After serveral months (actually 15) from the Cybersecurity Observatory launch (you can find it HERE) I experienced a huge increment of classified Malware from the end of January 2021. The following picture shows how the average samples frequency is just more than twice if compared to the beginning of the month and to the past year as well. I am not talking about a specific malware family right now, but mostly every single family increased its volume in the last few months. From my side (backend) nothing changed, even the overall amount of processed suspicious files are close to the average processed files during the past 12 months, so just a big amount of Malware are going on out there !

General Malware Surface past 3 Months

Breaking down samples families from the very beginning of this esperience by counters, we might appreciate the following picture which represents Malware familieis totals. Emotet was a the “big boss” during 2020, while AgentTesla, Azorult and Ursnif are quickly increasing their presence during the first months of 2021. The following images are just a static instant picture taken from the dynamic page (updated every 24h) that you can find here, so if you are interested on today’s Malware surface, get there !

Principal Detected Malware

Focusing on Malware holders (droppers) classified by file types we observe the following graph. On the left hand we see the overall Malware holders (from the very beginning) and you would see the obvious .EXE files being in the first position with a huge numeric advantage if comprared to other extensions . On the right side hand of the following image the breakdown of Malware holders without .EXE extension in order to focus on the original infection vectors. Again Word documents followed by Excel and RTF are the most dangerous files for your systems. If you receive one of these files from somebody you really don’t know, please consider that file as a Malicious dropper (I know it is not always in that way, but if you prefer a paranoic security view, please act like this).

Infection Vectors

By clicking on the graph legenda (HERE) you may select the “line” (representing the Malware family) you want to study by hiding all the other data. In the following example I decided to focus on AgentTesla and so I removed (by clicking on them) all the other lines. From the beginning of February AgentTesla infections are decuplicated from a max of 10 per days (in term of unique Malware AgentTesla identified) to a new max pic of 97 unqique AgentTesla per single day. Average speaking, it’s something quite significative as well.


Make a one-time donation

Make a monthly donation

Choose an amount


If you think this content is helpful, please consider to make a little donation. It would help me in building and writing additional contributions to community. By donation you will contribute to community as well. Thank you !

If you think this content is helpful, please consider to make a little donation. It would help me in building and writing additional contributions to community. By donation you will contribute to community as well. Thank you !

DonateDonate monthly
AgentTesla Distrubution

While AgentTesla increased a lot its frequency, FormBook had a single detection pic on February 5 2021. From that day a slightly significative increment of samples but no big anomalies afterall. Indeed in the beginning of the detection series and the end of it are comparable. So just something happened on February 5 on AgentTesla, we should investigate further such a behaviour.

FormBook Distribution

Darkcomet is a neverending story. While we are not talking about the original Darkcomet, but mostly some of its evolutions, I experienced a sligthly increment after February 11th. The following graph shows hight frequencies in mid Februrary and an overall increment rate from February to beginning of March as well. If we analyze the lower rates it’s clear that it has been doubled. From 2 to 4 in the lowest rate per day and from 8 to 18 in the highest rate per single day. It fascinates me the symmetry of such a detections !

DarkComet Distribution

Ursnif is getting worst especially in EU contries. While the specific frequency pattern follows the overall multi-family pattern, the cardinality is quite highter if compared to previous families (with the exception of AgentTesla). The following picture shows the Ursnif frequency distrubution during the last months increased the cardinality from, let’s say, almost 10 per day to, let’s say 30 per day.

Ursnif Distribution

The current pandemic change the way we live, the way we eat, the way we meet family and dears, the way we work. Thanks to digital equipments most of us are able to keep working from home, to study from home and to virtually meet people. So attackers slowly changed, from the physical space they moved to a most digital space where it gets easy to steal information while hiding traces. 2021 started with a big increment of threts discovered on my automatic and personal detection engine.

If you are interested on discovering more up-to-date data or you want to make an opinion about nowadays malware familisies, please feek free to take a look to that page, happy hunting !