Malware

| Date | Name | Description | Type | Category |
|---|---|---|---|---|
| 4.4.23 | Amadey | Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls it for orders. Its main functionality is loading other payloads (called "tasks") onto all, or specifically targeted, computers compromised by the malware. | MALWARE | Malware |
| 4.4.23 | BabyShark | BabyShark is a Microsoft Visual Basic (VB) script-based malware family first seen in November 2018. The malware is launched by executing the first-stage HTA from a remote location, so it can be delivered via different file types, including PE files as well as malicious documents. It exfiltrates system information to its C2 server, maintains persistence on the system, and waits for further instructions from the operator. | MALWARE | Malware |
| 12.12.2025 | AshTag | Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities With New AshTag Malware Suite | MALWARE | Malware |
| 01.11.2025 | Airstalk | Suspected Nation-State Threat Actor Uses New Airstalk Malware in a Supply Chain Attack | MALWARE | Malware |
| 21.10.2025 | COLDRIVER | To Be (A Robot) or Not to Be: New Malware Attributed to Russia State-Sponsored COLDRIVER | MALWARE | Malware |
| 03.10.2025 | SORVEPOTEL | Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users | MALWARE | Malware |
| 01.06.2025 | Poseidon Stealer and Payday Loader | Dark Partners: The crypto heist adventure of Poseidon Stealer and Payday Loader | MALWARE | Malware |
| 27.02.2025 | Winos 4.0 | Winos 4.0 Spreads via Impersonation of Official Email to Target Users in Taiwan | MALWARE | Malware |
| 10.02.2025 | FINALDRAFT | From South America to Southeast Asia: The Fragile Web of REF7707 | MALWARE | Malware |
| 10.02.2025 | NAPLISTENER | NAPLISTENER: more bad dreams from developers of SIESTAGRAPH | MALWARE | Malware |
| 10.02.2025 | BadIIS | This blog post details our analysis of an SEO manipulation campaign targeting Asia. We also share recommendations that can help enterprises proactively secure their environment. | MALWARE | Malware |
| 10.02.2025 | ASPXSpy | ASPXSpy is a Web shell. It has been modified by Threat Group-3390 actors to create the ASPXTool version. | MALWARE | Malware |
| 26.12.2024 | BellaCPP | BellaCPP: Discovering a new BellaCiao variant written in C++ | MALWARE | Malware |
| 23.07.2024 | SocGholish | Fake Browser Updates Lead to BOINC Volunteer Computing Software | MALWARE | Malware |
| 10.07.2024 | ViperSoftX | The Mechanics of ViperSoftX: Exploiting AutoIt and CLR for Stealthy PowerShell Execution | MALWARE | Malware |
| 18.03.2024 | SVG | Scalable Vector Graphics (SVG) files are a popular format for web graphics because they can be resized without losing quality. | MALWARE | Malware |
| 29.11.2023 | GCleaner | Deep Analysis of GCleaner | MALWARE | Malware |
| 14.09.2023 | BUGHATCH | According to Elastic, BUGHATCH is an in-memory implant loaded by an obfuscated PowerShell script that decodes and executes an embedded shellcode blob in its allocated memory space using common Windows APIs (VirtualAlloc, CreateThread, WaitForSingleObject). | MALWARE | Malware |
| 06.09.2023 | DUCKTAIL | According to Tony Lambert, this is a malware written in .NET. It was observed to be delivered using the .NET Single File deployment feature. | MALWARE | Malware |
| 24.08.2023 | Telekopye | Analysis of Telegram bot that helps cybercriminals scam people on online marketplaces | MALWARE | Malware |
| 11.08.2023 | Spyder | Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors | MALWARE | Malware |
| 11.08.2023 | ShadowPad | Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors | MALWARE | Malware |
| 11.08.2023 | FunnySwitch | RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale | MALWARE | Malware |
| 11.08.2023 | Brute Ratel C4 | Brute Ratel is a customized Command and Control Center for Red Team and Adversary Simulation | MALWARE | Malware |
| 02.08.2023 | HeadCrab | Known as HeadCrab, this advanced threat actor utilizes a state-of-the-art, custom-made malware that is undetectable by agentless and traditional anti-virus solutions | MALWARE | Malware |
| 03.07.2023 | SVCReady | According to PCrisk, SVCReady collects information about the infected system such as username, computer name, time zone, and computer manufacturer. | MALWARE | Malware |
| 03.07.2023 | Matanbuchus | According to PCrisk, Matanbuchus is a loader-type malicious program offered by its developers as Malware-as-a-Service (MaaS). | MALWARE | Malware |
| 03.07.2023 | CargoBay | CargoBay is a newer malware family which was first observed in 2022 and is notable for being written in the Rust language. | MALWARE | Malware |
| 01.07.2023 | RustBucket | Bluenoroff’s RustBucket campaign | MALWARE | Malware |
| 24.06.2023 | DARKDEW | Mandiant associates this malware with UNC4191; it spreads to removable drives. | MALWARE | Malware |
| 24.06.2023 | BLUEHAZE | Mandiant associates this malware with UNC4191; it is a launcher for NCAT used to establish a reverse tunnel. | MALWARE | Malware |
| 24.06.2023 | MISTCLOAK | Mandiant associates this malware with UNC4191; it decrypts and runs DARKDEW. | MALWARE | Malware |
| 24.06.2023 | WispRider | Camaro Dragon is a Chinese-based espionage threat actor whose operations are actively focused on Southeast Asian | MALWARE | Malware |
| 17.06.2023 | ChamelDoH | The malware, dubbed ChamelDoH by Stairwell, is a C++-based tool for communicating via DNS-over-HTTPS (DoH) tunneling. | MALWARE | Malware |
| 14.06.2023 | DoubleFinger | Sneaky DoubleFinger loads GreetingGhoul targeting your cryptocurrency | MALWARE | Malware |
| 13.06.2023 | Amadey | Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. | MALWARE | Malware |
| 08.06.2023 | PowerDrop | PowerDrop: A New Insidious PowerShell Script for Command and Control Attacks Targets U.S. Aerospace Defense Industry | MALWARE | Malware |
| 03.06.2023 | Horabot | Cisco Talos has observed a threat actor deploying a previously unidentified botnet program that Talos is calling “Horabot.” | MALWARE | Malware |
| 03.06.2023 | MQsTTang | MQsTTang: Mustang Panda’s latest backdoor treads new ground with Qt and MQTT | MALWARE | Malware |
| 03.06.2023 | RandomQuery | According to SentinelLabs, this is a VisualBasic-based malware that gathers system and file information and exfiltrates the data using InternetExplorer.Application or Microsoft.XMLHTTP objects. | MALWARE | Malware |
| 03.06.2023 | BabyShark | BabyShark is a Microsoft Visual Basic (VB) script-based malware family first seen in November 2018. | MALWARE | Malware |
| 31.05.2023 | Lojack | ASERT recently discovered Lojack agents containing malicious C2s. These hijacked agents pointed to suspected Fancy Bear (a.k.a. APT28, Pawn Storm) domains. | MALWARE | Malware |
| 17.05.2023 | POORTRY | According to Mandiant, POORTRY is a malware written as a driver, signed with a Microsoft Windows Hardware Compatibility Authenticode signature. | MALWARE | Malware |
| 05.05.2023 | LOBSHOT | Elastic Security Labs discovers the LOBSHOT malware | MALWARE | Malware |
| 28.04.2023 | BellaCiao | The name used by malware developers is BellaCiao, a reference to the Italian folk song about resistance fighting. | MALWARE | Malware |
| 26.04.2023 | RATel | Github Repository: RATel | MALWARE | Malware |
| 26.04.2023 | Tomiris | Tomiris called, they want their Turla malware back | MALWARE | Malware |
| 25.03.2023 | BLUEHAZE | Mandiant associates this malware with UNC4191; it is a launcher for NCAT used to establish a reverse tunnel. | MALWARE | Malware |
| 25.03.2023 | MISTCLOAK | Mandiant associates this malware with UNC4191; it decrypts and runs DARKDEW. | MALWARE | Malware |
| 23.03.2023 | NAPLISTENER | This unique malware sample contains a C# class called MsEXGHealthd that consists of three methods: Main, SetRespHeader, and Listener. | MALWARE | Malware |
| 17.03.2023 | SILKLOADER | Malware | MALWARE | Malware |
| 13.03.2023 | KamiKakaBot | In February 2023, EclecticIQ researchers identified multiple KamiKakaBot malwares which are very likely used to target government entities in ASEAN (Association of Southeast Asian Nations) countries. | MALWARE | Malware |
| 11.03.2023 | GoBruteforcer | According to researchers with Palo Alto Networks' Unit 42, who first spotted it in the wild and dubbed it GoBruteforcer, the malware is compatible with x86, x64, and ARM architectures. | MALWARE | Malware |
| 10.03.2023 | LIGHTSHOW | In June 2022, Mandiant Managed Defense detected and responded to an UNC2970 phishing campaign targeting a U.S.-based technology company. | MALWARE | Malware |
| 10.03.2023 | LIGHTSHIFT | In part one on North Korea's UNC2970, we covered UNC2970’s tactics, techniques and procedures (TTPs) and tooling that they used over the course of multiple intrusions. In this installment, we will focus on how UNC2970 utilized Bring Your Own Vulnerable Device (BYOVD) to further enable their operations. | MALWARE | Malware |
| 10.03.2023 | PlugX | PlugX malware through the Chinese remote control programs Sunlogin and Awesun’s remote code execution vulnerability. | MALWARE | Malware |
| 02.03.2023 | SysUpdate | Sideloader used by EmissaryPanda | MALWARE | Malware |
| 02.03.2023 | GootLoader | Gootloader Malware Leads to Cobalt Strike and Hand-on-Keyboard Activity | MALWARE | Malware |
| 02.03.2023 | FAKEUPDATES | FAKEUPDATES is a downloader written in JavaScript that communicates via HTTP. Supported payload types include executables and JavaScript. It writes the payloads to disk prior to launching them. | MALWARE | Malware |
| 14.02.2023 | ShadowPad | Tracking the entire iceberg: long-term APT malware C2 protocol emulation and scanning | MALWARE | Malware |
| 14.02.2023 | QUICKMUTE | QuickMute is a malware developed in C/C++. Functionally, it provides download, RC4 decryption, and in-memory launch of the payload (it expects a PE file with the export function "HttpsVictimMain"). For communication with the management server, a number of protocols are supported, in particular TCP, UDP, HTTP, and HTTPS. | MALWARE | Malware |
| 11.02.2023 | BumbleBee | This malware is delivered by an ISO file containing a DLL with a custom loader. Because of the unique user-agent "bumblebee", this malware was dubbed BUMBLEBEE. At the time of analysis by Google's Threat Analysis Group (TAG), BumbleBee was observed fetching Cobalt Strike payloads. | MALWARE | Malware |
| 09.02.2023 | GootLoader Update | THREAT ALERT: GootLoader - SEO Poisoning and Large Payloads Leading to Compromise | MALWARE | Malware |
| 09.01.2023 | GuLoader | Cybersecurity researchers have exposed a wide variety of techniques adopted by an advanced malware downloader called GuLoader to evade security software. | MALWARE | Malware |
| 28.06.2022 | Revive | In June 2022, a new Android banking trojan was discovered by the Cleafy TIR team. Given the lack of information and the absence of a proper nomenclature for this malware family, we decided to dub it Revive to better track this family inside our internal Threat Intelligence taxonomy. | MALWARE | Malware |
| 14.06.2022 | PingPull | Unit 42 recently identified a new, difficult-to-detect remote access trojan named PingPull being used by GALLIUM, an advanced persistent threat (APT) group. | MALWARE | Malware |
| 14.06.2022 | MicroBackdoor | Open-source lightweight backdoor for C2 communication. | MALWARE | Malware |
| 06.06.2022 | SVCReady | A previously unknown malware loader named SVCReady has been discovered in phishing attacks, featuring an unusual way of loading the malware from Word documents onto compromised machines. | MALWARE | Malware |
| 04.06.2022 | FakeUpdates | FAKEUPDATES is a downloader written in JavaScript that communicates via HTTP. Supported payload types include executables and JavaScript. It writes the payloads to disk prior to launching them. | MALWARE | Malware |
| 31.05.2022 | IoT malware EnemyBot | Rapidly evolving IoT malware EnemyBot now targeting Content Management System servers and Android devices | MALWARE | Malware |
| 29.05.2022 | ChromeLoader | ChromeLoader might seem like a run-of-the-mill browser hijacker, but its peculiar use of PowerShell could spell deeper trouble. | MALWARE | Malware |
| 29.05.2022 | Browser Automation Frameworks | Lowering the Barrier of Entry for Malicious Actors. Free-to-use browser automation framework creates thriving criminal community | MALWARE | Malware |
| 20.05.2022 | NukeSped Backdoor | The North Korea-backed Lazarus Group has been observed leveraging the Log4Shell vulnerability in VMware Horizon servers to deploy the NukeSped (aka Manuscrypt) implant against targets located in its southern counterpart. | MALWARE | Malware |
| 20.05.2022 | Vidar Malware | In April 2022, ThreatLabz discovered several newly registered domains, which were created by a threat actor to spoof the official Microsoft Windows 11 OS download portal. We discovered these domains by monitoring suspicious traffic in our Zscaler cloud. | MALWARE | Malware |
| 11.05.2022 | Bumblebee malware | Identified by Proofpoint as the threat actor behind the Contact Forms campaign, TA578 also appears to be pushing ISO files for Bumblebee malware through thread-hijacked emails. | MALWARE | Malware |
| 08.05.2022 | Raspberry Robin malware | | MALWARE | Malware |
| 08.05.2022 | Kronos | | MALWARE | Malware |
| 08.05.2022 | GCleaner | | MALWARE | Malware |
| 08.05.2022 | NetDooka Malware | We recently encountered a fairly sophisticated malware framework that we named NetDooka after the names of some of its components. The framework is distributed via a pay-per-install (PPI) service and contains multiple parts, including a loader, a dropper, a protection driver, and a full-featured remote access trojan (RAT) that implements its own network communication protocol. | MALWARE | Malware |
| 30.04.2022 | Bumblebee | Starting in March 2022, Proofpoint observed campaigns delivering a new downloader called Bumblebee. At least three clusters of activity including known threat actors currently distribute Bumblebee. | MALWARE | Malware |
| 30.04.2022 | PlugX | The threat group’s targeting shift could reflect a change in China’s intelligence collection requirements due to the war in Ukraine. | MALWARE | Malware |
| 30.04.2022 | Package Planting | Aqua’s Team Nautilus found a logical flaw in npm that allows threat actors to masquerade a malicious package as legitimate and trick unsuspecting developers into installing it. | MALWARE | Malware |
| 27.04.2022 | GOLDBACKDOOR | GOLDBACKDOOR, an artifact that shares technical overlaps with another malware named BLUELIGHT, which has been previously linked to the group. | MALWARE | Malware |
| 27.04.2022 | Fodcha | A rapidly expanding malware is entrapping routers, DVRs, and servers all over the web in order to launch Distributed Denial-of-Service (DDoS) attacks on over 100 victims every day. | MALWARE | Malware |
| 27.04.2022 | BotenaGo | BotenaGo is a relatively new malware written in Golang, Google’s open-source programming language. | MALWARE | Malware |
| 14.04.2022 | Tarrask | | MALWARE | Malware |
| 14.04.2022 | Industroyer malware | | MALWARE | Malware |
| 10.04.2022 | ShadowPad Malware | | MALWARE | Malware |
| 09.04.2022 | Denonia | | MALWARE | Malware |
| 09.04.2022 | Colibri | | MALWARE | Malware |
| 02.04.2022 | Jupyter | | MALWARE | Malware |
| 02.04.2022 | Wslink | | MALWARE | Malware |
| 05.06.2022 | WinDealer | An "extremely sophisticated" Chinese-speaking advanced persistent threat (APT) actor dubbed LuoYu has been observed using a malicious Windows tool called WinDealer that's delivered by means of man-on-the-side attacks. | MALWARE | Malware espionage |
| 06.04.2022 | El Machete, Lyceum, and SideWinder | | MALWARE | Malware espionage |
| 09.01.2023 | Shc Linux Malware | The ASEC analysis team recently discovered that a Linux malware developed with Shc has been installing a CoinMiner. It is presumed that after successful authentication through a dictionary attack on inadequately managed Linux SSH servers, various malware were installed on the target system. | MALWARE | Malware Linux |
| 27.06.2022 | Matanbuchus Loader Resurfaces | Recently, Cyble Research Labs came across a Twitter post where a researcher observed this malware spreading through spam campaigns. Additionally, it downloads Cobalt Strike Beacons as payloads in compromised systems. | MALWARE | Malware loader |
| 08.05.2022 | BitRAT | | MALWARE | Malware RAT |
| 08.05.2022 | NjRAT | RedPacket Security describes NJRat as "a remote access trojan (RAT) [that] has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID." | MALWARE | Malware RAT |
| 05.05.2022 | Remcos RAT | I haven't really looked into Remcos RAT lately, but I found an email with a password-protected Excel file attached to it. Further investigation revealed Remcos RAT 3.x activity remarkably similar to an infection chain reported by Fortinet last month. Today's diary reviews a Remcos RAT infection in my lab on Wednesday 2022-05-04. | MALWARE | Malware RAT |
| 10.04.2022 | BIOPASS RAT | | MALWARE | Malware RAT |
| 30.04.2022 | RedLine Stealer | At the start of the year, Bitdefender noticed a RIG Exploit Kit campaign using CVE-2021-26411 exploits found in Internet Explorer to deliver RedLine Stealer, a low-cost password stealer sold on underground forums. | MALWARE | Malware Stealer |
| 16.04.2022 | RedLine Stealer | | MALWARE | Malware Stealer |
| 14.04.2022 | Prometheus TDS | | MALWARE | Malware Stealer |
| 14.04.2022 | FFDroider | | MALWARE | Malware Stealer |
| 06.04.2022 | BlackGuard | | MALWARE | Malware Stealer |
| 02.04.2022 | Mars Stealer | | MALWARE | Malware Stealer |
| 02.04.2022 | Oski Stealer | | MALWARE | Malware Stealer |
| 21.11.2024 | FrostyGoop/BUSTLEBERM | Attacks on Ukraine’s Energy Infrastructure: Harm to the Civilian Population | MALWARE | Malware |