Top 10 Malware Q4 2024

By: The Center for Internet Security® (CIS®) Cyber Threat Intelligence (CTI) team

Published January 31, 2025


In Q4 2024, the Top 10 Malware observed by the monitoring services of the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) changed slightly from the previous quarter. The downloader SocGholish continued to lead as the top malware, accounting for 53% of the list. CoinMiner, a cryptocurrency miner, and Arechclient2, a remote access trojan (RAT), followed behind SocGholish. Meanwhile, the Ratenjay RAT, the DarkGate downloader, and the Jupyter infostealer all returned to our Top 10 Malware list this quarter.

Figure: Top 10 Malware Q4 2024

Malware Infection Vectors

The MS-ISAC tracks potential initial infection vectors for the Top 10 Malware each quarter based on open-source reporting, as depicted in the "Top 10 Malware — Initial Infection Vectors" graph below. We currently track three initial infection vectors: Dropped, Malvertisement, and Malspam. Some malware use different vectors in different contexts, which are tracked as Multiple.

  • Dropped: Malware delivered by other malware already on the system, an exploit kit, infected third-party software, or manually by a cyber threat actor. The threat on our Top 10 Malware list that used this technique at the time of publication was Ratenjay.
  • Malspam: Unsolicited emails, which either direct users to malicious websites or trick users into downloading and opening malware. The threat on our Top 10 Malware list that used this technique at the time of publication was Agent Tesla.
  • Multiple: Malware that currently uses at least two vectors, such as Dropped and Malspam. The threats on our Top 10 Malware list that used this technique at the time of publication were Arechclient2, CoinMiner, DarkGate, and NanoCore.
  • Malvertisement: Malware introduced through malicious advertisements. The threats on our Top 10 Malware list that used this technique at the time of publication were Jupyter, LandUpdate808, SocGholish, and ZPHP.

The CIS Community Defense Model (CDM) v2.0 can help you defend against 77% of MITRE ATT&CK (sub-)techniques associated with malware — regardless of the infection vector they use. Learn more in the video below.

In Q4, Malvertisement was the number one initial infection vector due to the SocGholish, LandUpdate808, ZPHP, and Jupyter campaigns.

Figure: Top 10 Malware Q4 2024

Top 10 Malware and IOCs

Below are the Top 10 Malware listed in order of prevalence. The CIS CTI team provides associated Indicators of Compromise (IOCs) to aid defenders in detecting and preventing infections from these malware variants. Analysts source these IOCs from threat activity observed via CIS Services® and open-source research. Network administrators can use the IOCs for threat hunting, but they should vet any indicator for organizational impact before using it for blocking purposes.
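As an added example (not part of the CIS report), the Python below refangs indicators in the format the lists use, sorts them into domain, IP and hash sets, and checks constructed DNS, proxy and file-hash records against them. Two details matter in practice: domain matching is done on label boundaries, so a subdomain of a listed domain hits but a look-alike such as notswaceapp.com does not, and hashes are compared case-insensitively because the lists mix upper- and lower-case hex. The telemetry formats are assumptions; the indicator values are copied from the lists that follow.

```python
"""Refang the defanged IOCs from this report and hunt for them in DNS,
proxy and file-hash records. Added example, not part of the CIS report:
the telemetry below is constructed; the indicator values are copied from
the report's lists."""
import ipaddress
import re
from urllib.parse import urlsplit

# A subset of the report's indicators, defanged exactly as printed.
DEFANGED_IOCS = """
bellonasoftware[.]com
benefits[.]melanatedbloodlinesrestoration[.]com
swaceapp[.]com
185[.]76[.]79[.]50
80[.]71[.]158[.]96
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
6FB4945BB73AC3F447FB7AF6BD2937395A067A6E0C0900886095436114A17443
"""


def refang(value: str) -> str:
    """Undo the usual defanging: [.] -> ., [:] -> :, hxxp -> http."""
    v = value.strip().replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)


def parse_iocs(text: str) -> dict:
    """Sort each refanged line into the domain, IP or SHA-256 set."""
    iocs = {"domains": set(), "ips": set(), "sha256": set()}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        v = refang(raw).lower()
        if re.fullmatch(r"[0-9a-f]{64}", v):
            iocs["sha256"].add(v)
            continue
        try:
            ipaddress.ip_address(v)
            iocs["ips"].add(v)
        except ValueError:
            iocs["domains"].add(v.rstrip("."))
    return iocs


def domain_matches(name: str, iocs: dict) -> bool:
    """True for a listed domain or any subdomain of it, on label boundaries,
    so a look-alike such as notswaceapp.com does not match swaceapp.com."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in iocs["domains"] for i in range(len(labels)))


# Constructed sample telemetry (not from any real environment).
DNS_LOG = [
    "2025-01-14T09:12:01Z host=WS-0417 query=cdn.bellonasoftware.com type=A",
    "2025-01-14T09:12:07Z host=WS-0417 query=notswaceapp.com type=A",
    "2025-01-14T09:13:44Z host=WS-0302 query=login.microsoftonline.com type=A",
]
PROXY_LOG = [
    "2025-01-14T09:12:09Z host=WS-0417 dst=185.76.79.50:443 "
    "url=https://cdn.bellonasoftware.com/update.js status=200",
    "2025-01-14T09:15:00Z host=WS-0302 dst=13.107.42.14:443 url=https://www.bing.com/ status=200",
]
FILE_INVENTORY = [  # (host, path, SHA-256 as reported by the endpoint agent)
    ("WS-0417", r"C:\Users\j.doe\Downloads\Update.js",
     "4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945"),
    ("WS-0302", r"C:\Windows\System32\notepad.exe", "0" * 64),
]


def hunt(iocs: dict, dns_log: list, proxy_log: list, file_inventory: list) -> list:
    """Return (source, host, matched value) for every record that hits an IOC."""
    hits = []
    for line in dns_log:
        m = re.search(r"host=(\S+) query=(\S+)", line)
        if m and domain_matches(m.group(2), iocs):
            hits.append(("dns", m.group(1), m.group(2)))
    for line in proxy_log:
        m = re.search(r"host=(\S+) dst=([\d.]+):\d+ url=(\S+)", line)
        if not m:
            continue
        host, dst_ip, url = m.groups()
        if dst_ip in iocs["ips"]:
            hits.append(("proxy-ip", host, dst_ip))
        url_host = urlsplit(url).hostname or ""
        if domain_matches(url_host, iocs):
            hits.append(("proxy-domain", host, url_host))
    for host, path, digest in file_inventory:
        if digest.lower() in iocs["sha256"]:  # hex digests compare case-insensitively
            hits.append(("sha256", host, path))
    return hits


IOCS = parse_iocs(DEFANGED_IOCS)


def run() -> list:
    """Hunt the constructed telemetry against the report's indicators."""
    return hunt(IOCS, DNS_LOG, PROXY_LOG, FILE_INVENTORY)


if __name__ == "__main__":
    for source, host, value in run():
        print(f"{source:13s} {host:8s} {value}")
```

Several of the listed hosts are subdomains of other domains (benefits[.]melanatedbloodlinesrestoration[.]com, for example). Matching on the listed host rather than its parent keeps the scope the report gives, and is one reason the report asks you to vet an indicator before using it to block: a hit is a hunting lead first.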

  1. SocGholish
  2. CoinMiner
  3. Arechclient2
  4. NanoCore
  5. Agent Tesla
  6. Ratenjay
  7. ZPHP
  8. DarkGate
  9. Jupyter
  10. LandUpdate808

1. SocGholish

SocGholish is a downloader written in JavaScript and is distributed through malicious or compromised websites via fake browser update lures. The malware uses multiple methods for traffic redirection and payload delivery, commonly deploys Cobalt Strike, and steals information from the victim’s system. Additionally, SocGholish can lead to further exploitation, such as loading the NetSupport and AsyncRAT remote access tools or, in some cases, ransomware.

Domains

bellonasoftware[.]com
benefits[.]melanatedbloodlinesrestoration[.]com
blacksaltys[.]com
circle[.]innovativecsportal[.]com
law[.]kimsavagelaw[.]com
outfit[.]dianamercer[.]com
premium[.]davidabostic[.]com
riders[.]50kfor50years[.]com
storefixturesandsupplies[.]com
swaceapp[.]com
virtual[.]urban-orthodontics[.]com

IP Addresses

185[.]76[.]79[.]50
185[.]158[.]251[.]240
185[.]196[.]9[.]156

SHA256 Hashes

4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
8f03491247cbfa8a2e60e0f7ec62d63b5070659f60383a1c81abeb2b20221be3

2. CoinMiner

CoinMiner is a cryptocurrency miner family that typically uses Windows Management Instrumentation (WMI) to spread across a network. Additionally, it often uses WMI permanent event subscriptions built on the standard event consumer classes (for example, ActiveScriptEventConsumer) to execute scripts for persistence. However, the malware’s capabilities vary, as there are multiple variants. CoinMiner spreads through malspam or is dropped by other malware.
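As an added example (not part of the CIS report or of any CoinMiner analysis), the Python below shows what a hunt for that persistence looks like once the subscription objects are exported from a host. A permanent subscription is three objects in the root/subscription namespace: an __EventFilter (the WQL trigger), an event consumer (what runs), and a __FilterToConsumerBinding that joins them. The code correlates each binding to its filter and consumer, rates consumers that execute scripts or command lines, and also reports dangling bindings, which a partial cleanup leaves behind. The records are constructed; the object-path string form of the binding's Filter and Consumer properties is the one Get-WmiObject prints and is an assumption of this example.

```python
"""Correlate WMI permanent event subscriptions and flag the ones that run
scripts or commands: the persistence the CoinMiner paragraph describes.
Added example, not part of the CIS report. The records are constructed with
the property names of the root/subscription classes; the binding strings use
the object-path form Get-WmiObject prints, which is an assumption here."""
import re

EXEC_CONSUMERS = {"ActiveScriptEventConsumer", "CommandLineEventConsumer"}
SUSPICIOUS = re.compile(
    r"powershell|-enc\b|downloadstring|\biex\b|invoke-expression|wscript|cscript|"
    r"mshta|regsvr32|rundll32|certutil|bitsadmin|https?://", re.IGNORECASE)
# Triggers malware favours: a few minutes after boot, or on a clock/timer.
BOOT_OR_TIMER = re.compile(
    r"SystemUpTime|Win32_PerfFormattedData_PerfOS_System|Win32_LocalTime|__TimerEvent",
    re.IGNORECASE)
OBJECT_PATH = re.compile(r'^(\w+)\.Name="(.*)"$')


def parse_object_path(path: str) -> tuple:
    """'CommandLineEventConsumer.Name="x"' -> ("CommandLineEventConsumer", "x")."""
    m = OBJECT_PATH.match(path)
    return (m.group(1), m.group(2)) if m else (None, path)


def consumer_payload(consumer: dict) -> str:
    """The script text or command line a consumer would execute."""
    cls = consumer.get("__CLASS")
    if cls == "ActiveScriptEventConsumer":
        return consumer.get("ScriptText") or consumer.get("ScriptFileName") or ""
    if cls == "CommandLineEventConsumer":
        parts = [consumer.get("ExecutablePath"), consumer.get("CommandLineTemplate")]
        return " ".join(p for p in parts if p)
    return ""


def review_subscriptions(filters: list, consumers: list, bindings: list) -> list:
    """Walk every __FilterToConsumerBinding, join it to its objects and rate it."""
    by_filter = {f["Name"]: f for f in filters}
    by_consumer = {(c["__CLASS"], c["Name"]): c for c in consumers}
    findings = []
    for b in bindings:
        _, fname = parse_object_path(b["Filter"])
        ccls, cname = parse_object_path(b["Consumer"])
        flt, con = by_filter.get(fname), by_consumer.get((ccls, cname))
        payload = consumer_payload(con) if con else ""
        reasons = []
        if flt is None or con is None:
            reasons.append("dangling binding: filter or consumer object is missing")
        if ccls in EXEC_CONSUMERS:
            reasons.append(f"{ccls} executes arbitrary content")
        if SUSPICIOUS.search(payload):
            reasons.append("payload contains a suspicious token")
        if flt and BOOT_OR_TIMER.search(flt.get("Query", "")):
            reasons.append("boot-time or timer trigger typical of persistence")
        if ccls in EXEC_CONSUMERS and SUSPICIOUS.search(payload):
            severity = "high"
        elif ccls in EXEC_CONSUMERS or flt is None or con is None:
            severity = "medium"
        else:
            severity = "low"
        findings.append({"filter": fname, "consumer": f"{ccls}.{cname}",
                         "severity": severity, "payload": payload, "reasons": reasons})
    return findings


# Constructed sample export (not from a real host).
SAMPLE_FILTERS = [
    {"Name": "UpdaterFilter", "QueryLanguage": "WQL",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance "
              "ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime "
              ">= 240 AND TargetInstance.SystemUpTime < 325"},
    {"Name": "NightlyBackupFilter", "QueryLanguage": "WQL",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 3600 WHERE TargetInstance "
              "ISA 'Win32_LocalTime' AND TargetInstance.Hour = 2"},
]
SAMPLE_CONSUMERS = [
    {"__CLASS": "ActiveScriptEventConsumer", "Name": "UpdaterConsumer",
     "ScriptingEngine": "JScript",
     "ScriptText": "new ActiveXObject('WScript.Shell').Run('powershell -w hidden -enc JABjAD0A', 0);"},
    {"__CLASS": "CommandLineEventConsumer", "Name": "NightlyBackupConsumer",
     "CommandLineTemplate": r"C:\Program Files\BackupTool\backup.exe --nightly"},
]
SAMPLE_BINDINGS = [
    {"Filter": '__EventFilter.Name="UpdaterFilter"',
     "Consumer": 'ActiveScriptEventConsumer.Name="UpdaterConsumer"'},
    {"Filter": '__EventFilter.Name="NightlyBackupFilter"',
     "Consumer": 'CommandLineEventConsumer.Name="NightlyBackupConsumer"'},
    {"Filter": '__EventFilter.Name="UpdaterFilter"',
     "Consumer": 'CommandLineEventConsumer.Name="Cleanup"'},  # consumer already deleted
]

if __name__ == "__main__":
    for f in review_subscriptions(SAMPLE_FILTERS, SAMPLE_CONSUMERS, SAMPLE_BINDINGS):
        print(f["severity"].upper(), f["filter"], "->", f["consumer"], "; ".join(f["reasons"]))
```

On a live host the three lists come from Get-WmiObject -Namespace root\subscription with -Class __EventFilter, -Class __EventConsumer and -Class __FilterToConsumerBinding. A medium finding on a command-line consumer is often a legitimate product, so check the executable path and its signer before acting; a high finding is removed with Remove-WmiObject after the filter query and payload have been captured for the investigation.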

IP Address

80[.]71[.]158[.]96

SHA256 Hashes

47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca
6FB4945BB73AC3F447FB7AF6BD2937395A067A6E0C0900886095436114A17443
72F1BA6309C98CD52FFC99DD15C45698DFCA2D6CE1EF0BF262433B5DFFF084BE
8A492973B12F84F49C52216D8C29755597F0B92A02311286B1F75EF5C265C30D
a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
a4F20B60A50345DDF3AC71B6E8C5EBCB9D069721B0B0EDC822ED2E7569A0BB40
b6ea1681855ec2f73c643ea2acfcf7ae084a9648f888d4bd1e3e119ec15c3495
f08d47cb3e1e848b5607ac44baedf1754b201b6b90dfc527d6cefab1dd2d2c23

3. Arechclient2

Arechclient2, also known as SectopRAT, is a .NET RAT with numerous capabilities including multiple defense evasion functions. Arechclient2 can profile victim systems, steal information such as browser and crypto-wallet data, and launch a hidden secondary desktop to control browser sessions. Additionally, it has several anti-virtual machine and anti-emulator capabilities.

Domains

be-precision[.]com
bienvenido[.]com
elin[.]co[.]in
key-systems[.]net
promooformosa[.]com
server786[.]ninositsolution[.]com
womansvitamin[.]com

IP Addresses

23[.]227[.]203[.]57
45[.]129[.]86[.]82
45[.]141[.]87[.]16
45[.]141[.]87[.]218

SHA256 Hashes

17BBFCB94482982E9B4282C44DA52313A1E3862ADC5BB48A997A9123B41EBB0B
1EB9C449A55F015945DCE8848379D29DC55BA3C258972372B8316AB143D8F160
31BB59E8E526D3F2EAD73E4D240B20F5618699FADEDADF50F6218E2C205DEDBE
515EA949BBE6068CD5E642A1C03A0D4BFDBDAC811E9D50FA4435DAADF103D578
7F386E57807F0C2D48B0B33F35E6BAF50BA5EE8B000BBD7B4BDD454CEDC9AE81
DACCDD9EFD13F37083E98CDC9974BB55BB39CBA782A40C10B629B9AB3A25EC4A
F702CE107528B41BD2D6F725779F898D63A2DD1139CD5AE6DA85D2EB6B51CA8E

4. NanoCore

NanoCore is a RAT sold on criminal forums and is usually spread via malspam with an attachment, such as a malicious Excel (XLS or XLSX) spreadsheet. NanoCore has a wide range of capabilities including keylogging, screen capturing, password stealing, data exfiltration, downloading and executing additional files, and adding registry keys for persistence.

Domains

hadleyshope[.]3utilities[.]com
louinc928[.]gotdns[.]ch

IP Addresses

193[.]161[.]193[.]99
74[.]77[.]124[.]104

SHA256 Hashes

5. Agent Tesla

Agent Tesla is a RAT that targets Windows operating systems and is available for purchase on criminal forums. It has various capabilities depending on the version purchased, including capturing keystrokes and screenshots, harvesting saved credentials from web browsers, copying clipboard data, exfiltrating victim files, and loading other malware onto the host.

Domains

equalizerrr[.]duckdns[.]org
ftp[.]fosna[.]net
Ilang[.]in
topendpower[.]top

SHA256 Hashes

00179fa97b55a6f67a4e7be7041f3d38b0a794051ce47750ea2f988f61c3dcff
0cd0926bd998e8e1c8dc74c2edd3f48a73d7d30a7c5794790d104c1149c02e2e
208AF8E2754A3E55A64796B29EF3A625D89A357C59C43D0FF4D2D30E20092D74
3ac7c6799414c1fe18dc8e355833651a85e73b443df78f6870293a2266483093
47f8dd63f16253fbcdf2a1e912c3eb87c7b58d468592a410fb3132ae3899790b
7230CC614270DCA79415B0CF53A666A219BEB4BEED90C85A1AC09F082AEA613B
8406A1D7A33B3549DD44F551E5A68392F85B5EF9CF8F9F3DB68BD7E02D1EABA7
8e49a4e7b1929aa22ebb4a2abf0302b4b429b2536c675b02f8e0b871b7f06952
95e526a19a39942ee7073e28adddb685bb5bb41f889858c91bea644c657acb36
A1475A0042FE86E50531BB8B8182F9E27A3A61F204700F42FD26406C3BDEC862

6. Ratenjay

Ratenjay is a RAT dropped by other malware or downloaded as a file onto a victim’s system. It executes commands remotely and includes keylogging capabilities.

Domains

doddyfire[.]linkpc[.]net

IP Addresses

94[.]158[.]247[.]101
167[.]235[.]141[.]81

SHA256 Hashes

0b7f183b40b372a2779f558291fc51b1f9a3ce2862d1a72ba0a307cc2d55a356
07eaa040d73e39f53851533c8c09d92cd3228d099236e3995b19b4c8a1c15ada
2c14e87e4a8176546f3b989c8b8e88f520f13db9982472638de6fc74a5a254aa
5f1d94e632a9abaffe774c5813f1164620b61cb0b1f82efb1af8d7d29a774426
6431b4286483d7321ba205a441d72b85a7ae2c3711df252826d270b766521935
8869d81691cdc2a3847bc8964e58822a56e2e6a9225beb65a8182976dab70db9
ecb76b84a0e4c8423c1daf5b4a346f1dda22d656378e7217505da1f79a01c19a

7. ZPHP

ZPHP is a downloader written in JavaScript and is distributed through malicious or compromised websites via fake browser updates. ZPHP is also known to drop the NetSupport remote access tool and the malware Lumma Stealer.

Domains

bentia[.]info
ggoryo[.]com
luxurycaborental[.]com
megasena777[.]top
nanoderecho[.]com
novidadesfresquinhas[.]online
opravy[.]biz
prajapatisamaj[.]info
space-cadet[.]info
swaceapp[.]com
wanconyan[.]co

8. DarkGate

DarkGate is a downloader typically sold on Russian-language cybercriminal dark web forums. DarkGate can steal financial information, exfiltrate personally identifiable information (PII), and drop additional malware. It abuses the legitimate AutoIt interpreter to run AutoIt scripts, and it can download and execute files directly in memory. It also comes with a Hidden Virtual Network Computing (HVNC) module and keylogging capabilities.

Domains

adfhjadfbjadbfjkhad44jka[.]com
diveupdown[.]com
nextroundst[.]com

IP Addresses

179[.]60[.]149[.]194

SHA256 Hashes

2a8a49d9c25d786a5108a53d0b3281677b299540f54580a7b49aa8de78ec0ee1
2E34908F60502EAD6AD08AF1554C305B88741D09E36B2C24D85FD9BAC4A11D2F
3b7a634458e8195a13a4c1610bb25d78a77f2b904b38835fca391d38509dd530
4f30d975121d44705a79c4f5c8aeba80d8c97c8ef10c86fee011b99f12b173b4
51AB25A9A403547EC6AC5C095D904D6BC91856557049B5739457367D17E831A7
5e9fbae0b94f6e36717bbd2c997981ba438d7efd800e76924f73452a69c04051
738393c9e46150b246a0db906a22d77ba93812840919bf8b4913ef528df95e35
897B0D0E64CF87AC7086241C86F757F3C94D6826F949A1F0FEC9C40892C0CECB
96E22FA78D6F5124722FE20850C63E9D1C1F38C658146715B4FB071112C7DB13
9b2be97c2950391d9c16497d4362e0feb5e88bfe4994f6d31b4fda7769b1c780
EF28A572CDA7319047FBC918D60F71C124A038CD18A02000C7AB413677C5C161

9. Jupyter

Jupyter, also known as SolarMarker, is a highly evasive and adaptive .NET infostealer. For initial access, the cyber threat actors create watering hole websites that deceive unsuspecting users into downloading a malicious document, often a ZIP or PDF file with an embedded malicious executable. Jupyter operators additionally use SEO poisoning to artificially raise the malicious websites' rankings on search engine results pages.
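As an added example (not from the CIS report), the Python below does the check a download or mail gateway would apply to such an archive before a user opens it: it opens a ZIP built in memory from constructed content and flags members by executable extension, by a document-looking double extension, and by content that starts with a PE header whatever the name claims. The file names and bytes are constructed and are not a real Jupyter sample.

```python
"""Inspect a ZIP archive for an embedded executable before it reaches a
user: the lure the Jupyter paragraph describes (an archive carrying an
.exe). Added example, not part of the CIS report; the archive is built in
memory from constructed content and is not a real sample."""
import io
import zipfile
from pathlib import PurePosixPath

EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".msi", ".msix", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".lnk", ".bat", ".cmd", ".ps1"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
MAGIC = {b"MZ": "PE executable", b"%PDF": "PDF", b"PK\x03\x04": "ZIP/OOXML"}


def sniff(head: bytes):
    """Identify content by its leading bytes rather than by its name."""
    for magic, label in MAGIC.items():
        if head.startswith(magic):
            return label
    return None


def inspect_zip(data: bytes) -> list:
    """Return one finding per member that looks like an executable lure."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            ext = suffixes[-1] if suffixes else ""
            with zf.open(info) as fh:
                kind = sniff(fh.read(8))  # only the header is needed to sniff
            reasons = []
            if ext in EXEC_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
            if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTENSIONS and ext in EXEC_EXTENSIONS:
                reasons.append("document-looking double extension")
            if kind == "PE executable" and ext not in {".exe", ".dll", ".scr"}:
                reasons.append(f"PE header behind extension {ext or '(none)'}")
            if ext == ".pdf" and kind != "PDF":
                reasons.append("named .pdf but content is not a PDF")
            if reasons:
                findings.append({"member": info.filename, "size": info.file_size,
                                 "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed lure: a double-extension executable, a PE disguised as a PDF,
    and a benign note. Not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_Q4_2024.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("Statement.pdf", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("README.txt", b"Please see the attached invoice.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_zip(build_sample_archive()):
        print(f["member"], f["size"], "; ".join(f["reasons"]))
```

The magic-byte check is the one that matters: Windows Explorer hides known extensions by default, so Invoice_Q4_2024.pdf.exe is shown as Invoice_Q4_2024.pdf, and a name alone proves nothing. The PDF form of the lure (an executable stored as an embedded file inside a PDF), password-protected ZIPs and nested archives are out of scope for this check and need a PDF parser or recursive extraction respectively.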

IP Addresses

37[.]221[.]114[.]23
86[.]106[.]20[.]155
146[.]70[.]101[.]97

SHA256 Hashes

075564c99ceb389d65faf3342d13d8bb39bbbd0d6966d3a345a8c3062f0a0d1b
1e7914f799371cbc8560bc52203d3531bb20cb4f6092158c76a4842dbf85dabc
6301bea8c6f7ff1d640f5043c208cb10c6ddec254271a82d8fedcfdc816ae7e4
8aaf2a9920c23cbccf4ee9686679ad605ed3943685e80855192cdaf27913d9b7
d9570a6cec653ed9fe8e6175e495aa1c25ce7703c7f6d3d04fbcc53484406bd6
E0B2457491A8C2D50710AA343AD1957A76F83CEAF680165FFA0E287FE18ABBD6
E349ADE11956F85CA535FDBB8F3266FCAB8680782AE756304BF54D75BE265CD7
f69b84249f6703cb1e99a0a39974a9d6fb543b40a9ff44f7d5da9a2bdbbd9eb3

10. LandUpdate808

LandUpdate808 is a downloader written in JavaScript and distributed through malicious or compromised websites via fake browser update lures. In recently reported campaigns, once a victim clicks the fake browser update, a malicious MSIX file and two 7-Zip archives download to the victim’s system. When executed, LandUpdate808 installs additional tools, such as the NetSupport remote access tool.

Domains

ambiwa[.]com
chewels[.]com
codereviewerss[.]com
edveha[.]com
elizgallery[.]com
esaleerugs[.]com
e2sky[.]com
gcafin[.]com
ilsotto[.]com
nyciot[.]com
safigdata[.]com
tayakay[.]com

Stay Informed about Cyber Threats

The quarterly Top 10 Malware list is just one of the ways the CIS CTI team helps U.S. State, Local, Tribal, and Territorial (SLTT) government entities along with other organizations strengthen their cybersecurity posture. The CIS CTI team also supports ThreatWA™ to help organizations understand what's new in the multidimensional threat landscape — regardless of their sector.

Want to better understand and defend against cyber threats confronting your organization?

About the Author

The CIS Cyber Threat Intelligence (CTI) team at the Multi-State and Elections Infrastructure Information Sharing and Analysis Centers (MS-ISAC® and EI-ISAC®) functions as the premier CTI source for all U.S. State, Local, Tribal, and Territorial (SLTT) entities and election offices. With decades of combined experience in all types of industries, the CTI team pushes out curated SLTT-centric threat intelligence reporting as well as malicious indicators via near real-time threat feeds. This information helps SLTTs anticipate and proactively defend against emerging cyber threats and shifts in adversarial tactics, techniques, and procedures. Additional information: team tradecraft and indicator feeds.

Supported via cooperative agreement No. 23CISMSI00003-01-01 - 09/29/2025 awarded through the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security (U.S. DHS). The analysis, findings, and conclusions or recommendations expressed in this document are those of the MS-ISAC and EI-ISAC.