QakBot, SocGholish and Raspberry Robin

Carding

ReliaQuest reports that QakBot, SocGholish and Raspberry Robin are the three most popular malware loaders, accounting for up to 80% of observed incidents.

For the period from January 1 to July 31 of this year, QakBot accounted for 30% of incidents, SocGholish - 27% of them, and Raspberry Robin - 23%.

According to the company, not all of the incidents studied resulted in a network compromise, as in some cases the loader was detected and neutralized before it could cause serious problems.

Active since 2009, QakBot (QBot or Quakbot) was originally a banking trojan but later evolved into a malware loader that could deploy additional payloads, steal sensitive information, and enable lateral movement.

QakBot, usually delivered via phishing emails, was linked to the BlackBasta ransomware group, made up of former members of Conti.

Researchers characterize QakBot as an evolving, persistent threat used for massive attacks on various industries or regions.

Its operators are resourceful and adapt quickly to changing conditions, and are likely to continue to be active for the foreseeable future.

Active since at least 2018, SocGholish (also known as FakeUpdates) is distributed via drive-by downloads through a wide network of hacked websites serving fake update prompts.

The loader has been associated with Evil Corp, which has been active since at least 2007, as well as with an Initial Access Broker (IAB) known as Exotic Lily.

In the first half of 2023, SocGholish operators were seen carrying out aggressive watering-hole attacks using the hacked websites of major organizations.

First discovered in September 2021, the Raspberry Robin worm for Windows mainly spreads through removable devices such as USB sticks and has been associated with various attackers including Evil Corp and Silence.

Raspberry Robin has been observed delivering a wide range of ransomware and malware families, including Cl0p, LockBit, TrueBot, and others, in attacks targeting financial institutions, government organizations, and telecommunications and manufacturing companies located primarily in Europe.

In addition to these three loaders, Gootloader, Chromeloader, Guloader, and Ursnif also saw high activity during the first seven months of the year, according to ReliaQuest.