Software

SombRAT is a modular backdoor written in C++ that has been used since at least 2019 to download and execute malicious payloads, including FIVEHANDS ransomware.[1][2][3]

SoreFang is first stage downloader used by APT29 for exfiltration and to load other malware.[1][2]

Spark is a Windows backdoor and has been in use since as early as 2017.[1]

SpeakUp is a Trojan backdoor that targets both Linux and OSX devices. It was first observed in January 2019. [1]

Spica is a custom backdoor written in Rust that has been used by Star Blizzard since at least 2023.[1]

SpicyOmelette is a JavaScript based remote access tool that has been used by Cobalt Group since at least 2018.[1]

SplatCloak is a malware that disables EDR-related routines used by Windows Defender and Kaspersky to aid in evading detection. SplatCloak has been deployed by SplatDropper and is known to be leveraged by Mustang Panda since 2025.[1]

SplatDropper is a loader that utilizes native windows API to deliver its payload to the victim environment. SplatDropper has been delivered through RAR archives and used legitimate executable for DLL side-loading. SplatDropper is known to be leveraged by Mustang Panda and was first observed utilized in 2025.

SpyC23 is a mobile malware that has been used by APT-C-23 since at least 2017. SpyC23 has been observed primarily targeting Android devices in the Middle East.[1]

There are multiple close variants of SpyC23, such as VAMP[2], GnatSpy[3], Desert Scorpion and FrozenCell, which add some additional functionality but are not significantly different from the original malware.

SpyDealer is Android malware that exfiltrates sensitive data from Android devices. [1]

SpyNote RAT (Remote Access Trojan) is a family of malicious Android apps. The SpyNote RAT builder tool can be used to develop malicious apps with the malware's functionality. [1]

Squirrelwaffle is a loader that was first seen in September 2021. It has been used in spam email campaigns to deliver additional malware such as Cobalt Strike and the QakBot banking trojan.[1][2]

SslMM is a full-featured backdoor used by Naikon that has multiple variants. [1]

StarProxy is custom malware used by Mustang Panda as a post-compromise tool, to enable proxying of traffic between the infected machine and other machines on the same network. [1]

Starloader is a loader component that has been observed loading Felismus and associated tools. [1]

StealBit is a data exfiltration tool that is developed and maintained by the operators of the the LockBit Ransomware-as-a-Service (RaaS) and offered to affiliates to exfiltrate data from compromised systems for double extortion purposes.[1][2]

Stealth Mango is Android malware that has reportedly been used to successfully compromise the mobile devices of government officials, members of the military, medical professionals, and civilians. The iOS malware known as Tangelo is believed to be from the same developer. [1]

StoneDrill is wiper malware discovered in destructive campaigns against both Middle Eastern and European targets in association with APT33.[1][2]

StreamEx is a malware family that has been used by Deep Panda since at least 2015. In 2016, it was distributed via legitimate compromised Korean websites. [1]

StrelaStealer is an information stealer malware variant first identified in November 2022 and active through late 2024. StrelaStealer focuses on the automated identification, collection, and exfiltration of email credentials from email clients such as Outlook and Thunderbird.[1][2][3][4]

StrifeWater is a remote-access tool that has been used by Moses Staff in the initial stages of their attacks since at least November 2021.[1]

StrongPity is an information stealing malware used by PROMETHIUM.[1][2]

Stuxnet was the first publicly reported malware to specifically target industrial control systems devices. Stuxnet is a large and complex malware that utilized multiple behaviors, including numerous zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.[1][2][3][4] Stuxnet was discovered in 2010, with some components being used as early as November 2008.[1]

Stuxnet was the first publicly reported malware to specifically target industrial control systems devices. Stuxnet is a large and complex malware that utilized multiple behaviors, including numerous zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.[1][2][3][4] Stuxnet was discovered in 2010, with some components being used as early as November 2008.[1]

Sunbird is one of two mobile malware families known to be used by the APT Confucius. Analysis suggests that Sunbird was first active in early 2017. While Sunbird and Hornbill overlap in core capabilities, Sunbird has a more extensive set of malicious features.[1]