Nuspire’s Q1 2023 Cyber Threat Report Shows Spike in Exploits, Botnets and Malware

Nuspire’s latest threat report, which analyzes threat data from Q1 2023, revealed the record-breaking threat numbers clocked in 2022 are showing no signs of slowing in 2023. Nuspire’s threat intelligence pros, Josh Smith, Cyber Threat Analyst, and Justin Heard, Director of Threat Intel & Hunting, dove into the data to not only discuss the key findings, but also provide actionable recommendations on how organizations can protect themselves. Read on to get the highlights.

Malware: New phishing methods emerging, likely to shift again soon

Q1 By the Numbers

  • 3,361,664 total
  • 673 unique variants detected
  • 280,138 detections per week
  • 40,019 detections per day
  • 39.19% increase in total activity from Q4 2022

Malware activity jumped in Q1 2023, with JavaScript variants nearly doubling.

“Microsoft’s blocking of macros has continued to force threat actors to shift their tactics,” said Josh. “In this case, adversaries are using JavaScript phishing scripts to create fake websites that can harvest login credentials from unwitting victims.”

Microsoft’s security measures haven’t stopped all threat actors from using its Office suite to launch attacks. While Microsoft Excel variant activity has dropped, there has been a notable increase in the use of OneNote files to embed scripts as threat actors evolve their methods.

“Thankfully, Microsoft responded quickly, announcing plans to block 120 dangerous file extensions in April,” said Josh. “Now the question is, where will they go next? We’ll have more to discuss in our next threat report, but initial indications are telling us QR code phishing might become a new favorite tactic.”

Botnets: Remote access trojan (RAT) activity on the rise

Q4 By the Numbers

  • 1,172,718 total
  • 36 unique botnets detected
  • 97,726 detections per week
  • 13,960 detections per day
  • 58.23% increase in total activity from Q4 2022

Out of Nuspire’s top five botnets, Torpig Mebroot continues to dominate; however, the company has seen two new botnets emerge: NetSupport RAT and FatalRAT.

“We hadn’t witnessed much activity from NetSupport RAT before March 2023, but during that month, activity was high enough to rank it as the second-most observed botnet in Q1,” said Josh. “NetSupport is tricky because it’s a legitimate tool for remote access. Threat actors are using it to do a variety of things, including creating fake games to gain access and ultimately take control over your computer.”

FatalRAT is another newcomer to the list and is popular with the PurpleFox threat actor group. The group uses FatalRAT to distribute trojanized installers that appear legitimate to bypass security software. Once inside, FatalRAT can log keystrokes, download and install additional payloads, and more.

Exploits: Activity more than doubles

Q4 By the Numbers

  • 253,906,769 total
  • 325 unique exploits detected
  • 21,158,897 exploits detected per week
  • 3,022,699 exploits detected per day
  • 151.66% increase in total activity from Q4 2022

Brute forcing continues to be the most popular exploit by a significant margin. The volume of attacks using this method is so high, that it makes it difficult to understand the impact of other exploits. With that in mind, the Nuspire team opted to exclude brute forcing from its Top 5 Exploits list to better visualize additional exploits and their impacts. The top exploit following brute forcing was once again Apache Log4j.

Other exploits to look out for include Zoho ManageEngine RCE and Hikvision product command injections. Zoho ManageEngine RCE came to light in mid-January.

“While there weren’t any indications of threat actors exploiting this vulnerability in the wild, it’s important to note that the ease of the exploit could allow for a ‘spray and pray’ approach, where threat actors can continually launch attempts until one succeeds,” Josh said. “Just because it hasn’t happened yet doesn’t mean it won’t.”

Josh added the importance of patching, and how organizations shouldn’t wait until a patch is publicly announced before they install it.

“Threat actors go after the organizations that are slow to patch, so it’s important you apply a patch as soon as the vendor releases it,” said Josh.

Case in point? The Hikvision product command injections exploit. Once the vulnerabilities in Hikvision technology were publicized, the number of exploitation attempts doubled from Q4 2022.

Industry Spotlight: Technology

Supply chain attacks are growing in popularity and scale, and organizations within the technology industry need to be on high alert. With supply chain attacks, not only is the company with the vulnerability at risk, but also every company that does business with that vulnerable company. What’s more, Nuspire cited the emergence of double supply chain attacks.

“3CX, which is a phone system software provider, was unknowingly breached, giving the threat actor access to 3CX’s clients,” said Josh. “It became a double supply chain attack when the threat actor created malicious copies of 3CX’s software and pushed it to their clients, many of which had whitelisted 3CX’s software updates.”

Josh added that he believes supply chain attacks have surpassed ransomware as the biggest threats to watch out for since they can affect a multitude of organizations.


Justin provided his recommendations that organizations can use to better protect themselves from a continuing onslaught of attacks.

“It’s important to remember to take a layered approach,” said Justin. “No one single piece of security technology is going to protect you.”

Justin reiterated the criticality of patching and added that it’s imperative to provide adequate employee education and training.

“With the sophistication of phishing attacks these days, it’s harder and harder for employees to discern which communications are legitimate,” said Justin. “By taking the time to continually bring awareness to new and evolving tactics, you can save a lot of time on the back end by not having to remediate preventable attacks.”

If you’d like to watch the webinar, you can access it on demand: Watch the Webinar.

To review Nuspire’s Q1 2023 threat data and analysis, you can download the full report.

Have you registered for our next event?