Top 10 Malware Q4 2025

By: The Center for Internet Security® (CIS®) Cyber Threat Intelligence (CTI) team

Published January 29, 2026

Total malware notifications from Multi-State Information Sharing and Analysis Center® (MS-ISAC®) monitoring services increased seven percent from Q3 2025 to Q4 2025. SocGholish continued to lead the Top 10 Malware, comprising 30% of detections. CoinMiner, a cryptocurrency miner, and Agent Tesla, a remote access trojan (RAT), followed SocGholish.

In Q3 2025, the MS-ISAC also observed the return of Arechclient2, while ACR Stealer, Calendaromatic, and SombRAT made their first appearances.

  • ACR Stealer is an infostealer used by the SideCopy threat group to collect sensitive files, system information, user credentials, and details about installed antivirus software. It uses HTTP/TCP for command and control (C2) and achieves persistence via AutoRun registry keys or the Startup folder.
  • Calendaromatic is a backdoor that masquerades as a legitimate calendar download and is spread through malvertisements and SEO poisoning. According to research by MalwareBazaar, Calendaromatic is tied to the TamperedChef malvertising campaign.
  • SombRAT is a modular backdoor primarily used after initial compromise to collect and exfiltrate information and deliver additional payloads. It uses a domain generation algorithm (DGA) to create domains for its C2.

Top 10 Malware Q4 2025

Malware Infection Vectors

The MS-ISAC tracks potential initial infection vectors for the Top 10 Malware each quarter based on open-source reporting, as depicted in the graph below. We currently track three initial infection vectors: Dropped, Malspam, and Malvertisement. Some malware use different vectors in different contexts, which are tracked as Multiple.

  • Dropped: Malware delivered by other malware already on the system, an exploit kit, infected third-party software, or manually by a cyber threat actor. In Q4 2025, none of the malware in the Top 10 list used this technique at the time of publication.
  • Malspam: Unsolicited emails, which either direct users to malicious websites or trick users into downloading or opening malware. SombRAT used this technique at the time of publication.
  • Malvertisement: Malware introduced through malicious advertisements. SocGholish, Calendaromatic, and ZPHP used this technique at the time of publication.
  • Multiple: Malware that currently uses at least two vectors, such as Dropped and Malspam. ACR Stealer, Agent Tesla, Arechclient2, CoinMiner, Jinupd, and VenomRAT used this technique at the time of publication.

The CIS Community Defense Model (CDM) v2.0 can help you defend against 77% of MITRE ATT&CK (sub-)techniques associated with malware regardless of the infection vector they use. Learn more in the video below.

In Q4 2025, Multiple continued to lead the initial infection vectors due to an increase in alerts related to ACR Stealer, Arechclient2, Jinupd, and VenomRAT.

Top 10 Malware — Initial Infection Vectors Q4 2025

Top 10 Malware and IOCs

Below are the Top 10 Malware listed in order of prevalence. The CIS CTI team provides associated indicators of compromise (IOCs) to aid defenders in detecting and preventing infections from these malware variants. Analysts sourced these IOCs from threat activity observed via CIS Services® and open-source research. Network administrators can use the IOCs for threat hunting but should vet each indicator for organizational impact before using it for blocking.

  1. SocGholish
  2. CoinMiner
  3. Agent Tesla
  4. Jinupd
  5. SombRAT
  6. Calendaromatic
  7. ZPHP
  8. VenomRAT
  9. ACR Stealer
  10. Arechclient2
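As an added illustration of the vetting step described above (example code, not part of the CIS report), the Python below refangs the report's bracketed indicators, normalizes hash case (the report lists SHA256 values in mixed case), and tags any indicator that appears under more than one family as hunt-only before matching against sample telemetry. The indicators are a subset of those published in this report; the host names, log lines, and file path are constructed.

```python
import re
from collections import defaultdict
# Subset of the report's indicators, keyed by family, in the report's defanged form.
REPORT_IOCS = {
    "CoinMiner": ["miner[.]rocks",
                  "3E59379F585EBF0BECB6B4E06D0FBBF806DE28A4BB256E837B4555F1B4245571"],
    "Calendaromatic": ["calendaromatic[.]com"],
    "VenomRAT": ["dpaste[.]org", "joinmc[.]link", "theriygrt[.]com"],
    "ACR Stealer": ["dpaste[.]org", "joinmc[.]link", "apposx[.]com"],
}
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

def normalize(ioc):
    """Refang '[.]' and lowercase: the report mixes hash case, and DNS names are case-insensitive."""
    return ioc.strip().replace("[.]", ".").lower()

def build_watchlist(report):
    """Map each indicator to its type, the families listing it, and an action. An indicator shared
    by several families usually points at third-party infrastructure (blocking false-positive risk)."""
    watch = defaultdict(lambda: {"families": set()})
    for family, iocs in report.items():
        for raw in iocs:
            ioc = normalize(raw)
            watch[ioc]["type"] = "sha256" if SHA256_RE.match(ioc) else "domain"
            watch[ioc]["families"].add(family)
    for entry in watch.values():
        entry["action"] = "hunt-only" if len(entry["families"]) > 1 else "block-candidate"
    return dict(watch)

# Constructed sample telemetry (not real data): a DNS query log and an EDR hash inventory.
DNS_LOG = [
    "2026-01-15T10:02:11Z ws-041 query calendaromatic.com A",
    "2026-01-15T10:03:45Z ws-017 query dpaste.org A",
    "2026-01-15T10:04:02Z ws-017 query intranet.example.local A",
]
FILE_HASHES = [  # (host, path, sha256) as an EDR might report them; constructed
    ("ws-022", "C:\\Users\\Public\\update.exe",
     "3e59379f585ebf0becb6b4e06d0fbbf806de28a4bb256e837b4555f1b4245571"),
]

def hunt(watch, dns_log, file_hashes):
    """Return (host, indicator, action) for every telemetry record that matches the watchlist."""
    hits = []
    for line in dns_log:
        _ts, host, _verb, name, _rtype = line.split()
        if name.lower() in watch:
            hits.append((host, name.lower(), watch[name.lower()]["action"]))
    for host, _path, digest in file_hashes:
        if digest.lower() in watch:
            hits.append((host, digest.lower(), watch[digest.lower()]["action"]))
    return hits
```

Hunt-only hits still merit investigation of the querying host; they are excluded only from automated blocking until the indicator has been vetted.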

1. SocGholish

SocGholish is a downloader written in JavaScript and distributed through malicious or compromised websites via fake browser updates. It uses multiple methods for traffic redirection and payload delivery, commonly uses Cobalt Strike, and steals information from the victim’s system. Additionally, SocGholish can lead to further exploitation, such as loading the NetSupport and AsyncRAT remote access tools or even ransomware in some cases.

Domains

2. CoinMiner

CoinMiner is a cryptocurrency miner family that typically uses Windows Management Instrumentation (WMI) to spread across a network. Additionally, it often uses the WMI Standard Event Consumer scripting to execute scripts for persistence. However, the malware’s capabilities vary, as there are multiple variants. CoinMiner spreads through malspam or is dropped by other malware.

Domains

karbowanec[.]com
miner[.]rocks
sberex[.]com
umnsrx[.]net

SHA256 Hashes

3E59379F585EBF0BECB6B4E06D0FBBF806DE28A4BB256E837B4555F1B4245571
59F7C03A2021CB28A433AE0D018388B2A5B802686CA94699FA0BC9E1917AEAD0
9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

3. Agent Tesla

Agent Tesla is a RAT that targets Windows operating systems and is available for purchase on criminal forums. It has various capabilities depending on the version purchased, including capturing keystrokes and screenshots, harvesting saved credentials from web browsers, copying clipboard data, exfiltrating victim files, and loading other malware onto the host.

Domains

SHA256 Hashes

4. Jinupd

Jinupd, also known as JackPOS, is a point-of-sale (POS) infostealer that steals credit card information by scraping the memory of payment-processing applications. It often masquerades as a Java updater, establishes persistence through registry modifications, exfiltrates stolen data, and downloads additional payloads. Jinupd typically spreads via drive-by downloads, compromised websites, or as a secondary payload from other malware.

SHA256 Hashes

5. SombRAT

SombRAT is a modular backdoor written in C++ that has been used since at least 2019. It supports encrypted communication via DNS and TCP, data staging, process injection, and masquerading. SombRAT can download and execute additional payloads, exfiltrate data, and hide its presence using process argument spoofing and XOR-based string obfuscation. It uses DGA domains for its C2 and encrypts its C2 communication. SombRAT has been linked to campaigns involving FIVEHANDS ransomware.

SHA256 Hashes

6. Calendaromatic

Calendaromatic is a backdoor that masquerades as a legitimate calendar download and is spread through malvertisements and SEO poisoning. According to research by MalwareBazaar, Calendaromatic is tied to the TamperedChef malvertising campaign.

Domains

SHA256 Hashes

7. ZPHP

ZPHP is a downloader written in JavaScript and distributed through malicious or compromised websites via fake browser updates. ZPHP is also known to drop the NetSupport remote access tool and Lumma Stealer malware.

Domains

8. VenomRAT

VenomRAT is an open-source RAT often dropped by other malware or spread via malspam. Since VenomRAT is open source, there are multiple versions with varying capabilities. Most versions include capabilities associated with keylogging, screen capture, password theft, data exfiltration, and downloading and executing additional files.

Domains

SHA256 Hashes

9. ACR Stealer

ACR Stealer is an infostealer written in C++ that targets credentials and data and is used by the SideCopy threat group. ACR Stealer collects sensitive files, including documents, spreadsheets, PDFs, and images, from infected systems. It uses HTTP and TCP for C2 communication and stores exfiltrated data locally before transmission. The malware also gathers system information, user credentials, and details about installed antivirus software. ACR Stealer achieves persistence via AutoRun registry keys or the Startup folder, depending on the host environment.

Domains

SHA256 Hashes

10. Arechclient2

Arechclient2, also known as SectopRAT, is a .NET RAT with numerous capabilities, including multiple defense evasion functions. Arechclient2 can profile victim systems, steal information such as browser and crypto-wallet data, and launch a hidden secondary desktop to control browser sessions. Additionally, it has several anti-virtual machine and anti-emulator capabilities.

SHA256 Hashes

Leverage the Power of Tailored Threat Intelligence

This threat intelligence briefing illustrates how the CIS CTI team supports paid members of the MS-ISAC. Available to U.S. State, Local, Tribal, and Territorial (SLTT) government entities, MS-ISAC membership enables organizations to share information and collaborate on defending against cyber threats. The CIS CTI team supports members by maintaining the only STIX/TAXII threat intelligence feed tailored to U.S. SLTTs. It also routinely releases threat intelligence briefings along with detailed reports, such as the Quarterly Threat Report and Operational Cyber Analytic Report, to provide decision-makers with actionable threat intelligence they can use to take a proactive approach to their organization's cyber defense.

Ready to augment your cybersecurity posture using the expertise of the CIS CTI team?

As of June 23, 2025, the MS-ISAC has introduced a fee-based membership. Any potential reference to no-cost MS-ISAC services no longer applies.