Top 10 Malware Q2 2024

By: The Center for Internet Security, Inc. (CIS®) Cyber Threat Intelligence (CTI) team at the Multi-State Information Sharing and Analysis Center® (MS-ISAC®)

Published August 9, 2024


In Q2 2024, the Top 10 Malware observed via the MS-ISAC’s monitoring services changed moderately from the previous quarter. The downloader SocGholish continues to lead as the top malware, making up 60% of the list. Agent Tesla, a remote access trojan (RAT), was second, and CoinMiner, a malicious cryptocurrency miner, was third. Magecart and Mirai returned to the Top 10 Malware list in Q2, while ZPHP and DarkGate made their first appearance. Please see below for more detailed malware descriptions and associated indicators of compromise.

[Chart: Top 10 Malware Q2 2024]

Malware Infection Vectors

The MS-ISAC tracks potential initial infection vectors for the Top 10 Malware each quarter based on open-source reporting, as depicted in the graph below. We currently track four initial infection vectors: Dropped, Malvertisement, Malspam, and Network. Some malware use different vectors in different contexts and are tracked as Multiple.

The CIS Community Defense Model (CDM) v2.0 can help you defend against 77% of MITRE ATT&CK (sub-)techniques associated with malware — regardless of the infection vector they use.

In Q2, Malvertisement was the number one initial infection vector due to the ongoing SocGholish and ZPHP malware campaigns. Additionally, the Dropped category increased 38% from the previous quarter due to an increase in Magecart and Mirai activity.

[Graph: Top 10 Malware Q2 2024 initial infection vectors]

Dropped — Malware delivered by other malware already on the system, an exploit kit, infected third-party software, or manually by a cyber threat actor. The threats on our Top 10 Malware list that currently use this technique are Magecart and Mirai.

Malspam — Unsolicited emails, which either direct users to malicious websites or trick users into downloading or opening malware. The threats on our Top 10 Malware list that currently use this technique are Agent Tesla and NanoCore.

Multiple — Malware that currently uses at least two vectors, such as Dropped and Malspam. The threats on our Top 10 Malware list that currently use this technique are ArechClient2, CoinMiner, DarkGate, and Lumma Stealer.

Malvertisement — Malware introduced through malicious advertisements. The threats on our Top 10 Malware list that currently use this technique are SocGholish and ZPHP.

Top 10 Malware and IOCs

Below are the top 10 malware listed in order of prevalence. The associated indicators of compromise (IOCs) are provided to aid in detecting and preventing infections from these malware variants. The below IOCs can be used for threat hunting but may not be inherently malicious for blocking purposes.
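As an added example (not part of the MS-ISAC report), the Python below turns indicators written in the report's defanged style into typed, case-normalized sets and checks constructed key=value log events against them; the sample indicators and log lines are constructed documentation values, not the report's IOCs.

```python
import re
# Constructed sample data in the report's defanged style: documentation values, not the report's IOCs.
SAMPLE_IOCS = """
update-check[.]example[.]test
198[.]51[.]100[.]7
cdn[.]example[.]test/loader[.]php
0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
"""
SAMPLE_LOGS = [  # constructed DNS, proxy and EDR events, also not from the report
    "2024-06-03T10:00:00Z dns host=ws01 qname=www.update-check.example.test",
    "2024-06-03T10:00:05Z proxy host=ws01 dst=198.51.100.7 url=http://198.51.100.7/aa",
    "2024-06-03T10:02:00Z edr host=ws03 sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
]
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
SHA256 = re.compile(r"^[0-9a-f]{64}$")
DOMAIN = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")
def refang(value: str) -> str:
    """Undo the report's defanging ([.], [:], hxxp) so values can be matched against logs."""
    return value.strip().replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")

def classify(raw: str):
    """Map one defanged line to (kind, normalized value), or None if it cannot be typed."""
    v = refang(raw).lower()  # the report mixes hash case; normalize once here
    if SHA256.match(v):
        return "sha256", v
    if IPV4.match(v) and all(int(o) <= 255 for o in v.split(".")):
        return "ipv4", v
    if "/" in v and DOMAIN.match(v.split("/", 1)[0]):
        return "url", v
    return ("domain", v) if DOMAIN.match(v) else None

def load_indicators(text: str) -> dict:
    """Bucket indicator lines by type; a URL's host is also tracked as a domain."""
    iocs = {"sha256": set(), "ipv4": set(), "url": set(), "domain": set()}
    for kind, val in filter(None, map(classify, text.splitlines())):
        iocs[kind].add(val)
    iocs["domain"] |= {u.split("/", 1)[0] for u in iocs["url"]}
    return iocs

def hunt(log_lines, iocs) -> list:
    """Return (line, indicator) for log lines whose key=value fields touch an indicator."""
    hits = []
    for line in log_lines:
        for val in (t.split("=", 1)[-1].lower() for t in line.split()):
            hit = next((d for d in iocs["domain"] if val == d or val.endswith("." + d)),
                       val if val in iocs["ipv4"] | iocs["sha256"] else None)
            if hit:
                hits.append((line, hit))
                break
    return hits
```

Subdomains of a listed domain count as hits, which is why a query for www.update-check.example.test matches the bare indicator.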

1. SocGholish

SocGholish is a downloader written in JavaScript and is distributed through malicious or compromised websites. It uses fake software updates, such as browser updates or Flash updates, to trick users into downloading the malware. The malware uses multiple methods for traffic redirection and payload delivery, commonly uses Cobalt Strike, and steals information from the victim’s system. Additionally, SocGholish can lead to further exploitation, such as by loading the NetSupport and Async remote access tools or even ransomware in some cases.

2. Agent Tesla

Agent Tesla is a RAT that targets Windows operating systems. It is available for purchase on criminal forums as malware-as-a-service. It has various capabilities depending on the version purchased, including capturing keystrokes and screenshots, harvesting saved credentials from web browsers, copying clipboard data, exfiltrating victim files, and loading other malware onto the host.

Domains

equalizerrr[.]duckdns[.]org
ftp[.]fosna[.]net
Ilang[.]in
topendpower[.]top

IP Addresses

34[.]154[.]74[.]85
45[.]33[.]8[.]30
91[.]92[.]250[.]136

3. CoinMiner

CoinMiner is a cryptocurrency miner family that typically uses Windows Management Instrumentation (WMI) to spread across a network. Additionally, it often uses the WMI Standard Event Consumer scripting to execute scripts for persistence. However, the malware’s capabilities may vary since there are multiple variants. CoinMiner spreads through malspam or is dropped by other malware.

IP Addresses

80[.]71[.]158[.]96
167[.]114[.]114[.]169

URLs

evinfeoptasw[.]dedyn[.]io/updater[.]php
eldi8[.]github[.]io/src[.]txt
euserv3[.]herokuapp[.]com/c0s1ta/index[.]php
eu1[.]microtunnel[.]it/c0s1ta/index[.]php

4. NanoCore

NanoCore is a RAT sold on criminal forums and is usually spread via malspam with an attachment, such as a malicious Excel (.xls) spreadsheet. NanoCore has a wide range of capabilities including keylogging, screen capturing, password stealing, data exfiltration, downloading and executing additional files, and adding registry keys for persistence.

Domains

hadleyshope[.]3utilities[.]com
louinc928[.]gotdns[.]ch

IP Addresses

193[.]161[.]193[.]99

5. ZPHP

ZPHP is a downloader written in JavaScript, and similar to SocGholish, it is distributed through malicious or compromised websites via fake browser updates. ZPHP is also known to drop the NetSupport remote access tool and the malware Lumma Stealer.

6. Mirai

Mirai is a malware botnet known to compromise Internet of Things (IoT) devices to conduct large-scale DDoS attacks. Mirai is dropped after a cyber threat actor exploits a device vulnerability for initial access.

7. Magecart

Magecart is a credit card skimming and point-of-sale malware that takes payment data from forms on vulnerable websites. Traffic to the below domains may indicate that the affected host had sensitive financial data compromised.

8. Arechclient2

Arechclient2, also known as SectopRAT, is a .NET RAT with numerous capabilities including multiple defense evasion functions. Arechclient2 can profile victim systems, steal information such as browser and crypto-wallet data, and launch a hidden secondary desktop to control browser sessions. Additionally, it has several anti-virtual machine and anti-emulator capabilities.

IP Addresses

23[.]227[.]203[.]57
45[.]129[.]86[.]82
45[.]141[.]87[.]16

9. DarkGate

DarkGate is a downloader typically sold on Russian-language cybercriminal dark web forums. DarkGate can steal financial information, exfiltrate personally identifiable information (PII), and drop additional malware. It uses legitimate AutoIT files and typically runs AutoIT scripts. Additionally, DarkGate can download and execute files to memory. It comes with a hidden virtual network computing (VNC) module and keylogging capabilities.

URLs

adfhjadfbjadbfjkhad44jka[.]com/aa
adfhjadfbjadbfjkhad44jka[.]com/zanmjtvh
nextroundst[.]com/aa
nextroundst[.]com/ffcxlohx

10. Lumma Stealer

Lumma Stealer is an infostealer malware sold on the dark web that targets PII, such as credentials, cookies, and banking information. Additionally, it has numerous defense evasion capabilities, including the ability to detect whether the infected system is a virtual environment, detect user activity on the system, and encrypt its executable to prevent reverse engineering.

Stay Informed about Cyber Threats

The quarterly Top 10 Malware list is just one of the ways the CIS CTI team helps U.S. State, Local, Tribal, and Territorial (SLTT) government organizations strengthen their cybersecurity posture.

About the Author

The CIS Cyber Threat Intelligence (CTI) team at the Multi-State and Elections Infrastructure Information Sharing and Analysis Centers (MS-ISAC® and EI-ISAC®) functions as the premier CTI source for all U.S. State, Local, Tribal, and Territorial (SLTT) entities and election offices. With decades of combined experience in all types of industries, the CTI team pushes out curated SLTT-centric threat intelligence reporting as well as malicious indicators via near real-time threat feeds. This information helps SLTTs anticipate and proactively defend against emerging cyber threats and shifts in adversarial tactics, techniques, and procedures. Additional information: team tradecraft and indicator feeds.

Supported via cooperative agreement No. 23CISMSI00003-01-01 - 09/29/2025 awarded through the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security (U.S. DHS). The analysis, findings, and conclusions or recommendations expressed in this document are those of the MS-ISAC and EI-ISAC.