
Heimdal Cyber-Security & Threat Intelligence Report 2022-2023

Marked by significant geopolitical shifts and unrest, 2022 has galvanized the cybersecurity landscape as well: war-profiteering, fueled by endless media disputes, has allowed threat actors not only to operate unhindered but also to find safe harbor with states that choose to turn a blind eye to cyber-criminal activity.

2023 will most likely be just as challenging as the previous few years, but I’m confident that the cybersecurity market has the right tools to deal with the constantly shifting cybercrime landscape and new/consolidated threats, whether we’re talking about supply chain attacks, ransomware, deepfakes or cyber espionage.

Glancing back at 2022’s Cyber Threats

The “new normal” foisted upon organizations as they accommodate a remote workforce has left them vulnerable to new attack vectors and facing huge alterations in the threat landscape, according to our annual Threat Report.

Worms, Trojans, and infected JavaScript were the malware families our SOC team encountered most often. Although such malware often masquerades as legitimate software, it is designed to destroy, disrupt, or steal data, and it can quickly seize control of a device.

Looking more closely at how the cybersecurity landscape altered in 2022, we couldn’t help but notice that our clients have successfully been safeguarded from major cyber events thanks to our unified corporate security suite.

Without further ado, here’s a sneak peek of what Heimdal®’s 2023 Cyber-Security & Threat Intelligence Report brings to the table. We tackled the main areas of last year’s cybersecurity interests by putting together a list of:

  • Most Important Cyberattacks.
  • The Most Powerful Statistics of 2022.
  • Threatscape Predictions for 2023.

You can download the Heimdal® CyberSecurity & Threat Intelligence Report 2023 here.

Cyber Threat Report 2023 Key Takeaways

  • 100% of organizations that reported brute-force attempts had applied fewer third-party patches (fewer than 100 update packages in the preceding 90 days) or were running more legacy OS software.
  • Government, Health, and Transportation are 16.3% more likely to be targeted than other industries. (Based on Heimdal® data 2022.)
  • 23% of network connections observed were malicious; security awareness training and endpoint protection are therefore needed to reduce cyber risk. (Based on Heimdal® data 2022.)
  • Organizations using automatic patching apply five times more OS patches than those relying on manual patching. (Based on Heimdal® data 2022.)
  • Organizations using automatic patching apply twice as many third-party patches as those relying on manual patching. (Based on Heimdal® data 2022.)

Heimdal Threat Report 2023 data for brute-force attacks, OS-based and third-party patching, ransomware incidents, and network-based attacks.

Detections & resolutions

  • 170,000,000 (170 million) DNS, HTTP, and HTTPS attacks were blocked by Heimdal® in 2022.
  • 50% of network-based attacks originated from the .co top-level domain.
  • 167% year-over-year (2021 to 2022) increase in Russia-based cyberattacks.
  • 10% of all emails hide malicious content.
  • 23.8% of all emails scanned by Heimdal® had a Critical severity score.
  • An average of 6.35 network-based attacks per day were carried out between January 2021 and October 2022.
  • HTML endpoint-based malware and infected JavaScript were the most frequently detected attacks.
  • Custom attack ‘stationery’: threat actors such as Cobalt Therapin employed victim-tailored spear-phishing forms to increase their odds of success.

Heimdal Threat Report 2023 SOC Data

Key Predictions of Cyber Threats and Trends for 2023

  • Centralized cybersecurity architectures will replace point-based solutions.
  • Overemphasis on tool automation and asset visibility.
  • SOAR and SIEM hybridization to replace conventional threat-hunting tools and approaches.
  • High-value targets (HVTs), MSPs in particular, will face additional challenges in protecting against multi-surface attacks.
  • ‘Web of Ransomware’ will make it difficult for authorities to track down cyber-criminals.
  • Time vs. effect. Attackers will spend more time staging attacks in order to increase likelihood of success.
  • Russia – Ukraine conflict to become a breeding ground for cyber-criminals.
  • A rise in state-sponsored cyberespionage.
  • Deepfakes to play a key role in social engineering.

In 2022 we witnessed not only a rise in cyber-threats across the board, but also increased friction when it comes to adopting non-traditional malware detection and mitigation tools. Although the industry's trajectory is clear, automation, whether full or partial, carries inherent challenges and limitations (e.g., SIEM solutions are prone to alert fatigue, while SOAR-type automated responses are confined to low- and medium-severity incidents).

Other factors that encumber the adoption and implementation processes are licensing, medium- to long-term costs (i.e., setup, configuration, upscaling, and maintenance), and workforce, the latter being considered a deal-breaker for organizations seeking to embrace SIEM, SOAR, or hybrid approaches.

Such challenges highlight the importance of enhancing cyber resilience across society; nevertheless, cybersecurity requires more than just precautions; it is also critical to educate employees and the broader public about cyber protection and how to stay safe from such threats.



New Phishing Kit: File Archivers in the Browser

This Phishing Kit Abuses ZIP Domains.

A new phishing kit, “File Archivers in the Browser” abuses ZIP domains. The kit displays bogus WinRAR or Windows File Explorer windows in the browser. The goal is to convince users to launch malicious processes.

Earlier this month, Google began allowing anyone to register domains under the new .zip top-level domain. For example, such a domain would be “

Weaponizing ZIP TLD Domains

Researchers are debating whether .zip domains are a security risk. The main concern is that many websites and messaging apps automatically convert strings like “” into clickable links, which cybercriminals could easily exploit for malware delivery or phishing attacks.

For example, if you send someone instructions on downloading a file called , Twitter will automatically turn the file name into a link, making people think they should click on it to download the file.

When you click on that link, your browser will attempt to open the site, which could redirect you to another site, show an HTML page, or prompt you to download a file.


Nevertheless, as with any malware delivery, you must first persuade a user to open a file, which might be difficult.
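To make the auto-linking problem described above concrete, here is an added JavaScript example; it is not code from the original article or from the mr.d0x kit. It contrasts a naive linkifier, which turns any bare token with a registered TLD into a link, with a hardened one that leaves bare .zip and .mov tokens as plain text unless they carry an explicit scheme. The TLD list and the sample message are constructed for the example; a real implementation would consult the full IANA TLD list.

```javascript
// Added example: naive vs hardened auto-linking of bare hostnames in text.
// Not from the article or the phishing kit it describes.

// Assumption: a short stand-in for the full IANA TLD list.
const KNOWN_TLDS = new Set(["com", "net", "org", "io", "zip", "mov"]);

// TLDs that double as common file extensions, so a bare "name.zip" in prose
// is far more likely to be a file name than a website.
const FILE_LIKE_TLDS = new Set(["zip", "mov"]);

// Either an explicit http(s) URL or a bare dotted token such as "report.zip".
const TOKEN_RE = /\bhttps?:\/\/\S+|\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b/gi;

// Strip punctuation that trails a token at the end of a clause.
const trimPunct = (s) => s.replace(/[.,;:!?)]+$/, "");

// Returns the link targets a linkifier would create for `text`.
// With allowFileLikeTlds=true this is the behaviour the article warns about.
function extractLinks(text, { allowFileLikeTlds }) {
  const links = [];
  for (const match of text.matchAll(TOKEN_RE)) {
    const token = trimPunct(match[0]);
    if (/^https?:\/\//i.test(token)) {
      links.push(token); // explicit scheme: the author clearly meant a URL
      continue;
    }
    const tld = token.slice(token.lastIndexOf(".") + 1).toLowerCase();
    if (!KNOWN_TLDS.has(tld)) continue; // "mr.d0x", "e.g." etc. are not hostnames
    if (!allowFileLikeTlds && FILE_LIKE_TLDS.has(tld)) continue; // leave as plain text
    links.push("https://" + token);
  }
  return links;
}

// Naive: every bare token with a known TLD becomes a link.
function naiveLinkify(text) {
  return extractLinks(text, { allowFileLikeTlds: true });
}

// Hardened: bare .zip/.mov tokens stay as text; explicit URLs still link.
function safeLinkify(text) {
  return extractLinks(text, { allowFileLikeTlds: false });
}

// Constructed sample message, the kind of text a chat or mail client renders.
const SAMPLE_MESSAGE =
  "Hi, the export is in report.zip and the clip in demo.mov; " +
  "details are on example.com, see also https://docs.example.org/faq.";

console.log("naive:", naiveLinkify(SAMPLE_MESSAGE));
console.log("safe :", safeLinkify(SAMPLE_MESSAGE));
```

Run with `node`: the naive version links report.zip and demo.mov as websites, the hardened version links only example.com and the explicit URL. Refusing to auto-link bare file-like TLDs is a rendering-side mitigation; it does not stop a user from typing such a name into a browser or search box.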

How the Phishing Kit Works

Security researcher mr.d0x built a phishing kit that renders fake WinRAR archive windows and Windows File Explorer windows inside the browser. Both are served from .zip domains, so the URL itself looks like the name of a .zip file.

When such a .zip domain is opened, the toolkit embeds a fake WinRAR window in the page, giving the impression that the user has opened a ZIP archive and is now viewing the files inside it.

To make it look more like a WinRAR window, the address bar and scrollbar of the pop-up window can be removed. The kit's author also added a phony security-scan button that, when clicked, claims the files were scanned and no threats were found.

Using the Phishing Kit for Malware

Cybercriminals can leverage this phishing toolkit to steal credentials or spread malware, for example.

Double-clicking a PDF in the bogus WinRAR window can send the user to a page that requests login credentials in order to view the file.

The toolkit can also be used to deliver malware by displaying a PDF file that downloads a similarly named .exe instead when clicked. For example, the fake archive window could show a document.pdf file, but when clicked, the browser downloads document.pdf.exe.


The victim sees what looks like a harmless PDF in their Downloads folder. Because Windows hides extensions for known file types by default, the user may open it without realizing it is an executable.
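The double-extension trick works because of how Explorer displays file names. As an added example (not from the article or the kit), the JavaScript below models Explorer's default "hide extensions for known file types" behaviour and flags downloads whose real type is executable while the visible name ends in a document-like extension. The extension lists are deliberately short and are an assumption made for the example.

```javascript
// Added example: what Windows Explorer shows for a file name when
// "Hide extensions for known file types" is on (the default), and a check
// for the document.pdf.exe pattern. Not code from the article or the kit.

// Assumption: short lists standing in for Windows' registered file types.
const EXECUTABLE_EXTS = new Set(["exe", "scr", "com", "bat", "cmd", "msi", "js", "vbs", "ps1"]);
const DOCUMENT_EXTS = new Set(["pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png", "zip"]);

// Split "document.pdf.exe" into { stem: "document.pdf", ext: "exe" }.
// A leading dot alone (".bashrc") is not treated as an extension.
function splitExt(name) {
  const i = name.lastIndexOf(".");
  if (i <= 0) return { stem: name, ext: "" };
  return { stem: name.slice(0, i), ext: name.slice(i + 1).toLowerCase() };
}

// What Explorer renders: known extensions are hidden, unknown ones are kept.
function displayedName(name) {
  const { stem, ext } = splitExt(name);
  return EXECUTABLE_EXTS.has(ext) || DOCUMENT_EXTS.has(ext) ? stem : name;
}

// Deceptive when the file really is executable but the name the user sees
// ends in a document-like extension.
function isDeceptiveDownload(name) {
  const { ext } = splitExt(name);
  if (!EXECUTABLE_EXTS.has(ext)) return false;
  return DOCUMENT_EXTS.has(splitExt(displayedName(name)).ext);
}

// Audit a Downloads listing: what the user sees, the real type, the verdict.
function auditDownloads(names) {
  return names.map((name) => ({
    name,
    shown: displayedName(name),
    executable: EXECUTABLE_EXTS.has(splitExt(name).ext),
    deceptive: isDeceptiveDownload(name),
  }));
}

// Constructed sample listing of a Downloads folder.
const SAMPLE_DOWNLOADS = ["document.pdf", "document.pdf.exe", "setup.exe", "Invoice.PDF.EXE", "notes"];

console.table(auditDownloads(SAMPLE_DOWNLOADS));
```

With the default setting, document.pdf.exe and document.pdf are both shown to the user as "document.pdf" versus "document", which is exactly the confusion the kit exploits; setup.exe is executable but not disguised, so it is not flagged as deceptive. The same logic can be applied to a browser's download history or an EDR file-creation event stream.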

When a file searched for in Windows is not found, the operating system may open the search string in the default browser. If that string is a valid domain name, the website opens; otherwise, Bing search results are displayed. Cybercriminals can exploit this by registering a .zip domain that matches a common file name, so that Windows opens the site automatically when someone searches for that file.

If that site hosted the ‘File Archivers in the Browser’ phishing kit, it could trick the user into believing WinRAR had displayed an actual ZIP archive. The technique illustrates how .zip domains can be abused for convincing phishing, malware delivery, or credential theft.


