Software

MirageFox is a remote access tool used against Windows systems. It appears to be an upgraded version of a tool known as Mirage, which is a RAT believed to originate in 2012. [1]

MirrorStealer is a credential stealer that has been used by MirrorFace since at least 2022 to steal credentials from various applications, including browsers and email clients. MirrorStealer has been delivered directly into system memory via commands issued by LODEINFO.[1]

Mis-Type is a backdoor hybrid that was used in Operation Dust Storm by 2012.[1]

Misdat is a backdoor that was used in Operation Dust Storm from 2010 to 2011.[1]

Mispadu is a banking trojan written in Delphi that was first observed in 2019 and uses a Malware-as-a-Service (MaaS) business model.[1][2] This malware is operated, managed, and sold by the Malteiro cybercriminal group.[2] Mispadu has mainly been used to target victims in Brazil and Mexico, and has also had confirmed operations throughout Latin America and Europe.[2][3][4]

Mivast is a backdoor that has been used by Deep Panda. It was reportedly used in the Anthem breach. [1]

MobileOrder is a Trojan intended to compromise Android mobile devices. It has been used by Scarlet Mimic. [1]

MoleNet is a downloader tool with backdoor capabilities that has been observed in use since at least 2019.[1]

Moneybird is a ransomware variant written in C++ associated with Agrius operations. The name "Moneybird" is contained in the malware's ransom note and as strings in the executable.[1]

Mongall is a backdoor that has been used since at least 2013, including by Aoqin Dragon.[1]

Monokle is targeted, sophisticated mobile surveillanceware. It is developed for Android, but there are some code artifacts that suggests an iOS version may be in development.[1]

MoonWind is a remote access tool (RAT) that was used in 2016 to target organizations in Thailand. [1]

More_eggs is a JScript backdoor used by Cobalt Group and FIN6. Its name was given based on the variable "More_eggs" being present in its code. There are at least two different versions of the backdoor being used, version 2.0 and version 4.4. [1][2]

Mori is a backdoor that has been used by MuddyWater since at least January 2022.[1][2]

Mosquito is a Win32 backdoor that has been used by Turla. Mosquito is made up of three parts: the installer, the launcher, and the backdoor. The main backdoor is called CommanderDLL and is launched by the loader program. [1]

MuddyViper is custom backdoor written in C and C++ used by MuddyWater for command and control (C2) communications and persistence. MuddyViper is loaded by Fooder and sends frequent messages to the C2 server.[1]

MultiLayer Wiper is wiper malware written in .NET associated with Agrius operations. Observed samples of MultiLayer Wiper have an anomalous, future compilation date suggesting possible metadata manipulation.[1]

Mythic is an open source, cross-platform post-exploitation/command and control platform. Mythic is designed to "plug-n-play" with various agents and communication channels.[1][2][3] Deployed Mythic C2 servers have been observed as part of potentially malicious infrastructure.[4]

NBTscan is an open source tool that has been used by state groups to conduct internal reconnaissance within a compromised network.[1][2][3][4]

NDiskMonitor is a custom backdoor written in .NET that appears to be unique to Patchwork. [1]

NETEAGLE is a backdoor developed by APT30 with compile dates as early as 2008. It has two main variants known as “Scout” and “Norton.” [1]

NETWIRE is a publicly available, multiplatform remote administration tool (RAT) that has been used by criminal and APT groups since at least 2012.[1][2][3]

NGLite is a backdoor Trojan that is only capable of running commands received through its C2 channel. While the capabilities are standard for a backdoor, NGLite uses a novel C2 channel that leverages a decentralized network based on the legitimate NKN to communicate between the backdoor and the actors.[1]

NICECURL is a VBScript-based backdoor used by APT42 to download additional modules.[1]

NKAbuse is a Go-based, multi-platform malware abusing NKN (New Kind of Network) technology for data exchange between peers, functioning as a potent implant, and equipped with both flooder and backdoor capabilities.[1][2]