Learning & Threat Centre


Featured Articles

  • Targeted Attacks
  • Advanced Persistent Threats
  • Phishing & Data Loss

All articles

  1. Targeted attacks
  2. Advanced Persistent Threats
  3. Phishing and Data Loss
  4. Process Hollowing and code injection
  5. Sandbox evasion and how it is kept under control
  6. Different approaches to malware detection - pros and cons

Prolific Malware Families


  • Agent Tesla

    Agent Tesla is a password stealer spyware that has been around since 2014. The malware can be used by attackers to spy on victims, allowing them to see everything that has been typed in supported programs and web-browsers.


    Marketed and sold on its own website, which falsely advertises the program as a legitimate keylogger for personal use, the Agent Tesla virus has gained significant popularity within the hacker community. This is partly due to its user-friendly interface and technical support, which is available on the "official" website where the attackers sell this malware, as well as on a dedicated Discord server. Although the software's legitimacy is claimed, the support staff advises on the illegal use of the virus. Agent Tesla spyware is believed to have originated in Turkey.


    The spyware is created using .Net software framework. It is aimed at stealing personal data and transmitting it back to the C2 server. The malware is able to access information from web browsers, email clients, and FTP servers.


    In addition, Agent Tesla malware can capture screenshots and videos. It can also record clipboard contents and form values. The virus was being distributed on agenttesla-dot-com, where attackers could purchase it for as little as $15. However, depending on the requested options, the package price could easily reach roughly $70.


    Uniquely, the creators of the malware have set up an ecosystem around the program, providing 24/7 customer support as well as pre-matched purchase plans that include various options tailored to different budgets and goals. The virus is supplied with a dedicated builder that has a simple-to-use control panel. It allows even a non-technical attacker to pack the payload into a malicious document. What’s more, after 2015 the Agent Tesla control panel was expanded with extensive automation functionality, allowing the attacker to automatically capture snapshots or remotely activate the webcam on a victim’s PC at set intervals.


  • WannaCry

    WannaCry, sometimes also called WCry or WanaCryptor, is ransomware, meaning that it encrypts its victims' files and demands a payment to restore the encrypted data, usually in bitcoin, with ransom amounts ranging from the equivalent of $300 to $600.


    The virus can be described as ransomware like Dharma or Ryuk but with worm functionality, since it is capable of spreading itself within infected networks using the EternalBlue exploit. Additionally, the virus uses the DoublePulsar exploit to upload and execute a copy of itself on each newly reached machine.


    Once WannaCry infiltrates a target computer, it initiates its attack by searching for a hardcoded kill switch domain—either fferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com or iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com. If such a domain is detected, the malware ceases operation. If not, WannaCry proceeds to encrypt files on the system and attempts to exploit the SMB vulnerability to spread to other reachable computers, including those on the same local network. Upon completing encryption, it displays a ransom note demanding $300 within three days. Failure to comply results in the ransom doubling to $600, payable within seven days. Payments are made to several hardcoded Bitcoin addresses, and while anyone can view the transactions and balances of these wallets, the actual owners remain untraceable.
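    Because the kill-switch lookup happens before encryption starts, a DNS query for either domain is a high-confidence sign that a host has already executed the WannaCry payload. The following detector, an added example that is not part of the original page, scans DNS resolver log lines for those two domains. The log line format is a constructed assumption for this example; adapt the regular expression to your resolver's actual format.

```python
import re
from typing import List, Tuple

# Kill-switch domains exactly as given on the page, written defanged
# ("[.]") so they are not clickable; refanged below for matching.
KILL_SWITCH_DOMAINS_DEFANGED = [
    "fferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com",
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com",
]


def refang(domain: str) -> str:
    """Turn a defanged indicator ('example[.]com') back into a matchable name."""
    return domain.replace("[.]", ".").lower().rstrip(".")


KILL_SWITCH_DOMAINS = {refang(d) for d in KILL_SWITCH_DOMAINS_DEFANGED}

# Assumed log format (constructed for this example, not a real resolver's
# format): "<timestamp> client=<host> query=<name> type=<rrtype>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+query=(?P<qname>\S+)\s+type=(?P<rtype>\S+)$"
)


def find_kill_switch_lookups(lines) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, domain) for every query of a kill-switch domain.

    A host that performs this lookup has already run the WannaCry payload:
    the check precedes encryption, so a hit marks a machine to isolate
    and investigate, not a machine that was saved by the domain resolving.
    """
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        # Normalise case and the trailing dot of a fully qualified name.
        qname = m.group("qname").lower().rstrip(".")
        if qname in KILL_SWITCH_DOMAINS:
            hits.append((m.group("ts"), m.group("client"), qname))
    return hits


# Constructed sample log: one benign lookup, one kill-switch lookup in
# FQDN form (trailing dot), and one malformed line that must be ignored.
SAMPLE_LOG = [
    "2017-05-12T10:02:13Z client=ws-17 query=www.example.com type=A",
    "2017-05-12T10:02:41Z client=ws-23 query=iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. type=A",
    "garbage line that should be ignored",
]

if __name__ == "__main__":
    for ts, client, domain in find_kill_switch_lookups(SAMPLE_LOG):
        print(f"{ts} {client} queried WannaCry kill switch {domain}")
```

    One caveat worth building into the response playbook: the sample only halts if the lookup succeeds, so the domain should be left resolvable (sinkholed, if anything) rather than blocked at the resolver or proxy, and the lookup itself treated as the alert.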

  • AsyncRAT

    In 2019 and 2020, researchers observed the first campaigns distributing AsyncRAT. A modified version of the malware was arriving in spam email campaigns with mentions of the Covid-19 pandemic. In another tactic, attackers impersonated local banks and law enforcement institutions. The malware was gaining popularity and, in late 2020, surfaced in numerous threads in Chinese underground forums.


    In 2021, AsyncRAT was spotted in a phishing campaign called Operation Spalax. In an unrelated incident, it was dropped by an HCrypt loader. Soon after, researchers saw the first strain of AsyncRAT loading using VBScripts. And in 2022, a heavily modified version of the malware appeared, which was spread in a spear phishing campaign using an attachment that downloaded ISO files. This strain could bypass most security measures.


    Because of the open-source nature of this malware, attackers have developed numerous alterations of AsyncRAT throughout its lifetime. In 2022, researchers found a new variant that can be distributed in fileless form. It is thought to spread through email using compressed file attachments.


    AsyncRAT mainly infects victims in the IT, hospitality, and transportation industries across North, South, and Central America, though its distribution is not limited to these regions. RAT users aim to steal personal credentials or banking details and use them as leverage to demand ransom.

  • Formbook

    FormBook is a type of infostealer trojan that operates as malware-as-a-service. It is commonly utilized by attackers who possess minimal technical skills and programming knowledge. The primary function of FormBook is to exfiltrate a variety of data from compromised systems.


    Despite its ease of setup and use, the malware boasts sophisticated theft and evasion capabilities, including the retrieval of stored and recorded user inputs. Moreover, FormBook can search for, view, interact with files, and capture screenshots. While its data theft abilities may be deemed average, the simplicity of its operation, its injection techniques, and the robust measures it employs to evade antivirus detection have contributed to FormBook's popularity within the hacking community, with its prevalence unfortunately increasing in 2019.

  • XWorm

    XWorm is a remote access trojan (RAT) that gives cybercriminals unauthorized access to a victim's computer. It is a modular malware, meaning that it can be customized to perform a variety of malicious tasks, such as stealing sensitive data and cryptocurrency, launching DDoS attacks, and deploying ransomware. It first came into the spotlight in July 2022 and is believed to have originated in the former USSR.


    XWorm is sold as malware-as-a-service (MaaS), which makes it extremely dangerous: it lowers the barrier to entry and opens hacking opportunities to more people. Since its first appearance in the global threat landscape in July 2022, XWorm has gone through several iterations. As of August 2023, versions 4.2 and 5.0 were the latest ones available for purchase.


    Criminals use multi-stage attacks to deploy XWorm on victims’ computers. For example, an attack might start with a phishing email that contains a malicious Word document attachment. When the document is opened, it will load an .rtf file from an external link. This file will contain an Excel spreadsheet with macros that will execute a PowerShell script, which will then download XWorm onto the computer.
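    The delivery chain above (Word document, then an embedded Excel sheet with macros, then PowerShell) leaves a characteristic process ancestry on the endpoint: a script host whose ancestors include an Office application. The detector below is an added example, not code from the original page, and runs over constructed process-creation events shaped like Sysmon Event ID 1 or Windows 4688 records. It walks the parent chain rather than checking only the direct parent, so the intermediate Excel process does not hide the Word origin.

```python
from collections import namedtuple
from typing import Dict, List

# Constructed process-creation events: (pid, parent pid, image, command line).
ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")

# Office applications that should almost never have a shell or script host
# anywhere beneath them in the process tree.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Interpreters whose appearance under an Office ancestor is the signal.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}


def find_office_script_chains(events: List[ProcEvent],
                              max_depth: int = 5) -> List[List[str]]:
    """Return each Office -> ... -> script-host ancestry found in the events.

    Each chain is listed root-first, starting at the outermost Office
    ancestor. max_depth bounds the walk so PID reuse cannot loop forever.
    """
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    chains = []
    for e in events:
        if e.image.lower() not in SCRIPT_HOSTS:
            continue
        # Collect the lineage from the script host upward.
        lineage = [e.image.lower()]
        parent = by_pid.get(e.ppid)
        while parent is not None and len(lineage) <= max_depth:
            lineage.append(parent.image.lower())
            parent = by_pid.get(parent.ppid)
        office_idx = [i for i, img in enumerate(lineage) if img in OFFICE_APPS]
        if office_idx:
            # Trim to the outermost Office ancestor so the report starts there.
            lineage = lineage[: office_idx[-1] + 1]
            chains.append(list(reversed(lineage)))
    return chains


# Constructed sample: the XWorm-style chain plus a benign admin session
# (PowerShell started from a console) that must not be flagged.
SAMPLE_EVENTS = [
    ProcEvent(1000, 800, "explorer.exe", "explorer.exe"),
    ProcEvent(1200, 1000, "WINWORD.EXE", '"WINWORD.EXE" invoice.docx'),
    ProcEvent(1300, 1200, "EXCEL.EXE", '"EXCEL.EXE" /embedding'),
    ProcEvent(1400, 1300, "powershell.exe", "powershell.exe -w hidden <constructed>"),
    ProcEvent(2000, 1000, "cmd.exe", "cmd.exe"),
    ProcEvent(2100, 2000, "powershell.exe", "powershell.exe Get-Process"),
]

if __name__ == "__main__":
    for chain in find_office_script_chains(SAMPLE_EVENTS):
        print("Office-spawned script host:", " -> ".join(chain))
```

    In production this logic belongs in the SIEM or EDR rule engine, but the shape is the same: index events by PID, walk upward from every script host, and alert when an Office image appears in the lineage.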

  • Remcos RAT

    Remcos is a remote access trojan, a type of malware designed to take control of infected computers remotely. Since its emergence in 2016, it has been actively maintained and updated, often being sold in dark web hacker forums. The Remcos RAT has seen consistent updates, with new versions released nearly every month. Prices for the malware ranged from slightly over 60 dollars to more than 400 dollars for various packages as of April 2019.

  • RedLine Stealer

    RedLine is an information-stealing malware that targets data from browsers, instant messaging systems, and FTP clients. It primarily seeks passwords, credit card details, usernames, locations, autofill data, cookies, software configurations, and even hardware setups such as keyboard layouts and UAC settings. Additionally, it has the capability to steal cryptocurrency.


    This malicious software operates similarly to other stealers like Raccoon or Pony, with functionalities that include file transfer, command execution, and reporting on the infected system's details. Attackers also utilize RedLine to distribute further malicious software, including ransomware, RATs, trojans, and cryptocurrency miners.


    RedLine Stealer is readily available on underground forums and C&C panels, offering various versions for malware-as-a-service or subscription models, typically priced between $100 and $200.


    While RedLine Stealer may not be as complex as some ransomware, it possesses common features of its malware family. It is a .Net-based malware written in C#, indicating the involvement of skilled programmers. Cybercriminals continuously update the malware, adding capabilities such as downloading secondary payloads and incorporating advanced filtering options.

  • LUMMA Stealer

    Lumma, a malware stealer, is openly sold on Dark Web forums and Telegram channels. Despite being less known than other stealers like RedLine and Formbook, it has become increasingly popular among cybercriminals for extracting sensitive information from victims. Believed to be operated by a group from the former USSR, LummaC2 Stealer has been developing since 2022, receiving updates that boost its functionality.


    Lumma Stealer represents a significant risk to numerous computer systems, targeting Windows OS from Windows 7 to Windows 11, thus enabling it to penetrate a large array of systems and amplify its impact.


    Operating on a malware-as-a-service model, Lumma Stealer is available to those who can afford its subscription, leading to its broad adoption. It offers three subscription tiers, each with different features, including a command-and-control (C2) panel for criminals to oversee the malware's operations on infected machines.



  • njRat

    njRAT, also known as Bladabindi and Njw0rm, is a remote access trojan designed to take control of infected computers remotely. Its widespread use can be attributed to its easy availability, the abundance of online tutorials, extensive information, and a comprehensive set of core features, coupled with multiple evasion techniques. njRAT has become one of the most prevalent RATs globally.


    First identified in 2013, njRAT has roots that trace back to related RATs spotted by researchers as early as 2012. The most significant spike in njRAT trojan attacks occurred in 2014, predominantly affecting the Middle East, which remains the primary target for this malware.

  • Hijack Loader

    HijackLoader has gained infamy for its stealth capabilities, notably through the use of an altered Windows C Runtime (CRT) function to establish a presence on a device. In its initial phase, it determines whether to embed the final payload within the binary or to retrieve it from an external source, utilizing a series of DWORD values for this purpose. Additionally, HijackLoader can verify internet connectivity by connecting to legitimate websites, a tactic that helps it stay undetected when the network is down. It also employs delayed execution of its code components to further evade detection. To complicate analysis by reverse engineers, HijackLoader dynamically loads APIs using a proprietary hashing technique, obscuring the specific API calls it makes during its operation. The malware's AVDATA module is specifically crafted to detect and adapt to the security software present on the system, tailoring its activities based on the scan results.
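    When a loader resolves APIs by hash, the import table tells an analyst nothing, and the usual counter is to precompute hashes of candidate export names and look the sample's constants up in that table. The page calls HijackLoader's routine proprietary and does not describe it, so the example below, added here and not taken from the original page or from the malware, uses 32-bit FNV-1a purely as a placeholder hash; once the real routine is recovered from a sample, only `hash_fn` changes. The export lists are a small constructed subset of real kernel32 and advapi32 names, not a full dump.

```python
from typing import Callable, Dict, List


def fnv1a32(name: bytes) -> int:
    """32-bit FNV-1a over an export name (placeholder for the loader's own hash)."""
    h = 0x811C9DC5
    for b in name:
        h ^= b
        h = (h * 0x01000193) & 0xFFFFFFFF
    return h


def build_hash_table(exports: Dict[str, List[str]],
                     hash_fn: Callable[[bytes], int] = fnv1a32) -> Dict[int, List[str]]:
    """Map hash -> ['dll!Export', ...] for every export name.

    Values are lists so that a collision between two names is visible
    instead of silently overwriting one of them.
    """
    table: Dict[int, List[str]] = {}
    for dll, names in exports.items():
        for n in names:
            table.setdefault(hash_fn(n.encode("ascii")), []).append(f"{dll}!{n}")
    return table


def resolve_hashes(hashes: List[int], table: Dict[int, List[str]]) -> List[str]:
    """Resolve constants pulled from a sample; unknown hashes stay as hex."""
    out = []
    for h in hashes:
        if h in table:
            out.append("|".join(table[h]))  # collisions are shown joined
        else:
            out.append(f"unresolved:{h:#010x}")
    return out


# Constructed subset of real export names; a real workflow would feed in
# the full export tables of the DLLs the sample is seen to load.
SAMPLE_EXPORTS = {
    "kernel32.dll": ["VirtualAlloc", "CreateProcessW", "LoadLibraryA",
                     "GetProcAddress", "WriteProcessMemory"],
    "advapi32.dll": ["OpenProcessToken", "RegOpenKeyExW"],
}
TABLE = build_hash_table(SAMPLE_EXPORTS)

if __name__ == "__main__":
    # Constants as an analyst might copy them out of a disassembly listing;
    # here they are generated from the placeholder hash for demonstration.
    seen = [fnv1a32(b"VirtualAlloc"), fnv1a32(b"RegOpenKeyExW"), 0xDEADBEEF]
    for h, name in zip(seen, resolve_hashes(seen, TABLE)):
        print(f"{h:#010x} -> {name}")
```

    The table is cheap to rebuild, so the practical loop is: guess or recover the hash routine, regenerate the table over the loaded DLLs' exports, and check that most of the sample's constants resolve; a low hit rate usually means the hash guess is wrong rather than that the names are unusual.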
