Malware#
Reference catalog of malware families an operator should recognize, organized by category. Each row is a family + brief notes; for full technical write-ups follow the references at the end (Mandiant family pages, Kaspersky Securelist, MalwareBazaar tags, Joe Sandbox / ANY.RUN reports, MITRE ATT&CK Software).
For active malware-distribution URLs and live samples, see
URLhaus, MalwareBazaar, and ThreatFox from abuse.ch.
Detonate live samples only inside an isolated analysis VM with
no production connectivity.
Loaders / droppers#
Family |
Notes |
|---|---|
Emotet |
Original banking trojan turned loader; multi-takedown. |
TrickBot |
Loader / banker; pivot to Conti, lineage parent. |
IcedID / BokBot |
Loader; replaced TrickBot circa 2021. |
QakBot / Qbot |
Loader / banker; FBI takedown 2023, partial revival. |
Bumblebee |
2022 loader; brokered by IABs. |
Latrodectus |
2024 loader; IcedID successor. |
PikaBot |
2023 loader; multiple delivery campaigns. |
Smokeloader |
Long-running modular loader. |
GuLoader |
Anti-analysis loader. |
Hijackloader / IDAT |
Modular loader 2023-2024. |
DarkLoader, Wikiloader, MaliBot |
Various 2024 loader brands. |
Banking trojans#
Family |
Notes |
|---|---|
Zeus / ZeuS |
Original credential-theft banker; many forks. |
Citadel, Atmos |
Zeus forks. |
Gozi / Ursnif / ISFB |
Long-running banker; multiple forks. |
Dridex |
EvilCorp; banker / loader. |
Ramnit |
Worm + banker. |
Trickbot |
See loaders. |
Emotet |
See loaders. |
Cerberus, Anubis, Hydra |
Android bankers. |
TrickMo |
Android trickbot variant. |
Sharkbot, Vultur |
Android RAT-bankers. |
Information stealers#
Family |
Notes |
|---|---|
RedLine Stealer |
2020-present; massive log market presence. |
Vidar |
Long-lived; Snowflake breach 2024 traced to creds from this. |
Lumma Stealer |
2022-present; rising market share 2024-2025. |
StealC |
2023; aggressive logging. |
Aurora Stealer |
2022-2023. |
Raccoon Stealer |
Took down 2022, returned. |
Mars Stealer |
Russian-language stealer. |
META Stealer |
2022; LinkedIn-themed delivery. |
Rhadamanthys |
2023-present. |
Atomic Stealer (AMOS) |
macOS stealer; 2023-present. |
Banshee Stealer |
macOS, 2024. |
Ovidiy, Pony / Fareit o |
lder but persistent. |
Agent Tesla |
keylogger / stealer; phishing-delivered. |
FormBook, XLoader |
long-running. |
Remote Access Trojans (RATs)#
Family |
Notes |
|---|---|
NjRAT |
Arabic-speaking ecosystem; long-lived. |
RemcosRAT |
Commercial-pretext RAT; widely abused. |
NanoCore |
Subscription RAT; many cracked versions. |
AsyncRAT |
Open-source RAT. |
QuasarRAT |
Open-source .NET RAT. |
DarkComet |
Older but still seen. |
PoisonIvy |
Classic; APT-favored historically. |
gh0st RAT |
Chinese-origin classic. |
Cobalt Strike Beacon |
Commercial post-ex; cracked builds widely abused. |
Sliver |
Open-source post-ex; APT and crime adoption. |
Mythic, Havoc |
OSS post-ex frameworks. |
Brute Ratel C4 |
Commercial; leaked builds in the wild. |
Empire (PowerShell / Python) |
OSS post-ex; deprecated mainline, forks alive. |
Metasploit Meterpreter |
Foundational; legitimate test tool. |
Mosquito |
Older Turla RAT. |
Ransomware (encryption brands)#
(Distinct from the operating group; many groups run multiple encryptors and rebrand often. See Hacker Groups for the operating crews.)
Family |
Notes |
|---|---|
LockBit (2.0 / 3.0 / Black / Green) |
most-prolific 2022-2024; disrupted Feb 2024. |
ALPHV / BlackCat |
Rust; double extortion; exit-scammed Feb 2024. |
Black Basta |
Conti spin-off; 2022-present. |
Royal / Blacksuit |
Conti spin-off. |
Akira |
2023; ESXi-targeting; Megazord Linux variant. |
Play |
2022-present. |
Cl0p |
Mass file-transfer-zero-day campaigns. |
Hive |
Disrupted Jan 2023. |
REvil / Sodinokibi |
Disrupted 2021. |
Conti |
Disbanded 2022 after leaks. |
Maze |
Original double-extortion; disbanded 2020. |
DarkSide / BlackMatter |
Colonial Pipeline; rebrands. |
Ryuk |
Wizard Spider; Conti precursor. |
Lockbit Black, Locky |
Older but referenced. |
Vice Society / RhySida |
Education-sector focus. |
Medusa, 8Base, NoEscape |
2024-2025 brands. |
Phobos / Eight |
Long-running; sold widely. |
Stop / Djvu |
Consumer-grade ransomware-as-product. |
WannaCry |
2017 worm-ransomware (NK Lazarus). |
NotPetya |
2017 wiper masquerading as ransomware (RU Sandworm). |
Bad Rabbit |
2017 NotPetya cousin. |
SamSam |
2018; attributed Iran (DOJ indictments 2018). |
Wipers#
Family |
Notes |
|---|---|
Shamoon (Disttrack) |
2012 Saudi Aramco; multiple resurfacings. |
NotPetya |
2017; Sandworm / Russia. |
Olympic Destroyer |
2018 PyeongChang Olympics. |
WhisperGate, HermeticWiper, IsaacWi |
per 2022 against Ukraine; Sandworm. |
CaddyWiper, AcidRain, AcidPour |
2022 / 2024 against Ukraine; KA-SAT modems. |
Industroyer / CrashOverride |
2016 Ukraine grid; Sandworm. |
Industroyer2 |
2022 Ukraine; Sandworm. |
WhisperKill |
Pseudo-ransomware wiper variants. |
ICS / OT#
Family |
Notes |
|---|---|
Stuxnet |
2010 Natanz; first publicly-known ICS-targeting worm. |
Duqu |
Stuxnet sibling; reconnaissance. |
Havex |
Energy sector recon. |
BlackEnergy 3 |
2015 Ukraine grid attack. |
Industroyer / Industroyer2 |
see Wipers. |
TRITON / TRISIS |
2017 Saudi Arabia; safety-instrumented system manipulation. |
Pipedream / Incontroller |
2022 multi-protocol ICS toolkit (Sandworm-attributed). |
Mobile (Android)#
Family |
Notes |
|---|---|
Cerberus, Anubis, Hydra |
Bankers. |
Joker |
Premium-SMS fraud. |
Triada, xHelper |
Persistent system-level malware. |
Pegasus (NSO) |
Commercial spyware; zero-click iMessage / WhatsApp / SMS. |
Predator (Intellexa) |
Commercial spyware. |
FinSpy / FinFisher |
Commercial spyware. |
Hermit |
Italian commercial spyware. |
RCS Lab Hermit, Karma |
other commercial spyware. |
SpyNote |
commodity Android RAT. |
SOVA |
Banker / RAT. |
Vultur |
Banker / VNC RAT. |
GoldDigger |
2023 Vietnam / SE Asia banker. |
Mobile (iOS)#
Family |
Notes |
|---|---|
Pegasus (NSO) |
Zero-click chains via iMessage (FORCEDENTRY etc.). |
Predator (Intellexa) |
iOS implants. |
TriangleDB |
Operation Triangulation; iMessage exploit chain. |
KeySteal, OSAMiner |
Older spyware-class. |
LightSpy |
Cross-platform implants. |
macOS#
Family |
Notes |
|---|---|
Atomic Stealer (AMOS) |
2023-present cred + crypto-wallet stealer. |
Banshee Stealer |
2024 macOS stealer. |
RustBucket |
DPRK; 2023. |
KandyKorn |
DPRK; crypto-targeting macOS. |
ObjCShellz |
BlueNoroff (DPRK). |
Silver Sparrow |
2021; widespread but limited payload. |
ThiefQuest / EvilQuest |
2020 ransomware + stealer. |
SpectralBlur |
Linux / cloud#
Family |
Notes |
|---|---|
Mirai |
IoT botnet; many variants (OMG, Satori, Reaper, Aidra). |
Mozi |
P2P IoT botnet (mostly extinct 2023). |
Tsunami / Kaiten |
Long-running IRC-controlled bot. |
XorDDoS |
DDoS bot; SSH brute-force entry. |
SystemdMiner, WatchDog, TeamTNT |
cryptomining campaigns on Linux / cloud. |
Kinsing |
Cloud crypto-jacker. |
8220 Mining Group |
Multiple loaders. |
RotaJakiro |
Backdoor (2021). |
Sysrv-hello |
Hybrid worm + miner. |
Symbiote |
Stealthy LD_PRELOAD-based. |
BPFDoor |
eBPF-based backdoor (2022). |
NerbianRAT |
2022 RAT. |
TrueBot, Spyder |
multi-platform RATs. |
Cryptominers#
Family |
Notes |
|---|---|
XMRig |
Monero miner; the open-source backbone. |
RandomXMRig |
Variant. |
Coinminer-class |
Many variants; cloud and IoT mainly. |
LemonDuck |
Cross-platform crypto-jacker + worm. |
Botnets#
Family |
Notes |
|---|---|
Emotet |
Disrupted 2021, returned 2021 / 2022. |
QakBot / Qbot |
FBI takedown 2023. |
TrickBot |
Microsoft + DoJ disruptions; lineage to Conti. |
Mirai (and forks) |
IoT. |
Mozi |
IoT P2P. |
Necurs |
Spam botnet; quiet since 2020. |
Avalanche |
Massive botnet ecosystem; 2016 takedown. |
Andromeda / Gamarue |
2017 takedown (Avalanche-adjacent). |
Phorpiex |
Sextortion / cred-stealer botnet. |
Worms#
Family |
Notes |
|---|---|
Stuxnet |
ICS worm. |
Conficker |
2008-9 Windows worm; massive infection base. |
WannaCry |
2017 EternalBlue worm. |
NotPetya |
2017 wiper-worm. |
SQL Slammer |
|
Code Red, Nimda, Blaster, Sasser |
Pre-2010 classics. |
ILOVEYOU |
2000 mail-attachment worm. |
Rootkits / bootkits#
Family |
Notes |
|---|---|
TDL / TDSS / Alureon |
Bootkit lineage. |
ZeroAccess |
Botnet rootkit. |
Necurs |
Rootkit + spam. |
LoJax |
First-public UEFI rootkit (2018, APT28). |
MoonBounce |
UEFI implant (2022, Winnti). |
CosmicStrand |
UEFI implant. |
BlackLotus |
UEFI bootkit; bypasses Secure Boot (2023). |
RotaJakiro |
Linux user-mode rootkit. |
Symbiote |
LD_PRELOAD Linux rootkit. |
Web / browser#
Family |
Notes |
|---|---|
Magecart (umbrella) |
JS skimmers on e-commerce checkouts. |
GootLoader S |
EO-poisoned JS loader. |
SocGholish |
FakeUpdates JS loader. |
Ramnit (web injects) b |
anker variant. |
By Name (A-Z)#
Family |
First seen |
Target |
Operator / Origin |
Ngrams & Search Queries |
|---|---|---|---|---|
Agent Tesla |
2014 |
Windows; browser, mail, FTP, IM creds |
Commodity .NET RAT; sold on forums |
“agent tesla .NET RAT”, |
Akira |
2023 |
Windows / ESXi ransomware (mid-market) |
Akira (Conti-adjacent) |
“akira ransomware 2023”, “akira ESXi tor” |
ALPHV / BlackCat |
2021-2024 |
Windows / Linux / ESXi ransomware |
ALPHV (BlackMatter / DarkSide successor); FBI-disrupted 2023 |
“ALPHV BlackCat Rust”, “BlackCat takedown 2023” |
AsyncRAT |
2019 |
Windows; remote control |
Open-source on GitHub; widely abused |
“AsyncRAT GitHub”, |
Atomic Stealer (AMOS) |
2023 |
macOS; browser, wallets, keychain |
“Atomic” actor; Telegram MaaS |
“atomic stealer macOS 2023”, “AMOS macOS info-stealer” |
Aurora Stealer |
2022 |
Windows; Go-based; browser, wallets, FTP, Telegram |
Sold as MaaS on forums |
“Aurora stealer Go MaaS”, “aurora stealer cluster” |
Azorult |
2016 |
Windows; browser, FTP, IM, crypto wallets |
Russian-speaking forum sales |
“azorult stealer”, “azorult campaign telemetry” |
Bad Rabbit |
2017 |
Windows ransomware (Ukraine / Russia focus) |
Sandworm-adjacent (Russia-attributed) |
“bad rabbit 2017 ransomware”, “bad rabbit notpetya analysis” |
Banshee Stealer |
2024 |
macOS; browser, wallets, keychain |
Sold on dark-web markets (Russian-speaking) |
“banshee stealer macOS 2024”, “banshee macOS MaaS” |
BlackEnergy 3 |
2014-2015 |
Windows / ICS (Ukraine power grid) |
Sandworm / GRU Unit 74455 |
“BlackEnergy 3 ukraine”, “BlackEnergy ICS plug-in” |
Brute Ratel C4 |
2020 |
Windows post-exploitation framework |
Chetan Nayak (commercial); widely cracked |
“brute ratel C4 leak”, “brute ratel APT use” |
Bumblebee |
2022 |
Windows loader (Conti-adjacent ingress) |
Conti / TrickBot lineage |
“bumblebee loader 2022”, “bumblebee conti successor” |
CaddyWiper |
2022 |
Windows / Ukraine ministries |
Sandworm / GRU |
“CaddyWiper Ukraine 2022”, “CaddyWiper ESET writeup” |
Cerberus |
2019 |
Android banker |
Cerberus actor; later open-sourced when sale failed |
“Cerberus Android banker”, “Cerberus 2.0 source leak” |
Cl0p |
2019 |
Windows / Linux ransomware + mass exploitation |
TA505-adjacent Cl0p crew |
“Cl0p MOVEit 2023”, “Cl0p GoAnywhere 2023” |
Cobalt Strike (Beacon) |
2012 |
Windows; commercial offensive framework |
HelpSystems / Fortra; constantly cracked / abused |
“Cobalt Strike beacon leak”, “Cobalt Strike cracked” |
Conti |
2020-2022 |
Windows / ESXi ransomware |
Wizard Spider / Conti crew (Russia-affiliated) |
“Conti leaks 2022 Trickleaks”, “Conti playbook leak” |
DarkComet |
2008 |
Windows RAT (historical) |
Jean-Pierre Lesueur (“DarkCoderSc”); discontinued 2012 |
“DarkComet RAT 2012”, “DarkComet syria campaign” |
DarkSide |
2020-2021 |
Windows / Linux ransomware (Colonial Pipeline) |
DarkSide → BlackMatter → ALPHV lineage |
“DarkSide colonial pipeline”, “DarkSide ransomware shutdown” |
Dridex |
2014 |
Windows banker (Bugat / Cridex lineage) |
Evil Corp (Maksim Yakubets) |
“Dridex evil corp”, “Maksim Yakubets dridex indictment” |
Duqu |
2011 |
Windows espionage (Stuxnet lineage) |
Equation Group / Unit 8200 (joint attribution) |
“Duqu 2.0 Kaspersky”, “Duqu stuxnet relative” |
Emotet |
2014 |
Windows banker → loader; later spam botnet |
TA542 / Mealybug (Mummy Spider) |
“Emotet takedown 2021”, “Emotet TA542 mealybug” |
Empire (PowerShell / Python) |
2015 |
Windows / Linux / macOS post-exploitation |
Open-source; abandoned, then forked (Empire-BC Security) |
“Empire framework powershell”, “BC Security Empire fork” |
FormBook / XLoader |
2016 / 2020 |
Windows / macOS infostealer |
“ng-Coder” forum sales; XLoader is cross-platform variant |
“FormBook stealer 2016”, “XLoader macOS 2021” |
GootLoader |
2020 |
Windows; SEO-poisoned JS loader → REvil / Cobalt Strike |
UNC2565 (Mandiant) |
“GootLoader SEO 2021”, “UNC2565 GootKit” |
gh0st RAT |
2008 |
Windows RAT; long-running PRC-actor tool |
PRC-aligned APT clusters |
“gh0st RAT 2008 China”, “gh0st RAT GhostNet” |
Gozi / Ursnif / ISFB |
2007+ |
Windows banker (multi-fork lineage) |
Multiple groups (Gozi → Vawtrak → ISFB → Saigon variants) |
“Ursnif ISFB banker”, “Gozi source code leak” |
GuLoader |
2019 |
Windows loader; vbcrypt / cloud-hosted payload |
UNC3833 / commodity actors |
“GuLoader 2019”, “GuLoader cloud delivery” |
Havex |
2014 |
Windows ICS (energy sector) |
Energetic Bear / Dragonfly (Russia-attributed) |
“Havex energetic bear”, “Havex OPC scanner” |
HermeticWiper |
2022 |
Windows / Ukraine (pre-invasion) |
Sandworm-aligned (Russia-attributed) |
“HermeticWiper 2022 ukraine”, “HermeticWiper ESET writeup” |
Hive |
2021-2023 |
Windows / Linux ransomware (healthcare focus) |
Hive crew; FBI / Europol disrupted 2023 |
“Hive ransomware takedown 2023”, “Hive FBI key recovery” |
IcedID / BokBot |
2017 |
Windows banker → loader |
TA551 (Shathak) primary distribution |
“IcedID BokBot loader”, “TA551 IcedID 2022” |
Industroyer / CRASHOVERRIDE |
2016, 2022 |
ICS (electric utilities) |
Sandworm / GRU |
“Industroyer CRASHOVERRIDE ukraine”, “Industroyer2 2022” |
Joker |
2017 |
Android (Play Store fleeceware / SMS subscription) |
Various actor clusters; recurring Play Store abuse |
“Joker malware play store”, “Joker fleeceware android” |
Latrodectus |
2023 |
Windows loader (IcedID successor) |
TA577 / TA578 distribution clusters |
“Latrodectus IcedID successor”, “Latrodectus 2023 loader” |
LockBit |
2019-2024 |
Windows / ESXi / Linux ransomware |
LockBitSupp (Dmitry Khoroshev); FBI takedown 2024 (“Cronos”) |
“LockBit takedown Operation Cronos”, “LockBit 3.0 builder leak” |
Lumma Stealer |
2022 |
Windows; browsers, wallets, 2FA tokens |
“Shamel” / “Lummac”; Russian-speaking |
“Lumma stealer 2024”, “LummaC2 MaaS” |
Mars Stealer |
2021 |
Windows; Oski fork; browsers / wallets |
Forum sales |
“Mars stealer Oski fork”, “Mars stealer 2022” |
Maze |
2019-2020 |
Windows ransomware (pioneered leak-site extortion) |
Maze crew (TA2101); shut down 2020 → Egregor |
“Maze leak site 2019”, “Maze ransomware retirement” |
Metasploit (Meterpreter) |
2003 |
Cross-platform offensive framework |
HD Moore originally; Rapid7 |
“Metasploit meterpreter”, “Metasploit module catalog” |
META Stealer |
2022 |
Windows; browser, IM, wallets (RedLine fork) |
MaaS forum sales |
“META stealer 2022 redline fork”, “MetaStealer telegram” |
Mirai |
2016 |
Linux / IoT botnet (DDoS) |
“Anna-senpai” (Paras Jha); source leaked Sept 2016 |
“Mirai source code leak”, “paras jha mirai indictment” |
Mythic (C2) |
2018 |
Cross-platform post-exploitation framework |
SpecterOps (Cody Thomas); open-source |
“Mythic C2 specterops”, “Mythic agent apollo” |
NanoCore |
2013 |
Windows RAT |
Taylor Huddleston; convicted 2017 |
“NanoCore RAT huddleston”, “NanoCore commodity RAT” |
NjRAT |
2013 |
Windows RAT; Arabic-speaking dev community |
njq8 (Kuwait); widely cloned |
“NjRAT njq8 source”, “NjRAT arabic forum” |
NotPetya |
2017 |
Windows wiper (M.E.Doc supply chain) |
Sandworm / GRU Unit 74455 |
“NotPetya 2017 sandworm”, “M.E.Doc notpetya” |
Olympic Destroyer |
2018 |
Windows wiper (PyeongChang Olympics) |
Sandworm; false-flag artifacts |
“Olympic Destroyer 2018”, “Olympic Destroyer false flag” |
Pegasus |
2016 |
iOS / Android spyware (zero-click 2019+) |
NSO Group (Israel) |
“Pegasus NSO Group”, “Pegasus FORCEDENTRY iMessage” |
Phobos |
2018 |
Windows ransomware (SMB-focused; Dharma fork) |
Multiple affiliates; Russian-speaking |
“Phobos ransomware 2018”, “Phobos Dharma fork” |
PikaBot |
2023 |
Windows loader (QakBot successor) |
TA577 / Water Curupira distribution |
“PikaBot 2023 loader”, “PikaBot Water Curupira” |
Play |
2022 |
Windows / Linux / ESXi ransomware |
PLAYCRYPT / Balloonfly |
“Play ransomware 2022”, “PLAYCRYPT victims” |
Predator |
2019 |
iOS / Android spyware |
Intellexa Alliance (Greece / Cyprus / North Macedonia) |
“Predator spyware Intellexa”, “Predator Citizen Lab Cytrox” |
QakBot / Qbot |
2007 |
Windows banker → loader |
QakBot crew; FBI Operation Duck Hunt 2023 |
“QakBot Operation Duck Hunt”, “QakBot loader 2022” |
QuasarRAT |
2014 |
Windows RAT (open-source) |
quasar (Github); abused by APT33, APT10 |
“QuasarRAT open source”, “QuasarRAT APT33” |
Raccoon Stealer |
2019 |
Windows; browser, mail, wallets |
Mark Sokolovsky (arrested 2022); v2 by same crew |
“Raccoon stealer v2”, “Mark Sokolovsky raccoon” |
Ramnit |
2010 |
Windows banker (Zeus-derived) |
Botnet historically; takedowns 2015, 2018 |
“Ramnit banker takedown”, “Ramnit web injects” |
REvil / Sodinokibi |
2019-2021 |
Windows / Linux ransomware |
REvil crew; Russian FSB arrests Jan 2022 |
“REvil Sodinokibi 2019”, “REvil Kaseya VSA 2021” |
RedLine Stealer |
2020 |
Windows; browser, FTP, IM, crypto, VPN configs |
Russian-speaking MaaS operator |
“RedLine stealer 2021”, “RedLine MaaS Telegram” |
RemcosRAT |
2016 |
Windows RAT |
Breaking-Security.net (Germany); commercial |
“Remcos RAT breaking-security”, “Remcos 4.0 panel” |
Rhadamanthys |
2022 |
Windows stealer (modular) |
Russian-speaking forum sales |
“Rhadamanthys 2022 stealer”, “Rhadamanthys modular plugins” |
Royal |
2022-2023 |
Windows ransomware (Conti successor) |
Royal → BlackSuit re-brand 2023 |
“Royal ransomware 2022 conti successor”, “BlackSuit Royal rebrand” |
Ryuk |
2018 |
Windows ransomware (big-game hunting) |
WIZARD SPIDER (Conti-adjacent) |
“Ryuk ransomware 2018”, “Ryuk big game hunting” |
SamSam |
2015-2018 |
Windows ransomware (manual / RDP brute) |
Iranian-nationals (indicted 2018) |
“SamSam ransomware indictment 2018”, “SamSam Atlanta city” |
Shamoon (Disttrack) |
2012, 2016, 2018 |
Windows wiper (Saudi Aramco) |
APT33 / Elfin (Iran-attributed) |
“Shamoon disttrack aramco”, “Shamoon 2 wiper” |
Sharkbot |
2021 |
Android banker (ATS automated transfer) |
Russian-speaking authors |
“SharkBot Android banker”, “SharkBot ATS overlay” |
Sliver |
2019 |
Cross-platform post-exploitation framework |
BishopFox (open-source) |
“Sliver C2 bishopfox”, “Sliver implant golang” |
SmokeLoader |
2011 |
Windows loader (long-running) |
Forum sales; Russia-affiliated developer |
“SmokeLoader 2011 forum”, “SmokeLoader botnet sales” |
SOVA |
2021 |
Android banker (overlay) |
Russian-speaking author |
“SOVA Android banker 2021”, “SOVA overlay TLM2” |
SpyNote |
2016 |
Android RAT |
Open-source on GitHub |
“SpyNote Android RAT”, “SpyNote builder telegram” |
StealC |
2023 |
Windows; modular browser / wallet stealer |
“Plymouth” forum handle |
“StealC stealer 2023”, “StealC Plymouth MaaS” |
Stuxnet |
2010 |
Windows / Siemens S7 PLC (Iran centrifuges) |
Equation Group / Unit 8200 (joint attribution) |
“Stuxnet 2010 Natanz”, “Stuxnet Siemens S7-300” |
TRITON / TRISIS |
2017 |
ICS (Schneider Triconex safety controllers) |
XENOTIME / TEMP.Veles (Russia-attributed) |
“TRITON Triconex 2017”, “XENOTIME TRISIS malware” |
TrickBot |
2016 |
Windows banker → loader |
TrickBot crew (WIZARD SPIDER lineage) |
“TrickBot WIZARD SPIDER”, “TrickBot module catalog” |
Vidar |
2018 |
Windows; browser, FTP, IM, wallets |
Russian-speaking MaaS operator |
“Vidar stealer 2019”, “Vidar MaaS Arkei fork” |
Vultur |
2021 |
Android banker (screen-recording) |
Russian-speaking authors |
“Vultur Android 2021”, “Vultur screen recorder banker” |
WannaCry |
2017 |
Windows ransomware (EternalBlue) |
Lazarus Group (DPRK-attributed) |
“WannaCry 2017 EternalBlue”, “Lazarus WannaCry NHS” |
WhisperGate |
2022 |
Windows wiper (Ukraine ministries, pre-invasion) |
Cadet Blizzard / DEV-0586 (Russia-attributed) |
“WhisperGate 2022 ukraine”, “Cadet Blizzard WhisperGate” |
Zeus / ZeuS |
2007 |
Windows banker (foundational) |
Slavik (Evgeniy Bogachev); source leaked 2011 |
“Zeus banker bogachev”, “Zeus source leak 2011” |
References#
MITRE ATT&CK Software, the cross-walk catalog.
Malpedia, per-family reference (Fraunhofer FKIE).
MalwareBazaar (abuse.ch), sample exchange, family tags.
URLhaus, live distribution URLs.
ThreatFox, per-family IOCs.
Joe Sandbox / ANY.RUN / Hybrid Analysis, behavioral reports.
Kaspersky Securelist, ESET WeLiveSecurity, Cisco Talos blog, vendor-research.
Hacker Groups, the operating crews.
Hacking, the techniques.
CTI Sources, the indicator feeds.
YARA, the pattern format used to classify families.