Interactive Report Summary

Q1 2022 Threat Report

Use of malware, botnets and exploits expands; Mirai sees resurgence

Q1 2022 saw an increase in malware, botnet and exploitation events over Q4 2021. Learn more about the biggest threats we saw, including a slew of new vulnerabilities, in our latest report.

Download the Report

Top Findings at a Glance


VBA agents continue to dominate

Password-protected Microsoft Office files a close second


New STRRAT botnet engages in phishing campaign

45 unique botnets detected


Bruteforcing continues to dominate

Apache Log4j remains a popular exploit

SubaruDT Pre-Retailers

Industry Spotlight: Automotive

Automotive continues to be a popular industry target, fending off attacks from Conti Ransomware and Mofang (Superman).

Some of the most popular tactics used by ransomware gangs include spearphishing that leverages malicious Microsoft Office documents, bruteforcing exposed remote desktop protocol, deploying fake software updates and exploiting newly-announced vulnerabilities.


Hover over tiles to learn more


Collects threat intelligence and data from global sources, client devices and reputable third parties.


Data is analyzed by a combination of machine learning, algorithm scoring and anomaly detection.


Using Nuspire’s cloud-based SIEM, log data is ingested and alerts the security operations center (SOC). The SOC then notifies the client and works with them to remediate the threat.


Analysts further scrutinize the research, scoring and tracking of existing and new threats.


Analysts leverage the insights to constantly improve the SOC, alerting, and the community through the creation of detection rules, briefs, and presentations.

Q1 2022 in Review

January through March

Timeline graphic

February 1

New “high-priority” Linux vulnerability affects all supported Ubuntu releases

February 3

Critical vulnerabilities announced in Cisco Small Business RV Series routers

February 8

Microsoft to block Office VBA macros by default

February 9

Critical vulnerabilities affecting SAP applications employing internet communication manager (ICM)

February 24

Russian APT cyberattacks against Ukrainian assets

March 7

New Linux vulnerability gives root access on all major distributions

March 9

CISA releases advisory to patch two actively exploited Firefox zero-day attacks

March 14

Automotive giant Denso reveals ransomware attack

March 18

Russian state-sponsored threat actors exploit default MFA protocols and PrintNightmare

March 22

Okta confirms investigation into potential client breach

March 26

Google releases “emergency patch” for Chrome zero-day attack

March 28

Patch released for Sophos firewall vulnerability that allows remote code execution

March 31

Popular Java web app framework experiences zero-day dubbed “Spring4Shell”

Let's Dive Into the Data


Total Events


Unique Variants


Total Activity


As previously witnessed, VBA Agents continue to dominate malware activity; however, Microsoft’s announcement around blocking VBA macros by default on Office products will likely cripple this attack vector.


Total Events


Unique Variants


Total Activity


STRRAT botnet came on the scene in Q1 2022. STRRAT contains multiple capabilities such as information stealing, keystroke logging and credential harvesting from browsers and email clients. It is typically deployed via phishing campaigns and uses JavaScript agents and malicious Microsoft Excel files with embedded macros.


Total Events


Unique Variants


Total Activity


Bruteforcing was the top exploit in Q1 2022. Threat actors are consistently scanning for exposed services such as SMB and SSH, and if found, will immediately attempt to gain access.

Stay Vigilant

Unfortunately, there is more in store in the cybersecurity threatscape for the rest of 2022. Download the full report to find out how you can prepare and tighten your security controls around the expected challenges highlighted by our security experts.
Download the Report