Okrum
[Okrum] is a Windows backdoor that has been seen in use since December 2016 with strong links to [Ke3chang](https://attack.mitre.org/groups/G0004).(Citation: ESET Okrum July 2019)
Regin
[Regin] is a malware platform that has targeted victims in a range of industries, including telecom, government, and financial institutions. Some [Regin] timestamps date back to 2003. (Citation: Kaspersky Regin)
Bonadan
[Bonadan] is a malicious version of OpenSSH which acts as a custom backdoor. [Bonadan] has been active since at least 2018 and combines a new cryptocurrency-mining module with the same credential-stealing module used by the Onderon family of backdoors.(Citation: ESET ForSSHe December 2018)
SamSam
[SamSam] is ransomware that appeared in early 2016. Unlike some ransomware, its variants have required operators to manually interact with the malware to execute some of its core components.(Citation: US-CERT SamSam 2018)(Citation: Talos SamSam Jan 2018)(Citation: Sophos SamSam Apr 2018)(Citation: Symantec SamSam Oct 2018)
Conti
[Conti] is a Ransomware-as-a-Service that was first observed in December 2019, and has being distributed via [TrickBot](https://attack.mitre.org/software/S0266). It has been used against major corporations and government agencies, particularly those in North America. As with other ransomware families, actors using [Conti] steal sensitive files and information from compromised networks, and threate
Raindrop
[Raindrop] is a loader used by [APT29](https://attack.mitre.org/groups/G0016) that was discovered on some victim machines during investigations related to the 2020 SolarWinds cyber intrusion. It was discovered in January 2021 and was likely used since at least May 2020.(Citation: Symantec RAINDROP January 2021)(Citation: Microsoft Deep Dive Solorigate January 2021)
Doki
[Doki] is a backdoor that uses a unique Dogecoin-based Domain Generation Algorithm and was first observed in July 2020. [Doki] was used in conjunction with the [Ngrok](https://attack.mitre.org/software/S0508) Mining Botnet in a campaign that targeted Docker servers in cloud platforms. (Citation: Intezer Doki July 20)
TEXTMATE
[TEXTMATE] is a second-stage PowerShell backdoor that is memory-resident. It was observed being used along with [POWERSOURCE](https://attack.mitre.org/software/S0145) in February 2017. (Citation: FireEye FIN7 March 2017)
Fysbis
[Fysbis] is a Linux-based backdoor used by [APT28](https://attack.mitre.org/groups/G0007) that dates back to at least 2014.(Citation: Fysbis Palo Alto Analysis)
IcedID
[IcedID] is a modular banking malware designed to steal financial information that has been observed in the wild since at least 2017. [IcedID] has been downloaded by [Emotet](https://attack.mitre.org/software/S0367) in multiple campaigns.(Citation: IBM IcedID November 2017)(Citation: Juniper IcedID June 2020)