Top 10 Malware Q4 2023

By: The Cyber Threat Intelligence (CTI) team at the Multi-State Information Sharing and Analysis Center® (MS-ISAC®)

Published February 27, 2024


In Q4 2023, the Top 10 Malware observed at the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) changed slightly from the previous quarter. Arechclient2 climbed from eighth to the second spot, while ReverseRAT and Pegasus replaced Fake Browser and Ratenjay. This was Pegasus’s first appearance on the Top 10 Malware list. SocGholish was the most observed malware in Q4 again, comprising 60% of Top 10 Malware incidents. SocGholish maintained its top position by leveraging fake browser updates. Additionally, the second and third most prevalent malware were .NET-based Remote Access Trojans (RATs). These RATs capture keystrokes and screenshots from Windows operating systems.

MS-ISAC Malware Notifications Q4 2023


Malware Infection Vectors

The MS-ISAC tracks potential initial infection vectors for the Top 10 Malware each quarter based on open-source reporting, as depicted in the graph below. We currently track four initial infection vectors: Dropped, Malvertisement, Malspam, and Network. Some malware use different vectors in different contexts and are tracked as Multiple.

The CIS Community Defense Model (CDM) v2.0 can help you defend against 77% of MITRE ATT&CK (sub-)techniques associated with malware – regardless of the infection vector they use. Learn more in the video below.


In Q4, Malvertisement was the top initial infection vector due to a significant increase in alerts related to SocGholish and its ongoing campaign where it masquerades as software updates for initial access. Additionally, Q4 saw the Multiple category nearly double due to an increase in Arechclient2 activity. This threat added malvertisement and SEO poisoning to its toolkit in H2 2023, and it uses MSIX files to deliver the payload.

Top 10 Malware – Initial Infection Vectors Q4 2023

Dropped – Malware delivered by other malware already on the system, an exploit kit, infected third-party software, or manually by a cyber threat actor. Gh0st is the only Top 10 Malware currently using this technique.

Malspam – Unsolicited emails, which either direct users to malicious websites or trick users into downloading or opening malware. Agent Tesla and NanoCore are currently using this technique.

Multiple – Malware that currently uses at least two vectors, such as Dropped and Malspam. Currently, Arechclient2, CoinMiner, ViperSoftX, ReverseRAT, and Pegasus are malware utilizing multiple vectors.

Malvertisement – Malware introduced through malicious advertisements. Currently, RogueRaticate and SocGholish are using this technique.

Top 10 Malware and IOCs

Below are the Top 10 Malware listed in order of prevalence. The respective indicators of compromise (IoCs) are provided to aid in detecting and preventing infections from these malware variants. The IoCs below can be used for threat hunting, but not every indicator is inherently malicious, so they are not all suitable for blocking.

1. SocGholish

SocGholish is a downloader written in JavaScript and is distributed through malicious or compromised websites. It uses fake software updates, such as browser updates or Flash updates, to trick users into downloading the malware. The malware uses multiple methods for traffic redirection and payload delivery, is known to use Cobalt Strike, and steals information from the victim’s system. Additionally, SocGholish can lead to further exploitation, such as loading the NetSupport Remote Access Tool, the Async Remote Access Tool, and in some cases ransomware.

IP Addresses

88[.]119[.]169[.]108
31[.]184[.]254[.]115
164[.]132[.]237[.]64
91[.]121[.]240[.]104
39[.]104[.]90[.]45

Domains

taxes[.]rpacx[.]com
assay[.]porchlightcommunity[.]org
change-land[.]com
loans[.]mistakenumberone[.]com
rituals[.]fashionediter[.]com
premium[.]i5417[.]com
cigars[.]pawscolours[.]com
vacation[.]thebrightgift[.]com
basket[.]stylingtomorrow[.]com
casting[.]faeryfox[.]com
templates[.]victoryoverdieting[.]com
active[.]aasm[.]pro
amplifier[.]myjesusloves[.]me
baget[.]godmessaged[.]me
sonic[.]myr2b[.]me
restructuring[.]breatheinnew[.]life
zoom[.]themyr2bpodcast[.]com
hunter[.]libertylawaz[.]com
irsgetwell[.]net
bhtl[.]digital
morth[.]buzz
rsgdkffvsjkoavd[.]ml
gettouy[.]org

2. Arechclient2

Arechclient2, also known as SectopRAT, is a .NET RAT with numerous capabilities, including multiple defense evasion functions. Arechclient2 can profile victim systems, steal information such as browser and crypto-wallet data, and launch a hidden secondary desktop to control browser sessions. Additionally, it has several anti-virtual machine (VM) and anti-emulator capabilities.

SHA256 Hashes

8e289b8dfc7e4994d808ef79a88adb513365177604fe587f6efa812f284e21a3
a835602db71a42876d0a88cc452cb60001de4875a5e91316da9a74363f481910
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

IP Addresses

77[.]73[.]133[.]83
34[.]107[.]35[.]186

3. Agent Tesla

Agent Tesla is a RAT that targets Windows operating systems. It is available for purchase on criminal forums as malware-as-a-service. It has various capabilities depending on the version purchased, including capturing keystrokes and screenshots, harvesting saved credentials from web browsers, copying clipboard data, exfiltrating victim files, and loading other malware onto the host.

IP Addresses

45[.]33[.]8[.]30
91[.]92[.]250[.]136
34[.]154[.]74[.]85

Domains

Topendpower[.]top
7070bc8[.]sytes[.]net

4. CoinMiner

CoinMiner is a cryptocurrency miner family that typically uses Windows Management Instrumentation (WMI) to spread across a network. Additionally, it often uses the WMI Standard Event Consumer scripting to execute scripts for persistence. However, the malware’s capabilities may vary since there are multiple variants. CoinMiner spreads through malspam or is dropped by other malware.
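A permanent WMI event subscription is three objects: an `__EventFilter` (the trigger query), an event consumer (what runs, for example an `ActiveScriptEventConsumer` or `CommandLineEventConsumer`), and a `__FilterToConsumerBinding` tying them together. Sysmon logs their creation as Event IDs 19, 20 and 21 respectively. The script below is an added example, not the report's or MS-ISAC's code: it walks constructed records shaped like those three Sysmon events and flags script or command-line consumers, raising severity when they are bound to a filter, when the consumer launches a script host or encoded command, and when the filter fires on a periodic, timer-like query. The record field names are simplified assumptions for the example rather than a copy of real telemetry.

```python
"""Flag WMI permanent event subscriptions that persist a script, the technique
this report attributes to CoinMiner, from Sysmon-style WMI events."""
import re
from typing import Dict, List

# Constructed records shaped like Sysmon Event ID 19 (WmiEventFilter),
# 20 (WmiEventConsumer) and 21 (WmiEventConsumerToFilter). Field names are
# simplified assumptions for this example. The first consumer mirrors the
# "SCM Event Log Consumer" that Windows registers by default, to show a benign baseline.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 20, "Operation": "Created", "Name": "SCM Event Log Consumer",
     "Type": "NT Event Log", "Destination": ""},
    {"EventID": 19, "Operation": "Created", "Name": "UpdFilter",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 "
              "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"EventID": 20, "Operation": "Created", "Name": "UpdConsumer", "Type": "Script",
     "Destination": "ActiveScriptEventConsumer ScriptText=CreateObject(\"WScript.Shell\")"
                    ".Run(\"powershell.exe -w hidden -enc <base64 placeholder>\")"},
    {"EventID": 21, "Operation": "Created",
     "Consumer": "ActiveScriptEventConsumer.Name=\"UpdConsumer\"",
     "Filter": "__EventFilter.Name=\"UpdFilter\""},
]

# Consumer types that execute attacker-supplied content.
RISKY_CONSUMER_TYPES = {"Script", "Command Line"}
# Script hosts and flags commonly seen in consumers that stage a payload.
SUSPICIOUS_CMD = re.compile(r"powershell|cmd\.exe|wscript|cscript|mshta|-enc\b|hidden", re.I)
# Queries that fire repeatedly on a timer or polling interval rather than a one-off event.
TIMER_LIKE_QUERY = re.compile(r"__InstanceModificationEvent.*\bWITHIN\b|Win32_LocalTime|__TimerEvent", re.I)


def _name_from_path(path: str) -> str:
    """Extract the object name from a WMI path such as __EventFilter.Name="X"."""
    m = re.search(r'Name="([^"]+)"', path)
    return m.group(1) if m else path


def find_wmi_persistence(events: List[Dict]) -> List[Dict]:
    """Correlate consumer, filter and binding creation into findings with a severity."""
    consumers: Dict[str, Dict] = {}
    filters: Dict[str, Dict] = {}
    findings: List[Dict] = []
    for e in events:
        if e.get("Operation") != "Created":
            continue
        if e["EventID"] == 20:
            consumers[e["Name"]] = e
            if e.get("Type") in RISKY_CONSUMER_TYPES:
                findings.append({"consumer": e["Name"], "filter": None,
                                 "reason": f"{e['Type']} consumer created", "severity": "medium"})
        elif e["EventID"] == 19:
            filters[e["Name"]] = e
        elif e["EventID"] == 21:
            c_name = _name_from_path(e["Consumer"])
            f_name = _name_from_path(e["Filter"])
            cons = consumers.get(c_name, {})
            filt = filters.get(f_name, {})
            if cons.get("Type") in RISKY_CONSUMER_TYPES:
                reasons = [f"binding {f_name} -> {c_name}"]
                if SUSPICIOUS_CMD.search(cons.get("Destination", "")):
                    reasons.append("consumer launches a script host or encoded command")
                if TIMER_LIKE_QUERY.search(filt.get("Query", "")):
                    reasons.append("filter fires on a periodic timer-like query")
                findings.append({"consumer": c_name, "filter": f_name,
                                 "reason": "; ".join(reasons), "severity": "high"})
    return findings


if __name__ == "__main__":
    for f in find_wmi_persistence(SAMPLE_EVENTS):
        print(f"[{f['severity']}] consumer={f['consumer']} filter={f['filter']}: {f['reason']}")
```

Outside of Sysmon, the same three object classes can be enumerated live from the `root\subscription` namespace and compared against a known-good baseline; the default Windows binding between the SCM Event Log filter and consumer is expected, while any script or command-line consumer bound to a polling query deserves a look.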

SHA256 Hashes

6FB4945BB73AC3F447FB7AF6BD2937395A067A6E0C0900886095436114A17443
72F1BA6309C98CD52FFC99DD15C45698DFCA2D6CE1EF0BF262433B5DFFF084BE
99D9DFD8F1C11D055E515A02C1476BD9036C788493063F08B82BB5F34E19DFD6
A4F20B60A50345DDF3AC71B6E8C5EBCB9D069721B0B0EDC822ED2E7569A0BB40
8A492973B12F84F49C52216D8C29755597F0B92A02311286B1F75EF5C265C30D

URLs

evinfeoptasw[.]dedyn[.]io/updater[.]php
eu1[.]microtunnel[.]it/c0s1ta/index[.]php
euserv3[.]herokuapp[.]com/c0s1ta/index[.]php
eldi8[.]github[.]io/src[.]txt

5. NanoCore

NanoCore is a RAT spread via malspam with an attachment, such as a malicious Excel (.xls) spreadsheet. NanoCore accepts commands to download and execute files, visit websites, and add registry keys for persistence.

MD5 Hashes

42b86b1774e0634afa169f72a9ef08cb
a1d4eaa6f0f151d604a1e6f79583ff88
04b12e17ab63048b21b8996955aeee5a
2bd30803f1a6a7aa3f280e8da02ae04b
411e2a93398bddd6c13c105da83ca801
02d1d6119f13b83cab2278c3e43b08a9
1d615678fe4e768a0b8ff9f15d4a2884
2f7fc48c821a1ee87c7c95b069fe69ef
23ee6fc8b90d6619cc22f1f5577fa5ed
9d10e2af44800c5f5248adb48d22c687
47cf778895d5e51b3be5ada7f81f7907
b9ff56932963babf8acf628bb6d33daf
80a9f5a1f01d4716c15bcdc8d025a8b2
ba08c0723b7d96a47c83bc8d7111e01c
80225e6fc6a1c15d38a7c924641fdb84
88b17e26ef2c53627314448b4894bb9a
f224b4bb5f65abd0d093fb29584bf370
2916c6e4cefea97681e5f7d39afe1baa
9e48278fd8663c2722eb3ce7b5ae34e7
09768ed665365838e5f15dff9c5b3e74
bc15d9095a6d6fc6c794516a839793e4
4cfc0e1b4abecad9e5e862d34d9b014d
444f0a93e49f13d2863e4bbe80395e43
688e964feeb18ae69d6f9159e379a694
52b29489c928823c8da84a6e3d22fc12
b4280a4c2797d899137625740b57a144
ef0d014f8dd257f6bfb8fa7e4f6e5839
581d9f88bf2bf367e29bab4544111547
264e01e9cae9c9e1967ea892288bc9ae
af1ee91fdbf586c55760acccc9c6ea52
290fce33014ad508c6a7e7cf17c2e991
8cd95ee6d335088255f79db2579e8a98
91ddaf1628da8f0c1d532cd217a7f26d
c133a4df2fc42b747a8cf16603b66cfa
cc4785f780b286ccdaf01c38bbbc809d
d4e61a92ff8da165dbf4922816810d0f
cc4b8b6bbce04726a89a89c165241570
1cbfd7fcf52961bf55fbbe7dcfb42607
ed24b048880a8a2a3b7ac4911a7e81df
f4a329dff4849f902fe877e345e6d740
6e65813ad51126c4fcabcf6ad9267e26
56a626b9244c18ac768b5d3db7e014ed
f0ef2c3a320448b3a8ea0535da3b411b
68009cdd2529871592a32554ee184abd
81abca731625a26c26b7831db81c0e1e
a974ba2381279891bbb4b89e7b81329b
17bb37120b51ff2558ba2d2f9db05ec4
e758928032effa43ba8de94338661e9b

IP Addresses

193[.]161[.]193[.]99
79[.]134[.]225[.]113
167[.]235[.]49[.]247
179[.]43[.]141[.]210

Domains

hadleyshope[.]3utilities[.]com
eu-central-7075[.]packetriot[.]net
nano8100[.]duckdns[.]org

6. RogueRaticate

RogueRaticate is a downloader written in JavaScript and distributed through malicious or compromised websites using fake browser updates. Its payload is an HTML Application (HTA) file, delivered either zipped or downloaded as a shortcut file. RogueRaticate is known to lead to additional exploitation, such as loading the NetSupport Remote Access Tool.

SHA256 Hashes

1d9900c8dbaa47d2587d08b334d483b06a39acb27f83223efc083759f1a7a4f6
08d9df800127f9fb7ff1a246346e1cf5cfef9a2521d40d6b2ab4e3614a19b772

IP Addresses

178[.]159[.]37[.]25

7. ViperSoftX

ViperSoftX is a multi-stage cryptocurrency stealer spread within torrents and filesharing sites, where it is typically distributed as a malicious crack for popular software.

Domains

chatgigi2[.]com
api[.]private-chatting[.]com
static-cdn-349[.]net

8. ReverseRAT

ReverseRAT is a RAT that provides attackers with unauthorized access to a compromised system. ReverseRAT is commonly used to steal sensitive information and spy on the compromised user by accessing the host’s webcam and microphone. It also uses the compromised system for future distributed denial-of-service (DDoS) attacks.

MD5 Hashes

f0f322dcfe9953991c03746984b923ed
1325ff46b5ae1bce48ad444ea3d3f7cb

Domains

Mazagondoc[.]com

9. Gh0st

Gh0st is a RAT used to control infected endpoints. Gh0st is dropped by other malware to create a backdoor that allows an attacker to fully control the infected device.

MD5 Hashes

2d330c354c14b39368876392d56fb18c
4E2D8CA775D0214E2532ACD778B91424
6B7CFB983A2DC2338B89CBADD837C801
62C6F595B570EAFDA24CAB01DC2E18A2
AC2F55CEFD715937E9584752B706712B

Domains

worldinfocontact[.]club
siekis[.]com
alienlol[.]com
a1free9bird[.]com
hodbeast[.]com
ip[.]yototoo[.]com
xiaoxiannv[.]gnway[.]net
icybin[.]flnet[.]org
bj6po[.]a1free9bird[.]com
beiyeye[.]401hk[.]com
tcp[.]nhntech[.]com
ad[.]jcrsoft[.]com

10. Pegasus

Pegasus is mobile spyware designed to target iOS and Android devices and to collect data on the user. Data collected from compromised devices can include texts, emails, installed apps, location services, audio recordings, and photos.

URL

bun54l2b67[.]get1tn0w[.]free247downloads[.]com:30495/szev4hz

Stay Informed about Cyber Threats

The quarterly Top 10 Malware list is just one of the ways the CIS CTI team helps U.S. State, Local, Tribal, and Territorial (SLTT) government organizations strengthen their cybersecurity posture.

Want additional insights from the CIS CTI team?

About the Author

The Cyber Threat Intelligence (CTI) team at the Multi-State and Elections Infrastructure Information Sharing and Analysis Centers (MS-ISAC and EI-ISAC) functions as the premier CTI source for all U.S. State, Local, Tribal, and Territorial (SLTT) entities and election offices. With decades of combined experience in all types of industries, the CTI team pushes out curated SLTT-centric threat intelligence reporting as well as malicious indicators via near real-time threat feeds. This information helps SLTTs anticipate and proactively defend against emerging cyber threats and shifts in adversarial tactics, techniques, and procedures. Additional information: team tradecraft and indicator feeds.

Supported via cooperative agreement No. 23CISMSI00003-01-01 - 09/29/2025 awarded through the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security (U.S. DHS). The analysis, findings, and conclusions or recommendations expressed in this document are those of the MS-ISAC and EI-ISAC.