Last year witnessed an alarming escalation in cyber threats, with malware families evolving and attack tactics becoming more sophisticated than ever.
According to a detailed analysis by ANY.RUN, a prominent interactive malware analysis platform, 2024 marked significant changes in the global cybersecurity landscape with highest recorded sophisticated malware threats.
Surge in Malware Activity
ANY.RUN processed 4,001,036 public sandbox sessions in 2024, a 33% increase from 2023’s 2,991,551 sessions. Of these, 790,549 were confirmed as malicious, while 211,517 were classified as suspicious, reflecting an uptick in suspicious activity compared to the previous year’s 148,124 sessions.
Additionally, the analysis uncovered an astonishing 1.87 billion Indicators of Compromise (IOCs), nearly three times the 2023 figure of 640 million. This surge underscores both the growing use of advanced malware detection tools and the increasing sophistication of cybercriminal tactics.
Top Malware Types of 2024
Among the various malware types analyzed, Stealers emerged as the dominant threat in 2024, surging to 51,291 detections compared to 18,290 the previous year.
This indicates a significant rise in attackers prioritizing data theft. Other notable malware types included:
| Type | Detections |
|---|---|
| Stealer | 51,291 |
| Loader | 28,754 |
| RAT | 24,430 |
| Ransomware | 21,434 |
| Keylogger | 8,119 |
| Trojan | 6,156 |
| Miner | 5,803 |
| Adware | 4,591 |
| Exploit | 4,271 |
| Backdoor | 2,808 |
TI Lookup is a great resource for gathering up-to-date threat intelligence. By searching ANY.RUN’s vast database, you can access valuable insights into emerging cyber threats, enabling you to stay ahead of potential risks.
Most Prevalent Malware Families
2024 saw a shakeup in malware family rankings. The previously unreported Lumma Stealer skyrocketed to the top with 12,655 detections, signaling rapid adoption by threat actors.
Other notable shifts included:
| # | Name | Detections |
|---|---|---|
| 1 | Lumma | 12,655 |
| 2 | Agent Tesla | 8,443 |
| 3 | AsyncRAT | 8,257 |
| 4 | Remcos | 8,004 |
| 5 | Stealc | 7,653 |
| 6 | Xworm | 7,237 |
| 7 | Redline | 7,189 |
| 8 | Amadey | 5,902 |
| 9 | Snake | 4,304 |
| 10 | njRAT | 3,522 |
Popular names from 2023, such as Redline, saw a decline in prominence. However, the emergence of new challengers like Stealc and Xworm suggests the constant evolution of the threat landscape.
Get a 14-day free trial of ANY.RUN’s products to Analyse Advanced Malware Threats
Trends in MITRE ATT&CK Attack Techniques:
Leveraging the MITRE ATT&CK framework, ANY.RUN’s analysis identified significant trends in attacker tactics, techniques, and procedures (TTPs).
According to ANY.RUN report, In 2024, PowerShell abuse emerged as the top technique, with 162,814 detections, leveraging its flexibility for executing scripts on compromised systems.
Time-based sandbox evasion tactics also surged in popularity, with 134,260 detections, using time delays to avoid detection.
Additionally, email collection and spearphishing links remained potent tools for targeted attacks, underscoring the importance of user education and strong email security measures to defend against such threats.
| Rank | Technique ID | Technique Name | Detections |
|---|---|---|---|
| 1 | T1059.001 | Command and Scripting Interpreter: PowerShell | 162,814 |
| 2 | T1059.003 | Command and Scripting Interpreter: Windows CMD | 148,443 |
| 3 | T1497.003 | Virtualization/Sandbox Evasion: Time-Based | 134,260 |
| 4 | T1036.003 | Masquerading: Rename System Utilities | 126,008 |
| 5 | T1562.002 | Impair Defenses: Disable Antivirus Tools | 122,256 |
| 6 | T1218.011 | System Binary Proxy Execution: Rundll32 | 86,760 |
| 7 | T1114.001 | Email Collection: Local Email Collection | 85,546 |
| 8 | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys | 73,842 |
| 9 | T1053.005 | Scheduled Task/Job: Scheduled Task | 68,423 |
| 10 | T1569.002 | System Services: Service Execution | 51,345 |
| 11 | T1059.004 | Command and Scripting Interpreter: Python | 50,002 |
| 12 | T1036.005 | Masquerading: Match Legitimate Name or Location | 49,031 |
| 13 | T1497.001 | Virtualization/Sandbox Evasion: System Checks | 47,630 |
| 14 | T1543.002 | Create or Modify System Process: Windows Service | 39,231 |
| 15 | T1053.006 | Scheduled Task/Job: Cron | 39,228 |
| 16 | T1222.002 | File and Directory Permissions Modification: Linux | 38,760 |
| 17 | T1566.002 | Phishing: Spearphishing Link | 35,272 |
| 18 | T1059.005 | Command and Scripting Interpreter: Visual Basic | 27,213 |
| 19 | T1562.001 | Impair Defenses: Disable or Modify Tools | 24,133 |
| 20 | T1222.001 | File and Directory Permissions Modification: Windows | 19,275 |
The findings highlight the importance of advanced threat intelligence solutions.
Platforms like ANY.RUN’s interactive sandbox have proven invaluable for tracking emerging threats, offering over 40 search parameters to analyze malicious activity.
Their capability to detect and provide actionable insights into malware families and attack techniques is a crucial asset for staying ahead of attackers.
In 2024, cyber threats grew not only in number but also in complexity. The dramatic rise in Stealers, the rapid adoption of new malware like Lumma Stealer, and the dominance of scripting tools like PowerShell demonstrate that attackers are innovating at an unprecedented pace.
As we move into 2025, organizations must invest in layered defenses, advanced threat detection, and constant vigilance to combat the evolving cybersecurity landscape.
Are you from SOC/DFIR Teams? Try Free malware research with ANY.RUN