Malware families
An encyclopedia of malware families — history, timelines, capabilities, attribution and indicators.
25 families
Agent Tesla
Active · Infostealer / RAT
A long-running .NET infostealer and RAT sold as malware-as-a-service, specialising in credential theft, keylogging and exfiltration over SMTP/FTP/Telegram.
BlackCat (ALPHV)
Disrupted · Ransomware
One of the first major ransomware families written in Rust, a sophisticated RaaS behind the Change Healthcare attack before its operators pulled an exit scam on their affiliates in March 2024.
Conficker
Dormant · Worm / Botnet
A 2008 worm that exploited a Windows Server Service RPC flaw (MS08-067) to build one of the largest botnets ever; residual infections still linger on unpatched machines today.
Conti
Disrupted · Ransomware
A ruthless ransomware-as-a-service operation run like a corporate criminal enterprise, whose 2022 internal chat leaks exposed its inner workings before it shut down and its members scattered into successor groups.
Dridex
Dormant · Banking trojan / Loader
A long-lived banking trojan operated by Evil Corp, descended from Bugat/Cridex and later used to stage BitPaymer and DoppelPaymer ransomware.
Emotet
Disrupted · Banking trojan / Loader
A modular banking trojan turned prolific malware-as-a-service loader, infamous for malspam campaigns and for dropping ransomware payloads before its January 2021 takedown.
FormBook
Active · Infostealer
A cheap, long-running malware-as-a-service infostealer and form-grabber, later rebranded and expanded cross-platform as XLoader.
GandCrab
Dead · Ransomware
An aggressively marketed ransomware-as-a-service that dominated 2018–2019 before its operators retired, claiming over $2 billion in ransoms.
Gh0st RAT
Active · RAT
A classic open-source remote access trojan of Chinese origin, used in countless espionage campaigns since its public release in 2008.
IcedID
Dormant · Banking trojan / Loader
A banking trojan turned modular loader that became a major initial-access vector for ransomware after Emotet and TrickBot were disrupted.
LockBit
Disrupted · Ransomware
A ransomware-as-a-service operation that became the most deployed ransomware strain worldwide, known for fast encryption, an affiliate model and double extortion, until its infrastructure was seized in the 2024 Operation Cronos action.
Maze
Dead · Ransomware
The ransomware that popularised double extortion, stealing data and threatening to leak it, reshaping the entire ransomware economy before retiring in late 2020.
Mirai
Active · Botnet / Worm
A self-propagating IoT botnet that hijacks Linux-based devices by brute-forcing factory-default Telnet credentials, powering some of the largest DDoS attacks ever recorded.
njRAT
Active · RAT
A widely cloned .NET remote access trojan popular among low-skill operators, offering full remote control, keylogging and webcam spying since 2012.
NotPetya
Dead · Wiper
A destructive wiper disguised as ransomware that spread from a trojanised update of Ukrainian accounting software (M.E.Doc) in 2017, causing an estimated $10 billion in global damage.
Pegasus
Active · Spyware
Mercenary mobile spyware that uses zero-click exploits to fully compromise iOS and Android phones, repeatedly found targeting journalists and activists.
QakBot
Disrupted · Banking trojan / Loader
A durable banking trojan turned modular loader and ransomware enabler, dismantled in August 2023's Operation Duck Hunt but resurfacing afterward.
Raccoon Stealer
Active · Infostealer
A popular malware-as-a-service infostealer that harvested credentials and crypto wallets at scale, paused by a 2022 disruption and later relaunched as Raccoon 2.0.
RedLine Stealer
Disrupted · Infostealer
A wildly popular malware-as-a-service infostealer that harvested credentials, cookies and crypto wallets at scale until its October 2024 law-enforcement takedown (Operation Magnus).
REvil
Disrupted · Ransomware
A prolific ransomware-as-a-service operation behind the 2021 Kaseya and JBS attacks, known for high ransom demands and for its encryptor, also tracked as Sodinokibi.
Ryuk
Disrupted · Ransomware
A targeted big-game-hunting ransomware deployed via TrickBot and Emotet against enterprises and hospitals, and a direct precursor to Conti.
Stuxnet
Dead · Worm
A landmark cyber-physical weapon that sabotaged Iran's uranium enrichment centrifuges by tampering with Siemens S7 PLC logic, first uncovered in 2010.
TrickBot
Disrupted · Banking trojan / Loader
A modular banking trojan that evolved into a dominant malware-as-a-service platform and a primary delivery vehicle for Ryuk and Conti ransomware.
WannaCry
Dormant · Ransomware / Worm
A self-propagating ransomware worm that used the EternalBlue SMB exploit to infect over 200,000 systems across 150 countries in May 2017.
Zeus
Dormant · Banking trojan
The archetypal banking trojan whose 2011 source-code leak spawned a vast family of descendants, including Citadel, Gameover Zeus and Atmos.