Get The Latest Insights

By Jessica Ellis | October 13, 2021

Malware delivered via email continues to be the primary source of damaging ransomware attacks targeting businesses and their brands. The malware threat landscape has been tumultuous over the course of 2021, with unskilled actors enjoying a lower barrier to entry through as-a-service models, allowing easy access to proven and sophisticated malicious software. These tools are in a constant state of mutation as families join forces with like-minded affiliates, leaving security teams to deal with enhanced features and a broad and changing scope of attribution.

As ransomware continues to improve its tactics and break records, PhishLabs is monitoring payload families reported in user inboxes that are used to facilitate these attacks. Below we break down the top malicious payloads targeting enterprises in Q3.

Top Payload Families
Top Payload Families


Q3 provided the instability that has become expected when tracking malware families, their affiliates, and their activity from quarter to quarter. BazaLoader, a top family in Q1 before falling off, accounted for 24.7% of attacks in Q3, making it the most reported payload. BazaLoader is believed to be the product of Trickbot operators and is classified as a backdoor/loader trojan. BazaLoader is often used to deploy Ryuk and Conti ransomware, which are also Trickbot-affiliated.

Operators have been known to distribute BazaLoader via two-pronged vishing attacks where victims receive a malicious email encouraging them to call the phone number provided in the email body. The fake call center they then engage with will guide the individual to take action that will infect their devices.

Agent Tesla

Previously demonstrating modest volume, Agent Tesla made its way to the second most commonly observed payload, representing just over 14% of reports in Q3. Agent Tesla is a Remote Access Trojan (RAT) first discovered in 2014. Available as a malware-as-a-service (MaaS), Agent Tesla creators previously advertised the tool as a benign RAT designed to monitor your personal computer. It has since established itself as a popular emissary of deception, known for stealing credentials, keystrokes, and other sensitive information from user devices.


Dridex, often used in the initial stages of a ransomware attack and associated with the operators behind Evil Corp, increased more than 9% during Q3 after contributing to just over 1% of malware activity in Q2. Dridex has been linked to a variety of ransomware families since its creation in 2012, and boasts a wide-range of information-stealing capabilities as well as enhanced obfuscation techniques.

Malware family antics and iterations continue to make attacks unpredictable and damaging as newer, lesser known threats emerge. There are multiple avenues of collaboration for malware and ransomware families, allowing trends to overlap and increasing the odds that an attack will be successful. As ransomware operators ruthlessly target critical infrastructure and healthcare facilities, government pushback is causing some families to quiet operations, allowing others the opportunity to step into the spotlight. PhishLabs will continue to monitor these attack methods to help keep security teams aware of the latest malware trends.

Additional Resources: