidar Malware In April 2022, ThreatLabz discovered several newly registered domains, which were created by a threat actor to spoof the official Microsoft Windows 11 OS download portal. We discovered these domains by monitoring suspicious traffic in our Zscaler cloud. MALWARE Malware
11.05.2022 Bumblebee malware Identified by Proofpoint as the threat actor behind the Contact Forms campaign, TA578 also appears to be pushing ISO files for Bumblebee malware through thread-hijacked emails.  MALWARE Malware
08.05.2022 Raspberry Robin malware   MALWARE Malware
08.05.2022 Kronos   MALWARE Malware
08.05.2022 GCleaner   MALWARE Malware
08.05.2022 NetDooka Malware We recently encountered a fairly sophisticated malware framework that we named NetDooka after the names of some of its components. The framework is distributed via a pay-per-install (PPI) service and contains multiple parts, including a loader, a dropper, a protection driver, and a full-featured remote access trojan (RAT) that implements its own network communication protocol. MALWARE Malware
30.04.2022 Bumblebee  Starting in March 2022, Proofpoint observed campaigns delivering a new downloader called Bumblebee. At least three clusters of activity including known threat actors currently distribute Bumblebee. MALWARE Malware
30.04.2022 PlugX  The threat group’s targeting shift could reflect a change in China’s intelligence collection requirements due to the war in Ukraine. MALWARE Malware
30.04.2022 Package Planting Aqua’s Team Nautilus found a logical flaw in npm that allows threat actors to masquerade a malicious package as legitimate and trick unsuspecting developers into installing it. MALWARE Malware
27.04.2022 GOLDBACKDOOR GOLDBACKDOOR is an artifact that shares technical overlaps with another malware named BLUELIGHT, which has previously been linked to the group. MALWARE Malware
27.04.2022 Fodcha A rapidly expanding malware is entrapping routers, DVRs, and servers all over the web in order to launch Distributed Denial-of-Service (DDoS) attacks on over 100 victims every day. MALWARE Malware
27.04.2022 BotenaGo BotenaGo is a relatively new malware written in Golang, Google’s open-source programming language. MALWARE Malware
14.04.2022 Tarrask   MALWARE Malware
14.04.2022 Industroyer malware   MALWARE Malware
10.04.2022 ShadowPad Malware   MALWARE Malware
09.04.2022 Denonia   MALWARE Malware
09.04.2022 Colibri   MALWARE Malware
02.04.2022 Jupyter    MALWARE Malware
02.04.2022 Wslink   MALWARE Malware
05.06.2022 WinDealer An "extremely sophisticated" Chinese-speaking advanced persistent threat (APT) actor dubbed LuoYu has been observed using a malicious Windows tool called WinDealer that's delivered by means of man-on-the-side attacks. MALWARE Malware espionage
06.04.2022 El Machete, Lyceum, and SideWinder MALWARE Malware espionage
09.01.2023 Shc Linux Malware The ASEC analysis team recently discovered that a Linux malware developed with Shc has been installing a CoinMiner. It is presumed that after successful authentication through a dictionary attack on inadequately managed Linux SSH servers, various malware were installed on the target system. MALWARE Malware Linux
27.06.2022 Matanbuchus Loader Resurfaces Recently, Cyble Research Labs came across a Twitter post where a researcher observed this malware spreading through spam campaigns. Additionally, it downloads Cobalt Strike Beacons as payloads in compromised systems. MALWARE Malware loader
08.05.2022 BitRAT   MALWARE Malware RAT
08.05.2022 NjRAT RedPacket Security describes NJRat as "a remote access trojan (RAT) that has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID." MALWARE Malware RAT
05.05.2022 Remcos RAT I haven't really looked into Remcos RAT lately, but I found an email with a password-protected Excel file attached to it. Further investigation revealed Remcos RAT 3.x activity remarkably similar to an infection chain reported by Fortinet last month. Today's diary reviews a Remcos RAT infection in my lab on Wednesday 2022-05-04. MALWARE Malware RAT
10.04.2022 BIOPASS RAT   MALWARE Malware RAT
30.04.2022 RedLine Stealer At the start of the year, Bitdefender noticed a RIG Exploit Kit campaign using CVE-2021-26411 exploits found in Internet Explorer to deliver RedLine Stealer, a low-cost password stealer sold on underground forums. MALWARE Malware Stealer
16.04.2022 RedLine Stealer   MALWARE Malware Stealer
14.04.2022 Prometheus TDS   MALWARE Malware Stealer
14.04.2022 FFDroider   MALWARE Malware Stealer
06.04.2022 BlackGuard   MALWARE Malware Stealer
02.04.2022 Mars Stealer   MALWARE Malware Stealer
02.04.2022 Oski Stealer   MALWARE Malware Stealer
21.11.2024 FrostyGoop/BUSTLEBERM Attacks on Ukraine’s Energy Infrastructure: Harm to the Civilian Population MALWARE MALWARE