Top Sophisticated Cyber Security Threats of 2024


As 2024 concludes, cybersecurity experts are reflecting on an eventful Q4 that witnessed evolving threats and heightened activity in the malware landscape.

ANY.RUN, a leading interactive malware analysis platform, has released its quarterly report, shedding light on emerging trends and highlighting the most active malware families, tools, and techniques used by cybercriminals.

Malware Analysis: Activity Surges Across the Board

In Q4 2024, ANY.RUN users conducted 1,151,901 public interactive analysis sessions, a 5.6% increase from Q3. Of these, 22.6% were flagged as malicious and 6.2% as suspicious, signaling a rise in both malicious and suspicious activities compared to the prior quarter.

A staggering 712 million Indicators of Compromise (IOCs) were collected during Q4, reflecting the increasing complexity of analyzed threats.

Top Malware Types Observed

Stealers emerged as the most detected malware type in Q4, overtaking Loaders and showcasing a 53.5% uptick in activity compared to Q3. Below are the top malware types and their respective detections:

  1. Stealer – 25,341 detections (53.5% increase from Q3)
  2. Loader – 10,418 detections (27% increase)
  3. RAT (Remote Access Trojan) – 6,415 detections (10.8% decrease)
  4. Ransomware – 5,853 detections (1.9% decrease)
  5. Keylogger – 1,915 detections (39.5% decrease)

Interestingly, Adware entered the top ten list with 1,666 detections in Q4, marking its increasing presence in cybercriminal arsenals.

Malware Families: Lumma Leads Once Again

The most active malware families of Q4 included familiar names alongside rising threats:

  1. Lumma – 6,982 detections (+68.7% from Q3)
  2. Stealc – 4,790 detections (+136.3%)
  3. Redline – 4,321 detections (+26.7%)
  4. Amadey – 3,870 detections
  5. Xworm – 3,141 detections (+43.7%)

Lumma maintained its dominant position for the second consecutive quarter, while Stealc displayed explosive growth, more than doubling its detections from Q3.

Phishing Threats on the Rise

Phishing activity spiked in Q4 2024, with 82,684 phishing-related threats flagged. Key highlights include:

  • Tycoon2FA emerged as the most common phishing kit, with 8,785 instances detected.
  • Cybercriminal group Storm1747 uploaded 11,015 phishing-related samples, leading group activity metrics.

This escalation underscores how phishing tactics continue to evolve in complexity and scope, targeting unsuspecting victims worldwide.

Malware creators increasingly relied on protectors and packers to evade detection. The top tools included:

  • UPX (12,262 detections)
  • Netreactor (8,333 detections)
  • Themida (4,627 detections)

These tools are critical for hiding malware code, making detection more challenging for defenders.

MITRE ATT&CK Techniques: Tactics in Focus

Adversaries leveraged several advanced techniques in Q4, with the Windows Command Shell (T1059.003) claiming the top spot with 44,850 detections. Other prominent techniques included:

  • Masquerading through renamed system utilities (T1036.003)
  • Spearphishing Links (T1566.002), which surged in activity compared to Q3

These techniques underline the continued innovation of cybercriminals in bypassing defenses.

Actionable Intelligence for Cyber Defenders

ANY.RUN’s Threat Intelligence Lookup (TI Lookup) provides crucial tools for tracking and analyzing emerging threats.

Security teams can study malware execution processes, explore Indicators of Compromise (IOCs), and identify patterns in attack data. For example, threat queries such as threatName:"stealer" paired with location filters can reveal regional trends in malware activity.


A Call for Vigilance in 2025

The Q4 2024 report highlights how cybercriminals are diversifying their methods and scaling operations. Stealers’ dominance, the proliferation of phishing kits, and the use of advanced obfuscation techniques signal a need for heightened vigilance.

As we step into 2025, organizations are advised to stay proactive, leveraging platforms like ANY.RUN for actionable insights into the evolving threat landscape.

Continuous monitoring, robust defenses, and timely response strategies remain key in combating the ever-changing face of cybersecurity threats.

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Its interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems.

ANY.RUN threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  


