Software

TrickBot is a Trojan spyware program written in C++ that first emerged in September 2016 as a possible successor to Dyre. TrickBot was developed and initially used by Wizard Spider for targeting banking sites in North America, Australia, and throughout Europe; it has since been used against all sectors worldwide as part of "big game hunting" ransomware campaigns.[1][2][3][4]

TrickMo a 2FA bypass mobile banking trojan, most likely being distributed by TrickBot. TrickMo has been primarily targeting users located in Germany.[1]

TrickMo is designed to steal transaction authorization numbers (TANs), which are typically used as one-time passwords.[1]

Triton is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers.[1][2][3][4][5][6][7]

Trojan-SMS.AndroidOS.Agent.ao is Android malware. [1]

Trojan-SMS.AndroidOS.FakeInst.a is Android malware. [1]

Trojan-SMS.AndroidOS.OpFake.a is Android malware. [1]

Trojan.Karagany is a modular remote access tool used for recon and linked to Dragonfly. The source code for Trojan.Karagany originated from Dream Loader malware which was leaked in 2010 and sold on underground forums. [1][2][3]

Trojan.Mebromi is BIOS-level malware that takes control of the victim before MBR. [1]

Troll Stealer is an information stealer written in Go associated with Kimsuky operations. Troll Stealer has typically been delivered through a dropper disguised as a legitimate security program installation file. Troll Stealer features code similar to AppleSeed, also uniquely associated with Kimsuky operations.[1][2]

TruffleHog is an open-source secrets-discovery tool that is used to search for credentials, API keys, and encryption keys across a variety of data sources and environments.[1][2] TruffleHog has the ability to discover credentials and secrets stored in code repositories, git history, CI/CD pipelines, among other common storage locations to include filesystems and cloud storage buckets.[1][3][2] TruffleHog was first released by its author in 2016.[2]

Truvasys is first-stage malware that has been used by PROMETHIUM. It is a collection of modules written in the Delphi programming language. [1] [2] [3]

Tsundere Botnet is a botnet first reported in mid-2025 that is delivered via MSI installer or a PowerShell script. It leverages Node.js and JavaScript for payload delivery and execution, and uses smart contracts on the blockchain to host command and control (C2) addresses. Tsundere Botnet is attributed to a likely Russian-speaking threat actor.

A variant named DinDoor has been linked to MuddyWater operations and uses the Deno runtime for execution rather than Node.js.[1][2][3][4]

Turian is a backdoor that has been used by BackdoorDiplomacy to target Ministries of Foreign Affairs, telecommunication companies, and charities in Africa, Europe, the Middle East, and Asia. First reported in 2021, Turian is likely related to Quarian, an older backdoor that was last observed being used in 2013 against diplomatic targets in Syria and the United States.[1]

Twitoor is a dropper application capable of receiving commands from social media.[1]

UACMe is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system. [1]

UBoatRAT is a remote access tool that was identified in May 2017.[1]

UPPERCUT is a 32-bit HTTP-based backdoor that has been used by menuPass since at least 2017.[1] Once thought to be exclusive to menuPass, UPPERCUT was also observed being used by menuPass-associated MirrorFace during Operation AkaiRyū.[2]

UPSTYLE is a Python-based backdoor associated with exploitation of Palo Alto firewalls using CVE-2024-3400 in early 2024. UPSTYLE has only been observed in relation to this exploitation activity, which involved attempted install on compromised devices by the threat actor UTA0218.[1][2]

USBStealer is malware that has been used by APT28 since at least 2005 to extract information from air-gapped networks. It does not have the capability to communicate over the Internet and has been used in conjunction with ADVSTORESHELL. [1] [2]

USBferry is an information stealing malware and has been used by Tropic Trooper in targeted attacks against Taiwanese and Philippine air-gapped military environments. USBferry shares an overlapping codebase with YAHOYAH, though it has several features which makes it a distinct piece of malware.[1]

A Linux rootkit that provides backdoor access and hides from defenders.

Unknown Logger is a publicly released, free backdoor. Version 1.5 of the backdoor has been used by the actors responsible for the MONSOON campaign. [1]

Uroburos is a sophisticated cyber espionage tool written in C that has been used by units within Russia's Federal Security Service (FSB) associated with the Turla toolset to collect intelligence on sensitive targets worldwide. Uroburos has several variants and has undergone nearly constant upgrade since its initial development in 2003 to keep it viable after public disclosures. Uroburos is typically deployed to external-facing nodes on a targeted network and has the ability to leverage additional tools and TTPs to further exploit an internal network. Uroburos has interoperable implants for Windows, Linux, and macOS, employs a high level of stealth in communications and architecture, and can easily incorporate new or replacement components.[1][2]

Ursnif is a banking trojan and variant of the Gozi malware observed being spread through various automated exploit kits, Spearphishing Attachments, and malicious links.[1][2] Ursnif is associated primarily with data theft, but variants also include components (backdoors, spyware, file injectors, etc.) capable of a wide variety of behaviors.[3]

VBShower is a backdoor that has been used by Inception since at least 2019. VBShower has been used as a downloader for second stage payloads, including PowerShower.[1]