Skip to main content
Download the Buyer’s Guide for Cyber Risk Quantification Solutions
Download Guide
Request a Demo

Top Malware Strains Used by Threat Actors in 2021 – CISA Alert

Malware continues to grow in sophistication as record numbers of cyberattacks occur worldwide. Malware is often the tip of the spear for threat actors — first, they use it to compromise a computer or mobile device and then gain access to it. In recognition of the expanding threat that malware presents, the US Cybersecurity and Infrastructure Security Agency (CISA) has released a Cybersecurity Advisory AA22-216A, which identifies the prevalent malware strains observed during 2021. 

Top malware strains identified include remote access Trojans (RATs), banking Trojans, information stealers, and ransomware. Most of the top malware strains have been in use for more than five years. During that time, code bases and feature sets have continually evolved into many dangerous variations. The four top categories of malware identified in the CISA alert include:

  1. Remote Access Trojans (RATs). RATs are a type of malware that enables a threat actor to remotely control an infected computer. RATs enable threat actors to send commands to a compromised system and then receive data back. 
  2. Banking Trojans. Banking Trojans are designed to specifically target the theft of financial information. They employ a variety of techniques to obtain credentials, fraudulently steal funds, create botnets, and inject code into browsers. 
  3. Information Stealers. An Information Stealer is a specialized Trojan that is primarily designed to gather and exfiltrate confidential information from a targeted system. 
  4. Ransomware. Ransomware is a malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. The threat actors hold the data hostage until the ransom is paid. 

The Top Malware Strains of 2021

CISA lists 11 top malware strains, including Formbook, Ursnif, and LokiBot. Threat actors have used some of these strains, like Formbook, LokiBot, and NanoCore, for at least five years and others, like Qakbot and Ursnif, for more than a decade. The CISA Advisory notes that Qakbot and TrickBot are frequently used to build botnets by Eurasian threat actors. These same threat actors often operate with the quiet approval of highly permissive governments, such as those found in Russia and other former Soviet republics.

Defend Against Top Malware Threats with ThreatConnect

The ThreatConnect Platform can help your team identify and defeat threats like Agent Tesla, AZORult, Formbook, and others. As dangerous malware proliferates, it becomes more important to leverage available intelligence quickly and make it actionable. This helps defenders minimize the time gap between malicious cyber activity and their defensive posture. Defenders can more quickly identify, investigate, and memorialize intelligence. This knowledge can then be applied to improve the speed and accuracy of detection, improve prevention strategies, and strengthen mitigation across your organization’s entire cybersecurity ecosystem. 

Identifying threat groups and understanding the behavior of these enemies is critically important. The ThreatConnect Platform can share attribution data and IOC information on the responsible threat groups and the malware tools they use. This attribution is critical because it maximizes the available information to your defenders. Rapid access to this information, and faster and better decision-making by the SOC, makes all the critical difference necessary to stop a serious cyberattack.

Threat Intelligence Analysts Go Faster with ThreatConnect

The need for speed is real. By maximizing collaboration and encouraging information-sharing across your security teams, you’ll establish a continuous feedback loop that allows for increased threat intelligence insight and reduced risk to your organization.

Learn More

To learn more about the top malware strains used by threat actors, please refer to the original CISA Advisory here.  To learn more about how ThreatConnect can help you maximize insight, increase efficiency, and improve overall collaboration to better defend and protect your remote workers, please take a look at the ThreatConnect Platform. Reach out to us, and we’ll be pleased to share a customized demonstration of the ThreatConnect Platform. 

About the Author


By operationalizing threat and cyber risk intelligence, The ThreatConnect Platform changes the security operations battlefield, giving your team the advantage over the attackers. It enables you to maximize the efficacy and value of your threat intelligence and human knowledge, leveraging the native machine intelligence in the ThreatConnect Platform. Your team will maximize their impact, efficiency, and collaboration to become a proactive force in protecting the enterprise. Learn more at