Cyber threat categories and definitions
Learn how Cisco Umbrella classifies cyber threats
Cisco cyber threat taxonomy classes
Cisco Umbrella’s security classifications give you fine-grained control over exactly what you block and report. Our view of DNS traffic across the internet provides insight into malicious domains, IPs, and URLs. This threat taxonomy delivers real-time context on malware, phishing, botnets, trojans and other threats, enabling faster, more confident incident investigation and response.
We use three levels of classification:
1. Cyber Threat Category
Categories are the highest-level groups of threats that share methods and objectives.
2. Cyber Threat Type
Types are functional groups of specific threats that use similar techniques in the cyber attack chain.
3. Individual Cyber Threat
Specific, named threats with a unique combination of tactics, techniques, and procedures (TTPs), at the most granular level.
Level 1:
Threat Categories
Malware: Websites and other servers that host malicious software, drive-by downloads/exploits, mobile threats, and more.
Command and Control (C2) Callbacks: Compromised devices get instructions and malware downloads by communicating with attackers’ infrastructure.
Newly Seen Domains: Domains that have become active very recently. These are often used in new attacks.
Phishing Attacks: Fraudulent websites that aim to trick users into handing over personal or financial information.
Cryptomining: Domains belonging to cryptocurrency mining pools and web-based miners. Blocking this category lets organizations control cryptominer access to mining pools and web miners.
Dynamic DNS: Sites hosted on dynamic DNS services. Such hostnames are cheap to create and can be repointed to new infrastructure in minutes, so they are frequently abused for command and control and malware hosting.
Potentially Harmful Domains: Domains that exhibit suspicious behavior and may be part of an attack.
DNS Tunneling VPN: VPN services that allow users to disguise their traffic by tunneling it through the DNS protocol. These can be used to bypass corporate policies regarding access and data transfer.
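The DNS Tunneling VPN category above is detected, in practice, from the shape of the queries rather than from any single domain: a tunnel produces a stream of unique, long, high-entropy subdomains under one registered domain, often with record types (TXT, NULL) that carry bulky answers. The following Python is an added illustration of that heuristic, not Cisco Umbrella code; the log lines are constructed for the example, the registered-domain split (last two labels, rather than the Public Suffix List) is a simplification, and the thresholds are illustrative assumptions that a deployment would tune against its own baseline.

```python
"""Heuristic DNS tunneling detector over a passive DNS query log.

Added example, not Cisco Umbrella code. The log lines are constructed,
and the thresholds are illustrative assumptions, not Umbrella's.
"""
import math
from collections import defaultdict

# Constructed sample log: (client, query name, query type).
# 10.0.0.7 is tunneling: every query carries a long, high-entropy payload
# label under tun.example.net. 10.0.0.6 talks to a CDN that also uses unique
# labels, but short ones; 10.0.0.5 shows ordinary browsing.
SAMPLE_LOG = [
    ("10.0.0.5", "www.example.com", "A"),
    ("10.0.0.5", "www.example.com", "A"),
    ("10.0.0.5", "mail.example.com", "MX"),
    ("10.0.0.5", "api.example.com", "A"),
    ("10.0.0.5", "www.example.com", "AAAA"),
    ("10.0.0.6", "a1b2.cdn.example.org", "A"),
    ("10.0.0.6", "c3d4.cdn.example.org", "A"),
    ("10.0.0.6", "e5f6.cdn.example.org", "A"),
    ("10.0.0.6", "g7h8.cdn.example.org", "A"),
    ("10.0.0.6", "i9j0.cdn.example.org", "A"),
    ("10.0.0.7", "k3j9d2m5x8q1w7e4r6t0y2u5i9o3p1a4s7d0f3g6.tun.example.net", "TXT"),
    ("10.0.0.7", "h4g8f1d5s9a2p6o0i3u7y1t5r9e3w7q2x6m0z4c8.tun.example.net", "TXT"),
    ("10.0.0.7", "z2x6c0v4b8n1m5q9w3e7r1t5y9u2i6o0p4a8s3d7.tun.example.net", "TXT"),
    ("10.0.0.7", "l5k9j3h7g1f5d9s3a7p1o5i9u3y7t1r5e9w3q7z2.tun.example.net", "TXT"),
    ("10.0.0.7", "m1n5b9v3c7x1z5a9s3d7f1g5h9j3k7l1q5w9e3r7.tun.example.net", "TXT"),
    ("10.0.0.7", "p8o4i0u6y2t8r4e0w6q2z8x4c0v6b2n8m4l0k6j2.tun.example.net", "TXT"),
]


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Split a query name into (registered domain, subdomain part).

    Assumption: the registered domain is the last two labels. A real
    deployment would consult the Public Suffix List instead.
    """
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) <= 2:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def profile_domains(log):
    """Aggregate, per registered domain, the signals a tunnel leaves behind."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "sub_len": 0, "entropy": 0.0, "bulky": 0})
    for _client, qname, qtype in log:
        domain, sub = split_name(qname)
        s = stats[domain]
        s["queries"] += 1
        s["subdomains"].add(sub)
        payload = sub.replace(".", "")       # the part a tunnel encodes data in
        s["sub_len"] += len(payload)
        s["entropy"] += shannon_entropy(payload)
        if qtype in ("TXT", "NULL"):         # record types that carry bulky answers
            s["bulky"] += 1
    return stats


def flag_tunnels(log, min_queries=5, min_unique_ratio=0.8,
                 min_avg_len=30, min_avg_entropy=3.0):
    """Return registered domains whose query pattern looks like tunneling.

    Three signals must agree: nearly every query uses a new subdomain, the
    subdomains are long, and their characters are close to uniformly
    distributed. Requiring all three keeps the CDN traffic (unique but
    short labels) and normal browsing (few, repeated labels) unflagged.
    """
    flagged = []
    for domain, s in profile_domains(log).items():
        n = s["queries"]
        if n < min_queries:
            continue
        unique_ratio = len(s["subdomains"]) / n
        avg_len = s["sub_len"] / n
        avg_entropy = s["entropy"] / n
        if (unique_ratio >= min_unique_ratio and avg_len >= min_avg_len
                and avg_entropy >= min_avg_entropy):
            flagged.append(domain)
    return sorted(flagged)


if __name__ == "__main__":
    print(flag_tunnels(SAMPLE_LOG))
```

The detector reports the registered domain (here example.net) because that is the unit an attacker controls and the unit a DNS policy blocks; the per-client column is kept in the log so the same profile can be computed per source address to find the infected host.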
Level 2:
Threat Types
Adware: Adware, or advertising-supported software, is any software package that automatically renders advertisements in order to generate revenue for the author. The advertisements may be in the user interface of the software or presented in the web browser. Adware may cause tabs to open automatically that display advertising, make changes to the home page settings in your web browser, offer ad-supported links from search engines, or initiate redirects to advertising websites.
APT: An APT (Advanced Persistent Threat) is a set of stealthy and continuous computer hacking processes, orchestrated by a well-resourced actor (state-sponsored groups or organized cyber criminals) against a specific entity. An APT usually targets organizations and/or nations for business or political motives.
Backdoor: A Backdoor is a type of Trojan that enables threat actors to gain remote access and control over a system. The Backdoor is often the final stage in gaining full control over a system.
Botnet: A botnet is a number of Internet-connected systems infected with malware that communicate and coordinate their actions received from command and control (C&C) servers. The infected systems are referred to as bots. The most typical uses of botnets are DDoS attacks on selected targets and the propagation of spam.
Browser Hijacker: A Browser Hijacker is any malicious code that modifies a web browser’s settings without a user’s permission, to inject unwanted advertising into the user’s browser or redirect to fraudulent or malicious sites. It may replace the existing home page, error page, or search page with its own. It can also redirect web requests to unwanted destinations.
Bulletproof Hosting: Bulletproof hosting is a service provided by some domain hosting or web hosting firms that allows their customer considerable leniency in the kinds of material they may upload and distribute. This type of hosting is often used for spamming, phishing, and other illegal cyber activities.
Cryptojacking: Cryptojacking is malicious cryptomining: the covert use of a system’s computing resources to mine cryptocurrency. It is initiated either by malware installed on the host or by web cryptominers embedded in website code.
Drive-by Download: Any download that happens without a person’s consent or knowledge.
Dropper: A dropper is a program or malware component designed to install some other malware (ransomware, a backdoor, etc.) on a target system. The dropper may download that malware to the target machine from a command and control server or from another remote location.
Exploit Kit: An exploit kit is a software kit designed to run on web servers with the purpose of identifying software vulnerabilities in client machines communicating with it, and discovering and exploiting vulnerabilities to upload and execute malicious code on the client.
Fast Flux Botnet: Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies. It can also refer to the combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy redirection used to make malware networks more resistant to discovery and counter-measures.
Information Stealer: An information stealer is a trojan that harvests keystrokes, screenshots, network activity, and other information from systems where it is installed. It may covertly monitor user behavior and harvest personally identifiable information (PII) including names and passwords, chat program contents, websites visited, and financial activity, and it may be able to record video or activate any connected camera or microphone. Collected information may be stored locally and later retrieved, or transmitted to a command and control server.
Loader: A loader is a type of malware or malicious code used in the loading of a second-stage malware payload onto a victim’s system. The loader is able to hide a malware payload inside the actual loader code instead of contacting a remote location to download a second-stage payload.
Malvertising: Malvertising involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages. Malvertising is often used in exploit kit redirection campaigns.
Mobile Trojan: A mobile trojan is a trojan designed to target and infect mobile phones running Android, iOS, Windows or other mobile operating systems.
Point-of-sale Malware: Point-of-sale malware (POS malware) is used by cybercriminals to target point of sale terminals with the intent to obtain credit card and debit card information by reading the device memory from the retail checkout point of sale system.
Ransomware: Ransomware is computer malware that installs covertly on a victim’s computer, encrypts files, and demands a ransom be paid to decrypt the files or to prevent the attacker from publishing the victim’s data publicly.
Remote Access Trojan (RAT): A Remote Access Trojan (RAT) is malware that allows covert surveillance of, or unauthorized access to, a compromised system. RATs communicate with their operators over a command and control channel, often using a custom or obfuscated protocol. The actions performed vary but follow typical trojan techniques: monitoring user behavior, exfiltrating data, lateral movement, and more.
Rootkit: A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or areas of its software that would not otherwise be allowed (for example, to an unauthorized user) and often masks its existence or the existence of other software.
Scareware: Scareware is a form of malicious software or website that uses social engineering to give the perception of a threat in order to manipulate users into buying or installing unwanted software. Scareware misleads users by using fake alerts to trick them into believing there is malware on their computer, and manipulates them into paying money for a fake malware removal tool or allowing an entity remote access to their system to clean the malware. Instead of remediation, the software or remote entity delivers malware to the computer.
Sinkhole: A DNS sinkhole, also known as a sinkhole server, is a DNS server that deliberately returns false answers for the domain names it covers, typically an address controlled by defenders, so that traffic is redirected away from its intended target. DNS sinkholes are often used to disrupt botnet command and control servers and to identify infected hosts from the connections that arrive at the sinkhole.
Spam: Spam is an unwanted, unsolicited message that can be received through email or SMS texts. Spam is sent to many users in bulk. It is often sent through the means of a botnet. Spam can contain advertising, scams, or soliciting. In the case of malspam or malicious spam, it contains malicious attachments or links that lead to malware.
Spyware: Spyware gathers information about a person or organization without their knowledge. It may assert control over a computer without the user’s knowledge.
Trojan: A Trojan is malware which is used to compromise a system by misleading users of its true intent. Trojans typically create a backdoor, exfiltrate personal information, and can deliver additional malicious payloads.
Worm: A computer worm is malware that replicates itself in order to spread to other computers. Worms typically spread through the computer network or removable storage devices that are shared between systems, relying on security failures on the target computer.
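The Fast Flux Botnet and Sinkhole entries above describe two sides of the same DNS control point: fast flux shows up in passive DNS as a name that answers with many unrelated addresses at very short TTLs, and a sinkhole is a resolver policy that replaces the real answer for such a name with a defender-controlled address. The Python below is an added example, not Cisco Umbrella code, that scores constructed passive DNS observations for fast-flux behavior and then applies a sinkhole policy to names that score as flux. The records, the thresholds, the /16-prefix diversity measure (a stand-in for ASN diversity) and the sinkhole address 192.0.2.1 (from the TEST-NET-1 documentation range) are all illustrative assumptions.

```python
"""Fast-flux scoring over passive DNS resolutions, with a sinkhole policy.

Added example, not Cisco Umbrella code. The observations, thresholds and
sinkhole address are illustrative assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Resolution:
    ts: int       # observation time (epoch seconds)
    qname: str    # queried name
    ip: str       # answered IPv4 address
    ttl: int      # TTL of that answer, in seconds


# Constructed passive DNS observations. www.example.com behaves like a site
# on a small hosting block (two IPs in one /16, long TTL). flux.example.net
# hands out a fresh address from an unrelated network on every lookup with
# a very short TTL: the signature of a fast-flux proxy network.
OBSERVATIONS = [
    Resolution(1000, "www.example.com", "203.0.113.10", 3600),
    Resolution(1600, "www.example.com", "203.0.113.11", 3600),
    Resolution(2200, "www.example.com", "203.0.113.10", 3600),
    Resolution(1000, "flux.example.net", "100.64.1.5", 60),
    Resolution(1060, "flux.example.net", "100.65.2.9", 60),
    Resolution(1120, "flux.example.net", "100.66.3.14", 60),
    Resolution(1180, "flux.example.net", "100.67.4.22", 60),
    Resolution(1240, "flux.example.net", "100.68.5.31", 60),
    Resolution(1300, "flux.example.net", "100.69.6.47", 60),
    Resolution(1360, "flux.example.net", "100.70.7.58", 60),
]

SINKHOLE_IP = "192.0.2.1"  # assumption: a defender-controlled sinkhole address


def prefix16(ip: str) -> str:
    """Return the /16 prefix of an IPv4 address, a cheap proxy for network diversity."""
    return ".".join(ip.split(".")[:2])


def flux_stats(observations):
    """Per queried name: observation count, distinct IPs, distinct /16s, lowest TTL."""
    per_name = defaultdict(list)
    for r in observations:
        per_name[r.qname].append(r)
    stats = {}
    for qname, recs in per_name.items():
        stats[qname] = {
            "observations": len(recs),
            "distinct_ips": len({r.ip for r in recs}),
            "distinct_prefixes": len({prefix16(r.ip) for r in recs}),
            "min_ttl": min(r.ttl for r in recs),
        }
    return stats


def is_fast_flux(s, min_ips=5, min_prefixes=4, max_ttl=300) -> bool:
    """Flag a name that rotates through many addresses in many networks with short TTLs.

    All three conditions are required: a CDN also rotates addresses with short
    TTLs, but it normally does so within its own address blocks, so the
    prefix-diversity test is what separates it from a flux network here.
    """
    return (s["distinct_ips"] >= min_ips
            and s["distinct_prefixes"] >= min_prefixes
            and s["min_ttl"] <= max_ttl)


def answer(qname: str, stats, live_answers):
    """Resolver policy hook: sinkhole names scored as fast flux, else pass through.

    `live_answers` are the addresses the upstream resolver returned; for a
    sinkholed name they are discarded and only SINKHOLE_IP is handed back,
    so the client connects to the sinkhole instead of the flux network.
    """
    s = stats.get(qname)
    if s is not None and is_fast_flux(s):
        return [SINKHOLE_IP]
    return list(live_answers)


if __name__ == "__main__":
    stats = flux_stats(OBSERVATIONS)
    for name, s in stats.items():
        print(name, s, "fast-flux" if is_fast_flux(s) else "ok")
    print(answer("flux.example.net", stats, ["100.71.8.9"]))
    print(answer("www.example.com", stats, ["203.0.113.10"]))
```

In production the prefix count would be replaced by ASN lookups and combined with domain age (a fast-flux name is usually also a newly seen domain), and the sinkhole's own logs become the list of hosts that tried to reach the botnet.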
Level 3:
Individual Threats
This is a sample of the data stored in Umbrella. There are more than 235 individual threats that have been categorized as of June 2021 – and growing.
Dridex: Dridex/Cridex is a trojan that was first observed in 2012. Dridex is widely spread and is responsible for stealing banking credentials of approximately 300 banks and other financial institutions in over 40 countries. It is primarily spread through malspam with malicious document attachments.
Type: Trojan
Target geolocations: US, Europe
Emotet: Emotet was a banking trojan that was first detected in 2014. The trojan’s infrastructure was disrupted in January 2021 by authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust. Emotet evolved into a massive botnet that delivered large amounts of malspam with malicious document attachments that led to the Emotet trojan. The trojan also functioned as a dropper for 2nd stage payloads including, but not limited to, TrickBot, Qakbot and Ryuk.
Type: Trojan
Target geolocations: USA, Mexico, South Africa, Chile, India, Canada, Colombia, Germany, UK, Argentina
Glupteba: Glupteba is a trojan usually dropped by exploit kits. It can drop additional malware onto a system and add the affected system to a botnet. It has been seen masquerading as an updater for legitimate software.
Type: Trojan
Target geolocations: Europe, Canada, US
Hancitor: Hancitor (also known as Tordal or Chanitor) is a trojan spread through malspam with malicious document attachments or malicious download links. It was first observed in 2014. The main goal of Hancitor is to drop other malware onto a system. It has been associated with dropping additional malware payloads such as Vawtrak and Pony. New versions of Hancitor use a fileless attack technique. Recent campaigns deliver FlickerStealer to the infected users.
Type: Trojan
Target geolocations: Worldwide
IcedID: Also known as BokBot, IcedID is a modular banking trojan first discovered in 2017. IcedID has most often been distributed as a 2nd stage payload dropped by Emotet. The trojan uses redirection attacks, installing a local proxy to redirect users to cloned banking sites and steal financial information, including login credentials for online banking sessions. Since 2017 the trojan has evolved, and today it is often used as a loader for other malware, including ransomware.
Type: Trojan
Target geolocations: US, Canada, UK
MageCart MirrorThief: MageCart MirrorThief is an information-skimming script that is usually placed on the checkout pages of e-commerce sites. The attack injects the skimmer script into the checkout area, where it steals credit card information during the victim’s checkout process.
Type: Information Stealer
Target geolocations: Europe, Canada, US
RigEK: RigEK is an exploit kit that uses drive-by techniques. It first checks whether the user’s computer has a driver file associated with a particular antivirus product, then looks for particular installed browser plugins and attempts to exploit them. If the kit successfully exploits any of these vulnerabilities, malware is downloaded onto the victim’s computer. Rig has been found dropping a range of different malware samples, including banking trojans and ransomware.
Type: Exploit Kit
Target geolocations: Worldwide
Sodinokibi: Sodinokibi, also known as REvil, is a ransomware first identified in April 2019. It encrypts the data in the user’s directories on a Windows system and demands a ransom. It gains a foothold by exploiting vulnerabilities in internet-exposed systems and through affiliate campaigns whose loaders provide initial access. It also deletes the Volume Shadow Copies on the machine to hinder recovery from local backups.
Type: Ransomware
Target geolocations: Asia, Europe, US
SUNBURST: A sophisticated supply-chain backdoor first seen in the SolarWinds incident, in which adversaries compromised updates to SolarWinds’ Orion IT monitoring and management software. The backdoor communicates with third-party servers over HTTP. It is loaded by the trojanized component before the legitimate code runs, so as not to alert the victim that anything is amiss. After a period of dormancy, which can last up to two weeks, the backdoor is able to execute commands to transfer and execute files, profile the system, reboot the machine, and disable system services.
Type: Backdoor
Target geolocations: Predominantly the U.S., but SUNBURST has been observed in Europe, Asia, and the Middle East as well.
Ursnif/Gozi: Ursnif is a banking trojan and a variant of the Gozi malware. It has been active for over a decade, continuously evolving over time. Ursnif is spread through malspam with malicious document attachments, malvertising and exploit kits.
Type: Trojan
Target geolocations: Japan, US, Asia, Italy
WebCryptoMiner: WebCryptoMiners are typically written in JavaScript and run within a user’s browser, using the visitor’s CPU to compute proof-of-work hashes, with the goal of mining cryptocurrency for the individual or group that planted the JavaScript code.
Type: Cryptojacking
Target geolocations: Any