Quarterly Threat Bulletin: Q1 of 2022

Blog Author
Uptycs Threat Research

The Uptycs threat research team regularly monitors the TTPs (tactics, techniques and procedures) of the latest malware using our threat intelligence sources and systems. Organizations can use this bulletin as a tool to evaluate and form a more robust detection and protection posture against the latest cyber security threats in Windows, Linux and macOS platforms.

The threat bulletin covers several aspects, such as:

  1. Techniques used by the malware samples in our threat intel sources
  2. Commonly abused commands and utilities in Windows, Linux and macOS platforms
  3. Top prevalent malware families in the wild for Windows, Linux and macOS platforms
  4. Uptycs Threat Research articles published by the threat research team
  5. Threat actors observed for the quarter
  6. Malware/targeted attacks for the quarter
  7. Vulnerabilities/exploits in Windows, Linux and macOS platforms
  8. General recommendations based on our observations


The key highlights of our recently published Q1'2022 threat bulletin are:

  1. As a result of the ongoing Russian invasion of Ukraine, there have been many cyber attacks on Ukraine from the Russian threat actors, including destructive Wipers such as HermeticWiper, IsaacWiper and WhisperGate.
  2. In this quarter, we have observed the following prevalent malware
    1. Emotet and RedLine Stealer are the prevalent malware in Q1 2022 for Windows platforms, taking that spot from Formbook and IcedID in Q4 2021.
    2. Mirai and Prometei were seen in large numbers in Q1 2022 on the Linux platform.
    3. Shlayer continues to be evergreen in action on macOS.
  3. Rundll32.exe is the most abused utility for Windows and openssl has taken the top spot in abused utilities in Linux.
  4. Lapsus$ has disclosed numerous cyberattacks against large companies, with confirmed attacks against NVIDIA, Okta, Samsung, Vodafone, Ubisoft, and Mercado Libre.
  5. Threat actor activity from Primitive Bear APT, MuddyWater, Lazarus, APT27, APT41, OceanLotus, FIN7 has been reported.
  6. A new Linux kernel vulnerability (CVE 2022-0847) has been discovered affecting Linux kernel versions since 5.8 allowing attackers to escalate privilege.
  7. Two Google Chrome zero-day vulnerabilities (CVE-2022-0609 and CVE-2022-1096) were reported to be exploited in the wild.


An excerpt of the Commonly abused commands and utilities in Windows, Linux and macOS platforms (during January 2022 - March 2022) is shown below.


Image from iOS


Read the full report here

threat bulletin cta image