{
	"id": "78915622-35a9-4f8e-9491-ed888abcdf85",
	"created_at": "2026-04-06T00:09:45.291805Z",
	"updated_at": "2026-04-10T03:33:12.467153Z",
	"deleted_at": null,
	"sha1_hash": "240edb29479ddabca336042802d16035fc71a6b8",
	"title": "2020: The year in malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 186236,
	"plain_text": "2020: The year in malware\r\nBy Jonathan Munshaw\r\nPublished: 2020-12-21 · Archived: 2026-04-05 22:49:56 UTC\r\nMonday, December 21, 2020 17:38\r\nBy Jon Munshaw.\r\nNothing was normal in 2020. Our ideas of working from offices, in-person meetings, hands-on learning and\r\nbasically everything else was thrown into disarray early in the year. Since then, we defenders have had to adapt.\r\nBut so have workers around the globe, and those IT and security professionals in charge of keeping those workers’\r\ninformation secure.\r\nAdversaries saw all these changes as an opportunity to capitalize on strained health care systems, schools\r\nscrambling to adapt to online learning and companies who now had employees bringing home sensitive\r\ninformation and data while working on their personal networks. This led to a huge spike in ransomware attacks\r\nand headlines all over of companies spending millions of dollars to recover their data and get back to work\r\nquickly.\r\nOh, and there was a presidential election this year, too, which came with its own set of challenges.\r\nTo recap this crazy year, we’ve compiled a list of the major malware, security news and more that Talos covered\r\nthis year. Look through the timeline below and click through some of our other blog posts to get caught up on the\r\nyear that was in malware.\r\nJanuary\r\nhttps://blog.talosintelligence.com/2020/12/2020-year-in-malware.html\r\nPage 1 of 4\n\nAttackers used several popular and well-known file-hosting services to avoid blocklisting and\r\ndeliver a threat we called “JhoneRAT,” mainly to Arabic-speaking targets. \r\nFebruary\r\nAnother RAT, “ObliqueRAT,” used malicious Microsoft Office documents to infect diplomatic\r\nand government agencies/organizations in Southeast Asia. Cisco Talos also discovered a link\r\nbetween ObliqueRAT and another campaign from December 2019 distributing CrimsonRAT. \r\nMarch\r\nAs the COVID-19 pandemic hit the United States, workers across the country and globe had to\r\nbegin working from home full-time. As the pandemic was the biggest news story of the year,\r\nhitting its peak in mid-March, attackers started using news around COVID-19 to spread\r\nmalware. \r\nThe pandemic also presented a platform for adversaries to spread disinformation around the\r\nvirus and associated government relief packages. \r\nApril\r\nCisco Talos researchers highlighted some of the problems with using fingerprint scans to protect\r\nyour devices. We cloned fingerprints using a few different methods and tested their ability to\r\nunlock certain devices, showing that you shouldn’t use biometric scanners as the last line of\r\ndefense for vital data or devices. \r\nPython-based PoetRAT used COVID-19-themed lures to target government agencies and\r\neveryday users in Azerbaijan, also capitalizing on the country’s ongoing military and civil\r\nconflicts. \r\nOnline meeting software exploded in popularity, which created a fresh target for attackers\r\nlooking to spread malware or just generally be disrupted. One such example was this\r\nvulnerability in the Zoom meeting software Talos discovered, though there are many more\r\nexploits out there for all sorts of meeting software. \r\nThe Aggah malspam campaign expanded its reach, now delivering Agent Tesla, njRAT and\r\nNanocore RAT. \r\nMay\r\nThai Android devices and users are targeted by a modified version of DenDroid we called\r\n\"WolfRAT,\" now targeting messaging apps like WhatsApp, Facebook Messenger and Line. \r\nBrazilian users are targeted with the Astaroth malware family, which used YouTube as a unique\r\ncommand and control (C2) to help evade detection. \r\nJune\r\nhttps://blog.talosintelligence.com/2020/12/2020-year-in-malware.html\r\nPage 2 of 4\n\nIndigoDrop utilizes military-themed malicious maldocs to spread Cobalt Strike beacons\r\ncontaining full-fledged RAT capabilities. These maldocs use malicious macros to deliver a\r\nmultistage and highly modular infection. \r\nThe PROMETHIUM actor expands its reach and tries to infect new targets in Colombia, India,\r\nCanada and Vietnam by teaming up with StrongPity3. \r\nJuly\r\nThe wave of ransomware attacks hits a peak. Specifically, WastedLocker targeted some big-name companies and organizations looking to make headlines and rake in big paydays. \r\nWe released our first research paper in a series covering election security and disinformation\r\nahead of the November presidential election. \r\nThe Prometei botnet adds multiple ways to spread, deploying a Monero-focused cryptocurrency\r\nminer.\r\nSeptember\r\nA new campaign we dubbed “Salfram” spreads various malware payloads including Gozi ISFB,\r\nZLoader, SmokeLoader and AveMaria, among others. \r\nWith many students returning to school totally online, we spotted a spike in online homework\r\nscams, with sites promising to write papers and complete assignments for a fee, though many of\r\nthem turned out to be phony or even deliver malware. \r\nLodaRAT shows it’s adding new features and obfuscation techniques. \r\nOctober\r\nThe Lemon Duck cryptocurrency-mining botnet uses several new techniques likely to be spotted\r\nby defenders but would largely go undetected by end users while the adversary stole their\r\ncomputing power. \r\nThe DoNot APT group experiments with new methods of delivery for their payloads. They used\r\na legitimate service within Google's infrastructure which makes it harder for detection across a\r\nuser's network. \r\nThe FBI and U.S. Cybersecurity and Infrastructure Security Agency released an alert warning\r\nhealth care systems to look out for a wave of ransomware attacks, corresponding in a rise in\r\nCOVID-19 cases. \r\nhttps://blog.talosintelligence.com/2020/12/2020-year-in-malware.html\r\nPage 3 of 4\n\nNovember\r\nA new version of the CRAT malware pops up in the wild with sandbox evasion techniques and a\r\nnew modular plugin framework. \r\nEmotet completes its 2020 comeback with a huge November and October, increasing its activity\r\nacross the globe after it largely went quiet over the summer. \r\nDecember\r\nWe uncover the Xanthe cryptocurrency miner after it tried to compromise one of Cisco's\r\nsecurity honeypots for tracking Docker-related threats. \r\nSource: https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html\r\nhttps://blog.talosintelligence.com/2020/12/2020-year-in-malware.html\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html"
	],
	"report_names": [
		"2020-year-in-malware.html"
	],
	"threat_actors": [
		{
			"id": "67fbc7d7-ba8e-4258-b53c-9a5d755e1960",
			"created_at": "2022-10-25T16:07:24.077859Z",
			"updated_at": "2026-04-10T02:00:04.860725Z",
			"deleted_at": null,
			"main_name": "Promethium",
			"aliases": [
				"APT-C-41",
				"G0056",
				"Magenta Dust",
				"Promethium",
				"StrongPity"
			],
			"source_name": "ETDA:Promethium",
			"tools": [
				"StrongPity",
				"StrongPity2",
				"StrongPity3",
				"Truvasys"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cbede712-4cc3-47c6-bf78-92fd9f1beac6",
			"created_at": "2022-10-25T15:50:23.777222Z",
			"updated_at": "2026-04-10T02:00:05.399303Z",
			"deleted_at": null,
			"main_name": "PROMETHIUM",
			"aliases": [
				"PROMETHIUM",
				"StrongPity"
			],
			"source_name": "MITRE:PROMETHIUM",
			"tools": [
				"Truvasys",
				"StrongPity"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b0d34dd6-ee90-483b-bb6c-441332274160",
			"created_at": "2022-10-25T16:07:23.296754Z",
			"updated_at": "2026-04-10T02:00:04.526403Z",
			"deleted_at": null,
			"main_name": "Aggah",
			"aliases": [
				"Operation Red Deer",
				"Operation Roma225"
			],
			"source_name": "ETDA:Aggah",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"Aggah",
				"Atros2.CKPN",
				"Bladabindi",
				"Jorik",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Negasteal",
				"Origin Logger",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"Warzone",
				"Warzone RAT",
				"ZPAQ",
				"Zurten",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4660477f-333f-4a18-b49b-0b4d7c66d482",
			"created_at": "2023-01-06T13:46:38.511962Z",
			"updated_at": "2026-04-10T02:00:03.007466Z",
			"deleted_at": null,
			"main_name": "PROMETHIUM",
			"aliases": [
				"StrongPity",
				"G0056"
			],
			"source_name": "MISPGALAXY:PROMETHIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "28851008-77b4-47eb-abcd-1bb5b3f19fc2",
			"created_at": "2023-06-20T02:02:10.254614Z",
			"updated_at": "2026-04-10T02:00:03.365336Z",
			"deleted_at": null,
			"main_name": "Hagga",
			"aliases": [
				"TH-157",
				"Aggah"
			],
			"source_name": "MISPGALAXY:Hagga",
			"tools": [
				"Agent Tesla"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434185,
	"ts_updated_at": 1775791992,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/240edb29479ddabca336042802d16035fc71a6b8.pdf",
		"text": "https://archive.orkl.eu/240edb29479ddabca336042802d16035fc71a6b8.txt",
		"img": "https://archive.orkl.eu/240edb29479ddabca336042802d16035fc71a6b8.jpg"
	}
}