Software

Emissary is a Trojan that has been used by Lotus Blossom. It shares code with Elise, with both Trojans being part of a malware group referred to as LStudio.[1]

Emotet is a modular malware variant which is primarily used as a downloader for other malware variants such as TrickBot and IcedID. Emotet first emerged in June 2014, initially targeting the financial sector, and has expanded to multiple verticals over time.[1]

Empire is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure PowerShell for Windows and Python for Linux/macOS. Empire was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.[1][2][3]

EnvyScout is a dropper that has been used by APT29 since at least 2021.[1]

Epic is a backdoor that has been used by Turla. [1]

Escobar is an Android banking trojan, first detected in March 2021, believed to be a new variant of AbereBot.[1]

EventBot is an Android banking trojan and information stealer that abuses Android’s accessibility service to steal data from various applications.[1] EventBot was designed to target over 200 different banking and financial applications, the majority of which are European bank and cryptocurrency exchange applications.[1]

EvilBunny is a C++ malware sample observed since 2011 that was designed to be a execution platform for Lua scripts.[1]

EvilGrab is a malware family with common reconnaissance capabilities. It has been deployed by menuPass via malicious Microsoft Office documents as part of spearphishing campaigns. [1]

Exaramel for Linux is a backdoor written in the Go Programming Language and compiled as a 64-bit ELF binary. The Windows version is tracked separately under Exaramel for Windows.[1]

Exaramel for Windows is a backdoor used for targeting Windows systems. The Linux version is tracked separately under Exaramel for Linux.[1]

Exbyte is an exfiltration tool written in Go that is uniquely associated with BlackByte operations. Observed since 2022, Exbyte transfers collected files to online file sharing and hosting services.[1]

Exobot is Android banking malware, primarily targeting financial institutions in Germany, Austria, and France.[1]

Exodus is Android spyware deployed in two distinct stages named Exodus One (dropper) and Exodus Two (payload).[1]

Expand is a Windows utility used to expand one or more compressed CAB files.[1] It has been used by BBSRAT to decompress a CAB file into executable content.[2]

Explosive is a custom-made remote access tool used by the group Volatile Cedar. It was first identified in the wild in 2015.[1][2]

FALLCHILL is a RAT that has been used by Lazarus Group since at least 2016 to target the aerospace, telecommunications, and finance industries. It is usually dropped by other Lazarus Group malware or delivered when a victim unknowingly visits a compromised website. [1]

FELIXROOT is a backdoor that has been used to target Ukrainian victims. [1]

FIVEHANDS is a customized version of DEATHRANSOM ransomware written in C++. FIVEHANDS has been used since at least 2021, including in Ransomware-as-a-Service (RaaS) campaigns, sometimes along with SombRAT.[1][2]

FLASHFLOOD is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps. [1]

FLIPSIDE is a simple tool similar to Plink that is used by FIN5 to maintain access to victims. [1]

FRAMESTING is a Python web shell that was used during Cutting Edge to embed into an Ivanti Connect Secure Python package for command execution.[1]

FRP, which stands for Fast Reverse Proxy, is an openly available tool that is capable of exposing a server located behind a firewall or Network Address Translation (NAT) to the Internet. FRP can support multiple protocols including TCP, UDP, and HTTP(S) and has been abused by threat actors to proxy command and control communications.[1][2][3][4]

FYAnti is a loader that has been used by menuPass since at least 2020, including to deploy QuasarRAT.[1]

FakeM is a shellcode-based Windows backdoor that has been used by Scarlet Mimic. [1]