Software

PcShare is an open source remote access tool that has been modified and used by Chinese threat actors, most notably during the FunnyDream campaign since late 2018.[1][2]

Pcexter is an uploader that has been used by ToddyCat since at least 2023 to exfiltrate stolen files.[1]

Pegasus for Android is the Android version of malware that has reportedly been linked to the NSO Group. [1] [2] The iOS version is tracked separately under Pegasus for iOS.

Pegasus for iOS is the iOS version of malware that has reportedly been linked to the NSO Group. It has been advertised and sold to target high-value victims.[1][2] The Android version is tracked separately under Pegasus for Android.

Peirates is a post-exploitation Kubernetes exploitation framework with a focus on gathering service account tokens for lateral movement and privilege escalation. The tool is written in GoLang and publicly available on GitHub.[1]

Penquin is a remote access trojan (RAT) with multiple versions used by Turla to target Linux systems since at least 2014.[1][2]

Peppy is a Python-based remote access Trojan, active since at least 2012, with similarities to Crimson.[1]

Phenakite is a mobile malware that is used by APT-C-23 to target iOS devices. According to several reports, Phenakite was developed to fill a tooling gap and to target those who owned iPhones instead of Windows desktops or Android phones.[1][2]

Pikabot is a backdoor used for initial access and follow-on tool deployment active since early 2023. Pikabot is notable for extensive use of multiple encoding, encryption, and defense evasion mechanisms to evade defenses and avoid analysis. Pikabot has some overlaps with QakBot, but insufficient evidence exists to definitively link these two malware families. Pikabot is frequently used to deploy follow on tools such as Cobalt Strike or ransomware variants.[1][2][3]

Pillowmint is a point-of-sale malware used by FIN7 designed to capture credit card information.[1]

PinchDuke is malware that was used by APT29 from 2008 to 2010. [1]

Ping is an operating system utility commonly used to troubleshoot and verify network connections. [1]

PingPull is a remote access Trojan (RAT) written in Visual C++ that has been used by GALLIUM since at least June 2022. PingPull has been used to target telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam.[1]

PipeMon is a multi-stage modular backdoor used by Winnti Group.[1]

Pisloader is a malware family that is notable due to its use of DNS as a C2 protocol as well as its use of anti-analysis tactics. It has been used by APT18 and is similar to another malware family, HTTPBrowser, that has been used by the group. [1]

Playcrypt is a ransomware that has been used by Play since at least 2022 in attacks against against the business, government, critical infrastructure, healthcare, and media sectors in North America, South America, and Europe. Playcrypt derives its name from adding the .play extension to encrypted files and has overlap with tactics and tools associated with Hive and Nokoyawa ransomware and infrastructure associated with Quantum ransomware.[1][2][3]

PlugX is a remote access tool (RAT) with modular plugins that has been used by multiple threat groups.[1][2][3][4]

PoetRAT is a remote access trojan (RAT) that was first identified in April 2020. PoetRAT has been used in multiple campaigns against the private and public sectors in Azerbaijan, including ICS and SCADA systems in the energy sector. The STIBNITE activity group has been observed using the malware. PoetRAT derived its name from references in the code to poet William Shakespeare. [1][2][3]

PoisonIvy is a popular remote access tool (RAT) that has been used by many groups.[1][2][3]

PolyglotDuke is a downloader that has been used by APT29 since at least 2013. PolyglotDuke has been used to drop MiniDuke.[1]

Pony is a credential stealing malware, though has also been used among adversaries for its downloader capabilities. The source code for Pony Loader 1.0 and 2.0 were leaked online, leading to their use by various threat actors.[1]

PoshC2 is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while the implants are written in PowerShell. Although PoshC2 is primarily focused on Windows implantation, it does contain a basic Python dropper for Linux/macOS.[1]

PowGoop is a loader that consists of a DLL loader and a PowerShell-based downloader; it has been used by MuddyWater as their main loader.[1][2]

Power Loader is modular code sold in the cybercrime market used as a downloader in malware families such as Carberp, Redyms and Gapz. [1] [2]

PowerDuke is a backdoor that was used by APT29 in 2016. It has primarily been delivered through Microsoft Word or Excel attachments containing malicious macros. [1]