Malware#

Reference catalog of malware families an operator should recognize, organized by category. Each row is a family + brief notes; for full technical write-ups follow the references at the end (Mandiant family pages, Kaspersky Securelist, MalwareBazaar tags, Joe Sandbox / ANY.RUN reports, MITRE ATT&CK Software).

For active malware-distribution URLs and live samples, see URLhaus, MalwareBazaar, and ThreatFox from abuse.ch. Detonate live samples only inside an isolated analysis VM with no production connectivity.

Loaders / droppers#

Family

Notes

Emotet

Original banking trojan turned loader; multi-takedown.

TrickBot

Loader / banker; pivot to Conti, lineage parent.

IcedID / BokBot

Loader; replaced TrickBot circa 2021.

QakBot / Qbot

Loader / banker; FBI takedown 2023, partial revival.

Bumblebee

2022 loader; brokered by IABs.

Latrodectus

2024 loader; IcedID successor.

PikaBot

2023 loader; multiple delivery campaigns.

Smokeloader

Long-running modular loader.

GuLoader

Anti-analysis loader.

Hijackloader / IDAT

Modular loader 2023-2024.

DarkLoader, Wikiloader, MaliBot

Various 2024 loader brands.

Banking trojans#

Family

Notes

Zeus / ZeuS

Original credential-theft banker; many forks.

Citadel, Atmos

Zeus forks.

Gozi / Ursnif / ISFB

Long-running banker; multiple forks.

Dridex

EvilCorp; banker / loader.

Ramnit

Worm + banker.

Trickbot

See loaders.

Emotet

See loaders.

Cerberus, Anubis, Hydra

Android bankers.

TrickMo

Android trickbot variant.

Sharkbot, Vultur

Android RAT-bankers.

Information stealers#

Family

Notes

RedLine Stealer

2020-present; massive log market presence.

Vidar

Long-lived; Snowflake breach 2024 traced to creds from this.

Lumma Stealer

2022-present; rising market share 2024-2025.

StealC

2023; aggressive logging.

Aurora Stealer

2022-2023.

Raccoon Stealer

Took down 2022, returned.

Mars Stealer

Russian-language stealer.

META Stealer

2022; LinkedIn-themed delivery.

Rhadamanthys

2023-present.

Atomic Stealer (AMOS)

macOS stealer; 2023-present.

Banshee Stealer

macOS, 2024.

Ovidiy, Pony / Fareit o

lder but persistent.

Agent Tesla

keylogger / stealer; phishing-delivered.

FormBook, XLoader

long-running.

Remote Access Trojans (RATs)#

Family

Notes

NjRAT

Arabic-speaking ecosystem; long-lived.

RemcosRAT

Commercial-pretext RAT; widely abused.

NanoCore

Subscription RAT; many cracked versions.

AsyncRAT

Open-source RAT.

QuasarRAT

Open-source .NET RAT.

DarkComet

Older but still seen.

PoisonIvy

Classic; APT-favored historically.

gh0st RAT

Chinese-origin classic.

Cobalt Strike Beacon

Commercial post-ex; cracked builds widely abused.

Sliver

Open-source post-ex; APT and crime adoption.

Mythic, Havoc

OSS post-ex frameworks.

Brute Ratel C4

Commercial; leaked builds in the wild.

Empire (PowerShell / Python)

OSS post-ex; deprecated mainline, forks alive.

Metasploit Meterpreter

Foundational; legitimate test tool.

Mosquito

Older Turla RAT.

Ransomware (encryption brands)#

(Distinct from the operating group; many groups run multiple encryptors and rebrand often. See Hacker Groups for the operating crews.)

Family

Notes

LockBit (2.0 / 3.0 / Black / Green)

most-prolific 2022-2024; disrupted Feb 2024.

ALPHV / BlackCat

Rust; double extortion; exit-scammed Feb 2024.

Black Basta

Conti spin-off; 2022-present.

Royal / Blacksuit

Conti spin-off.

Akira

2023; ESXi-targeting; Megazord Linux variant.

Play

2022-present.

Cl0p

Mass file-transfer-zero-day campaigns.

Hive

Disrupted Jan 2023.

REvil / Sodinokibi

Disrupted 2021.

Conti

Disbanded 2022 after leaks.

Maze

Original double-extortion; disbanded 2020.

DarkSide / BlackMatter

Colonial Pipeline; rebrands.

Ryuk

Wizard Spider; Conti precursor.

Lockbit Black, Locky

Older but referenced.

Vice Society / RhySida

Education-sector focus.

Medusa, 8Base, NoEscape

2024-2025 brands.

Phobos / Eight

Long-running; sold widely.

Stop / Djvu

Consumer-grade ransomware-as-product.

WannaCry

2017 worm-ransomware (NK Lazarus).

NotPetya

2017 wiper masquerading as ransomware (RU Sandworm).

Bad Rabbit

2017 NotPetya cousin.

SamSam

2018; attributed Iran (DOJ indictments 2018).

Wipers#

Family

Notes

Shamoon (Disttrack)

2012 Saudi Aramco; multiple resurfacings.

NotPetya

2017; Sandworm / Russia.

Olympic Destroyer

2018 PyeongChang Olympics.

WhisperGate, HermeticWiper, IsaacWi

per 2022 against Ukraine; Sandworm.

CaddyWiper, AcidRain, AcidPour

2022 / 2024 against Ukraine; KA-SAT modems.

Industroyer / CrashOverride

2016 Ukraine grid; Sandworm.

Industroyer2

2022 Ukraine; Sandworm.

WhisperKill

Pseudo-ransomware wiper variants.

ICS / OT#

Family

Notes

Stuxnet

2010 Natanz; first publicly-known ICS-targeting worm.

Duqu

Stuxnet sibling; reconnaissance.

Havex

Energy sector recon.

BlackEnergy 3

2015 Ukraine grid attack.

Industroyer / Industroyer2

see Wipers.

TRITON / TRISIS

2017 Saudi Arabia; safety-instrumented system manipulation.

Pipedream / Incontroller

2022 multi-protocol ICS toolkit (Sandworm-attributed).

Mobile (Android)#

Family

Notes

Cerberus, Anubis, Hydra

Bankers.

Joker

Premium-SMS fraud.

Triada, xHelper

Persistent system-level malware.

Pegasus (NSO)

Commercial spyware; zero-click iMessage / WhatsApp / SMS.

Predator (Intellexa)

Commercial spyware.

FinSpy / FinFisher

Commercial spyware.

Hermit

Italian commercial spyware.

RCS Lab Hermit, Karma

other commercial spyware.

SpyNote

commodity Android RAT.

SOVA

Banker / RAT.

Vultur

Banker / VNC RAT.

GoldDigger

2023 Vietnam / SE Asia banker.

Mobile (iOS)#

Family

Notes

Pegasus (NSO)

Zero-click chains via iMessage (FORCEDENTRY etc.).

Predator (Intellexa)

iOS implants.

TriangleDB

Operation Triangulation; iMessage exploit chain.

KeySteal, OSAMiner

Older spyware-class.

LightSpy

Cross-platform implants.

macOS#

Family

Notes

Atomic Stealer (AMOS)

2023-present cred + crypto-wallet stealer.

Banshee Stealer

2024 macOS stealer.

RustBucket

DPRK; 2023.

KandyKorn

DPRK; crypto-targeting macOS.

ObjCShellz

BlueNoroff (DPRK).

Silver Sparrow

2021; widespread but limited payload.

ThiefQuest / EvilQuest

2020 ransomware + stealer.

SpectralBlur

Linux / cloud#

Family

Notes

Mirai

IoT botnet; many variants (OMG, Satori, Reaper, Aidra).

Mozi

P2P IoT botnet (mostly extinct 2023).

Tsunami / Kaiten

Long-running IRC-controlled bot.

XorDDoS

DDoS bot; SSH brute-force entry.

SystemdMiner, WatchDog, TeamTNT

cryptomining campaigns on Linux / cloud.

Kinsing

Cloud crypto-jacker.

8220 Mining Group

Multiple loaders.

RotaJakiro

Backdoor (2021).

Sysrv-hello

Hybrid worm + miner.

Symbiote

Stealthy LD_PRELOAD-based.

BPFDoor

eBPF-based backdoor (2022).

NerbianRAT

2022 RAT.

TrueBot, Spyder

multi-platform RATs.

Cryptominers#

Family

Notes

XMRig

Monero miner; the open-source backbone.

RandomXMRig

Variant.

Coinminer-class

Many variants; cloud and IoT mainly.

LemonDuck

Cross-platform crypto-jacker + worm.

Botnets#

Family

Notes

Emotet

Disrupted 2021, returned 2021 / 2022.

QakBot / Qbot

FBI takedown 2023.

TrickBot

Microsoft + DoJ disruptions; lineage to Conti.

Mirai (and forks)

IoT.

Mozi

IoT P2P.

Necurs

Spam botnet; quiet since 2020.

Avalanche

Massive botnet ecosystem; 2016 takedown.

Andromeda / Gamarue

2017 takedown (Avalanche-adjacent).

Phorpiex

Sextortion / cred-stealer botnet.

Worms#

Family

Notes

Stuxnet

ICS worm.

Conficker

2008-9 Windows worm; massive infection base.

WannaCry

2017 EternalBlue worm.

NotPetya

2017 wiper-worm.

SQL Slammer

Code Red, Nimda, Blaster, Sasser

Pre-2010 classics.

ILOVEYOU

2000 mail-attachment worm.

Rootkits / bootkits#

Family

Notes

TDL / TDSS / Alureon

Bootkit lineage.

ZeroAccess

Botnet rootkit.

Necurs

Rootkit + spam.

LoJax

First-public UEFI rootkit (2018, APT28).

MoonBounce

UEFI implant (2022, Winnti).

CosmicStrand

UEFI implant.

BlackLotus

UEFI bootkit; bypasses Secure Boot (2023).

RotaJakiro

Linux user-mode rootkit.

Symbiote

LD_PRELOAD Linux rootkit.

Web / browser#

Family

Notes

Magecart (umbrella)

JS skimmers on e-commerce checkouts.

GootLoader S

EO-poisoned JS loader.

SocGholish

FakeUpdates JS loader.

Ramnit (web injects) b

anker variant.

By Name (A-Z)#

Family

First seen

Target

Operator / Origin

Ngrams & Search Queries

Agent Tesla

2014

Windows; browser, mail, FTP, IM creds

Commodity .NET RAT; sold on forums

“agent tesla .NET RAT”, site:any.run "agent tesla"

Akira

2023

Windows / ESXi ransomware (mid-market)

Akira (Conti-adjacent)

“akira ransomware 2023”, “akira ESXi tor”

ALPHV / BlackCat

2021-2024

Windows / Linux / ESXi ransomware

ALPHV (BlackMatter / DarkSide successor); FBI-disrupted 2023

“ALPHV BlackCat Rust”, “BlackCat takedown 2023”

AsyncRAT

2019

Windows; remote control

Open-source on GitHub; widely abused

“AsyncRAT GitHub”, site:any.run AsyncRAT

Atomic Stealer (AMOS)

2023

macOS; browser, wallets, keychain

“Atomic” actor; Telegram MaaS

“atomic stealer macOS 2023”, “AMOS macOS info-stealer”

Aurora Stealer

2022

Windows; Go-based; browser, wallets, FTP, Telegram

Sold as MaaS on forums

“Aurora stealer Go MaaS”, “aurora stealer cluster”

Azorult

2016

Windows; browser, FTP, IM, crypto wallets

Russian-speaking forum sales

“azorult stealer”, “azorult campaign telemetry”

Bad Rabbit

2017

Windows ransomware (Ukraine / Russia focus)

Sandworm-adjacent (Russia-attributed)

“bad rabbit 2017 ransomware”, “bad rabbit notpetya analysis”

Banshee Stealer

2024

macOS; browser, wallets, keychain

Sold on dark-web markets (Russian-speaking)

“banshee stealer macOS 2024”, “banshee macOS MaaS”

BlackEnergy 3

2014-2015

Windows / ICS (Ukraine power grid)

Sandworm / GRU Unit 74455

“BlackEnergy 3 ukraine”, “BlackEnergy ICS plug-in”

Brute Ratel C4

2020

Windows post-exploitation framework

Chetan Nayak (commercial); widely cracked

“brute ratel C4 leak”, “brute ratel APT use”

Bumblebee

2022

Windows loader (Conti-adjacent ingress)

Conti / TrickBot lineage

“bumblebee loader 2022”, “bumblebee conti successor”

CaddyWiper

2022

Windows / Ukraine ministries

Sandworm / GRU

“CaddyWiper Ukraine 2022”, “CaddyWiper ESET writeup”

Cerberus

2019

Android banker

Cerberus actor; later open-sourced when sale failed

“Cerberus Android banker”, “Cerberus 2.0 source leak”

Cl0p

2019

Windows / Linux ransomware + mass exploitation

TA505-adjacent Cl0p crew

“Cl0p MOVEit 2023”, “Cl0p GoAnywhere 2023”

Cobalt Strike (Beacon)

2012

Windows; commercial offensive framework

HelpSystems / Fortra; constantly cracked / abused

“Cobalt Strike beacon leak”, “Cobalt Strike cracked”

Conti

2020-2022

Windows / ESXi ransomware

Wizard Spider / Conti crew (Russia-affiliated)

“Conti leaks 2022 Trickleaks”, “Conti playbook leak”

DarkComet

2008

Windows RAT (historical)

Jean-Pierre Lesueur (“DarkCoderSc”); discontinued 2012

“DarkComet RAT 2012”, “DarkComet syria campaign”

DarkSide

2020-2021

Windows / Linux ransomware (Colonial Pipeline)

DarkSide → BlackMatter → ALPHV lineage

“DarkSide colonial pipeline”, “DarkSide ransomware shutdown”

Dridex

2014

Windows banker (Bugat / Cridex lineage)

Evil Corp (Maksim Yakubets)

“Dridex evil corp”, “Maksim Yakubets dridex indictment”

Duqu

2011

Windows espionage (Stuxnet lineage)

Equation Group / Unit 8200 (joint attribution)

“Duqu 2.0 Kaspersky”, “Duqu stuxnet relative”

Emotet

2014

Windows banker → loader; later spam botnet

TA542 / Mealybug (Mummy Spider)

“Emotet takedown 2021”, “Emotet TA542 mealybug”

Empire (PowerShell / Python)

2015

Windows / Linux / macOS post-exploitation

Open-source; abandoned, then forked (Empire-BC Security)

“Empire framework powershell”, “BC Security Empire fork”

FormBook / XLoader

2016 / 2020

Windows / macOS infostealer

“ng-Coder” forum sales; XLoader is cross-platform variant

“FormBook stealer 2016”, “XLoader macOS 2021”

GootLoader

2020

Windows; SEO-poisoned JS loader → REvil / Cobalt Strike

UNC2565 (Mandiant)

“GootLoader SEO 2021”, “UNC2565 GootKit”

gh0st RAT

2008

Windows RAT; long-running PRC-actor tool

PRC-aligned APT clusters

“gh0st RAT 2008 China”, “gh0st RAT GhostNet”

Gozi / Ursnif / ISFB

2007+

Windows banker (multi-fork lineage)

Multiple groups (Gozi → Vawtrak → ISFB → Saigon variants)

“Ursnif ISFB banker”, “Gozi source code leak”

GuLoader

2019

Windows loader; vbcrypt / cloud-hosted payload

UNC3833 / commodity actors

“GuLoader 2019”, “GuLoader cloud delivery”

Havex

2014

Windows ICS (energy sector)

Energetic Bear / Dragonfly (Russia-attributed)

“Havex energetic bear”, “Havex OPC scanner”

HermeticWiper

2022

Windows / Ukraine (pre-invasion)

Sandworm-aligned (Russia-attributed)

“HermeticWiper 2022 ukraine”, “HermeticWiper ESET writeup”

Hive

2021-2023

Windows / Linux ransomware (healthcare focus)

Hive crew; FBI / Europol disrupted 2023

“Hive ransomware takedown 2023”, “Hive FBI key recovery”

IcedID / BokBot

2017

Windows banker → loader

TA551 (Shathak) primary distribution

“IcedID BokBot loader”, “TA551 IcedID 2022”

Industroyer / CRASHOVERRIDE

2016, 2022

ICS (electric utilities)

Sandworm / GRU

“Industroyer CRASHOVERRIDE ukraine”, “Industroyer2 2022”

Joker

2017

Android (Play Store fleeceware / SMS subscription)

Various actor clusters; recurring Play Store abuse

“Joker malware play store”, “Joker fleeceware android”

Latrodectus

2023

Windows loader (IcedID successor)

TA577 / TA578 distribution clusters

“Latrodectus IcedID successor”, “Latrodectus 2023 loader”

LockBit

2019-2024

Windows / ESXi / Linux ransomware

LockBitSupp (Dmitry Khoroshev); FBI takedown 2024 (“Cronos”)

“LockBit takedown Operation Cronos”, “LockBit 3.0 builder leak”

Lumma Stealer

2022

Windows; browsers, wallets, 2FA tokens

“Shamel” / “Lummac”; Russian-speaking

“Lumma stealer 2024”, “LummaC2 MaaS”

Mars Stealer

2021

Windows; Oski fork; browsers / wallets

Forum sales

“Mars stealer Oski fork”, “Mars stealer 2022”

Maze

2019-2020

Windows ransomware (pioneered leak-site extortion)

Maze crew (TA2101); shut down 2020 → Egregor

“Maze leak site 2019”, “Maze ransomware retirement”

Metasploit (Meterpreter)

2003

Cross-platform offensive framework

HD Moore originally; Rapid7

“Metasploit meterpreter”, “Metasploit module catalog”

META Stealer

2022

Windows; browser, IM, wallets (RedLine fork)

MaaS forum sales

“META stealer 2022 redline fork”, “MetaStealer telegram”

Mirai

2016

Linux / IoT botnet (DDoS)

“Anna-senpai” (Paras Jha); source leaked Sept 2016

“Mirai source code leak”, “paras jha mirai indictment”

Mythic (C2)

2018

Cross-platform post-exploitation framework

SpecterOps (Cody Thomas); open-source

“Mythic C2 specterops”, “Mythic agent apollo”

NanoCore

2013

Windows RAT

Taylor Huddleston; convicted 2017

“NanoCore RAT huddleston”, “NanoCore commodity RAT”

NjRAT

2013

Windows RAT; Arabic-speaking dev community

njq8 (Kuwait); widely cloned

“NjRAT njq8 source”, “NjRAT arabic forum”

NotPetya

2017

Windows wiper (M.E.Doc supply chain)

Sandworm / GRU Unit 74455

“NotPetya 2017 sandworm”, “M.E.Doc notpetya”

Olympic Destroyer

2018

Windows wiper (PyeongChang Olympics)

Sandworm; false-flag artifacts

“Olympic Destroyer 2018”, “Olympic Destroyer false flag”

Pegasus

2016

iOS / Android spyware (zero-click 2019+)

NSO Group (Israel)

“Pegasus NSO Group”, “Pegasus FORCEDENTRY iMessage”

Phobos

2018

Windows ransomware (SMB-focused; Dharma fork)

Multiple affiliates; Russian-speaking

“Phobos ransomware 2018”, “Phobos Dharma fork”

PikaBot

2023

Windows loader (QakBot successor)

TA577 / Water Curupira distribution

“PikaBot 2023 loader”, “PikaBot Water Curupira”

Play

2022

Windows / Linux / ESXi ransomware

PLAYCRYPT / Balloonfly

“Play ransomware 2022”, “PLAYCRYPT victims”

Predator

2019

iOS / Android spyware

Intellexa Alliance (Greece / Cyprus / North Macedonia)

“Predator spyware Intellexa”, “Predator Citizen Lab Cytrox”

QakBot / Qbot

2007

Windows banker → loader

QakBot crew; FBI Operation Duck Hunt 2023

“QakBot Operation Duck Hunt”, “QakBot loader 2022”

QuasarRAT

2014

Windows RAT (open-source)

quasar (Github); abused by APT33, APT10

“QuasarRAT open source”, “QuasarRAT APT33”

Raccoon Stealer

2019

Windows; browser, mail, wallets

Mark Sokolovsky (arrested 2022); v2 by same crew

“Raccoon stealer v2”, “Mark Sokolovsky raccoon”

Ramnit

2010

Windows banker (Zeus-derived)

Botnet historically; takedowns 2015, 2018

“Ramnit banker takedown”, “Ramnit web injects”

REvil / Sodinokibi

2019-2021

Windows / Linux ransomware

REvil crew; Russian FSB arrests Jan 2022

“REvil Sodinokibi 2019”, “REvil Kaseya VSA 2021”

RedLine Stealer

2020

Windows; browser, FTP, IM, crypto, VPN configs

Russian-speaking MaaS operator

“RedLine stealer 2021”, “RedLine MaaS Telegram”

RemcosRAT

2016

Windows RAT

Breaking-Security.net (Germany); commercial

“Remcos RAT breaking-security”, “Remcos 4.0 panel”

Rhadamanthys

2022

Windows stealer (modular)

Russian-speaking forum sales

“Rhadamanthys 2022 stealer”, “Rhadamanthys modular plugins”

Royal

2022-2023

Windows ransomware (Conti successor)

Royal → BlackSuit re-brand 2023

“Royal ransomware 2022 conti successor”, “BlackSuit Royal rebrand”

Ryuk

2018

Windows ransomware (big-game hunting)

WIZARD SPIDER (Conti-adjacent)

“Ryuk ransomware 2018”, “Ryuk big game hunting”

SamSam

2015-2018

Windows ransomware (manual / RDP brute)

Iranian-nationals (indicted 2018)

“SamSam ransomware indictment 2018”, “SamSam Atlanta city”

Shamoon (Disttrack)

2012, 2016, 2018

Windows wiper (Saudi Aramco)

APT33 / Elfin (Iran-attributed)

“Shamoon disttrack aramco”, “Shamoon 2 wiper”

Sharkbot

2021

Android banker (ATS automated transfer)

Russian-speaking authors

“SharkBot Android banker”, “SharkBot ATS overlay”

Sliver

2019

Cross-platform post-exploitation framework

BishopFox (open-source)

“Sliver C2 bishopfox”, “Sliver implant golang”

SmokeLoader

2011

Windows loader (long-running)

Forum sales; Russia-affiliated developer

“SmokeLoader 2011 forum”, “SmokeLoader botnet sales”

SOVA

2021

Android banker (overlay)

Russian-speaking author

“SOVA Android banker 2021”, “SOVA overlay TLM2”

SpyNote

2016

Android RAT

Open-source on GitHub

“SpyNote Android RAT”, “SpyNote builder telegram”

StealC

2023

Windows; modular browser / wallet stealer

“Plymouth” forum handle

“StealC stealer 2023”, “StealC Plymouth MaaS”

Stuxnet

2010

Windows / Siemens S7 PLC (Iran centrifuges)

Equation Group / Unit 8200 (joint attribution)

“Stuxnet 2010 Natanz”, “Stuxnet Siemens S7-300”

TRITON / TRISIS

2017

ICS (Schneider Triconex safety controllers)

XENOTIME / TEMP.Veles (Russia-attributed)

“TRITON Triconex 2017”, “XENOTIME TRISIS malware”

TrickBot

2016

Windows banker → loader

TrickBot crew (WIZARD SPIDER lineage)

“TrickBot WIZARD SPIDER”, “TrickBot module catalog”

Vidar

2018

Windows; browser, FTP, IM, wallets

Russian-speaking MaaS operator

“Vidar stealer 2019”, “Vidar MaaS Arkei fork”

Vultur

2021

Android banker (screen-recording)

Russian-speaking authors

“Vultur Android 2021”, “Vultur screen recorder banker”

WannaCry

2017

Windows ransomware (EternalBlue)

Lazarus Group (DPRK-attributed)

“WannaCry 2017 EternalBlue”, “Lazarus WannaCry NHS”

WhisperGate

2022

Windows wiper (Ukraine ministries, pre-invasion)

Cadet Blizzard / DEV-0586 (Russia-attributed)

“WhisperGate 2022 ukraine”, “Cadet Blizzard WhisperGate”

Zeus / ZeuS

2007

Windows banker (foundational)

Slavik (Evgeniy Bogachev); source leaked 2011

“Zeus banker bogachev”, “Zeus source leak 2011”

References#