In August 2017, we began to see a surge of emails that were tied to the Adwind remote access Trojan (RAT). This increased activity led to a peak in October 2017, when we observed a large spike in the number of emails—totaling over 1.5 million—all attempting to deliver several variants of Adwind. In November, Symantec blocked over 1.3 million malicious emails related to this threat, this represents a small dip from October but the activity trend is still definitely upwards.

Adwind (Backdoor.Adwind) is a cross-platform, multifunctional RAT also known as AlienSpy, Frutas, Unrecom, Sockrat, JSocket, and jRAT. It was first discovered in 2013 and can be used for logging keystrokes, using the webcam, stealing information, downloading potentially malicious files, as well as a host of other nasty activities.