A remote access trojan (RAT) that communicates with its C2 server via Gmail to evade detection.
A remote access trojan used by a China-linked APT group to target Vietnamese organizations. It can upload, download, search for, delete, modify, copy, and rename files, among other capabilities.
A banking trojan whose code is taken from the Neutrino PoS malware and NukeBot trojan. It mines the Monero cryptocurrency and can inject code into web pages and take screenshots.
A backdoor trojan associated with the China-linked cyber espionage group DragonOK. The trojan allows threat actors to access the targeted system remotely, log keystrokes, capture screenshots, and access a remote shell, among other capabilities.
A remote access trojan advertised for free on dark web forums as a trojan builder kit. Its author injected the trojan with a backdoor module that retrieves C2 information from a URL controlled by the author, allowing them to control all of the systems infected by the Cobian trojan generated via the builder kit.
A sophisticated backdoor trojan used by the Turla APT group as a second-stage backdoor. It avoids detection by securely wiping files and by changing strings and randomizing markers across different backdoor versions, and it uses its own customized library for 3DES and RSA encryption.
A sophisticated backdoor trojan known for its use by the advanced persistent threat (APT) Turla, an alleged Russian government-associated espionage group.
A backdoor trojan used by the Turla APT group and written using the Microsoft .NET Framework, providing the threat actors with complete access to the compromised devices and the ability to remotely load plugins for additional capabilities.
A backdoor trojan used by the Turla advanced persistent threat (APT) group as a first-stage backdoor to conduct reconnaissance.
An entirely fileless trojan malware likely infecting users' devices via malicious websites or a malware downloader and injected into the system via an autostart registry entry. It is mostly targeting users in the Asia-Pacific region.
Infy, later developed into Foudre, is an information-stealing trojan, using a keylogger and clipboard captures to steal data from targets in governments, businesses, and private citizens mainly in Iran, the United States, and Iraq.
An advanced, modular trojan that has infected victims, undetected, for about five years. Despite its advanced capabilities, the threat actors seem to be financially motivated, using the malware for adware purposes. Most victims are Russian-speaking users.
A basic backdoor trojan written in the Qt coding framework and targeting Windows computers.
A credential-stealing trojan available for purchase online, mainly targeting Russian-speaking users. It is believed to be distributed via executables in emails and via file hosting sites. It can target multiple applications, including several browsers, to steal credentials.
A click-fraud trojan targeting Windows computers. Currently, most infections are occurring in Germany and the US.
A trojan targeting Mac OSX, typically distributed via email, that uses a persistent pop-up to obtain a victim's password. It then gains administrative privileges and downloads the Tor client, redirecting traffic through Tor and allowing the threat actors to intercept all outgoing traffic.
A cryptocurrency mining trojan targeting the Mac operating system (OSX). It was the second-most widespread Mac malware variant in June 2017, accounting for 21.6 percent of all detections.
A trojan targeting Mac OS X systems first reported on in May 2015, packaged as an application bundle masquerading as an Adobe Flash Player update. A separate OceanLotus variant discovered in June 2017 is distributed via a ZIP file, likely sent as an attachment in an email.
A remote access trojan (RAT) written in the Delphi programming language that can remotely control infected systems. It has been used in a spear phishing campaign targeting Palestinians, specifically Palestinian law enforcement agencies.
A RAT and the first known MaaS targeting Mac users, available for free or as a paid, advanced version on a Dark Web forum. The malware's capabilities include capturing screenshots, logging keystrokes, recording voice, retrieving clipboard content, retrieving browsing data, obtaining iCloud photos, retrieving any files and data, encrypting the entire user directory, disguising the malware as a legitimate file, and accessing emails and social network accounts.