{"id":3361,"date":"2025-05-29T06:00:00","date_gmt":"2025-05-29T06:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3361"},"modified":"2025-05-29T06:00:00","modified_gmt":"2025-05-29T06:00:00","slug":"6-rising-malware-trends-every-security-pro-should-know","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3361","title":{"rendered":"6 rising malware trends every security pro should know"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Malware is evolving rapidly, driven by advances in AI and changes in computing infrastructures.<\/p>\n<p>Security professionals must continuously educate themselves on these trends to defend against increasingly sophisticated threats.<\/p>\n<p>The traditional game of cat and mouse between security attackers and defenders has got fiercer with fresh techniques evolving and older less effective approaches falling out of fashion.<\/p>\n<p>Here is a look at what\u2019s heating up in the world of malware \u2014 and what\u2019s cooling off.<\/p>\n<h2 class=\"wp-block-heading\">Infostealers commoditizing initial access<\/h2>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/3951147\/infostealer-malware-poses-potent-threat-despite-recent-takedowns.html\">Infostealers have experienced huge growth<\/a> of late, with a 58% increase in infection attempts year-over-year, according to cybersecurity vendor Immersive.<\/p>\n<p>Malware such as <a href=\"https:\/\/www.csoonline.com\/article\/3993289\/feds-and-microsoft-crush-lumma-stealer-that-stole-millions-of-passwords.html\">Lumma Stealer<\/a>, StealC, and RisePro are now responsible for 75% of all stolen credentials.<\/p>\n<p>Infostealers steal browser cookies, VPN credentials, MFA (multi-factor authentication) tokens, crypto wallet data, and more. 
Cybercriminals sell the data that infostealers grab through <a href=\"https:\/\/www.csoonline.com\/article\/566577\/10-things-you-should-know-about-dark-web-websites.html\">dark web markets<\/a>, giving attackers easy access to corporate systems.<\/p>\n<p>\u201cThis shift commoditizes initial access, enabling nation-state goals through simple transactions rather than complex attacks,\u201d says <a href=\"https:\/\/www.immersivelabs.com\/author\/ben-mccarthy\">Ben McCarthy<\/a>, lead cyber security engineer at Immersive.<\/p>\n<h2 class=\"wp-block-heading\">Malicious packages targeting developer environments<\/h2>\n<p>Threat actors are systematically compromising the software supply chain by embedding malicious code within legitimate development tools, libraries, and frameworks that organizations use to build applications.<\/p>\n<p>\u201cThese supply chain attacks exploit the trust between developers and package repositories,\u201d Immersive\u2019s McCarthy tells CSO. \u201cMalicious packages often mimic legitimate ones while running harmful code, evading standard code reviews.\u201d<\/p>\n<p>In 2024, researchers found 512,847 malicious packages \u2014 a 156% year-over-year increase \u2014 across software development ecosystems such as <a href=\"https:\/\/www.csoonline.com\/article\/3995813\/hackers-drop-60-npm-bombs-in-less-than-two-weeks-to-recon-dev-machines.html\">NPM<\/a>, <a href=\"https:\/\/www.csoonline.com\/article\/3502920\/thousands-of-abandoned-pypi-projects-could-be-hijacked-report.html\">PyPI<\/a>, and AI platforms like <a href=\"https:\/\/www.csoonline.com\/article\/3819920\/attackers-hide-malicious-code-in-hugging-face-ai-model-pickle-files.html\">HuggingFace<\/a>.<\/p>\n<h2 class=\"wp-block-heading\">Ransomware becoming more targeted and sophisticated<\/h2>\n<p>The <a href=\"https:\/\/www.csoonline.com\/article\/3842496\/the-state-of-ransomware-fragmented-but-still-potent-despite-takedowns.html\">ransomware landscape<\/a> has shifted dramatically 
since law enforcement cracked down on major groups like LockBit.<\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/3838121\/the-dirty-dozen-12-worst-ransomware-groups-active-today.html\">Modern ransomware threat actors<\/a> such as RansomHub and Akira now favor smaller, highly targeted attacks, using ransomware as a final step after full infiltration and data exfiltration. This marks a move from broad, opportunistic strikes to focused, high-value campaigns.<\/p>\n<p>\u201cThese targeted approaches show threat actors\u2019 growing insight into specific vulnerabilities and their readiness to invest heavily in reconnaissance and tailored attack development,\u201d Immersive\u2019s McCarthy comments.<\/p>\n<p>These groups use advanced evasion techniques such as <a href=\"https:\/\/www.crowdstrike.com\/en-us\/cybersecurity-101\/cyberattacks\/living-off-the-land-attack\/\">living-off-the-land (LOTL) tactics<\/a> and legitimate admin tools to stay hidden. They\u2019re also shifting from file encryption to data theft and extortion, threatening public leaks to pressure victims.<\/p>\n<p>\u201cThere\u2019s been a notable uptick in the use of cloud-based services and remote management platforms as part of ransomware toolchains,\u201d says <a href=\"https:\/\/www.linkedin.com\/in\/jamiemoles\/?originalSubdomain=uk\">Jamie Moles<\/a>, senior technical marketing manager at network detection and response provider ExtraHop. 
\u201cThis aligns with a broader trend: Rather than relying solely on traditional malware payloads, adversaries are increasingly shifting toward abusing trusted platforms and \u2018living-off-the-land\u2019 techniques.\u201d<\/p>\n<p>Healthcare remains a <a href=\"https:\/\/www.csoonline.com\/article\/564832\/biggest-healthcare-security-threats.html\">top target of ransomware attacks<\/a>, while critical infrastructure faces increasing threats as attackers exploit the urgency that prompts quick ransom payments.<\/p>\n<h2 class=\"wp-block-heading\">Malware adopting social engineering techniques<\/h2>\n<p>Cybercriminals are increasingly adopting <a href=\"https:\/\/www.csoonline.com\/article\/3610611\/rising-clickfix-malware-distribution-trick-puts-powershell-it-policies-on-notice.html\">ClickFix<\/a> as a malware delivery method in attacks that rely on social engineering techniques to successfully infect end-user devices.<\/p>\n<p>ClickFix tricks users into executing malicious code \u2014 usually a PowerShell script \u2014 on their own systems.<\/p>\n<p>ClickFix is a rising threat that takes advantage of growing user fatigue in having to jump through online hoops to \u2018prove you\u2019re human.\u2019<\/p>\n<p>By hijacking trust in familiar CAPTCHA processes, threat actors are getting users to actively participate in their own compromise \u2014 copying and pasting malicious commands into their systems under the guise of simple verification.<\/p>\n<p>\u201cOver the past year, we\u2019ve seen this technique gain serious traction across phishing sites, compromised webpages, and social engineering campaigns,\u201d says <a href=\"https:\/\/www.sentinelone.com\/blog\/author\/jimw\/\">Jim Walter<\/a>, senior threat researcher at SentinelLABS. 
\u201cIt\u2019s simple, effective, and increasingly common.\u201d<\/p>\n<p>CISOs need to be wary of the threat because it bypasses many traditional detection methods by relying on human behavior rather than system vulnerabilities.<\/p>\n<p>\u201cRaising awareness, hardening endpoint execution policies, and deploying behavioral detection tools are essential to countering this wave of malware delivery,\u201d Walter advises.<\/p>\n<h2 class=\"wp-block-heading\">Malware targeting macOS enterprise users<\/h2>\n<p>Some security vendors report a sharp increase in malware campaigns targeting macOS users in the enterprise.<\/p>\n<p><a href=\"https:\/\/www.sentinelone.com\/blog\/author\/macoswriter\/\">Phil Stokes<\/a>, macOS malware researcher at SentinelLABS\/SentinelOne, tells CSO: \u201cWe\u2019re seeing everything from infostealers disguised as business tools to highly sophisticated modular backdoors \u2014 so threat actors have clearly stepped up their game when it comes to targeting Apple users in corporate environments.\u201d<\/p>\n<p>For example, the <a href=\"https:\/\/www.picussecurity.com\/resource\/blog\/atomic-stealer-amos-macos-threat-analysis\">Atomic Infostealer<\/a> spreads through fake versions of well-known enterprise apps, not just the usual cracked games or consumer tools that have long been a security headache.<\/p>\n<p>While ransomware and infostealers remain at the forefront of active threats, there\u2019s been a decline in the use of older commodity malware and hacking techniques.<\/p>\n<h2 class=\"wp-block-heading\">Polymorphic malware evading detection mechanisms<\/h2>\n<p>Polymorphic malware automatically modifies its code each time it replicates or infects a new system, making it difficult for signature-based detection methods to identify it.<\/p>\n<p>This type of malware is challenging for antivirus software to detect and for security researchers to analyze.<\/p>\n<p><a 
href=\"https:\/\/www.linkedin.com\/in\/alexanderhinchliffe\/?originalSubdomain=uk\">Alex Hinchliffe<\/a>, principal threat researcher at Unit 42, the threat intelligence and incident response arm at Palo Alto Networks, says, \u201cVery basic or specific detection mechanisms, such as hash-based scanners, are thwarted by polymorphism but it\u2019s worth noting that each time a malicious program is compiled \u2014 e.g., into an executable \u2014 it will yield a new unique fingerprint or hash. Add to this the plethora of free and commercially available compressor, packer, and protector tools, which can be applied to a compiled program, and the \u2018same\u2019 program will yield yet more variations and permutations of the same fingerprint.\u201d<\/p>\n<p>Polymorphic malware also often uses encryption to hide its payload, further complicating detection and analysis.<\/p>\n<h2 class=\"wp-block-heading\">Depreciated malware techniques<\/h2>\n<p>Some noticeable trends reflect a \u201cdownturn\u201d regarding both types malware and hacking techniques that have fallen out of fashion, mainly because their effectiveness has decreased due to advances in security defenses and practices.<\/p>\n<p>For example, threat actors rely more on legitimate admin tools (such as Sysinternals Suite and living-off-the-land binaries, or LOLBins) for defense evasion and persistence, and less on malicious executables.<\/p>\n<p>\u201cOn the hacking tool front, we observed a decrease in the use of more comprehensive tool suites like Cobalt Strike and Sliver,\u201d says <a href=\"https:\/\/www.huntress.com\/authors\/lindsey-odonnell-welch\">Lindsey Welch<\/a>, technical writer at managed detection and response vendor Huntress. 
\u201cHowever, threat actors continue to use specialized tools like Mimikatz and CrackMapExec for functionalities like password sniffing, memory dumping, privilege escalation, and lateral movement.\u201d<\/p>\n<p>Other once-popular techniques that have fallen out of favour include:<\/p>\n<p><strong>Network worms<\/strong>, such as Conficker, because modern networks now feature segmentation, automated patching, and strong endpoint defenses, all of which limit worm propagation<\/p>\n<p><strong>Traditional botnets<\/strong><\/p>\n<p><strong>Exploit kits<\/strong>, which were once a prevalent method for delivering malware through web-based attacks by scanning users\u2019 systems for known vulnerabilities in software like Adobe Flash, Java, or Internet Explorer, and then exploiting those weaknesses to install malware<\/p>\n<p><strong>Office macros<\/strong><\/p>\n<p><strong>USB-based malware<\/strong><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Malware is evolving rapidly, driven by advances in AI and changes in computing infrastructures. Security professionals must continuously educate themselves on these trends to defend against increasingly sophisticated threats. 
The traditional game of cat and mouse between security attackers and defenders has got fiercer with fresh techniques evolving and older less effective approaches falling out [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3362,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3361","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3361"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3361"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3361\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3362"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3361"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3361"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3361"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}