Top 10 Malware Q2 2025

Malware notifications reported by MS-ISAC decreased 18% from Q1 to Q2 2025, with SocGholish remaining the most prevalent malware, accounting for 31% of detections. New and returning malware such as VenomRAT, ClearFake, Mirai, and NanoCore contributed to ongoing threats using various infection vectors like malvertisement and malspam. #SocGholish #VenomRAT #MSISAC

Key Points

  • MS-ISAC reported an 18% decline in total malware notifications from Q1 to Q2 2025.
  • SocGholish was the top malware in Q2 2025, responsible for 31% of detections, often leading to further exploitation involving NetSupport and AsyncRAT.
  • Other prevalent malware included ZPHP, Agent Tesla, VenomRAT, CoinMiner, Mirai, NanoCore, ArechClient2, ClearFake, and LandUpdate808.
  • VenomRAT emerged as the fourth most prevalent malware in Q2 2025, an open-source RAT spread via malspam and dropper malware with capabilities including keylogging and data exfiltration.
  • Infection vectors tracked by MS-ISAC are Dropped, Malspam, Malvertisement, and Multiple; malvertisement was the leading vector in Q2 due to campaigns involving SocGholish and others.
  • SocGholish, ZPHP, ClearFake, and LandUpdate808 primarily use malvertisement as their infection vector.
  • The CIS Community Defense Model (CDM) v2.0 can help defend against 77% of malware-related MITRE ATT&CK techniques regardless of initial infection vector.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Mirai is dropped after threat actors exploit device vulnerabilities for initial access (“Mirai is dropped after a cyber threat actor exploits a device vulnerability for initial access”).
  • [T1566] Phishing – VenomRAT spread via malspam, tricking users through malicious emails (“VenomRAT is an open-source RAT often dropped by other malware or spread via malspam”).
  • [T1195] Supply Chain Compromise – SocGholish and other downloaders use malvertisement and compromised websites to deliver payloads (“SocGholish is a downloader distributed through malicious or compromised websites via fake browser updates”).
  • [T1059] Command and Scripting Interpreter – ClearFake uses PowerShell scripts to load additional malware (“ClearFake uses PowerShell and loads additional malware such as Amadey, Lumma Stealer, Redline, and Raccoon v2”).
  • [T1071] Application Layer Protocol – SocGholish uses multiple methods for traffic redirection and payload delivery (“It uses multiple methods for traffic redirection and payload delivery”).
  • [T1046] Network Service Scanning – CoinMiner uses WMI for persistence and lateral movement (“CoinMiner typically uses Windows Management Instrumentation (WMI) to spread across a network and execute scripts for persistence”).
  • [T1027] Obfuscated Files or Information – ClearFake injects base64-encoded scripts into compromised website HTML (“ClearFake injects base64-encoded scripts into the HTML of compromised websites”).
  • [T1113] Screen Capture – VenomRAT and other RATs have screen capture capabilities (“Most versions include screen capture, password theft, data exfiltration”).
  • [T1005] Data from Local System – Agent Tesla exfiltrates victim files and credentials (“Agent Tesla … captures keystrokes and screenshots, harvests saved credentials, copies clipboard data, exfiltrates victim files”).

Indicators of Compromise

  • [Domains] SocGholish campaign domains – ai.lanpdt.org, app.symphoniabags.com, billing.roofnrack.us, cpanel.productdevelopmentplan.com, and others.
  • [Domains] ZPHP campaign domains – eddereklam.com, islonline.org, lqsword.top, modandcrackedapk.com.
  • [Domains] Agent Tesla associated domains – ftp.fosna.net, ftp.jeepcommerce.rshosting2.ro, hostsailor.com.
  • [SHA256 Hashes] Agent Tesla samples – 00179fa97b55a6f67a4e7be7041f3d38b0a794051ce47750ea2f988f61c3dcff0c and others.
  • [Domains] VenomRAT associated malicious domains – dataops-tracxn.com, idram-secure.live, bitdefender-download.com.
  • [SHA256 Hashes] VenomRAT samples – 075f991f42c1509d545a8e164875e6464c7394dbc1e8550ba8cd50d6b5b5f2ea82 and others.
  • [SHA256 Hashes] Mirai sample – 11C0447F524D0FCB3BE2CD0FBD23EB2CC2045F374B70C9C029708A9F2F4A41144.
  • [Domains] NanoCore campaign domains – louinc928.gotdns.ch, x02e2069bb8744.anondns.net.
  • [IP Addresses] NanoCore campaign IPs – 123.123.123.123, 193.161.193.99.
  • [SHA256 Hashes] NanoCore samples – 069ced19d871f274f17ef17c0a6c973b12d9eb54a8d86c07c35b5cd33848c04309 and others.
  • [Domains] ArechClient2 campaign domains – bienvenido.com, bind-new-connect.click, candyconverterpdf.com.
  • [IP Addresses] ArechClient2 associated IPs – 143.110.230.167, 144.172.97.217.
  • [SHA256 Hashes] ArechClient2 samples – 1da2b2004f63b11ab0d3f67cd1431742a1656460492bd4b42fd53d413e6e15705.
  • [Domains] ClearFake campaign domains – bandarsport.net, bip32.katuj.fun, getlastingro.com.
  • [Domains] LandUpdate808 campaign domains – alhasba.com, dveha.com, jimriehls.com.
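As an added example (not code from the MS-ISAC post), the following Python routine parses bullet lines in the format used above into typed indicators and validates each value before it is allowed onto a blocklist. The input lines are copied from the list above; stripping the trailing period and the "and others" filler is an assumption about the list format.

```python
import ipaddress
import re

# Constructed input: three bullets copied from the indicator list above.
IOC_LINES = """\
  • [Domains] NanoCore campaign domains – louinc928.gotdns.ch, x02e2069bb8744.anondns.net.
  • [IP Addresses] NanoCore campaign IPs – 123.123.123.123, 193.161.193.99.
  • [SHA256 Hashes] Mirai sample – 11C0447F524D0FCB3BE2CD0FBD23EB2CC2045F374B70C9C029708A9F2F4A41144.
"""

# "• [Kind] label – value, value." where the en dash separates label from values.
BULLET_RE = re.compile(r"^\s*•\s*\[(?P<kind>[^\]]+)\]\s*(?P<label>[^–]+?)\s*–\s*(?P<values>.+?)\.?\s*$")
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def validate(kind, value):
    """Return (ok, reason) for one indicator value of the given kind."""
    if kind == "SHA256 Hashes":
        if SHA256_RE.match(value):
            return True, ""
        return False, f"{len(value)} hex chars, expected 64"
    if kind == "IP Addresses":
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return False, "not an IP address"
        # Private or reserved ranges on a blocklist are noise; never block them blindly.
        return (True, "") if addr.is_global else (False, "non-global address")
    if kind == "Domains":
        return (True, "") if DOMAIN_RE.match(value) else (False, "not a hostname")
    return False, f"unknown indicator kind {kind!r}"


def parse_ioc_lines(text):
    """Split bullets into (kind, label, value) tuples; malformed values go to a
    rejected list with a reason instead of silently entering the blocklist."""
    accepted, rejected = [], []
    for line in text.splitlines():
        m = BULLET_RE.match(line)
        if not m:
            continue
        kind, label = m["kind"], m["label"].strip()
        for raw in m["values"].split(","):
            # Assumption about the list format: drop the "and others" filler, normalise case.
            value = re.sub(r"\s+and others$", "", raw.strip().rstrip(".")).lower()
            if not value:
                continue
            ok, reason = validate(kind, value)
            (accepted if ok else rejected).append((kind, label, value) + (() if ok else (reason,)))
    return accepted, rejected
```

Run over the list above, every SHA256 entry is rejected because the printed values are not 64 hex characters, which is exactly the kind of transcription error this check exists to catch before a bad indicator is deployed.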


Read more: https://www.cisecurity.org/insights/blog/top-10-malware-q2-2025