Top 10 Malware Q2 2025

By: The Center for Internet Security® (CIS®) Cyber Threat Intelligence (CTI) team

Published July 18, 2025


Total malware notifications from the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) monitoring services decreased 18% from Q1 2025 to Q2 2025. SocGholish led the top malware, continuing its two-year trend, comprising 31% of detections. SocGholish is a downloader written in JavaScript that is distributed through malicious or compromised websites via fake browser updates. SocGholish infections often lead to further exploitation, such as the deployment of the NetSupport and AsyncRAT remote access tools. ZPHP, a downloader, and Agent Tesla, a Remote Access Trojan (RAT), followed SocGholish.

In Q2 2025, the MS-ISAC also observed the return of ClearFake, Mirai, and NanoCore. VenomRAT made its first appearance in Q1 2025 and became the fourth most prevalent malware in Q2. VenomRAT is an open-source RAT often dropped by other malware or spread via malspam. Since VenomRAT is open-source, there are multiple versions with varying capabilities. Most versions include keylogging, screen capture, password theft, data exfiltration, as well as downloading and executing additional files. In an observed campaign, VenomRAT used malicious domains mimicking antivirus software, such as Bitdefender, to trick victims into downloading it.[i]

Top 10 Malware

Malware Infection Vectors

The MS-ISAC tracks potential initial infection vectors for the Top 10 Malware each quarter based on open-source reporting, as depicted in the graph below. We currently track three initial infection vectors: Dropped, Malspam, and Malvertisement. Some malware use different vectors in different contexts, which are tracked as Multiple.

  • Dropped: Malware delivered by other malware already on the system, an exploit kit, infected third-party software, or manually by a cyber threat actor. Mirai used this technique at the time of publication.
  • Malspam: Unsolicited emails, which either direct users to malicious websites or trick users into downloading or opening malware. Agent Tesla used this technique at the time of publication.
  • Malvertisement: Malware introduced through malicious advertisements. ClearFake, LandUpdate808, SocGholish, and ZPHP used this technique at the time of publication.
  • Multiple: Malware that currently uses at least two vectors, such as Dropped and Malspam. ArechClient2, CoinMiner, NanoCore, and VenomRAT used this technique at the time of publication.

The CIS Community Defense Model (CDM) v2.0 can help you defend against 77% of MITRE ATT&CK (sub-)techniques associated with malware — regardless of the infection vector they use.

In Q2, Malvertisement was the number one initial infection vector due to the SocGholish, ZPHP, ClearFake, and LandUpdate808 campaigns.

Top 10 Malware — Initial Infection Vectors

Top 10 Malware and IOCs

Below are the Top 10 Malware listed in order of prevalence. The CIS CTI team provides associated Indicators of Compromise (IOCs) to aid defenders in detecting and preventing infections from these malware variants. Analysts sourced these IOCs from threat activity observed via CIS Services® and open-source research. Network administrators can use the IOCs for threat hunting but should vet any indicator for organizational impact before using it for blocking purposes.

  1. SocGholish
  2. ZPHP
  3. Agent Tesla
  4. VenomRAT
  5. CoinMiner
  6. Mirai
  7. NanoCore
  8. ArechClient2
  9. ClearFake
  10. LandUpdate808

1. SocGholish

SocGholish is a downloader written in JavaScript and distributed through malicious or compromised websites via fake browser updates. It uses multiple methods for traffic redirection and payload delivery, commonly uses Cobalt Strike, and steals information from the victim’s system. Additionally, SocGholish can lead to further exploitation, such as loading the NetSupport and AsyncRAT remote access tools or even ransomware in some cases.

Domains

ai[.]lanpdt[.]org
app[.]symphoniabags[.]com
billing[.]roofnrack[.]us
cpanel[.]productdevelopmentplan[.]com
folders[.]emeraldpinesolutions[.]com
m[.]cpa2go[.]com
photo[.]suziestuder[.]com
round[.]micha[.]ai
smthwentwrong[.]com
stirngo[.]com
whcms[.]greendreamcannabis[.]com
zone[.]ebuilderssource[.]com

2. ZPHP

ZPHP is a downloader written in JavaScript and distributed through malicious or compromised websites via fake browser updates. ZPHP is also known to drop the NetSupport remote access tool and Lumma Stealer malware.

Domains

eddereklam[.]com
islonline[.]org
lqsword[.]top
modandcrackedapk[.]com
textingworld[.]com

3. Agent Tesla

Agent Tesla is a RAT that targets Windows operating systems and is available for purchase on criminal forums. It has various capabilities depending on the version purchased, including capturing keystrokes and screenshots, harvesting saved credentials from web browsers, copying clipboard data, exfiltrating victim files, and loading other malware onto the host.

Domains

ftp[.]fosna[.]net
ftp[.]jeepcommerce[.]rs
hosting2[.]ro[.]hostsailor[.]com
myhost001[.]myddns[.]me
sixfiguredigital[.]group
topendpower[.]top

SHA256 Hashes

00179fa97b55a6f67a4e7be7041f3d38b0a794051ce47750ea2f988f61c3dcff
0cd0926bd998e8e1c8dc74c2edd3f48a73d7d30a7c5794790d104c1149c02e2e
3ac7c6799414c1fe18dc8e355833651a85e73b443df78f6870293a2266483093
550f191396c9c2cbf09784f60faab836d4d1796c39d053d0a379afaca05f8ee8
8406A1D7A33B3549DD44F551E5A68392F85B5EF9CF8F9F3DB68BD7E02D1EABA7
8e49a4e7b1929aa22ebb4a2abf0302b4b429b2536c675b02f8e0b871b7f06952
95e526a19a39942ee7073e28adddb685bb5bb41f889858c91bea644c657acb36
A1475A0042FE86E50531BB8B8182F9E27A3A61F204700F42FD26406C3BDEC862
AC5FC65AE9500C1107CDD72AE9C271BA9981D22C4D0C632D388B0D8A3ACB68F4
c93e37e35c4c7f767a5bdab8341d8c2351edb769a41b0c9c229c592dbfe14ff2
D58B1D7E55D823273BA9B87A79CDC5AAF0A0524C7D6A2524F39B97F973611FC5
D015A8AB246DA40B95A290976F45D9463256431F34433639A0D93F2E609F83F5

4. VenomRAT

VenomRAT is an open-source RAT often dropped by other malware or spread via malspam. Since VenomRAT is open-source, there are multiple versions with varying capabilities. Most versions include capabilities associated with keylogging, screen capture, password theft, data exfiltration, and downloading and executing additional files.

Domains

dataops-tracxn[.]com
idram-secure[.]live
bitdefender-download[.]com
royalbanksecure[.]online

SHA256 Hashes

075f991f42c1509d545a8e164875e6464c7394dbc1e8550ba8cd50d6b5b5f2ea
820a442192d72db78adede51a329b33185599b915d1c76fbda8c8b5a538f794f
aa0587c13130ca51b361ad9734020bdf6484a0f9c046b4846b31552449082ee4
adbce5e454bbc8b27c4ac87f70dee8d622395b541736d6f0af027dd94e454cb7
B2AE69E681C120901C4F5F839125D81B53EABD3F22C0A50547604C15D43A33F3
DEA36BC2C16832E0D7AE8427DDE77E3D398FD7757C705D8EE002DD373CB2EDF7
ff939d8a377b37b1688edc3adb70925ffcf313f83db72278d14955b323b138b7
f3cade8dee5394be8783ffebddedab2c12be852fd4ef4d33838ede1a340520d4
EAD78CEBBB4CF8CF410E1D8674D89D89F35A7A9936C3FF61C16C534062B3E9B8

5. CoinMiner

CoinMiner is a cryptocurrency miner family that typically uses Windows Management Instrumentation (WMI) to spread across a network. Additionally, it often uses the WMI Standard Event Consumer scripting to execute scripts for persistence. However, the malware’s capabilities vary, as there are multiple variants. CoinMiner spreads through malspam or is dropped by other malware.

Domains

xmrminingproxy[.]com

SHA256 Hashes

47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca
6FB4945BB73AC3F447FB7AF6BD2937395A067A6E0C0900886095436114A17443
72F1BA6309C98CD52FFC99DD15C45698DFCA2D6CE1EF0BF262433B5DFFF084BE
8A492973B12F84F49C52216D8C29755597F0B92A02311286B1F75EF5C265C30D
a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
A4F20B60A50345DDF3AC71B6E8C5EBCB9D069721B0B0EDC822ED2E7569A0BB40
b6ea1681855ec2f73c643ea2acfcf7ae084a9648f888d4bd1e3e119ec15c3495
f08d47cb3e1e848b5607ac44baedf1754b201b6b90dfc527d6cefab1dd2d2c23

6. Mirai

Mirai is a malware botnet known to compromise Internet of Things (IoT) devices to conduct large-scale Distributed Denial of Service (DDoS) attacks. Mirai is dropped after a cyber threat actor exploits a device vulnerability for initial access.

SHA256 Hashes

11C0447F524D0FCB3BE2CD0FBD23EB2CC2045F374B70C9C029708A9F2F4A4114
438DC2A85E37356EEFD2D40AC7BAFA8C3AD273DD36991D4B155208C3A3D460B5
7461C0F8FEAC69A39586C4C1ECFEB32627C5A83043721BA0144479EFC0F036A1
F05247A2322E212513EE08B2E8513F4C764BDE7B30831736DFC927097BAF6714

7. NanoCore

NanoCore is a RAT sold on criminal forums and usually spread via malspam with an attachment, such as a malicious Excel (XLS) spreadsheet. NanoCore has a wide range of capabilities including keylogging, screen capture, password theft, data exfiltration, downloading and executing additional files, and adding registry keys for persistence.

Domains

louinc928[.]gotdns[.]ch
x02e2069bb8744[.]anondns[.]net

IP Addresses

123[.]123[.]123[.]123
193[.]161[.]193[.]99
74[.]77[.]124[.]104

SHA256 Hashes

8. ArechClient2

ArechClient2, also known as SectopRAT, is a .NET RAT with numerous capabilities including multiple defense evasion functions. ArechClient2 can profile victim systems, steal information such as browser and crypto-wallet data, and launch a hidden secondary desktop to control browser sessions. Additionally, it has several anti-virtual machine and anti-emulator capabilities.

Domains

bienvenido[.]com
bind-new-connect[.]click
candyconverterpdf[.]com
candyxpdf[.]com
chrome[.]browser[.]com[.]de
key-systems[.]net
launchapps[.]site
promooformosa[.]com
server786[.]ninositsolution[.]com

IP Addresses

143[.]110[.]230[.]167
144[.]172[.]97[.]2
172[.]86[.]115[.]43
45[.]129[.]86[.]82
45[.]141[.]87[.]16
45[.]141[.]87[.]218

SHA256 Hashes

1da2b2004f63b11ab0d3f67cd1431742a1656460492bd4b42fd53d413e6e1570
515EA949BBE6068CD5E642A1C03A0D4BFDBDAC811E9D50FA4435DAADF103D578
7F386E57807F0C2D48B0B33F35E6BAF50BA5EE8B000BBD7B4BDD454CEDC9AE81
8BE80A33454F6C82AB565594CC33A2915D3E02AEB55D0E277AFB00E28249A1A1
F702CE107528B41BD2D6F725779F898D63A2DD1139CD5AE6DA85D2EB6B51CA8E

9. ClearFake

ClearFake is a downloader written in JavaScript and distributed through malicious or compromised websites via fake browser updates. It injects base64-encoded scripts into the HTML of compromised websites. ClearFake also uses PowerShell and loads additional malware such as Amadey, Lumma Stealer, Redline, and Raccoon v2.

Domains

bandarsport[.]net
bip32[.]katuj[.]fun
getlastingro[.]com
kargotrong[.]com
ratatui[.]today
yuun[.]pages[.]dev

10. LandUpdate808

LandUpdate808 is a downloader written in JavaScript and distributed through malicious or compromised websites via fake browser updates. In reported campaigns, once a victim clicks on the fake browser update, a malicious MSIX file and two 7ZIP files download to the victim’s system. When executed, LandUpdate808 installs additional tools, such as the NetSupport remote access tool.

Domains

alhasba[.]com
edveha[.]com
jimriehls[.]com
nypipeline[.]com
rajjas[.]com
skatkat[.]com
swedrent[.]com
waxworkx[.]com
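
The threat-hunting and vetting step described in the Top 10 Malware and IOCs section, worked through as an added example (this is not part of the CIS report and not a CIS tool): the script parses the report's defanged notation ([.] for a dot), validates each indicator against the type of the section it appears in, normalizes hash case, checks constructed DNS query logs and a constructed file-hash inventory against the indicators, and flags domain indicators that sit under a shared hosting or dynamic-DNS parent so that any block is applied to the exact FQDN rather than the parent. The feed excerpt reuses a few indicator values from the lists above; the DNS log format, the log lines, the host inventory and the list of shared-service parent domains are assumptions constructed for the demonstration.

```python
import ipaddress
import re

# Constructed feed excerpt in the report's defanged notation; the indicator values
# are copied from the lists above, the "<n>. <family>" / "<type>" layout mirrors them.
FEED_TEXT = """\
1. SocGholish
Domains
ai[.]lanpdt[.]org
smthwentwrong[.]com
3. Agent Tesla
SHA256 Hashes
C93e37e35c4c7f767a5bdab8341d8c2351edb769a41b0c9c229c592dbfe14ff2
7. NanoCore
IP Addresses
193[.]161[.]193[.]99
9. ClearFake
Domains
yuun[.]pages[.]dev
"""

FAMILY_RE = re.compile(r"^\d+\.\s+(.+)$")
TYPE_HEADERS = {"Domains": "domain", "IP Addresses": "ip", "SHA256 Hashes": "sha256"}
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)[a-z0-9-]+(\.[a-z0-9-]+)+$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DNS_LOG_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)")
# Assumed (not from the report) parents of shared hosting / dynamic-DNS services:
# blocking the parent instead of the exact FQDN also cuts off unrelated tenants.
SHARED_SUFFIXES = ("pages.dev", "gotdns.ch", "anondns.net", "myddns.me")


def refang(value):
    """Undo the report's defanging ('a[.]b' -> 'a.b') and normalize case."""
    return value.replace("[.]", ".").strip().lower()


def parse_feed(text):
    """One {'family','type','value'} per indicator; unattributed or malformed lines are dropped."""
    family, kind, out = None, None, []
    for line in (raw.strip() for raw in text.splitlines()):
        m = FAMILY_RE.match(line)
        if m:                       # "<n>. <family>" starts a new malware section
            family, kind = m.group(1), None
            continue
        if line in TYPE_HEADERS:    # "Domains" / "IP Addresses" / "SHA256 Hashes"
            kind = TYPE_HEADERS[line]
            continue
        if family is None or kind is None:
            continue
        value = refang(line)
        if kind == "sha256" and not SHA256_RE.match(value):
            continue
        if kind == "domain" and not DOMAIN_RE.match(value):
            continue
        if kind == "ip":
            try:
                ipaddress.ip_address(value)
            except ValueError:
                continue
        out.append({"family": family, "type": kind, "value": value})
    return out


def vetting_notes(indicators):
    """Domain IOCs sitting under a shared parent -> {fqdn: parent}: block the exact FQDN only."""
    return {i["value"]: s for i in indicators if i["type"] == "domain"
            for s in SHARED_SUFFIXES if i["value"].endswith("." + s)}


def hunt_dns(indicators, log_lines):
    """[(client, query, family)] for queries of an IOC domain or any subdomain of it."""
    domains = {i["value"]: i["family"] for i in indicators if i["type"] == "domain"}
    hits = []
    for m in filter(None, map(DNS_LOG_RE.search, log_lines)):
        query = m.group("query").rstrip(".").lower()
        for domain, family in domains.items():
            if query == domain or query.endswith("." + domain):
                hits.append((m.group("client"), query, family))
    return hits


def hunt_hashes(indicators, inventory):
    """inventory: {host: [sha256, ...]} from an EDR or file-integrity export.
    Case-insensitive, because the feed mixes upper- and lower-case hashes."""
    wanted = {i["value"]: i["family"] for i in indicators if i["type"] == "sha256"}
    return [(host, h.lower(), wanted[h.lower()])
            for host, hashes in inventory.items() for h in hashes if h.lower() in wanted]


# Constructed sample telemetry for the demonstration (not real logs or hosts).
DNS_LOG = [
    "2025-07-01T10:02:11Z client=10.20.1.14 query=ai.lanpdt.org type=A",
    "2025-07-01T10:02:15Z client=10.20.1.14 query=cdn.smthwentwrong.com type=A",
    "2025-07-01T10:04:02Z client=10.20.1.31 query=docs.pages.dev type=A",
]
INVENTORY = {
    "WS-0142": ["C93E37E35C4C7F767A5BDAB8341D8C2351EDB769A41B0C9C229C592DBFE14FF2"],
    "WS-0177": ["e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"],
}
```

Calling parse_feed(FEED_TEXT) and then hunt_dns(iocs, DNS_LOG) returns the two SocGholish queries from 10.20.1.14 (the second is a subdomain of a listed domain), while the query for docs.pages.dev is not a hit because only the exact yuun.pages.dev FQDN is an indicator; vetting_notes(iocs) reports that same indicator as sitting under a shared parent, which is the kind of organizational-impact check the report asks for before an indicator is used for blocking.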

Strengthen Your Defenses against Cyber Threats

The quarterly Top 10 Malware list is just one of the ways the CIS CTI team helps U.S. State, Local, Tribal, and Territorial (SLTT) government organizations strengthen their cybersecurity posture. Members of the MS-ISAC receive additional insights and threat intelligence from the CIS CTI team on an ongoing basis.

[i] https://dti.domaintools.com/venomrat/

As of June 23, 2025, the MS-ISAC has introduced a fee-based membership. Any potential reference to no-cost MS-ISAC services no longer applies.