The top malware and ransomware threats for April 2023
New ransomware gangs and malware abound as hackers continue to evolve their tactics


Alerts for new malware strains and active ransomware groups were spread widely across the security industry throughout March and the first half of April.
New strains of malware targeting organizations of all kinds were discovered, harnessing infection vectors that may not already be in their threat models.
It is important that organizations stay on top of emerging threats and patch their systems against the most prevalent types of attacks.
Patching isn’t always easy, especially in large organizations, but as a bare minimum, organizations are advised to protect against actively exploited threats if a more comprehensive patching operation isn’t feasible.
Knowing what cyber security vulnerabilities and zero days to patch is one thing, but it’s equally important to pay close attention to the ways malware is evolving to bypass security detections so the workforce can be aware of what suspicious activity to look out for.
Here you’ll find a complete list of the most dangerous malware and ransomware threats of April 2023.
OneNote exploited to bypass macro attacks
Ever since Microsoft made the long-awaited decision to disable VBA macros in Office documents by default last year, cyber attackers have been experimenting with inventive ways to deliver malware in a trusted way.
Microsoft OneNote is installed on Windows by default, unlike Word, Excel, and PowerPoint, and can therefore allow all Windows users to open email attachments in the OneNote format regardless of whether they have a Microsoft 365 subscription.
The combination of a malware-laden OneNote file seeming more legitimate and the weaker detection measures the application provides against embedded malware now makes OneNote a more reliable threat vector than Office documents.
Zscaler’s ThreatLabz researchers found that a variety of scripts and malware have been observed running after successful phishing attacks led victims to download and open the files.
Remote access trojans (RATs) and information stealers have been installed following successful attacks.
Researchers also said that MSHTA, WSCRIPT, and CSCRIPT can be executed from within OneNote, using multi-layered obfuscation techniques to evade detection.
CHM, HTA, JS, WSF, and VBS scripts are also supported via OneNote documents.
Organizations should inform their staff about the dangers of OneNote attachments in emails. If an email seems suspicious, it should be checked by the organization’s security team before downloading any attachments.
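As an added defensive example (not code from the article or from Zscaler’s research), the following Python script walks a raw OneNote file, pulls out each embedded file object using the FileDataStoreObject layout from the MS-ONESTORE specification, and classifies the payload with a few content heuristics for the script and executable types listed above. The sniff rules and the sample document are constructed for this example and are not a complete file-type detector.

```python
import struct

# Header and footer GUIDs of a FileDataStoreObject (the MS-ONESTORE structure that
# wraps an embedded file), as they appear on disk. Preamble layout: guidHeader(16),
# cbLength(8, uint64 LE), unused(4), reserved(8), then cbLength bytes of file data.
FDSO_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")
FDSO_FOOTER = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")
FDSO_PREAMBLE = 16 + 8 + 4 + 8

# Content sniffs for the attachment types the article lists (HTA, WSF, JS/VBS, CHM) plus
# executables. Heuristics chosen for this example; most specific first, since order matters.
SNIFFS = [
    ("PE executable", lambda d: d[:2] == b"MZ"),
    ("CHM help file", lambda d: d[:4] == b"ITSF"),
    ("WSF script", lambda d: b"<job" in d.lower() and b"<script" in d.lower()),
    ("HTA/HTML application", lambda d: b"<hta:application" in d.lower() or b"<script" in d.lower()),
    ("VBS/JS script", lambda d: any(k in d.lower() for k in (b"wscript.shell", b"createobject(", b"activexobject"))),
]

def embedded_files(data: bytes):
    """Yield (offset, payload, footer_ok) for every FileDataStoreObject in a raw .one blob."""
    pos = 0
    while (start := data.find(FDSO_HEADER, pos)) >= 0:
        if start + FDSO_PREAMBLE > len(data):
            break  # truncated preamble, nothing more to parse
        (length,) = struct.unpack_from("<Q", data, start + 16)
        body = start + FDSO_PREAMBLE
        payload = data[body:body + length]
        # A missing footer means a truncated or tampered object; report it rather than skip it.
        footer_ok = data[body + length:body + length + 16] == FDSO_FOOTER
        yield start, payload, footer_ok
        pos = body + max(length, 1)

def classify(payload: bytes) -> str:
    return next((label for label, test in SNIFFS if test(payload)), "unknown")

def triage(data: bytes):
    """Return (offset, size, verdict, footer_ok) per embedded file, for logging or mail filtering."""
    return [(off, len(p), classify(p), ok) for off, p, ok in embedded_files(data)]

def build_sample() -> bytes:
    """Constructed sample, not a real document: a PNG image followed by an embedded HTA."""
    def fdso(payload: bytes) -> bytes:
        return FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\0" * 12 + payload + FDSO_FOOTER
    png = b"\x89PNG\r\n\x1a\n" + b"\0" * 16
    hta = b'<html><hta:application id="x"/><script>window.close();</script></html>'
    return b"\0" * 64 + fdso(png) + b"junk" + fdso(hta)
```

Run `triage(build_sample())` to see the PNG reported as unknown and the second object flagged as an HTA; in a mail gateway the verdict would feed a quarantine rule.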
Emotet returns again with new tricks
Trend Micro announced in March that the Emotet botnet has returned once again after another of its trademark periods of downtime.
Emotet was observed mimicking replies in existing email chains, increasing the perceived legitimacy of responses rather than it being a cold email from an unrecognized sender.
While OneNote is being exploited to bypass Microsoft’s VBA macro defenses, Emotet instead deploys social engineering tactics to trick victims into manually re-enabling macros, allowing malicious Office documents to execute commands, like downloading DLLs, and install malware.
The new version of Emotet also uses binary padding - crafting large files, such as 500MB Word documents, to bypass security scans.
The prevailing advice is that workers should remain mindful that attempts to re-enable VBA macros will likely lead to malicious activity and should be flagged to the security team as soon as possible.
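As an added example (not code from the article or from Trend Micro), the following Python helpers measure the binary padding described above and trim trailing filler so the real document content can still be scanned. The candidate padding bytes, the 50MB and 90% thresholds, and the sample file are assumptions made for this example.

```python
# Candidate padding bytes: the trick appends one repeated value, most often 0x00.
PAD_CANDIDATES = (0x00, 0x20, 0xFF)

def padding_profile(data: bytes) -> dict:
    """Measure how much of a file is one repeated byte, and how long its trailing run is."""
    if not data:
        return {"size": 0, "pad_byte": None, "pad_fraction": 0.0, "trailing_run": 0}
    # bytes.count runs in C, so this stays cheap even on a 500MB document.
    pad = max(PAD_CANDIDATES, key=lambda b: data.count(bytes([b])))
    fraction = data.count(bytes([pad])) / len(data)
    trailing = len(data) - len(data.rstrip(bytes([pad])))
    return {"size": len(data), "pad_byte": pad, "pad_fraction": fraction, "trailing_run": trailing}

def is_padded(data: bytes, min_size: int = 50 * 1024 * 1024, min_fraction: float = 0.9) -> bool:
    """Flag files that are large mainly because of repeated filler (thresholds are assumptions)."""
    p = padding_profile(data)
    return p["size"] >= min_size and p["pad_fraction"] >= min_fraction

def strip_padding(data: bytes) -> bytes:
    """Return the file without its trailing filler, so a size-limited scanner still sees the content."""
    p = padding_profile(data)
    return data[: p["size"] - p["trailing_run"]] if p["trailing_run"] else data

def build_sample(pad_len: int = 200 * 1024) -> bytes:
    """Constructed sample: the OLE2 (legacy .doc) magic plus a little content, then null padding."""
    header = bytes.fromhex("d0cf11e0a1b11ae1")
    return header + b"Microsoft Word document body " * 40 + b"\0" * pad_len
```

A gateway would run `is_padded` with a size threshold matched to its scanner’s own limit and pass `strip_padding(data)` to the scanner when the check fires.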
Cl0p overtakes LockBit in ransomware rankings
Cl0p’s exploitation of the vulnerability in GoAnywhere MFT propelled it to the top of Malwarebytes’ ransomware rankings for April, overtaking LockBit by a small margin.
The group claimed to have breached more than 130 organizations in a month, including Procter & Gamble, Virgin Red, Saks Fifth Avenue, and the UK’s Pension Protection Fund (PPF).
Although Cl0p operates its own namesake ransomware program, many of the GoAnywhere-related breaches are thought not to have involved ransomware.
Regardless, Cl0p overtook LockBit this month, after LockBit dominated March with 126 attacks. For context, the second-place gang from last month, ALPHV, only registered 32 attacks.
The reliability of LockBit was questioned earlier this month by DarkTracer International, accusing it of running an inefficient website on the dark web.
“The reliability of the RaaS service operated by LockBit ransomware gang seems to have declined. They appear to have become negligent in managing the service, as fake victims and meaningless data have begun to fill the list, which is being left unattended.” pic.twitter.com/mfGhH93oYh (DarkTracer International, April 12, 2023)
LockBit responded by attempting another of its ‘pranks’, as it has done in the past with the likes of Mandiant and Thales, but it ultimately backfired when its team, which does not speak English natively, confused DarkTracer with Cambridge, UK-based Darktrace.
This forced Darktrace to publicly deny that it had been attacked by LockBit, and the event prompted many in the community to mock the ransomware gang’s mistake.
“Earlier today @darktracer_int stated Lockbit ransomware group was declining and becoming negligent in managing their service. Lockbit responded to them on their onion domain.” pic.twitter.com/3ISlwIZtPw (April 13, 2023)
A patch for the GoAnywhere MFT vulnerability has been available since February and should be applied as a priority if it hasn’t been already to prevent further attacks from Cl0p.
Microsoft signals new ransomware gang on the block in Patch Tuesday
In yet another error-strewn Patch Tuesday from Microsoft, it highlighted an actively exploited zero-day vulnerability.
Researchers identified the new ransomware gang, known as Nokoyawa, as having exploited the vulnerability since February.
Trend Micro’s report on the group linked the operation to the recently taken down Hive group, which claimed attacks on the likes of New York Racing Association, Tata Power, and Altice.
The researchers said the two groups share a number of similarities in their attack chain, such as the use of Cobalt Strike and phishing emails, but noted that Hive’s double extortion technique hasn’t been used by Nokoyawa yet.
FusionCore malware as a service operation
Researchers at CYFIRMA detailed an emerging threat actor believed to be operating from inside Europe earlier this month.
FusionCore has been described as a ‘one-stop shop’ for malware services, with a wide range of tools on offer, plus hacker-for-hire services too.
The malware on offer has been described as “cost-effective, yet customizable”, and its ransomware affiliate scheme provides both a ransomware payload and affiliate software to manage negotiations with victims.
“FusionCore typically provides sellers with a detailed set of instructions for any service or product being sold, enabling individuals with minimal experience to carry out complex attacks,” CYFIRMA said.
A number of indicators of compromise (IOCs) can be found on the researchers’ blog.
Chinese hackers targeting products with no EDR support
Mandiant’s blog in March highlighted a threat actor, which it tracks as UNC3886, targeting products that aren’t supported by endpoint detection and response (EDR) products.
These include firewalls, IoT devices, hypervisors, and VPNs from Fortinet, SonicWall, Pulse Secure, and others.
Dozens of attacks have been investigated by the security firm and have involved the exploitation of zero-day vulnerabilities and the use of custom malware to both steal credentials and maintain a lasting presence in a victim’s IT environment.
Full details of the attack scenarios, their methods, and the products being targeted can be found in Mandiant’s detailed blog.
The takeaway for admins here is that they should be communicating regularly with vendors to ensure any potential threats can be mitigated.
Developers beware of W4SP copycats
Sonatype said that one of the key malware trends for March this year was a continuation of malicious packages being uploaded to the PyPI registry - a destination for developers to download and use software built by the Python community.
It noticed a number of packages mimicking the W4SP stealer - a popular information stealer since the middle of 2022 used to carry out software supply chain attacks.
“These types of packages are a cause for concern as they pose a serious threat to developers who may inadvertently download and install them,” it said.
The packages have since been taken down, but given the ongoing attempts to poison the software supply chain and the damage such attacks can cause (3CX being a recent example), developers need to be especially vigilant when downloading open-source software and ensure that it is safe to use.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.