GootKit

A trojan used by a select group of threat actors to conduct online banking fraud attacks targeting consumer and business bank accounts. These actors infiltrate the accounts, steal credentials, and manipulate banking sessions to eventually take over the bank accounts and transfer cash from the victim account to one under their control.

Cardinal

A remote access trojan (RAT) that was discovered by Palo Alto Networks in 2017 and has been active for over two years. It is delivered via a downloader, known as Carp, and uses malicious macros in Microsoft Excel documents to compile embedded C# source code into an executable that runs and deploys the Cardinal RAT.

ROKRAT

A remote access trojan (RAT) that leverages a malicious Hangul Word Processor (HWP) document sent in spearphishing emails to infect hosts. This trojan can be used to execute commands, move a file, remove a file, kill a process, download and execute a file, upload documents, capture screenshots, and log keystrokes.

MoonWind

A trojan first identified in a campaign against Thai organizations from mid-to-late 2016. It collects the victim's hostname, username, Windows version, IP address, current time, RAM amount, number of total drives, number of removable drives, and a unique victim identifier. It can also execute arbitrary code, kill processes, gather basic system information, log keystrokes, and install additional malware.

Winnti

Winnti is a trojan typically used by a Chinese advanced persistent threat (APT) group of the same name. It has been used to target many nations, with a focus on Southeast Asian organizations in the video gaming sector; however, more recently, the trojan has been used in attacks targeting organizations in other sectors.