{
	"id": "bffcb825-abe7-4de4-80c2-99a1f5e702b1",
	"created_at": "2026-04-06T00:16:08.143842Z",
	"updated_at": "2026-04-10T03:38:01.67279Z",
	"deleted_at": null,
	"sha1_hash": "28b3fccea91691089263b0b8d409323e283d6d17",
	"title": "Avast Q2/2022 threat report",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6565948,
	"plain_text": "Avast Q2/2022 threat report\r\nBy Threat Research Team\r\nArchived: 2026-04-05 16:59:28 UTC\r\nAnother quarter has passed, which means it’s time for us to share our Avast Q2/2022 Threat Report with the\r\nworld. I must admit, time flies. It’s been exactly one year since we started publishing these reports, and this last\r\nyear was anything but boring. This latest report is proof of that.\r\nIn Q2/2022, we witnessed just how quickly malware authors can adapt to changes. A few months ago Microsoft\r\nannounced that it will make it difficult to run VBA macros in Office documents that were downloaded from the\r\nInternet. They backpedaled on that promise, but promised it again shortly after. Threat actors have already started\r\npreparing various alternative infection vectors, now that the beloved vector they had been using for decades is\r\nbeing blocked by default. For example, IcedID and Emotet have already started using LNK files, ISO or IMG\r\nimages, and other tricks supported on the Windows platform as an alternative to maldocs to spread their\r\ncampaigns. It’s likely you’ve already witnessed these in your inboxes.\r\nExploits spreading in the wild also made Q2/2022 interesting. For example, the Follina zero-day vulnerability\r\nin Office and Windows was widely exploited by all kinds of attackers. Our researchers also discovered and\r\nreported multiple serious zero-day exploits used by malware authors – CVE-2022-2294 affecting browsers from\r\nGoogle, Microsoft, and Apple. We also discovered a zero-day that Candiru exploited to get into the Windows\r\nkernel.\r\nAfter months of decline, we’ve seen a significant (+24%) uptick of ransomware attacks in Q2/2022. This was\r\npartially connected to the usual ransomware suspects, but also to sudden changes happening with the Conti\r\nransomware syndicate. 
Conti finally stopped its operations, but like the mythical hydra: when you cut off\r\na hydra’s head, two more grow back, so we have many more ransomware groups and strains to track now. On\r\nthe bright side, several new free ransomware decryptors were introduced in Q2/2022.\r\nWe participated in shutting down Zloader and witnessed the resurrection of Raccoon Stealer, whose core\r\ndeveloper was allegedly killed in the Russian war in Ukraine. Speaking of these two countries, the malware\r\nrisk ratio in Russia and Ukraine has stabilized, but is still elevated. We also detected various malware types targeting our\r\nusers in Japan, Germany, and Brazil in Q2/2022.\r\nFortunately, malicious cryptojacking coinminers decreased slightly in the quarter, which is good news for victims,\r\nas energy costs are skyrocketing in many countries. And finally, I encourage you to read the mobile section\r\nwhere my colleagues discuss the rise and fall of the most prevalent mobile malware strains such as HiddenAds,\r\nFlubot, and SMSFactory.\r\nHappy reading, and stay safe.\r\nJakub Křoustek, Malware Research Director\r\nhttps://decoded.avast.io/threatresearch/avast-q2-2022-threat-report/\r\nPage 1 of 23\n\nMethodology\r\nThis report is structured into two main sections – Desktop-related threats, where we describe our intelligence\r\naround attacks targeting the Windows, Linux, and Mac operating systems, and Mobile-related threats, where we\r\ndescribe the attacks focusing on the Android and iOS operating systems.\r\nFurthermore, we use the term risk ratio in this report to describe the severity of particular threats, calculated as a\r\nmonthly average of “Number of attacked users / Number of active users in a given country.” Unless stated\r\notherwise, calculated risks are only available for countries with more than 10,000 active users per month.\r\nDesktop-Related Threats\r\nAdvanced Persistent Threats (APTs)\r\nAdvanced Persistent Threats are typically created 
by nation state sponsored groups which, unlike cybercriminals,\r\nare not solely driven by financial gain. These groups pursue their nation states’ espionage agenda, which means\r\nthat specific types of information, be it of geopolitical importance, intellectual property, or even information that\r\ncould be used as a base for further espionage, are what they are after.\r\nIn Q2/2022, the most notable APT campaigns we observed came from the Confucius, Gadolinium/APT40,\r\nGamaredon, and MustangPanda groups.\r\nConfucius\r\nRecently, we discovered a known APT group from India, Confucius, targeting Pakistani embassies in multiple\r\ncountries like Brunei, Nepal, Argentina, and Azerbaijan from March to June 2022.\r\nThe Confucius group spread their malware by sending phishing emails with PDF attachments, which contained\r\nlinks to phishing websites. These sites imitated official government websites and provided the passwords for\r\ndocuments that site visitors could download; these documents were malicious. Distributing the documents in\r\nencrypted form keeps static AV scanners from inspecting their content before the victim opens them.\r\nWe spotted malicious documents with various names related to current events, such as\r\n“VaccineStatusReport.xlsx”.\r\nThe group used documents with malicious macros to drop further infection stages written in C#.\r\nWe also noticed several other malware families like trojan downloaders, file stealers, QuasarRAT and a custom\r\nRAT developed in C++ being dropped by the macros.\r\nWe suspect that the group may be after intelligence, based on the fact that the malware being used in their attacks\r\nis designed to spy on victims and steal files and other data.\r\nGadolinium/APT40\r\nWe discovered a threat actor hosting payloads on an Australian VOIP telecommunications provider’s servers. 
The\r\nthreat actor was abusing a zero-day remote code execution bug in the Microsoft Support Diagnostic Tool (MSDT),\r\nreachable from Microsoft Office documents (CVE-2022-30190, “Follina”). Further\r\nanalysis indicated that targets in Palau were sent malicious documents that, when opened, exploited the zero-day\r\nvulnerability, causing victims’ computers to contact the provider’s website, download and execute the malware,\r\nand subsequently become infected. Multiple stages of this attack were signed with a legitimate company\r\ncertificate to add legitimacy.\r\nWhen a malicious document was opened, it contacted the compromised websites that hosted a first stage,\r\n“Sihost.exe”, executed by msdt.exe. After execution it downloaded the second stage, which was a loader. The\r\nloader was then used to download and decrypt the third stage of the attack, an encrypted file stored as\r\n‘favicon.svg’ on the same web server. The third stage of the attack was also used to download and execute the\r\nfourth stage, which loads shellcode from the AsyncRat malware family. From a detection standpoint, the\r\ntell-tale sign of this chain is an Office process launching msdt.exe with an ms-msdt: URI in its command line.\r\nThanks to the security community this attack was attributed to Gadolinium/APT40, a known Chinese APT group.\r\nGiven a RAT was the final payload, we suspect the group may be collecting intel from its victims.\r\nGamaredon\r\nWe saw a steady high volume of Gamaredon detections throughout Q2/2022, similar to what we have been\r\nobserving since the start of the conflict in Ukraine in February. Gamaredon, a known Russian-backed APT group,\r\ncontinued using the same old toolset, as well as new PowerShell-based tools, and their activity was still tightly\r\nfocused on Ukraine.\r\nGraph showing users Avast protected from Gamaredon’s spreading in Ukraine\r\nMustangPanda\r\nWe’ve noticed multiple MustangPanda (a known Chinese APT group) campaigns running in parallel during\r\nQ2/2022 in multiple locations, including the Philippines, Myanmar, Thailand, Singapore, Mongolia, and India, as\r\nwell as in other, new regions the group previously hadn’t been present in. 
All of these campaigns utilized DLL\r\nsideloading for payload delivery, for which the group continued using well known abused binaries, similarly to\r\ntheir previous campaigns, but they also added a few new ones to their arsenal. DLL sideloading places a malicious\r\nDLL, named after a library the executable imports, next to a legitimate (usually signed) executable, so that the\r\ntrusted binary itself loads the attacker’s code.\r\nBased on the language and content of the phishing documents they used, the group expanded their activities in\r\nEurope, e.g. the Baltic countries, as well as in South America. The main malware strain being used for the initial\r\ninfection was still Korplug RAT.\r\nLuigino Camastra, Malware Researcher\r\nIgor Morgenstern, Malware Researcher\r\nJan Holman, Malware Researcher\r\nAdware\r\nDesktop adware has slowed down this quarter compared to Q1/2022, as the graph below illustrates:\r\nGraph showing users (globally) Avast protected from desktop adware in Q2/2022\r\nWe have monitored a noticeable decrease in risk ratio for users in Africa, the Balkans, the Middle East, and\r\nSoutheast Asia. On the other hand, there was an increase in risk ratio for users in South America, parts of Europe,\r\nand Central Asia; namely, Brazil, Austria, Germany, Switzerland, Tajikistan, and Uzbekistan; see the map below.\r\nMap showing global risk ratio for adware in Q1/2022 vs. Q2/2022\r\nIn Q1/2022, we observed considerable adware activity in Japan that returned to its average level in Q2/2022.\r\nOn the contrary, there was a rise in adware activity in Austria and Switzerland, as illustrated in the chart below.\r\nGraph showing users in Austria and Switzerland Avast protected from desktop adware in Q2/2022\r\nThe common denominator for both countries is Revizer adware, which is usually dropped by other malware or\r\nfree applications. Revizer adware monitors users’ actions on specific sites and updates their content without users’\r\nconsent or permission. 
The adware typically injects unwanted banners on websites the victim visits, rewrites the\r\ndefault home page of browsers, and turns ordinary page text into hyperlinks that lead to unwanted or\r\nmalicious content.\r\nAs in Q1/2022, 65% of the adware we saw was a mix of various less prevalent adware families. The clearly identified strains of\r\nWindows adware are: RelevantKnowledge, Cryxos, OpenCandy, MultiPlug, Revizer, and ICLoader. The\r\nmost viewed adware for macOS are as follows: MacOS:Bundlore, MacOS:Adload, MacOS:Spigot,\r\nMacOS:MaxOfferDeal.\r\nMartin Chlumecký, Malware Researcher\r\nVladimír Žalud, Malware Analyst\r\nBots\r\nEmotet developers are keeping up with the times and, as many other projects do, started supporting the 64-bit\r\narchitecture. Emotet’s 32-bit binaries are no longer distributed. There have also been some minor changes in their\r\nbackend workflow. While previously we could have expected to receive the fingerprinting module only once, just\r\nafter the registration, we are receiving it with every request now. The module’s distribution has also changed a bit.\r\nIn the past, we would see a new file size quite regularly; now the file size seems to remain stable. However,\r\nEmotet samples themselves have gotten bigger; after a quick look, this was due to Nirsoft’s Mail\r\nPassView being included in these new samples.\r\nPerhaps the most noticeable change in botnet behavior was spurred by Microsoft’s announcement that it will be\r\nsignificantly harder to execute VBA macros in documents downloaded from the internet. Since malicious\r\ndocuments are one of the most popular infection vectors, spambots had to react. We have already observed\r\ncybercriminals using alternative attack vectors, such as LNK files linking to malicious resources on the internet.\r\nSome of the new substitutes are rather unusual. 
For example, ISO and IMG files are usually images of optical\r\ndiscs and hard drives (or SSDs), but they are now being used as archives instead. Newer versions of Microsoft\r\nWindows provide a native way of mounting these images, so a double-click is enough to expose their content. At\r\nthe time, files inside a mounted image did not inherit the Mark of the Web from the downloaded container, so the\r\nprotections tied to it (Protected View and the new macro block) did not apply to them. They have therefore become\r\na viable alternative to maldocs. There are also a few added benefits to using ISO images, such as hiding the actual\r\npayload (a DLL or script) as a hidden file inside the image, so that a visible LNK file can launch it locally without\r\nneeding to rely on remote resources.\r\nIn Q2/2022, authorities from the United States, Germany, the Netherlands, and the United Kingdom claim to\r\nhave dismantled the RSOCKS botnet. This botnet consisted of millions of hacked devices that were rented as\r\nproxies to anyone wanting to route their traffic through these devices. Only the botnet was disrupted, so the owner\r\nmay still try to rebrand and relaunch the operation. This theory is supported by a post from the Rsocks account on\r\nthe BlackHatWorld forum that informs about RSocks’ end of existence and about a transfer of all active plans and\r\nfund balances to another service which is yet to be announced.\r\nWhile the development of many botnets was rather turbulent, the landscape itself and the risk ratio remained\r\nrather stable. The most significant increase in risk ratio was in Brazil, where users had an approximately 35%\r\nhigher chance of encountering this kind of malware attack compared to Q1/2022. In contrast to the previous\r\nquarter, the risk ratio has almost stabilized in Russia and Ukraine.\r\nIn terms of the war in Ukraine, we are still seeing attacks associated with the conflict, usually as a retaliatory\r\naction; for instance, attacks targeting Lithuanian infrastructure after Lithuania imposed a partial goods blockade on\r\nKaliningrad. 
On the other hand, we have observed a decline in websites that include code to use site visitors’\r\ncomputers to carry out DDoS attacks on Russian infrastructure. Nevertheless, it is still too soon to declare complete\r\n“professionalization” of attacks. After the aforementioned attacks on the Lithuanian infrastructure, it should not be\r\nmuch of a surprise that Ukrainian Telegram channels organizing cyber-vigilantes are also still active and new\r\nDDoS target lists are being distributed.\r\nGraph showing users (globally) Avast protected from botnet attacks in Q1/2022 vs. Q2/2022\r\nMap showing global risk ratio for botnets in Q2/2022\r\nWe have seen a significant decline in several major botnet families, notably Emotet, Phorpiex, Ursnif, and\r\nMyloBot. On the other hand, Qakbot, SDBot, and Amadey have seen rather significant increases in their\r\nmarket share. The most common bots we are seeing are:\r\nEmotet\r\nAmadey\r\nPhorpiex\r\nMyKings\r\nQakbot\r\nNitol\r\nTofsee\r\nAdolf Středa, Malware Researcher\r\nCoinminers\r\nWith the energy crisis on our shoulders and electricity bills reaching new heights, coinminers can cause more\r\nharm than ever before. Fortunately, in comparison to the previous quarter, there was quite a big decline in the\r\noverall coinmining activities during Q2/2022: a 17% drop in risk ratio in total. This is further underlined by the fact\r\nthat cryptocurrencies are at their long-term lows, making the return on investment less attractive for the attackers.\r\nGraph showing users (globally) Avast protected from coinmining in Q2/2022\r\nEven though the number of overall attacks decreased, we did observe users in some countries being targeted more\r\nthan others, including Madagascar with a 9.12% risk ratio (+57% Q2/2022 vs. Q1/2022). Based on our\r\ntelemetry, this is due to the increased NeoScrypt activity in the region. 
The second most impacted country is\r\nSerbia with a 7.16% risk ratio (+25% Q2/2022 vs. Q1/2022), where we saw web miners used more often.\r\nMap showing global risk ratio for coinminer attacks in Q2/2022\r\nThe leading trend continues to be web miners. These miners are commonly used as a substitute for, or on top of, ads\r\non websites, to further monetize site owners’ profits, and are usually completely hidden and run without any users’\r\nconsent.\r\nThe notorious XMRig still leads the murky waters of executable miners, whether used as a standalone\r\napplication, hidden as the final payload of the vast constellation of droppers and mining worms, or\r\nconfigured as a dedicated module of information stealers and other monetary-focused malware.\r\nThe most common coinminers in Q2/2022 were:\r\nWeb miners (various strains)\r\nXMRig\r\nCoinBitMiner\r\nNeoScrypt\r\nCoinHelper\r\nAt this point, we would like to remind our readers about the distinction between mining tools and mining\r\nmalware. If you are interested in learning the difference between the two, please read our guidelines.\r\nJan Rubín, Malware Researcher\r\nInformation Stealers\r\nTwo important things happened in Q2/2022: The first is the shutdown of Zloader at the end of March. The\r\nsecond is the release of version 2.0 of Raccoon Stealer in May.\r\nDespite this, Q2/2022 didn’t bring much change in the overall numbers. The trend is just slightly increasing,\r\nfollowing the previous quarter.\r\nGraph showing users (globally) Avast protected from information stealers in Q1/2022 and Q2/2022\r\nTargeted regions also didn’t change much; the number of users we protected in countries around the world only\r\nchanged slightly compared to the previous quarter. 
The only notable change happened in Angola, where the risk\r\nratio dropped (-18%), mostly due to a decline in Fareit infections.\r\nMap showing global risk ratio for information stealers in Q2/2022\r\nThe most common information stealers in Q2/2022 were:\r\nFormBook\r\nLokibot\r\nAgentTesla\r\nFareit\r\nRedLine\r\nVIPSpace\r\nReturn of Raccoon Stealer\r\nRaccoon Stealer is a popular information stealer that has been around since 2019. It is capable of stealing\r\nvarious data, including cookies and cryptowallet files. The actors behind Raccoon Stealer use the Telegram\r\ninfrastructure to deliver actual C\u0026C addresses to bots. You can read our in-depth technical analysis of Raccoon\r\nStealer here.\r\nIn March 2022, the development and spreading of Raccoon Stealer was paused: a team member allegedly died\r\nduring the war in Ukraine.\r\nHowever, we started to see new samples of Raccoon Stealer in May 2022, indicating the beginning of the group’s\r\nnew era. Shortly after, in late June 2022, the group announced that Raccoon Stealer 2.0 is ready\r\nand released and that the group is back in business.\r\nInterestingly, the new version is much simpler and smaller. The malware’s authors didn’t use any traffic\r\nencryption, C\u0026Cs are hardcoded in the samples, responses from C\u0026C servers are no longer in JSON format, and\r\nmore features that were included in version 1.0 are missing. For defenders this is good news: hardcoded\r\naddresses fall out of a strings pass over the sample, and plaintext traffic can be inspected on the wire.\r\nZloader Shutdown\r\nZloader was an infamous banker with a wide range of capabilities: it was able to download and execute other\r\nmalware, and steal cookies and cryptowallet files. It was also able to inject arbitrary code in HTML pages to steal\r\nmoney from online banking systems. 
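The hardcoded, unencrypted C\u0026C addresses of Raccoon Stealer 2.0 described above are the kind of artifact a quick static triage can pull straight out of a sample. The following is an added example, not code from the report or from any tool it mentions: it scans a byte buffer for URLs in both ASCII and UTF-16LE (the wide-string encoding Windows binaries commonly use), checking both UTF-16 alignments so odd-offset strings are not missed, deduplicates the hits, and flags the plain-http ones. The sample buffer and hostnames are constructed for the demonstration (.invalid is a reserved TLD); point it at an unpacked binary or memory dump for real candidates, and treat the output as leads to verify, not confirmed C\u0026C.

```python
import re

# URL shape: scheme, host, optional port, optional path. Deliberately simple;
# the goal is triage leads, not a full RFC 3986 parser.
URL_RE = re.compile(r'https?://[A-Za-z0-9.-]+(?::[0-9]+)?(?:/[A-Za-z0-9._/%?=&-]*)?')

# Constructed stand-in for a dumped stealer binary (not a real sample): one URL
# stored as an ASCII string, one as a UTF-16LE wide string starting on an odd
# offset, padded with zero bytes. Hostnames use the reserved .invalid TLD.
SAMPLE = (
    b'MZ' + bytes(30)
    + b'http://c2-one.example.invalid/gate/log.php' + bytes(7)
    + 'https://c2-two.example.invalid:8443/'.encode('utf-16-le') + bytes(9)
    + b'Mozilla/5.0 (Windows NT 10.0; Win64; x64)' + bytes(4)
)


def candidate_texts(data):
    # Yield an ASCII (latin-1) view plus both UTF-16LE alignments, so wide
    # strings are found whether they start on an even or an odd byte offset.
    yield data.decode('latin-1')
    for offset in (0, 1):
        chunk = data[offset:]
        chunk = chunk[: len(chunk) - (len(chunk) % 2)]
        yield chunk.decode('utf-16-le', errors='replace')


def extract_urls(data):
    # Collect every URL-looking string across all views, deduplicated and sorted.
    found = set()
    for text in candidate_texts(data):
        found.update(URL_RE.findall(text))
    return sorted(found)


def plaintext_c2(urls):
    # A bare http:// scheme means the bot traffic itself is unencrypted on the
    # wire, which is exactly what the Raccoon 2.0 change above implies.
    return [u for u in urls if u.startswith('http://')]


if __name__ == '__main__':
    urls = extract_urls(SAMPLE)
    for u in urls:
        print(u)
    print('plaintext transport:', plaintext_c2(urls))
```

Feed the functions the raw bytes of a file (`extract_urls(open(path, 'rb').read())`); on packed samples run them against a memory dump taken after unpacking, since the strings only exist in clear once the payload is unpacked.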
\r\nOur mission is to protect digital freedom, and in order to do so, we need to go after the bad guys who threaten that\r\nfreedom. At the end of March 2022, after months of cooperating with Microsoft and other major players from the\r\nsecurity industry, our analysis of Zloader played a role in taking down the Zloader infrastructure. A Zloader team\r\nmember was also identified as a result of the investigations. We haven’t seen any new Zloader C\u0026C activities\r\nsince.\r\nDuring our analysis of Zloader, we discovered links to other malware: Raccoon Stealer and Ursnif. Two out\r\nof three Zloader download tasks contained links to Raccoon Stealer samples that used the same configuration.\r\nFurthermore, Raccoon Stealer was mentioned in an analysis published by Check Point before we received\r\ncommands from C\u0026Cs which included links to Raccoon Stealer. A bigger surprise to us was when we found\r\nZloader samples and Ursnif samples signed with the same code-signing certificate. This leads us to believe that the group\r\nbehind Zloader is either working with the groups behind Raccoon Stealer and Ursnif or purchased and applied\r\ntheir products.\r\nJan Rubín, Malware Researcher\r\nVladimir Martyanov, Malware Researcher\r\nRansomware\r\nFor those who read our previous Threat Reports (Q1/2022, Q4/2021, etc.), you may recall that the volume of\r\nransomware attacks had been declining over the past few quarters. This was most likely a result of several busts\r\nand takedowns, Russian officials prosecuting ransomware gangs, and other impactful actions carried out by law\r\nenforcement. The bad news is that this is no longer the case in Q2/2022. We’ve witnessed a significant increase\r\nof ransomware attacks: +24% globally compared to Q1/2022. 
Clearly, ransomware is not going away this year.\r\nGraph showing users (globally) Avast protected from ransomware in Q1/2022 and Q2/2022\r\nThe countries in which users are most at risk of encountering ransomware are:\r\nYemen (0.53% risk ratio)\r\nEgypt (0.41%)\r\nAlgeria (0.37%)\r\nVietnam (0.32%)\r\nMap showing global risk ratio for ransomware in Q2/2022\r\nThe highest Q/Q increases in ransomware risk ratio occurred in Argentina (+56%), UK (+55%), Brazil (+50%),\r\nFrance (+42%), and India (+37%).\r\nThe most prevalent ransomware samples in Q2/2022 were:\r\nSTOP\r\nWannaCry\r\nConti (and its successors)\r\nLockbit\r\nThanatos\r\nHiddenTear variants\r\nCrySiS\r\nCryakl\r\nIt’s well known that the ransomware business is based on blackmail – the cybercriminals render data\r\ninaccessible in the hope that victims pay to get their data back. The process, however, is, unfortunately, not that\r\nstraightforward. According to a recent survey conducted by Venafi, 35% of victims paid the ransom but were\r\nstill unable to retrieve their data. This is a good reminder that there is no guarantee that upon paying the ransom,\r\nvictims get their data back. Please back up your data regularly, and keep at least one copy offline or otherwise out\r\nof reach of the machines it protects, since ransomware routinely encrypts or deletes any backup it can reach – so\r\nthat if you fall victim to ransomware, you are not pressured into paying a ransom to get your data back!\r\nTo protect your computer or company’s network even further, make sure you regularly update your PC – the\r\noperating system, your antivirus, and even the applications you are using. According to our fellow security\r\nresearchers at Group-IB, ransomware gangs are relying on existing vulnerabilities more and more, exploiting them\r\nto get their ransomware onto devices. 
According to the joint report by Cyber Security Works, Securin,\r\nCyware and Ivanti, there was a 6.8% increase in vulnerabilities actively exploited by ransomware\r\n(Q1/2022 vs. Q4/2021), and there are now 157 vulnerabilities actively being exploited by ransomware\r\noperators.\r\nLuckily, ransomware developers are humans too, so they can make mistakes when developing their “products”.\r\nOne such example is the TaRRaK ransomware, which we successfully analyzed and found a weakness in its\r\nencryption scheme. This allowed us to release a free decryption tool for the ransomware in June.\r\nRelated to the same topic, a legitimate company can improve its product by announcing a bug bounty – an open\r\ncontest challenging everyone to find bugs in its product and rewarding them for it. Ransomware developers do the\r\nsame. The authors of LockBit 3.0 announced a bug bounty program, paying for bugs found in their website and\r\nencryption, and even paying people who deliver good ideas to the ransomware gang.\r\nOn the bright side, the operators behind the AstraLocker ransomware announced that they are shutting down\r\ntheir business and moving on to the area of crypto-jacking. As part of the shutdown, a ZIP file with decryptors was\r\npublished. Anyone who fell victim to this ransomware in the past can therefore now decrypt their data without\r\npaying the ransom.\r\nIn our previous report, we described the latest development around the Sodinokibi / REvil ransomware. After\r\nthe arrest of some of the gang members at the end of 2021 and the decline of the ransomware samples, things\r\nchanged a bit in Q2/2022. On April 7th, Russian news agency TASS reported that “Washington announced\r\nthat it unilaterally shut down the communication channel on cybersecurity with Moscow”. Shortly after this, on\r\nApril 19th, REvil’s Tor sites were back online and a new ransomware operation began. Two weeks later,\r\nnew ransomware samples started to appear. 
It seemed that REvil was back at that moment, but luckily pretty much\r\nnothing related to REvil has happened since. Let’s hope it will stay that way.\r\nBut Sodinokibi/REvil was not the only ransomware group with ties to Russia…\r\nConti\r\nThe first public mention of victims of the new Conti ransomware dates back to 2019. However, it was not\r\nentirely new; it was a continuation of the Ryuk ransomware from 2018, which had ties to the Hermes\r\nransomware from 2017. Over time, Conti transformed from a small ransomware group to a ransomware\r\nsyndicate, and it was in the news spotlight many times in Q2/2022.\r\nWe’ve previously reported about a breach of Conti’s infrastructure by a Ukrainian security researcher leading to a\r\nleak of their source code and internal communications. Conti, which had collected more than 150 million USD in\r\nransom as of January 2022, based on estimates from the US Department of State, resumed its operations and\r\ncontinued targeting dozens of organizations. Moreover, in Q2/2022, Conti targeted 27 Costa Rican government\r\nbodies, causing the country to declare a national state of emergency. A second wave of attacks\r\ntargeting the country’s healthcare was carried out using HIVE, a ransomware-as-a-service which Conti has ties to.\r\nOur telemetry reveals Costa Rica as the fourth highest country in terms of risk ratio (+101% increase, compared\r\nto Q1/2022).\r\nConti’s resurrection was short-lived, and ended in June when their operations were shut down by its authors. We\r\nbelieve it was a result of multiple factors, including the aforementioned leak, unwanted attention, the revealed\r\nconnection to Russia, and complications with victim payments, because these may be violating U.S. 
economic\r\nsanctions on Russia.\r\nUnfortunately, the end of one malware threat rarely means peace and quiet, and this especially applies to\r\nransomware. The end of the Conti syndicate may lead to hundreds of cybercriminals moving to work with other\r\ngroups, such as Hive, BlackCat, or Quantum, or working on new ransomware “brands”, e.g. Black\r\nBasta or Karakurt. Let’s see how the Conti story will continue in Q3/2022…\r\nJakub Křoustek, Malware Research Director\r\nLadislav Zezula, Malware Researcher\r\nRemote Access Trojans (RATs)\r\nSame year, new quarter, and a similar level of RAT activity. This quarter’s RAT activity was in line with what we are\r\nused to seeing, although spiced up by the appearance of some previously unseen RATs. We can speculate that the\r\nactivity is going to slightly decrease in the summer.\r\nGraph showing users (globally) Avast protected from RATs in Q1/2022 and Q2/2022\r\nThe most affected countries in Q2/2022 were Papua New Guinea, Yemen and Turkmenistan. There was a drop in\r\nRAT activity in countries involved in the ongoing war in Ukraine, with risk ratios dropping by 26% in\r\nUkraine compared to Q1/2022, by 43% in Russia, and by 33% in Belarus. This might suggest a bit of slowing\r\ndown after the initial wave of attacks we reported in our last report. On the other hand, we’ve seen a huge increase\r\nin RAT attacks in Japan (+63%), due to AsyncRat, and in Germany (+28%), mainly due to Netwire.\r\nMap showing global risk ratio for RATs in Q2/2022\r\nThe most prevalent RATs based on our telemetry in this quarter were:\r\nnjRAT\r\nWarzone\r\nAsyncRat\r\nRemcos\r\nNanoCore\r\nNetWire\r\nHWorm\r\nQuasarRAT\r\nLuminosityLink\r\nFlawedAmmyy\r\nWhile njRAT and Warzone are steadily leading the bunch, there has been a change in the third spot. AsyncRat\r\nmoved up by one place. 
One of the reasons for this change might be that the Follina vulnerability (CVE-2022-30190) was used to\r\ndistribute this RAT, as we reported in June.\r\nOther RATs whose prevalence increased considerably in Q2/2022:\r\nBlackNix\r\nVanillaRAT\r\nHWorm\r\nBorat\r\nHWorm is a RAT written in JavaScript; we saw a big increase in detections, causing the RAT to make it into the\r\ntop 10 most prevalent RATs this quarter. HWorm was mostly active in Africa and Central Asia.\r\nThe Borat RAT, which appeared in Q1/2022, is steadily gaining a foothold amongst its competition. It made\r\nthe news again when its source code leaked. It turned out it was decompiled code and not the original source\r\ncode; nevertheless this leak might still lead to derivatives appearing.\r\nIn May, we tweeted about a campaign targeting UniCredit bank in Italy which made use of a slightly modified\r\nversion of HorusEyes. HorusEyes is a RAT publicly available on GitHub.\r\nIn our Q1/2022 report, we closed our RAT section mentioning two new RATs written in Go. In Q2/2022, there\r\nwas at least one new addition, the Nerbian RAT. Nerbian is usually delivered via phishing emails with Microsoft\r\nOffice attachments containing macros. The macro executes a downloader, which deploys the RAT payload on\r\nvictims’ computers. The set of features included is fairly common, as you would expect in a modern RAT,\r\nincluding logging keystrokes, capturing the screen, etc.\r\nWe have also spotted malware which seems to be a crossover between a bot and a RAT, named MSIL/Bobik,\r\nbeing used to carry out DDoS attacks. Its features also include manipulating files and exfiltrating them from\r\nvictim systems, deploying additional malware, stealing credentials, etc. 
We tweeted some of its targets, which\r\nappear to be companies and governments supporting Ukraine.\r\nAPT group GALLIUM, likely a Chinese state-sponsored group, was seen using a new remote access trojan named\r\nPingPull, as reported by Palo Alto Networks Unit 42. PingPull can make use of three protocols to facilitate\r\ncommunication with its command and control server (ICMP, HTTP, and raw TCP); the ICMP channel is worth\r\nnoting, since many environments inspect HTTP but never look at ICMP payloads. It tries to hide as an “Iph1psvc”\r\nservice mimicking the legitimate IP Helper service (iphlpsvc), taking on a lookalike name and its description; note\r\nthe digit “1” in place of the “l”, a homoglyph trick worth checking for when reviewing installed services. The functions\r\navailable include manipulating files, enumerating drives and running commands on the victim system.\r\nAt the end of June, we observed a new campaign delivering the AgentTesla RAT to potential victims in the Czech\r\nRepublic and Hungary, using phishing emails as an entry point. The emails claim confirmation of an unspecified\r\ncheck is needed, referring to a previous phone call (that never happened) in order to trick recipients into opening\r\nthe attachment.\r\nThere was another piece of news regarding AgentTesla: A group of three suspected global scammers from\r\nNigeria were arrested, according to INTERPOL. They used AgentTesla to access business computers and divert\r\nmonetary transactions to their own accounts.\r\nThe last days of this quarter brought news of ZuoRAT targeting SOHO routers, as reported by Lumen. 
This RAT\r\nallows attackers to pivot into the local network and to make connected devices install additional malware.\r\nOndřej Mokoš, Malware Researcher\r\nRootkits\r\nIn Q2/2022, rootkit activity remained on the same level as the previous quarter, as illustrated in the chart below.\r\nA small surprise is the relatively stable trend this quarter, despite the many campaigns that we have observed, as\r\ncampaigns usually cause peaks in trends.\r\nGraph showing users (globally) Avast protected from rootkits in Q4/2021, Q1/2022, and Q2/2022\r\nIn our previous quarterly report, we introduced the rising trend of r77-Rootkit (R77RK), representing 37% of\r\nall identified rootkits. This trend continued in Q2/2022, and R77RK represented more than 57% of the rootkits\r\nwe detected. We also monitored the activity of R77RK in its GitHub repository, and it is evident that the rootkit\r\ndevelopment is still active within several new branches. Consequently, R77RK has become the major rootkit, since\r\nits trend copies the overall rootkit trend in Q2/2022, as the graph below demonstrates.\r\nUsers (globally) Avast protected from rootkits in Q2/2022 vs. users (globally) Avast protected from the\r\nR77Rootkit in Q2/2022\r\nThis phenomenon can explain the stable trend, as integrating R77RK into any malware is easy thanks to the\r\nexcellent rootkit documentation. Therefore, malware authors have started to abuse this rootkit more frequently.\r\nThe map below shows that China is still the most at-risk country in terms of all the users we protected from\r\nrootkits in general, and that R77RK has spread to South America, Africa, Eastern Europe, and Southwest Asia.\r\nIn comparison to Q1/2022, the risk ratio has increased for users in the following countries: Brazil, Ukraine,\r\nColombia, and Italy. 
On the other hand, the risk ratio decreased for users in Taiwan, Malaysia, and China.\r\nIn summary, China remains the country in which users have the highest risk of encountering a rootkit, and the\r\nactivity seems uniform due to the increasing dominance of R77RK. We will have to wait until Q3/2022 to see\r\nwhether or not R77RK is still the most prevalent rootkit in the wild.\r\nWe also published an analysis of Syslogk, a new evasive Linux malware we discovered. Even if other\r\nopen-source kernel rootkits (e.g. Reptile) are clearly more prevalent Linux threats, we noticed that stealthier\r\nLinux malware is being developed (e.g. Symbiote and OrBit). Let’s see if cybercriminals will continue to\r\ntarget Linux servers next quarter.\r\nMartin Chlumecký, Malware Researcher\r\nDavid Álvarez, Malware Researcher\r\nTechnical support scams\r\nIt appears the scammers behind tech support scams (TSS) are taking a break to enjoy the summer weather, as there\r\nwere no big spikes in TSS activity in Q2/2022. In May, we saw a 12% drop in comparison to the previous\r\nmonth. This drop may be partially due to the INTERPOL operation against social engineering scammers.\r\nAccording to the report, many call centers worldwide were raided by the police in an attempt to clamp down on\r\norganized crime.\r\nGraph showing users (globally) Avast protected from tech support scams in Q2/2022\r\nThe top affected countries are still the same as in Q1/2022, but it looks like there was a slight increase in TSS\r\nactivity in risk ratio in Japan (+2.35%) as well as Germany (+0.98%) in Q2/2022, compared to Q1/2022.\r\nMap showing global risk ratio for tech support scams in Q2/2022\r\nScreenshot of a prevalent TSS targeting users in Japan\r\nIn Q2/2022, we registered hundreds of unique telephone numbers used in TSS scams. 
Here are the top 20\r\nphone numbers:\r\nAlexej Savčin, Malware Analyst\r\nVulnerabilities and Exploits\r\nQ2/2022 surprised us with the return of Candiru. This notorious spyware vendor came back with an updated\r\ntoolset and fresh zero-day exploits. We managed to capture two zero-days used by Candiru, and discovered\r\nevidence suggesting that they have at least one more zero-day at their disposal.\r\nThe first zero-day we found abused a bug in WebRTC (CVE-2022-2294) and was exploited to attack Google\r\nChrome users in highly targeted watering hole attacks. As the bug was located in WebRTC, it affected not only\r\nGoogle Chrome, but also many other browsers. As a result, Google, Microsoft, and Apple all had to patch their\r\nrespective browsers. This WebRTC vulnerability allowed Candiru to achieve remote code execution (RCE) in a\r\nsandboxed renderer process. A second zero-day exploit was needed to escape the sandbox. Unfortunately, Candiru\r\nwas serious about protecting its zero-days against threat hunters like us, so the nature of the sandbox escape\r\nexploit remains a mystery for now.\r\nA third zero-day that Candiru exploited to get into the Windows kernel, on the other hand, did not remain a\r\nmystery to us. This was a vulnerability in a third-party signed driver that Candiru smuggled onto their target’s\r\nmachine, BYOVD style. This vulnerability was a textbook example of a common vulnerability class, where a\r\ndriver exposes IOCTLs that let attackers directly access physical memory.\r\nIn other vulnerability news, the Follina zero-day (discovered in the wild by nao_sec in May) was widely\r\nexploited by all kinds of attackers, ranging from common opportunistic cybercriminals to Russia-linked APTs\r\noperating in Ukraine. Interestingly, we also discovered an outbreak of Follina targeting Palau, an enchanting tiny\r\narchipelago in Micronesia. 
\r\nFollina remained unpatched for quite a while which, combined with the ease of exploitation, made it a very\r\nserious threat. Follina was mostly exploited through Microsoft Office documents, where it could execute arbitrary\r\ncode even without the victim having to enable macros. This relates to another factor that might have contributed to\r\nFollina’s popularity: Microsoft’s decision to block macros by default. While Microsoft seemed to be unsure about\r\nthis decision, rolling it back shortly after announcing it because of “user feedback”, the latest decision is to block\r\nmacros from untrusted sources by default. We hope it stays that way.\r\nThe most frequently used exploit for macOS was MacOS:CVE-2019-6225 in Q2/2022. This memory corruption\r\nissue was present in macOS, iOS, and tvOS, and malware strains were using it to elevate privileges.\r\nFurthermore, MacOS:CVE-2022-26766 was also prevalent as it affected tvOS, iOS, iPadOS, macOS, and\nwatchOS. The software did not validate a certificate. Malicious apps were thus able to bypass signature validation.\nJan Vojtěšek, Malware Researcher\nWeb skimming\nIn Q2/2022 we observed several malicious domains that served skimmer code for months without being taken\ndown. For example, we have been detecting fraudlabpros[.]at since February 2022 and it is still active and\nserving heavily obfuscated malicious skimmer code.\nThe code below was found on the infected e-commerce site pricelulu[.]co[.]uk. Malicious actors continuously use\nthe same technique: they pretend to load a script from googletagmanager.com, but instead malicious JavaScript\nfrom //fraudlabpros[.]at/jquery.min.js?hash=a7214c982403084a1681dd6 is loaded.\nAnother domain that is still active and has been used since at least February is segtic[.]com; it has resolved to IP\n54.39.48.95 since 2020-09-29. 
It is connected to jqueryllc[.]net, which was used in malicious code as an exfiltration\ndomain for payment details.\nThe most common content detection in Q2/2022 was a skimmer that mostly attacks Magento websites. This\nskimmer exploits compromised third-party websites to exfiltrate payment details. The exfiltration path for payment\ndetails was the same every time – /pub/health_check.php. In some cases the skimmer was\na simple 50-line script; in other cases, the skimmer inserted its own payment form on the compromised website and\nthe payment details were custom encoded before exfiltration.\nMap showing global risk ratio for web skimming in Q2/2022\nThis quarter, we saw an increase in web skimmer activity in Serbia, caused by the malicious domain\r\nyoursafepayments[.]com, which infected the e-commerce website planetbike[.]rs. The malicious domain is the\r\nsame one used in the attack on Philco Brazil in February that we tweeted about. Several e-commerce websites\r\naround the world have been infected with this malicious domain, and attackers have also used other filenames that\r\ncontain malicious code (des.css, back.css, text.css, s.css), not just fonts.css.\r\nOverall, web skimming attacks are still prevalent, and in many cases they remain on infected websites for a long\r\ntime.\r\nPavlína Kopecká, Malware Analyst\r\nMobile Threats\r\nAdware\r\nAs with last quarter, adware clearly dominates the mobile threat landscape, as has been the case for the last\r\nfew years. 
While not necessarily as malicious as other Android threats, adware has a significant negative impact\r\non the user experience with intrusive advertisements that can permeate the entire device, often paired with stealth\r\nfeatures to avoid discovery.\r\nStrains such as HiddenAds and FakeAdblockers use overlays that go on top of the user’s intended activity,\r\ncreating pop-ups that hassle and frustrate the user when using the infected device. Another common feature used\r\nin strains such as MobiDash is to delay adware activity by several days to fool the user into thinking it may be\r\ncaused by another app. Coupled with stealth features such as hiding their own app icon and name, the adware\r\nmay become fairly difficult for the user to identify.\r\nWhile the Google Play Store has been a favorite method of delivery, repackaged games and applications are\r\nincreasingly being bundled with adware. Users are advised to avoid unofficial app sources to prevent adware\r\ninfection, and to check reviews as well as permissions on official app stores. Adware is often disguised as games,\r\nQR code scanners, camera filters and photo editing apps, among others.\r\nAsia, the Middle East, and South America continue to be the regions most affected by mobile adware, as shown in\r\nthe map below. Brazil, India, Argentina, and Mexico hold the top spots; however, we saw a 33% decrease in\r\nprotected users on average when compared to last quarter in these countries. On the other hand, the US holds fifth\r\nplace, where we see a 15% uptick in protected users. Despite these shifts, adware remains a\r\npersistent threat and annoyance to users worldwide.\r\nMap showing global risk ratio for mobile adware in Q2/2022\r\nBankers\r\nQ2/2022 was eventful in the mobile banker malware domain. 
While Cerberus/Alien holds the top spot for\r\nmost users protected, Hydra has again been surpassed by Flubot for second place. This is despite the news that\r\nthe Flubot group was disbanded by Europol in May. Avast observed a large SMS phishing campaign in\r\nseveral European countries just prior to the takedown. It remains to be seen what effect Flubot’s takedown will\r\nhave on the overall banker sphere.\r\nInfection vectors for bankers appear to remain largely the same, relying on fake delivery messages, voicemails and\r\nsimilar. These masquerading techniques appear to yield results, as reflected in the continuously high numbers of\r\nprotected users. Unfortunately, we have observed that infected devices are often used to further spread banker\r\nmalware via SMS and other messaging services, contributing to the high numbers.\r\nTaking into account Flubot’s takedown in May, as well as other disruptions to its spread last quarter, we see a\r\nsteady decrease in the number of protected users from last quarter. We have dipped below the numbers prior to\r\nFlubot’s entry into the market back in April 2021.\r\nGraph showing users (globally) Avast protected from mobile bankers in Q1/2021-Q2/2022\r\nIn Q2/2022, Spain, Turkey and Australia are again the most targeted markets, as has been the case for several\r\nquarters now, despite an average of 24% fewer protected users when compared to last quarter. 
Interestingly,\r\nFrance and Japan are also among the top affected countries, where, despite the downward trend of banker attacks,\r\nwe see a 12% increase in protected users.\r\nMap showing global risk ratio for mobile bankers in Q2/2022\r\nTrojanSMS\r\nAs reported in Q1/2022, a new wave of premium subscription-related scams was unleashed on Android users.\r\nThe UltimaSMS, GriftHorse and DarkHerring malware strains caused significant hassle and financial losses to\r\nusers worldwide. Continuing the trend of SMS-focused malware, we are seeing a big uptick in users protected\r\nfrom a newly discovered strain of TrojanSMS, SMSFactory, taking the top spot in Q2/2022, followed by\r\nDarkHerring.\r\nSMSFactory takes a different approach when compared to the previous premium SMS subscription malware.\r\nInstead of subscribing victims to premium services, it sends SMS messages to premium numbers to extract money\r\nfrom its victims. Unlike UltimaSMS or others that used the Play Store as an infection vector, SMSFactory is\r\nspreading through pop-ups, redirects and fake app stores. It has gathered a considerable number of victims in a\r\nshort span of time. With its stealth features, such as hiding its icon and not having an app name, it may prove\r\ndifficult to identify and remove, causing havoc on the victim’s phone bill.\r\nThere is a notable shift in focus, mainly due to SMSFactory’s worldwide spread. Brazil, Russia and Germany have\r\nthe highest number of protected users, while Iraq, Azerbaijan and Haiti have the highest risk numbers. It is clear\r\nSMSFactory takes a different and effective approach to its spread, and this is reflected in the high numbers of\r\nprotected users.\r\nMap showing global risk ratio for mobile TrojanSMS in Q2/2022\r\nThe quarterly Q2/2022 graph shows a steady increase, mainly due to SMSFactory and its new versions popping\r\nup later in the quarter. 
We expect this trend to continue into the next quarter.\r\nGraph showing users (globally) Avast protected from mobile Trojan SMS in Q2/2022\r\nJakub Vávra, Malware Analyst\r\nAcknowledgements / Credits\r\nMalware researchers\r\nAdolf Středa\r\nAlexej Savčin\r\nDavid Álvarez\r\nIgor Morgenstern\r\nJakub Křoustek\r\nJakub Vávra\r\nJan Holman\r\nJan Rubín\r\nJan Vojtěšek\r\nLadislav Zezula\r\nLuigino Camastra\r\nMartin Chlumecký\r\nOndřej Mokoš\r\nPavlína Kopecká\r\nVladimir Martyanov\r\nVladimír Žalud\r\nData analysts\r\nPavol Plaskoň\r\nCommunications\r\nStefanie Smith\r\nA group of elite researchers who like to stay under the radar.\r\nSource: https://decoded.avast.io/threatresearch/avast-q2-2022-threat-report/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://decoded.avast.io/threatresearch/avast-q2-2022-threat-report/"
	],
	"report_names": [
		"avast-q2-2022-threat-report"
	],
	"threat_actors": [
		{
			"id": "6ad410c7-e291-4327-a54b-281c23f0d4fa",
			"created_at": "2022-10-25T16:07:24.501468Z",
			"updated_at": "2026-04-10T02:00:05.013427Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Mushy Scorpius"
			],
			"source_name": "ETDA:Karakurt",
			"tools": [
				"7-Zip",
				"Agentemis",
				"AnyDesk",
				"Cobalt Strike",
				"CobaltStrike",
				"FileZilla",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"WinZip",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2af9bea3-b43e-4a6d-8dc6-46dad6e3ff24",
			"created_at": "2022-10-25T16:47:55.853415Z",
			"updated_at": "2026-04-10T02:00:03.856263Z",
			"deleted_at": null,
			"main_name": "GOLD TOMAHAWK",
			"aliases": [
				"Karakurt",
				"Karakurt Lair",
				"Karakurt Team"
			],
			"source_name": "Secureworks:GOLD TOMAHAWK",
			"tools": [
				"7-Zip",
				"AnyDesk",
				"Mega",
				"QuickPacket",
				"Rclone",
				"SendGB"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "079e3d6e-24ef-42b0-b555-75c288f9efd8",
			"created_at": "2023-03-04T02:01:54.105946Z",
			"updated_at": "2026-04-10T02:00:03.359009Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Karakurt Lair"
			],
			"source_name": "MISPGALAXY:Karakurt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7a8dbc5e-51a8-437a-8540-7dcb1cc110b8",
			"created_at": "2022-10-25T16:07:23.482856Z",
			"updated_at": "2026-04-10T02:00:04.627414Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"G0142"
			],
			"source_name": "ETDA:Confucius",
			"tools": [
				"ApacheStealer",
				"ByeByeShell",
				"ChatSpy",
				"Confucius",
				"MY24",
				"Sneepy",
				"remote-access-c3",
				"sctrls",
				"sip_telephone",
				"swissknife2"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea",
			"created_at": "2023-01-06T13:46:38.745572Z",
			"updated_at": "2026-04-10T02:00:03.086207Z",
			"deleted_at": null,
			"main_name": "APT40",
			"aliases": [
				"ATK29",
				"Red Ladon",
				"MUDCARP",
				"ISLANDDREAMS",
				"TEMP.Periscope",
				"KRYPTONITE PANDA",
				"G0065",
				"TA423",
				"ITG09",
				"Gingham Typhoon",
				"TEMP.Jumper",
				"BRONZE MOHAWK",
				"GADOLINIUM"
			],
			"source_name": "MISPGALAXY:APT40",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bf3ffe5-09ba-4378-8ea4-a6d748a494fd",
			"created_at": "2022-10-25T15:50:23.264584Z",
			"updated_at": "2026-04-10T02:00:05.334294Z",
			"deleted_at": null,
			"main_name": "GALLIUM",
			"aliases": [
				"GALLIUM",
				"Granite Typhoon"
			],
			"source_name": "MITRE:GALLIUM",
			"tools": [
				"ipconfig",
				"cmd",
				"China Chopper",
				"PoisonIvy",
				"at",
				"PlugX",
				"PingPull",
				"BlackMould",
				"Mimikatz",
				"PsExec",
				"HTRAN",
				"NBTscan",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "053574fc-5d11-4a41-9741-057e111c7a39",
			"created_at": "2023-11-08T02:00:07.157454Z",
			"updated_at": "2026-04-10T02:00:03.429471Z",
			"deleted_at": null,
			"main_name": "Confucious",
			"aliases": [],
			"source_name": "MISPGALAXY:Confucious",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40 ",
				"GADOLINIUM ",
				"Gingham Typhoon ",
				"Kryptonite Panda ",
				"Leviathan ",
				"Nanhaishu ",
				"Pickleworm ",
				"Red Ladon ",
				"TA423 ",
				"Temp.Jumper ",
				"Temp.Periscope "
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "38f8da87-b4ba-474b-83e6-5b04d8fb384b",
			"created_at": "2024-02-02T02:00:04.032871Z",
			"updated_at": "2026-04-10T02:00:03.532955Z",
			"deleted_at": null,
			"main_name": "Caramel Tsunami",
			"aliases": [
				"SOURGUM",
				"Candiru"
			],
			"source_name": "MISPGALAXY:Caramel Tsunami",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "caf95a6f-2705-4293-9ee1-6b7ed9d9eb4c",
			"created_at": "2022-10-25T15:50:23.472432Z",
			"updated_at": "2026-04-10T02:00:05.352882Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"Confucius",
				"Confucius APT"
			],
			"source_name": "MITRE:Confucius",
			"tools": [
				"WarzoneRAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9faf32b7-0221-46ac-a716-c330c1f10c95",
			"created_at": "2022-10-25T16:07:23.652281Z",
			"updated_at": "2026-04-10T02:00:04.702108Z",
			"deleted_at": null,
			"main_name": "Gallium",
			"aliases": [
				"Alloy Taurus",
				"G0093",
				"Granite Typhoon",
				"Phantom Panda"
			],
			"source_name": "ETDA:Gallium",
			"tools": [
				"Agentemis",
				"BlackMould",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"Gh0stCringe RAT",
				"HTran",
				"HUC Packet Transmit Tool",
				"LaZagne",
				"Mimikatz",
				"NBTscan",
				"PingPull",
				"Plink",
				"Poison Ivy",
				"PsExec",
				"PuTTY Link",
				"QuarkBandit",
				"Quasar RAT",
				"QuasarRAT",
				"Reshell",
				"SPIVY",
				"SinoChopper",
				"SoftEther VPN",
				"Sword2033",
				"WCE",
				"WinRAR",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Yggdrasil",
				"cobeacon",
				"nbtscan",
				"netcat",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c87ee2df-e528-4fa0-bed6-6ed29e390688",
			"created_at": "2023-01-06T13:46:39.150432Z",
			"updated_at": "2026-04-10T02:00:03.231072Z",
			"deleted_at": null,
			"main_name": "GALLIUM",
			"aliases": [
				"Red Dev 4",
				"Alloy Taurus",
				"Granite Typhoon",
				"PHANTOM PANDA"
			],
			"source_name": "MISPGALAXY:GALLIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b9806584-4d82-4f32-ae97-18a2583e8d11",
			"created_at": "2022-10-25T16:07:23.787833Z",
			"updated_at": "2026-04-10T02:00:04.749709Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"APT 40",
				"ATK 29",
				"Bronze Mohawk",
				"G0065",
				"Gadolinium",
				"Gingham Typhoon",
				"ISLANDDREAMS",
				"ITG09",
				"Jumper Taurus",
				"Kryptonite Panda",
				"Mudcarp",
				"Red Ladon",
				"TA423",
				"TEMP.Jumper",
				"TEMP.Periscope"
			],
			"source_name": "ETDA:Leviathan",
			"tools": [
				"AIRBREAK",
				"Agent.dhwf",
				"Agentemis",
				"AngryRebel",
				"BADFLICK",
				"BlackCoffee",
				"CHINACHOPPER",
				"China Chopper",
				"Cobalt Strike",
				"CobaltStrike",
				"DADJOKE",
				"Dadstache",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"GRILLMARK",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEFRY",
				"Hellsing Backdoor",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LUNCHMONEY",
				"Living off the Land",
				"MURKYTOP",
				"Moudour",
				"Mydoor",
				"NanHaiShu",
				"Orz",
				"PCRat",
				"PNGRAT",
				"PlugX",
				"RedDelta",
				"SeDLL",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"cobeacon",
				"gresim",
				"scanbox"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434568,
	"ts_updated_at": 1775792281,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/28b3fccea91691089263b0b8d409323e283d6d17.pdf",
		"text": "https://archive.orkl.eu/28b3fccea91691089263b0b8d409323e283d6d17.txt",
		"img": "https://archive.orkl.eu/28b3fccea91691089263b0b8d409323e283d6d17.jpg"
	}
}