Top 10 Malware Q1 2025
By: The Center for Internet Security® (CIS®) Cyber Threat Intelligence (CTI) team
Published April 23, 2025
In Q1 2025, the Top 10 Malware observed via the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) monitoring services changed slightly from the previous quarter. The downloader SocGholish continued to lead the Top 10 Malware for the seventh quarter in a row, comprising 48% of detections. SocGholish is a downloader written in JavaScript that is distributed through malicious or compromised websites via fake browser updates. SocGholish infections can lead to further exploitation, such as by loading the NetSupport and AsyncRAT remote access tools. ZPHP, a downloader, and CoinMiner, a cryptocurrency miner, followed SocGholish.
In Q1 2025, TeleGrab and VenomRAT made their first appearance. TeleGrab is an infostealer that targets the desktop and web versions of Telegram. It collects cache and key files, hijacks chat sessions, and captures contacts and chat history. VenomRAT is an open-source Remote Access Trojan (RAT) often dropped by other malware or spread via malspam. Since VenomRAT is open-source, there are multiple versions with varying capabilities. Most versions include capabilities associated with keylogging, screen capture, password theft, data exfiltration, and downloading and executing additional files.
Malware Infection Vectors
The MS-ISAC tracks potential initial infection vectors for the Top 10 Malware each quarter based on open-source reporting, as depicted in the graph below. We currently track three initial infection vectors: Dropped, Malspam, and Malvertisement. Some malware use different vectors in different contexts, which are tracked as Multiple.
- Dropped: Malware delivered by other malware already on the system, an exploit kit, infected third-party software, or manually by a cyber threat actor. Ratenjay used this technique at the time of publication.
- Malspam: Unsolicited emails, which either direct users to malicious websites or trick users into downloading or opening malware. Agent Tesla used this technique at the time of publication.
- Malvertisement: Malware introduced through malicious advertisements. LandUpdate808, SocGholish, and ZPHP used this technique at the time of publication.
- Multiple: Malware that currently uses at least two vectors, such as Dropped and Malspam. Arechclient2, CoinMiner, DarkGate, TeleGrab, and VenomRAT used this technique at the time of publication.
The CIS Community Defense Model (CDM) v2.0 can help you defend against 77% of MITRE ATT&CK (sub-)techniques associated with malware — regardless of the infection vector they use. Learn more in the video below.
In Q1 2025, Malvertisement was the number one initial infection vector due to the SocGholish, ZPHP, and LandUpdate808 campaigns.
Top 10 Malware and IOCs
Below are the Top 10 Malware listed in order of prevalence. The CIS CTI team provides associated Indicators of Compromise (IOCs) to aid defenders in detecting and preventing infections from these malware variants. Analysts sourced these IOCs from threat activity observed via CIS Services® and open-source research. Network administrators can use the IOCs for threat hunting but should vet any indicator for organizational impact before using it for blocking purposes.
- SocGholish
- ZPHP
- CoinMiner
- Agent Tesla
- TeleGrab
- Arechclient2
- LandUpdate808
- VenomRAT
- DarkGate
- Ratenjay
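The indicators below are published defanged (`[.]` in place of `.`) and grouped under the headings Domains, URLs, IP Addresses and SHA256 Hashes. The following Python script, added here as an illustration and not code from CIS or the MS-ISAC, shows the threat-hunting use the paragraph above describes: it parses text in the report's layout, refangs and normalizes each indicator, and runs the resulting set over a few constructed DNS, proxy and EDR log lines. The excerpt of indicators is taken from this report; the log lines, host names and client addresses are constructed for the example. Domain matches also cover hosts under a listed domain, and malformed hash or IP entries are rejected at parse time rather than silently becoming a rule.

```python
import re

# Constructed excerpt in the report's own layout. The indicators are copied from
# the lists in this report; the subset and layout are assembled for the example.
IOC_TEXT = """\
1. SocGholish
Domains
apiexplorerzone[.]com
rednosehorse[.]com
3. CoinMiner
Domains
xmrminingproxy[.]com
SHA256 Hashes
6FB4945BB73AC3F447FB7AF6BD2937395A067A6E0C0900886095436114A17443
6. Arechclient2
IP Addresses
45[.]141[.]87[.]16
"""

# Section headings used in the report, mapped to an indicator type.
SECTION_TYPES = {"Domains": "domain", "URLs": "domain",
                 "IP Addresses": "ip", "SHA256 Hashes": "sha256"}
FAMILY_RE = re.compile(r"^\d+\.\s+(\S.*)$")          # "1. SocGholish"
SHA256_RE = re.compile(r"[0-9a-f]{64}")
IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
# Hostname-looking tokens in a log line; the last label must be alphabetic, so IPs are excluded.
DOMAIN_TOKEN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def refang(value: str) -> str:
    """Undo the defanging used in the report ('[.]' for '.', 'hxxp' for 'http')."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def parse_iocs(text: str) -> dict:
    """Return {normalized_indicator: (type, malware_family)} from report-style text."""
    iocs, family, kind = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FAMILY_RE.match(line)
        if m:                            # a numbered heading starts a new family block
            family, kind = m.group(1), None
            continue
        if line in SECTION_TYPES:        # "Domains", "SHA256 Hashes", ...
            kind = SECTION_TYPES[line]
            continue
        if family is None or kind is None:
            continue
        value = refang(line).lower()
        # Reject malformed entries so a typo in the feed cannot become a detection rule.
        if kind == "sha256" and not SHA256_RE.fullmatch(value):
            continue
        if kind == "ip" and not IPV4_RE.fullmatch(value):
            continue
        iocs[value] = (kind, family)
    return iocs


def domain_candidates(host: str) -> list:
    """'cdn.evil.example' -> ['cdn.evil.example', 'evil.example']: a listed domain
    should also match hosts under it."""
    labels = host.lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def scan_line(line: str, iocs: dict) -> list:
    """Return [(indicator, family)] for every IOC found in one log line."""
    hits = []
    for h in re.findall(r"\b[0-9a-fA-F]{64}\b", line):
        entry = iocs.get(h.lower())
        if entry and entry[0] == "sha256":
            hits.append((h.lower(), entry[1]))
    for ip in re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", line):
        entry = iocs.get(ip)
        if entry and entry[0] == "ip":
            hits.append((ip, entry[1]))
    for host in DOMAIN_TOKEN_RE.findall(line):
        for cand in domain_candidates(host):
            entry = iocs.get(cand)
            if entry and entry[0] == "domain":
                hits.append((cand, entry[1]))
                break
    return hits


def scan_logs(lines: list, iocs: dict) -> list:
    """Scan many log lines; each hit records the line index, the indicator and the family."""
    return [{"line": i, "indicator": ind, "family": fam}
            for i, line in enumerate(lines)
            for ind, fam in scan_line(line, iocs)]


# Constructed sample log lines (DNS, proxy and EDR style); not from any real environment.
SAMPLE_LOGS = [
    "2025-03-04T10:12:01Z dns client=10.0.0.21 query=cdn.apiexplorerzone.com type=A",
    "2025-03-04T10:12:07Z proxy client=10.0.0.21 dst=45.141.87.16:443 host=- action=allow",
    "2025-03-04T10:13:40Z edr host=WS-0021 event=process_create "
    "sha256=6fb4945bb73ac3f447fb7af6bd2937395a067a6e0c0900886095436114a17443 image=C:\\Users\\Public\\update.exe",
    "2025-03-04T10:14:02Z dns client=10.0.0.33 query=updates.example.org type=A",
]

if __name__ == "__main__":
    feed = parse_iocs(IOC_TEXT)
    for hit in scan_logs(SAMPLE_LOGS, feed):
        print(f"line {hit['line']}: {hit['family']} indicator {hit['indicator']}")
```

Run as-is, the script reports three hits (a SocGholish domain seen as a subdomain in a DNS query, an Arechclient2 address in a proxy connection, and a CoinMiner hash in an EDR process event) and nothing for the benign DNS line. Hits are tagged with the family name from the heading so an analyst can pivot straight to the relevant write-up; as the report notes, a hit is a lead for hunting, and each indicator should be vetted for organizational impact before it is turned into a block rule.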
1. SocGholish
SocGholish is a downloader written in JavaScript and is distributed through malicious or compromised websites via fake browser updates. The malware uses multiple methods for traffic redirection and payload delivery, commonly uses Cobalt Strike, and steals information from the victim’s system. Additionally, SocGholish can lead to further exploitation, such as loading the NetSupport and AsyncRAT remote access tools or even ransomware in some cases.
Domains
apiexplorerzone[.]com
blacksaltys[.]com
blackshelter[.]org
blessedwirrow[.]org
brickedpack[.]com
clicktopanel[.]app
digdonger[.]org
foundedbrounded[.]org
goneflower[.]org
groundrats[.]org
leatherbook[.]org
losttwister[.]com
modernkeys[.]org
newgoodfoodmarket[.]com
packedbrick[.]com
rapiddevapi[.]com
rednosehorse[.]com
newgreenvibes[.]com
smthwentwrong[.]com
2. ZPHP
ZPHP is a downloader written in JavaScript and is distributed through malicious or compromised websites via fake browser updates. ZPHP is also known to drop the NetSupport remote access tool and the malware Lumma Stealer.
Domains
23mtkro[.]cn
allenew1[.]com
alhasba[.]com
bstionline[.]com
cinaweine[.]shop
comparegjs[.]com
covaticonstructioncorp[.]shop
cryptohardware[.]shop
dcdh4[.]shop
dgdsrzzw45tg[.]cn
egaolife[.]info
e3ubj753ifg[.]xyz
huntaget[.]cn
islonline[.]org
kfzversicherungskosten[.]top
layardrama21[.]top
pablogutierrez[.]life
poormet[.]com
3. CoinMiner
CoinMiner is a cryptocurrency miner family that typically uses Windows Management Instrumentation (WMI) to spread across a network. Additionally, it often uses the WMI Standard Event Consumer scripting to execute scripts for persistence. However, the malware’s capabilities vary, as there are multiple variants. CoinMiner spreads through malspam or is dropped by other malware.
Domains
xmrminingproxy[.]com
SHA256 Hashes
47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca
6FB4945BB73AC3F447FB7AF6BD2937395A067A6E0C0900886095436114A17443
72F1BA6309C98CD52FFC99DD15C45698DFCA2D6CE1EF0BF262433B5DFFF084BE
8A492973B12F84F49C52216D8C29755597F0B92A02311286B1F75EF5C265C30D
a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
a4F20B60A50345DDF3AC71B6E8C5EBCB9D069721B0B0EDC822ED2E7569A0BB40
b6ea1681855ec2f73c643ea2acfcf7ae084a9648f888d4bd1e3e119ec15c3495
f08d47cb3e1e848b5607ac44baedf1754b201b6b90dfc527d6cefab1dd2d2c23
4. Agent Tesla
Agent Tesla is a RAT that targets Windows operating systems and is available for purchase on criminal forums. It has various capabilities depending on the version purchased, including capturing keystrokes and screenshots, harvesting saved credentials from web browsers, copying clipboard data, exfiltrating victim files, and loading other malware onto the host.
Domains
equalizerrr[.]duckdns[.]org
ftp[.]fosna[.]net
Ilang[.]in
topendpower[.]top
SHA256 Hashes
00179fa97b55a6f67a4e7be7041f3d38b0a794051ce47750ea2f988f61c3dcff
0cd0926bd998e8e1c8dc74c2edd3f48a73d7d30a7c5794790d104c1149c02e2e
208AF8E2754A3E55A64796B29EF3A625D89A357C59C43D0FF4D2D30E20092D74
3ac7c6799414c1fe18dc8e355833651a85e73b443df78f6870293a2266483093
47f8dd63f16253fbcdf2a1e912c3eb87c7b58d468592a410fb3132ae3899790b
7230CC614270DCA79415B0CF53A666A219BEB4BEED90C85A1AC09F082AEA613B
8406A1D7A33B3549DD44F551E5A68392F85B5EF9CF8F9F3DB68BD7E02D1EABA7
8e49a4e7b1929aa22ebb4a2abf0302b4b429b2536c675b02f8e0b871b7f06952
95e526a19a39942ee7073e28adddb685bb5bb41f889858c91bea644c657acb36
A1475A0042FE86E50531BB8B8182F9E27A3A61F204700F42FD26406C3BDEC862
5. TeleGrab
TeleGrab is an infostealer that targets the desktop and web versions of Telegram. It collects cache and key files, hijacks chat sessions, and captures contacts and chat history.
SHA256 Hashes
04235dc68d798863ca1177864c7dba300cf1def2c6eb79885338fc8279b8aa49
2be87bc7e1cee08a3abc7f8fefcfab697bd28404441f2b8ee8fafba356164902
683aca7614f51d52e2121e240dd2d5fc72858d7dbc6e27f97be83a987f9c5103
8b8b7d5da95a731f699ccc5c81f410f7d3b48b4986d5be2dee084cb269931151
a5dbbbc7996967cf7f16f998fab6dbc09a087082a0d17287418b8ffc2b6228f3
c0b505299214d21c5f89aea4d381dbd76ef5ce9a38770b693578d4647e61a471
6. Arechclient2
Arechclient2, also known as SectopRAT, is a .NET RAT with numerous capabilities including multiple defense evasion functions. Arechclient2 can profile victim systems, steal information such as browser and crypto-wallet data, and launch a hidden secondary desktop to control browser sessions. Additionally, it has several anti-virtual machine and anti-emulator capabilities.
Domains
be-precision[.]com
bienvenido[.]com
chrome[.]browser[.]com[.]de
elin[.]co[.]in
key-systems[.]net
launchapps[.]site
promooformosa[.]com
server786[.]ninositsolution[.]com
womansvitamin[.]com
IP Addresses
23[.]227[.]203[.]57
45[.]129[.]86[.]82
45[.]141[.]87[.]16
45[.]141[.]87[.]218
SHA256 Hashes
17BBFCB94482982E9B4282C44DA52313A1E3862ADC5BB48A997A9123B41EBB0B
515EA949BBE6068CD5E642A1C03A0D4BFDBDAC811E9D50FA4435DAADF103D578
7F386E57807F0C2D48B0B33F35E6BAF50BA5EE8B000BBD7B4BDD454CEDC9AE81
8BE80A33454F6C82AB565594CC33A2915D3E02AEB55D0E277AFB00E28249A1A1
DACCDD9EFD13F37083E98CDC9974BB55BB39CBA782A40C10B629B9AB3A25EC4A
F702CE107528B41BD2D6F725779F898D63A2DD1139CD5AE6DA85D2EB6B51CA8E
f0977c293f94492921452921181d79e8790f34939429924063e77e120ebd23d7
7. LandUpdate808
LandUpdate808 is a downloader written in JavaScript and distributed through malicious or compromised websites via fake browser updates. In recently reported campaigns, once a victim clicks on the fake browser update, a malicious MSIX file and two 7ZIP files download to the victim’s system. When executed, LandUpdate808 installs additional tools, such as the NetSupport remote access tool.
Domains
alhasba[.]com
ambiwa[.]com
chewels[.]com
codereviewerss[.]com
edveha[.]com
elizgallery[.]com
esaleerugs[.]com
e2sky[.]com
gcafin[.]com
ilsotto[.]com
nyciot[.]com
nypipeline[.]com
rajjas[.]com
safigdata[.]com
skatkat[.]com
tayakay[.]com
waxworkx[.]com
8. VenomRAT
VenomRAT is an open-source RAT often dropped by other malware or spread via malspam. Since VenomRAT is open-source, there are multiple versions with varying capabilities. Most versions include capabilities associated with keylogging, screen capture, password theft, data exfiltration, and downloading and executing additional files.
SHA256 Hashes
075f991f42c1509d545a8e164875e6464c7394dbc1e8550ba8cd50d6b5b5f2ea
2da1f0becc2a345ae2df1f7a406cd030d3b44976e336f67a8fc506eab5a3b2f5
820a442192d72db78adede51a329b33185599b915d1c76fbda8c8b5a538f794f
aa0587c13130ca51b361ad9734020bdf6484a0f9c046b4846b31552449082ee4
adbce5e454bbc8b27c4ac87f70dee8d622395b541736d6f0af027dd94e454cb7
ff939d8a377b37b1688edc3adb70925ffcf313f83db72278d14955b323b138b7
f3cade8dee5394be8783ffebddedab2c12be852fd4ef4d33838ede1a340520d4
9. DarkGate
DarkGate is a downloader typically sold on Russian-language cybercriminal dark web forums. DarkGate can steal financial information, exfiltrate personally identifiable information (PII), and drop additional malware. It uses legitimate AutoIt files and typically runs AutoIt scripts. Additionally, DarkGate can download and execute files to memory. It also comes with a Hidden Virtual Network Computing (HVNC) module and keylogging capabilities.
URLs
adfhjadfbjadbfjkhad44jka[.]com
diveupdown[.]com
nextroundst[.]com
IP Addresses
179[.]60[.]149[.]194
SHA256 Hashes
07193b01c5787e5b105cf683dea272f98cd9d049a6d15309c1c1470af29f7775
2a8a49d9c25d786a5108a53d0b3281677b299540f54580a7b49aa8de78ec0ee1
4f30d975121d44705a79c4f5c8aeba80d8c97c8ef10c86fee011b99f12b173b4
4fe8bbc88d7a8cc0eec24bd74951f1f00b5127e3899ae53de8dabd6ff417e6db
5e9fbae0b94f6e36717bbd2c997981ba438d7efd800e76924f73452a69c04051
6b6676267c70fbeb3257f0bb9bce1587f0bdec621238eb32dd9f84b2bcd7e3ea
897B0D0E64CF87AC7086241C86F757F3C94D6826F949A1F0FEC9C40892C0CECB
bb56354cdb241de0051b7bcc7e68099e19cc2f26256af66fad69e3d2bc8a8922
10. Ratenjay
Ratenjay is a RAT dropped by other malware or downloaded as a file onto a victim’s system. It executes commands remotely and includes keylogging capabilities.
Domains
doddyfire[.]linkpc[.]net
IP Addresses
94[.]158[.]247[.]101
167[.]235[.]141[.]81
SHA256 Hashes
0b7f183b40b372a2779f558291fc51b1f9a3ce2862d1a72ba0a307cc2d55a356
07eaa040d73e39f53851533c8c09d92cd3228d099236e3995b19b4c8a1c15ada
2c14e87e4a8176546f3b989c8b8e88f520f13db9982472638de6fc74a5a254aa
5f1d94e632a9abaffe774c5813f1164620b61cb0b1f82efb1af8d7d29a774426
6431b4286483d7321ba205a441d72b85a7ae2c3711df252826d270b766521935
8869d81691cdc2a3847bc8964e58822a56e2e6a9225beb65a8182976dab70db9
ecb76b84a0e4c8423c1daf5b4a346f1dda22d656378e7217505da1f79a01c19a
Strengthen Your Defenses against Cyber Threats
The quarterly Top 10 Malware list is just one of the ways the CIS CTI team helps U.S. State, Local, Tribal, and Territorial (SLTT) government organizations strengthen their cybersecurity posture. Members of the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) receive additional insights and threat intelligence from the CIS CTI team on an ongoing basis.