{
	"id": "b32ebd43-17ff-4df5-be9b-a1fffbfa96e5",
	"created_at": "2026-04-06T01:31:12.628482Z",
	"updated_at": "2026-04-10T03:36:47.788279Z",
	"deleted_at": null,
	"sha1_hash": "98d52a3a51de58f87d23944f6cd24b18f3e05895",
	"title": "Blog |Top 10 Malware March 2022",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 466380,
	"plain_text": "Blog |Top 10 Malware March 2022\r\nPublished: 2022-04-15 · Archived: 2026-04-06 00:39:28 UTC\r\nIn March 2022, the Top 10 stayed consistent with the previous month, with malware only changing positions within the Top 10.\r\nThe exceptions are Gh0st and Jupyter, both returning to the Top 10. Gh0st is a RAT used to control\r\ninfected endpoints. Gh0st is dropped by other malware to create a backdoor into a device that allows an attacker to\r\nfully control the infected device. Jupyter, aka SolarMarker, is a highly evasive and adaptive .NET infostealer that\r\nis downloaded by leveraging SEO-poisoning to create watering hole sites for the purpose of deceiving\r\nunsuspecting users who visit the website and download a malicious document, often a zip or PDF file embedded\r\nwith a malicious executable. The Top 10 Malware variants comprise 76% of the total malware activity in March\r\n2022, increasing 4% from February 2022.\r\nhttps://www.cisecurity.org/insights/blog/top-10-malware-march-2022\r\nPage 1 of 5\n\nMalware Infection Vectors\r\nThe MS-ISAC tracks potential primary infection vectors for our Top 10 Malware each month based on open-source reporting, as depicted in the graph below. We currently track four initial infection vectors: Dropped,\r\nMalvertisement, Malspam, and Network. The MS-ISAC has not had any malware in the Top 10 use the initial\r\ninfection vector Network in the past year. Some malware employ different vectors in different contexts and are\r\nthus tracked as Multiple.\r\nOur Community Defense Model (CDM) v2.0 can help you defend against 77% of ATT\u0026CK (sub-)techniques\r\nassociated with malware – regardless of the infection vector they use. Learn more in the video below.\r\nIn March 2022, Malvertisement accounted for the greatest number of alerts. Malvertisement remains the top initial\r\ninfection vector due to Shlayer activity. 
Activity levels for Malvertisement and Multiple decreased, while activity\r\nfor Dropped and Malspam increased. It is likely that Malvertisement will remain the primary infection vector as\r\nthe Shlayer campaign continues. The Multiple category increases and decreases at an unpredictable rate, which\r\nmakes it difficult to analyze trends. This category will likely continue to comprise a significant portion of the\r\ninitial infection vectors as malware becomes more sophisticated and employs multiple methods to infect systems.\r\nMalspam consistently represents a portion of the Top 10 malware as it is one of the oldest and most reliable\r\nprimary initial infection vectors used by cyber threat actors in both this category and the Multiple category.\r\nDropped – Malware delivered by other malware already on the system, an exploit kit, infected third-party\r\nsoftware, or manually by a cyber threat actor. Currently, Gh0st, Jupyter, and Mirai are the malware using this\r\ntechnique.\r\nMultiple – Malware that currently favors at least two vectors. Currently, Arechclient2, CoinMiner, Delf, and ZeuS\r\nare the malware utilizing multiple vectors.\r\nMalspam – Unsolicited emails that either direct users to malicious web sites or trick users into downloading or\r\nopening malware. Top 10 Malware using this technique include Agent Tesla and NanoCore.\r\nMalvertisement – Malware introduced through malicious advertisements. Currently, Shlayer is the only Top 10\r\nMalware using this technique.\r\nTop 10 Malware and IOCs\r\nBelow are the Top 10 Malware ranked in order of prevalence. The respective indicators of compromise (IOCs) are\r\nprovided to aid in detecting and preventing infections from these Top 10 Malware variants. Note: The associated\r\nURIs are aligned with malware’s respective domain(s) or IP(s) and increase the likelihood of maliciousness when\r\nfound together. 
The URIs alone are not inherently malicious.\r\n1. Shlayer\r\nShlayer is a downloader and dropper for MacOS malware. It is primarily distributed through malicious websites,\r\nhijacked domains, and malvertising posing as a fake Adobe Flash updater.\r\nAll Shlayer domains follow the same pattern \u003capi.random_name.com\u003e. Below are several examples of domains\r\nShlayer uses.\r\n2. ZeuS\r\nZeuS is a modular banking trojan that uses keystroke logging to compromise victim credentials when the user\r\nvisits a banking website. Since the release of the ZeuS source code in 2011, many other malware variants have\r\nadopted parts of its codebase, which means that events classified as ZeuS may actually be other malware using\r\nparts of the ZeuS code.\r\n3. Agent Tesla\r\nAgent Tesla is a RAT that exfiltrates credentials, logs keystrokes, and captures screenshots from an infected\r\ncomputer.\r\n4. NanoCore\r\nNanoCore is a RAT spread via malspam as a malicious Excel XLS spreadsheet. As a RAT, NanoCore can accept\r\ncommands to download and execute files, visit websites, and add registry keys for persistence.\r\n5. CoinMiner\r\nCoinMiner is a cryptocurrency miner family that typically uses Windows Management Instrumentation (WMI)\r\nand EternalBlue to spread across a network. Additionally, it typically uses the WMI Standard Event Consumer\r\nscripting to execute scripts for persistence. However, due to multiple variants of this malware, capabilities may\r\nvary. CoinMiner spreads through malspam or is dropped by other malware.\r\n6. 
Delf\r\nDelf is a family of malware with multiple variants written in the Delphi programming language, where most are\r\ndownloaders. Campaigns, targets, infection vectors, and capabilities vary based on the variant. Delf has multiple\r\ninitial infection vectors, such as: dropped, malspam, or unintentional downloads from a malicious website. Some\r\nof the abilities Delf variants exhibit include: backdoor or proxy functionality, stealing information, terminating\r\nantivirus applications, and mass mailing.\r\n7. Gh0st\r\nGh0st is a RAT used to control infected endpoints. Gh0st is dropped by other malware to create a backdoor into a\r\ndevice that allows an attacker to fully control the infected device.\r\n8. Jupyter\r\nJupyter, aka SolarMarker, is a highly evasive and adaptive .NET infostealer that is downloaded by leveraging\r\nSEO-poisoning to create watering hole sites for the purpose of deceiving unsuspecting users into visiting the website\r\nand downloading a malicious document, often a zip or PDF file embedded with a malicious executable. Jupyter\r\nprimarily targets browser data in browsers such as Chrome, Chromium, and Firefox and has full backdoor\r\nfunctionality.\r\n9. Arechclient2\r\nArechclient2, aka SectopRAT, is a .NET RAT with numerous capabilities, including multiple stealth functions.\r\nArechclient2 can profile victim systems, steal information such as browser and crypto-wallet data, and launch a\r\nhidden secondary desktop to control browser sessions. Additionally, it has several anti-VM and anti-emulator\r\ncapabilities.\r\n10. Mirai\r\nMirai is a malware botnet known to compromise Internet of Things (IoT) devices in order to conduct large-scale\r\nDDoS attacks. 
Mirai is dropped after an exploit has allowed the attacker to gain access to a machine.\r\nAs of June 23, 2025, the MS-ISAC has introduced a fee-based membership. Any potential reference to no-cost\r\nMS-ISAC services no longer applies.\r\nSource: https://www.cisecurity.org/insights/blog/top-10-malware-march-2022",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cisecurity.org/insights/blog/top-10-malware-march-2022"
	],
	"report_names": [
		"top-10-malware-march-2022"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439072,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/98d52a3a51de58f87d23944f6cd24b18f3e05895.pdf",
		"text": "https://archive.orkl.eu/98d52a3a51de58f87d23944f6cd24b18f3e05895.txt",
		"img": "https://archive.orkl.eu/98d52a3a51de58f87d23944f6cd24b18f3e05895.jpg"
	}
}