MS-ISAC reporting shows total malware notifications rose 7% from Q3 to Q4 2025, with SocGholish accounting for 30% of detections and CoinMiner and Agent Tesla also prominent. New and returning families observed include ACR Stealer, Calendaromatic, SombRAT, and Arechclient2. Malvertisement and malspam were the leading single initial-infection vectors, and the families relied on techniques such as WMI-based spread, AutoRun/Startup-folder persistence, and several C2 channels. #SocGholish #ACR_Stealer
Keypoints
- MS-ISAC saw a 7% increase in malware notifications from Q3 to Q4 2025; SocGholish comprised 30% of detections and led the Top 10 list.
- CoinMiner (cryptocurrency miner) and Agent Tesla (RAT/infostealer) were the second- and third-most prevalent families.
- New/returning malware included the return of Arechclient2 and first-seen appearances of ACR Stealer, Calendaromatic, and SombRAT.
- Tracked initial infection vectors were Multiple (the category for families that arrive through at least two vectors), Malvertisement, and Malspam; Multiple led in Q4 2025.
- Common techniques observed: WMI-based lateral movement and persistence via AutoRun registry keys or Startup folder, DGA-based C2, encrypted DNS/TCP communication, process injection, and payload download.
- The CIS Community Defense Model v2.0 can mitigate a large portion of MITRE ATT&CK sub-techniques associated with these malware families.
MITRE Techniques
- [T1047] Windows Management Instrumentation – Used for spread and execution: ‘CoinMiner typically uses Windows Management Instrumentation (WMI) to spread across a network.’
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder – Persistence mechanism: ‘ACR Stealer achieves persistence via AutoRun registry keys or the Startup folder depending on the host environment.’
- [T1071.001] Application Layer Protocol: Web Protocols (HTTP/S) – C2 over web protocols: ‘It uses HTTP and TCP for C2 communication.’
- [T1071.004] Application Layer Protocol: DNS – C2 over DNS: ‘SombRAT … supports encrypted communication via DNS and TCP.’
- [T1095] Non-Application Layer Protocol – Use of raw TCP for C2: ‘It uses HTTP and TCP for C2 communication.’
- [T1055] Process Injection – Evasion and in-memory execution: ‘SombRAT … supports … process injection.’
- [T1027] Obfuscated Files or Information – String obfuscation to hinder analysis: ‘hide its presence using process argument spoofing and XOR-based string obfuscation.’
- [T1105] Ingress Tool Transfer – Downloading additional tooling/payloads: ‘SombRAT can download and execute additional payloads.’
- [T1497] Virtualization/Sandbox Evasion – Anti-analysis measures: ‘it has several anti-virtual machine and anti-emulator capabilities.’
- [T1056] Input Capture – Credential and input theft via keylogging (screen capture is tracked separately by ATT&CK as T1113): ‘capturing keystrokes and screenshots, harvesting saved credentials from web browsers.’
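Two of the techniques above, WMI-based spread (T1047) and Run key / Startup folder persistence (T1547.001), leave host telemetry that is easy to hunt for. The following detection logic is an added example written for this summary, not code from the CIS post or from MS-ISAC. It runs over a handful of constructed Sysmon-style events (process creation, registry value set, file creation) embedded in the block; the field names follow the common Sysmon event schema, and the sample paths, SID and file names are made up for illustration.

```python
"""Hunt logic for T1047 (WMI-spawned processes) and T1547.001 (Run key /
Startup folder persistence) over Sysmon-style events.

Added example for this summary; the events below are constructed, not real
telemetry from the MS-ISAC report.
"""
import re
from typing import Dict, List, Optional, Tuple

# Run / RunOnce keys in HKLM or HKCU, including the Wow6432Node view.
RUN_KEY_RE = re.compile(
    r"\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\",
    re.IGNORECASE,
)
# Per-user and all-users Startup folders both end in this path fragment.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)

# WmiPrvSE.exe is the WMI provider host; a child it spawns is a process that
# was started through WMI, which is how CoinMiner is described as spreading.
WMI_HOST = "\\wmiprvse.exe"

# Images that legitimately run under WmiPrvSE in many environments
# (software deployment, monitoring agents). Tune this per estate.
WMI_ALLOWLIST = {"c:\\windows\\ccm\\ccmexec.exe"}


def detect(event: Dict[str, object]) -> Optional[Tuple[str, str]]:
    """Return (technique, description) for a suspicious event, else None."""
    eid = event.get("EventID")
    if eid == 1:  # Sysmon process create
        parent = str(event.get("ParentImage", "")).lower()
        image = str(event.get("Image", "")).lower()
        if parent.endswith(WMI_HOST) and image not in WMI_ALLOWLIST:
            return ("T1047", f"WMI-spawned process {event.get('Image')}: "
                             f"{event.get('CommandLine')}")
    elif eid == 13:  # Sysmon registry value set
        target = str(event.get("TargetObject", ""))
        if RUN_KEY_RE.search(target):
            return ("T1547.001", f"Run key set {target} = {event.get('Details')}")
    elif eid == 11:  # Sysmon file create
        path = str(event.get("TargetFilename", ""))
        if STARTUP_RE.search(path):
            return ("T1547.001", f"Startup folder drop {path}")
    return None


def scan(events: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Run detect() over a batch of events and collect the hits in order."""
    hits = []
    for ev in events:
        hit = detect(ev)
        if hit:
            hits.append(hit)
    return hits


# Constructed sample events (hypothetical host, user and file names).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 1,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\updater.exe"},
    {"EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 11,
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk"},
]


if __name__ == "__main__":
    for technique, text in scan(SAMPLE_EVENTS):
        print(technique, text)
```

The WMI rule matches on the parent image alone, which is deliberately broad; in production, pair it with the allowlist and with the command line of the child (script interpreters, LOLBins) to keep the signal usable. The Run key and Startup folder rules are low-volume on most hosts and can be alerted on directly.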
Indicators of Compromise
- [Domains] Examples of malicious or campaign domains observed – app[.]abuarerestaurant[.]net (SocGholish), calendaromatic[.]com (Calendaromatic), and dozens of other domains used across the Top 10 families.
- [SHA256 Hashes] Sample payload hashes tied to detections and analysis – CoinMiner example: 3E59379F585EBF0BECB6B4E06D0FBBF806DE28A4BB256E837B4555F1B424557159F7C03A2021CB28A433AE0D018388B2A5B802686CA94699FA0BC9E1917AEAD09, ACR Stealer example: dc363b99506502dac735b4b5636dfeadc07fec6742140da0d89673110538e53200b84eae83e4cd6165255247026c702c2c88f5cea8a1032187c2b842dc54095d006f0054609064c00d3d217ee37f, and additional hashes listed for other families. As reproduced here both hash strings are longer than the 64 hex characters of a single SHA-256 digest, so take the individual values from the linked CIS post before loading them into a blocklist.
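Before indicators from a summary like this one go into a blocklist they should be refanged and validated, which also catches the concatenated hash strings above. The helper below is an added example written for this page, not tooling from CIS or MS-ISAC. It takes the two defanged domains and the two hash strings exactly as they appear on this page, refangs the domains, accepts only strings that are exactly one SHA-256 digest, splits a string into candidate digests only when its length is an exact multiple of 64, and otherwise rejects it for manual lookup.

```python
"""IoC hygiene: refang defanged domains and validate SHA-256 strings.

Added example for this summary. The sample values are copied from the page
text, not fetched from the CIS post.
"""
import re
from typing import Dict, List, Optional

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DEFANG_DOTS = ("[.]", "(.)", "[dot]", "(dot)", "{.}")


def refang(indicator: str) -> str:
    """Undo common defanging: bracketed dots and hxxp(s):// prefixes."""
    s = indicator.strip()
    for token in DEFANG_DOTS:
        s = s.replace(token, ".")
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s.lower()


def normalize_sha256(value: str) -> Optional[str]:
    """Return the lowercase digest if value is exactly one SHA-256, else None."""
    v = value.strip().lower()
    return v if SHA256_RE.fullmatch(v) else None


def split_concatenated(value: str) -> List[str]:
    """Split a run of digests pasted together with no separator.

    Only an exact multiple of 64 hex characters is split; anything else has
    an unknowable boundary (a dropped or extra character) and is returned
    as an empty list so the caller treats it as unusable.
    """
    v = value.strip().lower()
    if not v or len(v) % 64 != 0 or not re.fullmatch(r"[0-9a-f]+", v):
        return []
    return [v[i:i + 64] for i in range(0, len(v), 64)]


def triage(domains: List[str], hash_strings: Dict[str, str]) -> Dict[str, list]:
    """Build a blocklist-ready report: usable domains, usable hashes, rejects."""
    report: Dict[str, list] = {"domains": [], "hashes": [], "rejected": []}
    for d in domains:
        report["domains"].append(refang(d))
    for label, raw in hash_strings.items():
        digest = normalize_sha256(raw)
        if digest:
            report["hashes"].append((label, digest))
            continue
        parts = split_concatenated(raw)
        if parts:
            report["hashes"].extend((label, p) for p in parts)
        else:
            report["rejected"].append((label, len(raw.strip())))
    return report


# Values copied verbatim from this page's Indicators of Compromise section.
PAGE_DOMAINS = ["app[.]abuarerestaurant[.]net", "calendaromatic[.]com"]
PAGE_HASH_STRINGS = {
    "CoinMiner": "3E59379F585EBF0BECB6B4E06D0FBBF806DE28A4BB256E837B4555F1B424557159F7C03A2021CB28A433AE0D018388B2A5B802686CA94699FA0BC9E1917AEAD09",
    "ACR Stealer": "dc363b99506502dac735b4b5636dfeadc07fec6742140da0d89673110538e53200b84eae83e4cd6165255247026c702c2c88f5cea8a1032187c2b842dc54095d006f0054609064c00d3d217ee37f",
}


if __name__ == "__main__":
    result = triage(PAGE_DOMAINS, PAGE_HASH_STRINGS)
    print("domains:", result["domains"])
    print("hashes:", result["hashes"])
    print("rejected (label, length):", result["rejected"])
```

Run against the page's own values, both hash strings land in the rejected list because neither length is a multiple of 64, which is the signal to go back to the source rather than guess where one digest ends and the next begins. A string that is an exact multiple of 64 is split into candidates, but those still deserve a second look, since two digests of the right length can be glued together with one character dropped from each side and still pass.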
Read more: https://www.cisecurity.org/insights/blog/top-10-malware-q4-2025