Software

OBAD is an Android malware family. [1]

ODAgent is a C#/.NET downloader that has been used by OilRig since at least 2022 including against target organizations in Israel to download and execute payloads and to exfiltrate staged files.[1]

OLDBAIT is a credential harvester used by APT28. [1] [2]

OSInfo is a custom tool used by APT3 to do internal discovery on a victim's computer and network. [1]

OSX/Shlayer is a Trojan designed to install adware on macOS that was first discovered in 2018.[1][2]

OSX_OCEANLOTUS.D is a macOS backdoor used by APT32. First discovered in 2015, APT32 has continued to make improvements using a plugin architecture to extend capabilities, specifically using `.dylib` files. OSX_OCEANLOTUS.D can also determine it's permission level and execute according to access type (`root` or `user`).[1][2][3]

ObliqueRAT is a remote access trojan, similar to Crimson, that has been in use by Transparent Tribe since at least 2020.[1][2]

OceanSalt is a Trojan that was used in a campaign targeting victims in South Korea, United States, and Canada. OceanSalt shares code similarity with SpyNote RAT, which has been linked to APT1.[1]

Octopus is a Windows Trojan written in the Delphi programming language that has been used by Nomadic Octopus to target government organizations in Central Asia since at least 2014.[1][2][3]

OilBooster is a downloader written in Microsoft Visual C/C++ that has been used by OilRig since at least 2022 including against target organizations in Israel to download and execute files and for exfiltration.[1]

OilCheck is a C#/.NET downloader that has been used by OilRig since at least 2022 including against targets in Israel. OilCheck uses draft messages created in a shared email account for C2 communication.[1]

Okrum is a Windows backdoor that has been seen in use since December 2016 with strong links to Ke3chang.[1]

OldBoot is an Android malware family. [1]

Olympic Destroyer is malware that was used by Sandworm Team against the 2018 Winter Olympics, held in Pyeongchang, South Korea. The main purpose of the malware was to render infected computer systems inoperable. The malware leverages various native Windows utilities and API calls to carry out its destructive tasks. Olympic Destroyer has worm-like features to spread itself across a computer network in order to maximize its destructive impact.[1][2]

OnionDuke is malware that was used by APT29 from 2013 to 2015. [1]

OopsIE is a Trojan used by OilRig to remotely execute commands as well as upload/download files to/from victims. [1]

Orz is a custom JavaScript backdoor used by Leviathan. It was observed being used in 2014 as well as in August 2017 when it was dropped by Microsoft Publisher files. [1] [2]

Out1 is a remote access tool written in python and used by MuddyWater since at least 2021.[1]

OutSteel is a file uploader and document stealer developed with the scripting language AutoIT that has been used by Saint Bear since at least March 2021.[1]

OwaAuth is a Web shell and credential stealer deployed to Microsoft Exchange servers that appears to be exclusively used by Threat Group-3390. [1]

P.A.S. Webshell is a publicly available multifunctional PHP webshell in use since at least 2016 that provides remote access and execution on target web servers.[1]

P2P ZeuS is a closed-source fork of the leaked version of the ZeuS botnet. It presents improvements over the leaked version, including a peer-to-peer architecture. [1]

P8RAT is a fileless malware used by menuPass to download and execute payloads since at least 2020.[1]

PACEMAKER is a credential stealer that was used by APT5 as early as 2020 including activity against US Defense Industrial Base (DIB) companies.[1]

PAKLOG is a keylogger known to be leveraged by Mustang Panda and was first observed utilized in 2024. PAKLOG is deployed via a RAR archive (e.g., key.rar), which contains two files: a signed, legitimate binary (PACLOUD.exe) and the malicious PAKLOG DLL (pa_lang2.dll). The PACLOUD.exe binary is used to side-load the PAKLOG DLL which starts with the keylogger functionality.[1]