Security teams rely on threat reports to understand what’s out there and to keep their organizations safe. But a new report shows that these reports might only reveal part of the story. Hidden malware variants are quietly slipping past defenses, leaving teams with a false sense of security.
Stairwell’s Hidden Malware Report 2025 analyzed 769 threat reports published between March 2023 and July 2025. These reports contained more than 10,000 malware file identifiers. By digging deeper into these files, researchers uncovered over 16,000 additional malware variants that were not included in the original reports.
What malware variants are and why they matter
Malware variants are slightly modified versions of existing malicious software. Attackers rarely build new malware from scratch. Instead, they take what works and make small changes, like repacking a file, tweaking code, or renaming parts of it. These changes are enough to generate a completely different hash, which is how most security tools track malware.
The problem is that many tools often rely on exact matches. If a file’s hash changes, it may no longer match known signatures, allowing it to slip past detection. This is how attackers stay ahead without needing to create entirely new threats.
For defenders, this means catching one malicious file is just the beginning. Without uncovering related variants, security teams may miss the bigger picture, leaving gaps where attackers can hide.
“If you’re relying on static hashes, you’re fighting yesterday’s threats,” said Mike Wiacek, CTO of Stairwell.
What the report found
The study highlights how widespread the variant problem has become. On average, each threat report included 13 hashes of known malware samples. When those same files were analyzed further, an average of 21 additional related malware variants were discovered.
Over time, the number of hashes shared in reports has also grown. In 2023, an average report contained 11 hashes. By 2025, that number had increased to 18. This shows that while vendors are sharing more information, the amount of undiscovered malware is growing even faster.
The report also points out that older malware families tend to have more variants. Successful malware is often copied and reused by attackers who make small adjustments to avoid detection. This leads to a cycle where even well-documented threats continue to evolve and evade defenses.
The risks of hidden threats
When malware variants go undetected, the result can be damaging. Security teams may believe a threat has been removed, while in reality, modified versions are still active in the environment. This creates blind spots that attackers can exploit for extended periods.
The biggest danger is false confidence. Believing that defenses are effective when they are not can lead to delayed response times and missed opportunities to stop an attack before it spreads.
How teams can respond
The report emphasizes the need for continuous analysis, rather than relying only on point-in-time scans or static signatures. Security teams can take steps to improve their defenses by:
- Continuously hunting for threats using a variety of detection methods.
- Writing and updating rules, such as YARA rules, to identify patterns beyond exact hashes.
- Searching across logs and systems for signs of compromise, not just known indicators.
- Reanalyzing files regularly as new threat intelligence becomes available.
Back to basics webinar: The ecosystem of CIS Security best practices
Source link
