Executive Summary
In this report, PolySwarm analysts chose fifteen standout malware families for the 2024 Malware Hall of Fame. A small selection of IOCs of our most recent samples of each family are provided as well.
Key Takeaways
- The 2024 Malware Hall of Fame includes a variety of malware, from ransomware, to bootkits, to botnets, that made a significant impact on the cybersecurity threat landscape in 2024.
- Malware families were chosen based on multiple factors, including how prolific the malware is, how successful the criminals behind the malware are, and any factors of interest that set these malware families apart from the others.
- A small selection of our most recent samples of each family are provided.
2024 Malware Hall of Fame
PolySwarm analysts chose the following malware for the 2024 Malware Hall of Fame based on multiple factors. In choosing the top malware of the year to feature in this report, PolySwarm analysts surveyed both our dataset and the broader threat landscape, focusing on malware families with a high volume of activity, families with high-profile targets, and families that use innovative methods.
LockBit
LockBit remains a dominant force in the ransomware landscape, employing advanced encryption algorithms and double-extortion techniques to coerce victims into payment. As a Ransomware-as-a-Service (RaaS) operation, it recruits affiliates who target various industries, from healthcare to logistics. LockBit’s versatility stems from its ability to evade detection through obfuscation and frequent updates. The malware often propagates through phishing emails and exploits in unpatched systems, ensuring maximum penetration.
Its operators provide support portals for victims, creating a paradoxically professional approach to extortion. The group also aggressively leaks data on their dedicated leak sites to pressure non-compliant victims. LockBit’s modular design enables customization for specific environments, making it a formidable threat. Industry reporting indicates the US recently charged a dual Russian-Israeli national, Rostislav Panev, as the developer of LockBit. However, PolySwarm analysts assess that the group’s resilience over time points to it continuing to be a formidable threat for the foreseeable future.
Black Basta
Black Basta has emerged as a major ransomware family, known for its highly targeted attacks on critical infrastructure and sensitive industries. Using a combination of encryption and data exfiltration, the group maximizes leverage over its victims. Its modus operandi often involves exploiting vulnerabilities in remote access systems or leveraging compromised credentials obtained through phishing campaigns. Black Basta is also known for deploying custom-built malware loaders that evade endpoint detection systems.
The ransomware features multi-threaded encryption, ensuring rapid encryption of large datasets. Victims often face threats of data publication on the group’s leak sites, a tactic that has escalated compliance rates. Additionally, Black Basta’s advanced persistence techniques allow it to remain undetected for extended periods. In recent months, Black Basta has begun using tactics that are reminiscent of nation state threat actor tactics and has shifted from opportunistic targeting to more refined, strategic targeting. PolySwarm analysts consider Black Basta to be both an evolving and emerging threat.
ALPHV
ALPHV, commonly referred to as BlackCat, is one of the most sophisticated ransomware strains currently in operation. ALPHV targets a diverse range of sectors, including healthcare, retail, and energy, often exploiting vulnerabilities in VPNs and unpatched servers. The ransomware’s operators are adept at lateral movement, using tools like Cobalt Strike to establish persistence in compromised networks.
ALPHV employs a multi-layered extortion model: encrypting files, stealing sensitive data, and threatening public leaks. Its operators frequently customize payloads for specific environments, ensuring higher success rates. The group’s active blog, used to name and shame victims, has become a hallmark of its intimidation tactics. PolySwarm analysts expect the threat actors involved with ALPHV to continue ransomware activity, whether under the ALPHV name or a rebrand, for the coming year.
RansomHub
RansomHub is a newcomer in the ransomware arena, known for its coordinated attacks on high-value targets in retail and manufacturing. It is also one of the most active ransomware families of 2024. The group relies on a blend of phishing campaigns and zero-day exploits to gain initial access. Once inside, RansomHub employs highly efficient encryption algorithms that lock critical systems within hours. Its operators prioritize exfiltration of intellectual property and financial data, often using FTP servers to siphon data.
Unlike traditional ransomware groups, RansomHub has shown a preference for targeting cloud-based systems, leveraging misconfigured storage buckets. The group’s leak site is frequently updated with stolen data, escalating pressure on victims to comply with ransom demands. Security researchers have noted the use of custom-built tools that evade traditional malware detection systems. PolySwarm analysts consider RansomHub to be a formidable emerging threat.
Play
Play ransomware has gained notoriety for its disruptive tactics, which include encrypting systems and disabling recovery mechanisms. The group primarily exploits known vulnerabilities in enterprise software, such as Microsoft Exchange servers. Play uses proprietary encryption methods that make decryption without the key nearly impossible. The malware’s attack lifecycle is rapid, often completing encryption within minutes of execution.
Additionally, Play leverages PowerShell scripts to automate data exfiltration and encryption processes. Victims frequently face double extortion, with data leaks adding pressure to already severe operational disruptions. Industry researchers have observed that Play’s operators conduct thorough reconnaissance before launching attacks, ensuring high success rates. Industry researchers saw a high volume of Play ransomware activity in 2024, and PolySwarm analysts expect Play to continue to be a significant threat in 2025.
Akira
Akira is a rising threat in the ransomware ecosystem, known for its ability to exploit vulnerabilities in remote access tools such as VPNs and RDP. Its operators combine traditional encryption with advanced data exfiltration techniques to maximize impact. Akira’s payloads are designed to evade signature-based detection mechanisms, relying on polymorphic code that changes with each deployment. The ransomware’s encryption process is resource-intensive, effectively locking systems while extracting valuable information.
Victims are provided detailed instructions for payment, often in Monero, to obscure transaction trails. Akira’s focus on exploiting enterprise-level vulnerabilities has made it a significant threat to industries reliant on remote work infrastructure. PolySwarm analysts have observed a surge in Akira activity in recent months and expect Akira to continue its momentum into early 2025.
NGate
NGate is an Android malware that steals NFC data to clone contactless payment cards. NGate is the first malware capable of performing this NFC relay technique on non-rooted devices. NGate, which was first observed in March 2024, appears to be part of a larger campaign that has been targeting Czech banks since late 2023. The threat actors use social engineering and smishing to deliver NGate.
NGate allows threat actors to make unauthorized ATM withdrawals from a victim’s account. This is done by relaying near field communication (NFC) data from a victim’s physical payment card via their Android device. The NFC relay method is based on a tool called NFCGate, which was created by students at Technical University of Darmstadt, Germany, to capture, analyze, and alter NFC traffic. PolySwarm analysts consider NGate to be an innovative and emerging threat.
Ebury
The Ebury botnet is a sophisticated strain targeting Linux servers, often using SSH backdoors to establish persistence. It exploits weak or stolen credentials to take control of systems, leveraging these servers for phishing, spam campaigns, or cryptocurrency mining. Ebury’s operators use its scalable design to quickly infect thousands of servers, turning them into botnet nodes. Its focus on Linux environments poses a significant threat to enterprises relying on open-source platforms. Although Ebury has been active since at least 2009, it has continued to evolve. PolySwarm analysts consider Ebury to be a resilient and evolving threat.
SocGholish
SocGholish is a sophisticated social engineering toolkit used to deliver malware through fake software updates. This malware typically targets high-traffic websites, embedding malicious scripts that redirect visitors to download pages disguised as legitimate updates. Once executed, SocGholish can deploy a variety of payloads, including ransomware and banking trojans. Its effectiveness lies in leveraging users’ trust in updates for common software like browsers and utilities.
Organizations targeted by SocGholish often report significant operational disruptions as the malware compromises critical systems. In December 2024, industry researchers reported a malicious campaign targeting Kaiser Permanente employees, using Google Search Ads, was being used to distribute SocGholish. While SocGholish has been active since at least 2018, PolySwarm analysts still consider it to be a capable threat.
AsyncRAT
AsyncRAT is a remote access trojan designed for data theft and surveillance. It provides attackers with the ability to control infected systems, capture keystrokes, monitor webcams, and exfiltrate sensitive information. AsyncRAT often spreads through phishing emails with malicious attachments or links. Its modular design allows attackers to customize its capabilities for specific operations, making it a versatile tool for cyber espionage. The trojan’s use of encrypted C2 communications enables it to evade detection. PolySwarm analysts have continued to observe significant AsyncRAT activity in 2024.
Gh0stRAT
Gh0stRAT is a versatile remote access trojan widely used in cyber espionage campaigns. It enables attackers to remotely control infected systems, log keystrokes, and steal sensitive data. The malware is particularly effective in bypassing firewalls and antivirus solutions due to its encrypted communications and stealth capabilities. Gh0stRAT is often deployed via phishing campaigns or malicious downloads and is frequently used alongside other malware strains to enhance its impact. In 2024, industry researchers observed multiple new distribution methods for Gh0stRAT. PolySwarm analysts consider Gh0stRAT to be a persistent and evolving threat.
AveMariaRAT
AveMariaRAT, also known as Warzone RAT, is a remote access trojan known for its credential-stealing capabilities. It uses keylogging, clipboard monitoring, and screen capturing to collect sensitive information from infected systems. This malware is often distributed through phishing emails containing malicious attachments or links. AveMariaRAT’s operators target industries with valuable data, such as finance and software development.
Its stealthy operations and focus on credential theft make it a persistent threat to enterprises. Although the US Department of Justice attempted to dismantle AveMariaRAT/Warzone RAT infrastructure in February 2024, new samples of the malware emerged the following month. AveMariaRAT continues to be a formidable threat. PolySwarm analysts consider AveMariaRAT to be persistent and resilient.
BootKitty
BootKitty is a firmware-level malware specializing in persistent infections. It targets the UEFI/BIOS firmware of devices, allowing it to remain undetected and resist reinstallation of operating systems. Once embedded, BootKitty can disable security mechanisms, deploy additional payloads, and exfiltrate sensitive information. This malware is particularly dangerous due to its ability to compromise critical infrastructure and endpoint devices.
Although BootKitty is part of a student project created by cybersecurity students participating in Korea's Best of the Best (BoB) training program, it is the first UEFI bootkit for Linux. PolySwarm analysts chose BootKitty for the 2024 Malware Hall of Fame due to its innovation and the potential that threat actors will attempt to repurpose leaked samples of BootKitty for nefarious activity.
Cobalt Strike
Cobalt Strike is a legitimate penetration testing tool often misused by attackers for lateral movement and command-and-control activities. Its Beacon payload allows attackers to execute commands, deploy malware, and exfiltrate data. Cobalt Strike’s flexibility and effectiveness make it a popular choice among threat actors. The tool is frequently used in combination with phishing campaigns to establish a foothold in targeted networks. PolySwarm has observed more widespread use of Cobalt Strike in 2024, with threat actors ranging from nation state groups to ransomware gangs leveraging Cobalt Strike.
Sliver
Sliver is an open-source adversary simulation framework increasingly used by attackers for stealthy operations. It provides a range of tools for lateral movement, privilege escalation, and encrypted C2 communications. Sliver’s lightweight design and modular functionality make it a versatile tool for both ethical hackers and malicious actors. Attackers often use Sliver to bypass traditional security solutions and maintain persistence in compromised networks. Sliver is among the favorite tools of multiple ransomware gangs. PolySwarm analysts expect threat actors to continue to use Sliver due to its versatility and evasion capabilities.
Tracking Malware Activity With PolySwarm
PolySwarm tracked each of these malware families in 2024. A selection of IOCs of our most recent samples of each family are provided below.
LockBit
dc498e513d71c81a2d5bcd0f39c44d474457342b8a6de203e85d6b8350d8a247
563cd800e80253a7051ea8a1bd690d123cf7820c355addeeaaabaa227984d9cb
0c516038b8f216fb87ebc0d4335fff4013c9b2a80c682069071ec9ae9e2005e9
2f5051217414f6e465f4c9ad0f59c3920efe8ff11ba8e778919bac8bd53d915c
d9e7a01521d956c5ef3e07153209be63da738eee98902050c06424292d7b1387
6adb8f7da4d7ff92c40f0f8231c7469865b170b440be5f2789724a2abe005b30
82d89a75d80e80e4be42c9eb79e401558c9fa3175648cd0c0467f2de1a07a908
2600f61f3f7a553cb7c5ac6d2997d6359bf6b276a1ecead8aa30f1a2c35cffe3
20dd91f589ea77b84c8ed0f67bce837d1f4d7688e56754e709d467db0bea03c9
33376f74c2f071ff30bab1c2d19d9361d16ebaa3dee73d3b595f6d789c15f620
69487c2f91495cfda293735fc01ac8d516b48359171e3b53581ccf3145bfb527
a33f21d28bd83a9501257ee727c46486989bdfea6d5cb9f1c12c9a67296b21b1
36f48ef3776c01d63a2fd594d52dfb7402ea634162fd079b0d942367a2fbed56
a98fb2671ae63d179c1cf39d163a4b3dbf769c9951a0ebad5d4c76244752253e
635e9ca3baae7e32225f05d16159e339a297a4c1b749e5a8e81ffc8df3c5c37c
48e2033a286775c3419bea8702a717de0b2aaf1e737ef0e6b3bf31ef6ae00eb5
3552dda80bd6875c1ed1273ca7562c9ace3de2f757266dae70f60bf204089a4a
42cdd8756d31e393e6a0d447dc36a6439f1683ab5be45fc08d90f826a5c1390c
4ed9a3c562403b426b69e90ea13be18773cf1ff4096cbf348c9ea5efd7847bd4
0ece70778b965cbc3de7c9a896361bc85861aa832675d7ae07b976bd52f9cc8a
BlackBasta
8718cd7ef174374534072d7eb063dc49eb71b15bbec96f9fa5031580660724d1
2cdd696efbcdf5a78d80e72222d6630a2c11585bd9864694648c4071752864b0
77799dbc33b417002eeb54b4cf2ed06b3d2f77e2a9ae213642e1a585d9c4afa2
96baed262fd126604299b719bb1c5f44376149693c9d5c66f663b2ea693854cc
80c6b04296ea1c89e4a58d67403dbe72f98691efb0013443c681225dd32b80ed
5549e8943fcb60643dc032765675bc486cb7f2f2603d8399ae3946df08b0be84
ff244b6459bdc8bb0b5680b6443b23632e7c49b308bca77e31ba122dd9ce982f
3be9db35eb038894f2ef0997c593dd6f63264fb907636d14043806caad7def3f
f68651251cec51e35d1eb7577c022faf9f41ad33a2ff52931cc8bd8a505e8040
ad04b4b8eb9fe76ba316335769d5de3d3c221dec5c5506c984a5ba77c2492c0a
6cd92db9ebc8a8a879d86002971b93562928eca738a2fe14228479cb6cc1fe33
bebd409c8fae76c16040bcd69eed914520d3660ab2da057955e0fe6bef65bda1
cc50bcbf6d462e1d8d61c318a4e39eba0950520921bfd770c6cd780d81daa146
764b1117262d33f0a69b4f4c72fad607b7c71c262f60b9b2b35a21e7f4967786
cf7fa7f54b06b09b750b8c50e4f8893e25ceaccfa9be8225f3279dc4e4ce0f4d
d0dae881ca7f6258125eb40fa835a6e74634e0051443325261ae0a653a1ac054
559ebc7ea5aabca20ff56505ea78ae62aaf0c68d88f6f8115ce28737fe100dcc
c2440f832feae642a3644d57bb86ad8cde08f25041ddefc47cac20d17e248246
259fcdc4c80370ec7e3cdc17aba3a6fb016edae16b32bb7e9a2ce477110e1f9d
b1f402d6c6bbba82028804cbc3884ed7042f4a00fe450c84cf53abacf4eaa27e
ALPHV
e7060538ee4b48b0b975c8928c617f218703dab7aa7814ce97481596f2a78556
9802a1e8fb425ac3a7c0a7fca5a17cfcb7f3f5f0962deb29e3982f0bece95e26
f7a038f9b91c40e9d67f4168997d7d8c12c2d27cd9e36c413dd021796a24e083
3a08e3bfec2db5dbece359ac9662e65361a8625a0122e68b56cd5ef3aedf8ce1
f8c08d00ff6e8c6adb1a93cd133b19302d0b651afd73ccb54e3b6ac6c60d99c6
5121f08cf8614a65d7a86c2f462c0694c132e2877a7f54ab7fcefd7ee5235a42
RansomHub
be3561689979044aaafb611e82af64a9571b9af3e8afd7c710178cf611d11a2f
c015c19dace973c46fd4be1785c1da85b48fe0313eb6f4e281904547030a405d
8ca7c7fbb0df8d6ac0faae2b5ad9bbec6191e1c1341b7e6c6323bf8f9a31b56f
38b715deab25c427e2c8caf8328a764676125bd7dd0f191673aff268e1444c91
20e34e1c458f6f8c0867bf5e03143efceb650e9910078ba22b23f11ec69f3682
d5b4ea6eb2889188bbd126be403de92c5d5e9d95aa235aaf48ffc91cb85bee5a
595cd80f8c84bc443eff619add01b86b8839097621cdd148f30e7e2214f2c8cb
ea9f0bd64a3ef44fe80ce1a25c387b562a6b87c4d202f24953c3d9204386cf00
37a06db5680eed64e07c4e14a0ef4d6b59273140f6a07be68fcc8c54de5f0a81
fae5d5c526bc45fb4f2763c3bb8741ebe6bee53509b52bf0e3d6ea44035dd0fa
6e0e44ded3c3b3d81560bc31cf8316e6894907929a430f4b9b9fd5420d783f81
e6c31a2ca538fb40280a117fe1e846f59e0f46c813dc5eed03c8ea611b68eaa8
74fc8bd52429e23c863d9b407314e56eb88936f4028aab7564dea3cbf64c9aa7
f6c47853c53254342416263ea39715e44374be7627697f41788ab789a307f77e
a0b3beae5a411b930ea3782fb708681ab2ad8d4806794ab594cbfe306a123e52
cfb787837a5563f91cfdaad054afd0b01524acb5208ebaf804c50e5b7e565741
566eedf17731c27f46f26d72cba54ae33641829d730aa63fa264ea2e1fb65d49
2b80b663eb0d415e8dbe48f9436bc0d1f592b760fe28f34fe05aad4203e8f076
ae35a3ee27cb81230a3f546253641bece5f4f6b72490e26fd3d019fbcb4b8ec1
7d81077de9916d402b9bbf027750a6592866b3f92b29f9193d44d49ac408204b
Play
7a55c8391fda90a5d4653fdebe2d685edb662859937e14b6756f45e29b76901d
3f943430b49481aca6f57051ed0ced1a08038373f063afdd2423d8d72b19b545
457755e50ad46b737fb7efa7d5404e54006e2b840c388177ecfc98dc68e33bdf
47c7cee3d76106279c4c28ad1de3c833c1ba0a2ec56b0150586c7e8480ccae57
453257c3494addafb39cb6815862403e827947a1e7737eb8168cd10522465deb
952fec5f9e7137951700d7e4239728f903e360b3fdb0332deb9448bdc31c2f3f
dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a
006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55
Akira
74fbb7885ee486028fe2723f95911474b771f361b2b40ddb77c46f252059c696
8a7ec6d72225e92a4ad3796f3198d1c6b4bd42ca79892c6c7d46732a1bef98a0
a5806174261004a0b8b5c0be808a77e5f25b867a4c522813035c2b0dc05d90a2
3720cafdd914d70d5fccf8d61593a66b5bdc400432e687c92e66eb3b5e8a9d9e
1ba1ccfacffbb6be9480380f5535a30d3eee1dd7787f3c649ebf8ea2a6a5de51
120715377727531a56f32225e196b1536618d224662fa0b3ba6c52dba80f3b29
a6d68214bf78c925b6fe6ab277589bc28c338e7253625925a674f380f3a52102
d07b379369e9faea0fed406b9b37652b2fc6453044ab17c1e2189cf61640ab90
e10cae894e8873c72ae9e5f3590e2f78f6cc2dcfe01e1a5039c8b6532bfab5f8
f11b60b273e2606e91832edbb014ad229563f5c537ddab11dba80018c11364dd
2d931f6867e7049b450c8ab36e1f8e6a51f0ee95fc2253d0759e3e3b118fe1d1
43b0ac119ff957bb209d86ec206ea1ec3c51dd87bebf7b4a649c7e6c7f3756e7
bef005edc108ab6b52ce241797313071e2c9a319d9ce245cb6c0f82b919bd7e9
a76c13e78706ca700d1dd063ef69acf4ae6e60d8b2b7f72fa9f17851d9dfce6a
aaa7799edfd86b52438a9e0d71f8069cbcbe1988036b95888fcdc553e729b7b9
8a70fbc674040511f7fc4313dfc01e0989c05968073c540fb04b9007940da878
ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5
78d75669390e4177597faf9271ce3ad3a16a3652e145913dbfa9a5951972fcb0
88da2b1cee373d5f11949c1ade22af0badf16591a871978a9e02f70480e547b2
a546ef13e8a71a8b5f0803075382eb0311d0d8dbae3f08bac0b2f4250af8add0
NGate
17a16f08108e25af1c8b058adbaca2cada6a93c2d38c9854148f9e9caac76ac3
ddd9e5cfa9e1ddd8d849baef2b487a1608d1695f44c70f246c101de1275887dd
95d906dca5a3be5cf066268662b3c953860e54e9cdcfcd427faf0aaa9cb62bad
162f8c6bafe0c343c37f173344c4f6880eaec0aea7b491565db874366b161784
e19a7c8e4994ea4ed680136c9e3a6fff7b82c72f5743952821a446b6cb830f06
1d126e5904dde3b46175a4aae89eec1fb8a6b80e35b1f473878e5dd288f8aae6
Ebury
9170f9219c263249c4c904e6b49a7c38fbcc33de80db93f96c5b100f6597e52d
eac13a3796c8b1ed28cca4fcd038455f20105425ce5a73176b086035cd9f63c7
3bd71c1165d825834c701b48ecfde2de1efd68481dbfbf5e6c76377390356f23
ba3e1bef2113bd14e44892c70ab891865425217ccc01728f01a12587bc6c002e
a4699a23b599665ada84307a5455bd97b50fc8fee01e84fdc3caddd5514eb3db
2c43ae80346b93cc2d11e1815629277631cc208b9bf91c5737333b76a51142c0
c7763d08c23f4dcb448264c3680d353525d08b5f0f6192fa8586e2df358c1209
428531410a0c2c4c37516caa192d81c5a8a16e7e8060deea5f2bb3086c209bfe
fdf801418d9995648fab9770cd50f005793d1ef6c48231506c793abe80533901
87a97608470b333b9c7cb924f41b3485d7fe21d7485ffaacd78b922dd563da16
861081d93fea6a477bb14a382fc6f4bdf4303a7c696b5a5c65a3d6b5e2355941
4ca8c859ff2a7feff4af1829ee9f69924a3546f8a0b66a6da3f56e964aaffb92
fc7a230393ce24b93aa1fccc523efc5954a3a4490e365c703e4096264591a909
b4326439c139fcd306e7e99b60c041609f853adc97301b4406227f1d46bc5b1e
430233d674d02b998dd8d9de6208bccf8a5c320609c7bb0d2cae8c361a5927ee
e83aa9e3173df16713b55b78f27c746478670359ccdc838f55e04452e32a31dd
c1d4794f2047aabf8e3e4650a0701b0b7df5bf1eea3577bdd02b6ff26dc22209
4a8b00976c6e7fe3a9a511f969c1afb742506db35544512347132a6a2f8e3f08
2343255b3e2c6380454bf56fecb3e1368261b15b08f59f9b7eb37bc8acaae01a
cb2f1a7ef1733faed91961ab63174e22e6fabfe658d631b5d5e3f7573418bfd5
AsyncRAT
b10e44ddfe6caff1127a964d4a5b9ebdbf9e92a24c2a2957e044dd45b14e8967
f925ae7e0a5c833cc9896aaedd6b14d711c9ab6a96e45e1e172ba4e2fc3a19b3
f625550b7acd9ac5bf93e6e0ae464783427c24a53cd5260f32bf1fdf3c11f36c
a7e90675c484bd34509a576983e8aa565a7d01e9e1f50b3c8e53b82f8e3c1fb8
74fdfbaadd19c08b46166f6be0241ae82c8432de8dd5e1e20c07cb624d4b2ec7
e125f943951cd1eb292dc1cb94868176d9a6423abae0155509b5cbacd500f1cb
0e94f0ea1581540d383a7d87b54d37c1157ad38398bbe87d670214e56caf775f
7d09a8b7b5a6152961c04de034fe72a97b7fcf4eef3938de998a5aca9f0fea6e
8d1e51edf3e6fee05244b444e0dab7782bcdae0a5ff6c77e110decbd75f5e89a
17f129df89da4ddb3fca84edca9d2db61decec317e4292a45fcf6aa5081d3fec
595d038f8e55148ac04518cf15cc34fc9494e622fc6ef27258e30c16fffa95a8
90b6f3aab3bb5bba8e7bb2249ccacba295445d092bd4c4713640d1b94b68b2b2
ba8ac250bdc6e0bd364bd98fd4404bdc32517eacdad84977133e87aac46af90e
cc6e66c0672e82d334213a6a8d8b7e7246d658b9aa5454342de8c5ac43ac7f1a
f383a6ec81b2cc2c6f76d35d63c6d63e927e52d4b35e7fe4e1974eda71fe3331
219b31b9527c6ee529021a15017c007a54f94ea52d1f8bba9b983e9546491201
024d8e245ab9a224d8ce61ae1e9f245c7d728c9f71aa6f929b85c4399c10eb0f
dcc0fbe7ca771b2b838ffc443b6f5b2716cc7574f67c6abd0af2b0de5d3120c5
6f3aaa6762ce47e24d3ff0240a428a13cebbdcd10f14a1a175aac22691c62ce4
9f5f83f51a404af7149ce4852aa234b08cdac89846d24e0f95ef14b1836f2c29
Gh0stRAT
aaf88339c23080ffd423da3b03a229d220b55c5e007c1f413fbd3633c48aad44
7f2b01e4a8eb8f0f1e7710f51dcad9963d1d4fd5be7a89b9115cb0176cf4f007
f5b309f6d59f85a324dcd14bfa76709c739e050fc2eb02b8f8c833103b31cb8d
e626dce8b1786976e361f8f60d9c7b829f113004625f26fdf09b126e81e22a36
d5e1b0702c26dbaf5793c59ca03f64aa0d036392202bbcd32035adab3e8d1f3f
7c5a5394a4c23a5730742e589d6b4e1ee733e22b3b92a717c573c07f3e6d3e37
ee3b8c349af80723bc940b7ceea71597106f962e1ea7281e866f76399511154b
39a83f7c88140cdf97f04ca8405d6811271305d6a5ca4cff8ca2bb1368e7b614
bef42fdae71eff14767b54c660a42d7ab6fedf56ce74f8faa304a0e1b526fe4a
e0989c99125dbc5957c7ecdfdc37ff6b7f31f2979531f3fb8747127243f28b7d
9cfe3a45220eb8a66db23438d13cf36d2960cd66ce77f60efd3e06f8b8644350
67722cdb588036c6c1f1dff771926d829bbdace9540dd0f7af271f784761e3b3
1d037a69afea13a6fbf62d0b82916c88d412efee3ff0303b323d54e868b0a8f4
2642784805da2fedd52c929b0988e1e75512db90eb94ec2551b673db515dfe6b
657ffa1f45c97cdda48a5c2ea95eecdfdfeae68d9aac937c120b0ab063ea6e87
449ba2d742d67fc9e6627d4cb6fa952c4ac41efa85ad3df41b1d8cced7965e22
6c728abd9ba37ea16de7ef5d4a088a787cd042e3554f9a2ea01ed0db4415cb39
66b05198714d00ca62085a223a5f602bc100d9342449c466cdc658091d555972
0ab3f28c2e63c11de5149502fb3d04411d07d00a46ab90b7fdecbc0daf3190e4
d0eac987bcbfdc5c85ec8190be7366798cf06035ffaf4088a41f3b82c1ab498c
AveMariaRAT
51cbf246a2f1cf7d123c8cd5ab4e889d5ddf85f6cd3424f48d6a1a65e185c912
164ec851702600dbfaff510c1bff29cd7e4e6d626895f5d49bc95bc35fee0b5a
9ce31ecd0fbf9e4b6425f70e58a6b7183f616fdfa3dd6d8eb9d783ee89e7e4b7
47544ead720c519eb7b90a0bb04847318aa070fb4bdb6bc58f07bc3ef92fa409
d7f08f5e080089d4893acf850427b466a0746ee4e945a675958eb7a0999cae55
6bdde4667d586f9226d3b518d6aa2059f00f5a845428f18e47cdfab2d5697b4b
acc4ef800ba9f56b5657b744803d10876a198d0a9fc496ce4d74b94d88e2ffc8
0c9551f44ddab3ca5dcc4c9298687b41d90f795e617479cb9ea22a5da3f00350
b09b8ea9bf09318793f152890735478512436918abee7ff0ec4d95d2e207e5ef
4de87ef958ac8792805f9b21afeff47e31ff6c2dcddc6d575a19434ab2d93e49
137d6047b852f90c03b282fdda7d71ed8c1cd0a6656c7bd9f84a6da40d157b00
ba7ea35abd11e36be31283bbff959cf61a22c8d3af8569aa3623537f8fbce73a
aaff6af7e1d227dbbd773eb9903433aed3ce43aa9a0270a99607d9612458a022
fc8b9ffb6ffbc7bac2cf616cb41b6e36233fd8b166b2bd63c736c120c80d73aa
f69b8710167601f44de2fd12ce0f6f55e07a8377807796119269110734b8167d
bc1b36ccdfd6c81e2e26da4d64f9da337c00e4c2c8716f43a202da1f44bdcd28
ed911990df9e835bfd8f5ed7f04a3d9f558226de6c270896f733037cece8bd61
bed0ab1283db842b5bec8770e3ddf5079e37d98d58299d5353d753eaaff53574
e59dcd3786f492f1644d6c1f9f09548af3fcfd6b7042dd27889efba3309105a9
a90c91730cb6c001571ab82cf6e8337b9631c86c171388346ff292c98f9b09fc
Bootkitty
0a54fe932ebc3e4fd5aeaf094ac163c9e92d1efa7ab66af3d1cbd2cb9ee4c294
9ee580a9be05b44a9b5102701c8cf45417c3a96617dbf73c40ac5ac4773dfe97
f1f84819bdf395d42c36adb36ded0e7de338e2036e174716b5de71abc56f5d40
CobaltStrike
31a2bd9b628a18a8e38d0a125bd56d958c9cb097da214d67560f8caae1a84032
421d0aa0fe267b45c88945d6d04d902bbcdff2ddd93286d70bb66ce008ca3398
8490c5eda80b5d4fa6b90b8a44d3fd0572d148f1b103cf62117132cabdbb322d
ca5fea17845d6918b55f1b94a3a537b6ba718deabcc60ba8403eab1e4c947071
621c71377b4d280bcf4a3ff121079b857da993615144f509d9042bf2ed4b9159
d0aa2c6c960b96f90a137b2900d6d063c562cc3314af2f35b759692bdf07b2fc
a7d70849da5f425662f519b2c1bb1976ad3283d97baf8597ccfb71fd2a4423ba
5c8e5ed947df22c737e89da781169d72659f201ad726269a719069b3cc887c84
b88ba8ef45c839d6868bbeef80c19e055bf2c560e227d398ee58cc16c3ac77a8
cc51e86e15fa154305e0bfcf99a08e72f71314c17038d27d534914494523f5af
43edbb2a8c5fb71bf15e453143f9fd0d80fb7588daa3f95e5833aeb960058894
407a931a6d65ef02c7c33a4f3d3fc543ff7ac3d71d3b12f3573f56a60a3d1cbc
24f8c8dab1869f3f9cad74ee619e2d4a4dab9d2e2fabeb1a1899ea892175e4ce
275b084d9a968568cdceaf3573d46dac159cddff0ad1df2cf6060734d66fcbd9
70f4ee590e691e56361dbaaa61bc54522d1cdd1b93ca4d99741c3856985c597b
f0c4588336d4dafe75af244819d04b1990b781d4ba8c2f76f9913ddeed54cf17
6259ab873046b485c506e5746f17bc71a2908c7423c7f18bb672b67588ad11ea
74e146e7cdd567ea54eebeaaa2bb63c071395bb3b932e56769dc9177b10d50d6
b6079f3f57ea7a818468e9d5c7633a52d83c7f29f10c6e914b65966b5ee3c3f6
6b0d99d86e08d23b024adb5f2d21ec3e94ae51690ed66abdf9528fa998588192
Sliver
238d000d4f72673584aa6e8e16e9808e288c295b5c4b82c2e088b5653e2903e2
2f9cf2feded9f6ce5d10bd8d7b91c6377b40d6ba17bc1a33a50078f634e687a7
bb8e116358583fd0a8b9658837d0c9bc9501e9860be9febb9a97d91f3ebc4c52
d66953dc071227c30ae670b1a00dee2ba9796bc1b659c7896e50b9aa33f8107e
dd81a3f39858099f80fa3ea2f53e5fcc56f8ed2977551ac35a0a1eb2399c87b9
c449efd2065c38f1448f594ee6b79ac7833aefcdc8a984a73a85ec7fcdd2e359
8bf0cb7f358f95d9e46ef7ae63cef22d6b190225b7f967a75f64157e39d67fc9
f0538f4022d29d4e772e949ac4069b95b6368c7eee4654d24efaa207ce2d3b84
0108279c30b4358c276afe384644c8db90b292002bb2370bcbc8905596d0db0d
8be390484029b7bedbd6e1abbb7cf8d90a0ac57c0c11c61b8a11693a67ee0c2e
50f56d4652062aff6070c99c4f10b526de553cd742c85039aa4c2d02d222482a
86cbe31ea5bc631442bce3fbf60b71246f15208807e21afaf02204494c87bff2
12a9c5b69975f544fa612ac6fe718da610ba718d3064277562b80c006a944f8a
0fe4236f57b3388bb36c35e97c64459f3d7df36ca96f48a3e812a58ffa2be400
134081c798fb3eb235d65cc456e1791edf42e44cfaa2156a16c486181299ac75
c147cc49bdfe129f286520e03a6570495eedcbcef5f0e2581f4bdeb87536e8d1
72dfc8626e3faf0ae478fd1e136ace23bb75a676c283b15a657db82b97eda27d
12e20c8380c4f76fb99e00ad484621cfec27ce239483a55844e4b42ea8db1100
503b7a6ff615acd12f395bfd2e0f992cad7b818ac1b210bbae0f93be5cd7e04c
bd2385d3db9f50ee1d2faf507f36a505b67c22766cb6691546791ef7c390dfe4
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.
