InnaputRAT
[InnaputRAT] is a remote access tool that can exfiltrate files from a victim’s machine. [InnaputRAT] has been seen out in the wild since 2016. (Citation: ASERT InnaputRAT April 2018)
Kessel
[Kessel] is an advanced version of OpenSSH which acts as a custom backdoor, mainly acting to steal credentials and function as a bot. [Kessel] has been active since its C2 domain began resolving in August 2018.(Citation: ESET ForSSHe December 2018)
LookBack
[LookBack] is a remote access trojan written in C++ that was used against at least three US utility companies in July 2019. The TALONITE activity group has been observed using [LookBack](https://attack.mitre.org/software/S0582).(Citation: Proofpoint LookBack Malware Aug 2019)(Citation: Dragos TALONITE)(Citation: Dragos Threat Report 2020)
NetTraveler
[NetTraveler] is malware that has been used in multiple cyber espionage campaigns for basic surveillance of victims. The earliest known samples have timestamps back to 2005, and the largest number of observed samples were created between 2010 and 2013. (Citation: Kaspersky NetTraveler)
YAHOYAH
[YAHOYAH] is a Trojan used by [Tropic Trooper](https://attack.mitre.org/groups/G0081) as a second-stage backdoor.(Citation: TrendMicro TropicTrooper 2015)
Lokibot
[Lokibot] is a malware designed to collect credentials and security tokens from an infected machine. [Lokibot] has also been used to establish backdoors in enterprise environments.(Citation: Infoblox Lokibot January 2019)(Citation: Morphisec Lokibot April 2020)
CallMe
[CallMe] is a Trojan designed to run on Apple OSX. It is based on a publicly available tool called Tiny SHell. (Citation: Scarlet Mimic Jan 2016)
ROCKBOOT
[ROCKBOOT] is a [Bootkit](https://attack.mitre.org/techniques/T1542/003) that has been used by an unidentified, suspected China-based group. (Citation: FireEye Bootkits)
CloudDuke
[CloudDuke] is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) in 2015. (Citation: F-Secure The Dukes) (Citation: Securelist Minidionis July 2015)
Egregor
[Egregor] is a Ransomware-as-a-Service (RaaS) tool that was first observed in September 2020. Researchers have noted code similarities between [Egregor] and Sekhmet ransomware, as well as [Maze](https://attack.mitre.org/software/S0449) ransomware.(Citation: NHS Digital Egregor Nov 2020)(Citation: Cyble Egregor Oct 2020)(Citation: Security Boulevard Egregor Oct 2020)