Initial Access & Malware Delivery Landscape

Nodes:

| Node | Type | Description |
|---|---|---|
| Agent Tesla | Trojan/Backdoor | |
| ALPHV/BlackCat | Ransomware | |
| Amadey | Trojan/Backdoor | |
| Anubis | Trojan/Backdoor | |
| AresLoader | Loader | |
| Arkei | Infostealer | |
| AsyncRAT | Trojan/Backdoor | |
| Atera | Remote Administration Tool | |
| Azorult | Trojan/Backdoor | |
| AzoRult | | |
| Batloader | Loader | |
| BitPaymer | Ransomware | TTP Summary: |
| BitRat | Trojan/Backdoor | |
| Black Basta | Ransomware | TTP Summary: |
| BLISTER | Loader | |
| BlueCrab | Ransomware | |
| Brute Ratel | OST/Framework | |
| Bumblebee | Loader | TTP Summary: |
| CHTHONIC | Trojan/Backdoor | |
| Clop | Ransomware | TTP Summary: |
| Cobalt Strike Beacon | OST/Framework | TTP Summary: |
| CoinSurf | Cryptominer | |
| Conti | Ransomware | TTP Summary: |
| DanaBot | Trojan/Backdoor | |
| Dark Cat | Trojan/Backdoor | |
| DarkVNC | Trojan/Backdoor | |
| DBatLoader | Loader | |
| DcRAT | Trojan/Backdoor | |
| Djvu | Ransomware | |
| DONUT | Loader | |
| DoppelPaymer | Ransomware | |
| Dridex | Trojan/Backdoor | TTP Summary: |
| Egregor | Ransomware | TTP Summary: |
| Emotet | Trojan/Backdoor | TTP Summary: |
| EMPIRE | OST/Framework | TTP Summary: |
| Entropy | Ransomware | |
| Formbook | Loader | TTP Summary: |
| Gootkit payload | Trojan/Backdoor | |
| Gootloader | Loader | TTP Summary: |
| Grace | Packer | |
| GuLoader | Loader | TTP Summary: |
| Hancitor | Trojan/Backdoor | TTP Summary: |
| Hidden VNC | Trojan/Backdoor | |
| Hive | Ransomware | TTP Summary: |
| IcedID | Trojan/Backdoor | TTP Summary: |
| Keyhole | Trojan/Backdoor | |
| KOADIC | Trojan/Backdoor | TTP Summary: |
| Kronos | Trojan/Backdoor | |
| LockBit | Ransomware | TTP Summary: |
| Lokibot | Trojan/Backdoor | TTP Summary: |
| Macaw | Ransomware | |
| Maze | Ransomware | TTP Summary: |
| Meterpreter | OST/Framework | |
| NanoCore | Trojan/Backdoor | TTP Summary: |
| NetSupport | Trojan/Backdoor | |
| Netwire | Remote Administration Tool | TTP Summary: |
| NjRAT | Trojan/Backdoor | TTP Summary: |
| Osiris | Trojan/Backdoor | |
| PhoenixLocker | Ransomware | |
| Play | Ransomware | |
| PoshC2 | OST/Framework | TTP Summary: |
| PrivateLoader | Loader | TTP Summary: |
| PsExec | Remote Administration Tool | TTP Summary: |
| PureCrypter | Loader | |
| QakBot | Trojan/Backdoor | TTP Summary: |
| Quantum | Ransomware | |
| Raccoon Stealer | Infostealer | TTP Summary: |
| Raccoon Stealer v2 | Infostealer | TTP Summary: |
| RansomExx | Ransomware | |
| Raspberry Robin | Botnet/Worm | |
| RedLine Stealer | Infostealer | TTP Summary: |
| Remcos | Trojan/Backdoor | TTP Summary: |
| REvil | Ransomware | TTP Summary: |
| ScreenConnect | Remote Administration Tool | |
| Sliver | OST/Framework | TTP Summary: |
| SmokeLoader | Loader | |
| Snake Keylogger | Infostealer | |
| SNOWCONE | Loader | |
| SocGholish | Loader | TTP Summary: |
| SunCrypt | Ransomware | |
| SVCReady | Loader | |
| SystemBC | Trojan/Backdoor | TTP Summary: |
| TrickBot | Trojan/Backdoor | TTP Summary: |
| Truebot | Loader | |
| Ursnif | Trojan/Backdoor | TTP Summary: |
| Vidar Stealer | Infostealer | TTP Summary: |
| Warzone RAT | Trojan/Backdoor | TTP Summary: |
| WastedLocker | Ransomware | TTP Summary: |
Links (Source delivers Target; the export's Date column is empty):
Amadey delivers AresLoader
Batloader delivers Atera
Batloader delivers Bumblebee
Batloader delivers Cobalt Strike Beacon
Batloader delivers RedLine Stealer
Batloader delivers SmokeLoader
Batloader delivers Ursnif
Batloader delivers Vidar Stealer
BLISTER delivers BitRat
BLISTER delivers Cobalt Strike Beacon
BLISTER delivers LockBit
Brute Ratel delivers ALPHV/BlackCat
Bumblebee delivers Cobalt Strike Beacon
Bumblebee delivers IcedID
Bumblebee delivers Meterpreter
Bumblebee delivers RedLine Stealer
Bumblebee delivers Sliver
Cobalt Strike Beacon delivers ALPHV/BlackCat
Cobalt Strike Beacon delivers Black Basta
Cobalt Strike Beacon delivers Clop
Cobalt Strike Beacon delivers Hive
Cobalt Strike Beacon delivers LockBit
Cobalt Strike Beacon delivers WastedLocker
DBatLoader delivers Formbook
DBatLoader delivers Remcos
Dridex delivers Entropy
Dridex delivers ScreenConnect
Emotet delivers ALPHV/BlackCat
Emotet delivers Bumblebee
Emotet delivers Cobalt Strike Beacon
Emotet delivers IcedID
Emotet delivers QakBot
Emotet delivers Quantum
Emotet delivers TrickBot
Gootloader delivers BlueCrab
Gootloader delivers Cobalt Strike Beacon
Gootloader delivers Gootkit payload
Gootloader delivers IcedID
Gootloader delivers Kronos
Gootloader delivers Osiris
Gootloader delivers PsExec
Gootloader delivers REvil
Gootloader delivers SNOWCONE
Gootloader delivers SunCrypt
Gootloader delivers SystemBC
GuLoader delivers Agent Tesla
GuLoader delivers Formbook
GuLoader delivers Netwire
Hancitor delivers Cobalt Strike Beacon
Hancitor delivers IcedID
IcedID delivers Anubis
IcedID delivers Cobalt Strike Beacon
IcedID delivers Conti
IcedID delivers Dark Cat
IcedID delivers DarkVNC
IcedID delivers Egregor
IcedID delivers Keyhole
IcedID delivers Maze
IcedID delivers Quantum
IcedID delivers RansomExx
IcedID delivers REvil
IcedID delivers Ursnif
PrivateLoader delivers Agent Tesla
PrivateLoader delivers DanaBot
PrivateLoader delivers Dridex
PrivateLoader delivers Formbook
PrivateLoader delivers IcedID
PrivateLoader delivers LockBit
PrivateLoader delivers NjRAT
PrivateLoader delivers QakBot
PrivateLoader delivers Raccoon Stealer
PrivateLoader delivers RedLine Stealer
PrivateLoader delivers SmokeLoader
PrivateLoader delivers TrickBot
PrivateLoader delivers Vidar Stealer
PureCrypter delivers Agent Tesla
PureCrypter delivers Arkei
PureCrypter delivers AsyncRAT
PureCrypter delivers Azorult
PureCrypter delivers DcRAT
PureCrypter delivers Lokibot
PureCrypter delivers NanoCore
PureCrypter delivers RedLine Stealer
PureCrypter delivers Remcos
PureCrypter delivers Snake Keylogger
PureCrypter delivers Warzone RAT
QakBot delivers Atera
QakBot delivers Black Basta
QakBot delivers Brute Ratel
QakBot delivers Cobalt Strike Beacon
QakBot delivers DarkVNC
QakBot delivers Hidden VNC
Raspberry Robin delivers Bumblebee
Raspberry Robin delivers Cobalt Strike Beacon
Raspberry Robin delivers Dridex
Raspberry Robin delivers IcedID
Raspberry Robin delivers LockBit
Raspberry Robin delivers SocGholish
Raspberry Robin delivers Truebot
SmokeLoader delivers CoinSurf
SmokeLoader delivers Djvu
SmokeLoader delivers IcedID
SmokeLoader delivers Raccoon Stealer v2
SmokeLoader delivers RedLine Stealer
SNOWCONE delivers IcedID
SocGholish delivers AzoRult
SocGholish delivers BitPaymer
SocGholish delivers BLISTER
SocGholish delivers CHTHONIC
SocGholish delivers Cobalt Strike Beacon
SocGholish delivers DONUT
SocGholish delivers DoppelPaymer
SocGholish delivers Dridex
SocGholish delivers EMPIRE
SocGholish delivers KOADIC
SocGholish delivers LockBit
SocGholish delivers Lokibot
SocGholish delivers Macaw
SocGholish delivers NetSupport
SocGholish delivers PhoenixLocker
SocGholish delivers PoshC2
SocGholish delivers WastedLocker
SVCReady delivers RedLine Stealer
SystemBC delivers AresLoader
SystemBC delivers Cobalt Strike Beacon
SystemBC delivers Play
TrickBot delivers Cobalt Strike Beacon
TrickBot delivers IcedID
Truebot delivers Clop
Truebot delivers Cobalt Strike Beacon
Truebot delivers Grace
Ursnif delivers Cobalt Strike Beacon


This graph covers major and emerging threats typically used to gain initial access to victim systems, including remote access Trojans (RATs), loaders, and botnets/worms. Adversaries typically use the access gained through these malware families to bring in other, often more impactful threats such as ransomware or cryptominers, either directly or after first loading additional "malware delivery" threats such as other loaders or Trojans. A map of the TTPs associated with many of these threats can be found in the matrix hosted in Tidal's free Community Edition app here (click the labels in the ribbon at the top for further details and sourcing).

Download the full underlying graph analysis dataset, including sourcing, here.
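As an added example (not part of the Tidal dataset or this Onodo export), the following Python treats the "delivers" links above as a directed graph: it lists which ransomware families are reachable from a given initial-access family over any number of delivery hops, and scores each intermediary by how many initial-family-to-ransomware chains would be cut if that one family were reliably detected and stopped. The edge list is a subset of the page's link table (the loader/Trojan to ransomware portion) and the ransomware set is taken from the node table.

```python
from collections import deque

# Added example; edges and types are copied from the page's tables, limited to
# the part of the graph that leads to ransomware. Not Tidal's or Onodo's code.
DELIVERS = {
    "Batloader": ["Bumblebee", "Cobalt Strike Beacon"],
    "Bumblebee": ["Cobalt Strike Beacon", "IcedID"],
    "Brute Ratel": ["ALPHV/BlackCat"],
    "Cobalt Strike Beacon": ["ALPHV/BlackCat", "Black Basta", "Clop", "Hive",
                             "LockBit", "WastedLocker"],
    "Emotet": ["ALPHV/BlackCat", "Bumblebee", "Cobalt Strike Beacon", "IcedID",
               "QakBot", "Quantum", "TrickBot"],
    "IcedID": ["Cobalt Strike Beacon", "Conti", "Egregor", "Maze", "Quantum",
               "RansomExx", "REvil"],
    "QakBot": ["Black Basta", "Brute Ratel", "Cobalt Strike Beacon"],
    "Raspberry Robin": ["Bumblebee", "Cobalt Strike Beacon", "IcedID", "LockBit", "Truebot"],
    "TrickBot": ["Cobalt Strike Beacon", "IcedID"],
    "Truebot": ["Clop", "Cobalt Strike Beacon"],
}
RANSOMWARE = {"ALPHV/BlackCat", "Black Basta", "Clop", "Conti", "Egregor", "Hive",
              "LockBit", "Maze", "Quantum", "RansomExx", "REvil", "WastedLocker"}


def reachable_ransomware(start, blocked=frozenset()):
    """Ransomware reachable from `start` over any number of 'delivers' hops,
    never entering a node in `blocked` (a family assumed detected and stopped)."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in DELIVERS.get(queue.popleft(), []):
            if nxt not in seen and nxt not in blocked:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(seen & RANSOMWARE)


def chains_cut_by(node):
    """Number of (initial family, ransomware) pairs that lose every delivery
    path when `node` is blocked: a choke-point score for prioritising detection."""
    return sum(len(reachable_ransomware(s)) - len(reachable_ransomware(s, {node}))
               for s in DELIVERS if s != node)


def choke_points():
    """Intermediaries ranked by chains_cut_by, highest first (ties by name)."""
    return sorted(DELIVERS, key=lambda n: (-chains_cut_by(n), n))


if __name__ == "__main__":
    for family in ("Batloader", "QakBot", "Truebot"):
        print(family, "->", reachable_ransomware(family))
    print([(n, chains_cut_by(n)) for n in choke_points()[:3]])
```

In this subset, Cobalt Strike Beacon is the single intermediary whose removal breaks the most chains, which matches the intuition that post-exploitation framework detections pay off across many initial-access families.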