Software

YAHOYAH is a Trojan used by Tropic Trooper as a second-stage backdoor.[1]

YiSpecter is a family of iOS and Android malware, first detected in November 2014, targeting users in mainland China and Taiwan. YiSpecter abuses private APIs in iOS to infect both jailbroken and non-jailbroken devices.[1]

ZIPLINE is a passive backdoor that was used during Cutting Edge on compromised Secure Connect VPNs for reverse shell and proxy functionality.[1]

ZLib is a full-featured backdoor that was used as a second-stage implant during Operation Dust Storm since at least 2014. ZLib is malware and should not be confused with the legitimate compression library from which its name is derived.[1]

Zebrocy is a Trojan that has been used by APT28 since at least November 2015. The malware comes in several programming language variants, including C++, Delphi, AutoIt, C#, VB.NET, and Golang. [1][2][3][4]

Zen is Android malware that was first seen in 2013.[1]

ZergHelper is iOS riskware that was unique due to its apparent evasion of Apple's App Store review process. No malicious functionality was identified in the app, but it presents security risks. [1]

ZeroCleare is a wiper malware that has been used in conjunction with the RawDisk driver since at least 2019 by suspected Iran-nexus threat actors including activity targeting the energy and industrial sectors in the Middle East and political targets in Albania.[1][2][3][4]

ZeroT is a Trojan used by TA459, often in conjunction with PlugX. [1] [2]

Zeroaccess is a kernel-mode Rootkit that attempts to add victims to the ZeroAccess botnet, often for monetary gain. [1]

Zeus Panda is a Trojan designed to steal banking information and other sensitive credentials for exfiltration. Zeus Panda’s original source code was leaked in 2011, allowing threat actors to use its source code as a basis for new malware variants. It is mainly used to target Windows operating systems ranging from Windows XP through Windows 10.[1][2]

Zox is a remote access tool that has been used by Axiom since at least 2008.[1]

ZxShell is a remote administration tool and backdoor that can be downloaded from the Internet, particularly from Chinese hacker websites. It has been used since at least 2004.[1][2]

ZxxZ is a trojan written in Visual C++ that has been used by BITTER since at least August 2021, including against Bangladeshi government personnel.[1]

adbupd is a backdoor used by PLATINUM that is similar to Dipsind. [1]

at is used to schedule tasks on a system to run at a specified date or time.[1][2]

attrib is a Windows utility used to display, set or remove attributes assigned to files or directories.[1]

build_downer is a downloader that has been used by BRONZE BUTLER since at least 2019.[1]

ccf32 is data collection malware that has been used since at least February 2019, most notably during the FunnyDream campaign; there is also a similar x64 version.[1]

cd00r is an open-source backdoor for UNIX and UNIX-variant operating systems that was orginally released in 2000. cd00r source code is primarily based on a packet-capturing program as it utilizes a sniffer to listen for specific sequences of network traffic or "secret knock" before executing the attacker's code.[1][2]

certutil is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. [1]

cipher.exe is a native Microsoft utility that manages encryption of directories and files on NTFS (New Technology File System) partitions by using the Encrypting File System (EFS).[1]

cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities. [1]

Cmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., dir [2]), deleting files (e.g., del [3]), and copying files (e.g., copy [4]).

down_new is a downloader that has been used by BRONZE BUTLER since at least 2019.[1]

dsquery is a command-line utility that can be used to query Active Directory for information from a system within a domain. [1] It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.