A remote access trojan (RAT) and infostealer created using the open-source software LaZagne that follows mouse movements and clicks, logs keystrokes, records the output of the webcam and screen, and obtains credentials stored inside the system. It is available for purchase on a Tor network site.
A trojan used to target Wincor Nixdorf ATMs and empty the machines of all their banknotes.
ATM trojan malware used against a Brazilian bank's ATMs to steal customers' bank card numbers and account security codes.
A remote access trojan (RAT) that targets personnel and organizations related to South Korea or the video games industry, distributes malware through Google Drive, obtains its C2 address from GitHub, and uses the Microsoft Windows Background Intelligent Transfer Service (BITS) to maintain persistence.
A trojan malware family whose activity dates back to at least 2013. A version discovered in November 2017 incorporates steganography techniques and can collect C2 information via GitHub, obscuring its C2 infrastructure and evading detection.
Terdot is a banking trojan that can also be used to steal information or as a backdoor. It is based on the Zeus banking trojan, can operate a local Man-in-the-Middle proxy server to steal credentials, and uses a Domain Generation Algorithm (DGA) to generate domains for its C2 server, making the infrastructure more difficult to track, block, and infiltrate.
A backdoor trojan used by HIDDEN COBRA since at least 2013 to maintain a presence on, and further exploit, the networks of organizations in the government, financial, automotive, and media industries.
A RAT used by HIDDEN COBRA since at least 2016 to exploit and maintain a presence on the networks of organizations within the aerospace, telecommunications, and finance industries.
A type of malware used concurrently with SunOrcal malware since at least late 2016. Researchers identified only ten unique samples of the malware, indicating limited use, and three different variants that communicate using either HTTP or raw TCP connections. The malware's final payload masquerades as a control panel link (CPL) file.
A banking trojan that conducts redirection attacks by installing a local proxy to redirect users to clone sites. It also conducts web injection attacks by injecting into browser processes to display fake content on top of the legitimate page in order to steal users' financial data.
A trojan used by APT28 as a first-stage malware deployed for conducting reconnaissance on a network before dropping a second-stage malware. The trojan profiles the victim by pulling host information and is often delivered via malicious email attachments in spearphishing emails.
A backdoor trojan used by the cyberespionage group REDBALDKNIGHT. The trojan allows threat actors to execute shell commands, download and upload data, take screenshots, and log keystrokes. It uses steganography to evade detection and retrieve a second-stage backdoor from its C2 server.
A trojan that can rapidly take repeated screenshots of a user's desktop and has been used to aid threat actors in cyber-heists.
An infostealer trojan sold as a PHP control panel on an underground hacking forum since mid-July 2017. Users can rent FormBook for $29 per week, $59 per month, or $99 for three months, or they can purchase it outright for a one-time fee of $299.
A remote access trojan (RAT) that communicates with its C2 server via Gmail to evade detection.
A remote access trojan used by a China-linked APT group to target Vietnamese organizations. It can upload, download, search for, delete, modify, copy, and rename files, among other capabilities.
A banking trojan whose code is taken from the Neutrino PoS malware and the NukeBot trojan. It mines the Monero cryptocurrency and can inject code into web pages and take screenshots.
A backdoor trojan associated with the China-linked cyber espionage group DragonOK. The trojan allows threat actors to access the targeted system remotely, log keystrokes, capture screenshots, and open a remote shell, among other capabilities.
A remote access trojan advertised for free on dark web forums as a trojan builder kit. Its author injected the trojan with a backdoor module that retrieves C2 information from a URL controlled by the author, allowing them to control all of the systems infected by the Cobian trojan generated via the builder kit.
A sophisticated backdoor trojan used by the Turla APT group as a second-stage backdoor. It avoids detection by securely wiping files, changing its strings and randomizing markers across different backdoor versions, and it uses its own customized library for 3DES and RSA encryption.