The Top Malware Threats of 2022: A Year in Review

Top Malware Threats

This joint Cybersecurity Advisory (CSA) was co authored by the Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC) about TOP Malware Threats. This advisory provides details on the top malware strains observed in 2021 and also possible still hype in 2022 onwards. 

Malware, short for “malicious software,” can compromise a system by performing an unauthorized function or process. Malicious cyber actors often use malware to covertly compromise and then gain access to a computer or mobile device. Some examples of malware include viruses, worms, Trojans, ransomware, spyware, and rootkits.

Top Malware Threats

The top malware strains of 2021 are: Agent Tesla, AZORult, Formbook, Ursnif, LokiBot, MOUSEISLAND, NanoCore, Qakbot, Remcos, TrickBot and GootLoader.

  • Malicious cyber actors have used Agent Tesla, AZORult, Formbook, LokiBot, NanoCore, Remcos, and TrickBot for at least five years.
  • Malicious cyber actors have used Qakbot and Ursnif for more than a decade. 

Updates made by malware developers, and reuse of code from these malware strains, contribute to the malware’s longevity and evolution into multiple variations. Malicious actors’ use of known malware strains offers organizations opportunities to better prepare, identify, and mitigate attacks from these known malware strains.

Agent Tesla

  • Overview: Agent Tesla is capable of stealing data from mail clients, web browsers, and File Transfer Protocol (FTP) servers. This malware can also capture screenshots, videos, and CISA | ACSC TLP:WHITE Page 3 of 16 | Product ID: AA22-216A A TLP: WHITE Windows clipboard data. Agent Tesla is available online for purchase under the guise of being a legitimate tool for managing your personal computer. Its developers continue to add new functionality, including obfuscation capabilities and targeting additional applications for credential stealing.[3][4]
  • Active Since: 2014
  • Malware Type: RAT
  • Delivery Method: Often delivered as a malicious attachment in phishing emails.
  • Resources: See the MITRE ATT& CK page on Agent Tesla.


  • Overview: AZORult is used to steal information from compromised systems. It has been sold on underground hacker forums for stealing browser data, user credentials, and cryptocurrency information. AZORult’s developers are constantly updating its capabilities.[5][6]
  • Active Since: 2016
  • Malware Type: Trojan
  • Delivery Method: Phishing, infected websites, exploit kits (automated toolkits exploiting known software vulnerabilities), or via dropper malware that downloads and installs AZORult.
  • Resources: See the MITRE ATT&CK page on AZORult and the Department of Health and Human Services (HHS)’s AZORult brief.


  • Overview: FormBook is an information stealer advertised in hacking forums. ForrmBook is capable of key logging and capturing browser or email client passwords, but its developers continue to update the malware to exploit the latest Common Vulnerabilities and Exposures (CVS)[7], such as CVE-2021-40444 Microsoft MSHTML Remote Code Execution Vulnerability.[8][9] 
  • Active Since: At least 2016 • Malware Type: Trojan 
  • Delivery Method: Usually delivered as an attachment in phishing emails. 
  • Resources: See Department of Health and Human Services (HHS)’s Sector Note on Formbook Malware Phishing Campaigns.


  • Overview: Ursnif is a banking Trojan that steals financial information. Also known as Gozi, Ursnif has evolved over the years to include a persistence mechanism, methods to avoid sandboxes and virtual machines, and search capability for disk encryption software to attempt key extraction for unencrypting files.[10][11][12] Based on information from trusted third parties, Ursnif infrastructure is still active as of July 2022.
  • Active Since: 2007 
  • Malware Type: Trojan 
  • Delivery Method: Usually delivered as a malicious attachment to phishing emails. 
  • Resources: See the MITRE ATT&CK page on Ursnif.


  • Overview: LokiBot is a Trojan malware for stealing sensitive information, including user credentials, cryptocurrency wallets, and other credentials. A 2020 LokiBot variant was disguised as a launcher for the Fortnite multiplayer video game.[13][14]
  • Active Since: 2015
  • Malware Type: Trojan
  • Delivery Method: Usually delivered as a malicious email attachment.
  • Resources: See CISA’s LokiBot Malware alert and the MITRE ATT&CK page on LokiBot. 


  • Overview: MOUSEISLAND is usually found within the embedded macros of a Microsoft Word document and can download other payloads. MOUSEISLAND may be the initial phase of a ransomware attack.[15] 
  • Active Since: At least 2019 
  • Malware Type: Macro downloader 
  • Delivery Method: Usually distributed as an email attachment. 
  • Resources: See Mandiant’s blog discussing MOUSEISLAND. 


  • Overview: NanoCore is used for stealing victims’ information, including passwords and emails. NanoCore could also allow malicious users to activate computers’ webcams to spy on victims. Malware developers continue to develop additional capabilities as plug-ins available for purchase or as a malware kit or shared amongst malicious cyber actors.[16][17][18] 
  • Active Since: 2013 
  • Malware Type: RAT 
  • Delivery Method: Has been delivered in an email as an ISO disk image within malicious ZIP files; also found in malicious PDF documents hosted on cloud storage services. 
  • Resources: See the MITRE ATT&CK page on NanoCore and the HHS Sector Note: Remote Access Trojan Nanocore Poses Risk to HPH Sector.


  • Overview: originally observed as a banking Trojan, Qakbot has evolved in its capabilities to include performing reconnaissance, moving laterally, gathering and exfiltrating data, and delivering payloads. Also known as QBot or Pinksliplot, Qakbot is modular in nature enabling malicious cyber actors to configure it to their needs. Qakbot can also be used to form botnets.[19][20] 
  • Active Since: 2007 
  • Malware Type: Trojan 
  • Delivery Method: May be delivered via email as malicious attachments, hyperlinks, or embedded images. 
  • Resources: See the MITRE ATT&CK page on Qakbot and the Department of Health and Human Services (HHS) Qbot/Qakbot Malware brief. 


  • Overview: Remcos is marketed as a legitimate software tool for remote management and penetration testing. Remcos, short for Remote Control and Surveillance, was leveraged by malicious cyber actors conducting mass phishing campaigns during the COVID-19 pandemic to steal personal data and credentials. Remcos installs a backdoor onto a target system. Malicious cyber actors then use the Remcos backdoor to issue commands and gain administrator privileges while bypassing antivirus products, maintaining persistence, and running as legitimate processes by injecting itself into Windows processes.[21][22] 
  • Active Since: 2016 
  • Malware Type: RAT 
  • Delivery Method: Usually delivered in phishing emails as a malicious attachment. 
  • Resources: See the MITRE ATT&CK page on Remcos. 


  • Overview: TrickBot malware is often used to form botnets or enable initial access for the Conti ransomware or Ryuk banking trojan. TrickBot is developed and operated by a sophisticated group of malicious cyber actors and has evolved into a highly modular, multistage malware. In 2020, cyber criminals used TrickBot to target the Healthcare and Public Health (HPH) Sector and then launch ransomware attacks, exfiltrate data, or disrupt healthcare services. Based on information from trusted third parties, TrickBot’s infrastructure is still active in July 2022.[23][24][25][26] 
  • Active Since: 2016 
  • Malware Type: Trojan 
  • Delivery Method: Usually delivered via email as a hyperlink. 
  • Resources: See the MITRE ATT&CK page on Trickbot and the Joint CSA on TrickBot Malware. 


  • Overview: GootLoader is a malware loader historically associated with the GootKit malware. As its developers updated its capabilities, GootLoader has evolved from a loader downloading a malicious payload into a multi-payload malware platform. As a loader malware, GootLoader is usually the first-stage of a system compromise. By leveraging search engine poisoning, GootLoader’s developers may compromise or create websites that rank highly in search engine results, such as Google search results.[27] 
  • Active Since: At least 2020 
  • Malware Type: Loader 
  • Delivery Method: Malicious files available for download on compromised websites that rank high as search engine results 
  • Resources: See New Jersey’s Cybersecurity & Communications Integration Cell (NJCCIC) page on GootLooader and BlackBerry’s Blog on GootLoader.


The steps that CISA and ACSC recommend organizations take to improve their cybersecurity posture based on known adversary tactics, techniques, and procedures (TTPs) to tackle TOP Malware Threats.

CISA and ACSC urge critical infrastructure organizations to prepare for and mitigate potential cyber threats immediately by (1) updating software, (2) enforcing MFA, (3) securing and monitoring RDP and other potentially risky services, (4) making offline backups of your data, and (5) providing end-user awareness and training.