Software

Sykipot is malware that has been used in spearphishing campaigns since approximately 2007 against victims primarily in the US. One variant of Sykipot hijacks smart cards on victims. [1] The group using this malware has also been referred to as Sykipot. [2]

SynAck is variant of Trojan ransomware targeting mainly English-speaking users since at least fall 2017. [1] [2]

Sys10 is a backdoor that was used throughout 2013 by Naikon. [1]

SysUpdate is a backdoor written in C++ that has been used by Threat Group-3390 since at least 2020.[1]

SystemBC is a malware family offered as a malware-as-a-service (MaaS) that is used to establish command and control and facilitate follow-on activity, including ransomware deployment.SystemBC executes a variety of tasks including setting up SOCKS5 proxies, maintaining persistence, ingesting malicious files, and handing C2 communication. SystemBC was first detected in 2018, and has been used by Wizard Spider since at least 2020, and by FIN7 since at least 2022.[1][2][3][4][5]

Systeminfo is a Windows utility that can be used to gather detailed information about a computer. [1]

T9000 is a backdoor that is a newer variant of the T5000 malware family, also known as Plat1. Its primary function is to gather information about the victim. It has been used in multiple targeted attacks against U.S.-based organizations. [1] [2]

TAINTEDSCRIBE is a fully-featured beaconing implant integrated with command modules used by Lazarus Group. It was first reported in May 2020.[1]

TAMECAT is a malware that is used by APT42 to execute PowerShell or C# content.[1]

TDTESS is a 64-bit .NET binary backdoor used by CopyKittens. [1]

TEARDROP is a memory-only dropper that was discovered on some victim machines during investigations related to the SolarWinds Compromise. It was likely used by APT29 since at least May 2020.[1][2]

TERRACOTTA is an ad fraud botnet that has been capable of generating over 2 billion fraudulent requests per week.[1]

TEXTMATE is a second-stage PowerShell backdoor that is memory-resident. It was observed being used along with POWERSOURCE in February 2017. [1]

THINCRUST is a Python-based backdoor tool that has been used by UNC3886 since at least 2023.[1]

TINYTYPHON is a backdoor that has been used by the actors responsible for the MONSOON campaign. The majority of its code was reportedly taken from the MyDoom worm. [1]

TONESHELL is a custom backdoor that has been used since at least Q1 2021.[1] TONESHELL malware has previously been leveraged by Chinese affiliated actors identified as Mustang Panda.[2][3]

TRAILBLAZE is an in-memory dropper used to deploy the passive backdoor BRUSHFIRE. First reported in March 2025, TRAILBLAZE has been observed in operations attributed to People's Republic of China (PRC) state-sponsored affiliated actors, including UNC5221 and SYLVANITE. [1][2][3]

TRANSLATEXT is malware that is believed to be used by Kimsuky.[1] TRANSLATEXT masqueraded as a Google Translate extension for Google Chrome, but is actually a collection of four malicious Javascript files that perform defense evasion, information collection and exfiltration.[1]

TSCookie is a remote access tool (RAT) that has been used by BlackTech in campaigns against Japanese targets.[1][2]. TSCookie has been referred to as PLEAD though more recent reporting indicates a separation between the two.[3][2]

TURNEDUP is a non-public backdoor. It has been dropped by APT33's StoneDrill malware. [1] [2]

TYPEFRAME is a remote access tool that has been used by Lazarus Group. [1]

Taidoor is a remote access trojan (RAT) that has been used by Chinese government cyber actors to maintain access on victim networks.[1] Taidoor has primarily been used against Taiwanese government organizations since at least 2010.[2]

TajMahal is a multifunctional spying framework that has been in use since at least 2014. TajMahal is comprised of two separate packages, named Tokyo and Yokohama, and can deploy up to 80 plugins.[1]

Tangelo is iOS malware that is believed to be from the same developers as the Stealth Mango Android malware. It is not a mobile application, but rather a Debian package that can only run on jailbroken iOS devices. [1]

TangleBot is SMS malware that was initially observed in September 2021, primarily targeting mobile users in the United States and Canada. TangleBot has used SMS text message lures about COVID-19 regulations and vaccines to trick mobile users into downloading the malware, similar to FluBot Android malware campaigns.[1]