Malicious Tools Index
This index links to one defensive page per malware family, implant, web shell, backdoor, wiper, or dual-use tool tracked in data/tool-intelligence.csv.
The tool pages are generated. They summarize behavior, hash/IOC availability, actor linkage, source references, hunting notes, mapped detections, and handling rules.
The repository does not store malware binaries, exploit code, credentials, or bulk copied IOC dumps. Hashes are included only when already present in public source reporting and are treated as pivots, not attribution proof.
| Tool | Actor | Type | Confidence | Hash / IOC Status |
|---|---|---|---|---|
| AridSpy | APT-C-23 | Mobile RAT | High | Representative ESET-published SHA1s include 797073511A15EB85C1E9D8584B26BAA3A0B14C9E, 5F0213BA62B84221C9628F7D0A0CF87F27A45A28, E71F1484B1E3ACB4C8E8525BA1F5F8822AB7238B, and 16C8725362D1EBC8443C97C5AB79A1B6428FF87D; use full ESET IOC table for current coverage. |
| Desert Scorpion | APT-C-23 | Mobile malware | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| FrozenCell | APT-C-23 | Mobile malware | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| Micropsia | APT-C-23 | Backdoor | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| Phenakite | APT-C-23 | Mobile malware | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| RedAlert.apk | APT-C-23 | Mobile spyware / trojanized app | Low | Hash not committed; provisional until primary Acronis reporting is available. |
| SpyC23 | APT-C-23 | Mobile spyware | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| ANTAK / ASPXSPY | APT39 | Web shells | Medium | Hash not committed; use source-linked IOCs and local webroot baselines. |
| Cadelspy | APT39 | Backdoor | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| CrackMapExec | APT39 | Post-exploitation / credential validation tool | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| MechaFlounder | APT39 | Backdoor | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| Mimikatz | APT39 | Credential access tool | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| NBTscan | APT39 | Network scanner | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| PsExec | APT39 | Remote execution utility | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| Remexi | APT39 | Malware / collection tool | Medium | Hash not committed; use MITRE references and original vendor reports. |
| Windows Credential Editor | APT39 | Credential access tool | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| ftp | APT39 | Living-off-the-land utility | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| pwdump | APT39 | Credential access tool | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| NICECURL | APT42 | Backdoor / C2 tool | Medium | Hash not committed; retrieve current IOCs from linked source or vendor appendix. |
| POWERPOST | APT42 | Script / collection tool | Medium | Hash not committed; source-linked behavior only. |
| TAMECAT | APT42 | Backdoor / C2 tool | Medium | Hash not committed; retrieve current IOCs from linked source or vendor appendix. |
| ASPXSpy | Agrius | Web shell | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| Apostle | Agrius | Wiper / ransomware-like malware | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| BFG Agonizer | Agrius | Wiper | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| BlackShadow | Agrius | Ransomware / persona | Medium | Hash not committed; persona claims require corroboration. |
| DEADWOOD | Agrius | Wiper | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| IPsec Helper | Agrius | MITRE-listed software/tool | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| Mimikatz | Agrius | Credential access tool | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| Moneybird | Agrius | Ransomware / destructive malware | Medium | Hash not committed; source IOC appendix should be used if needed. |
| MultiLayer Wiper | Agrius | Wiper | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| NBTscan | Agrius | Network scanner | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| WezRat | Cotton Sandstorm | Modular infostealer / RAT | High | Hash not committed; use Check Point and government IOC references for current sample hashes, lure senders, domains, and C2 paths. |
| Cyber Toufan supplier-access playbook | Cyber Toufan | Credential and admin-interface abuse | Medium | Not malware; no hash. Track claims and exposure indicators. |
| IOControl | CyberAv3ngers | OT/IoT malware | High | Claroty-published SHA256 1b39f9b2b96a6586c4a11ab2fdbff8fdf16ba5a0ac7603149023d73f33b84498; VT enrichment found an ELF with public detections and label trojan.iocontrol/multiverze. |
| Unitronics Vision PLC Web/HMI | CyberAv3ngers | Targeted technology | High | Not malware; no hash. Exposure and configuration indicators only. |
| DarkBit ransomware | DarkBit | Pseudo-ransomware / destructive malware | Medium | Hash not committed; incident-specific IOCs should come from INCD/Microsoft source material. |
| IMAPLoader | Imperial Kitten | .NET downloader / loader | High | Hash not committed; use PwC or vendor IOC appendix/current report for current sample hashes and mail-account indicators. |
| StandardKeyboard | Imperial Kitten | Backdoor / C2 tool | Medium | Hash not committed; use CrowdStrike source if available. |
| Caterpillar WebShell | Lebanese Cedar | Web Shell | Medium | Hash not committed; use ClearSky report references. |
| Explosive RAT | Lebanese Cedar | Remote Access Trojan | Medium | Hash not committed; use ClearSky report references. |
| BITSAdmin | Lyceum | Living-off-the-land binary | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| DanBot | Lyceum | Remote Access Trojan | Medium | Hash not committed; use MITRE references and primary reports. |
| DnsSystem | Lyceum | Backdoor | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| Empire | Lyceum | Post-exploitation framework | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| Kevin | Lyceum | Backdoor | Low | Hash not committed; use MITRE references and primary reports. |
| Milan | Lyceum | Backdoor | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| Mimikatz | Lyceum | Credential access tool | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| Ping | Lyceum | Network utility | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| PoshC2 | Lyceum | Post-exploitation framework | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| Shark | Lyceum | Backdoor | Low | Hash not committed; use MITRE references and primary reports. |
| ipconfig | Lyceum | System discovery utility | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| netstat | Lyceum | System discovery utility | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| CharmPower | Magic Hound | PowerShell backdoor | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| DownPaper | Magic Hound | Backdoor | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| FRP / Plink | Magic Hound | Dual-use tunneling / proxy tooling | Medium | No malware hash; dual-use binary monitoring and local allowlisting required. |
| Impacket | Magic Hound | Python network protocol toolkit | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| Mimikatz | Magic Hound | Credential access tool | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| Mimikatz / SQLMap / Havij | Magic Hound | Public offensive/security tooling | Medium | No stable actor-specific hash; use process, command-line, and control-plane telemetry. |
| Net | Magic Hound | System administration utility | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| Ping | Magic Hound | Network utility | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| PowerLess | Magic Hound | Backdoor | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| PsExec | Magic Hound | Remote execution utility | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| Pupy | Magic Hound | RAT / post-exploitation framework | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| Systeminfo | Magic Hound | System discovery utility | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| ipconfig | Magic Hound | System discovery utility | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| netsh | Magic Hound | Network configuration utility | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| BlackBeard | MuddyWater | Backdoor | Medium | Hash not committed; use INCD source-linked IOCs. |
| BugSleep | MuddyWater | Backdoor | High | Hash not committed from source page; use Check Point IOC appendix/current report if sample-level matching is required. |
| ConnectWise | MuddyWater | Remote monitoring and management tool | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| CrackMapExec | MuddyWater | Post-exploitation / credential validation tool | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| DCHSpy | MuddyWater | MITRE-listed software/tool | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| Dindoor | MuddyWater | Backdoor | Low | Hash not committed; use source-linked IOCs only. |
| Empire | MuddyWater | Post-exploitation framework | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| Fakeset | MuddyWater | Backdoor | Low | Hash not committed; use source-linked IOCs only. |
| Fooder / MuddyViper | MuddyWater | Loader and backdoor | Medium | Hash not committed; validate ESET IOC availability before IOC-level use. |
| Koadic | MuddyWater | Post-exploitation framework | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| LP-Notes | MuddyWater | MITRE-listed software/tool | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| LaZagne | MuddyWater | Credential access tool | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| Mimikatz | MuddyWater | Credential access tool | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| Mori | MuddyWater | MITRE-listed software/tool | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| Out1 | MuddyWater | MITRE-listed software/tool | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| POWERSTATS | MuddyWater | MITRE-listed software/tool | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| PowGoop | MuddyWater | MITRE-listed software/tool | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| PowerSploit | MuddyWater | PowerShell post-exploitation framework | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| Rclone | MuddyWater | Cloud sync / exfiltration utility | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| Remote Monitoring and Management tools | MuddyWater | Living-off-the-land tooling | High | No malware hash; inventory and signed binary allowlist required. |
| RemoteUtilities | MuddyWater | Remote administration tool | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| RustyWater | MuddyWater | MITRE-listed software/tool | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| SHARPSTATS | MuddyWater | MITRE-listed software/tool | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| STARWHALE | MuddyWater | MITRE-listed software/tool | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| Small Sieve | MuddyWater | MITRE-listed software/tool | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| Tsundere Botnet | MuddyWater | MITRE-listed software/tool | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| BONDUPDATER | OilRig | MITRE-listed software/tool | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| Helminth | OilRig | MITRE-listed software/tool | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| ISMInjector | OilRig | MITRE-listed software/tool | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| LaZagne | OilRig | Credential access tool | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| Mango | OilRig | MITRE-listed software/tool | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| Mimikatz | OilRig | Credential access tool | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| Net | OilRig | System administration utility | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| ODAgent | OilRig | MITRE-listed software/tool | High | Imported SHA1 seed 7E498B3366F54E936CB0AF767BFC3D1F92D80687 returned VT not_found and remains unpromoted pending primary hash verification. |
| OilBooster | OilRig | Downloader | High | Primary source confirms tool behavior; imported SHA1 seed 1B2FEDD5F2A37A0152231AE4099A13C8D4B73C9E returned VT not_found and remains unpromoted pending primary hash verification. |
| OilCheck | OilRig | MITRE-listed software/tool | High | Imported SHA1 seed 8D84D32DF5768B0D4D2AB8B1327C43F17F182001 returned VT not_found and remains unpromoted pending primary hash verification. |
| OopsIE | OilRig | MITRE-listed software/tool | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| POWRUNER | OilRig | MITRE-listed software/tool | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| PowerExchange | OilRig | MITRE-listed software/tool | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| PsExec | OilRig | Remote execution utility | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| QUADAGENT | OilRig | MITRE-listed software/tool | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| RDAT | OilRig | MITRE-listed software/tool | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| RGDoor | OilRig | MITRE-listed software/tool | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| Reg | OilRig | Registry utility | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| SEASHARPEE | OilRig | MITRE-listed software/tool | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| Saitama | OilRig | DNS-tunneling backdoor | High | Hash not committed; use Unit 42 IOC references if needed. |
| SampleCheck5000 | OilRig | MITRE-listed software/tool | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| SideTwist | OilRig | MITRE-listed software/tool | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| Solar | OilRig | MITRE-listed software/tool | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| Systeminfo | OilRig | System discovery utility | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| Tasklist | OilRig | Process discovery utility | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| ZeroCleare | OilRig | Wiper | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| certutil | OilRig | Living-off-the-land binary | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| ftp | OilRig | Living-off-the-land utility | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| ipconfig | OilRig | System discovery utility | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| netstat | OilRig | System discovery utility | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| ngrok | OilRig | Tunneling / proxy tooling | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| NGROK / Ligolo | Pioneer Kitten | Tunneling / proxy tooling | High | No malware hash; monitor tool binary, process, account, and network usage against approved admin list. |
| Liontail | Scarred Manticore | Passive backdoor framework | High | Hash not committed; use Check Point source report references and local IIS module baselines. |
| IronWind | TA402 | Initial access downloader / staged malware | High | Proofpoint-published SHA256 indicators include 9b2a16cbe5af12b486d31b68ef397d6bc48b2736e6b388ad8895b588f1831f47, 5d773e734290b93649a41ccda63772560b4fa25ba715b17df7b9f18883679160, 19f452239dadcd7544f055d26199cb482c1f6ae5486309bde1526174e926146a, A4bf96aee6284effb4c4fe0ccfee7b32d497e45408e253fb8e1199454e5c65a3, and 26cb6055be1ee503f87d040c84c0a7cacb245b4182445e3eee47ed6e073eca47; use full Proofpoint IOC list for operational use. |
| CRYPTOSLAY | UNC1860 | Associated family | Medium | Family confirmed by Malpedia; no per-sample hash committed in this repo. |
| PipeSnoop | UNC1860 | Referenced tool/family term | Low | Reference confirmed by Malpedia; no per-sample hash committed in this repo. |
| SASHEYAWAY | UNC1860 | Dropper / access-enablement tooling | High | Mandiant publishes activity-level MD5 IOCs and a VT collection; this repo does not map every hash to SASHEYAWAY. |
| STAYSHANTE | UNC1860 | Web shell / handoff tooling | High | Mandiant publishes activity-level MD5 IOCs and a VT collection; this repo does not map every hash to STAYSHANTE. |
| TEMPLEDOOR | UNC1860 | Passive backdoor family | High | Representative Mandiant MD5s include c57e59314aee7422e626520e495effe0 and b219672bcd60ce9a81b900217b3b5864. VT enrichment found b219672bcd60ce9a81b900217b3b5864 as Win32 EXE/System.dll with 47 malicious public detections; c57e59314aee7422e626520e495effe0 returned VT not_found. |
| TEMPLEDROP | UNC1860 | Passive backdoor / driver-abuse implant | High | Mandiant reports related Sheed AV MD5 0c93cac9854831da5f761ee98bb40c37 and WINTAPIX/TOFUDRV MD5s 286bd9c2670215d3cb4790aac4552f22 and b4b1e285b9f666ae7304a456da01545e in the same report; VT enrichment found the Sheed AV reference as signed and not malicious by public verdicts. |
| TEMPLELOCK | UNC1860 | Defense-evasion utility | High | Hash not committed; use Mandiant activity-level IOC list. |
| TEMPLEPLAY | UNC1860 | GUI malware controller | High | Mandiant reports MD5 c517519097bff386dc1784d98ad93f9d for TEMPLEPLAY; VT enrichment returned not_found on 2026-05-16. |
| VIROGREEN | UNC1860 | GUI exploitation / post-exploitation framework | High | Hash not committed; use Mandiant source and technical annex where accessible. |
| SUGARUSH / SUGARDUMP | UNC3890 | Information stealer | Medium | Hash not committed; use Mandiant source references. |
| BiBi / BiBi Wiper lineage | Void Manticore / Handala | Wiper / destructive malware lineage | Medium | Hash not committed; use primary wiper reports for active IOCs. |
| CHIMNEYSWEEP | Void Manticore / Handala | Wiper | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| Handala-linked destructive installer chains | Void Manticore / Handala | Installer-led destructive chain | Medium | Hash not committed; chain behavior matters more than static IOCs. |
| Impacket | Void Manticore / Handala | Python network protocol toolkit | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| Mimikatz | Void Manticore / Handala | Credential access tool | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| ROADSWEEP | Void Manticore / Handala | Wiper | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| RawDisk | Void Manticore / Handala | Disk access driver/tool | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| ZeroCleare | Void Manticore / Handala | Wiper | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| ftp | Void Manticore / Handala | Living-off-the-land utility | Medium | Hash not committed; use the linked MITRE references and original source reports for current IOCs. |
| AshTag | WIRTE | Modular .NET malware suite | High | Representative Unit 42 SHA256s include f554c43707f5d87625a3834116a2d22f551b1d9a5aff1e446d24893975c431bc, 739a5199add1d970ba22d69cc10b4c3a13b72136be6d45212429e8f0969af3dc, 6bd3d05aef89cd03d6b49b20716775fe92f0cf8a3c2747094404ef98f96e9376, 30490ba95c42cefcca1d0328ea740e61c26eaf606a98f68d26c4a519ce918c99, and 66ab29d2d62548faeaeadaad9dd62818163175872703fda328bb1b4894f5e69e; use full Unit 42 IOC table for coverage. |
| SameCoin | WIRTE | Wiper | High | Check Point publishes lure hash b7c5af2d7e1eb7651b1fe3a224121d3461f3473d081990c02ef8ab4ace13f785; component hashes should be pulled from the primary Check Point/HarfangLab references before blocking. |