This project explores major malware categories and trends, including a detailed case study on Qilin ransomware, a Ransomware-as-a-Service (RaaS) operation observed in the wild. It presents classification examples, threat actor tactics, and real-world telemetry data.
The following categories are described and compared using behavior-based characteristics and operational roles:
- Backdoors - Enable stealthy, persistent access for threat actors
- Downloaders - Install secondary payloads post-infection; often used for persistence
- Worms - Self-replicating malware that spreads laterally across networks
- Command & Control (C2) - Facilitates attacker communication and remote management (botnets, proxies)
- Spyware / Keyloggers - Used for surveillance, credential theft, and user tracking
Data from recent AV telemetry and malware trend reports is used to illustrate modern usage and prevalence.
Qilin, also known as Agenda, is a RaaS threat actor known for:
- Double extortion tactics (data encryption + leak threats)
- Use of PowerShell, credential dumping, and persistence scripts
- Targeting both Windows and Linux platforms
- Lateral movement via RDP and SSH
- Disk wiping and system recovery disabling
Qilin leverages spear-phishing for initial access and deploys obfuscation strategies using junk code and encoded command payloads.
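Two of the behaviours listed above, encoded PowerShell command payloads and disabling of system recovery, leave recognisable traces in process-creation logs. The following is an added example, not code from the original project, that triages constructed process-creation events for those traces: it decodes a PowerShell `-EncodedCommand` argument (base64 over UTF-16LE, which is what PowerShell expects) so an analyst can read the payload, and it flags well-known shadow-copy and boot-recovery tampering commands. The log format, field names and sample lines are assumptions made for this example.

```python
"""Added example (not part of the original project): triage constructed
process-creation log lines for two Qilin-style behaviours, encoded
PowerShell command payloads and recovery-disabling commands."""
import base64
import re

# Assumed log format: space-separated key=value pairs, quoted when the
# value contains spaces, e.g.  host=WS01 image=C:\...\x.exe cmdline="x.exe /a"
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Common abbreviations of PowerShell's -EncodedCommand switch.
ENC_FLAG = re.compile(r"^-(e|ec|en|enc|encodedcommand)$", re.I)

# Commands that remove restore points or disable the recovery environment,
# i.e. the "system recovery disabling" behaviour described above.
RECOVERY_DISABLE_PATTERNS = [
    (re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I), "shadow copy deletion"),
    (re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I), "shadow copy deletion"),
    (re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I), "backup catalog deletion"),
    (re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I), "recovery environment disabled"),
]


def parse_line(line):
    """Turn one key=value log line into a dict (quoted or bare values)."""
    return {k: (q if q else b) for k, q, b in KV.findall(line)}


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent/invalid."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):  # [:-1] guarantees tokens[i + 1] exists
        if ENC_FLAG.match(tok):
            try:
                raw = base64.b64decode(tokens[i + 1], validate=True)
                return raw.decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None  # flag present but payload is not valid base64/UTF-16LE
    return None


def triage(lines):
    """Return a list of findings, one per suspicious behaviour per event."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        cmd = ev.get("cmdline", "")
        image = ev.get("image", "").lower()
        if image.endswith(("powershell.exe", "pwsh.exe")):
            decoded = decode_encoded_command(cmd)
            if decoded is not None:
                findings.append({"host": ev.get("host"),
                                 "category": "encoded PowerShell command",
                                 "detail": decoded})
        for pattern, label in RECOVERY_DISABLE_PATTERNS:
            if pattern.search(cmd):
                findings.append({"host": ev.get("host"),
                                 "category": label,
                                 "detail": cmd})
    return findings


# Constructed sample data: a harmless payload is encoded the way PowerShell
# would expect it, then embedded in an otherwise ordinary-looking command line.
SAMPLE_PAYLOAD = "Write-Host 'constructed sample'"
SAMPLE_B64 = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16le")).decode("ascii")

SAMPLE_LOG = [
    r'host=WS01 user=jdoe image=C:\Windows\System32\notepad.exe cmdline="notepad.exe report.txt"',
    r'host=WS01 user=jdoe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    + 'cmdline="powershell.exe -nop -w hidden -enc ' + SAMPLE_B64 + '"',
    r'host=SRV02 user=SYSTEM image=C:\Windows\System32\vssadmin.exe '
    r'cmdline="vssadmin.exe delete shadows /all /quiet"',
    r'host=SRV02 user=SYSTEM image=C:\Windows\System32\bcdedit.exe '
    r'cmdline="bcdedit /set {default} recoveryenabled no"',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding['host']}] {finding['category']}: {finding['detail']}")
```

Decoding the payload rather than only matching on the `-enc` switch matters in practice: the decoded text is what an analyst needs to decide whether the command is administrative tooling or a staging step, and it is also where further detection (for example, matching on download cradles) can be applied. The recovery-tampering patterns are deliberately narrow; in a production rule they would be tuned against the environment's legitimate backup jobs to keep false positives down.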
- AV-TEST global malware telemetry (Windows-focused)
- OSINT reports from HC3 and industry research
- Analysis of real-world ransomware campaigns and malware behaviors
Michael Twining
Cybersecurity Researcher | Malware & Threat Intelligence | GitHub: @usrtem
Contact: michael.twining@outlook.com
Portfolio: LinkedIn | YouTube
This project is licensed under the Creative Commons Attribution 4.0 International License.