Top 10 Malware Q3 2024

By: The Center for Internet Security, Inc. (CIS®) Cyber Threat Intelligence (CTI) team at the Multi-State Information Sharing and Analysis Center® (MS-ISAC®)

Published October 23, 2024


In Q3 2024, the Top 10 Malware observed via the MS-ISAC’s monitoring services changed moderately from the previous quarter. The downloader SocGholish continued to lead as the top malware, making up 42% of the list. Following SocGholish were the downloaders LandUpdate808 and ClearFake. This quarter marked the first time the MS-ISAC observed either of these downloaders in its quarterly Top 10 Malware list.


Malware Infection Vectors

The MS-ISAC tracks potential initial infection vectors for the Top 10 Malware each quarter based on open-source reporting, as depicted in the graph below. We currently track four initial infection vectors: Dropped, Malvertisement, Malspam, and Network. Some malware use different vectors in different contexts and are tracked as Multiple.

The CIS Community Defense Model (CDM) v2.0 can help you defend against 77% of the MITRE ATT&CK (sub-)techniques associated with malware, regardless of the infection vector they use.

In Q3, Malvertisement was the number one initial infection vector due to SocGholish, LandUpdate808, ClearFake, and ZPHP campaigns. Malvertisement is highly likely to continue to be the top initial infection vector observed while these campaigns continue.

Dropped: Malware delivered by other malware already on the system, an exploit kit, infected third-party software, or manually by a cyber threat actor. The threat on our Top 10 Malware list that uses this technique at the time of publication is Mirai.

Malspam: Unsolicited emails, which either direct users to malicious websites or trick users into downloading or opening malware. The threat on our Top 10 Malware list that uses this technique at the time of publication is Agent Tesla.

Multiple: Malware that currently uses at least two vectors, such as Dropped and Malspam. The threats on our Top 10 Malware list that use this technique at the time of publication are ArechClient2, CoinMiner, Lumma Stealer, and NanoCore.

Malvertisement: Malware introduced through malicious advertisements. The threats on our Top 10 Malware list that use this technique at the time of publication are ClearFake, LandUpdate808, SocGholish, and ZPHP.

Top 10 Malware and IOCs

Below are the Top 10 Malware listed in order of prevalence. The associated indicators of compromise (IOCs) are provided to aid in detecting and preventing infections from these malware variants. The IOCs are sourced from CIS Services® and open-source research. They can be used for threat hunting but may not be inherently malicious for blocking purposes.
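Because the indicators are published defanged (`[.]` in place of `.`) and are intended for hunting rather than blocking, the first practical step is to refang and normalise them, then look for exact and subdomain matches in DNS or proxy logs. The following example is added here and is not the report's own code or indicator list; every domain, IP address, hostname and log line in it is a constructed placeholder.

```python
import re

# Constructed sample indicators in the defanged style threat reports use.
# Placeholders for illustration only, not the report's own IOCs.
DEFANGED_IOCS = [
    "Example-Update[.]test",
    "scada.example-construction[.]test",
    "scada.example-construction[.]test",  # duplicate, common in pasted lists
    "192[.]0[.]2[.]10|",                  # stray trailing character
    "hxxp://198[.]51[.]100[.]7/update.js",
]

# Constructed DNS/proxy log lines to hunt through (also placeholders).
SAMPLE_LOG = [
    "2024-10-01T08:12:03Z host1 query A example-update.test",
    "2024-10-01T08:12:09Z host1 query A cdn.scada.example-construction.test",
    "2024-10-01T08:13:44Z host2 query A www.example.org",
    "2024-10-01T08:14:02Z proxy host3 GET http://192.0.2.10/update.js 200",
]

# Hostname/IP-like tokens: letters, digits, dots and hyphens.
TOKEN_RE = re.compile(r"[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?")

def refang(ioc: str) -> str:
    """Turn one defanged indicator into its live, lower-cased form."""
    s = ioc.strip().rstrip("|").strip()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    s = re.sub(r"^hxxp", "http", s, flags=re.I)
    return s.lower()

def build_watchlist(iocs):
    """Deduplicated hostnames/IPs; URL scheme and path are stripped."""
    watch = set()
    for ioc in iocs:
        host = re.sub(r"^https?://", "", refang(ioc)).split("/")[0]
        if host:
            watch.add(host)
    return watch

def hunt(log_lines, watchlist):
    """Return (line_no, indicator) for every log line that mentions an
    indicator exactly or as a subdomain of a listed domain."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for tok in TOKEN_RE.findall(line.lower()):
            for ind in watchlist:
                if tok == ind or tok.endswith("." + ind):
                    hits.append((n, ind))
                    break
    return hits
```

Hits from `hunt()` are leads to triage, not verdicts: as the report notes, a listed domain or IP is not necessarily malicious in every context.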

1. SocGholish

SocGholish is a downloader written in JavaScript and is distributed through malicious or compromised websites via fake browser updates. The malware uses multiple methods for traffic redirection and payload delivery, commonly uses Cobalt Strike, and steals information from the victim’s system. Additionally, SocGholish can lead to further exploitation, such as by loading the NetSupport and Async remote access tools or even ransomware in some cases.

2. LandUpdate808

LandUpdate808 is a downloader written in JavaScript and distributed through malicious or compromised websites via fake browser updates. In recently reported campaigns, once a victim clicks on the fake browser update, a malicious MSIX file and two 7ZIP files download to the victim’s system. When executed, LandUpdate808 installs additional tools, such as the NetSupport remote access tool.

Domains

edveha[.]com
e2sky[.]com
tayakay[.]com

3. ClearFake

ClearFake is a downloader written in JavaScript and is distributed through malicious or compromised websites via fake browser updates. It injects base64-encoded scripts into the HTML of compromised websites. ClearFake also uses PowerShell and loads additional malware such as Amadey, Lumma Stealer, Redline, and Raccoon v2.

4. ZPHP

ZPHP is a downloader written in JavaScript and is distributed through malicious or compromised websites via fake browser updates. ZPHP is also known to drop the NetSupport remote access tool and the malware Lumma Stealer.

5. Agent Tesla

Agent Tesla is a remote access trojan (RAT) that targets Windows operating systems and is available for purchase on criminal forums. It has various capabilities depending on the version purchased, including capturing keystrokes and screenshots, harvesting saved credentials from web browsers, copying clipboard data, exfiltrating victim files, and loading other malware onto the host.

Domains

equalizerrr[.]duckdns[.]org
ftp[.]fosna[.]net
Ilang[.]in
topendpower[.]top

6. CoinMiner

CoinMiner is a cryptocurrency miner family that typically uses Windows Management Instrumentation (WMI) to spread across a network. Additionally, it often uses the WMI Standard Event Consumer scripting to execute scripts for persistence. However, the malware’s capabilities vary, as there are multiple variants. CoinMiner spreads through malspam or is dropped by other malware.

IP Address

80[.]71[.]158[.]96

7. Arechclient2

Arechclient2, also known as SectopRAT, is a .NET RAT with numerous capabilities including multiple defense evasion functions. Arechclient2 can profile victim systems, steal information such as browser and crypto-wallet data, and launch a hidden secondary desktop to control browser sessions. Additionally, it has several anti-virtual machine and anti-emulator capabilities.

IP Addresses

23[.]227[.]203[.]57
45[.]129[.]86[.]82
45[.]141[.]87[.]16

8. Mirai

Mirai is a malware botnet known to compromise Internet of Things (IoT) devices to conduct large-scale Distributed Denial of Service (DDoS) attacks. Mirai is dropped after a cyber threat actor exploits a device vulnerability for initial access.

9. NanoCore

NanoCore is a RAT sold on criminal forums and is usually spread via malspam with an attachment, such as a malicious Excel (XLS) spreadsheet. NanoCore has a wide range of capabilities including keylogging, screen capturing, password stealing, data exfiltration, downloading and executing additional files, and adding registry keys for persistence.

Domains

hadleyshope[.]3utilities[.]com
louinc928[.]gotdns[.]ch

IP Addresses

193[.]161[.]193[.]99

10. Lumma Stealer

Lumma Stealer is an infostealer malware sold on the dark web that targets personally identifiable information (PII), such as credentials and banking information. Additionally, it has numerous defense evasion capabilities, including detecting whether the infected system is a virtual environment, detecting user activity on the system, and encrypting its executable to prevent reverse engineering.

Stay Informed about Cyber Threats

The quarterly Top 10 Malware list is just one of the ways the CIS CTI team helps U.S. State, Local, Tribal, and Territorial (SLTT) government organizations strengthen their cybersecurity posture. The CIS CTI team also supports CIS Threat Aware to help organizations understand what's new in the multi-dimensional threat landscape — regardless of their sector.

About the Author

The CIS Cyber Threat Intelligence (CTI) team at the Multi-State and Elections Infrastructure Information Sharing and Analysis Centers (MS-ISAC® and EI-ISAC®) functions as the premier CTI source for all U.S. State, Local, Tribal, and Territorial (SLTT) entities and election offices. With decades of combined experience in all types of industries, the CTI team pushes out curated SLTT-centric threat intelligence reporting as well as malicious indicators via near real-time threat feeds. This information helps SLTTs anticipate and proactively defend against emerging cyber threats and shifts in adversarial tactics, techniques, and procedures. Additional information: team tradecraft and indicator feeds.

Supported via cooperative agreement No. 23CISMSI00003-01-01 - 09/29/2025 awarded through the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security (U.S. DHS). The analysis, findings, and conclusions or recommendations expressed in this document are those of the MS-ISAC and EI-ISAC.