Threat Intelligence
Malware Encyclopedia
Know your enemy. Plain-English breakdowns of active malware threats targeting businesses.
AcidRain
AcidRain is a wiper that bricked tens of thousands of Viasat KA-SAT satellite modems across Europe on 24 February 2022, the day Russia invaded Ukraine. It disrupted communications used by the Ukrainian military and, as a side effect, cut remote monitoring for thousands of wind turbines in Germany.
Adwind
Adwind (also sold as AlienSpy, jRAT and JSocket) is a Java-based remote access trojan that runs on any computer with Java installed. It is sold as a subscription service to criminals who want to spy on and steal from victims.
Agenda
Agenda (also known as Qilin) is a ransomware-as-a-service that has hit hospitals, schools and other organizations. It was written in Go and later rewritten in Rust, which helps it dodge signature-based detection and run on both Windows and Linux/VMware ESXi systems.
Agent Racoon
Agent Racoon is a .NET backdoor first reported in 2023 that tunnels its command-and-control traffic through DNS queries, so it blends in with the normal name lookups every network makes.
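The DNS-tunneling trick used by Agent Racoon is detectable, because tunneled traffic looks different from ordinary lookups: very long, high-entropy subdomains, repeated queries to one registered domain, and record types such as TXT that normal clients rarely ask for. The following is an added example, not code from this page or from any vendor; it scores each query in a constructed log snippet (the IP addresses and the c2-assumed.example domain are placeholders) and flags source/domain pairs with several suspicious queries.

```python
import math
from collections import defaultdict

# Constructed sample log, one query per line: "<source IP> <query name> <type>".
# 10.0.0.7 is the assumed infected host; c2-assumed.example is a placeholder.
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com A
10.0.0.7 a9f3b2e1c8d4f7a6b5e3d2c1a0f9e8d7.c2-assumed.example A
10.0.0.7 1c3e5a7b9d2f4e6a8c0b2d4f6a8c0e1f.c2-assumed.example A
10.0.0.7 8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c3b.c2-assumed.example TXT
10.0.0.7 3f2e1d0c9b8a7f6e5d4c3b2a1f0e9d8c.c2-assumed.example TXT
10.0.0.9 cdn.example.com A
10.0.0.9 login.microsoftonline.com A
"""


def shannon_entropy(s):
    """Bits of entropy per character; encoded/encrypted data scores high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name):
    # Simplification for the example: treat the last two labels as the
    # registered domain (a real detector would consult the public suffix list).
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        src, qname, qtype = parts
        records.append((src, qname.lower(), qtype.upper()))
    return records


def score_query(qname, qtype):
    """Heuristic score for one query; thresholds are illustrative, not tuned."""
    labels = qname.rstrip(".").split(".")
    sub = ".".join(labels[:-2])  # everything left of the registered domain
    score = 0
    if len(sub) >= 30:                               # long label carries data
        score += 2
    if shannon_entropy(sub.replace(".", "")) >= 3.5:  # looks encoded
        score += 2
    if qtype in ("TXT", "NULL"):                     # common tunnel channels
        score += 1
    return score


def find_tunnel_suspects(text, threshold=3, min_queries=3):
    """Return {(source_ip, domain): flagged_query_count} for suspicious pairs."""
    per_pair = defaultdict(list)
    for src, qname, qtype in parse_log(text):
        per_pair[(src, registered_domain(qname))].append(score_query(qname, qtype))
    suspects = {}
    for pair, scores in per_pair.items():
        flagged = [s for s in scores if s >= threshold]
        if len(flagged) >= min_queries:
            suspects[pair] = len(flagged)
    return suspects


if __name__ == "__main__":
    for (src, domain), count in find_tunnel_suspects(SAMPLE_DNS_LOG).items():
        print(f"{src} -> {domain}: {count} tunnel-like queries")
```

Run against real resolver logs, the per-domain grouping matters more than any single score: CDNs and some security products also use long, random-looking names, so a single odd query is noise, while dozens of them to one freshly registered domain from one workstation is worth a look.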
Agent Tesla
Agent Tesla is a .NET spyware/keylogger that records everything you type, takes screenshots and harvests saved passwords from browsers, email and FTP clients. It has been around since 2014 and is sold as 'monitoring software', but criminals use it to steal credentials and spy on victims. It typically arrives through business email scams pretending to be invoices or shipping notices.
Akira
Akira ransomware, active since 2023, runs a retro 1980s-style leak site but does serious damage to small and medium businesses, often getting in through VPN appliances that lack multi-factor authentication.
Amadey (Amadey Bot)
Amadey is a cheap botnet and loader sold on underground forums. Criminals buy it to build armies of infected Windows computers and then use those machines to install other malware, from info stealers to ransomware.
Anubis
Anubis is an Android banking trojan that overlays fake login screens on top of real banking apps to capture your credentials. It can also log keystrokes and encrypt files on the phone for ransom.
AnyDesk Abuse
AnyDesk is legitimate remote desktop software. Attackers trick people into installing it (for example in tech-support scams) or deploy it after breaking in, so they get persistent remote access that looks like normal IT activity.
AppleSeed
AppleSeed is a backdoor used by Kimsuky, a North Korean state-linked group, mainly against South Korean government, think-tank and academic targets.
Arcane Stealer
Arcane is an info stealer first reported in 2025 that grabs passwords and session data from browsers, VPN clients, gaming clients and chat apps. It has spread through YouTube videos advertising game cheats.
ArechClient2
ArechClient2 (also known as SectopRAT) is a .NET remote access tool that also steals browser and crypto-wallet data. It spreads through spam emails and fake software downloads.
AsyncRAT
AsyncRAT started as an open-source C# project on GitHub but is now one of the most common remote access trojans in real attacks. Because anyone can download and modify the code, countless forks exist (DCRat and Venom RAT among them), and even beginners can use it. Once it infects a computer, attackers can control it remotely, watch the screen, log keystrokes, steal files and use the webcam.
Atomic Stealer
Atomic Stealer (AMOS) targets Mac computers, unusual because most stealers go after Windows. Sold on Telegram, it harvests Keychain passwords, browser data and cryptocurrency wallets, usually spreading through fake versions of popular Mac apps and malicious ads.
Aurora Stealer
Aurora is a Go-based password stealer sold as a service to criminals. It grabs saved browser passwords, cryptocurrency wallet data and personal files; being written in Go makes it easy to build for different platforms and, for a while, helped it slip past antivirus.
Avaddon
Avaddon ransomware shut down unexpectedly in June 2021 and handed over 2,934 decryption keys. Victims can decrypt their files for free with the decryptor built from those keys.
AZORult
AZORult steals saved passwords, cookies, cryptocurrency wallets and system details, and has been popular on Russian-language forums since 2016 because it is effective and cheap. Cracked builders and forks keep it in use even though the original author stopped supporting it.
Babuk
Babuk attacked the Washington DC Metropolitan Police in 2021 and leaked their files. After its source code leaked later that year, many other ransomware groups reused it, especially its Linux/ESXi locker.
Babylon RAT
Babylon RAT is an older open-source remote access tool that is still used in campaigns against targets in the Middle East.
BabyShark
BabyShark is a reconnaissance tool used by North Korea's Kimsuky group. It scouts a compromised computer (user, system details, running software) before heavier tooling is dropped.
BackdoorDiplomacy
BackdoorDiplomacy is an espionage group that spies on foreign ministries and diplomats, mainly in Africa and the Middle East, using a customized backdoor called Turian.
Bad Rabbit
Bad Rabbit (2017) posed as a Flash Player update on compromised websites, but was really ransomware that encrypted the disk and spread through office networks using stolen credentials and SMB.
Banshee Stealer
Banshee is one of the newer Mac password stealers, grabbing data from browsers, cryptocurrency wallets and Apple Notes. One version borrowed the string-encryption routine from Apple's own XProtect antivirus engine to stay hidden from security tools on macOS.
Bashlite
Bashlite (also called Gafgyt; see that entry) is an older IoT botnet that still infects devices with weak or default Telnet passwords and uses them for DDoS attacks.
BatLoader
BatLoader tricks people through fake Google ads for popular software. Search for a program, click the ad, and you download a loader that installs stealers, banking trojans or remote access tools instead of the real program.
Bebloh
Bebloh (also known as UrlZone) is a banking trojan from 2009 that injects into the browser to alter banking transactions while you are making them. It is very old but still active, especially against users in Japan.
BianLian
BianLian started as encrypting ransomware but in 2023 switched to extortion only: they steal data and threaten to publish it unless you pay, skipping encryption entirely.
BitPaymer
BitPaymer was Evil Corp's first major ransomware, appearing in 2017 and delivered through their Dridex infections. It was later forked into DoppelPaymer.
Black Basta
Black Basta, active since 2022, is believed to be run by former Conti members. According to a 2024 CISA advisory it had hit more than 500 organizations worldwide.
BlackCat/ALPHV
BlackCat (ALPHV) was a major Rust-based ransomware-as-a-service that collapsed in early 2024 in an apparent exit scam: after the Change Healthcare attack the operators kept a roughly $22 million ransom instead of paying their affiliate, posted a fake law-enforcement seizure notice and disappeared.
BlackLotus
BlackLotus is a UEFI bootkit that runs before Windows loads and bypasses Secure Boot, even on fully patched systems, by exploiting an older boot-loader flaw (CVE-2022-21894). Because it lives on the boot partition rather than inside Windows, it can survive an operating system reinstall, and removing it properly needs expert help.
BlackMatter
BlackMatter was DarkSide under a new name. It promised not to attack hospitals or critical infrastructure, but shut down within months in late 2021 under law-enforcement pressure.
BlackSuit
BlackSuit is Royal ransomware with a new name. They still attack hospitals and important infrastructure.
BlindEagle
BlindEagle (APT-C-36) targets Colombian government agencies and businesses with phishing emails that deliver off-the-shelf remote access trojans such as AsyncRAT and Remcos.
BloodHound
BloodHound maps the relationships in a company's Active Directory (group memberships, local admin rights, logged-on sessions) as a graph and finds the shortest path from a low-privileged account to domain admin. Defenders use it to find and cut those paths; attackers use it to plan privilege escalation.
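What "mapping the network as a graph" means in practice is shown by the following added example, which is not BloodHound's own code and does not collect anything from a real domain. It works over a small constructed set of relationships using BloodHound's edge vocabulary (MemberOf, AdminTo, HasSession) and runs a breadth-first search to find the shortest chain from a helpdesk user to the Domain Admins group; all user, group and host names are hypothetical.

```python
from collections import deque

# Constructed sample Active Directory relationships, in BloodHound's vocabulary:
#   MemberOf   user/group -> group     (group membership)
#   AdminTo    user/group -> computer  (local administrator rights)
#   HasSession computer   -> user      (user is logged on there, so their
#                                       credentials sit in that machine's memory)
# Every name below is hypothetical.
EDGES = [
    ("user:alice", "MemberOf", "group:HELPDESK"),
    ("group:HELPDESK", "AdminTo", "host:WS01"),
    ("host:WS01", "HasSession", "user:bob"),
    ("user:bob", "MemberOf", "group:SERVER_ADMINS"),
    ("group:SERVER_ADMINS", "AdminTo", "host:SRV01"),
    ("host:SRV01", "HasSession", "user:da_ops"),
    ("user:da_ops", "MemberOf", "group:DOMAIN_ADMINS"),
    ("user:alice", "MemberOf", "group:IT_STAFF"),
    ("group:IT_STAFF", "AdminTo", "host:PRINT01"),     # dead end: nobody logged on
    ("user:carol", "MemberOf", "group:FINANCE"),       # no route to domain admin
    ("user:dave", "MemberOf", "group:DOMAIN_ADMINS"),  # already an admin
]


def build_graph(edges):
    """Adjacency list: node -> [(relationship, next_node), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])  # make sure sink nodes exist too
    return graph


def shortest_attack_path(graph, start, target):
    """BFS over the directed graph; returns [(node, relationship, node), ...]
    for the fewest-hop route from start to target, or None if unreachable."""
    if start not in graph or target not in graph:
        return None
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for rel, nxt in graph[node]:
            if nxt not in prev:
                prev[nxt] = (node, rel)
                queue.append(nxt)
    if target not in prev:
        return None
    path, cur = [], target
    while prev[cur] is not None:
        node, rel = prev[cur]
        path.append((node, rel, cur))
        cur = node
    return list(reversed(path))


def users_who_reach(graph, target):
    """Every user principal that has some path to the target, sorted."""
    return sorted(n for n in graph
                  if n.startswith("user:") and shortest_attack_path(graph, n, target) is not None)


def describe_path(path):
    return " -> ".join(f"{src} [{rel}]" for src, rel, _ in path) + f" -> {path[-1][2]}"


if __name__ == "__main__":
    g = build_graph(EDGES)
    route = shortest_attack_path(g, "user:alice", "group:DOMAIN_ADMINS")
    print(describe_path(route) if route else "no path")
    print("users with a path to Domain Admins:", users_who_reach(g, "group:DOMAIN_ADMINS"))
```

The interesting output is not that alice has a path, but where it runs: through a workstation where a server admin happens to be logged on. That is the kind of finding a defender acts on (no privileged logons to helpdesk-managed machines, tiered admin accounts), and exactly what an attacker with one phished helpdesk account looks for.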
Braodo
Braodo is a Python-based info stealer from Vietnam that mainly targets users in that region, harvesting browser passwords, cookies and cryptocurrency data and sending them to the attacker through Telegram.
BrickerBot
BrickerBot (2017) permanently disabled insecure IoT devices, with its author claiming millions of victims, supposedly to "protect the internet" from botnets like Mirai. Its creator was controversial: vigilante or vandal?
Brute Ratel
Brute Ratel C4 is a commercial red-team framework built specifically to evade detection. A cracked copy leaked in 2022 and is now used by criminal groups worldwide.
Bumblebee
Bumblebee is a loader first seen in 2022, believed to come from the former Conti/TrickBot ecosystem as a replacement for BazarLoader. It sneaks into companies through phishing and malvertising and opens the door for ransomware operators.
Cactus Ransomware
Cactus ransomware, seen since 2023, encrypts its own executable and needs a key passed on the command line to run, which frustrates static antivirus scanning. It breaks into companies through vulnerable VPN appliances and, later, through malvertising.
CaddyWiper
CaddyWiper is another Russian wiper used against Ukraine in 2022. It overwrites files and wipes partition information so the machine can no longer boot.
Candiru
Candiru is an Israeli spyware vendor whose tools governments buy to monitor people through their computers, capturing what is on screen, files, messages and microphone audio.
Carberp
Carberp was a Russian banking trojan whose source code leaked online in 2013. Many copycats and hybrids (some mixing in Zeus code) appeared afterward.
Careto
Careto (The Mask) is an espionage toolkit that ran for years before its discovery in 2014, with versions for Windows, Mac, Linux and likely mobile devices, used to steal government and diplomatic secrets.
Casbaneiro
Casbaneiro is a Latin American banking trojan that has hidden its command-server addresses in YouTube video descriptions, fetching them at run time while it steals from bank accounts and crypto wallets.
Cerber
Cerber was one of the first ransomware-as-a-service franchises, renting the software to affiliates for a cut of the profits. It even read its ransom note aloud through the victim's speakers using text-to-speech.
Cerberus
Cerberus is an Android banking trojan that overlays fake login screens on real banking apps and can intercept SMS two-factor codes. Its source code leaked in 2020, spawning variants such as Alien, so it remains widespread and effective at draining bank accounts.
Chaes
Chaes is a Brazilian banking trojan that targets online shoppers, mainly on Mercado Livre, watching the browser to steal payment and login information.
ChromeLoader
ChromeLoader hijacks your Chrome browser to show you ads and redirect your searches. It installs itself as a hidden browser extension.
Citadel
Citadel was a banking trojan built on leaked Zeus code. Its developer, Mark Vartanyan, was sentenced to prison in the US in 2017.
Cl0p Ransomware
Cl0p specializes in mass exploitation of the file transfer software companies use to share data (Accellion FTA, GoAnywhere, MOVEit). Its 2023 MOVEit campaign hit thousands of organizations and was one of the biggest data-theft incidents ever.
Cobalt Strike
Cobalt Strike is a commercial adversary-simulation tool meant for authorized security testing, but criminals love it. It is so popular with attackers that finding a Cobalt Strike beacon on a network that is not under an authorized test almost always means a serious breach is in progress. Ransomware gangs and nation-state groups use cracked copies because it is reliable and configurable enough to evade detection.
CoinMiner
CoinMiner is the generic name for any hidden program that uses your computer's processor to mine cryptocurrency for criminals, slowing it down and running up power bills.
Conficker
Conficker was a 2008 worm that infected millions of Windows computers worldwide through an unpatched SMB vulnerability, weak passwords and USB drives, showing how dangerous worms could become.
Conti
Conti was a huge Russian ransomware gang. When it publicly sided with Russia after the 2022 invasion of Ukraine, a Ukrainian researcher leaked its internal chats and the gang fell apart, with members scattering into other groups.
CosmicStrand
CosmicStrand is a UEFI firmware rootkit attributed to a Chinese-speaking actor. It hides in motherboard firmware and, when found in 2022, turned out to have been infecting computers since at least 2016 without being noticed.
Covenant
Covenant is a free, open-source .NET command-and-control framework, an alternative to Cobalt Strike. Attackers use it to control compromised computers.
Crimson RAT
Crimson RAT is a .NET remote access tool used by Transparent Tribe (APT36), a Pakistan-linked group, to spy on India's government and military.
CryptBot
CryptBot has been around for years, stealing cryptocurrency wallets and passwords. It usually hides in fake or cracked software downloads and is particularly dangerous for crypto users.
CryptoLocker
CryptoLocker started the modern ransomware epidemic in 2013. It was the first widely successful ransomware to encrypt files with strong cryptography and demand Bitcoin, and it was distributed by the GameOver Zeus botnet until both were taken down in 2014.
CryptoWall
CryptoWall was a ransomware family that made hundreds of millions of dollars by copying CryptoLocker's tactics and improving on them.
Cuba
Cuba ransomware (unconnected to the country) targets hospitals, local governments and critical infrastructure, mainly in the US, using stolen credentials, exploits and legitimate admin tools.
DarkComet
DarkComet was a popular remote access trojan whose creator stopped developing it in 2012 after the Syrian government used it against protesters, but copies still circulate online.
DarkGate
DarkGate is an older malware (first seen in 2018) that came back stronger in 2023 as a malware-as-a-service. It can steal passwords, mine cryptocurrency, log keystrokes and give attackers full remote control, and it has spread through phishing over Microsoft Teams and Skype as well as email.
DarkSide
DarkSide attacked Colonial Pipeline in May 2021 and caused fuel shortages across the eastern US. The FBI later seized most of the roughly 75 Bitcoin ransom (about 63.7 BTC).
DCRat
DCRat (DarkCrystal RAT) is a cheap Russian-language remote access trojan that criminals rent for a few dollars a month. It gives full control of infected computers and supports add-on plugins for stealing bank passwords, mining cryptocurrency and more.
DeathStalker
DeathStalker is a hacker-for-hire group that steals corporate secrets from law firms and financial companies.
Dharma
Dharma (CrySiS) is an old ransomware family that still attacks small businesses through exposed remote desktop services with weak passwords. Many variants exist under different names.
DoppelPaymer
DoppelPaymer was linked to Evil Corp. German and Ukrainian police raided suspected core members in 2023.
Dridex
Dridex is a banking trojan run by the Evil Corp gang. It spreads through email attachments, injects into your browser to change what you see on banking websites and trick you into authorizing payments, and has also been used to install ransomware such as BitPaymer.
Duqu
Duqu is Stuxnet's cousin: instead of breaking machines, it quietly steals information from important targets. Duqu 2.0 (2015) was used to spy on venues hosting the Iran nuclear talks and even compromised Kaspersky, a major antivirus company.
Egregor
Egregor was the successor to Maze ransomware but was quickly disrupted when police in Ukraine arrested affiliates in early 2021.
Emotet
Emotet is the 'malware delivery service' of the criminal world. It arrives via email, infects your computer, and then lets other criminals install their own malware, including ransomware. Despite an international takedown in January 2021, it returned in November 2021. It's particularly dangerous because it hijacks real email conversations to spread.
ESXiArgs
ESXiArgs hit thousands of internet-exposed VMware ESXi servers in a single weekend in February 2023. It exploited a two-year-old OpenSLP vulnerability (CVE-2021-21974) that many organizations had not patched.
Evilnum
Evilnum attacks financial technology companies to steal trading secrets and financial data.
FakeBat
FakeBat is a loader spread through fake software download ads on search engines, often packaged as MSIX installers, which then installs password stealers on victims' computers.
FakeUpdates
FakeUpdates (SocGholish) shows fake "update your browser" messages on compromised websites. Clicking them downloads malware and frequently leads to ransomware.
FinSpy
FinSpy (FinFisher) is commercial spyware sold to governments to secretly watch everything someone does on their phone or computer.
Flame
Flame was a huge espionage toolkit discovered in 2012, a Swiss Army knife for spying: it recorded nearby conversations through the microphone, took screenshots, logged keystrokes and captured network traffic. It was used against Iran and other Middle Eastern countries.
FluBot
FluBot was Android banking malware that spread through fake package delivery texts. If you tapped the link and installed the app, it stole your banking logins and texted itself to your contacts. Europol shut it down in 2022.
FONIX
FONIX ransomware shut down in early 2021 and released its master decryption key, so all victims can recover their files for free.
FormBook
FormBook is a form-grabbing password stealer that's been around since 2016. It watches everything you type into web forms (login pages, checkout pages, anything) and steals it before it even reaches the real website. It rebranded as 'XLoader' in 2020 and now runs on both Windows and Mac. It's cheap and easy to use, so lots of criminals rely on it.
FritzFrog
FritzFrog is a peer-to-peer botnet that brute-forces SSH logins to spread between servers without needing a central command server. It mines cryptocurrency on the machines it infects.
Gafgyt
Gafgyt (Bashlite) is an IoT botnet older than Mirai that turns smart devices with default passwords into DDoS zombies; see also the Bashlite entry.
GameOver Zeus
GameOver Zeus was a peer-to-peer banking trojan that also delivered CryptoLocker ransomware, until the FBI-led Operation Tovar took it down in 2014.
GandCrab
GandCrab was a hugely successful ransomware-as-a-service that "retired" in 2019, its operators claiming to have made $2 billion. Its creators are widely believed to have gone on to build REvil.
Gauss
Gauss (2012) stole banking and browser information in the Middle East, but its strangest part was an encrypted payload keyed to the victim's own system that researchers never managed to decrypt, so its true mission remains unknown.
Gh0st RAT
Gh0st RAT is an old Chinese remote access tool whose source code was published years ago, so many different groups have modified it and use their own versions in attacks.
GoldBackdoor
GoldBackdoor is used by North Korea-linked operators to spy on journalists who cover North Korea. It hides its communications inside legitimate cloud services.
Gootkit
Gootkit started as a banking trojan, but its loader (GootLoader, see below) now mainly delivers other malware. It lures people in through poisoned Google search results.
GootLoader
GootLoader poisons Google search results. Search for a legal agreement or business document, land on a hacked site, and the "document" you download is malware.
Grandoreiro
Grandoreiro is a Latin American banking trojan that keeps coming back even after police arrests, most recently in 2024.
Grief
Grief ransomware was likely DoppelPaymer with a new name. They famously attacked the NRA.
Hajime
Hajime was a mysterious botnet that claimed to protect IoT devices by closing security holes. No one knows who made it.
Hancitor
Hancitor spreads through spam emails carrying Word documents. When you open the document and enable macros, it downloads more dangerous malware onto your computer.
Havoc
Havoc is a free, open-source command-and-control framework that attackers use to control compromised computers. It is gaining popularity because it is free and its implants are built to evade detection.
HelloKitty
HelloKitty is known for attacking CD Projekt Red, the company behind Cyberpunk 2077, in 2021 and stealing game source code.
HermeticWiper
HermeticWiper was deployed by Russia against Ukraine the day before the 2022 invasion. It destroyed data on the computers of government, financial and IT organizations.
Hermit
Hermit is government spyware made by the Italian company RCS Lab. Once installed on a phone it can read your messages, track your location and record your calls.
Hide and Seek
Hide and Seek was an IoT botnet that could survive when you restarted your device - unusual for IoT malware.
Hive
Hive was a massive ransomware gang that attacked hospitals and schools. The FBI secretly infiltrated its network in 2022, quietly handed decryption keys to victims, and took the gang down in January 2023, saving victims about $130 million in ransoms.
Hunters International
Hunters International rose from the ashes of Hive after the FBI takedown. It uses largely the same code but claims to be a new group, and it focuses more on stealing data than on encrypting files.
IcedID
IcedID started out stealing banking credentials but evolved into a malware delivery truck: it's now mainly used as a doorway for ransomware gangs. When IcedID infects a company, the operators often sell that access to ransomware crews, which makes it one of the top malware families leading to major ransomware attacks.
Imminent Monitor
Imminent Monitor was a remote access trojan that police shut down in 2019. They arrested the creator and many of its users.
INC Ransom
INC Ransom is a ransomware group that appeared in 2023 and operates like a business. It targets companies through phishing and unpatched software vulnerabilities.
Industroyer
Industroyer is a Russian (Sandworm) attack tool built to speak the protocols used by power grids and shut them down. It caused a blackout in Kyiv in December 2016, and an updated version, Industroyer2, was caught in 2022 before it could do the same again.
IsaacWiper
IsaacWiper was another Russian wiper used against Ukraine during the invasion. It destroys data completely.
Kinsing
Kinsing hunts for misconfigured cloud containers and servers (exposed Docker APIs, vulnerable web apps) to install cryptocurrency miners. It is very common in cloud environments.
Koadic
Koadic (COM Command & Control) is a post-exploitation toolkit that runs its implants through Windows Script Host (JScript/VBScript) to blend in with normal system activity.
Konni
Konni is a North Korean hacking tool used to spy on South Korean diplomats and government officials.
KPOT
KPOT steals passwords from browsers, email programs, game accounts like Steam, and cryptocurrency wallets.
Kronos
Kronos was a banking trojan whose author was later arrested by the FBI (Marcus Hutchins, 2017). It lives on as the Osiris banking malware.
Latrodectus
Latrodectus is the follow-on to IcedID. When IcedID went quiet in 2023, the same developers began pushing Latrodectus instead.
LazyScripter
LazyScripter is a hacking group (not a single tool) that has targeted airlines and aviation-related organizations since at least 2018, using freely available tools such as Koadic and Octopus.
LockBit 3.0
LockBit 3.0 was the most prolific ransomware-as-a-service until an international police operation (Operation Cronos) seized its infrastructure in February 2024. The operators tried to relaunch, but with far less reach.
LockerGoga
LockerGoga hit aluminum maker Norsk Hydro in 2019 and cost the company roughly $70 million. Its binaries were signed with valid code-signing certificates to slip past defenses.
Locky
Locky was ransomware that spread through millions of spam emails, encrypting files and demanding Bitcoin payment.
LokiBot
LokiBot is a cheap, common password stealer that grabs credentials from over 100 applications, including browsers, email clients and FTP tools. It has been used in countless attacks because it is easy to buy and use.
Lorenz
Lorenz ransomware targets small and mid-sized businesses, in one campaign by exploiting a flaw in Mitel VoIP phone systems. They steal data before encrypting.
LuminosityLink
LuminosityLink was a popular remote access trojan whose creator went to prison in 2018. Thousands of attackers used it before the takedown.
Lumma Stealer
Lumma is a password-stealing service that criminals rent for about $250/month. It grabs saved passwords from browsers, steals cryptocurrency wallet data, and takes session cookies that let attackers bypass two-factor authentication. It is constantly updated to target the newest kinds of login data and usually spreads through fake software downloads or malicious ads.
LV Ransomware
LV Ransomware uses stolen REvil code. When REvil shut down, someone took their code and started a new operation.
MacStealer
MacStealer breaks into your Mac iCloud Keychain to steal passwords and cryptocurrency wallet secrets.
Magniber
Magniber mostly attacks Korean computer users through malicious ads. It runs without leaving files on disk.
Mallox
Mallox attacks database servers and encrypts all your data. It specifically targets poorly secured SQL servers.
Mars Stealer
Mars Stealer is a newer, lighter password stealer. It specifically targets 2FA browser extensions, making it extra dangerous.
Matanbuchus
Matanbuchus is a loader that criminals rent to deliver their malware through spam emails.
Maze
Maze popularized the ransomware trick of stealing your data before encrypting it, then threatening to publish it online ("double extortion"). Nearly every ransomware group has copied this approach since.
Medusa Ransomware
Medusa is a ransomware-as-a-service that has been attacking hospitals, schools and government offices for years. Its operators are aggressive with ransom demands and publicly shame companies that do not pay.
Meduza Stealer
Meduza is a newer password stealer that cybercriminals buy to steal your browser passwords, credit cards saved in Chrome, and crypto wallet information.
MegaCortex
MegaCortex was deployed manually by hackers after they broke into networks. It demanded huge ransoms from big companies.
Mekotio
Mekotio tricks people in Latin America with fake banking pop-ups that steal their real login information.
META Stealer
META is a RedLine competitor that steals browser passwords, crypto wallets, and even password manager data.
Meterpreter
Meterpreter is the in-memory payload of Metasploit, the best-known open-source penetration testing framework. It runs inside a process without touching disk and gives complete control of the machine, which is why both security researchers and criminals use it.
Mimikatz
Mimikatz pulls passwords, password hashes and Kerberos tickets out of Windows memory (the LSASS process). It turns up in a huge share of intrusions because attackers use it to steal credentials right after breaking in.
Mirai
Mirai knocked Twitter, Netflix and other major sites offline in October 2016 by flooding the DNS provider Dyn with traffic from hundreds of thousands of infected cameras and routers. Its source code was released and variants still circulate.
MoonBounce
MoonBounce is a UEFI firmware implant attributed to the Chinese-speaking APT41 group. It lives in the motherboard's SPI flash, so it survives even replacing the hard drive, which makes it very hard to remove.
MountLocker
MountLocker kept changing names but eventually went quiet. Its hackers moved to other ransomware groups.
Mozi
Mozi was a huge peer-to-peer botnet that infected routers and security cameras. Chinese police arrested its creators in 2021, but it only stopped for good when a kill switch was pushed to the bots in 2023.
Mystic Stealer
Mystic Stealer attacks over 40 different browsers and many crypto wallets. It is heavily encrypted to avoid detection.
Mythic
Mythic is a free command center for hackers. It can control malware on Windows, Mac, and Linux computers.
NanoCore
NanoCore is a powerful spy tool that was sold commercially until its creator was arrested and jailed in 2018. Cracked copies are still shared among attackers who use it to control victim computers.
Necurs
Necurs was a massive spam botnet that sent billions of malicious emails until Microsoft and its partners disrupted it in 2020.
NetSupport RAT
NetSupport Manager is legitimate IT remote-control software that attackers abuse. They install it after breaking in, or through fake-update lures, to control computers without tripping antivirus.
NetWalker
NetWalker attacked hospitals during COVID-19. In 2021 the FBI and partners seized its leak site and charged an affiliate, recovering some ransom payments.
NetWire
NetWire was a remote access tool used by criminals for over a decade. The FBI shut it down in 2023, but variants may still be circulating.
njRAT
njRAT is one of the most common remote access trojans because it is free and easy to use, letting even amateur attackers take full control of thousands of computers. It has been around for over a decade.
Nokoyawa
Nokoyawa ransomware has used a Windows zero-day (a CLFS driver flaw, CVE-2023-28252) to escalate privileges. Its attack chain resembles Hive's, and it is believed to be linked to that crew.
NotPetya
NotPetya (2017) looked like ransomware but was really a weapon designed to destroy data; it had no working way to decrypt. It caused an estimated $10 billion in damage and was created by Russia's GRU (Sandworm).
NullMixer
NullMixer installs a whole bunch of viruses at once. If you download fake cracked software, you might get 10+ different malware programs at the same time.
ObliqueRAT
ObliqueRAT hides its payload inside image files (steganography). It is used by the Pakistan-linked Transparent Tribe group against South Asian governments.
Olympic Destroyer
Olympic Destroyer attacked the 2018 Winter Olympics in PyeongChang, South Korea. Russia planted false flags to make it look like North Korea or China was responsible.
Orion RAT
Orion RAT can secretly view and control your screen, steal passwords, and replace cryptocurrency addresses.
Outlaw
Outlaw is a criminal group's botnet that brute-forces SSH logins to break into Linux servers and mine cryptocurrency.
Pandora HVNC
Pandora is a hidden-VNC tool: it lets attackers control your computer through a hidden desktop session while your screen looks untouched. It is used for bank fraud from the victim's own machine, so the bank sees a normal-looking session.
Pegasus
Pegasus, made by Israel's NSO Group, is the best-known commercial phone spyware. Governments use it to spy on people; it can infect a phone without the victim clicking anything and read all their messages.
Perfctl
Perfctl is sneaky Linux malware that secretly mines cryptocurrency while hiding so well that security tools cannot find it.
Petya
Petya (2016) encrypted the disk's master file table and overwrote the boot record, holding the whole computer hostage at startup instead of just encrypting files.
Phemedrone Stealer
Phemedrone is a password stealer that exploited a Windows SmartScreen bypass (CVE-2023-36025) to run without the usual warnings. It steals browser passwords and cryptocurrency information.
Phobos
Phobos attacks small businesses by breaking in through remote desktop. It has been around for years and keeps making money from SMBs.
Pikabot
Pikabot is a loader that appeared in 2023 and filled the gap left by Qakbot after its takedown. It hijacks existing email conversations to spread and gives attackers an initial foothold inside companies.
Play Ransomware
Play is a ransomware gang first seen in 2022 that has hit organizations across the Americas and Europe using its own custom tools. They break in, steal data, then encrypt everything while threatening to release the stolen files online.
PlugX
PlugX is a Chinese espionage tool that has been around for 15+ years and is still actively used. It hides inside legitimate signed programs (DLL side-loading), giving attackers remote control of computers to steal sensitive information.
Poison Ivy
Poison Ivy is a very old remote access trojan, around since 2005, that was so easy to use it turned up in espionage attacks all over the world for more than a decade. Modified versions are still used today.
Pony
Pony is an old but still popular password stealer whose code was leaked, so many criminals made their own versions.
Poseidon
Poseidon is a Mac password stealer derived from Atomic Stealer, spread through fake ads, that targets cryptocurrency wallets and password managers.
PoshC2
PoshC2 is an open-source command and control framework that uses PowerShell.
PowerShell Empire
PowerShell Empire is a hacking tool that runs entirely in PowerShell. It is open-source and used by many attackers.
Predator
Predator is commercial spyware in the same class as Pegasus, developed by Cytrox and sold through the Intellexa alliance. Governments buy it to take over a phone completely, sometimes without the victim clicking anything, and see everything they do.
Predator the Stealer
Predator the Stealer grabs passwords from browsers, FTP programs, and crypto wallets. It is sold cheaply on Russian forums.
PrivateLoader
PrivateLoader is a pay-per-install malware delivery network. Criminals pay to have their malware installed on computers that PrivateLoader infects through fake and cracked software download sites.
Pupy
Pupy is a free, open-source Python remote access tool that works on Windows, Linux and Mac. Nation-state groups, including Iranian ones, have used it because one tool covers all three platforms.
PYSA
PYSA (Mespinoza) ransomware favors schools and hospitals. Its operators use common IT tools against their victims to move around the network.
Qakbot
Qakbot (QBot) is a veteran malware that's been around since 2007 and keeps evolving. It arrives via phishing emails, often hijacking real email conversations, steals banking credentials and, more dangerously, opens the door for ransomware. The FBI dismantled its botnet in August 2023 (Operation Duck Hunt), but it resurfaced within months.
Quantum
Quantum ransomware moves incredibly fast: in one documented intrusion it went from first infection to encrypting the whole network in under four hours.
Quasar RAT
Quasar is a free remote access tool that was meant to be legitimate but is now used by hackers because anyone can download and modify it.
Raccoon Stealer
Raccoon Stealer is a digital pickpocket that criminals rent for about $200/month. It sneaks onto computers through fake downloads or email attachments, then steals saved passwords, credit card details and cryptocurrency wallets. Operations paused in 2022 when a developer was arrested, but it returned as 'Raccoon v2' and remains one of the most used stealers.
Ragnar Locker
Ragnar Locker was clever: it ran its ransomware inside a virtual machine to hide from antivirus. Police took down its infrastructure and arrested a key developer in 2023.
Ragnarok
Ragnarok ransomware suddenly quit and released all their decryption keys. Victims can now decrypt for free.
Ramnit
Ramnit is a virus that refuses to die. Around since 2010, it started by infecting program files and learned new tricks over time, including stealing banking passwords, and keeps coming back.
Ransom Cartel
Ransom Cartel uses REvil code and appeared after REvil was shut down. They target big companies.
RansomHub
RansomHub is a new ransomware service that opened in 2024. Former members of other ransomware gangs have joined them.
Realst
Realst spreads through fake blockchain games and targets Mac users' cryptocurrency and passwords.
RedLine Stealer
RedLine is a password-stealing program that criminals rent cheaply online. Once it infects a computer, it grabs saved browser passwords and cookies, steals cryptocurrency wallet data, and sends everything to the attackers. It spreads through fake software downloads and phishing emails. International police disrupted it in October 2024 (Operation Magnus), though stolen logs remain in circulation.
Regin
Regin is believed to be a Western intelligence espionage tool. Used against telecom companies, it works like an invisible wiretap inside the phone company's own systems, able to intercept calls and messages without anyone noticing.
Rekoobe
Rekoobe is a hidden backdoor for Linux servers that espionage groups use to secretly access victim networks.
Remcos RAT
Remcos is sold as legitimate remote access software, but criminals love it for hacking. It can spy on everything you do (keystrokes, webcam, microphone, screen) and spreads mainly through phishing emails pretending to be invoices or business documents. The company that sells it says it is for 'legal use only', but that is rarely how it is used.
REvil/Sodinokibi
REvil was a huge ransomware gang that attacked thousands of companies through Kaseya. Russia finally arrested them in 2022 after US pressure.
Rhadamanthys
Rhadamanthys is a sneaky password stealer that is hard for antivirus to catch. It specifically targets cryptocurrency users and steals wallet information along with browser passwords.
Rhysida
Rhysida is a new ransomware gang that attacked the British Library and several hospitals. They have grown quickly since appearing in 2023.
Rhysida
Rhysida is a new ransomware gang that attacks hospitals, schools, and governments, making headlines for breaching famous institutions.
RisePro
RisePro is a password stealer that criminals can rent. It spreads through fake downloads and steals your browser passwords and crypto wallet info.
RisePro
RisePro is a newer password thief that uses Telegram messaging app to secretly send stolen information back to hackers.
RobbinHood
RobbinHood attacked the city of Baltimore and shut down their computers for weeks. It used a clever trick to disable antivirus.
Royal
Royal was run by ex-Conti hackers. They changed their name to BlackSuit in 2023.
Ryuk
Ryuk was a ransomware that attacked hospitals and big companies. It often arrived after other malware like TrickBot infected the network first.
Sality
Sality is an ancient computer virus that has survived for over 20 years by hiding in program files and spreading copies of itself.
SamSam
SamSam attacked hospitals and cities across America. The FBI traced it to two Iranian men who made $6 million.
SCARLETEEL
SCARLETEEL is a new threat that attacks cloud systems to mine crypto while also stealing sensitive data and cloud secrets.
Scattered Spider Toolkit
Scattered Spider does not use normal viruses. They trick helpdesk employees and steal phone numbers to break into companies like MGM and Caesars.
ScreenConnect Abuse
ScreenConnect is real IT support software that hackers abuse. Once installed, they can control your computer remotely.
Sekhmet
Sekhmet was part of the Maze ransomware family. When Maze shut down, Sekhmet disappeared too.
Shade
Shade ransomware shut down and released 750,000 decryption keys. It was one of the biggest releases ever.
ShadowPad
ShadowPad is a shared hacking tool used by multiple Chinese government groups. It was hidden in legitimate software updates.
ShadowPad
ShadowPad is like a master key that Chinese hackers share, letting them secretly control computers at big companies and government organizations.
Shamoon
Shamoon destroyed 35,000 computers at Saudi Aramco in 2012. It is believed to be an Iranian government weapon.
SharkBot
SharkBot is a dangerous Android malware that can move money from your bank account automatically, without you even touching your phone.
SILENTTRINITY
SILENTTRINITY is an open-source hacking framework that uses Python on Windows computers.
Skidmap
Skidmap is sneaky mining malware for Linux that hides so deep in the system that normal tools cannot see it stealing your computer's power.
Skuld
Skuld is an easy-to-use stealer popular with beginners. It targets Discord accounts and crypto wallets.
Sliver
Sliver is a free hacking tool designed for security testing but now used by real attackers. It helps hackers control infected computers remotely.
sLoad
sLoad is a PowerShell downloader that brings in banking malware. It targets specific countries.
SmokeLoader
SmokeLoader is like a delivery truck for malware - its job is to get other malware onto your computer. It's been around since 2011, making it one of the oldest active malware families. Criminals buy it to load ransomware, stealers, or banking trojans. It's really good at hiding from antivirus software.
SmokeLoader
SmokeLoader is a veteran delivery system that has been helping criminals install malware on computers for over a decade.
Snake
Snake was Russia's most sophisticated spying tool for 20 years. The FBI finally took it down in 2023.
Snake Keylogger
Snake Keylogger is a spy program that records everything you type and sends it to criminals through email or Telegram.
Snatch
Snatch is clever - it restarts your computer into Safe Mode where antivirus does not work, then encrypts all your files.
SocGholish
SocGholish tricks you with fake "Your browser needs to update" pop-ups on hacked websites. If you click, you get malware that leads to ransomware.
Splinter
Splinter is a new hacking tool written in Rust. It appeared in 2024 and is sold to criminals.
SpyNote
SpyNote is spyware for Android phones. Once installed, hackers can read your texts, listen to calls, track your location, and steal your banking apps.
StealC
StealC is a cheap but effective password-stealing program sold to cybercriminals. It grabs saved passwords from your browser, cryptocurrency wallet info, and login details from apps.
StealC
StealC is a new password thief built from parts of older successful stealers, grabbing credentials from dozens of programs.
StoneDrill
StoneDrill is another Iranian wiper like Shamoon. It is better at hiding from antivirus and has been used against Saudi Arabia.
STOP/Djvu
STOP/Djvu is the most common ransomware attacking regular people. It usually comes from downloading cracked software.
STRRAT
STRRAT pretends to be ransomware to scare victims, but it is really just stealing passwords while making you think your files are locked.
Stuxnet
Stuxnet was the first cyber weapon. America and Israel used it to destroy Iran's nuclear equipment by making centrifuges spin out of control.
SUNBURST
SUNBURST was hidden inside a trusted software update, secretly opening doors to thousands of organizations including the US government.
SysJoker
SysJoker is a sneaky backdoor that works on any operating system and hides its communication in normal cloud services.
SystemBC
SystemBC creates secret tunnels for hackers to communicate with infected computers. Ransomware gangs love using it because it hides their traffic.
SystemBC
SystemBC is a secret tunnel tool that ransomware gangs use to hide their connections and keep access to hacked networks.
TA505/Clop Operations
TA505 runs the Clop ransomware gang. They specialize in attacking file sharing software used by thousands of companies at once.
TeaBot
TeaBot hides in innocent-looking apps on Google Play. Once installed, it steals your banking passwords and can even take over your phone.
TeamTNT
TeamTNT specializes in hacking cloud systems to mine cryptocurrency. They steal AWS keys and attack Kubernetes.
TeamTNT
TeamTNT is a criminal group that hunts cloud servers and containers to steal resources and cloud credentials.
TeamViewer Abuse
TeamViewer is popular remote access software that scammers love to abuse. Tech support scams often use it.
TEARDROP
TEARDROP was a sneaky loader that hid attack tools inside images and never touched the hard drive.
TeslaCrypt
TeslaCrypt was ransomware that targeted video game players, but surprisingly the criminals gave away the key to unlock files for free.
ThunderKitty
ThunderKitty is a Mac stealer that goes after crypto wallets, SSH keys, and cloud accounts.
Tinba
Tinba is a tiny but dangerous banking virus - only 20KB. Small size helps it avoid detection.
Titan Stealer
Titan Stealer is written in Go and sends stolen data via Telegram. It focuses on browser passwords and crypto.
TrickBot
TrickBot was once the Swiss Army knife of malware - it could steal banking credentials, spread through networks, and open doors for ransomware. It was behind countless Ryuk and Conti ransomware attacks. After years of law enforcement action and the Russia-Ukraine conflict impacting the group, TrickBot finally shut down. But its people moved to other malware operations.
TrickBot
TrickBot is a Swiss Army knife for hackers that started stealing bank passwords but grew to do almost anything criminals need.
Trigona
Trigona ransomware breaks in through database servers. If your SQL Server is exposed to the internet, you are at risk.
Trigona
Trigona ransomware specializes in attacking database servers, encrypting business-critical data to maximize ransom leverage.
TRITON
TRITON is terrifying malware designed to disable safety systems in factories. It could cause explosions or chemical releases.
Tsunami
Tsunami is an old but still active Linux botnet that hackers control through chat rooms to launch attacks.
Uroburos
Think of Uroburos as an invisible spy that lives in the deepest parts of your computer, hiding so well that even security programs cannot see it while stealing secrets.
Ursnif
Ursnif is an ancient banking virus that refuses to die. It steals online banking credentials and has been around since 2007.
Vawtrak
Vawtrak is a banking virus that targets hundreds of banks. It is very good at hiding from antivirus software.
Venom RAT
Venom RAT is a fork of AsyncRAT sold to criminals. It can steal passwords and mine cryptocurrency on infected computers.
Vice Society
Vice Society loves attacking schools. They steal student data and threaten to release it if schools do not pay.
Vidar Stealer
Vidar is a steal-everything malware that criminals customize like ordering from a menu. They choose exactly what to steal - passwords, crypto, files, screenshots. It's cheap to rent and often used as the first step before a bigger attack like ransomware. It hides in fake software downloads and email attachments.
Virut
Virut was a shape-shifting virus that infected program files and web pages, building an army of zombie computers.
WannaCry
WannaCry spread like wildfire in 2017 using a leaked NSA hacking tool. It hit hospitals, businesses, and governments in 150 countries.
WannaCry
WannaCry was a computer virus that spread across the whole world in one weekend, locking up hospitals and businesses and asking for Bitcoin.
Warzone RAT
Warzone was a popular hacking tool that criminals could buy to take over computers. The FBI shut it down and arrested the people running it.
Warzone RAT
Warzone is a spy program sold to criminals that was so successful the FBI had to shut it down, but copies are still being used.
WastedLocker
WastedLocker is ransomware made by the Russian Evil Corp gang. They targeted major US companies with huge ransom demands.
WellMail
WellMail was a helper tool used with WellMess by Russian spies to steal research secrets.
WellMess
WellMess was a spy tool used by Russian hackers to steal vaccine research during the pandemic.
WhisperGate
WhisperGate looked like ransomware but was really a Russian weapon to destroy Ukrainian government computers before the invasion.
WhiteSnake Stealer
WhiteSnake steals passwords from your browsers, email programs, and crypto wallets. It is sold to criminals and spread through phishing emails.
Winnti
Winnti started as a tool to hack video game companies but grew into a spy program used against all kinds of businesses to steal their secrets.
Xenomorph
Xenomorph attacks Android banking apps and can automatically steal money from your accounts. It targets hundreds of banks, especially in Europe.
XLoader
XLoader evolved from an older stealer to work on Macs and Windows, stealing passwords from browsers and email programs.
XMRig
XMRig is a cryptocurrency miner. While it is legitimate software, criminals use it to mine crypto on your computer without permission.
XMRig
XMRig is a legal mining program that criminals take and secretly install on victims' computers to make cryptocurrency money.
XorDDoS
XorDDoS is a Linux computer virus that guesses server passwords to build an army of attack machines.
XWorm
XWorm is a modular hacking tool that can be customized with plugins. It steals passwords, logs keystrokes, and can steal cryptocurrency.
XWorm
XWorm is a new type of spy software that can hide from security programs while stealing passwords, cryptocurrency, and letting hackers attack other computers.
Zeppelin
Zeppelin attacks hospitals and IT companies. The FBI recovered some decryption keys that can help victims.
Zeus/Zbot
Zeus is the grandfather of banking malware. It steals your online banking credentials and has been around since 2007. Many modern malware families are based on Zeus.
ZLoader
ZLoader evolved from the infamous Zeus banking malware. It steals credentials and delivers ransomware.
ZLoader
ZLoader is like a modernized version of one of the first major bank-stealing programs, updated to also deliver ransomware attacks.