In Q1 2025, the Top 10 Malware list showed slight changes, with SocGholish continuing its lead for the seventh consecutive quarter. This JavaScript downloader accounted for 48% of detections and poses significant risks by enabling further exploitation. New entries in the list included TeleGrab, an infostealer targeting Telegram, and VenomRAT, an open-source Remote Access Trojan (RAT). The primary infection vector was Malvertisement.

Affected: SocGholish, TeleGrab, VenomRAT, CoinMiner, ZPHP, Agent Tesla, DarkGate, Ratenjay, LandUpdate808, Arechclient2

Key points:
- SocGholish, a JavaScript downloader, leads malware detections at 48%.
- New malware entries include TeleGrab and VenomRAT.
- TeleGrab targets Telegram and steals user data.
- VenomRAT is an open-source RAT with versatile capabilities.
- Malvertisement was the primary infection vector in Q1 2025.
- Other infection vectors included Dropped, Malspam, and Multiple.
- CIS CTI team supports cybersecurity defenses for U.S. government sectors.
MITRE Techniques:
- T1071 – Application Layer Protocol: SocGholish uses HTTP/HTTPS for communication with its servers.
- T1105 – Remote File Copy: VenomRAT is delivered and executed via other malware or malspam.
- T1070 – Indicator Removal on Host: TeleGrab evades detection by collecting user data without immediate signs of compromise.
- T1056 – Input Capture: VenomRAT incorporates keylogging capabilities.
- T1040 – Network Sniffing: TeleGrab captures chat history and contacts from Telegram sessions.
Indicators of Compromise:
- [Domain] apiexplorerzone[.]com
- [Domain] blackshelter[.]org
- [Domain] TeleGrab-specific domains
- [SHA256] 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca6
- [IP Address] 94[.]158[.]247[.]101
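As an added defender-side example (not part of the CIS digest or its tooling), the script below refangs the indicators listed above, validates each one before it goes into a watchlist, and matches the watchlist against constructed sample DNS and proxy log lines. The SHA256 value is copied exactly as printed; the 64-character length check rejects it because the printed string is 65 hex characters long.

```python
import re

# Indicators copied verbatim from the digest above, in their defanged form.
DEFANGED_IOCS = {
    "domain": ["apiexplorerzone[.]com", "blackshelter[.]org"],
    "sha256": ["47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca6"],
    "ip": ["94[.]158[.]247[.]101"],
}

def refang(value: str) -> str:
    """Turn the defanged form ([.] / hxxp) back into a matchable string."""
    return value.replace("[.]", ".").replace("hxxp", "http").strip().lower()

def validate(kind: str, value: str) -> bool:
    """Reject malformed indicators so a typo never silently goes unmatched."""
    if kind == "sha256":
        return re.fullmatch(r"[0-9a-f]{64}", value) is not None
    if kind == "ip":
        parts = value.split(".")
        return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)
    if kind == "domain":
        return re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", value) is not None
    return False

def build_watchlist(defanged):
    """Return ({kind: set(indicators)}, [(kind, original) for rejected entries])."""
    watch, rejected = {}, []
    for kind, values in defanged.items():
        for original in values:
            clean = refang(original)
            if validate(kind, clean):
                watch.setdefault(kind, set()).add(clean)
            else:
                rejected.append((kind, original))
    return watch, rejected

def scan_logs(lines, watch):
    """Return (line_no, kind, indicator) for each log line containing a watchlist entry."""
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        for kind, values in watch.items():
            hits.extend((n, kind, v) for v in sorted(values) if v in low)
    return hits

# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "2025-03-02T10:14:01Z dns client=10.0.0.12 query=apiexplorerzone.com type=A",
    "2025-03-02T10:14:03Z proxy client=10.0.0.12 dst=94.158.247.101:443 method=CONNECT",
    "2025-03-02T10:15:40Z dns client=10.0.0.40 query=updates.example.org type=A",
]
```

Rejected entries should be reviewed by hand rather than dropped silently; substring matching is deliberately loose, so confirm hits against the full log record before acting on them.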
Full Story: https://www.cisecurity.org/insights/blog/top-10-malware-q1-2025