
Microsoft Digital Defense Report 2025
Discover the scale of cyber threats and the strategies to defend against them
Microsoft’s Digital Crimes Unit
Microsoft’s Digital Crimes Unit (DCU) uses court-authorized civil litigation and technical action to disrupt cybercriminal and nation-state infrastructure. This timeline highlights decades of DCU operations and recognizes that cybercrime disruption is often continuous, not one-and-done, as adversaries adapt. These actions protect victims by stopping active harm, enabling remediation, and preventing further losses—while imposing real costs on criminals by dismantling infrastructure, disrupting revenue streams, and forcing them to rebuild at greater risk and expense.
Disrupting cyberthreats since 2008
For more than a decade, Microsoft’s DCU has persistently disrupted cybercrime and nation‑state threats targeting people, organizations and critical infrastructure. Explore major disruptions and the often‑ongoing cases and operations behind them.
Tycoon 2FA
Tycoon 2FA is a phishing‑as‑a‑service operation that lets cybercriminals impersonate users and access email and online services—even with MFA enabled. It reflects a broader shift in cybercrime: identity is now the primary target, where one account can unlock entire digital ecosystems.
RedVDS
RedVDS was a subscription-based service that enabled cybercriminals to run mass phishing, account takeovers, and financial fraud using anonymous virtual machines, amplified by AI-driven face-swapping, voice cloning, and video manipulation to enhance deception.
RaccoonO365
RaccoonO365 was a phishing-as-a-service threat that used AI-assisted tooling, realistic lures, and CAPTCHA evasion to harvest Microsoft 365 credentials at scale, lowering the barrier for criminals to launch highly convincing attacks.
Lumma Stealer
Lumma Stealer industrialized data theft by pairing malware-as-a-service with AI-enabled social engineering, automated loaders, and adaptive infrastructure, allowing criminals to steal credentials and sensitive information with minimal effort.
FizzDogg
FizzDogg, tracked as Storm‑2139, ran a cybercrime‑as‑a‑service that weaponized generative AI—bypassing safeguards and monetizing illicit access to produce and share harmful, policy‑violating images at scale.
Fake ONNX
Fake ONNX, also known as Caffeine, was a phishing-as-a-service threat that fraudulently used the ONNX name to sell DIY phishing kits, enabling large-scale credential theft by industrializing MFA bypass and adversary-in-the-middle attack techniques.
Star Blizzard
Star Blizzard is a Russian nation-state threat that uses targeted spear-phishing and credential theft to exfiltrate sensitive information and interfere with the work of journalists, think tanks, NGOs, and other civil society organizations critical to democratic processes.
Storm-1152
Storm-1152 is a cybercrime-as-a-service threat that acts as a gateway to cybercrime by using highly automated, AI-assisted tools to create and sell massive volumes of fraudulent Microsoft accounts, enabling phishing, fraud, identity theft, and other abuse at scale.
Cracked Cobalt Strike
Cracked Cobalt Strike refers to illegally modified, legacy versions of Fortra’s legitimate security tool that cybercriminals repurposed to enable automated command-and-control, lateral movement, and ransomware deployment at scale across victim networks.
Smoke Sandstorm
Smoke Sandstorm is an Iranian nation-state threat that uses targeted spear-phishing and social-engineering lures—often posing as recruiters—to compromise email accounts and gain persistent access for espionage across government, defense, and critical sectors. Previously tracked as Bohrium.
ZLoader
ZLoader is a malware-as-a-service botnet operated by an organized criminal gang whose goal is to steal and extort money by disabling security tools and distributing follow-on malware, including ransomware, across infected devices worldwide.
Nylon Typhoon
Nylon Typhoon is a China-based nation-state cyberespionage threat that exploits unpatched systems and remote access services to steal credentials and maintain long-term access, primarily targeting governments, diplomatic organizations, and NGOs for intelligence collection. Previously tracked as Nickel.
Emotet
Emotet is a globally dispersed banking trojan and malware distribution botnet that spreads via spam and phishing emails, harvesting credentials, installing persistent backdoors, and delivering additional malware.
Trickbot
Trickbot was a globally dispersed banking trojan and malware distribution botnet that spread via phishing emails. It evolved to abuse compromised IoT routers as part of its command-and-control infrastructure, while infected systems harvested credentials, disabled security tools, and delivered additional malware.
Necurs
Necurs was one of the world’s largest criminal botnets, used as a botnet-for-hire to distribute malware, spam, and financial scams at global scale, enabling credential theft, ransomware delivery, and other cybercrime activity.
Emerald Sleet
Emerald Sleet is a North Korea-based cyberespionage threat actor targeting government employees, think tanks, university staff, and organizations focused on world peace, human rights, and nuclear nonproliferation—primarily in the United States, Japan, and South Korea. Previously tracked as Thallium.
Mint Sandstorm
Mint Sandstorm is an Iran-based threat actor targeting prominent individuals in business and government through tailored phishing and social engineering to steal credentials, conduct surveillance, and support state espionage—frequently focusing on activists, journalists, and Middle East policy communities. Previously tracked as Phosphorus.
Gamarue
Gamarue, also known as Andromeda, is a crimeware kit sold in hacker forums to monetize malware installs. It spread via email, social platforms, and USBs, disabled Windows security controls, and enabled large-scale delivery of follow-on malware.
Avalanche
Avalanche was a criminal syndicate and botnet infrastructure used to conduct phishing, bank fraud, and ransomware at scale. It enabled malware hosting and distribution, credential and financial data theft, money-mule fraud schemes, and secondary attacks from compromised victim systems.
Brass Typhoon
Brass Typhoon is a China-based nation-state threat actor targeting gaming and internet content companies to steal sensitive data using custom malware with credential theft, exploitation, and exfiltration capabilities. Previously tracked as Barium.
Forest Blizzard
Forest Blizzard is a Russia-based nation-state threat actor that targets democratic institutions, governments, and NGOs through cyberespionage and influence operations. It played a prominent role in election interference and escalated cyber activity at the outset of Russia’s war against Ukraine. Previously tracked as Strontium.
Dorkbot
Dorkbot was a multicomponent malware family designed to disable security protections, steal credentials and personal data, and spread aggressively via USB drives, instant messaging, and social networks. It leveraged infected devices to distribute itself, download additional payloads, and operate as part of large botnets enabling persistent compromise.
Ramnit
Ramnit is a financial fraud botnet focused on stealing online banking credentials. Its modular architecture enabled credential theft, web-inject attacks against banking sites, remote control of victim PCs, and disabling of security software. It spread via phishing emails and social networking platforms.
Simda
Simda was a financial fraud botnet built from multiple modules that enabled banking credential theft, backdoor access, traffic manipulation, cryptocurrency mining, and delivery of additional malware. It spread via spam, exploit kits, and compromised websites, enabling persistent large-scale compromise.
Caphaw
Caphaw was a banking malware family that targeted major European financial institutions, enabling attackers to take full control of infected PCs and steal online banking credentials. It spread via social engineering on platforms like Facebook, YouTube, and Skype, as well as removable media and drive-by downloads.
GameOver Zeus
GameOver Zeus was a banking malware and botnet spread via spam and phishing that hijacked online banking sessions to steal credentials and funds. It also delivered ransomware, combining financial fraud with extortion to maximize criminal impact.
Bladabindi & Jenxcus
Bladabindi and Jenxcus were pervasive remote access malware families that enabled cybercriminals to take full control of victim PCs for fraud and data theft. Widely promoted on social media with step-by-step guides, they spread via infected USB drives and other malware, exposing millions of users to abuse at global scale. Also tracked as B106.
ZeroAccess
ZeroAccess was a multicomponent Trojan and botnet designed to generate revenue through large-scale pay-per-click fraud. It hijacked search results and redirected traffic to ads, driving illicit profits while exposing victims to additional malware, data theft, and broader online fraud. Also tracked as Sirefef.
Citadel
Citadel was a sophisticated banking Trojan responsible for over $500M in losses, stealing credentials through keylogging and man-in-the-browser attacks. By injecting popups and monitoring web traffic on legitimate sites, it tricked victims into surrendering sensitive financial information.
Bamital
Bamital was a click fraud and search hijacking malware that intercepted web traffic and redirected users to advertising and malicious sites to generate illicit revenue. Installed largely via drive-by downloads, it stripped users of control and exposed them to identity theft and additional malware infections.
Nitol
Nitol was a Trojan commonly bundled with corrupted peer-to-peer software that quietly conscripted infected PCs into botnets. Once active, it enabled large-scale DDoS attacks without user awareness, turning everyday consumer devices into infrastructure for disruptive cyberattacks.
Zeus
Zeus was a prolific keylogging botnet that captured banking credentials by recording keystrokes and intercepting online sessions. Distributed through spam and drive-by downloads, it enabled identity theft, unauthorized fund transfers, and large-scale financial fraud against unsuspecting users. Also tracked as Zbot.
Kelihos
Kelihos was a highly adaptable botnet used to send massive spam campaigns, steal credentials and financial data, and download or execute additional malware. It enabled remote control of infected PCs, disabled security defenses, and installed ransomware or other payloads, making it a versatile and persistent cybercrime platform.
Rustock
Rustock was a rootkit-enabled backdoor Trojan that powered one of the world’s largest spam botnets, flooding the internet with tens of billions of emails daily. Its scale showed how stealthy malware could industrialize abuse and undermine trust at global scale.
Conficker
Conficker was a fast-moving network worm that exploited shared networks and removable media to spread at scale. Once inside an environment, it enabled follow-on malware and spam distribution, turning trusted enterprise networks into engines of criminal propagation.
Waledac
Waledac was a sophisticated Trojan that powered large-scale cybercrime, harvesting email addresses to fuel massive spam campaigns. It also enabled denial-of-service attacks, malware delivery, data theft, and persistent control of infected systems at scale.