BackBox.org News
  • BackBox.org
  • Linux
  • Community
  • News
  • Services
  • Sitemap
  • Contact
  • Click to open the search input field Click to open the search input field Search
  • Menu Menu
US Threat Landscape Alert: 30 Active Malware Families Ranked by Real Sandbox Data

US Threat Landscape Alert: 30 Active Malware Families Ranked by Real Sandbox Data

July 9, 2026/in Company Blogs

State of Cybersecurity in the US 

American organizations are processing more malware submissions than ever, and the mix keeps shifting under their feet. Phishing kits that hijack multi-factor authentication now sit alongside decades-old ransomware, commodity RATs sold for the price of a streaming subscription, and loaders built to slip payloads past EDR undetected.

For CISOs and SOC leaders, the challenge isn’t a lack of data — it’s knowing which of the hundreds of active families deserve budget, detection engineering time, and executive attention this month, not last quarter. 

This breakdown is built on real-time data from ANY.RUN’s Malware Trends Tracker (MTT), which ranks malware families by actual analysis volume rather than vendor surveys or annual retrospectives. The result is a live snapshot of what’s actually landing in American inboxes and endpoints right now. 

Key Takeaways

  • MFA alone no longer stops account takeover. Five of the top ten US threats this month are phishing kits built specifically to steal session cookies or OAuth tokens after MFA succeeds, not to guess passwords.
  • Device-code phishing is the newest board-level risk. Kali365 and EvilTokens abuse Microsoft’s legitimate device-authorization flow, meaning victims complete a real login on a real Microsoft page while attackers walk away with a valid token.
  • “Retired” malware isn’t retired. WannaCry and Emotet still show active monthly volume years after their most infamous incidents — a direct signal that legacy, unpatched exposure remains live exposure.
  • Commodity doesn’t mean low-risk. Cheap, widely available stealers and RATs (AsyncRAT, Vidar, XWorm, Stealc, RedLine, Formbook) account for a large share of monthly volume precisely because low cost keeps them in constant circulation.
  • Law enforcement takedowns shift the market, they don’t shrink it. RedLine, Lumma, and the AiTM phishing ecosystem all show the same pattern: disrupt one operator, and a successor (Remus Stealer, FlowerStorm) absorbs the demand within weeks.
  • Some detections are early ransomware warnings, not isolated events. Cobalt Strike beacons, Qbot infections, and DonutLoader activity have historically preceded ransomware deployment — treating them as urgent, not routine, is a high-leverage SOC decision.
  • Live, region-specific data beats annual retrospectives. Pairing Threat Intelligence Lookup for instant indicator-to-campaign context with Threat Intelligence Feeds for continuously updated blocklists lets security teams act on what’s happening in the US right now, rather than reacting to what already happened last quarter.

Biggest Malware Threats in America 

Three patterns stand out in the current US ranking. First, phishing-as-a-service (PhaaS) kits — Sneaky 2FA, EvilTokens, EvilProxy, Kali365, FlowerStorm, Tycoon 2FA — now occupy five of the top ten spots, a sign that credential and session-token theft has overtaken malware delivery as the fastest path into a corporate network.

Second, commodity RATs and stealers (AsyncRAT, Vidar, XWorm, Stealc, RedLine, Lumma) remain in constant, high-volume circulation because they’re cheap, effective, and endlessly repackaged.

Third, “retired” threats never really retire: Emotet and WannaCry both still register meaningful monthly activity years after their headline-grabbing debuts, a reminder that legacy exposure is still active exposure. 

US Phishing Attack Trends 

Phishing has changed its shape. The kits topping this month’s US data don’t rely on misspelled domains or obvious fake login pages — they abuse legitimate authentication flows. Kali365 and EvilTokens exploit Microsoft’s device-code authorization flow to capture OAuth tokens after a victim completes real MFA on Microsoft’s real infrastructure.

Lower your risk from today’s most active malware and phishing campaigns.
Explore ANY.RUN’s threat intelligence solutions.



Reduce Exposure


Sneaky 2FA, EvilProxy, Tycoon 2FA, and FlowerStorm run adversary-in-the-middle (AiTM) reverse proxies that harvest session cookies the instant a user logs in. In every case, the defender-facing lesson is the same: credential hygiene and MFA prompts alone no longer stop account takeover. Security teams need visibility into session and token abuse, not just password exposure.

What Is ANY.RUN’s Malware Trends Tracker? 

Malware Trends Tracker (MTT) is ANY.RUN’s free, continuously updated service that tracks the popularity and behavior of malware families in the wild. It draws its data directly from ANY.RUN’s Interactive Sandbox, where a global community of analysts submits and detonates suspicious files and URLs every day. Every submission that returns a malicious or suspicious verdict feeds into MTT’s rankings, giving the tracker a real-time pulse on what threat actors are actually deploying. 

Top malware this month by MTT

Analysts can filter by country, malware type (phishing kit, RAT, stealer, ransomware, loader, botnet, and more), and specific family, which is what makes it possible to isolate a view like “the 30 most active threats hitting the United States in the last 30 days.” That granularity turns raw sandbox telemetry into something SOC teams and business leaders can act on: proactive blocklist updates, sharper detection rules, and threat modeling grounded in what’s actually happening in their region rather than global averages that may not reflect their exposure. 

How ANY.RUN Helps You Detect and Understand Threats 

Knowing which malware families are trending in the US is only half the equation. The other half is being able to move fast when one of them shows up in your environment — and to understand the broader campaign behind it before it becomes an incident. 

Interactive Sandbox lets analysts detonate suspicious files, links, and phishing pages in a live, controllable Windows or Linux environment and interact with the sample in real time — clicking through a device-code prompt, entering credentials into a decoy page, or letting a loader unpack its next stage. 

For threats like Kali365 and EvilTokens, which hide their real payload behind browser-side JavaScript that only executes after the page renders, this in-browser visibility is often the only way to see the actual attack flow rather than a static, incomplete one. Every session automatically surfaces network indicators, a MITRE ATT&CK-mapped process tree, and a shareable report — cutting analysis time from hours to minutes. 

Once a threat is confirmed, Threat Intelligence Lookup lets teams pivot instantly from a single indicator — a hash, domain, IP, or even a YARA/Sigma rule — to the full universe of related sandbox sessions, infrastructure, and campaign context drawn from millions of public and private analyses.  

For teams that want threats blocked before they reach an inbox or endpoint, Threat Intelligence Feeds deliver continuously updated, high-confidence IOCs — IPs, domains, URLs — for actively tracked families like the ones below, in STIX/TAXII, CSV, or JSON formats that plug directly into SIEMs, firewalls, EDR, and SOAR platforms.  

Together, these three capabilities cover the full loop: spot what’s trending with MTT, understand exactly how it works with Interactive Sandbox, and get ahead of it with TI Lookup and TI Feeds. 

Don’t wait for these threats to reach your network.
Analyze and detect them with ANY.RUN.



Contact sales


Top 30 Threats in the US: Last Month’s Data 

1. Sneaky 2FA 

Sneaky 2FA is a phishing-as-a-service (PhaaS) kit that runs adversary-in-the-middle (AiTM) attacks against Microsoft 365 accounts, relaying real login traffic through a reverse proxy to capture credentials and session cookies in real time. It primarily targets any organization running Microsoft 365, with no particular industry spared.  

The kit is most notable for auto-filling the victim’s email address to boost credibility and for anti-bot checks that block security researchers and sandboxes from inspecting its pages. For businesses, it’s dangerous because it defeats standard MFA outright, handing attackers a live, authenticated session rather than just a stolen password. 

2. AsyncRAT 

AsyncRAT is an open-source remote access trojan (RAT) written in C#, originally published on GitHub as a legitimate remote administration tool before criminals repurposed it. It’s used indiscriminately across industries because it’s free, well-documented, and easy for low-skill actors to customize.  

AsyncRAT is most notable for its plugin-based architecture supporting keylogging, screen capture, and credential theft, plus its constant presence in phishing and malicious-script delivery chains. It’s dangerous for businesses because its ubiquity and endless minor variants make signature-based detection unreliable, and it often serves as the first foothold before a bigger compromise. 

3. EvilTokens 

EvilTokens is a phishing-as-a-service platform that abuses Microsoft’s legitimate OAuth 2.0 device-authorization flow to steal access tokens after a victim completes a real MFA challenge on Microsoft’s genuine login page — no fake login page, no stolen password. It concentrates heavily on finance, technology, manufacturing, education, and consulting firms running Microsoft 365.  

The kit is most notable for hiding its phishing payload inside AES-GCM-encrypted content that only decrypts in the browser, defeating static analysis, and for AI-assisted business email compromise (BEC) tooling built into its affiliate panel. That combination makes it a serious business risk: a single compromised inbox can cascade into fraud, data theft, and lateral movement across connected services. 

4. EvilProxy 

EvilProxy is a long-running adversary-in-the-middle phishing-as-a-service platform that lets affiliates rent turnkey reverse-proxy infrastructure to target Microsoft 365, Google Workspace, GitHub, and other MFA-protected services. It’s used broadly across finance, SaaS, and enterprise IT environments, wherever cloud account access has resale value to attackers.  

EvilProxy is most notable for popularizing the AiTM-as-a-service model years before its successors, effectively lowering the skill floor for MFA-bypass attacks industry-wide. For businesses, the danger is scale: a single subscription-based kit can power thousands of parallel campaigns against different targets simultaneously. 

5. Kali365 

Kali365 is an FBI-flagged phishing-as-a-service platform, first observed in April 2026, that steals Microsoft 365 OAuth tokens by abusing the legitimate device-code authentication flow rather than harvesting passwords. It targets any organization running Microsoft 365, with confirmed campaigns spanning finance, professional services, and general enterprise targets across North America.  

The kit is most notable for AI-generated phishing lures localized into 15 languages and for post-compromise automation that silently creates malicious inbox rules to suppress security warnings. It’s especially dangerous for business because it persists even through password resets — only session and token revocation stops it — and it enables direct fraud through compromised executive and finance mailboxes. 

6. Vidar 

Vidar is a malware-as-a-service (MaaS) information stealer that harvests browser-stored passwords, cookies, autofill data, cryptocurrency wallets, and two-factor authenticator data from infected machines. It’s distributed broadly via malvertising and cracked-software downloads, hitting individuals and businesses across every sector without a specific industry focus.  

Vidar is most notable for its resilient command-and-control model, using legitimate platforms like Telegram and Steam profiles as dead-drop resolvers to locate its real servers. For businesses, stolen credentials and session cookies from Vidar routinely end up feeding follow-on attacks, including corporate account takeover and access broker sales to ransomware affiliates. 

7. XWorm 

XWorm is a modular remote access trojan sold on underground forums, giving buyers remote desktop control, keylogging, webcam access, and an optional ransomware module in a single package. It spreads across industries through phishing attachments and loader chains, with no strong sector preference.  

XWorm is most notable for its low cost and active developer support, which keeps new builds circulating faster than signatures can keep up. The danger for businesses lies in its versatility — the same infection can pivot from espionage to data theft to on-demand file encryption depending on what the operator decides mid-campaign. 

8. Stealc 

Stealc is a malware-as-a-service info-stealer modeled closely on Vidar and Raccoon, built to harvest browser credentials, cryptocurrency wallets, and email client data at high volume and low cost to affiliates. It’s distributed indiscriminately, often bundled with cracked software and fake installers, touching businesses in every vertical whose employees browse from work devices.  

Stealc is most notable for rapidly filling the gap left when older stealer services shut down, thanks to aggressive underground marketing and frequent updates. For businesses, the risk is straightforward but severe: any employee credential harvested by Stealc can become the entry point for a much larger corporate breach. 

9. FlowerStorm 

FlowerStorm is an adversary-in-the-middle phishing kit that emerged to fill the gap left after a major AiTM phishing service was disrupted, and it now runs a similar reverse-proxy model against Microsoft 365 logins. It targets any organization dependent on Microsoft cloud services, with no specific industry exclusions.  

FlowerStorm is most notable for demonstrating how quickly the AiTM phishing ecosystem regenerates after takedowns — new kits absorb displaced affiliates within weeks. That resilience is exactly why it’s dangerous for business: disrupting one phishing-as-a-service operator rarely reduces the total volume of MFA-bypass attacks in the wild for long.  

10. Emotet 

Emotet began as a banking trojan and evolved into one of the most notorious malware-delivery botnets in history, spreading through malicious Office macros and acting as an initial-access broker for ransomware groups. It has hit organizations across finance, healthcare, government, and virtually every other sector over its long operational history.  

Emotet is most notable for surviving multiple law enforcement takedowns and re-emerging each time with updated delivery mechanics. For businesses, its danger isn’t just the initial infection — it’s what follows, since Emotet infections have historically preceded costly ransomware deployments from groups like Ryuk and Conti. 

11. Tycoon 2FA 

Tycoon 2FA is a phishing-as-a-service platform running adversary-in-the-middle attacks against Microsoft 365 and Gmail accounts, using a reverse proxy to relay real authentication traffic and steal session cookies. It’s rented broadly by criminal affiliates and used against organizations across virtually every industry with cloud email.  

The kit is most notable for its layered anti-detection measures, including Cloudflare Turnstile challenges designed to block security scanners from analyzing its phishing pages. Businesses should treat it as dangerous precisely because it targets the authentication layer itself — once a session cookie is stolen, MFA has already done its job and can’t stop the takeover. 

12. Remcos 

Remcos is marketed as a legitimate remote administration tool but is overwhelmingly deployed as a remote access trojan, giving attackers keylogging, screen capture, webcam and microphone access, and full remote control of infected machines. It spreads across industries via phishing email attachments, with no specific sector focus.

Remcos is most notable for its long shelf life and commercial-grade polish, since it’s sold openly rather than traded exclusively on criminal forums. For businesses, its full surveillance capability makes it a serious espionage and data-theft risk, particularly when it lands on machines used by finance or executive staff.

13. Agent Tesla

    Agent Tesla is a .NET-based keylogger, RAT, and information stealer distributed almost entirely through phishing email attachments disguised as invoices, orders, or shipping documents. It targets businesses across manufacturing, logistics, and professional services especially heavily, wherever document-based phishing lures land convincingly.

    Agent Tesla is most notable for exfiltrating stolen data over unconventional channels like SMTP, FTP, and Telegram bots, making network-based detection harder. The danger for business is its sheer popularity among low-skill actors, which keeps a constant, high-volume stream of Agent Tesla phishing campaigns hitting corporate inboxes.

    14. DCRat

      DCRat is a modular remote access trojan sold cheaply on underground forums, with a plugin architecture that lets buyers add keylogging, ransomware, or DDoS capability on top of core remote control. It’s used opportunistically across industries, largely wherever phishing or loader-based delivery succeeds.

      DCRat is most notable for its unusually low price point, which puts sophisticated RAT capability within reach of nearly any aspiring cybercriminal. For businesses, that accessibility is the real danger — DCRat infections can escalate in unpredictable directions depending on which plugins the operator chooses to load.

      15. WannaCry

        WannaCry is the ransomware worm that triggered a global outage in 2017 by self-propagating through the EternalBlue SMB vulnerability, encrypting files across entire networks without any user interaction. It disproportionately still resurfaces in healthcare, manufacturing, and other sectors running legacy or unpatched Windows systems.

        WannaCry is most notable for demonstrating how a single unpatched vulnerability can cause damage at a genuinely global scale within hours. Its continued presence in current sandbox data is a stark business risk indicator: any organization still detonating WannaCry samples almost certainly has unpatched systems exposed to far newer threats as well.

        16. RedLine

          RedLine is a malware-as-a-service info-stealer that harvests browser credentials, cryptocurrency wallets, VPN and FTP logins, and system information, sold cheaply to a wide base of criminal affiliates. It spreads through cracked software and malvertising, hitting businesses across every sector with no particular targeting.

          RedLine is most notable for having been one of the most widely deployed stealers on the market before a major law enforcement disruption in 2024, and for the fact that variants and rebrands are still circulating despite that action. For businesses, RedLine’s harvested credentials frequently surface later in initial access broker marketplaces, feeding ransomware intrusions well after the original infection.

          17. DonutLoader

            DonutLoader is an open-source, publicly available in-memory loader that converts executables, DLLs, and .NET assemblies into position-independent shellcode, letting attackers run payloads filelessly inside trusted processes. It’s used across the board — ransomware crews, APT groups, and commodity malware operators alike — because it’s free and effective.

            DonutLoader is most notable for defeating signature-based detection almost entirely by never writing a payload to disk, and it’s officially tracked under MITRE ATT&CK as S0695. That makes it dangerous for businesses in a very direct way: infections built on DonutLoader can sit undetected for hours or days while EDR tools look for artifacts that simply never touch the disk.

            18. QuasarRAT

              QuasarRAT is an open-source .NET remote access trojan published on GitHub as a legitimate administration tool, now widely repurposed by criminal and state-linked actors alike. It shows up across virtually every industry because its source code is freely available and easy to rebrand.

              QuasarRAT is most notable for serving as base code for numerous other RAT families and APT toolsets, making it a kind of foundational threat rather than a single standalone one. For businesses, that reuse means a QuasarRAT detection can indicate anything from a low-skill opportunistic attacker to a more targeted intrusion using a modified variant.

              19. Qbot

                Qbot (Qakbot) is a banking trojan and loader with a long history of serving as an initial-access foothold for ransomware groups including Conti and Black Basta. It has hit finance, professional services, and manufacturing organizations particularly hard over the years.

                Qbot is most notable for surviving a major FBI-led infrastructure takedown in 2023 only to resurface with updated delivery chains months later. The business danger here is what Qbot represents rather than what it does alone — its presence has historically been a leading indicator of an imminent, much more damaging ransomware event.

                20. Smoke Loader

                  Smoke Loader is a modular downloader and backdoor that’s been circulating since 2011, used primarily to deliver second-stage payloads like stealers, banking trojans, and ransomware onto infected machines. It spreads through phishing and exploit kits across a broad range of industries.

                  Smoke Loader is most notable for its longevity and plugin-based flexibility, letting operators swap in new capabilities without rebuilding the core malware. For businesses, its main danger is as a delivery mechanism — a Smoke Loader detection rarely means the attack is over, since the actual damaging payload usually arrives afterward.

                  21. LokiBot

                    LokiBot is a commodity information stealer and keylogger that targets browser credentials, email clients, FTP logins, and cryptocurrency wallets, typically delivered via phishing documents exploiting older Office vulnerabilities. It’s spread broadly across industries with minimal targeting discrimination.

                    LokiBot is most notable for its remarkable staying power despite being a known, well-signatured threat for years, largely due to constant minor code changes that dodge static detection. The business risk is less about sophistication and more about volume: LokiBot’s sheer prevalence means unpatched systems remain a constant, low-effort target for opportunistic attackers.

                    22. Lumma

                      Lumma is a subscription-based malware-as-a-service info-stealer that harvests browser credentials, cryptocurrency wallets, and two-factor authentication extension data, and was one of the most dominant stealers on the market before a major 2025 law enforcement and Microsoft-led disruption. It hit businesses across every sector indiscriminately through malvertising and cracked-software lures.

                      Lumma is most notable for spawning Remus Stealer as a direct technical successor after its core infrastructure was disrupted. For businesses, Lumma is a case study in how quickly a disrupted MaaS operation regenerates — the underlying criminal demand didn’t go away, it just migrated to a new codebase.

                      23. Mirai

                        Mirai is IoT botnet malware whose source code was leaked publicly in 2016, letting it spawn dozens of variants that infect routers, cameras, and other internet-connected devices using default or weak credentials. It targets any organization with exposed, poorly secured IoT infrastructure rather than a specific industry.

                        Mirai is most notable for powering some of the largest distributed denial-of-service (DDoS) attacks ever recorded. The danger for business is often indirect but severe: Mirai-infected devices on a corporate network can be weaponized against the business’s own infrastructure or rented out to attack someone else’s, with the compromised organization caught in the middle.

                        24. NetWire

                          NetWire is a commercially sold remote access trojan offering keylogging, credential theft, and webcam control across both Windows and Mac systems. It’s used opportunistically across industries wherever phishing delivery succeeds.

                          NetWire is most notable for having operated semi-openly as a paid product before its alleged operator was arrested in 2023, after which variants continued circulating regardless. For businesses, its cross-platform reach is the key risk factor — NetWire doesn’t spare Mac-heavy environments the way many commodity RATs do.

                          25. Formbook

                            Formbook is a cheap, widely available spyware and info-stealer sold as malware-as-a-service, specializing in form-grabbing, keylogging, and credential theft from browsers and email clients. It spreads through phishing campaigns across virtually every industry due to its low cost and ease of use.

                            Formbook is most notable for its long operational history since 2016 and for its macOS-targeting sibling, XLoader, which extended the same capability to Apple environments. The business danger is its accessibility — Formbook puts credential-stealing capability within reach of almost any attacker with a modest budget, keeping infection volume consistently high.

                            26. njRAT

                              njRAT (also known as Bladabindi) is a remote access trojan with roots in Middle Eastern hacking communities, offering remote desktop control, keylogging, webcam access, and USB-based self-propagation. It spreads across industries with no strong sector preference, largely through cracked software and phishing.

                              njRAT is most notable for its widely available, easy-to-use builder tool, which keeps new variants appearing constantly from low-skill operators. For businesses, that accessibility translates into unpredictable risk — infections range from petty credential theft to more serious espionage depending entirely on who’s behind the keyboard.

                              27. NanoCore

                                NanoCore is a plugin-based remote access trojan offering webcam and microphone control, keylogging, and file management, historically sold as a commercial product before its developer was convicted in the US in 2017. It’s used opportunistically across industries via phishing delivery.

                                NanoCore is most notable for the sheer number of surveillance-focused plugins available to buyers, making it a particularly invasive RAT even by commodity malware standards. The danger for business lies in that surveillance depth — a NanoCore infection can expose far more than credentials, including live audio and video from compromised machines.

                                28. Gh0st RAT

                                  Gh0st RAT is a remote access trojan of Chinese origin with a long operational history in state-linked and espionage-focused campaigns, offering full remote control, keylogging, and screen capture. It has been used against government, defense, and technology sector targets specifically, alongside broader opportunistic use.

                                  Gh0st RAT is most notable for its persistent association with advanced, targeted intrusions rather than purely commodity cybercrime. For businesses, particularly those in sensitive or regulated sectors, a Gh0st RAT detection warrants treating the incident as a potential targeted intrusion rather than routine opportunistic malware.

                                  29. Remus Stealer

                                    Remus Stealer is a 64-bit information stealer that emerged in early 2026 as a direct evolutionary successor to Lumma Stealer, built to harvest browser credentials, cookies, authentication tokens, and cryptocurrency wallets. It targets financial services, healthcare, government, technology, and managed service providers in particular.

                                    Remus is most notable for using EtherHiding — storing its command-and-control address inside an Ethereum smart contract — to make its infrastructure resistant to takedown, and for stealing active browser session cookies that bypass MFA outright. That session-hijacking capability makes it dangerous for business: it turns a single infected endpoint into a live, authenticated account takeover rather than just a stolen password.

                                    30. Cobalt Strike

                                      Cobalt Strike is a legitimate red-team and penetration-testing framework whose cracked and leaked versions have become one of the most widely abused command-and-control tools in ransomware and APT operations. It’s used across every industry, typically in the later stages of an intrusion rather than as an initial infection vector.

                                      Cobalt Strike is most notable for its “beacon” payload, which enables stealthy lateral movement, privilege escalation, and long-term persistence inside a compromised network. For businesses, seeing Cobalt Strike in an environment is a red flag with real urgency — it frequently signals that attackers already have a foothold and are actively preparing to escalate toward data theft or ransomware deployment.

                                      Cut your exposure to top threats before they cut into your bottom line.
                                      Integrate ANY.RUN’s threat intelligence solutions



                                      Contact sales


                                      Most Dangerous US Phishing Campaigns in 2026 

                                      If one theme defines the 2026 US phishing landscape, it’s the shift from stealing passwords to stealing sessions. Kali365 and EvilTokens represent the sharpest edge of this trend: both abuse Microsoft’s legitimate device-code authorization flow, meaning the victim completes a real login on a real Microsoft page, and the attacker walks away with a valid OAuth token instead of a password. Neither kit needs a convincing fake login page, which strips away most of the visual cues employees are trained to spot. The FBI’s public advisory on Kali365 — and the emergence of at least one related operator panel, ARToken, documented by Cisco Talos — underscores how quickly this technique has scaled into a genuine national security concern rather than a niche curiosity. 

                                      Running alongside device-code phishing is the older but still thriving adversary-in-the-middle (AiTM) model, represented in this month’s data by Sneaky 2FA, EvilProxy, Tycoon 2FA, and FlowerStorm. These kits use reverse proxies to sit between the victim and a real login page, capturing the session cookie the instant authentication succeeds.  

                                      The AiTM market has proven remarkably resilient to takedowns: when one operator is disrupted, affiliates simply migrate to the next kit, as FlowerStorm’s emergence demonstrated. For business leaders, the practical implication is that phishing-resistant MFA (hardware security keys, not push notifications or one-time codes) and tighter conditional access policies around device-code flows are now baseline requirements, not advanced hardening.  

                                      Ransomware Attacks Targeting US Companies 

                                      Direct ransomware payloads make up a smaller share of this month’s top 30 than commodity stealers and phishing kits, but the ransomware threat is far from diminished — it’s simply moved earlier in the attack chain. WannaCry remains a persistent reminder that unpatched, legacy-vulnerable systems are still being found and encrypted years after EternalBlue was first weaponized.  

                                      More significantly, several of this month’s top-ranked threats function as the access layer that ransomware operators depend on: Cobalt Strike for post-compromise lateral movement, Qbot and Emotet with their long histories as initial-access brokers for ransomware affiliates, and loaders like DonutLoader and Smoke Loader that quietly stage the next payload without tripping signature-based defenses. 

                                      This is the pattern US businesses need to internalize: by the time a ransom note appears, the actual compromise usually happened days or weeks earlier, through a phishing kit, a stealer, or a RAT that looked like a routine, low-severity incident at the time. Treating detections of Cobalt Strike beacons, Qbot infections, or session-token theft as early ransomware indicators — not isolated events — is one of the highest-leverage shifts a SOC can make in 2026. 

                                      Conclusion 

                                      This month’s US data makes one thing clear: the threats businesses face aren’t a static list to memorize once a year — they’re a moving target that shifts week to week. Phishing-as-a-service kits are getting better at defeating MFA. Decades-old malware like Emotet and WannaCry haven’t disappeared. And the line between “just a stealer infection” and “the opening move of a ransomware attack” keeps getting thinner. 

                                      Staying ahead of that requires the same thing MTT is built to provide: real, current visibility instead of last year’s threat report. Combined with the ability to safely detonate and understand a suspicious file or phishing page the moment it appears, and threat intelligence that turns a single indicator into full campaign context, security teams can move from reacting to these 30 threats to genuinely staying ahead of them. 

                                      About ANY.RUN 

                                      ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps organizations investigate threats faster and make response decisions based on clear behavioral evidence. 

                                      Its solutions include the Interactive Sandbox for enterprise-scale malware and phishing analysis, along with Threat Intelligence products built on investigation data from more than 15,000 organizations. This intelligence helps security teams enrich alerts, uncover active threats earlier, and add relevant context to detection, investigation, and response workflows. 

                                      ANY.RUN is SOC 2 Type II attested, demonstrating its commitment to strong security controls and customer data protection. For SOCs, MSSPs, and enterprise security teams, the platform helps reduce investigation uncertainty, accelerate triage, and turn threat analysis into actionable findings. 

                                      The post US Threat Landscape Alert: 30 Active Malware Families Ranked by Real Sandbox Data appeared first on ANY.RUN’s Cybersecurity Blog.

                                      ANY.RUN’s Cybersecurity Blog – ​Read More

                                      Share this entry
                                      • Share on Facebook
                                      • Share on X
                                      • Share on WhatsApp
                                      • Share on LinkedIn
                                      • Share on Vk
                                      • Share on Reddit
                                      • Share by Mail
                                      https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png 0 0 admin https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png admin2026-07-09 13:06:272026-07-09 13:06:27US Threat Landscape Alert: 30 Active Malware Families Ranked by Real Sandbox Data
                                      Search Search
                                      Copyright © BackBox.org
                                      • Link to X
                                      • Link to Facebook
                                      • Link to LinkedIn
                                      • Link to Youtube
                                      • Link to Telegram
                                      Link to: Madison Square Garden Kept a List of Gay Celebrities Link to: Madison Square Garden Kept a List of Gay Celebrities Madison Square Garden Kept a List of Gay CelebritiesMadison Square Garden Kept a List of Gay Celebrities Link to: I tested Norton Antivirus on my PC – and it found a hidden Trojan in 15 minutes Link to: I tested Norton Antivirus on my PC – and it found a hidden Trojan in 15 minutes I tested Norton Antivirus on my PC – and it found a hidden Trojan in 15...
                                      Scroll to top Scroll to top Scroll to top