Software & Malware
Malware families, attack tools, and offensive software tracked across all feeds
Ransomware
Highly organized RaaS that leaked its own playbook in 2022. Responsible for attacks on the Irish Hea…
Ransomware exploiting Exchange vulnerabilities and Fortinet flaws, targeting municipalities, legal f…
Ransomware active since 2023, targeting SMBs with a retro 1980s-themed leak site. Uses double-extort…
Prolific RaaS disrupted by the FBI in January 2023. Targeted over 1,500 victims including hospitals and …
Ransomware group operating a public Telegram channel for victim data leaks, targeting healthcare and…
Prolific RaaS platform, one of the most active ransomware families globally. Features cross-platform…
RaaS believed to be a Conti successor, targeting critical infrastructure including healthcare and ma…
Ransomware that transitioned to pure extortion model after a decryptor was published. Targets critic…
One of the most frequently submitted ransomware families to ID Ransomware, targeting home users and …
Ransomware targeting critical infrastructure including financial institutions and government agencie…
First major ransomware written in Rust, operated as RaaS under the ALPHV brand. Known for triple-ext…
Ransomware used by TA505/FIN11 in large-scale zero-day exploitation campaigns against file transfer …
Ransomware targeting healthcare and government, known for auctioning victim data on its leak site.
Ransomware targeting US critical infrastructure including healthcare, believed to be connected to fo…
Ransomware that hides inside virtual machines to evade detection. Disrupted by Europol in 2023.
Ransomware group specializing in targeting education and healthcare sectors, known for deploying mul…
Ransomware operating as RaaS targeting healthcare and financial sectors, distinct from the Medusa ra…
Ransomware sold cheaply on criminal forums, often deployed by less sophisticated actors against SMBs…
Stealer/Infostealer
Popular infostealer sold on criminal forums, targeting browser credentials, crypto wallets, and VPN …
Infostealer derived from Arkei, targeting browser credentials, crypto wallets, and 2FA applications.
Infostealer modeled after Raccoon and Vidar, targeting credentials, browser data, and cryptocurrency…
Fast-growing infostealer MaaS platform targeting browser credentials, crypto wallets, and two-factor…
Infostealer sold as MaaS that captures form data, screenshots, and credentials from browsers.
MaaS infostealer harvesting credentials, crypto wallets, and browser data. Resurfaced after shutdown…
Infostealer distributed via pay-per-install networks, stealing credentials, crypto wallets, and brow…
Loader/Dropper
Notorious banking trojan turned modular malware loader. Repeatedly disrupted by law enforcement but …
Sophisticated malware loader replacing BazarLoader as primary delivery vehicle for ransomware payloa…
Worm spreading via USB drives and used by multiple threat actors as an access-as-a-service platform.
Long-running malware loader used to download and execute additional payloads, frequently seen in phi…
Modular malware loader appearing after QakBot takedown, with similar distribution channels and capab…
Malware loader offered as MaaS with capabilities including keylogging, credential theft, and crypto …
Malware loader that emerged in 2023 as a possible IcedID successor, sharing infrastructure with Iced…
Malware loader distributed via SEO poisoning on compromised websites, used to deliver Cobalt Strike …
Drive-by malware framework using fake browser update lures on compromised websites, delivering multi…
RAT
Commercial remote access tool abused as malware for surveillance and credential theft in targeted at…
Sophisticated FSB malware framework (Turla) used for long-term espionage, dismantled by the FBI in Opera…
RAT used extensively by Chinese APT groups for long-term espionage operations. Includes self-spreadi…
Popular commercial RAT and keylogger sold as MaaS, widely used in phishing campaigns for credential …
Open-source remote access tool used in phishing campaigns, featuring keylogging, screen capture, and…
Remote access trojan popular in Middle Eastern threat actor campaigns, used for espionage and creden…
Backdoor
Proxy malware used as a persistent backdoor by ransomware groups including REvil and Ryuk for C2 tra…
Sophisticated modular backdoor used exclusively by Chinese state-sponsored groups, considered the su…
Backdoor distributed via fake software update lures, used for reconnaissance and payload delivery.
C2 Framework
Open-source penetration testing framework widely used by both legitimate security professionals and …
Commercial penetration testing tool widely abused by threat actors as a C2 framework for lateral mov…
Commercial adversary simulation tool marketed as a Cobalt Strike alternative, adopted by ransomware …
Open-source C2 framework developed by BishopFox, increasingly adopted by threat actors as a Cobalt S…
Open-source post-exploitation C2 framework increasingly adopted by threat actors as a free Cobalt St…
Trojan
Modular banking trojan used for credential theft and as a precursor to Ryuk/Conti ransomware deploym…
Banking trojan and malware loader used by multiple threat actors. Infrastructure seized by the FBI in Op…
Banking trojan that evolved into a full malware loader, frequently used to deliver ransomware.
Banking trojan operated by Evil Corp used for credential theft and ransomware deployment. Under US O…
Wiper
Destructive wiper disguised as ransomware, deployed against Ukrainian targets days before the 2022 R…
Destructive wiper targeting Ukrainian organizations deployed alongside HermeticRansom at the start o…
Data-wiping malware targeting Ukrainian organizations, erasing data on all drives and connected shar…
Malware targeting industrial control systems (ICS), used to cause power outages in Ukraine. Also kno…