Software

Stealth Mango is Android malware that has reportedly been used to successfully compromise the mobile devices of government officials, members of the military, medical professionals, and civilians. The iOS malware known as Tangelo is believed to be from the same developer. [1]

StoneDrill is wiper malware discovered in destructive campaigns against both Middle Eastern and European targets in association with APT33.[1][2]

StreamEx is a malware family that has been used by Deep Panda since at least 2015. In 2016, it was distributed via legitimate compromised Korean websites. [1]

StrelaStealer is an information stealer malware variant first identified in November 2022 and active through late 2024. StrelaStealer focuses on the automated identification, collection, and exfiltration of email credentials from email clients such as Outlook and Thunderbird.[1][2][3][4]

StrifeWater is a remote-access tool that has been used by Moses Staff in the initial stages of their attacks since at least November 2021.[1]

StrongPity is an information stealing malware used by PROMETHIUM.[1][2]

Stuxnet was the first publicly reported malware to specifically target industrial control systems devices. Stuxnet is a large and complex malware that utilized multiple behaviors, including numerous zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.[1][2][3][4] Stuxnet was discovered in 2010, with some components being used as early as November 2008.[1]

Stuxnet was the first publicly reported malware to specifically target industrial control systems devices. Stuxnet is a large and complex malware that utilized multiple behaviors, including numerous zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.[1][2][3][4] Stuxnet was discovered in 2010, with some components being used as early as November 2008.[1]

Stuxnet was the first publicly reported piece of malware to specifically target industrial control systems devices. Stuxnet is a large and complex piece of malware that utilized multiple different complex tactics including multiple zero-day vulnerabilites, a sophisticated Windows rootkit, and network infection routines.[1][2]CitationCISA ICS Advisory (ICSA-10-238-01B)[3]

Sunbird is one of two mobile malware families known to be used by the APT Confucius. Analysis suggests that Sunbird was first active in early 2017. While Sunbird and Hornbill overlap in core capabilities, Sunbird has a more extensive set of malicious features.[1]

Sykipot is malware that has been used in spearphishing campaigns since approximately 2007 against victims primarily in the US. One variant of Sykipot hijacks smart cards on victims. [1] The group using this malware has also been referred to as Sykipot. [2]

SynAck is variant of Trojan ransomware targeting mainly English-speaking users since at least fall 2017. [1] [2]

Sys10 is a backdoor that was used throughout 2013 by Naikon. [1]

SysUpdate is a backdoor written in C++ that has been used by Threat Group-3390 since at least 2020.[1]

SystemBC is a malware family offered as a malware-as-a-service (MaaS) that is used to establish command and control and facilitate follow-on activity, including ransomware deployment.SystemBC executes a variety of tasks including setting up SOCKS5 proxies, maintaining persistence, ingesting malicious files, and handing C2 communication. SystemBC was first detected in 2018, and has been used by Wizard Spider since at least 2020, and by FIN7 since at least 2022.[1][2][3][4][5]

Systeminfo is a Windows utility that can be used to gather detailed information about a computer. [1]

T9000 is a backdoor that is a newer variant of the T5000 malware family, also known as Plat1. Its primary function is to gather information about the victim. It has been used in multiple targeted attacks against U.S.-based organizations. [1] [2]

TAINTEDSCRIBE is a fully-featured beaconing implant integrated with command modules used by Lazarus Group. It was first reported in May 2020.[1]

TAMECAT is a malware that is used by APT42 to execute PowerShell or C# content.[1]

TDTESS is a 64-bit .NET binary backdoor used by CopyKittens. [1]

TEARDROP is a memory-only dropper that was discovered on some victim machines during investigations related to the SolarWinds Compromise. It was likely used by APT29 since at least May 2020.[1][2]

TERRACOTTA is an ad fraud botnet that has been capable of generating over 2 billion fraudulent requests per week.[1]

TEXTMATE is a second-stage PowerShell backdoor that is memory-resident. It was observed being used along with POWERSOURCE in February 2017. [1]

THINCRUST is a Python-based backdoor tool that has been used by UNC3886 since at least 2023.[1]

TINYTYPHON is a backdoor that has been used by the actors responsible for the MONSOON campaign. The majority of its code was reportedly taken from the MyDoom worm. [1]