Software

Shark is a backdoor malware written in C# and .NET that is an updated version of Milan; it has been used by HEXANE since at least July 2021.[1][2]

SharkBot is a banking malware, first discovered in October 2021, that tries to initiate money transfers directly from compromised devices by abusing Accessibility Services.[1]

SharpDisco is a dropper developed in C# that has been used by MoustachedBouncer since at least 2020 to load malicious plugins.[1]

SharpStage is a .NET malware with backdoor capabilities.[1][2]

ShiftyBug is an auto-rooting adware family of malware for Android. The family is very similar to the other Android families known as Shedun, Shuanet, Kemoge, though it is not believed all the families were created by the same group. [1]

ShimRat has been used by the suspected China-based adversary Mofang in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development. The name "ShimRat" comes from the malware's extensive use of Windows Application Shimming to maintain persistence. [1]

ShimRatReporter is a tool used by suspected Chinese adversary Mofang to automatically conduct initial discovery. The details from this discovery are used to customize follow-on payloads (such as ShimRat) as well as set up faux infrastructure which mimics the adversary's targets. ShimRatReporter has been used in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development.[1]

ShrinkLocker is a VBS-based malicious script that leverages the legitimate Bitlocker application to encrypt files on victim systems for ransom. ShrinkLocker functions by using Bitlocker to encrypt files, then renames impacted drives to the adversary’s contact email address to facilitate communication for the ransom payment.[1][2]

Sibot is dual-purpose malware written in VBScript designed to achieve persistence on a compromised system as well as download and execute additional payloads. Microsoft discovered three Sibot variants in early 2021 during its investigation of APT29 and the SolarWinds Compromise.[1]

SideTwist is a C-based backdoor that has been used by OilRig since at least 2021.[1]

SilkBean is a piece of Android surveillanceware containing comprehensive remote access tool (RAT) functionality that has been used in targeting of the Uyghur ethnic group.[1]

Siloscape is malware that targets Kubernetes clusters through Windows containers. Siloscape was first observed in March 2021.[1]

SimBad was a strain of adware on the Google Play Store, distributed through the RXDroider Software Development Kit. The name "SimBad" was derived from the fact that most of the infected applications were simulator games. The adware was controlled using an instance of the open source framework Parse Server.[1]

Skeleton Key is malware used to inject false credentials into domain controllers with the intent of creating a backdoor password. [1] Functionality similar to Skeleton Key is included as a module in Mimikatz.

Skidmap is a kernel-mode rootkit used for cryptocurrency mining.[1]

Skygofree is Android spyware that is believed to have been developed in 2014 and used through at least 2017. [1]

Sliver is an open source, cross-platform, red team command and control (C2) framework written in Golang. Sliver includes its own package manager, "armory," for staging and downloading additional tools and payloads to the primary C2 framework.[1][2]

Small Sieve is a Telegram Bot API-based Python backdoor that has been distributed using a Nullsoft Scriptable Install System (NSIS) Installer; it has been used by MuddyWater since at least January 2022.[1][2]

Security researchers have also noted Small Sieve's use by UNC3313, which may be associated with MuddyWater.[3]

Smoke Loader is a malicious bot application that can be used to load other malware. Smoke Loader has been seen in the wild since at least 2011 and has included a number of different payloads. It is notorious for its use of deception and self-protection. It also comes with several plug-ins. [1] [2]

SnappyTCP is a web shell used by Sea Turtle between 2021 and 2023 against multiple victims. SnappyTCP appears to be based on a public GitHub project that has since been removed from the code-sharing site. SnappyTCP includes a simple reverse TCP shell for Linux and Unix environments with basic command and control capabilities.[1]

Snip3 is a sophisticated crypter-as-a-service that has been used since at least 2021 to obfuscate and load numerous strains of malware including AsyncRAT, Revenge RAT, Agent Tesla, and NETWIRE.[1][2]

SocGholish is a JavaScript-based loader malware that has been used since at least 2017. It has been observed in use against multiple sectors globally for initial access, primarily through drive-by-downloads masquerading as software updates. SocGholish is operated by Mustard Tempest and its access has been sold to groups including Indrik Spider for downloading secondary RAT and ransomware payloads.[1][2][3][4]

Socksbot is a backdoor that abuses Socket Secure (SOCKS) proxies. [1]

SodaMaster is a fileless malware used by menuPass to download and execute payloads since at least 2020.[1]

Solar is a C#/.NET backdoor that was used by OilRig during the Outer Space campaign to download, execute, and exfiltrate files.[1]