Summary of malware activity: October - December 2022

Mozi… on the rise again?

Mozi seemed to have slowed in mid-2022, but a spike from 33,584 reports in the July-September period to 59,266 reports in the October-December period suggests that it's still a threat.

Mozi continues to be the most frequently reported IoT malware. With only 6,401 reports of Mirai and 2,449 reports of Hajime, Mozi accounts for the vast majority of IoT malware attacks.

IoT Malware increased 34%

The hosting networks (ASNs) with the most IoT malware activity reported during this period are based in China, India and the US.

For more insights, see Ranking of Hosting Networks (ASNs) by Number of Malware Records, Quarter over Quarter (October to December 2022).


Endpoint malware increased 31%

Infostealers don’t attract the same attention as ransomware, but they are responsible for significant financial losses. Criminals also use infostealers to gather sensitive personal or corporate data.

Quakbot tops our list of malware that targets user-attended (endpoint) devices.

Nearly all malicious URLs associated with Quakbot include a domain name. The 121% increase in unique domain names reported for hosting malware, relative to the July-September 2022 reporting period, is largely due to Quakbot activity.

Criminals on the hunt…

Vulnerability scanners accounted for 61% of malware reports that we classified as malicious traffic sources, an increase from the 52% reported in the July-September 2022 quarter.

PHP Forum spam activity accounted for 45% of reported traffic injector malware.