Top 10 Malware August 2022

In August 2022, the Top 10 Malware line-up changed considerably compared to the previous month. This month, LingyunNET, RecordBreaker, and TeamSpy made their first appearance, while SocGholish and Tinba returned to the Top 10 malware. LingyunNET is riskware that utilizes the victim's system resources. RecordBreaker is the successor to Racoon Stealer. RecordBreaker is an infostealer sold as malware-as-a-service on underground forums and steals data such as passwords, cookies, browser data, etc. TeamSpy is spyware that has been known to use a popular remote access tool, TeamViewer, and malware to steal information from victims. The Top 10 Malware variants comprised 47% of the total malware activity in August 2022, decreasing four percent from July 2022.

MS-ISAC Malware Notifications TLP WHITE August 2022 thumbnail

Top 10 Malware TLP WHITE August 2022 thumbnail

Malware Infection Vectors

The MS-ISAC tracks potential primary infection vectors for our Top 10 Malware each month based on open-source reporting, as depicted in the graph below. We currently track four initial infection vectors: Dropped, Malvertisement, Malspam, and Network. The MS-ISAC has not had any malware in the Top 10 use the initial infection vector Network in the past year. Some malware employ different vectors in different contexts and are thus tracked as Multiple.

In August 2022, Multiple replaced Malvertisement as the top initial infection vector due to the recent SocGholish campaign and to the end of the Shlayer campaign. Activity levels for Malspam and Multiple increased, while activity for Dropped and Malvertisement decreased. It is likely that Multiple will remain the primary infection vector in the coming months as SocGholish’s campaign persists and other malware add initial infection methods to increase the span of their campaign. The Multiple category can include several vectors, and as such, it tends to increase and decrease at unpredictable rates, making trend analysis challenging. This category will likely continue to comprise a significant portion of the initial infection vectors as malware becomes more sophisticated and employs multiple methods to infect systems. Malspam consistently represents a portion of the Top 10 malware as it is one of the oldest, most reliable primary initial infection vectors used by cyber threat actors in both this category and the Multiple category.

Top 10 Malware - Initial Infection Vectors TLP WHITE thumbnail

Dropped – Malware delivered by other malware already on the system, an exploit kit, infected third-party software, or manually by a cyber threat actor. Currently, Gh0st is using this technique.

Multiple – Malware that currently favors at least two vectors. Currently, CoinMiner, LingyunNet, RecordBreaker, SocGholish, TeamSpy, and ZeuS are the malware utilizing multiple vectors.

Malspam – Unsolicited emails either direct users to malicious web sites or trick users into downloading or opening malware. Top 10 Malware using this technique include Agent Tesla, NanoCore, and Tinba.

Top 10 Malware and IOCs

Below are the Top 10 Malware ranked in order of prevalence. The respective indicators of compromise (IOCs) are provided to aid in detecting and preventing infections from these Top 10 Malware variants. The below IOCs are for the purpose of threat hunting and may not be inherently malicious.

Note: The associated URIs are aligned with malware’s respective domain(s) or IP(s) and increase the likelihood of maliciousness when found together. The URIs alone are not inherently malicious.  


SocGholish is a RAT and a banking trojan that uses fake Flash Updates to drop a NetSupport RAT payload.


  • irsbusinessaudit[.]net
  • irsgetwell[.]net
  • common.dotviolationsremoval[.]com
  • d2j09jsarr75l2.cloudfront[.]net
  • mafia.carverdesigngroup[.]com
  • cruize.updogtechnologies[.]com
  • record.usautosaleslv[.]com
  • hunter.libertylawaz[.]com
  • requests.pleaseactivate[.]me
  • zoom.themyr2bpodcast[.]com
  • accounts.mynewtopboyfriend[.]store
  • restructuring.breatheinnew[.]life
  • activation.thepowerofhiswhisper[.]com
  • sonic.myr2b[.]me
  • baget.godmessaged[.]me
  • predator.foxscalesjewelry[.]com
  • amplifier.myjesusloves[.]me
  • episode.foxscales[.]com
  • active.aasm[.]pro
  • tickets.kairosadvantage[.]com
  • templates.victoryoverdieting[.]com
  • casting.faeryfox[.]com
  • wallpapers.uniquechoice-co1[.]com
  • basket.stylingtomorrow[.]com
  • vacation.thebrightgift1[.]com
  • wallpapers.uniquechoice-co[.]com
  • vacation.thebrightgift[.]com
  • cigars.pawscolours[.]com
  • premium.i5417[.]com
  • rituals.fashionediter[.]com
  • expense.brick-house[.]net
  • loans.mistakenumberone[.]com
  • soendorg[.]top


ZeuS is a modular banking trojan that uses keystroke logging to compromise victim credentials when the user visits a banking website. Since the release of the ZeuS source code in 2011, many other malware variants have adopted parts of its codebase, which means that events classified as ZeuS may actually be other malware using parts of the ZeuS code.

MD5 Hashes



CoinMiner is a cryptocurrency miner family that typically uses Windows Management Instrumentation (WMI) and EternalBlue to spread across a network. Additionally, it typically uses the WMI Standard Event Consumer scripting to execute scripts for persistence. However, due to multiple variants of this malware, capabilities may vary. CoinMiner spreads through malspam or is dropped by other malware.

MD5 Hashes



TeamSpy is spyware that has been known to use a popular remote access tool, TeamViewer, and malware to steal information from victims.




These are domains created by a generation algorithm (DGA).

  • Aidjthx[.]ru
  • aqzisud[.]ru
  • ayozgqi[.]ru
  • aypukww[.]ru
  • bjrmctw[.]com
  • brgnkyw[.]com
  • bzdsodx[.]com
  • cefndxb[.]net
  • disriou[.]info
  • dlylbux[.]info
  • eggrewv[.]ua
  • egtobdw[.]ua
  • embwhdk[.]ua
  • emrdtbx[.]ua
  • endtcww[.]ua
  • enxjicu[.]ua
  • eolptdd[.]ua
  • eudauew[.]ua
  • eugnhuw[.]ua
  • gjdhcdw[.]com
  • kdttmii21916368[.]ua
  • khuddqu24603344[.]ua
  • khvrder23620304[.]ua
  • kndexes24931024[.]ua
  • kneoeew24734416[.]ua
  • kxvfeow23554768[.]ua
  • qivoeeu[.]ru
  • rzawxds[.]com
  • uhgybdw[.]ua
  • uuxiqlu[.]ua
  • vixkknv[.]ru
  • wbikvir[.]com
  • wzhscse[.]com
  • yiwxukt[.]info
  • zbjqrus[.]ua
  • zfdboiu[.]ua
  • zhoppju[.]ua
  • zpueyer[.]ua
  • zukscuk[.]ua
  • zxfbihb[.]ua


NanoCore is a RAT spread via malspam as a malicious Excel XLS spreadsheet. As a RAT, NanoCore can accept commands to download and execute files, visit websites, and add registry keys for persistence.



SHA256 Hashes

  • c8c69f36f89061f4ce86b108c0ff12ade49d665eace2d60ba179a2341bd54c40
  • dfdb008304c3c2a5ec1528fe113e26088b6118c27e27e5d456ff39d300076451
  • ff66be4a8df7bd09427a53d2983e693489fbe494edd0244053b29b9f048df136
  • 0195b0fbff91bece4665d8189bec104e44cdec85b6c26f60023a92dece8ca713
  • 098fe3c8d0407e7438827fb38831dac4af8bd42690f8bd43d4f92fd2b7f33525
  • 2605a1cb2b510612119fdb0e62b543d035ad4f3c873d0f5a7aa3291968c50bc8
  • 28ef1f6f0d8350a3fda0f604089288233d169946fca868c074fc16541b140055
  • 4b61697d61a8835a503f2ea6c202b338bde721644dc3ec3e41131d910c657545
  • 7257729274b6ab5c1a605900fa40b2a76f386b3dbb3c0f4ab29e85b780eaef73
  • 959484bfe98d39321a877e976a7cde13c9e2d0667a155dda17aeade58b68391c
  • 988c1b9c99f74739edaf4e80ecaba04407e0ca7284f3dbd13c87a506bf0e97b7


LingyunNet is riskware that utilizes the victims system resources.



Agent Tesla

Agent Tesla is a RAT that can exfiltrate credentials, log keystrokes, and capture screenshots from an infected computer.

SHA256 Hashes

Initial Infection File

First Stage dll module

XLL Droppers

Final Agent Tesla Payload


Gh0st is a RAT used to control infected endpoints. Gh0st is dropped by other malware to create a backdoor into a device that allows an attacker to fully control the infected device.

SHA256 Hashes



RecordBreaker is an infostealer that is the successor to Racoon Stealer. RecordBreaker is sold as malware-as-a-service on underground forums, and it steals data such as passwords, cookies, browser data, etc.




Tinba (aka Tiny Banker) is a banking trojan, known for its small file size. Tinba uses web injection to collect victim information from login pages and web forms and is primarily disseminated via exploit kits.