Top 10 Malware August 2020

In August 2020, four new malware variants entered the Top 10, two of them first-timers on the list: Agent Tesla and Blaknight. The Top 10 Malware variants composed 78% of Total Malware activity in August 2020, up from 60% in July. The significant jump from the previous month is due to the rapid increase in Shlayer activity, which has not entered the Top 10 Malware since February 2019. This is likely due to recent structural upgrades to Shlayer, giving it dropper and downloader capabilities in conjunction with its existing adware functionality. Additionally, due to the start of a new school year, Shlayer activity has drastically increased from the previous month. Shlayer is highly likely to remain at the top of the Top 10 Malware as its campaign pans out.



In August 2020, malvertisement accounted for the greatest number of alerts. Malvertisement's continued increase as the top initial infection vector is due to Shlayer activity. Shlayer returned to the Top 10 Malware after new evidence resulted in it being reclassified as a Trojan Downloader rather than an Adware Dropper. Adware Droppers are not included in the Top 10 Malware count. Activity levels for all vectors, except multiple and network, increased. MS-ISAC observed two new malware variants, Agent Tesla and Blaknight.


Dropped – Malware delivered by other malware already on the system, an exploit kit, infected third-party software, or manually by a cyber threat actor. Currently Gh0st and Qakbot are being dropped.

Multiple – Malware that currently favors at least two vectors. ZeuS is the only malware currently utilizing multiple vectors. ZeuS is dropped by other malware, but it is also delivered via malvertisement.

Malspam – Unsolicited emails, which either direct users to malicious websites or trick users into downloading or opening malware. Top 10 Malware using this technique include Blaknight, Dridex, Kovter, Megalodon, and NanoCore.

Malvertisement – Malware introduced through malicious advertisements. Currently, Shlayer and SocGholish are the only Top 10 Malware using this technique.


  1. Shlayer is a downloader and dropper for macOS malware. It is primarily distributed through malicious websites, hijacked domains, and malvertising posing as a fake Adobe Flash updater.
  2. Gh0st is a RAT used to control infected endpoints. Gh0st is dropped by other malware to create a backdoor into a device that allows an attacker to fully control the infected device.
  3. Agent Tesla is a RAT that exfiltrates credentials, logs keystrokes, and captures screenshots from an infected computer.
  4. ZeuS is a modular banking trojan which uses keystroke logging to compromise victim credentials when the user visits a banking website. Since the release of the ZeuS source code in 2011, many other malware variants have adopted parts of its codebase, which means that events classified as ZeuS may be other unnamed malware using parts of the ZeuS code.
  5. Blaknight, also known as HawkEye, is an Infostealer known for its keylogging capabilities for credential and banking theft.
  6. Qakbot is financial malware designed to target governments and businesses for financial fraud and known for its wormability on a network. Qakbot installs a keylogger to steal user credentials. It monitors network traffic, specifically traffic to online banking websites and can piggyback on a user’s active banking session by intercepting authentication tokens. It is currently being dropped by Emotet.
  7. SocGholish is a RAT and a banking trojan that uses fake Flash Updates to drop a NetSupport RAT payload. Recently, SocGholish has been used to drop WastedLocker ransomware, a new ransomware variant.
  8. NanoCore is a RAT spread via malspam as a malicious Excel XLS spreadsheet. As a RAT, NanoCore can accept commands to download and execute files, visit websites, and add registry keys for persistence.
  9. Dridex is a banking trojan that uses malicious macros in Microsoft Office with either malicious embedded links or attachments. Dridex is disseminated via malspam campaigns.
  10. Kovter is a fileless click fraud malware and a downloader that evades detection by hiding in registry keys. Reporting indicates that Kovter can have backdoor capabilities and uses hooks within certain APIs for persistence.