Top Malware(s)

Home/Uncategorized/Top Malware(s)
cyber security

Threat Hunting Journal May 2022 Edition

Top Malware(s) Detections: 1st of May – 27th of May

Heimdal™ returns with the May edition of our threat hunting journal. As you might have expected, king trojan reigns unhindered with over 16,000 positive detections. There are a couple of newcomers, some of which may give our uncrowned monarch a run for his money. Stick around for more information and goodies. Enjoy!

Top Malware(s) Detections: 1st of May – 27th of May

Throughout May, Heimdal™’s SOC team has detected 16 trojan variants, with a grand total of 16,738 positive detections – a 55.19% drop compared to April, when the historical high of 25,976 positive detections was recorded. Concerning distribution, we have 11 new newcomers and 20 backsliders. TR/Rozena/jrrvz raked the highest number of positive IDs (i.e., 2675), followed closely by TR/CoinMiner.uwtyu with 2316 positive IDs, and EXP/MS04-028.JPEG.A with 2280 hits. Here’s the full list of May detections.

Malware Name Positive Detections
TR/Rozena.jrrvz 2675
TR/CoinMiner.uwtyu 2316
EXP/MS04-028.JPEG.A 2280
TR/Rozena.rfuus 1635
TR/Trash.Gen 1600
TR/Patched.Gen 1439
TR/AD.GoCloudnet.kabtg 1398
EXP/CVE-2010-2568.A 969
TR/Downloader.Gen 958
TR/CoinMiner.wmstw 919
TR/PSInject.G1 916
VBS/Dldr.Agent.VPET 801
W32/Run.Ramnit.C 778
TR/Dropper.Gen 754
ACAD/Bursted.AN 698
TR/Crypt.XPACK.Gen 667
TR/AD.Swotter.lckuu 512
W32/Floxif.hdc 437
ACAD/Burste.K 308
TR/Crypt.XPACK.Gen2 295
TR/Dropper.Gen5 269
W32/Chir.B 265
WORM/Brontok.C 224
W32/Sality.Y 214
ADWARE/JsPopunder.G 199
W32/Parite 199
TR/AD.Swotter.fgqir 195
TR/Dropper.tfflr 190
EXP/PyShellCode.G 182

Top 10 Malware Detailed

Let’s get around to covering those new detections.


TR/Trash.Gen is trojan-type malware that’s usually contracted by visiting unsecured pornographic websites. Trash.Gen can install backdoors, ramp up CPU usage, and install adware.


PSInject.G1 is PowerShell scrip-carrying trojan that accesses multiple comdlets such are new-object, out-null, test-path, where-object, write-output, and write-verbose.


Dldr.Agent.VPET is a trojan downloader. It’s used to inject and execute malicious VBS scripts on the victim’s machine.


An adware-carrying trojan is used to collect host and network data from the infected machine.


A ‘trojanized’ virus that affects ACAD .lsp files. Upon infection, the virus waits for user input in order to load the files.


A trojan dropper used to install backdoors, deliver additional malware components or to eavesdrop on the victim.


The .C variant of the Brontok worm. This malware’s distributed via email. Once inside the machine, it will create a new Windows Registry entry, disable regedit.exe, and modify several Windows Explorer settings.


The .Y variant of the Sality virus is used to install backdoors or connect the victim’s computer to a botnet.


An adware-type malware. Can display malicious popups or ads on the affected machine.

Additional Cybersecurity Tips and Parting Thoughts

This concludes the May edition of Heimdal™ Security’s threat hunting journal. Before I go, I’m gonna share with you a couple of tips on how you can jog up your security.

  • Scanning frequency. Don’t have any type of device-scanning policy in place? Well, now would be a good time to enforce one.
  • Better AV protection. Some types of malware won’t show up on a regular AV scan. If so, I would encourage you to try out Heimdal™ Next-Gen AV & MDM, a solution than combines top-tier detection rates, brute-force detection & protection features, and more.
  • Phishing. As you know, most malware’s transmitted via email. So, if it looks suspicious, it’s probably dangerous and should, therefore, not be opened.

If you liked this article, follow us on LinkedInTwitterFacebookYoutube, and Instagram for more cybersecurity news and topics.