Top 10 Malware Q1 2024

By: The Center for Internet Security, Inc. (CIS®) Cyber Threat Intelligence (CTI) team at the Multi-State Information Sharing and Analysis Center® (MS-ISAC®)

Published May 2, 2024


In Q1 2024, the Top 10 Malware observed at the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) changed slightly from the previous quarter. The downloader SocGholish continues to lead as the Top Malware, making up 60% of the Top 10 Malware. ArechClient2, a .NET-based Remote Access Trojan (RAT), came in second, while CoinMiner, a malicious cryptocurrency miner, was the third most prevalent malware in Q1 2024. Lumma Stealer, Jupyter, and Ratenjay all returned to the list in Q1. Please see below for more detailed malware descriptions and associated indicators of compromise.

MS-ISAC Malware Notifications Q4 2023

Malware Infection Vectors

The MS-ISAC tracks potential initial infection vectors for the Top 10 Malware each quarter based on open-source reporting, as depicted in the graph below. We currently track four initial infection vectors: Dropped, Malvertisement, Malspam, and Network. Some malware use different vectors in different contexts and are tracked as Multiple.

The CIS Community Defense Model (CDM) v2.0 can help you defend against 77% of the MITRE ATT&CK (sub-)techniques associated with malware, regardless of the infection vector they use.

In Q1, Malvertisement was the number one initial infection vector due to a significant increase in alerts related to SocGholish and its ongoing campaign where it masquerades as software updates for initial access. Additionally, the Dropped category increased 290% from the previous quarter due to an increase in Gh0st and Ratenjay activity.

Top 10 Malware – Initial Infection Vectors Q1 2024

Dropped — Malware delivered by other malware already on the system, an exploit kit, infected third-party software, or manually by a cyber threat actor. Top 10 Malware currently using this technique include Gh0st and Ratenjay.

Malspam — Unsolicited emails, which either direct users to malicious websites or trick users into downloading or opening malware. Top 10 Malware currently using this technique include Agent Tesla and NanoCore.

Multiple — Malware that currently uses at least two vectors, such as dropped and malspam. Top 10 Malware currently using this technique include ArechClient2, CoinMiner, and Lumma Stealer.

Malvertisement — Malware introduced through malicious advertisements. Top 10 Malware currently using this technique include Jupyter, RogueRaticate, and SocGholish.

Top 10 Malware and IOCs

Below are the Top 10 Malware listed in order of prevalence. The associated indicators of compromise (IOCs) are provided to aid in detecting and preventing infections from these malware variants. The IOCs below are suitable for threat hunting, but some of them (for example, hosts on shared platforms or content delivery networks) are not inherently malicious and should be validated in context before they are added to block lists.

1. SocGholish

SocGholish is a downloader written in JavaScript and is distributed through malicious or compromised websites. It lures users with fake software updates, such as browser or Flash updates, to trick them into downloading the malware. The malware uses multiple methods for traffic redirection and payload delivery, is known to deploy Cobalt Strike, and steals information from the victim’s system. SocGholish can also lead to further exploitation, such as loading the NetSupport remote access tool, AsyncRAT, and, in some cases, ransomware.

Domains

assay[.]porchlightcommunity[.]org
eeatgoodx[.]com
event[.]coachgreb[.]com
funcallback[.]com
gitbrancher[.]com
libertariancounterpoint[.]com
pluralism[.]themancav[.]com
usersync[.]tiqcdn[.]net
whitedrill[.]org

IP Addresses

81[.]94[.]150[.]21
83[.]69[.]236[.]128
88[.]119[.]169[.]108
91[.]121[.]240[.]104
185[.]158[.]251[.]240
193[.]233[.]140[.]136

2. ArechClient2

ArechClient2, also known as SectopRAT, is a .NET RAT with numerous capabilities, including multiple defense evasion functions. ArechClient2 can profile victim systems, steal information such as browser and crypto-wallet data, and launch a hidden secondary desktop to control browser sessions. Additionally, it has several anti-VM and anti-emulator capabilities.

IP Addresses

34[.]107[.]35[.]186
77[.]73[.]133[.]83
195[.]201[.]198[.]179

SHA256 Hashes

8e289b8dfc7e4994d808ef79a88adb513365177604fe587f6efa812f284e21a3
a835602db71a42876d0a88cc452cb60001de4875a5e91316da9a74363f481910
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
9118c090b3c2b7e945397eae30585bd6d3c5924ed677f2cb2259f1223ade4b18
99254891543a79f2a6ea6163ff10dfd12c839655e8012d199ccc6b6c530d8f5f

3. CoinMiner

CoinMiner is a cryptocurrency miner family that typically uses Windows Management Instrumentation (WMI) to spread across a network. It also commonly persists through WMI permanent event subscriptions, binding an event filter to a script-executing consumer (such as ActiveScriptEventConsumer) so that its scripts run whenever the filter fires. Capabilities vary between the many variants. CoinMiner spreads through malspam or is dropped by other malware.
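The persistence mechanism described above is worth hunting for directly: every WMI permanent event subscription is a triple of an `__EventFilter`, an `__EventConsumer` subclass, and a `__FilterToConsumerBinding` that joins them, and the binding is what an operator must correlate. The script below is an added example (not MS-ISAC tooling and not CoinMiner code) that joins a snapshot of those three classes, scores each binding, and separates a Windows default binding from an implant. The three record sets are constructed for the demonstration, modelled on what `Get-CimInstance -Namespace root/subscription` returns; the suspicious-token list is an assumption to tune per environment.

```python
"""
Hunt for WMI permanent event subscriptions of the kind miners and RATs use
for persistence. Added example; the FILTERS/CONSUMERS/BINDINGS below are a
constructed snapshot of the root/subscription namespace, not real data.
"""
import re

# Consumer classes that run attacker-supplied code when the bound filter fires.
CODE_CONSUMERS = ("ActiveScriptEventConsumer", "CommandLineEventConsumer")

# Substrings that make a consumer payload worth a closer look (assumption:
# tune this list to your environment).
SUSPICIOUS_TOKENS = ("powershell", "-enc", "downloadstring", "frombase64string",
                     "wscript", "mshta", "certutil", "bitsadmin")

# Filters that fire on timers, uptime or process activity give durable persistence.
RECURRING_FILTER = re.compile(
    r"__InstanceModificationEvent|__InstanceCreationEvent|__TimerEvent|Win32_ProcessStartTrace",
    re.IGNORECASE)

# ---- constructed snapshot: one Windows default binding plus one implant ----
FILTERS = [
    {"Name": "SCM Event Log Filter", "Query": "select * from MSFT_SCMEventLogEvent"},
    {"Name": "BotFilter82",
     "Query": ("SELECT * FROM __InstanceModificationEvent WITHIN 60 "
               "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' "
               "AND TargetInstance.SystemUpTime >= 240")},
]
CONSUMERS = [
    {"__CLASS": "NTEventLogEventConsumer", "Name": "SCM Event Log Consumer"},
    {"__CLASS": "ActiveScriptEventConsumer", "Name": "BotConsumer23",
     "ScriptingEngine": "JScript",
     "ScriptText": "var s=new ActiveXObject('WScript.Shell');"
                   "s.Run('powershell -nop -w hidden -enc SQBFAFgA',0);"},
]
BINDINGS = [
    {"Filter": '__EventFilter.Name="SCM Event Log Filter"',
     "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"'},
    {"Filter": '__EventFilter.Name="BotFilter82"',
     "Consumer": 'ActiveScriptEventConsumer.Name="BotConsumer23"'},
]


def parse_path(path):
    """Split a WMI object path such as ActiveScriptEventConsumer.Name="X" into (class, name)."""
    m = re.fullmatch(r'(\w+)\.Name="(.*)"', path)
    if not m:
        raise ValueError(f"unexpected WMI path: {path}")
    return m.group(1), m.group(2)


def assess(filters, consumers, bindings):
    """Join every __FilterToConsumerBinding to its filter and consumer and score it."""
    filter_by_name = {f["Name"]: f for f in filters}
    consumer_by_key = {(c["__CLASS"], c["Name"]): c for c in consumers}
    findings = []
    for b in bindings:
        _, fname = parse_path(b["Filter"])
        cclass, cname = parse_path(b["Consumer"])
        flt = filter_by_name.get(fname)
        con = consumer_by_key.get((cclass, cname)) or {}
        payload = con.get("ScriptText") or con.get("CommandLineTemplate") or ""
        reasons = []
        if flt is None or not con:
            reasons.append("binding points at a missing filter or consumer")
        if cclass in CODE_CONSUMERS:
            reasons.append(f"{cclass} executes arbitrary code")
        tokens = [t for t in SUSPICIOUS_TOKENS if t in payload.lower()]
        if tokens:
            reasons.append("payload contains " + ", ".join(tokens))
        if flt and RECURRING_FILTER.search(flt["Query"]):
            reasons.append("filter fires on recurring system activity")
        findings.append({"filter": fname, "consumer": cname, "class": cclass,
                         "score": len(reasons), "reasons": reasons})
    return sorted(findings, key=lambda x: x["score"], reverse=True)


def suspicious(findings):
    """Bindings with at least one reason; the default SCM binding scores zero."""
    return [f for f in findings if f["score"] > 0]


if __name__ == "__main__":
    for f in assess(FILTERS, CONSUMERS, BINDINGS):
        print(f["score"], f["class"], f["filter"], "->", f["consumer"], f["reasons"])
```

On a live host, feed the same function with the output of the three CIM queries (`__EventFilter`, `__EventConsumer`, `__FilterToConsumerBinding` under `root/subscription`); the join on the object path is what distinguishes a dormant, unbound consumer from one that actually executes.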

IP Addresses

80[.]71[.]158[.]96
167[.]114[.]114[.]169

SHA256 Hashes

6fb4945bb73ac3f447fb7af6bd2937395a067a6e0c0900886095436114a17443
72f1ba6309c98cd52ffc99dd15c45698dfca2d6ce1ef0bf262433b5dfff084be
99d9dfd8f1c11d055e515a02c1476bd9036c788493063f08b82bb5f34e19dfd6
a4f20b60a50345ddf3ac71b6e8c5ebcb9d069721b0b0edc822ed2e7569a0bb40
8a492973b12f84f49c52216d8c29755597f0b92a02311286b1f75ef5c265c30d
d37224bd65996195415c0de364cb80f78609e5ea83e5295600b364298b39d7d1

URLs

evinfeoptasw[.]dedyn[.]io/updater[.]php
eldi8[.]github[.]io/src[.]txt
euserv3[.]herokuapp[.]com/c0s1ta/index[.]php
eu1[.]microtunnel[.]it/c0s1ta/index[.]php

4. NanoCore

NanoCore is a RAT spread via malspam with an attachment, such as a malicious Excel (.xls) spreadsheet. NanoCore accepts commands to download and execute files, visit websites, and add registry keys for persistence.

Domains

hadleyshope[.]3utilities[.]com
louinc928[.]gotdns[.]ch

IP Addresses

193[.]161[.]193[.]99

SHA256 Hashes
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5. Agent Tesla

Agent Tesla is a RAT that targets Windows operating systems. It is sold on criminal forums as Malware-as-a-Service. Its capabilities depend on the version purchased and include capturing keystrokes and screenshots, harvesting saved credentials from web browsers, copying clipboard data, exfiltrating victim files, and loading other malware onto the host.

Domains

topendpower[.]top
7070bc8[.]sytes[.]net

IP Addresses

34[.]154[.]74[.]85
45[.]33[.]8[.]30
91[.]92[.]250[.]136

SHA256 Hashes

95e526a19a39942ee7073e28adddb685bb5bb41f889858c91bea644c657acb36
5c2c93b18caa56e2591d32399c6bca39c03f27ab9fc21faa565915ffcb4944a0
4de0c431cb9805cb419d42e5f3630a74393ed10409bf0e6d3d65c7b95e380aa5
f712b4e15225a89a206e7168e702fefc5cc9fabf62ae2a3a598796a0c36da621
dbbc943775cef80dc40c35392e895c1ce2e29945d9ffd418c6cc348373cbbbf0
8b78d6da98f169fd75cb59064e11661d4b56461385985214833732b0b7958301
4f972768d48bae371172ca8a9387331a7a8c1ad13dbc0022c8dba93ac5c4fe2a

6. Lumma Stealer

Lumma Stealer is an infostealer malware sold on the dark web that targets personally identifiable information, such as credentials, cookies, and banking information. Additionally, it has numerous defense evasion capabilities, including detecting whether the infected system is a virtual environment, detecting user activity on the system, and encrypting its executable to prevent reverse engineering.

Domains

chincenterblandwka[.]pw
loogsporus[.]pw
meayyammgaterre[.]pw
netovrema[.]pw
opposesicknessopw[.]pw
politefrightenpowoa[.]pw

SHA256 Hashes

7603c6dd9edca615d6dc3599970c203555b57e2cab208d87545188b57aa2c6b1
674d96c42621a719007e64e40ad451550da30d42fd508f6104d7cb65f19cba51
48cbeb1b1ca0a7b3a9f6ac56273fbaf85e78c534e26fb2bca1152ecd7542af54
483672a00ea676236ea423c91d576542dc572be864a4162df031faf35897a532
01a23f8f59455eb97f55086c21be934e6e5db07e64acb6e63c8d358b763dab4f

7. Ratenjay

Ratenjay is a RAT dropped by other malware or downloaded as a file onto a victim’s system. It executes commands remotely and includes keylogging capabilities.

IP Addresses

94[.]158[.]247[.]101
167[.]235[.]141[.]81

8. Jupyter

Jupyter, also known as SolarMarker, is a highly evasive and adaptive .NET infostealer. For initial access, the threat actors set up watering-hole websites that trick unsuspecting users into downloading a malicious document, often a ZIP or PDF file carrying a malicious executable, and use SEO poisoning to push those sites up in search result rankings.

IP Addresses

86[.]106[.]20[.]155
146[.]70[.]81[.]77
146[.]70[.]88[.]119
146[.]70[.]101[.]97

SHA256 Hashes

f08673c59d7d5fa6d87784a8c6560d32b57bfa4ea9a5fcd4e68991bf85a001fe
ef1d778b5efb65f684e8e6501db508dbab2b0ee40e928662539da377f9363605
e95c03486d63185ff6fd0996865d1437f3a135d0da2b268e529eed0d3c4488b8
e675ada65b850344af62cee3d42e6f526b3f8acfb711d1144692aa7c95b1c367
e349ade11956f85ca535fdbb8f3266fcab8680782ae756304bf54d75be265cd7
e0b2457491a8c2d50710aa343ad1957a76f83ceaf680165ffa0e287fe18abbd6
ca59e25646db40e71372aaa5517c4c5c0907b014d4d41c434d0322b99902cdfe
c34b7f29d9f7b8031d8dd86730473753e616644323a634167fbf853a6e5fc704
bb00eae53865d5d316941969455270a84a6e7039e119bdcff9d2ff3460385cdd
59b22f656ce9285f837706d3a2ca952c6008524d8f26c16cfdc36a06ddfe1368
075564c99ceb389d65faf3342d13d8bb39bbbd0d6966d3a345a8c3062f0a0d1b

9. RogueRaticate

RogueRaticate is a downloader written in JavaScript that is distributed through malicious or compromised websites using fake browser updates. Its payload is an HTML Application (.hta) file, delivered inside a ZIP archive or fetched by a shortcut (.lnk) file. RogueRaticate is known to lead to additional exploitation, such as loading the NetSupport remote access tool.

SHA256 Hashes

1d9900c8dbaa47d2587d08b334d483b06a39acb27f83223efc083759f1a7a4f6
08d9df800127f9fb7ff1a246346e1cf5cfef9a2521d40d6b2ab4e3614a19b772

10. Gh0st

Gh0st is a RAT used to control infected endpoints. Gh0st is dropped by other malware to create a backdoor that allows an attacker to fully control the infected device.

Domains

ad[.]jcrsoft[.]com
alienlol[.]com
a1free9bird[.]com
beiyeye[.]401hk[.]com
hodbeast[.]com
icybin[.]flnet[.]org
ip[.]yototoo[.]com
siekis[.]com
tcp[.]nhntech[.]com
worldinfocontact[.]club
xiaoxiannv[.]gnway[.]net

SHA256 Hashes

f86d05c1d7853c06fc5561f8df19b53506b724a83bb29c69b39f004a0f7f82d8
7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8
bf52ca4d4077ae7e840cf6cd11fdec0bb5be890ddd5687af5cfa581c8c015fcd
d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297
5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
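The note at the top of this section, that these indicators are for hunting and are not all safe to block, is easiest to act on with a small amount of tooling. The script below is an added example, not part of the MS-ISAC post, that refangs a subset of the indicators listed above exactly as published, classifies each one, and searches constructed proxy, DNS and process-creation log lines for them. It matches subdomains of a listed domain, matches listed URLs only on host plus path (so other sites on the same shared platform are not flagged), and normalizes hash case. The log lines and the list of shared-hosting suffixes are constructed assumptions for the demonstration.

```python
"""
Refang the indicators published in the post and hunt for them in proxy, DNS
and process logs. Added example, not MS-ISAC tooling; LOG_LINES are constructed.
"""
import re
from collections import Counter

# A subset of the Q1 2024 indicators above, exactly as published (defanged).
DEFANGED_IOCS = {
    "SocGholish": ["gitbrancher[.]com", "whitedrill[.]org", "185[.]158[.]251[.]240"],
    "CoinMiner": ["167[.]114[.]114[.]169",
                  "6FB4945BB73AC3F447FB7AF6BD2937395A067A6E0C0900886095436114A17443",
                  "eldi8[.]github[.]io/src[.]txt"],
    "Gh0st": ["tcp[.]nhntech[.]com"],
}

# Assumption: hosts under these suffixes are shared platforms, so only the full
# URL is meaningful; blocking the parent domain would break legitimate traffic.
SHARED_HOSTING_SUFFIXES = ("github.io", "herokuapp.com")

# Constructed log records in the form "<time> <source> key=value ...".
LOG_LINES = [
    "2024-03-04T10:15:02Z proxy src=10.0.4.18 host=gitbrancher.com url=/update.js action=allow",
    "2024-03-04T10:15:09Z dns src=10.0.4.18 query=cdn.whitedrill.org type=A answer=185.158.251.240",
    "2024-03-04T11:02:44Z proc host=WS-117 image=C:/Users/a/AppData/Local/Temp/svc.exe "
    "sha256=6fb4945bb73ac3f447fb7af6bd2937395a067a6e0c0900886095436114a17443",
    "2024-03-04T11:03:01Z proxy src=10.0.4.18 host=eldi8.github.io url=/src.txt action=allow",
    "2024-03-04T11:07:30Z proxy src=10.0.9.2 host=docs.github.io url=/index.html action=allow",
]


def refang(ioc):
    """Undo the publisher's defanging so the value can be compared to logs."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


def classify(value):
    if re.fullmatch(r"[0-9a-f]{64}", value):
        return "sha256"
    if re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", value):
        return "ipv4"
    return "url" if "/" in value else "domain"


def build_index(defanged):
    """Map every refanged indicator to (family, kind)."""
    return {refang(raw): (family, classify(refang(raw)))
            for family, iocs in defanged.items() for raw in iocs}


def parse_line(line):
    parts = line.split()
    return {k: v for k, v in (p.split("=", 1) for p in parts[2:] if "=" in p)}


def observables(fields):
    """Yield (kind, value) pairs from one log record that an indicator could match."""
    for key in ("host", "query"):
        if key in fields:
            yield "domain", fields[key].lower()
    for key in ("answer", "dst"):
        if key in fields:
            yield "ipv4", fields[key]
    if "sha256" in fields:
        yield "sha256", fields["sha256"].lower()
    if "host" in fields and "url" in fields:
        yield "url", fields["host"].lower() + fields["url"]


def matches(kind, observed, ioc):
    if kind == "domain":   # a listed domain also covers its subdomains
        return observed == ioc or observed.endswith("." + ioc)
    if kind == "url":      # prefix match on host+path, never on the host alone
        return observed.startswith(ioc)
    return observed == ioc


def hunt(lines, index):
    hits = []
    for n, line in enumerate(lines, 1):
        for kind, observed in observables(parse_line(line)):
            for ioc, (family, ioc_kind) in index.items():
                if ioc_kind != kind or not matches(kind, observed, ioc):
                    continue
                note = "exact"
                if kind == "domain" and observed != ioc:
                    note = "subdomain of indicator"
                if kind == "url" and ioc.split("/")[0].endswith(SHARED_HOSTING_SUFFIXES):
                    note = "shared hosting: hunt on full URL, do not block the domain"
                hits.append({"line": n, "family": family, "kind": kind,
                             "ioc": ioc, "observed": observed, "note": note})
    return hits


def summarize(hits):
    return dict(Counter(h["family"] for h in hits))


if __name__ == "__main__":
    for h in hunt(LOG_LINES, build_index(DEFANGED_IOCS)):
        print(h["line"], h["family"], h["kind"], h["observed"], "|", h["note"])
```

The fifth log line, a visit to another site on github.io, produces no hit: the URL indicator is matched on host plus path, which is the behaviour wanted for shared platforms. The same reasoning applies to any CDN or SaaS hostname in the lists above before it goes into a block rule.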

Stay Informed about Cyber Threats

The quarterly Top 10 Malware list is just one of the ways the CIS CTI team helps U.S. State, Local, Tribal, and Territorial (SLTT) government organizations strengthen their cybersecurity posture.


About the Author

The CIS Cyber Threat Intelligence (CTI) team at the Multi-State and Elections Infrastructure Information Sharing and Analysis Centers (MS-ISAC® and EI-ISAC®) functions as the premier CTI source for all U.S. State, Local, Tribal, and Territorial (SLTT) entities and election offices. With decades of combined experience in all types of industries, the CTI team pushes out curated SLTT-centric threat intelligence reporting as well as malicious indicators via near real-time threat feeds. This information helps SLTTs anticipate and proactively defend against emerging cyber threats and shifts in adversarial tactics, techniques, and procedures.

Supported via cooperative agreement No. 23CISMSI00003-01-01 - 09/29/2025 awarded through the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security (U.S. DHS). The analysis, findings, and conclusions or recommendations expressed in this document are those of the MS-ISAC and EI-ISAC.