https://www.asmag.com/showpost/35201.aspx
Top 10 Malware of Q2 2025 revealed: SocGholish leads; Mirai makes a comeback

According to the Q2 report, malware notifications dropped 18 percent from Q1 2025. Despite that, CIS warns that malware threats are still real and advises users to take proper precautions.
The Center for Internet Security (CIS) has released its Top 10 Malware of Q2 2025 report. The list includes SocGholish, ZPHP and Agent Tesla, and it also marks the return of Mirai, the botnet malware that compromised large numbers of IoT and security devices in 2016.

The CIS Cyber Threat Intelligence (CTI) team publishes the report quarterly, covering the malware most active during the period. For Q2 2025 it recorded an 18 percent drop in malware notifications from Q1 2025, but CIS warns that the threat remains real and advises organizations to take appropriate precautions.


Attack vectors

The report opens with the common infection vectors, the routes by which malware reaches a system. According to the report, the top infection vectors in Q2 2025 were the following:

Dropped: the malware is delivered by other malware already on the system, by an exploit kit, by infected third-party software, or directly by a threat actor;

Malspam: the malware is delivered through unsolicited email that either directs the user to a malicious website or tricks the user into downloading or opening the malicious file;

Malvertisement: the malware is introduced through malicious advertisements. According to the report, this was the most common infection vector in Q2 2025;

Multiple: the malware uses at least two of the vectors above.
 

Top 10 malware


The report then lists the Top 10 malware of Q2 2025, ranked by share of detections. The top four are SocGholish, ZPHP, Agent Tesla and VenomRAT.

SocGholish is a JavaScript downloader delivered through malicious or compromised websites that display fake browser update prompts. Its capabilities include redirection, payload delivery, data theft, and staging remote access Trojans (RATs) or ransomware. ZPHP, also known as SmartApeSG, uses the same lure: fake browser update notices on legitimate but compromised websites trick users into downloading NetSupport RAT, a legitimate remote access tool abused by attackers.
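Both families above end the same way: the victim runs a downloaded script that claims to be a browser update, and in ZPHP's case that script installs NetSupport. The following hunt over process-creation telemetry is an added example, not code from the CIS report or from any vendor. The heuristic is an assumption rather than a rule from the report: a Windows script host (wscript.exe or cscript.exe) executing a .js/.jse file from a user-writable download location, or a NetSupport client (client32.exe) spawned by a script host or shell instead of running as an installed service. The sample events are constructed, with Sysmon-style field names.

```python
"""Hunt for fake-browser-update script execution in process-creation telemetry.

Added example, not from the CIS report. Heuristic (an assumption, not a rule
from the report): wscript.exe/cscript.exe running a .js/.jse file from a
user-writable download location, or NetSupport's client32.exe launched by a
script host or shell. Sample events are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".js", ".jse")
USER_DROP_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\")
LURE_WORDS = ("update", "chrome", "firefox", "edge")   # file names typical of fake-update lures (assumption)


@dataclass
class ProcEvent:                 # subset of a Sysmon Event ID 1 (process create) record
    host: str
    parent_image: str
    image: str
    command_line: str


def split_cmdline(cmd: str) -> list[str]:
    """Split a Windows command line on spaces while keeping double-quoted paths intact."""
    tokens, cur, in_quotes = [], "", False
    for ch in cmd:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == " " and not in_quotes:
            if cur:
                tokens.append(cur)
                cur = ""
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens


def classify(ev: ProcEvent) -> tuple[str, str] | None:
    """Return (severity, reason) when the event matches the heuristic, else None."""
    image = ntpath.basename(ev.image).lower()
    parent = ntpath.basename(ev.parent_image).lower()
    if image in SCRIPT_HOSTS:
        for tok in split_cmdline(ev.command_line)[1:]:
            low = tok.lower()
            if low.endswith(SCRIPT_EXTS) and any(d in low for d in USER_DROP_DIRS):
                name = ntpath.basename(low)
                sev = "high" if any(w in name for w in LURE_WORDS) else "medium"
                return sev, f"{image} executed {name} from a user-writable path"
    if image == "client32.exe" and parent in SCRIPT_HOSTS | {"powershell.exe", "cmd.exe"}:
        return "high", f"NetSupport client32.exe spawned by {parent}"
    return None


def hunt(events) -> list[dict]:
    """Run classify() over a batch of events and return one alert per hit."""
    alerts = []
    for ev in events:
        hit = classify(ev)
        if hit:
            alerts.append({"host": ev.host, "severity": hit[0], "reason": hit[1]})
    return alerts


# Constructed sample telemetry (not taken from the report).
SAMPLE_EVENTS = [
    ProcEvent("ws01", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Chrome.Update.js"'),
    ProcEvent("ws02", r"C:\Windows\System32\services.exe",
              r"C:\Windows\System32\cscript.exe", r"cscript.exe //nologo C:\Scripts\logon.js"),
    ProcEvent("ws03", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\cscript.exe",
              r"cscript.exe C:\Users\bob\AppData\Local\Temp\invoice_2025.js"),
    ProcEvent("ws01", r"C:\Windows\System32\wscript.exe",
              r"C:\Users\alice\AppData\Roaming\client32.exe", r"client32.exe"),
    ProcEvent("srv01", r"C:\Windows\System32\services.exe",
              r"C:\Program Files\NetSupport\client32.exe", r"client32.exe"),
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

The logon script on ws02 and the service-installed NetSupport client on srv01 are deliberately left unflagged: the point of anchoring on the file location and the parent process, rather than on the script host alone, is to keep legitimate script and remote-support use out of the alert queue.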

Agent Tesla is a RAT-type malware delivered through malspam. Its capabilities include keystroke and screenshot capture, credential theft, clipboard monitoring, file exfiltration, and loading of secondary payloads. VenomRAT is an open-source RAT that is usually dropped by other malware or spread via malspam.

“Since VenomRAT is open-source, there are multiple versions with varying capabilities. Most versions include keylogging, screen capture, password theft, data exfiltration, as well as downloading and executing additional files. In an observed campaign, VenomRAT used malicious domains mimicking antivirus software, such as Bitdefender, to trick victims into downloading it,” the report said.
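The lure the report describes for VenomRAT, domains that mimic an antivirus vendor, is something defenders can screen for in newly registered domains or proxy logs. The scorer below is an added example, not code from the CIS report or from any vendor. It takes the registrable name (crudely, the last two labels; no public-suffix list is used) and flags a watched brand appearing on a foreign TLD, as a subdomain label, embedded in another name, or within a small edit distance of the name. The brand watchlist, thresholds and all sample domains are constructed for the example.

```python
"""Flag domains that impersonate an antivirus vendor.

Added example, not from the CIS report. The brand list, allowlist, thresholds
and sample domains are constructed; "registrable name" is approximated as the
last two labels (no public-suffix list), which is an assumption.
"""
from __future__ import annotations

BRANDS = ("avast", "bitdefender", "kaspersky", "malwarebytes", "norton")   # assumed watchlist
LEGIT_DOMAINS = {f"{b}.com" for b in BRANDS}                             # assumed allowlist
MAX_EDITS = 2        # edit-distance threshold for typosquats (assumption)
MIN_NAME_LEN = 6     # skip edit-distance matching on very short names


def levenshtein(a: str, b: str) -> int:
    """Dynamic-programming edit distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str) -> tuple[str, list[str]]:
    """Return (registrable_name, subdomain_labels); the last two labels are treated as eTLD+1."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:]), labels[:-2]


def score(domain: str) -> tuple[str, str] | None:
    """Return (verdict, brand) if the domain impersonates a watched brand, else None."""
    registrable, subs = split_domain(domain)
    if registrable in LEGIT_DOMAINS:
        return None
    name = registrable.split(".")[0]
    for brand in BRANDS:
        if name == brand:
            return "brand-other-tld", brand        # e.g. bitdefender.download
        if brand in subs:
            return "brand-as-subdomain", brand     # e.g. bitdefender.com.secure-login.net
        if brand in name:
            return "brand-embedded", brand         # e.g. bitdefender-download.net
        if len(name) >= MIN_NAME_LEN and levenshtein(name, brand) <= MAX_EDITS:
            return "typosquat", brand              # e.g. bitdefemder.com
    return None


def triage(domains) -> dict[str, tuple[str, str]]:
    """Map each flagged domain to its (verdict, brand); clean domains are omitted."""
    return {d: v for d in domains if (v := score(d)) is not None}


# Constructed sample, as might come from a new-domain feed or proxy logs.
SAMPLE_DOMAINS = [
    "bitdefender.com",
    "update.bitdefender.com",
    "bitdefender.download",
    "bitdefender.com.secure-login.net",
    "bitdefender-download.net",
    "bitdefemder.com",
    "example.org",
]

if __name__ == "__main__":
    for domain, (verdict, brand) in triage(SAMPLE_DOMAINS).items():
        print(f"{domain:40s} {verdict:20s} (mimics {brand})")
```

The allowlist check runs first so that the vendor's own hosts, including subdomains such as update.bitdefender.com, never trip the subdomain rule; in production the two-label approximation should be replaced with a public-suffix lookup so that names like bitdefender.co.uk are split correctly.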

These four are followed by CoinMiner, Mirai, NanoCore, ArechClient2 (SectopRAT), ClearFake and LandUpdate808, completing the Top 10.

The report also notes that some malware families are making a comeback, among them Mirai, a botnet malware that compromises Internet of Things (IoT) devices to conduct large-scale distributed denial-of-service (DDoS) attacks. Mirai is dropped after a threat actor exploits a device vulnerability to gain initial access.

Mirai drew worldwide attention in October 2016, when it was used in a major DDoS attack against Dyn, a U.S.-based Internet performance and management company, which knocked prominent sites including Amazon, the Financial Times and Netflix offline. Investigators later found that the attack traffic came from networkable devices, including IP cameras and network video recorders (NVRs), that Mirai had recruited as bots. The malware spread by logging in over Telnet with a hardcoded list of factory-default usernames and passwords, which most of these devices were still using.
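Because an infected device looks for new victims by scanning for Telnet (tcp/23 and tcp/2323) and trying default logins, the compromise is visible in flow data long before any DDoS traffic leaves the network. The detector below is an added example, not code from the CIS report or from any vendor: it flags any internal source that opens Telnet connections to many distinct destinations inside a short sliding window. The flow records are constructed, and the window length and fan-out threshold are assumptions to be tuned per network.

```python
"""Spot Mirai-style Telnet scanning in flow records.

Added example, not from the CIS report. A source that reaches many distinct
hosts on tcp/23 or tcp/2323 within one sliding window is reported. Flow
records are constructed; the thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

TELNET_PORTS = {23, 2323}
MIN_DISTINCT_DSTS = 20     # distinct targets inside one window needed to alert (assumption)
WINDOW_SECONDS = 60        # sliding-window length in seconds (assumption)


@dataclass
class Flow:                # one NetFlow/IPFIX-style record, only the fields used here
    ts: int                # flow start, epoch seconds
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def detect_scanners(flows) -> dict[str, int]:
    """Return {src: peak_distinct_dsts} for sources whose Telnet fan-out exceeds the threshold."""
    by_src = defaultdict(list)
    for f in flows:
        if f.proto == "tcp" and f.dport in TELNET_PORTS:
            by_src[f.src].append((f.ts, f.dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        in_window = defaultdict(int)   # dst -> flows to it currently inside the window
        left, peak = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            while events[left][0] < ts - WINDOW_SECONDS:   # drop flows older than the window
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= MIN_DISTINCT_DSTS:
            hits[src] = peak
    return hits


def build_sample_flows() -> list[Flow]:
    """Constructed traffic: an infected camera, an admin, a web client and a slow scanner."""
    flows = []
    for i in range(40):   # infected camera sweeps 40 hosts on tcp/23 within 40 s
        flows.append(Flow(1000 + i, "10.0.5.17", f"203.0.113.{i + 1}", 23))
    for i, dst in enumerate(("10.0.5.1", "10.0.5.2", "10.0.5.3")):   # admin touches 3 devices
        flows.append(Flow(1100 + 10 * i, "10.0.1.2", dst, 23))
    for i in range(50):   # busy web client: many destinations, but on tcp/443
        flows.append(Flow(1000 + i, "10.0.1.9", f"198.51.100.{i + 1}", 443))
    for i in range(30):   # slow scanner: one tcp/2323 probe per minute, never 20 in one window
        flows.append(Flow(2000 + 60 * i, "10.0.5.22", f"192.0.2.{i + 1}", 2323))
    return flows


if __name__ == "__main__":
    for src, fanout in detect_scanners(build_sample_flows()).items():
        print(f"{src}: {fanout} distinct Telnet targets within {WINDOW_SECONDS}s")
```

Only the camera at 10.0.5.17 is reported. The slow scanner at 10.0.5.22 stays under the threshold because its probes are spread one per minute, which is the usual trade-off with windowed fan-out detection: widening the window or lowering the threshold catches it at the cost of more noise from legitimate device management.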
 

Active defense critical

Given how widespread these threats are, active defense matters more than ever, and CIS positions its own guidance as part of that defense. “The CIS Community Defense Model (CDM) v2.0 can help users defend against 77 percent of MITRE ATT&CK (sub-)techniques associated with malware — regardless of the infection vector they use,” the report said. “The quarterly Top 10 Malware list is just one of the ways the CIS CTI team helps … organizations strengthen their cybersecurity posture. Members of the Multi-State Information Sharing and Analysis Center receive additional insights and threat intelligence from the CIS CTI team on an ongoing basis.”

