Threat Category: Windows malware | Page 5

Attackers are sending malicious scripts that download the Remote Manipulator System (RMS) build, known as BurnsRAT, and NetSupport RAT

The non-mobile threat report for Q3 2024 contains data on ransomware, miners, and macOS and IoT threats.

In this part of the malware report we discuss the most remarkable findings of Q3 2024, including APT and hacktivist attacks, ransomware, stealers, macOS malware and so on.

Kaspersky experts describe an Elpaco ransomware sample, a Mimic variant, which abuses the Everything search system for Windows and provides custom features via a GUI.

Kaspersky experts share their insights into cyberthreats that face online shoppers in 2024: phishing, banking trojans, fake shopping apps and Black Friday sales on the dark web data market.

Kaspersky GERT experts have discovered in Colombia new Ymir ransomware, which uses RustyStealer for initial access and the qTox client for communication with its victims.

Kaspersky shares details on QSC modular cyberespionage framework, which appears to be linked to CloudComputating group campaigns.

Kaspersky experts have discovered a new SteelFox Trojan that mimics popular software like Foxit PDF Editor and JetBrains to spread a stealer-and-miner bundle.

Malicious CAPTCHA distributed through ad networks delivers the Amadey Trojan or the Lumma stealer, which pilfers data from browsers, password managers, and crypto wallets.

Kaspersky researchers investigated a number of stealer attacks over the past year, and they are now sharing some details on the new Kral stealer, recent AMOS version and Vidar delivering ACR stealer.

A close look at the utilities, techniques, and infrastructure used by the hacktivist group Crypt Ghouls has revealed links to groups such as Twelve, BlackJack, etc.

Kaspersky experts have discovered a new version of the APT Awaken Likho RAT Trojan, which uses AutoIt scripts and the MeshCentral system to target Russian organizations.

Malicious actors are spreading miners through fake websites with popular software, Telegram channels and YouTube, installing Wazuh SIEM agent on victims’ devices for persistence.

Kaspersky experts studied the activity of Key Group, which utilizes publicly available builders for ransomware and wipers, as well as GitHub and Telegram.

An investigation of BlackJack’s software, TTPs, and motivations led Kaspersky experts to identify a possible connection with the Twelve group.

Reports

Cloud Atlas attacks the public sector and diplomatic structures of Russia and Belarus, using ReverseSocks, SSH, and Tor for persistence in infected systems and its new tool, PowerCloud.

Kaspersky researchers analyze a range of new PebbleDash-based tools used in recent Kimsuky campaigns and reveal their connection to the AppleSeed malware cluster.

Kaspersky researchers uncovered malicious wheel packages in PyPI that targeted both Windows and Linux and contained a dropper delivering malware dubbed ZiChatBot. We attribute this activity to OceanLotus APT.

Kaspersky researchers analyze updated CoolClient backdoor and new tools and scripts used in HoneyMyte (aka Mustang Panda or Bronze President) APT campaigns, including three variants of a browser data stealer.

Windows malware

Horns&Hooves campaign delivers NetSupport RAT and BurnsRAT

IT threat evolution in Q3 2024. Non-mobile statistics

IT threat evolution Q3 2024

Analysis of Elpaco: a Mimic variant

Scammer Black Friday offers: Online shopping threats and dark web sales

Ymir: new stealthy ransomware in the wild

QSC: A multi-plugin framework used by CloudComputating group in cyberespionage campaigns

New SteelFox Trojan mimics software activators, stealing sensitive data and mining cryptocurrency

Lumma/Amadey: fake CAPTCHAs want to know if you’re human

Stealer here, stealer there, stealers everywhere!

Analysis of the Crypt Ghouls group: continuing the investigation into a series of attacks on Russia

Awaken Likho is awake: new techniques of an APT group

Scam Information and Event Management

Key Group: another ransomware group using leaked builders

From 12 to 21: how we discovered connections between the Twelve and BlackJack groups

Reports

Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload

Kimsuky targets organizations with PebbleDash-based tools

OceanLotus suspected of using PyPI to deliver ZiChatBot malware

HoneyMyte updates CoolClient and deploys multiple stealers in recent campaigns

Subscribe to our weekly e-mails