Most Malicious Malware Threats of 2022 Ranked by OpenText

hacker on computer typing

For the fifth year in a row, OpenText Security Solutions has ranked the year’s “nastiest”  malware threats. After rummaging through data and analyzing behaviors, OpenText could determine which payloads proved to be the most malicious threats in 2022.


Significant Findings


  • In the first four months of 2022, OpenText found an 1100% increase in phishing attacks compared to last year.

  • Emotet regained its spot as the top malicious malware threat.



2022 Most Malicious Malware Ranked


1. Emotet 

First identified in 2014 by cybersecurity researchers, Emotet is a form of Trojan malware, most often spread via spam emails. Carefully disguised as legitimate emails, Emotet often hijacks a target’s contact lists to send malspam supposedly sent by family members, friends, and coworkers to persuade targets to give up sensitive financial and personal information. Once the malware is implanted on one computer, it can spread in a worm-like fashion to other connected computers, making it one of the most malicious malware types to exist. 



2. LockBit 3.0

LockBit 3.0 is the newest and most malicious variant of the notorious LockBit family of ransomware. They are carried out by an unknown group of hackers, this group targets organizations offering only the largest of payouts. This type of malware also operates under the Ransomware-as-a-Service (RaaS) model, which allows individuals to pay to use their LockBit ransomware services. The group’s newest and most malicious advancement includes the use of triple extortion. In addition to stealing data and demanding a ransom, now the group distributes a denial-of-service (DDoS) attack on the target’s entire system, which locks the whole system down, to further bully targets into paying the ransom demanded.  



3. Conti (AKA BlackByte, BlackCat, HelloKitty)

One of the most successful RaaS to date is Conti ransomware. Conti surpasses other ransomware types because of its speedy nature and ability to spread to other computer systems at a rapid rate. Conti malware’s entire process starts with the ransomware’s rapid deployment, which then automatically spreads, encrypts stolen data, creates copies of the data, and releases it into the open market for sale. Although the original Conti internal control servers have been dismantled, the Conti malware has been rebranded into several other operations, with some of the most notable being BlackByte, BlackCat, and HelloKitty.



4. QBot (AKA Qakbot, QuakBot)

Originating back in 2007, QBot is a form of Trojan distributed through phishing emails containing malicious attachments. Upon opening the attachment, the malicious payload is downloaded to the device, allowing the hacker to move throughout the network to access as much data as they want. The main purpose of QBot is to steal a target’s banking information. However, since its origin QBot has continued to be developed with new methods and techniques. 



5. Valyria

Valyria is another Trojan malware that spreads via malspam. Valyria’s attack process starts with the target receiving a spam email containing a malicious Microsoft Word document; upon opening the document, the executable launches and executes a PowerShell script via Windows Management Infrastructure (WMI). Next, the script downloads Valyria payload, which then calls out to command and control for additional malware downloads. The result of this attack is most often ransomware.



6. Cobalt Strike & Brute Ratel

Similarly, both Cobalt Strike and Brute Ratel malware are used by threat actors to deploy agents called “badgers” on compromised network devices and use them to execute commands from a remote location to spread the malware further. Though Cobalt Strike has been so frequently used that it is more easily detectable by cybersecurity software, many threat actors have switched to Brute Ratel as it is less detectable.  




OpenText furthermore stated that even though this list separates payloads into different categories of malware, these threat actors will enlist other groups who specialize in one type to work for them—resulting in each group becoming experts in their respective type. 

OpenText’s EVP and Chief Product Officer, Muhi Majzoub, concluded this year’s findings by commenting: 

“The key takeaway from this year’s findings is that malware remains center stage in the threats posed towards individuals, businesses, and governments. Cybercriminals continue to evolve their tactics, leaving the infosec community in a constant state of catch-up. With the mainstream adoption of ransomware payloads and cryptocurrency facilitating payments, the battle will continue. No person, no business—regardless of size—is immune to these threats.” 

To learn more about the findings of this year’s Nastiest Malware analysis, visit Webroot Community.


Written by Samantha Parker

Samantha Parker is a Partner Marketing Specialist at AgileBlue. She is a proud graduate of Kent State University. Samantha currently serves part-time as a soldier in the Army National Guard.

October 11, 2022

You May Also Like…

Request a Demo

AgileBlue is a software company with an innovative SOC-as-a-Service for 24X7 network monitoring, cloud security, data privacy and compliance.

Our modern SOC-as-a-Service is built on innovative machine learning and autonomous execution. If you would like to discuss our SOC-as-a-Service, Partner Program or schedule a brief demo please give us a little info and we will contact you immediately.