AgentTesla is an advanced RAT that functions as a keylogger and password stealer and has been active since 2014. AgentTesla can monitor and collect the victim's keyboard input and system clipboard, record screenshots, and exfiltrate credentials for a variety of software installed on the victim's machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client). AgentTesla is sold on various online markets and hacking forums.


AlienBot is a banking Trojan for Android, sold underground as Malware-as-a-Service (MaaS). It supports keylogging, dynamic overlays for credentials theft, as well as SMS harvesting for 2FA bypass. Additional remote control capabilities are provided using a TeamViewer module.


Discovered in 2020, Bazar Loader and Bazar Backdoor are used in the initial stages of infection by the WizardSpider cybercrime gang. The loader is responsible for fetching the next stages, and the backdoor is meant for persistence. The infections are usually followed by a full-scale ransomware deployment, using Conti or Ryuk.


Cryptobot is an advanced cryptominer that collects the victim’s wallet and account information upon infection. In December 2021 Cryptobot was observed in a campaign that targeted users with a pirated copy of the Windows operating system.


Cl0p is a ransomware that was first discovered in early 2019 and mostly targets large firms and corporations. During 2020, Cl0p operators began exercising a double-extortion strategy, where in addition to encrypting the victim's data, the attackers also threaten to publish stolen information unless ransom demands are met. In 2021 Cl0p ransomware was used in numerous attacks where the initial access was gained by utilizing zero-day vulnerabilities in the Accellion File Transfer Appliance.


Danabot is a modular banking Trojan written in Delphi that targets the Windows platform. The malware, which was first observed in 2018, is distributed via malicious spam emails. Once a device is infected, the malware downloads updated configuration code and other modules from the C&C server. Available modules include a “sniffer” to intercept credentials, a “stealer” to steal passwords from popular applications, a “VNC” module for remote control, and more.


DarkGate is a multifunction malware family active since December 2017 that combines ransomware, credential-stealing, RAT and cryptomining capabilities. Targeting mostly the Windows OS, DarkGate employs a variety of evasion techniques.


Dridex is a banking Trojan turned botnet that targets the Windows platform. It is delivered by spam campaigns and exploit kits, and relies on WebInjects to intercept and redirect banking credentials to an attacker-controlled server. Dridex contacts a remote server, sends information about the infected system, and can also download and execute additional modules for remote control.


Emotet is an advanced, self-propagating and modular Trojan. Emotet was once employed as a banking Trojan and is now used as a distributor for other malware or malicious campaigns. It uses multiple methods for maintaining persistence, and evasion techniques to avoid detection. In addition, Emotet can also be spread through phishing spam emails containing malicious attachments or links.


FluBot is an Android malware distributed via phishing SMS messages (Smishing), most often impersonating logistics delivery brands. Once the user clicks the link inside the message, they are redirected to the download of a fake application containing FluBot. Once installed, the malware has various capabilities to harvest credentials and to support the Smishing operation itself, including uploading the contacts list and sending SMS messages to other phone numbers.


FlyTrap is an Android Trojan built to steal Facebook credentials, location, email address, IP and more. The Trojan originally spread via fake Android apps on Google Play, encouraging users to log in to their Facebook account. At this stage FlyTrap uses JavaScript injection to hijack the session and sends its details to the C&C server, allowing the attackers to access the Facebook account from a remote location.


FormBook is an Infostealer targeting the Windows OS and was first detected in 2016. It is marketed as Malware as a Service (MaaS) in underground hacking forums for its strong evasion techniques and relatively low price. FormBook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to orders from its C&C.


Known since 2011, Glupteba is a Windows backdoor which gradually matured into a botnet. By 2019 it included a C&C address update mechanism through public Bitcoin lists, an integral browser-stealer capability and a router exploiter.


Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is displaying ads, but it can also gain access to key security details built into the OS.


IcedID is a banking Trojan which first emerged in September 2017. It spreads by mail spam campaigns and often uses other malware such as Emotet to help it proliferate. IcedID uses evasive techniques like process injection and steganography, and steals user financial data via both redirection attacks (installing a local proxy to redirect users to fake cloned sites) and web injection attacks.


Discovered in 2020, Kinsing is a Golang cryptominer with a rootkit component. Originally designed to exploit Linux systems, Kinsing was installed on compromised servers by abusing vulnerabilities in internet-facing services. Later, in 2021, a Windows variant of the malware was developed as well, allowing the attackers to broaden the range of systems they can target.


LemonDuck is a cryptominer first discovered in 2018, which targets Windows systems. It has advanced propagation modules, including sending malspam, RDP brute-forcing and mass-exploitation via known vulnerabilities such as BlueKeep. Over time it was observed to harvest emails and credentials, as well as to deliver other malware families, like Ramnit.


LokiBot is a commodity infostealer for Windows. It harvests credentials from a variety of applications, web browsers, email clients, IT administration tools such as PuTTY, and more. LokiBot has been sold on hacking forums and is believed to have had its source code leaked, allowing a range of variants to appear. It was first identified in February 2016.


Mirai is an infamous Internet-of-Things (IoT) malware that identifies vulnerable IoT devices, such as web cameras, modems and routers, and turns them into bots. The botnet is used by its operators to conduct massive Distributed Denial of Service (DDoS) attacks. The Mirai botnet first surfaced in September 2016 and quickly made headlines due to some large-scale attacks, including a massive DDoS attack used to knock the entire country of Liberia offline, and a DDoS attack against the Internet infrastructure firm Dyn, which provides a significant portion of the United States' internet infrastructure.


Mylobot is a sophisticated botnet that first emerged in June 2018 and is equipped with complex evasion techniques including anti-VM, anti-sandbox, and anti-debugging techniques. The botnet allows an attacker to take complete control of the user's system, downloading any additional payload from its C&C.


NanoCore is a Remote Access Trojan that targets Windows operating system users and was first observed in the wild in 2013. All versions of the RAT contain basic plugins and functionalities such as screen capture, cryptocurrency mining, remote control of the desktop and webcam session theft.


NRSMiner is a cryptominer that surfaced around November 2018 and was mainly spread in Asia, specifically Vietnam, China, Japan and Ecuador. After the initial infection, it uses the well-known EternalBlue SMB exploit to propagate to other vulnerable computers in internal networks and eventually starts mining the Monero (XMR) cryptocurrency.


Pegasus is a highly sophisticated spyware which targets Android and iOS mobile devices, developed by the Israeli NSO Group. The malware is offered for sale, mostly to government-related organizations and corporations. Pegasus can leverage vulnerabilities which allow it to silently jailbreak the device and install the malware. The malware infects its targets via several means: spear-phishing SMS messages which contain a malicious link or URL redirect, infections requiring no action from the user (“Zero Click”), and more. The app features multiple spying modules such as screenshot taking, call recording, access to messaging applications, keylogging and browser history exfiltration.


Phorpiex is a botnet (aka Trik) that has been active since 2010 and at its peak controlled more than a million infected hosts. It is known for distributing other malware families via spam campaigns as well as fueling large-scale spam and sextortion campaigns.


Qbot AKA Qakbot is a banking Trojan that first appeared in 2008. It was designed to steal a user’s banking credentials and keystrokes. Often distributed via spam email, Qbot employs several anti-VM, anti-debugging, and anti-sandbox techniques to hinder analysis and evade detection.


Raccoon infostealer was first observed in April 2019. This infostealer targets Windows systems and is sold as a MaaS (Malware-as-a-Service) in underground forums. It is a simple infostealer capable of collecting browser cookies, history, login credentials, cryptocurrency wallets and credit card information.

Ragnar Locker

Ragnar Locker is a ransomware first discovered in December 2019. It deploys sophisticated evasion techniques, including deployment as a virtual machine on targeted systems to hide its activity. Ragnar was used in an attack against Portugal’s national electric company in a double-extortion act where the attackers published sensitive data stolen from the victim.


Ramnit is a modular banking Trojan first discovered in 2010. Ramnit steals web session information, giving its operators the ability to steal account credentials for all services used by the victim, including bank accounts, and corporate and social networks accounts. The Trojan uses both hardcoded domains as well as domains generated by a DGA (Domain Generation Algorithm) to contact the C&C server and download additional modules.

RedLine Stealer

RedLine Stealer is a trending Infostealer and was first observed in March 2020. Sold as a MaaS (Malware-as-a-Service), and often distributed via malicious email attachments, it has all the capabilities of a modern infostealer: web browser information collection (credit card details, session cookies and autocomplete data), harvesting of cryptocurrency wallets, the ability to download additional payloads, and more.


Remcos is a RAT that first appeared in the wild in 2016. Remcos distributes itself through malicious Microsoft Office documents attached to spam emails, and is designed to bypass Microsoft Windows UAC security and execute malware with high-level privileges.


The oldest and best known of the currently operating Exploit Kits, RigEK has been around since mid-2014. Its services are offered for sale on hacking forums and the TOR Network. Some “entrepreneurs” even re-sell low-volume infections for those malware developers not yet big enough to afford the full-fledged service. RigEK has evolved over the years to deliver anything from AZORult and Dridex to little-known ransomware and cryptominers.


Rubyminer was first seen in the wild in January 2018 and targets both Windows and Linux servers. Rubyminer seeks vulnerable web servers (such as PHP, Microsoft IIS, and Ruby on Rails) to use for cryptomining, using the open source Monero miner XMRig.


Ryuk is a ransomware used by the TrickBot gang in targeted and well-planned attacks against several organizations worldwide. The ransomware was originally derived from the Hermes ransomware, whose technical capabilities are relatively low, and includes a basic dropper and a straightforward encryption scheme. Nevertheless, Ryuk was able to cause severe damage to targeted organizations, forcing them to pay extremely high ransom payments in Bitcoin. Unlike common ransomware, systematically distributed via massive spam campaigns and Exploit Kits, Ryuk is used exclusively in tailored attacks.


REvil (aka Sodinokibi) is a Ransomware-as-a-service which operates an “affiliates” program and was first spotted in the wild in 2019. REvil encrypts data in the user’s directory and deletes shadow copy backups to make data recovery more difficult. In addition, REvil affiliates use various tactics to spread it, including through spam and server exploits, as well as hacking into managed service providers (MSP) backends, and through malvertising campaigns that redirect to the RIG Exploit Kit.

Snake Keylogger

Snake Keylogger is a modular .NET keylogger/infostealer. Having surfaced around late 2020, it grew quickly in popularity among cyber criminals. Snake is capable of recording keystrokes, taking screenshots, and harvesting credentials and clipboard content. It supports exfiltration of the stolen data over both the HTTP and SMTP protocols.


SparrowDoor is an advanced backdoor used by the FamousSparrow APT group to spy on hotels, governments and more. It was spotted exploiting the Microsoft Exchange ProxyLogon vulnerability around March 2021. The backdoor is loaded using DLL Hijacking combined with a legitimate binary, to help bypass AV products.


SunBurst is the backdoor that was planted within SolarWinds' Orion IT management software during 2020, as part of the infamous supply chain attack that hit thousands of organizations worldwide. It is a persistent backdoor that provided attackers with an initial foothold within the organizations. If an infected machine passed all the requirements and did not contain various blacklisted services or AV software, SunBurst would later deploy additional memory implants (like TearDrop) for command execution and lateral movement capabilities.


Triada, which was first spotted in 2016, is a modular backdoor for Android which grants admin privileges to download other malware. Its latest version is distributed via adware development kits in WhatsApp for Android.


Trickbot is a modular banking Trojan attributed to the WizardSpider cybercrime gang, mostly delivered via spam campaigns or other malware families such as Emotet and BazarLoader. Trickbot sends information about the infected system and can also download and execute arbitrary modules from a large array of available modules, including a VNC module for remote control and an SMB module for spreading within a compromised network. Once a machine is infected, the threat actors behind this malware utilize this wide array of modules not only to steal banking credentials from the target PC, but also for lateral movement and reconnaissance on the targeted organization itself, prior to delivering a company-wide targeted ransomware attack.


Ursnif is a variant of the Gozi banking Trojan for Windows, whose source code has been leaked online. It has man-in-the-browser capabilities to steal banking information and credentials for popular online services. In addition, it can steal information from local email clients, browsers and cryptocurrency wallets. Finally, it can download and execute additional files on the infected system.


Vidar is an infostealer that targets Windows operating systems. First detected at the end of 2018, it is designed to steal passwords, credit card data and other sensitive information from various web browsers and digital wallets. Vidar is sold on various online forums and used as a malware dropper to download GandCrab ransomware as its secondary payload.


WannaMine is a sophisticated Monero crypto-mining worm that spreads using the EternalBlue exploit. WannaMine implements its spreading mechanism and persistence by leveraging Windows Management Instrumentation (WMI) permanent event subscriptions.


xHelper is an Android malware which mainly shows intrusive popup ads and notification spam. It is very hard to remove once installed due to its reinstallation capabilities. First observed in March 2019, xHelper has now infected more than 45,000 devices.


XMRig is open-source CPU mining software used to mine the Monero cryptocurrency. Threat actors often abuse this open-source software by integrating it into their malware to conduct illegal mining on victims’ devices.


Zloader is a banking malware which uses webinjects to steal credentials and private information, and can extract passwords and cookies from the victim’s web browser. It downloads a VNC module that allows the threat actors to connect to the victim’s system and perform financial transactions from the user’s device. First seen in 2016, the Trojan is based on leaked code of the Zeus malware from 2011. In 2020 the malware was very popular among threat actors and gained many new variants.


Z0Miner, first observed in November 2020, is a cryptominer which was found on thousands of servers exploited via Oracle’s WebLogic Server Remote Code Execution flaw. The group behind Z0Miner has since been taking advantage of the Atlassian Confluence RCE vulnerability (CVE-2021-26084) to infect additional servers.


Check Point Prevents Theft of Crypto Wallets on OpenSea, the World’s Largest NFT Marketplace

After seeing reports of stolen crypto wallets triggered by free airdropped NFTs, Check Point Research (CPR) investigated OpenSea, the world’s largest NFT marketplace. The investigation led to the discovery of critical security vulnerabilities on OpenSea’s platform that, if exploited, could have led hackers to hijack user accounts and steal entire crypto wallets of users, by sending malicious NFTs.

Scammers used Google Ads to Steal ~ $500k Worth of Crypto

Check Point Research (CPR) warns of scammers using Google Ads to steal crypto wallets, after seeing hundreds of thousands of dollars’ worth of crypto taken from victims this past weekend. Scammers are placing ads at the top of Google Search that imitate popular wallet brands, such as Phantom App and MetaMask, to trick users into giving up their wallet passphrase and private key.

Security Flaws in Atlassian’s Platform Led to Account Takeover in One Click

Check Point Research (CPR) finds security flaws in Atlassian, a platform used by 180,000 customers worldwide to engineer software and manage projects. With just one click, an attacker could have used the flaws to get access to Atlassian’s public Jira system and obtain sensitive information such as security issues in Atlassian cloud, Bitbucket and on-premise products.

Amazon Kindle Vulnerabilities Could Have Led Threat Actors to Device Control and Information Theft

Check Point Research (CPR) found security flaws in Amazon Kindle, the world’s most popular e-reader. By tricking victims into opening a malicious e-book, a threat actor could have leveraged the flaws to target specific demographics and take full control of a Kindle device, opening a path to stealing the information stored on it.

  • Victims would need to simply open a single malicious e-book to trigger the exploitation
  • CPR was concerned the security flaws could allow targeting of specific demographics
  • CPR responsibly disclosed its findings to Amazon, who went on to deploy a fix
  • Tens of millions of Kindles are estimated to have been sold since the device's 2007 debut

Threat Intelligence: Driving the Future of Security


As predicted, in a year that began with the fallout from one of the most devastating supply chain attacks in history, we’ve seen threat actors grow in confidence and sophistication. By the end of the year, this culminated in the Log4j vulnerability exploit, which yet again caught the security community off guard and brought to the fore the sheer level of risk inherent to software supply chains. In the months between, we saw cloud services under attack, threat actors increasing their focus on mobile devices, the Colonial Pipeline held to ransom, and the resurgence of one of the most dangerous botnets in history.

But it’s not all doom and gloom. We also saw cracks in the ransomware ecosystem widen in 2021, as governments and law enforcement agencies around the world resolved to take a tougher stance on ransomware groups in particular. Instead of relying on reactive and remedial action, some shocking events woke governments up to the fact that they needed to take a more pre-emptive, proactive approach to dealing with cyber risk. That same philosophy extends to businesses too, who can no longer afford to take a disjointed, siloed, reactionary approach to dealing with threats. They need 360-degree visibility, real-time threat intelligence, and a security infrastructure that can be mobilized in an effective, joined-up manner.