Malware analysis reports

NCSC malware analysis reports (MARs) help network defenders understand selected malware threats in more technical depth, and provide indicators and TTPs to support threat hunting or modelling.
The reports focus on technical detail: the features, components and structure of malware samples. We may also include analyst commentary to highlight notable techniques or approaches, but because of the risks around malware reuse and misinformation campaigns, MARs avoid statements on attribution or on use by particular adversaries.
Sometimes reports may accompany wider NCSC advisories, which may explore adversaries and attribution.
While the NCSC makes every effort to assure the quality and accuracy of indicators and signatures, we remind you that they are used at your own risk and that you should carry out your own validation before deploying them.
Content published in this section including reports, detection rules and STIX are licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3. Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
RayInitiator & LINE VIPER
A sophisticated bootkit and user-mode capability, targeting Cisco ASA devices. A significant advancement over LINE DANCER and LINE RUNNER.
Published: 25/09/2025
Updated: 13/10/2025
UMBRELLA STAND
SHOE RACK
A post-exploitation tool for remote shell access & TCP tunnelling through a victim device.
Published: 18/06/2025
AUTHENTIC ANTICS
Highly targeted malware that steals credentials and OAuth 2.0 tokens from Outlook.
Published: 08/05/2025
DAMASCENED PEACOCK
A lightweight, staged downloader targeting Windows, delivered via spear-phishing.
Published: 11/04/2025
Pygmy Goat
Pygmy Goat is a native x86-32 ELF shared object that was discovered on Sophos XG firewall devices, providing backdoor access to the device.
Published: 30/10/2024
Updated: 07/11/2024
Line Dancer
In-memory shellcode loader targeting Cisco Adaptive Security Appliance (ASA) devices.
Published: 24/04/2024
Line Runner
A Lua webshell targeting Cisco Adaptive Security Appliance (ASA) devices and abusing CVE-2024-20359 for persistence.
Published: 24/04/2024
Infamous Chisel
A collection of components associated with Sandworm designed to enable remote access and exfiltrate information from Android phones.
Published: 31/08/2023
Smooth Operator
macOS supply chain malware that exfiltrates victim data using a custom data encoding algorithm over HTTPS.
Published: 29/06/2023
Jaguar Tooth
Cisco IOS malware that collects device information and enables backdoor access.
Published: 18/04/2023
COLDSTEEL
Goofy Guineapig
Persistent Windows backdoor with HTTPS C2 communications.
Published: 13/12/2022
Busy Buzzard
SparrowDoor
A new variant of SparrowDoor with additional functionality.
Published: 28/02/2022
Cyclops Blink
Modular malware framework targeting SOHO network devices.
Published: 23/02/2022
Small Sieve
Telegram Bot API-based Python backdoor with file download and execution capability.
Published: 27/01/2022
Cheeky Chipmunk
Windows malware implemented as an RPC server.
Published: 24/01/2022
Rhythmic Parry
Windows downloader utilising anti-analysis techniques.
Published: 10/01/2022
Jolly Jellyfish
Non-persistent downloader for shellcode embedded in image files.
Published: 15/12/2021
Updated: 15/12/2022
SpecCom
Infinite Second
Devil Bait
Malicious macro-enabled Microsoft Word document and VBScript.
Published: 03/08/2021
Updated: 20/09/2021
Wishful Woodchuck
Hexed Noodle