List of malware


3PARA RAT
3PARA RAT is a remote access tool (RAT) programmed in C++ that has been used by Putter Panda.

4H RAT
4H RAT is malware that has been used by Putter Panda since at least 2007.

ABK
ABK is a downloader that has been used by BRONZE BUTLER since at least 2019.

ADVSTORESHELL
ADVSTORESHELL is a spying backdoor that has been used by APT28 from at least 2012 to 2016. It is generally...

ANDROMEDA
ANDROMEDA is commodity malware that was widespread in the early 2010's and continues to be observed...

ASPXSpy
ASPXSpy is a Web shell. It has been modified by Threat Group-3390 actors to create the ASPXTool version....

AcidRain
AcidRain is an ELF binary targeting modems and routers using MIPS architecture. AcidRain is associated...

Action RAT
Action RAT is a remote access tool written in Delphi that has been used by SideCopy since at least...

Agent Tesla
Agent Tesla is a spyware Trojan written for the .NET framework that has been observed since at least...

Agent.btz
Agent.btz is a worm that primarily spreads itself via removable devices such as USB drives. It reportedly...

Akira
Akira ransomware, written in C++, is most prominently (but not exclusively) associated with a ransomware-as-a-service...

Amadey
Amadey is a Trojan bot that has been used since at least October 2018.

Anchor
Anchor is one of a family of backdoor malware that has been used in conjunction with TrickBot on selected...

Apostle
Apostle is malware that has functioned as both a wiper and, in more recent versions, as ransomware....

AppleJeus
AppleJeus is a family of downloaders initially discovered in 2018 embedded within trojanized cryptocurrency...

AppleSeed
AppleSeed is a backdoor that has been used by Kimsuky to target South Korean government, academic, and...

Aria-body
Aria-body is a custom backdoor that has been used by Naikon since approximately 2017.

Astaroth
Astaroth is a Trojan and information stealer known to affect companies in Europe, Brazil, and throughout...

Attor
Attor is a Windows-based espionage platform that has been seen in use since 2013. Attor has a loadable...

AuTo Stealer
AuTo Stealer is malware written in C++ that has been used by SideCopy since at least December 2021 to target...

AuditCred
AuditCred is a malicious DLL that has been used by Lazarus Group during their 2018 attacks.

AutoIt backdoor
AutoIt backdoor is malware that has been used by the actors responsible for the MONSOON campaign. The...

Avaddon
Avaddon is ransomware written in C++ that has been offered as Ransomware-as-a-Service (RaaS) since at...

Avenger
Avenger is a downloader that has been used by BRONZE BUTLER since at least 2019.

AvosLocker
AvosLocker is ransomware written in C++ that has been offered via the Ransomware-as-a-Service (RaaS)...

Azorult
Azorult is a commercial Trojan that is used to steal information from compromised hosts. Azorult has...

BACKSPACE
BACKSPACE is a backdoor used by APT30 that dates back to at least 2005.

BADCALL
BADCALL is a Trojan malware variant used by the group Lazarus Group.

BADFLICK
BADFLICK is a backdoor used by Leviathan in spearphishing campaigns first reported in 2018 that targeted...

BADHATCH
BADHATCH is a backdoor that has been utilized by FIN8 since at least 2019. BADHATCH has been used to...

BADNEWS
BADNEWS is malware that has been used by the actors responsible for the Patchwork campaign. Its name...

BBK
BBK is a downloader that has been used by BRONZE BUTLER since at least 2019.

BBSRAT
BBSRAT is malware with remote access tool functionality that has been used in targeted compromises.

BFG Agonizer
BFG Agonizer is a wiper related to the open-source project CRYLINE-v.5.0. The malware is associated...

BISCUIT
BISCUIT is a backdoor that has been used by APT1 since as early as 2007.

BLACKCOFFEE
BLACKCOFFEE is malware that has been used by several Chinese groups since at least 2013.

BLINDINGCAN
BLINDINGCAN is a remote access Trojan that has been used by the North Korean government since at least...

BLUELIGHT
BLUELIGHT is a remote access Trojan used by APT37 that was first observed in early 2021.

BONDUPDATER
BONDUPDATER is a PowerShell backdoor used by OilRig. It was first observed in November 2017 during targeting...

BOOSTWRITE
BOOSTWRITE is a loader crafted to be launched via abuse of the DLL search order of applications used...

BOOTRASH
BOOTRASH is a Bootkit that targets Windows operating systems. It has been used by threat actors that...

BPFDoor
BPFDoor is a Linux-based passive long-term backdoor used by China-based threat actors. First seen in...

BS2005
BS2005 is malware that was used by Ke3chang in spearphishing campaigns since at least 2011.

BUBBLEWRAP
BUBBLEWRAP is a full-featured, second-stage backdoor used by the admin@338 group. It is set to run when...

BUSHWALK
BUSHWALK is a web shell written in Perl that was inserted into the legitimate querymanifest.cgi file...

Babuk
Babuk is a Ransomware-as-a-service (RaaS) malware that has been used since at least 2021. The operators...

BabyShark
BabyShark is a Microsoft Visual Basic (VB) script-based malware family that is believed to be associated...

BackConfig
BackConfig is a custom Trojan with a flexible plugin architecture that has been used by Patchwork.

Backdoor.Oldrea
Backdoor.Oldrea is a modular backdoor that has been used by Dragonfly against energy companies since at least...

Bad Rabbit
Bad Rabbit is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017....

BadPatch
BadPatch is a Windows Trojan that was used in a Gaza Hackers-linked campaign.

Bandook
Bandook is a commercially available RAT, written in Delphi and C++, that has been available since at...

Bankshot
Bankshot is a remote access tool (RAT) that was first reported by the Department of Homeland Security...

Bazar
Bazar is a downloader and backdoor that has been used since at least April 2020, with infections primarily...

BendyBear
BendyBear is an x64 shellcode for a stage-zero implant designed to download malware from a C2 server....

Bisonal
Bisonal is a remote access tool (RAT) that has been used by Tonto Team against public and private sector...

BitPaymer
BitPaymer is a ransomware variant first observed in August 2017 targeting hospitals in the U.K. BitPaymer...

Black Basta
Black Basta is ransomware written in C++ that has been offered within the ransomware-as-a-service (RaaS)...

BlackCat
BlackCat is ransomware written in Rust that has been offered via the Ransomware-as-a-Service (RaaS)...

BlackEnergy
BlackEnergy is a malware toolkit that has been used by both criminal and APT actors. It dates back to...

BlackMould
BlackMould is a web shell based on China Chopper for servers running Microsoft IIS. First reported in...

Bonadan
Bonadan is a malicious version of OpenSSH which acts as a custom backdoor. Bonadan has been active since...

BoomBox
BoomBox is a downloader responsible for executing next stage components that has been used by APT29...

BoxCaon
BoxCaon is a Windows backdoor that was used by IndigoZebra in a 2021 spearphishing campaign against...

Brave Prince
Brave Prince is a Korean-language implant that was first observed in the wild in December 2017. It contains...

Briba
Briba is a trojan used by Elderwood to open a backdoor and download files on to compromised hosts.

Bumblebee
Bumblebee is a custom loader written in C++ that has been used by multiple threat actors, including...

Bundlore
Bundlore is adware written for macOS that has been in use since at least 2015. Though categorized as...

CALENDAR
CALENDAR is malware used by APT1 that mimics legitimate Gmail Calendar traffic.

CARROTBAT
CARROTBAT is a customized dropper that has been in use since at least 2017. CARROTBAT has been used...

CCBkdr
CCBkdr is malware that was injected into a signed version of CCleaner and distributed from CCleaner's...

CHIMNEYSWEEP
CHIMNEYSWEEP is a backdoor malware that was deployed during HomeLand Justice along with ROADSWEEP ransomware,...

CHOPSTICK
CHOPSTICK is a malware family of modular backdoors used by APT28. It has been used since at least 2012...

COATHANGER
COATHANGER is a remote access tool (RAT) targeting FortiGate networking appliances. First used in 2023...

CORALDECK
CORALDECK is an exfiltration tool used by APT37.

CORESHELL
CORESHELL is a downloader used by APT28. The older versions of this malware are known as SOURFACE and...

CaddyWiper
CaddyWiper is a destructive data wiper that has been used in attacks against organizations in Ukraine...

Cadelspy
Cadelspy is a backdoor that has been used by APT39.

Calisto
Calisto is a macOS Trojan that opens a backdoor on the compromised machine. Calisto is believed to have...

CallMe
CallMe is a Trojan designed to run on Apple OSX. It is based on a publicly available tool called Tiny...

Cannon
Cannon is a Trojan with variants written in C# and Delphi. It was first observed in April 2018.

Carbanak
Carbanak is a full-featured, remote backdoor used by a group of the same name (Carbanak). It is intended...

Carberp
Carberp is a credential and information stealing malware that has been active since at least 2009. Carberp's...

Carbon
Carbon is a sophisticated, second-stage backdoor and framework that can be used to steal sensitive information...

Cardinal RAT
Cardinal RAT is a potentially low-volume remote access trojan (RAT) observed since December 2015. Cardinal...

Catchamas
Catchamas is a Windows Trojan that steals information from compromised systems.

Caterpillar WebShell
Caterpillar WebShell is a self-developed Web Shell tool created by the group Volatile Cedar.

ChChes
ChChes is a Trojan that appears to be used exclusively by menuPass. It was used to target Japanese organizations...

Chaes
Chaes is a multistage information stealer written in several programming languages that collects login...

Chaos
Chaos is Linux malware that compromises systems by brute force attacks against SSH services. Once installed,...

CharmPower
CharmPower is a PowerShell-based, modular backdoor that has been used by Magic Hound since at least...

Cheerscrypt
Cheerscrypt is a ransomware that was developed by Cinnamon Tempest and has been used in attacks against...

Cherry Picker
Cherry Picker is a point of sale (PoS) memory scraper.

China Chopper
China Chopper is a Web Shell hosted on Web servers to provide access back into an enterprise network...

Chinoxy
Chinoxy is a backdoor that has been used since at least November 2018, during the FunnyDream campaign,...

Chrommme
Chrommme is a backdoor tool written using the Microsoft Foundation Class (MFC) framework that was first...

Clambling
Clambling is a modular backdoor written in C++ that has been used by Threat Group-3390 since at least...

Clop
Clop is a ransomware family that was first observed in February 2019 and has been used against retail,...

CloudDuke
CloudDuke is malware that was used by APT29 in 2015.

Cobalt Strike
Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary...

Cobian RAT
Cobian RAT is a backdoor, remote access tool that has been observed since 2016.

CoinTicker
CoinTicker is a malicious application that poses as a cryptocurrency price ticker and installs components...

ComRAT
ComRAT is a second stage implant suspected of being a descendant of Agent.btz and used by Turla. The...

Comnie
Comnie is a remote backdoor which has been used in attacks in East Asia.

Conficker
Conficker is a computer worm first detected in October 2008 that targeted Microsoft Windows using the...

Conti
Conti is a Ransomware-as-a-Service (RaaS) that was first observed in December 2019. Conti has been deployed...

CookieMiner
CookieMiner is macOS-based malware that targets information associated with cryptocurrency exchanges as...

CosmicDuke
CosmicDuke is malware that was used by APT29 from 2010 to 2015.

CostaBricks
CostaBricks is a loader that was used to deploy 32-bit backdoors in the CostaRicto campaign.

CozyCar
CozyCar is malware that was used by APT29 from 2010 to 2015. It is a modular malware platform, and its...

CreepyDrive
CreepyDrive is a custom implant that has been used by POLONIUM since at least early 2022 for C2 with and...

CreepySnail
CreepySnail is a custom PowerShell implant that has been used by POLONIUM since at least 2022.

Crimson
Crimson is a remote access Trojan that has been used by Transparent Tribe since at least 2016.

CrossRAT
CrossRAT is a cross platform RAT.

Crutch
Crutch is a backdoor designed for document theft that has been used by Turla since at least 2015.

Cryptoistic
Cryptoistic is a backdoor, written in Swift, that has been used by Lazarus Group.

Cuba
Cuba is a Windows-based ransomware family that has been used against financial institutions, technology,...

Cuckoo Stealer
Cuckoo Stealer is a macOS malware with characteristics of spyware and an infostealer that has been in...

Cyclops Blink
Cyclops Blink is a modular malware that has been used in widespread campaigns by Sandworm Team since...

DCSrv
DCSrv is destructive malware that has been used by Moses Staff since at least September 2021. Though...

DDKONG
DDKONG is a malware sample that was part of a campaign by Rancor. DDKONG was first seen used in February...

DEADEYE
DEADEYE is a malware launcher that has been used by APT41 since at least May 2021. DEADEYE has variants...

DEADWOOD
DEADWOOD is wiper malware written in C++ using Boost libraries. DEADWOOD was first observed in an unattributed...

DEATHRANSOM
DEATHRANSOM is ransomware written in C that has been used since at least 2020, and has potential overlap...

DOGCALL
DOGCALL is a backdoor used by APT37 that has been used to target South Korean government and military...

DRATzarus
DRATzarus is a remote access tool (RAT) that has been used by Lazarus Group to target the defense and...

DUSTPAN
DUSTPAN is an in-memory dropper written in C/C++ used by APT41 since 2021 that decrypts and executes...

DUSTTRAP
DUSTTRAP is a multi-stage plugin framework associated with APT41 operations with multiple components....

Dacls
Dacls is a multi-platform remote access tool used by Lazarus Group since at least December 2019.

DanBot
DanBot is a first-stage remote access Trojan written in C# that has been used by HEXANE since at least...

DarkComet
DarkComet is a Windows remote administration tool and backdoor.

DarkGate
DarkGate first emerged in 2018 and has evolved into an initial access and data gathering tool associated...

DarkTortilla
DarkTortilla is a highly configurable .NET-based crypter that has been possibly active since at least...

DarkWatchman
DarkWatchman is a lightweight JavaScript-based remote access tool (RAT) that avoids file operations;...

Daserf
Daserf is a backdoor that has been used to spy on and steal from Japanese, South Korean, Russian, Singaporean,...

DealersChoice
DealersChoice is a Flash exploitation framework used by APT28.

Denis
Denis is a Windows backdoor and Trojan used by APT32. Denis shares several similarities to the SOUNDBITE...

Derusbi
Derusbi is malware used by multiple Chinese APT groups. Both Windows and Linux variants have been observed....

Diavol
Diavol is a ransomware variant first observed in June 2021 that is capable of prioritizing file types...

Dipsind
Dipsind is a malware family of backdoors that appear to be used exclusively by PLATINUM.

Disco
Disco is a custom implant that has been used by MoustachedBouncer since at least 2020 including in campaigns...

DnsSystem
DnsSystem is a .NET based DNS backdoor, which is a customized version of the open source tool DIG.net,...

Dok
Dok is a Trojan application disguised as a .zip file that is able to collect user credentials and install...

Doki
Doki is a backdoor that uses a unique Dogecoin-based Domain Generation Algorithm and was first observed...

DownPaper
DownPaper is a backdoor Trojan; its main functionality is to download and run second stage malware.

Downdelph
Downdelph is a first-stage downloader written in Delphi that has been used by APT28 in rare instances...

Dridex
Dridex is a prolific banking Trojan that first appeared in 2014. By December 2019, the US Treasury estimated...

DropBook
DropBook is a Python-based backdoor compiled with PyInstaller.

Drovorub
Drovorub is a Linux malware toolset comprised of an agent, client, server, and kernel modules, that...

Dtrack
Dtrack is spyware that was discovered in 2019 and has been used against Indian financial institutions,...

Duqu
Duqu is a malware platform that uses a modular approach to extend functionality after deployment within...

DustySky
DustySky is multi-stage malware written in .NET that has been used by Molerats since May 2015.

Dyre
Dyre is a banking Trojan that has been used for financial gain.

ECCENTRICBANDWAGON
ECCENTRICBANDWAGON is a remote access Trojan (RAT) used by North Korean cyber actors that was first...

EKANS
EKANS is a ransomware variant written in Golang that first appeared in mid-December 2019 and has been...

ELMER
ELMER is a non-persistent, proxy-aware HTTP backdoor written in Delphi that has been used by APT16.

EVILNUM
EVILNUM is a fully capable backdoor that was first identified in 2018. EVILNUM is used by the APT group...

Ebury
Ebury is an OpenSSH backdoor and credential stealer targeting Linux servers and container hosts developed...

Ecipekac
Ecipekac is a multi-layer loader that has been used by menuPass since at least 2019 including use as...

Egregor
Egregor is a Ransomware-as-a-Service (RaaS) tool that was first observed in September 2020. Researchers...

Elise
Elise is a custom backdoor Trojan that appears to be used exclusively by Lotus Blossom. It is part of...

Emissary
Emissary is a Trojan that has been used by Lotus Blossom. It shares code with Elise, with both Trojans...

Emotet
Emotet is a modular malware variant which is primarily used as a downloader for other malware variants...

EnvyScout
EnvyScout is a dropper that has been used by APT29 since at least 2021.

Epic
Epic is a backdoor that has been used by Turla.

EvilBunny
EvilBunny is a C++ malware sample observed since 2011 that was designed to be an execution platform for...

EvilGrab
EvilGrab is a malware family with common reconnaissance capabilities. It has been deployed by menuPass...

Exaramel for Linux
Exaramel for Linux is a backdoor written in the Go Programming Language and compiled as a 64-bit ELF...

Exaramel for Windows
Exaramel for Windows is a backdoor used for targeting Windows systems. The Linux version is tracked...

Explosive
Explosive is a custom-made remote access tool used by the group Volatile Cedar. It was first identified...

FALLCHILL
FALLCHILL is a RAT that has been used by Lazarus Group since at least 2016 to target the aerospace,...

FELIXROOT
FELIXROOT is a backdoor that has been used to target Ukrainian victims.

FIVEHANDS
FIVEHANDS is a customized version of DEATHRANSOM ransomware written in C++. FIVEHANDS has been used...

FLASHFLOOD
FLASHFLOOD is malware developed by APT30 that allows propagation and exfiltration of data over removable...

FLIPSIDE
FLIPSIDE is a simple tool similar to Plink that is used by FIN5 to maintain access to victims.

FRAMESTING
FRAMESTING is a Python web shell that was used during Cutting Edge to embed into an Ivanti Connect Secure...

FYAnti
FYAnti is a loader that has been used by menuPass since at least 2020, including to deploy QuasarRAT....

FakeM
FakeM is a shellcode-based Windows backdoor that has been used by Scarlet Mimic.

FatDuke
FatDuke is a backdoor used by APT29 since at least 2016.

Felismus
Felismus is a modular backdoor that has been used by Sowbug.

Ferocious
Ferocious is a first stage implant composed of VBS and PowerShell scripts that has been used by WIRTE...

FinFisher
FinFisher is a government-grade commercial surveillance spyware reportedly sold exclusively to government...

Final1stspy
Final1stspy is a dropper family that has been used to deliver DOGCALL.

Flagpro
Flagpro is a Windows-based, first-stage downloader that has been used by BlackTech since at least October...

Flame
Flame is a sophisticated toolkit that has been used to collect information since at least 2010, largely...

FlawedAmmyy
FlawedAmmyy is a remote access tool (RAT) that was first seen in early 2016. The code for FlawedAmmyy...

FlawedGrace
FlawedGrace is a fully featured remote access tool (RAT) written in C++ that was first observed in late...

FoggyWeb
FoggyWeb is a passive and highly-targeted backdoor capable of remotely exfiltrating sensitive information...

FrameworkPOS
FrameworkPOS is a point of sale (POS) malware used by FIN6 to steal payment card data from systems that...

FruitFly
FruitFly is designed to spy on Mac users.

FunnyDream
FunnyDream is a backdoor with multiple components that was used during the FunnyDream campaign since...

Fysbis
Fysbis is a Linux-based backdoor used by APT28 that dates back to at least 2014.

GLASSTOKEN
GLASSTOKEN is a custom web shell used by threat actors during Cutting Edge to execute commands on compromised...

GLOOXMAIL
GLOOXMAIL is malware used by APT1 that mimics legitimate Jabber/XMPP traffic.

GRIFFON
GRIFFON is a JavaScript backdoor used by FIN7.

Gazer
Gazer is a backdoor used by Turla since at least 2016.

Gelsemium
Gelsemium is a modular malware comprised of a dropper (Gelsemine), a loader (Gelsenicine), and main...

GeminiDuke
GeminiDuke is malware that was used by APT29 from 2009 to 2012.

Get2
Get2 is a downloader written in C++ that has been used by TA505 to deliver FlawedGrace, FlawedAmmyy,...

Gold Dragon
Gold Dragon is a Korean-language, data gathering implant that was first observed in the wild in South...

GoldFinder
GoldFinder is a custom HTTP tracer tool written in Go that logs the route a packet takes between a compromised...

GoldMax
GoldMax is a second-stage C2 backdoor written in Go with Windows and Linux variants that are nearly...

GoldenSpy
GoldenSpy is a backdoor malware which has been packaged with legitimate tax preparation software. GoldenSpy...

Goopy
Goopy is a Windows backdoor and Trojan used by APT32 and shares several similarities to another backdoor...

Gootloader
Gootloader is a Javascript-based infection framework that has been used since at least 2020 as a delivery...

Grandoreiro
Grandoreiro is a banking trojan written in Delphi that was first observed in 2016 and uses a Malware-as-a-Service...

GravityRAT
GravityRAT is a remote access tool (RAT) and has been in ongoing development since 2016. The actor behind...

Green Lambert
Green Lambert is a modular backdoor that security researchers assess has been used by an advanced threat...

GreyEnergy
GreyEnergy is a backdoor written in C and compiled in Visual Studio. GreyEnergy shares similarities...

GrimAgent
GrimAgent is a backdoor that has been used before the deployment of Ryuk ransomware since at least 2020;...

GuLoader
GuLoader is a file downloader that has been used since at least December 2019 to distribute a variety...

H1N1
H1N1 is a malware variant that has been distributed via a campaign using VBA macros to infect victims....

HALFBAKED
HALFBAKED is a malware family consisting of multiple components intended to establish persistence in...

HAMMERTOSS
HAMMERTOSS is a backdoor that was used by APT29 in 2015.

HAPPYWORK
HAPPYWORK is a downloader used by APT37 to target South Korean government and financial victims in November...

HARDRAIN
HARDRAIN is a Trojan malware variant reportedly used by the North Korean government.

HAWKBALL
HAWKBALL is a backdoor that was observed in targeting of the government sector in Central Asia.

HDoor
HDoor is malware that has been customized and used by the Naikon group.

HELLOKITTY
HELLOKITTY is a ransomware written in C++ that shares similar code structure and functionality with...

HIDEDRV
HIDEDRV is a rootkit used by APT28. It has been deployed along with Downdelph to execute and hide that...

HOMEFRY
HOMEFRY is a 64-bit Windows password dumper/cracker that has previously been used in conjunction with...

HOPLIGHT
HOPLIGHT is a backdoor Trojan that has reportedly been used by the North Korean government.

HTTPBrowser
HTTPBrowser is malware that has been used by several threat groups. It is believed to be of Chinese...

HUI Loader
HUI Loader is a custom DLL loader that has been used since at least 2015 by China-based threat groups...

Hacking Team UEFI Rootkit
Hacking Team UEFI Rootkit is a rootkit developed by the company Hacking Team as a method of persistence...

Hancitor
Hancitor is a downloader that has been used by Pony and other information stealing malware.

Helminth
Helminth is a backdoor that has at least two variants - one written in VBScript and PowerShell that...

HermeticWiper
HermeticWiper is a data wiper that has been used since at least early 2022, primarily against Ukraine...

HermeticWizard
HermeticWizard is a worm that has been used to spread HermeticWiper in attacks against organizations...

Heyoka Backdoor
Heyoka Backdoor is a custom backdoor--based on the Heyoka open source exfiltration tool--that has been...

Hi-Zor
Hi-Zor is a remote access tool (RAT) that has characteristics similar to Sakula. It was used in a campaign...

HiddenWasp
HiddenWasp is a Linux-based Trojan used to target systems for remote control. It comes in the form of...

Hikit
Hikit is malware that has been used by Axiom for late-stage persistence and exfiltration after the initial...

Hildegard
Hildegard is malware that targets misconfigured kubelets for initial access and runs cryptocurrency...

HotCroissant
HotCroissant is a remote access trojan (RAT) attributed by U.S. government entities to malicious North...

Hydraq
Hydraq is a data-theft trojan first used by Elderwood in the 2009 Google intrusion known as Operation...

HyperBro
HyperBro is a custom in-memory backdoor used by Threat Group-3390.

HyperStack
HyperStack is an RPC-based backdoor used by Turla since at least 2018. HyperStack has similarities to...

IMAPLoader
IMAPLoader is a .NET-based loader malware exclusively associated with CURIUM operations since at least...

INC Ransomware
INC Ransomware is a ransomware strain that has been used by the INC Ransom group since at least 2023...

IPsec Helper
IPsec Helper is a post-exploitation remote access tool linked to Agrius operations. This malware shares...

ISMInjector
ISMInjector is a Trojan used to install another OilRig backdoor, ISMAgent.

IceApple
IceApple is a modular Internet Information Services (IIS) post-exploitation framework, that has been...

IcedID
IcedID is a modular banking malware designed to steal financial information that has been observed in...

Industroyer
Industroyer is a sophisticated malware framework designed to cause an impact to the working processes...

Industroyer2
Industroyer2 is a compiled and static piece of malware that has the ability to communicate over the...

InnaputRAT
InnaputRAT is a remote access tool that can exfiltrate files from a victim’s machine. InnaputRAT...

InvisiMole
InvisiMole is a modular spyware program that has been used by the InvisiMole Group since at least 2013....

Ixeshe
Ixeshe is a malware family that has been used since at least 2009 against targets in East Asia.

JCry
JCry is ransomware written in Go. It was identified as part of the #OpJerusalem 2019 campaign.

JHUHUGIT
JHUHUGIT is malware used by APT28. It is based on Carberp source code and serves as reconnaissance malware....

JPIN
JPIN is a custom-built backdoor family used by PLATINUM. Evidence suggests developers of JPIN and Dipsind...

JSS Loader
JSS Loader is a remote access trojan (RAT) with .NET and C++ variants that has been used by FIN7 since...

Janicab
Janicab is an OS X trojan that relied on a valid developer ID and oblivious users to install it.

Javali
Javali is a banking trojan that has targeted Portuguese and Spanish-speaking countries since 2017, primarily...

KARAE
KARAE is a backdoor typically used by APT37 as first-stage malware.

KEYMARBLE
KEYMARBLE is a Trojan that has reportedly been used by the North Korean government.

KEYPLUG
KEYPLUG is a modular backdoor written in C++, with Windows and Linux variants, that has been used by...

KGH_SPY
KGH_SPY is a modular suite of tools used by Kimsuky for reconnaissance, information stealing, and backdoor...

KOCTOPUS
KOCTOPUS's batch variant is a loader used by LazyScripter since 2018 to launch Octopus and Koadic and,...

KOMPROGO
KOMPROGO is a signature backdoor used by APT32 that is capable of process, file, and registry management....

KONNI
KONNI is a remote access tool that security researchers assess has been used by North Korean cyber actors...

KOPILUWAK
KOPILUWAK is a JavaScript-based reconnaissance tool that has been used for victim profiling and C2 since...

Kasidet
Kasidet is a backdoor that has been dropped by using malicious VBA macros.

Kazuar
Kazuar is a fully featured, multi-platform backdoor Trojan written using the Microsoft .NET framework....

Kerrdown
Kerrdown is a custom downloader that has been used by APT32 since at least 2018 to install spyware from...

Kessel
Kessel is an advanced version of OpenSSH which acts as a custom backdoor, mainly acting to steal credentials...

Kevin
Kevin is a backdoor implant written in C++ that has been used by HEXANE since at least June 2020, including...

KeyBoy
KeyBoy is malware that has been used in targeted campaigns against members of the Tibetan Parliament...

Keydnap
Keydnap is malware that steals the content of the user's keychain while maintaining a permanent backdoor...

KillDisk
KillDisk is a disk-wiping tool designed to overwrite files with random data to render the OS unbootable....

Kinsing
Kinsing is Golang-based malware that runs a cryptocurrency miner and attempts to spread itself to other...

Kivars
Kivars is a modular remote access tool (RAT), derived from the Bifrost RAT, that was used by BlackTech...

Kobalos
Kobalos is a multi-platform backdoor that can be used against Linux, FreeBSD, and Solaris. Kobalos has...

Komplex
Komplex is a backdoor that has been used by APT28 on OS X and appears to be developed in a similar manner...

Kwampirs
Kwampirs is a backdoor Trojan used by Orangeworm. Kwampirs has been found on machines which had software...

LIGHTWIRE
LIGHTWIRE is a web shell written in Perl that was used during Cutting Edge to maintain access and enable...

LITTLELAMB.WOOLTEA
LITTLELAMB.WOOLTEA is a backdoor that was used by UNC5325 during Cutting Edge to deploy malware on targeted...

LOWBALL
LOWBALL is malware used by admin@338. It was used in August 2015 in email messages targeting Hong Kong-based...

Latrodectus
Latrodectus is a Windows malware downloader that has been used since at least 2023 to download and execute...

LightNeuron
LightNeuron is a sophisticated backdoor that has targeted Microsoft Exchange servers since at least...

Linfo
Linfo is a rootkit trojan used by Elderwood to open a backdoor on compromised hosts.

Linux Rabbit
Linux Rabbit is malware that targeted Linux servers and IoT devices in a campaign lasting from August...

LiteDuke
LiteDuke is a third stage backdoor that was used by APT29, primarily in 2014-2015. LiteDuke used the...

LitePower
LitePower is a downloader and second stage malware that has been used by WIRTE since at least 2021.

Lizar
Lizar is a modular remote access tool written using the .NET Framework that shares structural similarities...

LoFiSe
LoFiSe has been used by ToddyCat since at least 2023 to identify and collect files of interest on targeted...

LoJax
LoJax is a UEFI rootkit used by APT28 to persist remote access software on targeted systems.

LockerGoga
LockerGoga is ransomware that was first reported in January 2019, and has been tied to various attacks...

Lokibot
Lokibot is a widely distributed information stealer that was first reported in 2015. It is designed...

LookBack
LookBack is a remote access trojan written in C++ that was used against at least three US utility companies...

LoudMiner
LoudMiner is a cryptocurrency miner which uses virtualization software to siphon system resources. The...

Lucifer
Lucifer is a crypto miner and DDoS hybrid malware that leverages well-known exploits to spread laterally...

LunarLoader
LunarLoader is the loader component for the LunarWeb and LunarMail backdoors that has been used by Turla...

LunarMail
LunarMail is a backdoor that has been used by Turla since at least 2020 including in a compromise of...

LunarWeb
LunarWeb is a backdoor that has been used by Turla since at least 2020 including in a compromise of...

Lurid
Lurid is a malware family that has been used by several groups, including PittyTiger, in targeted attacks...

MESSAGETAP
MESSAGETAP is a data mining malware family deployed by APT41 into telecommunications networks to monitor...

MURKYTOP
MURKYTOP is a reconnaissance tool used by Leviathan.

MacMa
MacMa is a macOS-based backdoor with a large set of functionalities to control and exfiltrate files...

MacSpy
MacSpy is a malware-as-a-service offered on the darkweb.

Machete
Machete is a cyber espionage toolset used by Machete. It is a Python-based backdoor targeting Windows...

Mafalda
Mafalda is a flexible interactive implant that has been used by Metador. Security researchers assess...

Manjusaka
Manjusaka is a Chinese-language intrusion framework, similar to Sliver and Cobalt Strike, with an ELF...

MarkiRAT
MarkiRAT is a remote access Trojan (RAT) compiled with Visual Studio that has been used by Ferocious...

Matryoshka
Matryoshka is a malware framework used by CopyKittens that consists of a dropper, loader, and RAT. It...

Maze
Maze ransomware, previously known as "ChaCha", was discovered in May 2019. In addition to...

MechaFlounder
MechaFlounder is a Python-based remote access tool (RAT) that has been used by APT39. The payload uses...

MegaCortex
MegaCortex is ransomware that first appeared in May 2019. MegaCortex has mainly targeted industrial...

Melcoz
Melcoz is a banking trojan family built from the open source tool Remote Access PC. Melcoz was first...

Metamorfo
Metamorfo is a Latin-American banking trojan operated by a Brazilian cybercrime group that has been...

Meteor
Meteor is a wiper that was used against Iranian government organizations, including Iranian Railways,...

MgBot
MgBot is a modular malware framework exclusively associated with Daggerfly operations since at least...

Micropsia
Micropsia is a remote access tool written in Delphi.

Milan
Milan is a backdoor implant based on DanBot that was written in Visual C++ and .NET. Milan has been...

Miner-C
Miner-C is malware that mines victims for the Monero cryptocurrency. It has targeted FTP servers and...

MiniDuke
MiniDuke is malware that was used by APT29 from 2010 to 2015. The MiniDuke toolset consists of multiple...

MirageFox
MirageFox is a remote access tool used against Windows systems. It appears to be an upgraded version...

Mis-Type
Mis-Type is a backdoor hybrid that was used in Operation Dust Storm by 2012.

Misdat
Misdat is a backdoor that was used in Operation Dust Storm from 2010 to 2011.

Mispadu
Mispadu is a banking trojan written in Delphi that was first observed in 2019 and uses a Malware-as-a-Service...

Mivast
Mivast is a backdoor that has been used by Deep Panda. It was reportedly used in the Anthem breach.

MobileOrder
MobileOrder is a Trojan intended to compromise Android mobile devices. It has been used by Scarlet Mimic....

MoleNet
MoleNet is a downloader tool with backdoor capabilities that has been observed in use since at least...

Moneybird
Moneybird is a ransomware variant written in C++ associated with Agrius operations. The name "Moneybird"...

Mongall
Mongall is a backdoor that has been used since at least 2013, including by Aoqin Dragon.

MoonWind
MoonWind is a remote access tool (RAT) that was used in 2016 to target organizations in Thailand.

More_eggs
More_eggs is a JScript backdoor used by Cobalt Group and FIN6. Its name was given based on the variable...

Mori
Mori is a backdoor that has been used by MuddyWater since at least January 2022.

Mosquito
Mosquito is a Win32 backdoor that has been used by Turla. Mosquito is made up of three parts: the installer,...

MultiLayer Wiper
MultiLayer Wiper is wiper malware written in .NET associated with Agrius operations. Observed samples...

NDiskMonitor
NDiskMonitor is a custom backdoor written in .NET that appears to be unique to Patchwork.

NETEAGLE
NETEAGLE is a backdoor developed by APT30 with compile dates as early as 2008. It has two main variants...

NETWIRE
NETWIRE is a publicly available, multiplatform remote administration tool (RAT) that has been used by...

NGLite
NGLite is a backdoor Trojan that is only capable of running commands received through its C2 channel....

NKAbuse
NKAbuse is a Go-based, multi-platform malware abusing NKN (New Kind of Network) technology for data...

NOKKI
NOKKI is a modular remote access tool. The earliest observed attack using NOKKI was in January 2018....

Naid
Naid is a trojan used by Elderwood to open a backdoor on compromised hosts.

NanHaiShu
NanHaiShu is a remote access tool and JScript backdoor used by Leviathan. NanHaiShu has been used to...

NanoCore
NanoCore is a modular remote access tool developed in .NET that can be used to spy on victims and steal...

NativeZone
NativeZone is the name given collectively to disposable custom Cobalt Strike loaders used by APT29 since...

NavRAT
NavRAT is a remote access tool designed to upload, download, and execute files. It has been observed...

Nebulae
Nebulae is a backdoor that has been used by Naikon since at least 2020.

Neoichor
Neoichor is C2 malware used by Ke3chang since at least 2019; similar malware families used by the group...

Nerex
Nerex is a Trojan used by Elderwood to open a backdoor on compromised hosts.

Net Crawler
Net Crawler is an intranet worm capable of extracting credentials using credential dumpers and spreading...

NetTraveler
NetTraveler is malware that has been used in multiple cyber espionage campaigns for basic surveillance...

Netwalker
Netwalker is fileless ransomware written in PowerShell and executed directly in memory.

Nidiran
Nidiran is a custom backdoor developed and used by Suckfly. It has been delivered via strategic web...

NightClub
NightClub is a modular implant written in C++ that has been used by MoustachedBouncer since at least...

Nightdoor
Nightdoor is a backdoor exclusively associated with Daggerfly operations. Nightdoor uses common libraries...

Ninja
Ninja is a malware developed in C++ that has been used by ToddyCat to penetrate networks and control...

NotPetya
NotPetya is malware that was used by Sandworm Team in a worldwide attack starting on June 27, 2017....

OLDBAIT
OLDBAIT is a credential harvester used by APT28.

OSInfo
OSInfo is a custom tool used by APT3 to do internal discovery on a victim's computer and network.

OSX/Shlayer
OSX/Shlayer is a Trojan designed to install adware on macOS that was first discovered in 2018.

OSX_OCEANLOTUS.D
OSX_OCEANLOTUS.D is a macOS backdoor used by APT32. First discovered in 2015, APT32 has continued to...

ObliqueRAT
ObliqueRAT is a remote access trojan, similar to Crimson, that has been in use by Transparent Tribe...

OceanSalt
OceanSalt is a Trojan that was used in a campaign targeting victims in South Korea, United States, and...

Octopus
Octopus is a Windows Trojan written in the Delphi programming language that has been used by Nomadic...

Okrum
Okrum is a Windows backdoor that has been seen in use since December 2016 with strong links to Ke3chang....

Olympic Destroyer
Olympic Destroyer is malware that was used by Sandworm Team against the 2018 Winter Olympics, held in...

OnionDuke
OnionDuke is malware that was used by APT29 from 2013 to 2015.

OopsIE
OopsIE is a Trojan used by OilRig to remotely execute commands as well as upload/download files to/from...

Orz
Orz is a custom JavaScript backdoor used by Leviathan. It was observed being used in 2014 as well as...

OutSteel
OutSteel is a file uploader and document stealer developed with the scripting language AutoIT that has...

OwaAuth
OwaAuth is a Web shell and credential stealer deployed to Microsoft Exchange servers that appears to...

P.A.S. Webshell
P.A.S. Webshell is a publicly available multifunctional PHP webshell in use since at least 2016 that...

P2P ZeuS
P2P ZeuS is a closed-source fork of the leaked version of the ZeuS botnet. It presents improvements...

P8RAT
P8RAT is a fileless malware used by menuPass to download and execute payloads since at least 2020.

PACEMAKER
PACEMAKER is a credential stealer that was used by APT5 as early as 2020 including activity against...

PHOREAL
PHOREAL is a signature backdoor used by APT32.

PITSTOP
PITSTOP is a backdoor that was deployed on compromised Ivanti Connect Secure VPNs during Cutting Edge...

PLAINTEE
PLAINTEE is a malware sample that has been used by Rancor in targeted attacks in Singapore and Cambodia....

PLEAD
PLEAD is a remote access tool (RAT) and downloader used by BlackTech in targeted attacks in East Asia...

POORAIM
POORAIM is a backdoor used by APT37 in campaigns since at least 2014.

POSHSPY
POSHSPY is a backdoor that has been used by APT29 since at least 2015. It appears to be used as a secondary...

POWERSOURCE
POWERSOURCE is a PowerShell backdoor that is a heavily obfuscated and modified version of the publicly...

POWERSTATS
POWERSTATS is a PowerShell-based first stage backdoor used by MuddyWater.

POWERTON
POWERTON is a custom PowerShell backdoor first observed in 2018. It has typically been deployed as a...

POWRUNER
POWRUNER is a PowerShell script that sends and receives commands to and from the C2 server.

PS1
PS1 is a loader that was used to deploy 64-bit backdoors in the CostaRicto campaign.

PULSECHECK
PULSECHECK is a web shell written in Perl that was used by APT5 as early as 2020 including against Pulse...

PUNCHBUGGY
PUNCHBUGGY is a backdoor malware used by FIN8 that has been observed targeting POS networks in the hospitality...

PUNCHTRACK
PUNCHTRACK is non-persistent point of sale (POS) system malware utilized by FIN8 to scrape payment card...

Pandora
Pandora is a multistage kernel rootkit with backdoor functionality that has been in use by Threat Group-3390...

Pasam
Pasam is a trojan used by Elderwood to open a backdoor on compromised hosts.

Pay2Key
Pay2Key is a ransomware written in C++ that has been used by Fox Kitten since at least July 2020 including...

Pcexter
Pcexter is an uploader that has been used by ToddyCat since at least 2023 to exfiltrate stolen files....

Penquin
Penquin is a remote access trojan (RAT) with multiple versions used by Turla to target Linux systems...

Peppy
Peppy is a Python-based remote access Trojan, active since at least 2012, with similarities to Crimson....

Pikabot
Pikabot is a backdoor used for initial access and follow-on tool deployment active since early 2023....

Pillowmint
Pillowmint is a point-of-sale malware used by FIN7 designed to capture credit card information.

PinchDuke
PinchDuke is malware that was used by APT29 from 2008 to 2010.

PingPull
PingPull is a remote access Trojan (RAT) written in Visual C++ that has been used by GALLIUM since at...

PipeMon
PipeMon is a multi-stage modular backdoor used by Winnti Group.

Pisloader
Pisloader is a malware family that is notable due to its use of DNS as a C2 protocol as well as its...

Playcrypt
Playcrypt is a ransomware that has been used by Play since at least 2022 in attacks against...

PlugX
PlugX is a remote access tool (RAT) with modular plugins that has been used by multiple threat groups....

PoetRAT
PoetRAT is a remote access trojan (RAT) that was first identified in April 2020. PoetRAT has been used...

PoisonIvy
PoisonIvy is a popular remote access tool (RAT) that has been used by many groups.

PolyglotDuke
PolyglotDuke is a downloader that has been used by APT29 since at least 2013. PolyglotDuke has been...

Pony
Pony is a credential stealing malware, though it has also been used among adversaries for its downloader...

PowGoop
PowGoop is a loader that consists of a DLL loader and a PowerShell-based downloader; it has been used...

Power Loader
Power Loader is modular code sold in the cybercrime market used as a downloader in malware families...

PowerDuke
PowerDuke is a backdoor that was used by APT29 in 2016. It has primarily been delivered through Microsoft...

PowerLess
PowerLess is a PowerShell-based modular backdoor that has been used by Magic Hound since at least 2022....

PowerPunch
PowerPunch is a lightweight downloader that has been used by Gamaredon Group since at least 2021.

PowerShower
PowerShower is a PowerShell backdoor used by Inception for initial reconnaissance and to download and...

PowerStallion
PowerStallion is a lightweight PowerShell backdoor used by Turla, possibly as a recovery access tool...

Prestige
Prestige ransomware has been used by Sandworm Team since at least March 2022, including against transportation...

Prikormka
Prikormka is a malware family used in a campaign known as Operation Groundbait. It has predominantly...

ProLock
ProLock is a ransomware strain that has been used in Big Game Hunting (BGH) operations since at least...

Proton
Proton is a macOS backdoor focusing on data theft and credential access.

Proxysvc
Proxysvc is a malicious DLL used by Lazarus Group in a campaign known as Operation GhostSecret. It has...

Psylo
Psylo is a shellcode-based Trojan that has been used by Scarlet Mimic. It has similar characteristics...

Pteranodon
Pteranodon is a custom backdoor used by Gamaredon Group.

PyDCrypt
PyDCrypt is malware written in Python designed to deliver DCSrv. It has been used by Moses Staff since...

Pysa
Pysa is a ransomware that was first used in October 2018 and has been seen to target particularly high-value...

QUADAGENT
QUADAGENT is a PowerShell backdoor used by OilRig.

QUIETCANARY
QUIETCANARY is a backdoor tool written in .NET that has been used since at least 2022 to gather and...

QUIETEXIT
QUIETEXIT is a novel backdoor, based on the open-source Dropbear SSH client-server software, that has...

QakBot
QakBot is a modular banking trojan that has been used primarily by financially-motivated actors since...

QuietSieve
QuietSieve is an information stealer that has been used by Gamaredon Group since at least 2021.

RAPIDPULSE
RAPIDPULSE is a web shell that exists as a modification to a legitimate Pulse Secure file that has been...

RARSTONE
RARSTONE is malware used by the Naikon group that has some characteristics similar to PlugX.

RATANKBA
RATANKBA is a remote controller tool used by Lazarus Group. RATANKBA has been used in attacks targeting...

RCSession
RCSession is a backdoor written in C++ that has been in use since at least 2018 by Mustang Panda and...

RDAT
RDAT is a backdoor used by the suspected Iranian threat group OilRig. RDAT was originally identified...

RDFSNIFFER
RDFSNIFFER is a module loaded by BOOSTWRITE which allows an attacker to monitor and tamper with legitimate...

REvil
REvil is a ransomware family that has been linked to the GOLD SOUTHFIELD group and operated as ransomware-as-a-service...

RGDoor
RGDoor is a malicious Internet Information Services (IIS) backdoor developed in the C++ language. RGDoor...

RIPTIDE
RIPTIDE is a proxy-aware backdoor used by APT12.

ROADSWEEP
ROADSWEEP is a ransomware that was deployed against Albanian government networks during HomeLand Justice...

ROCKBOOT
ROCKBOOT is a bootkit that has been used by an unidentified, suspected China-based group.

ROKRAT
ROKRAT is a cloud-based remote access tool (RAT) used by APT37 to target victims in South Korea. APT37...

RTM
RTM is custom malware written in Delphi. It is used by the group of the same name (RTM). Newer versions...

Raccoon Stealer
Raccoon Stealer is an information stealer malware family active since at least 2019 as a malware-as-a-service...

Ragnar Locker
Ragnar Locker is a ransomware that has been in use since at least December 2019.

Raindrop
Raindrop is a loader used by APT29 that was discovered on some victim machines during investigations...

RainyDay
RainyDay is a backdoor tool that has been used by Naikon since at least 2020.

Ramsay
Ramsay is an information stealing malware framework designed to collect and exfiltrate sensitive documents,...

Raspberry Robin
Raspberry Robin is initial access malware first identified in September 2021, and active through early...

RawPOS
RawPOS is a point-of-sale (POS) malware family that searches for cardholder data on victims. It has...

Reaver
Reaver is a malware family that has been in the wild since at least late 2016. Reporting indicates victims...

RedLeaves
RedLeaves is a malware family used by menuPass. The code overlaps with PlugX and may be based upon the...

RegDuke
RegDuke is a first stage implant written in .NET and used by APT29 since at least 2017. RegDuke has...

Regin
Regin is a malware platform that has targeted victims in a range of industries, including telecom, government,...

Remexi
Remexi is a Windows-based Trojan that was developed in the C programming language.

RemoteCMD
RemoteCMD is a custom tool used by APT3 to execute commands on a remote system similar to SysInternal's...

Remsec
Remsec is a modular backdoor that has been used by Strider and appears to have been designed primarily...

Revenge RAT
Revenge RAT is a freely available remote access tool written in .NET (C#).

Rifdoor
Rifdoor is a remote access trojan (RAT) that shares numerous code similarities with HotCroissant.

Rising Sun
Rising Sun is a modular backdoor that was used extensively in Operation Sharpshooter between 2017 and...

RobbinHood
RobbinHood is ransomware that was first observed being used in an attack against the Baltimore city...

RogueRobin
RogueRobin is a payload used by DarkHydrus that has been developed in PowerShell and C#.

RotaJakiro
RotaJakiro is a 64-bit Linux backdoor used by APT32. First seen in 2018, it uses a plugin architecture...

Rover
Rover is malware suspected of being used for espionage purposes. It was used in 2015 in a targeted email...

Royal
Royal is ransomware that first appeared in early 2022; a version that also targets ESXi servers was...

RunningRAT
RunningRAT is a remote access tool that appeared in operations surrounding the 2018 Pyeongchang Winter...

Ryuk
Ryuk is a ransomware designed to target enterprise environments that has been used in attacks since...

S-Type
S-Type is a backdoor that was used in Operation Dust Storm since at least 2013.

SDBbot
SDBbot is a backdoor with installer and loader components that has been used by TA505 since at least...

SEASHARPEE
SEASHARPEE is a Web shell that has been used by OilRig.

SHARPSTATS
SHARPSTATS is a .NET backdoor used by MuddyWater since at least 2019.

SHIPSHAPE
SHIPSHAPE is malware developed by APT30 that allows propagation and exfiltration of data over removable...

SHOTPUT
SHOTPUT is a custom backdoor used by APT3.

SHUTTERSPEED
SHUTTERSPEED is a backdoor used by APT37.

SLIGHTPULSE
SLIGHTPULSE is a web shell that was used by APT5 as early as 2020 including against Pulse Secure VPNs...

SLOTHFULMEDIA
SLOTHFULMEDIA is a remote access Trojan written in C++ that has been used by an unidentified "sophisticated...

SLOWDRIFT
SLOWDRIFT is a backdoor used by APT37 against academic and strategic victims in South Korea.

SLOWPULSE
SLOWPULSE is a malware that was used by APT5 as early as 2020 including against U.S. Defense Industrial...

SMOKEDHAM
SMOKEDHAM is a PowerShell-based .NET backdoor that was first reported in May 2021; it has been used...

SNUGRIDE
SNUGRIDE is a backdoor that has been used by menuPass as first stage malware.

SOUNDBITE
SOUNDBITE is a signature backdoor used by APT32.

SPACESHIP
SPACESHIP is malware developed by APT30 that allows propagation and exfiltration of data over removable...

SQLRat
SQLRat is malware that executes SQL scripts to avoid leaving traditional host artifacts. FIN7 has been...

STARWHALE
STARWHALE is a Windows Script File (WSF) backdoor that has been used by MuddyWater, possibly since at...

STEADYPULSE
STEADYPULSE is a web shell that infects targeted Pulse Secure VPN servers through modification of a...

SUGARDUMP
SUGARDUMP is a proprietary browser credential harvesting tool that was used by UNC3890 during the C0010...

SUGARUSH
SUGARUSH is a small custom backdoor that can establish a reverse shell over TCP to a hard coded C2 address....

SUNBURST
SUNBURST is a trojanized DLL designed to fit within the SolarWinds Orion software update framework....

SUNSPOT
SUNSPOT is an implant that injected the SUNBURST backdoor into the SolarWinds Orion software update...

SUPERNOVA
SUPERNOVA is an in-memory web shell written in .NET C#. It was discovered in November 2020 during the...

SVCReady
SVCReady is a loader that has been used since at least April 2022 in malicious spam campaigns. Security...

SYNful Knock
SYNful Knock is a stealthy modification of the operating system of network devices that can be used...

SYSCON
SYSCON is a backdoor that has been in use since at least 2017 and has been associated with campaigns...

Saint Bot
Saint Bot is a .NET downloader that has been used by Saint Bear since at least March 2021.

Sakula
Sakula is a remote access tool (RAT) that first surfaced in 2012 and was used in intrusions throughout...

SamSam
SamSam is ransomware that appeared in early 2016. Unlike some ransomware, its variants have required...

Samurai
Samurai is a passive backdoor that has been used by ToddyCat since at least 2020. Samurai allows arbitrary...

Sardonic
Sardonic is a backdoor written in C and C++ that is known to be used by FIN8, as early as August 2021...

SeaDuke
SeaDuke is malware that was used by APT29 from 2014 to 2015. It was used primarily as a secondary backdoor...

Seasalt
Seasalt is malware that has been linked to APT1's 2010 operations. It shares some code similarities...

ServHelper
ServHelper is a backdoor first observed in late 2018. The backdoor is written in Delphi and is typically...

Seth-Locker
Seth-Locker is a ransomware with some remote control capabilities that has been in use since at least...

ShadowPad
ShadowPad is a modular backdoor that was first identified in a supply chain compromise of the NetSarang...

Shamoon
Shamoon is wiper malware that was first used by an Iranian group known as the "Cutting Sword of...

Shark
Shark is a backdoor malware written in C# and .NET that is an updated version of Milan; it has been...

SharpDisco
SharpDisco is a dropper developed in C# that has been used by MoustachedBouncer since at least 2020...

SharpStage
SharpStage is a .NET malware with backdoor capabilities.

ShimRat
ShimRat has been used by the suspected China-based adversary Mofang in campaigns targeting multiple...

Sibot
Sibot is dual-purpose malware written in VBScript designed to achieve persistence on a compromised system...

SideTwist
SideTwist is a C-based backdoor that has been used by OilRig since at least 2021.

Siloscape
Siloscape is malware that targets Kubernetes clusters through Windows containers. Siloscape was first...

Skeleton Key
Skeleton Key is malware used to inject false credentials into domain controllers with the intent of...

Skidmap
Skidmap is a kernel-mode rootkit used for cryptocurrency mining.

Small Sieve
Small Sieve is a Telegram Bot API-based Python backdoor that has been distributed using a Nullsoft Scriptable...

Smoke Loader
Smoke Loader is a malicious bot application that can be used to load other malware. Smoke Loader has...

Snip3
Snip3 is a sophisticated crypter-as-a-service that has been used since at least 2021 to obfuscate and...

SocGholish
SocGholish is a JavaScript-based loader malware that has been used since at least 2017. It has been...

Socksbot
Socksbot is a backdoor that abuses Socket Secure (SOCKS) proxies.

SodaMaster
SodaMaster is a fileless malware used by menuPass to download and execute payloads since at least 2020....

SombRAT
SombRAT is a modular backdoor written in C++ that has been used since at least 2019 to download and...

SoreFang
SoreFang is a first stage downloader used by APT29 for exfiltration and to load other malware.

Spark
Spark is a Windows backdoor and has been in use since as early as 2017.

SpeakUp
SpeakUp is a Trojan backdoor that targets both Linux and OSX devices. It was first observed in January...

Spica
Spica is a custom backdoor written in Rust that has been used by Star Blizzard since at least 2023.

SpicyOmelette
SpicyOmelette is a JavaScript based remote access tool that has been used by Cobalt Group since at least...

Squirrelwaffle
Squirrelwaffle is a loader that was first seen in September 2021. It has been used in spam email campaigns...

SslMM
SslMM is a full-featured backdoor used by Naikon that has multiple variants.

Starloader
Starloader is a loader component that has been observed loading Felismus and associated tools.

StoneDrill
StoneDrill is wiper malware discovered in destructive campaigns against both Middle Eastern and European...

StreamEx
StreamEx is a malware family that has been used by Deep Panda since at least 2015. In 2016, it was distributed...

StrifeWater
StrifeWater is a remote-access tool that has been used by Moses Staff in the initial stages of their...

StrongPity
StrongPity is an information stealing malware used by PROMETHIUM.

Stuxnet
Stuxnet was the first publicly reported piece of malware to specifically target industrial control systems...

Sykipot
Sykipot is malware that has been used in spearphishing campaigns since approximately 2007 against victims...

SynAck
SynAck is a variant of Trojan ransomware targeting mainly English-speaking users since at least fall 2017....

Sys10
Sys10 is a backdoor that was used throughout 2013 by Naikon.

SysUpdate
SysUpdate is a backdoor written in C++ that has been used by Threat Group-3390 since at least 2020.

T9000
T9000 is a backdoor that is a newer variant of the T5000 malware family, also known as Plat1. Its primary...

TAINTEDSCRIBE
TAINTEDSCRIBE is a fully-featured beaconing implant integrated with command modules used by Lazarus...

TDTESS
TDTESS is a 64-bit .NET binary backdoor used by CopyKittens.

TEARDROP
TEARDROP is a memory-only dropper that was discovered on some victim machines during investigations...

TEXTMATE
TEXTMATE is a second-stage PowerShell backdoor that is memory-resident. It was observed being used along...

TINYTYPHON
TINYTYPHON is a backdoor that has been used by the actors responsible for the MONSOON campaign. The...

TSCookie
TSCookie is a remote access tool (RAT) that has been used by BlackTech in campaigns against Japanese...

TURNEDUP
TURNEDUP is a non-public backdoor. It has been dropped by APT33's StoneDrill malware.

TYPEFRAME
TYPEFRAME is a remote access tool that has been used by Lazarus Group.

Taidoor
Taidoor is a remote access trojan (RAT) that has been used by Chinese government cyber actors to maintain...

TajMahal
TajMahal is a multifunctional spying framework that has been in use since at least 2014. TajMahal is...

Tarrask
Tarrask is malware that has been used by HAFNIUM since at least August 2021. Tarrask was designed to...

ThiefQuest
ThiefQuest is a virus, data stealer, and wiper that presents itself as ransomware targeting macOS systems....

ThreatNeedle
ThreatNeedle is a backdoor that has been used by Lazarus Group since at least 2019 to target cryptocurrency,...

TinyTurla
TinyTurla is a backdoor that has been used by Turla against targets in the US, Germany, and Afghanistan...

TinyZBot
TinyZBot is a bot written in C# that was developed by Cleaver.

Tomiris
Tomiris is a backdoor written in Go that continuously queries its C2 server for executables to download...

Torisma
Torisma is a second stage implant designed for specialized monitoring that has been used by Lazarus...

TrailBlazer
TrailBlazer is a modular malware that has been used by APT29 since at least 2019.

TrickBot
TrickBot is a Trojan spyware program written in C++ that first emerged in September 2016 as a possible...

Trojan.Karagany
Trojan.Karagany is a modular remote access tool used for recon and linked to Dragonfly. The source code...

Trojan.Mebromi
Trojan.Mebromi is BIOS-level malware that takes control of the victim before the MBR.

Truvasys
Truvasys is first-stage malware that has been used by PROMETHIUM. It is a collection of modules written...

Turian
Turian is a backdoor that has been used by BackdoorDiplomacy to target Ministries of Foreign Affairs,...

UBoatRAT
UBoatRAT is a remote access tool that was identified in May 2017.

UPPERCUT
UPPERCUT is a backdoor that has been used by menuPass.

USBStealer
USBStealer is malware that has been used by APT28 since at least 2005 to extract information from air-gapped...

USBferry
USBferry is an information stealing malware and has been used by Tropic Trooper in targeted attacks...

Umbreon
Umbreon is a Linux rootkit that provides backdoor access and hides from defenders.

Unknown Logger
Unknown Logger is a publicly released, free backdoor. Version 1.5 of the backdoor has been used by the...

Uroburos
Uroburos is a sophisticated cyber espionage tool written in C that has been used by units within Russia's...

Ursnif
Ursnif is a banking trojan and variant of the Gozi malware observed being spread through various automated...

VBShower
VBShower is a backdoor that has been used by Inception since at least 2019. VBShower has been used as...

VERMIN
VERMIN is a remote access tool written in the Microsoft .NET framework. It is mostly composed of original...

VPNFilter
VPNFilter is a multi-stage, modular platform with versatile capabilities to support both intelligence-collection...

Valak
Valak is a multi-stage modular malware that can function as a standalone information stealer or downloader,...

VaporRage
VaporRage is a shellcode downloader that has been used by APT29 since at least 2021.

Vasport
Vasport is a trojan used by Elderwood to open a backdoor on compromised hosts.

VersaMem
VersaMem is a web shell designed for deployment to Versa Director servers following exploitation. Discovered...

Volgmer
Volgmer is a backdoor Trojan designed to provide covert access to a compromised system. It has been...

WARPWIRE
WARPWIRE is a JavaScript credential stealer that targets plaintext passwords and usernames for exfiltration...

WEBC2
WEBC2 is a family of backdoor malware used by APT1 as early as July 2006. WEBC2 backdoors are designed...

WINDSHIELD
WINDSHIELD is a signature backdoor used by APT32.

WINERACK
WINERACK is a backdoor used by APT37.

WIREFIRE
WIREFIRE is a web shell written in Python that exists as trojanized logic to the visits.py component...

WannaCry
WannaCry is ransomware that was first seen in a global attack during May 2017, which affected more than...

WarzoneRAT
WarzoneRAT is a malware-as-a-service remote access tool (RAT) written in C++ that has been publicly...

WastedLocker
WastedLocker is a ransomware family attributed to Indrik Spider that has been used since at least May...

Waterbear
Waterbear is modular malware attributed to BlackTech that has been used primarily for lateral movement,...

WellMail
WellMail is a lightweight malware written in Golang used by APT29, similar in design and structure to...

WellMess
WellMess is a lightweight malware family with variants written in .NET and Golang that has been in use...

WhisperGate
WhisperGate is a multi-stage wiper designed to look like ransomware that has been used against multiple...

Wiarp
Wiarp is a trojan used by Elderwood to open a backdoor on compromised hosts.

WinMM
WinMM is a full-featured, simple backdoor used by Naikon.

WindTail
WindTail is a macOS surveillance implant used by Windshift. WindTail shares code similarities with Hack...

Wingbird
Wingbird is a backdoor that appears to be a version of commercial software FinFisher. It is reportedly...

Winnti for Linux
Winnti for Linux is a trojan, seen since at least 2015, designed specifically for targeting Linux systems....

Winnti for Windows
Winnti for Windows is a modular remote access Trojan (RAT) that has been used likely by multiple groups...

Wiper
Wiper is a family of destructive malware used in March 2013 during breaches of South Korean banks and...

Woody RAT
Woody RAT is a remote access trojan (RAT) that has been used since at least August 2021 against Russian...

XAgentOSX
XAgentOSX is a trojan that has been used by APT28 on OS X and appears to be a port of their standard...

XCSSET
XCSSET is a macOS modular backdoor that targets Xcode application developers. XCSSET was first observed...

XTunnel
XTunnel is a VPN-like network proxy tool that can relay traffic between a C2 server and a victim. It was...

Xbash
Xbash is a malware family that has targeted Linux and Microsoft Windows servers. The malware has been...

YAHOYAH
YAHOYAH is a Trojan used by Tropic Trooper as a second-stage backdoor.

ZIPLINE
ZIPLINE is a passive backdoor that was used during Cutting Edge on compromised Secure Connect VPNs for...

ZLib
ZLib is a full-featured backdoor that was used as a second-stage implant during Operation Dust Storm...

Zebrocy
Zebrocy is a Trojan that has been used by APT28 since at least November 2015. The malware comes in several...

ZeroCleare
ZeroCleare is a wiper malware that has been used in conjunction with the RawDisk driver since at least...

ZeroT
ZeroT is a Trojan used by TA459, often in conjunction with PlugX.

Zeroaccess
Zeroaccess is a kernel-mode rootkit that attempts to add victims to the ZeroAccess botnet, often for...

Zeus Panda
Zeus Panda is a Trojan designed to steal banking information and other sensitive credentials for exfiltration....

Zox
Zox is a remote access tool that has been used by Axiom since at least 2008.

ZxShell
ZxShell is a remote administration tool and backdoor that can be downloaded from the Internet, particularly...

ZxxZ
ZxxZ is a trojan written in Visual C++ that has been used by BITTER since at least August 2021, including...

adbupd
adbupd is a backdoor used by PLATINUM that is similar to Dipsind.

build_downer
build_downer is a downloader that has been used by BRONZE BUTLER since at least 2019.

ccf32
ccf32 is data collection malware that has been used since at least February 2019, most notably during...

down_new
down_new is a downloader that has been used by BRONZE BUTLER since at least 2019.

gh0st RAT
gh0st RAT is a remote access tool (RAT). The source code is public and it has been used by multiple...

hcdLoader
hcdLoader is a remote access tool (RAT) that has been used by APT18.

httpclient
httpclient is malware used by Putter Panda. It is a simple tool that provides a limited range of functionality,...

iKitten
iKitten is a macOS exfiltration agent.

jRAT
jRAT is a cross-platform, Java-based backdoor originally available for purchase in 2012. Variants of...

macOS.OSAMiner
macOS.OSAMiner is a Monero mining trojan that was first observed in 2018; security researchers assessed...

metaMain
metaMain is a backdoor used by Metador to maintain long-term access to compromised machines; it has...

njRAT
njRAT is a remote access tool (RAT) that was first observed in 2012. It has been used by threat actors...

pngdowner
pngdowner is malware used by Putter Panda. It is a simple tool with limited functionality and no persistence...

xCaon
xCaon is an HTTP variant of the BoxCaon malware family that has been used by IndigoZebra since at least 2014....

yty
yty is a modular, plugin-based malware framework. The components of the framework are written in a variety...

zwShell
zwShell is a remote access tool (RAT) written in Delphi that has been seen in the wild since the spring...