BlackBerry Blog

Top 11 Malware Strains of 2021 — And How to Stop Them

The top 11 malware strains observed during 2021 can steal your organization’s data, establish remote access into your network, or perhaps unleash a ransomware attack. This is according to a new multi-agency report that analyzed the most prevalent malware threats.

And while the majority of these malware strains have been around for more than five years, cybercriminals keep evolving their code into new variations. That trend is actually a helpful one for network defenders because when threat actors continue to use known malware strains, it offers organizations a better chance to identify and mitigate these attacks.

The List of Top 11 Malware Variants

The Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC) recently created this list, and the BlackBerry Threat Research team has done considerable research on how to stop many of these malware strains from accessing and damaging your environment. We will link to that work throughout this post, and in most cases, the BlackBerry® resources include indicators of compromise (IoCs) and YARA rules.

Here are the top malware strains observed during 2021, condensed for easy scanning, to help you defend your organization:


1. Agent Tesla

Description: Agent Tesla is capable of stealing data from mail clients, web browsers, and File Transfer Protocol (FTP) servers. This malware can also capture screenshots, videos, and Windows® clipboard data. Agent Tesla is available online for purchase under the guise of being a legitimate tool for managing your personal computer.

BlackBerry Resources: How Agent Tesla Works and BlackBerry Prevents Agent Tesla Malware Attacks.

2. AZORult

Description: AZORult is used to steal information from compromised systems. It has been sold on underground hacker forums for exfiltrating browser data, user credentials, and cryptocurrency information.

BlackBerry Resources: Analyzing AZORult Infostealer Malware and the Department of Health and Human Services (HHS)’s AZORult brief.

3. FormBook

Description: FormBook is an information stealer advertised in hacking forums. FormBook is capable of keylogging and capturing browser or email client passwords.

BlackBerry Resources: How xLoader (AKA FormBook) Works and BlackBerry prevents xLoader Infostealer.

4. Ursnif

Description: Ursnif is a banking trojan that steals financial information. Also known as Gozi, Ursnif has evolved over the years to include a persistence mechanism, methods to avoid sandboxes and virtual machines, and search capability for disk encryption software to attempt key extraction for unencrypting files.

BlackBerry Resources: Threat Spotlight: Ursnif InfoStealer Malware and Cylance vs URSNIF Infostealer.

5. LokiBot

Description: LokiBot is a Trojan malware for stealing sensitive information, including user credentials, cryptocurrency wallets, and other credentials. A 2020 LokiBot variant was disguised as a launcher for the Fortnite multiplayer video game.

BlackBerry Resources: Mystery Bot: Do You Do Your Banking on Your Phone? and also see CISA’s LokiBot Malware alert.


6. MOUSEISLAND

Description: MOUSEISLAND is usually found within the embedded macros of a Microsoft® Word document. It can download other payloads and may sometimes be the initial stage of a ransomware attack.

BlackBerry Resources: Macros, to Block or Not To Block and see MOUSEISLAND on malpedia.

7. NanoCore

Description: NanoCore is used for stealing victims’ information, including passwords and emails. NanoCore could also allow malicious users to activate computers’ webcams to spy on victims.

BlackBerry Resources: See .NET Stubs: Sowing the Seeds of Discord and the HHS publication, Remote Access Trojan Nanocore Poses Risk to HPH Sector.

8. Qakbot

Description: Originally observed as a banking Trojan, Qakbot has evolved in its capabilities to include performing reconnaissance, moving laterally, gathering and exfiltrating data, and delivering payloads. Also known as QBot or Pinkslipbot, Qakbot is modular in nature, enabling malicious cyber actors to configure it to their needs.

BlackBerry Resources: The Return of Qakbot Malware and Cylance vs. Qakbot Malware.

9. Remcos

Description: Remcos is marketed as a legitimate software tool for remote management and penetration testing. Remcos, short for Remote Control and Surveillance, was leveraged by malicious cyber actors conducting mass phishing campaigns during the COVID-19 pandemic to steal personal data and credentials. Remcos installs a backdoor onto a target system, which malicious actors can then use to issue commands and gain administrator privileges — all while bypassing antivirus products, maintaining persistence, and running as legitimate processes.

Resources: See the MITRE ATT&CK page on Remcos.

10. TrickBot

Description: TrickBot malware is often used to form botnets or to enable initial access for the Conti ransomware or Ryuk banking Trojan. TrickBot is developed and operated by a sophisticated group of malicious cyber actors and has evolved into a highly modular, multi-stage malware threat. In 2020, cybercriminals used TrickBot to target the healthcare and public health (HPH) sector, subsequently launching ransomware attacks, exfiltrating data, or disrupting healthcare services.

BlackBerry Resources: Threat Spotlight: TrickBot Infostealer Malware and Cylance vs. Smoke Loader and the TrickBot Trojan. Also, see the Joint CSA on TrickBot Malware.

11. GootLoader

Description: GootLoader is a malware loader historically associated with the GootKit malware. As its developers updated its capabilities, GootLoader evolved from downloading one specific malicious payload to becoming a multi-payload malware platform. As a loader, GootLoader is usually the first stage of a system compromise. By leveraging search engine poisoning, GootLoader’s developers may create or compromise websites that rank highly in search engine results, such as Google search results.

BlackBerry Resources: GootLoader, From SEO Poisoning to Multi-Stage Downloader.

CISA Recommended Malware Mitigations

The Cybersecurity and Infrastructure Security Agency (CISA) highlighted the following mitigations to help stop malware attacks, and they put good cyber hygiene at the top of the list:

  • Apply timely patches to systems
  • Patch all systems, especially for known, exploited vulnerabilities
  • Implement user training
  • Secure Remote Desktop Protocol (RDP)
  • Make offline backups of data
  • Enforce multifactor authentication (MFA)

BlackBerry Protects Against Malware

CylancePROTECT® provides automated malware prevention, application and script control, memory protection, and device policy enforcement. This AI-based Endpoint Protection Platform (EPP) blocks cyberattacks and provides controls for safeguarding against sophisticated threats—no human intervention, Internet connections, signature files, heuristics, or sandboxes required.

And CylanceGUARD® is a subscription-based 24x7 Managed Extended Detection and Response (XDR) service. Our expert analysts act as an extension of your team, correlating telemetry across devices and providing actionable intelligence to prevent threats quickly while minimizing alert fatigue.

Bruce Sussman

About Bruce Sussman

Bruce Sussman is Senior Managing Editor at BlackBerry.