Decade-old malware strains top annual list of most pervasive business exploits
Allied cyber security authorities say the most active strains of 2021 have been in operation for longer than five years, and are being constantly developed


US and Australian cyber security authorities have jointly revealed the top malware strains that targeted organisations in 2021, with two of them in operation for longer than a decade.
The US Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC) said the most pervasive strains included remote access trojans (RATs), banking trojans, information stealers, and ransomware.
Qakbot and Ursnif are the two strains that have been in operation the longest. Both authorities attribute this longevity to active development, with operators consistently adding new capabilities and new methods of evading detection.
Most strains on the list have been in operation for longer than five years, and their codebases have evolved over that time into multiple variants.
The most prolific of the bunch, the authorities said, were stealers of financial or personal information, and ransomware.
The top 11 malware strains of 2021
| Malware strain | Type of malware | Active since | Delivery method |
| --- | --- | --- | --- |
| Agent Tesla | Information stealer, RAT | 2014 | Phishing (attachments) |
| AZORult | Information stealer | 2016 | Phishing, exploit kits, infected websites |
| Formbook | Information stealer | 2016 | Phishing (attachments) |
| Ursnif | Banking trojan | 2007 | Phishing (attachments) |
| LokiBot | Trojan, information stealer | 2015 | Phishing (attachments) |
| MOUSEISLAND | Macro downloader | 2019 | Phishing (attachments) |
| NanoCore | RAT | 2013 | Phishing (attachments), cloud storage |
| Qakbot | Multi-use trojan | 2007 | Phishing (attachments, hyperlinks, embedded images) |
| Remcos | RAT | 2016 | Phishing (attachments) |
| Trickbot | Trojan | 2016 | Phishing (hyperlink) |
| GootLoader | Malware loader | 2020 | Compromised websites |
Overview of 2021's most pervasive malware strains
Agent Tesla
Around since 2014, the powerful tool can be used to steal information from email clients, web browsers, and file transfer protocol (FTP) servers, as well as capture screenshots and video from a desktop environment.
AZORult
An information stealer that can be found available on underground hacking forums, AZORult is under constant development, the authorities said, and its capabilities include stealing browser data, user credentials, and cryptocurrency information.
Formbook
Formbook is a malware strain that is updated continually to exploit the latest vulnerabilities published in the Common Vulnerabilities and Exposures (CVE) list, targeting systems that have been left unpatched against those threats.
It's capable of keylogging and capturing passwords, and has been used in a variety of attacks in the past year such as those specifically targeting corporate email inboxes.
Ursnif
The banking Trojan Ursnif has been around since 2007, tying with Qakbot as the longest-running malware strain on the list. It has evolved to adopt a persistence mechanism, meaning that it can live on a system after it has rebooted, and can also avoid sandboxes and virtual machines, the authorities said.
LokiBot
This Trojan is designed to steal various types of sensitive information, such as user credentials and the credentials used to access cryptocurrency wallets. In circulation since 2015, it had a notable variant in 2020 that disguised itself as a launcher for the popular video game Fortnite.
MOUSEISLAND
This is one that's likely to drop off the list next year now Microsoft has blocked VBA macros by default, but the macro downloader has been prolific since 2019 and is thought to be used in the initial stages of some ransomware attacks.
NanoCore
The RAT NanoCore can allow attackers to spy on victims through webcams while also doubling as a stealer of passwords and emails. It is one of the oldest strains on the list, having begun operation in 2013.
Qakbot
Qakbot was originally a banking Trojan, but since its 2007 inception, its capabilities have evolved to include data exfiltration and the capacity to deliver other malicious payloads. It’s modular in nature, allowing attackers to tailor its capabilities to their needs.
Remcos
A lexical blend that’s short for Remote Control and Surveillance, Remcos is presented as a legitimate penetration testing tool but has been abused by cyber attackers, much like Cobalt Strike and more recently Brute Ratel C4. It can steal personal data and login credentials, and was used heavily in COVID-19-themed phishing campaigns.
TrickBot
This Trojan is thought to be operated and maintained by a sophisticated threat group, and has been used in the past as the initial access vector for deploying Conti and Ryuk ransomware. It has also been used against healthcare organisations to steal data and disrupt services.
GootLoader
Around since 2020 and now a multi-payload malware platform, GootLoader has evolved in recent years from a simple malware loader, typically associated with the GootKit malware. It often provides attackers with initial access, usually via search engine poisoning.
What mitigations can your business deploy?
The authorities recommend reviewing and implementing all the necessary mitigations to defend against these malware strains - the ones targeting businesses the most.
The full list of instructions can be found in the complete joint advisory issued by CISA and ACSC this week, but the recommendations include updating software to address known vulnerabilities, enforcing multi-factor authentication (MFA) across the organisation, monitoring use of Remote Desktop Protocol (RDP), and maintaining offline backups of data.
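The RDP-monitoring recommendation above is the most concrete of the four, so here is an added example (not from the advisory or either agency) of what that monitoring can look like in practice: it scans a small, constructed set of simplified Windows Security event 4624 records, keeps only logon type 10 (RemoteInteractive, i.e. RDP), counts RDP logons per account, and flags any that originate outside an assumed approved jump-host subnet. The log format and the 10.20.30.0/24 allowlist are assumptions for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample lines (not real telemetry):
# timestamp|event_id|logon_type|user|source_ip
SAMPLE_LOG = """\
2021-06-01T08:02:11Z|4624|10|CORP\\alice|10.20.30.15
2021-06-01T08:05:42Z|4624|2|CORP\\bob|-
2021-06-01T23:14:07Z|4624|10|CORP\\svc_backup|203.0.113.44
2021-06-02T01:30:55Z|4624|10|CORP\\alice|198.51.100.9
2021-06-02T09:00:00Z|4624|3|CORP\\carol|10.20.30.77
"""

# Assumed policy for this example: RDP is only expected from the admin jump-host subnet.
APPROVED_RDP_SOURCES = [ipaddress.ip_network("10.20.30.0/24")]


def parse_line(line):
    """Split one pipe-separated record into a dict with typed fields."""
    ts, event_id, logon_type, user, src = line.strip().split("|")
    return {"ts": ts, "event_id": int(event_id),
            "logon_type": int(logon_type), "user": user, "src": src}


def is_approved(src):
    """True only if the source is a valid IP inside an approved network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:  # "-" or malformed source: treat as unapproved
        return False
    return any(addr in net for net in APPROVED_RDP_SOURCES)


def find_suspicious_rdp(log_text):
    """Return (alerts, per-user RDP counts) for successful logon-type-10 events."""
    alerts, counts = [], Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["event_id"] != 4624 or ev["logon_type"] != 10:
            continue  # only successful RDP logons are of interest here
        counts[ev["user"]] += 1
        if not is_approved(ev["src"]):
            alerts.append((ev["ts"], ev["user"], ev["src"]))
    return alerts, counts
```

Run against the sample, it raises two alerts: the out-of-hours service-account logon from 203.0.113.44 and the second alice logon from 198.51.100.9.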

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.