| 1 | Crux | Ransomware | New strain by BlackByte. Disables recovery, encrypts via svchost.exe → cmd.exe. | Use of rclone, svchost.exe spikes, shadow copy deletion | 3 known attacks, lateral movement via RDP |
| 2 | ToolShell | Web Shell | Deployed via MS SharePoint 0‑day (CVE‑2025‑53770/71), persistent access | Backdoor in SharePoint logs, compromised cryptographic keys | Used by state-backed actors to breach U.S. gov servers |
| 3 | DarkGate | Loader | Malicious VBScript loader, uses PowerShell and AutoHotKey | Abnormal registry edits, task scheduler persistence | Rapid global spread in SMBs |
| 4 | PyLoose | Fileless Malware | Python-based loader running in-memory in Linux via cloud tools | Unusual Python execution in /tmp, C2 calls | Cloud-native Linux systems targeted |
| 5 | Mystic Stealer | InfoStealer | Steals browser data, cryptocurrency wallets, Telegram data | Injects into explorer.exe, steals clipboard + session tokens | Increasing in use across APAC & EU |
| 6 | Bumblebee | Loader | Delivered via phishing; stages ransomware like Quantum | DLL sideloading, Windows Defender bypass | Part of several ransomware ops |
| 7 | AgentTesla | RAT / Keylogger | Ongoing variant updates, steals creds, logs keystrokes | HTTP POST exfiltration, C2 to bulletproof servers | Often hidden in Excel/email macro lures |
| 8 | RedLine Stealer | InfoStealer | Popular on Telegram, uses cheap-as-a-service kits | Looks for browser passwords, cold wallet files | Used in massive credential dumps |
| 9 | LummaC2 | Stealer/Loader | New hybrid C2 kit for malware-as-a-service | C2 beaconing over Discord, obfuscated JS droppers | Growing in Southeast Asia & US |
| 10 | Remcos RAT | Remote Access Trojan | Delivered via cracked software and phishing | Uses Windows registry for persistence, keylogging | Used in targeted espionage campaigns |