Malware Trends, January - March 2022

Contributed by Dave Piscitello, Interisle Consulting Group

Our quarterly Malware Activity pages report where we observe malware by Top-level Domains, Domain Registrars, and Hosting Networks. Here, we share some closer looks at the malware landscape.

Mozi malware is by far the most frequently identified IoT malware.

The most frequently identified endpoint malware for the period was the remote access trojan (RAT, a.k.a. “backdoor”).

Loaders and information stealers are prevalent among malware identified as targeting endpoint devices.

Malware that infects Internet of Things devices continues to be the most commonly reported malware.

34% of remote access trojans and 44% of botnet malware were hosted on IPv4 addresses delegated to China-Unicom.

14% of malware identified as information stealers (e.g., banking trojans) were hosted on IPv4 addresses delegated to Microsoft.

10% of malware identified as loaders were hosted on IPv4 addresses delegated to Cloudflare.

66% of malware URLs containing domain names were associated with four registered domains.

The malware trends reported here complement the malware activity reported for Top-level Domains, domain registrars, and hosting networks during the January 1, 2022 - March 31, 2022 period.


If you have a novel use for Cybercrime Information Center Data and are interested in sharing with our community, contact us at criminaldomainabuse@interisle.net.