Summarizing the past year’s threat landscape based on activity observed in ANY.RUN’s Interactive Sandbox, this annual report provides insights into the most detected malware types, families, TTPs, and phishing threats of 2025. 

For additional insights, view ANY.RUN’s quarterly malware trends reports.  

Key Takeaways 

• Threat activity surged, with total sandbox sessions up 72% and malicious detections growing proportionally, reflecting increased frequency and depth of analysis among SOCs. 

• Stealers and RATs maintain dominance, tripling in activity compared to 2024. 

• Lumma and XWorm led malware family rankings, highlighting sustained reliance and mature and adaptable malicious ecosystems. 

• Phishing, driven by MFA-bypassing PhaaS kits like Tycoon 2FA and EvilProxy, evolved into an advanced malicious vector. 

• Widespread TTPs shifted toward stealth and trust abuse, with root certificate installation as the most detected technique of the year. 

Summary 

In 2025, ANY.RUN experienced significant growth alongside a rise in malicious activity. The numbers reflect a substantial growth of deep investigations and the detections of evasive threats facilitated by Interactive Sandbox: 

• 6.8 million sandbox sessions were launched — +72.2% compared to 2024. 

• The number of malicious samples grew by a similar number: 77.3%. This shows that the overall sandbox activity and malicious detections grow proportionally.  

• Suspicious samples more than doubled and rose from 211,517 in 2024 to 430,223 in 2025. 

• The total number of IOCs collected by ANY.RUN’s global community: 3.8 billion, nearly 2 billion more than the year before. 

As investigation volume and behavioral visibility increase, 15K+ security teams gain earlier detection, richer context, and faster response capabilities with ANY.RUN. 

Interactive Sandbox helps them ensure a strong, enterprise-grade defense system by enabling: 

• Early Detection: Minimize risks to safeguard your infrastructure and reputation with 36% higher detection rates. 

• Higher Efficiency & ROI: Cut MTTR by 21 minutes to power quicker incident resolution. 

• Smarter Decision-Making: Flexible solutions enhance visibility into threats for insights-driven action. 

Top Malware Types: Highlights

1. Stealer 155,741
2. RAT 72,114
3. Loader 69,651
4. Ransomware 42,220
5. Botnet 24,022
6. Backdoor 21,418
7. Keylogger 16,144
8. Adware 14,960
9. Trojan 10,016
10. Miner 8,442

The upper part of the most active malware types chart closely resembles that of 2024. The top four most detected threats remained unchanged, underscoring the long-term impact and growth in activity of Stealer and RAT (their intensity grew 3x), Loader (2.5x) and Ransomware (2x) malware. 

• Widespread stealers: Lumma,  Stealc, Blank Grabber 

• Widespread RATs: XWorm, Quasar RAT, AsyncRAT 

• Widespread loaders: Smoke Loader, PureCrypter, HijackLoader 

Other types have seen notable growth, too. Particularly dramatic increases are seen in Backdoor and Adware attacks. This points to an ongoing trend towards persistent access, credential theft, and multi-stage malware campaigns as opposed to short-spanned attacks. 

A new addition to the list is Botnet with 21K+ detections that secured fifth place for this malware type. 

Malware Families 

1. Lumma 31,111
2. XWorm 31,093 
3. AsyncRAT 16,372 
4. Remcos 16,002 
5. AgentTesla 14,584 
6. Snake 13,556 
7. Quasar 13,512 
8. Vidar 10,303 
9. Stealc 9,927 
10. Amadey 9,533 

From 2024 to 2025, most recurring malware families at least doubled in activity, as indicated by ANY.RUN’s statistics. 

XWorm that led the ranking in 2024 was detected 4.3x times more often in 2025. Despite the sharp growth, it moved a place down and gave way to Lumma, this year’s leader, which grew from 12K to 31K+ detections. 

Third and fourth places are taken by AsyncRAT and Remcos: both doubled in activity and were detected roughly 16K times. 

A notable 3x growth in activity is seen in Snake threats, which occupied sixth place with 13,556 total detections. 

Quasar and Vidar families newly entered the top list, signaling renewed RAT and stealer diversification. 

You can browse Threat Intelligence Lookup for further insights into threats relevant for you country or industry. For that, use requests like: 

threatName:”xworm” AND industry:”Finance” 

SOC teams can use these insights from a searchable indicator databases with IOCs, IOAs, and IOBs to: 

• Build Proactive Defense: Actionable threat intelligence drives targeted and insightful research for staying ahead. 

• Ensure Rapid Triage and Response: Instant enrichment of indicators with behavioral context makes for fast and smart decisions. 

• Optimize Workload: Rich threat data empowers Tier 1 analysts to work sustainably, reducing escalations to Tier 2. 

Phishing Threats 

Phishing APTs 

Phishing remained a key initial infection and credential-harvesting method 
throughout 2025. In ANY.RUN’s Interactive Sandbox, phishing-related activity was detected 541,225 times. 

• Among key APT groups, Storm-1747 dominated the list consistently from Q1 through Q4, accounting for a total of 92,147 detections. 

•  TA569 held second position from quarter to quarter as well, with 11K detections overall. 

The dominance of these actors over the months highlights the superiority of these groups on the threat landscape, which allows them to take up a disproportionately large share of phishing operations.  

The year’s top three is concluded by Storm-1575 with significantly fewer detections than the chart’s leaders, emphasizing the gap between the leading actors and other groups. 

Phishing Kits 

Tycoon2FA and EvilProxy reigned among most detected phishing kits throughout the year. Their total number of detections: 107,125 and 37,524 respectively, underscoring a clear dominance of phishing-as-a-service (PhaaS) platforms capable of bypassing multi-factor authentication at scale. 

Third place is taken by Sneaky2FA, another threat that has shown steady growth from quarter to quarter, reflecting focus on session hijacking and interception of credentials in real time. 

The top five in 2025 phishing threats is rounded out by Mamba2FA and WikiKit, with roughly 13.5K and 5K total detections respectively. 

These figures prove that phishing has evolved into a large-scale threat built around MFA abuse, modular tooling, and reusable infrastructures. 

You can ensure eraly threat detection of phishing threats like Tycoon2FA, EvilProxy, and more with Threat Intelligence Feeds delivering 99% unique threat data directly into your SIEM and other security solutions. 

• Refine Detection and Response: Indicators like IPs, URLs, and domains are enriched with threat context, making it possible to power your SOC for proactive defense. 

• Mitigate Breach Risks: 15,000 companies contribute to TI Feeds data in real time, instantly expanding your threat coverage and visibility to helps you stay ahead. 

• 3x Performance Rates: Filtered, noise-free indicators safely delivered via STIX/TAXII beat alert fatigue and enforce early detection. 

Protectors/Packers 

The list of top protectors and packers used by attackers during 2025 remained mostly stable throughout the year, reflecting continued reliance on established obfuscation tools. 

• The ultimate leader is UPX with a significant gap from other packers secured by 45K+ detections. 

• It’s followed by NETReactor with 24K+ detections and Themida with 16K+, both commonly leveraged to protect commodity malware and evade static analysis. 

TOP TTPs 

Among widespread TTPs, a new 2025 leader is T1553.004 – Subvert Trust Controls: Install Root Certificate with 385K+ detections. This technique didn’t appear on the list a year before, signaling a shift toward TLS interception, traffic inspection, and deep trust abuse. 

Second place is taken by T1036.003 – Masquerading: Rename Legitimate Utilities. This TTP moved two places up with a 2.4x growth in total detections. 

Other recurring TTPs like T1059.003 – Command and Scripting Interpreter: Windows Command Shell and T1497.003 – Virtualization/Sandbox Evasion: Time-Based Checks  
also experienced drastic increases in activity, confirming a rise in evasive behavior and the use of reliable execution methods, especially in phishing-delivered malware. 

Key Security Insights for Businesses in 2026 

• Credential theft remains the primary risk: Stealers and RATs tripled year over year, making identity compromise the fastest path to enterprise intrusion. 

• Phishing is now an access operation, not a one-off attack: MFA-bypassing PhaaS kits enable scalable, repeatable breaches targeting employees at all levels. 

• Persistence outweighs speed: Growth in backdoors, scheduled tasks, and autostart techniques shows attackers prioritize long-term access over quick impact. 

• Trust abuse is a top concern: Root certificate installation emerged as the most detected technique, enabling traffic interception and stealthy control. 

• Fewer actors, greater impact: A small number of mature threat groups drove a disproportionate share of phishing and malware activity. 

• Behavioral visibility is critical: The scale and sophistication of 2025 threats highlight the need for interactive analysis and fresh threat intelligence in 2026. 

ANY.RUN: Integrated Detection Accelerates SOC Performance 

Understanding what happened is the first step to knowing what to do next. This report is built on threat intelligence gathered from millions of real investigations conducted by 15,000+ SOC teams worldwide throughout 2025. For actionable insights, high-quality threat data, and in-depth, dynamic analysis available in your security system 24/7, integrate ANY.RUN: 

• Scalable Efficiency: Save time and resouces on manual triage and unneccessary escalations with analysts focused on high-impact work. 

• Risk Mitigation: SOC teams expose evasive threats in minutes, gaining real-time behavioral visibility investigate faster. 

• Smart Response: Each investigation is enriched with historical context from millions of prior analyses, delivering broader coverage and significantly more actionable indicators. 

Conclusion 

Overall, 2025 was marked by strong growth in investigation activity, increased malware sophistication, and a clear shift toward persistence, evasion, and trust abuse among threat actors, underscoring the need for continuous monitoring and proactive threat analysis. 

About ANY.RUN 

ANY.RUN builds advanced solutions for malware analysis and threat hunting. Its interactive malware analysis sandbox is trusted by 600,000+ cybersecurity professionals worldwide, enabling hands-on investigation of threats targeting Windows, Linux, and Android environments with real-time behavioral visibility. 

Threat Intelligence Lookup and Threat Intelligence Feeds help security teams quickly identify indicators of compromise, enrich alerts with context, and investigate incidents at early stages. This empowers analysts to gain actionable insights, uncover stealthy threats, and strengthen their overall security posture. 

Request ANY.RUN access for your company 

Frequently Asked Questions (FAQ) 

The post Malware Trends Overview Report: 2025  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Millions of IT systems — some of them industrial and IoT — may start behaving unpredictably on January 19. Potential failures include: glitches in processing card payments; false alarms from security systems; incorrect operation of medical equipment; failures in automated lighting, heating, and water supply systems; and many more less serious types of errors. The catch is — it will happen on January 19, 2038. Not that that’s a reason to relax — the time left to prepare may already be insufficient. The cause of this mass of problems will be an overflow in the integers storing date and time. While the root cause of the error is simple and clear, fixing it will require extensive and systematic efforts on every level — from governments and international bodies and down to organizations and private individuals.

The unwritten standard of the Unix epoch

The Unix epoch is the timekeeping system adopted by Unix operating systems, which became popular across the entire IT industry. It counts the seconds from 00:00:00 UTC on January 1, 1970, which is considered the zero point. Any given moment in time is represented as the number of seconds that have passed since that date. For dates before 1970, negative values are used. This approach was chosen by Unix developers for its simplicity — instead of storing the year, month, day, and time separately, only a single number is needed. This facilitates operations like sorting or calculating the interval between dates. Today, the Unix epoch is used far beyond Unix systems: in databases, programming languages, network protocols, and in smartphones running iOS and Android.

The Y2K38 time bomb

Initially, when Unix was developed, a decision was made to store time as a 32-bit signed integer. This allowed for representing a date range from roughly 1901 to 2038. The problem is that on January 19, 2038, at 03:14:07 UTC, this number will reach its maximum value (2,147,483,647 seconds) and overflow, becoming negative, and causing computers to “teleport” from January 2038 back to December 13, 1901. In some cases, however, shorter “time travel” might happen — to point zero, which is the year 1970.

This event, known as the “year 2038 problem”, “Epochalypse”, or “Y2K38”, could lead to failures in systems that still use 32-bit time representation — from POS terminals, embedded systems, and routers, to automobiles and industrial equipment. Modern systems solve this problem by using 64 bits to store time. This extends the date range to hundreds of billions of years into the future. However, millions of devices with 32-bit dates are still in operation, and will require updating or replacement before “day Y” arrives.

In this context, 32 and 64 bits refer specifically to the date storage format. Just because an operating system or processor is 32-bit or 64-bit, it doesn’t automatically mean it stores the date in its “native” bit format. Furthermore, many applications store dates in completely different ways, and might be immune to the Y2K38 problem, regardless of their bitness.

In cases where there’s no need to handle dates before 1970, the date is stored as an unsigned 32-bit integer. This type of number can represent dates from 1970 to 2106, so the problem will arrive in the more distant future.

Differences from the year 2000 problem

The infamous year 2000 problem (Y2K) from the late 20^th century was similar in that systems storing the year as two digits could mistake the new date for the year 1900. Both experts and the media feared a digital apocalypse, but in the end there were just numerous isolated manifestations that didn’t lead to global catastrophic failures.

The key difference between Y2K38 and Y2K is the scale of digitization in our lives. The number of systems that will need updating is way higher than the number of computers in the 20^th century, and the count of daily tasks and processes managed by computers is beyond calculation. Meanwhile, the Y2K38 problem has already been, or will soon be, fixed in regular computers and operating systems with simple software updates. However, the microcomputers that manage air conditioners, elevators, pumps, door locks, and factory assembly lines could very well chug along for the next decade with outdated, Y2K38-vulnerable software versions.

Potential problems of the Epochalypse

The date’s rolling over to 1901 or 1970 will impact different systems in different ways. In some cases, like a lighting system programmed to turn on every day at 7pm, it might go completely unnoticed. In other systems that rely on complete and accurate timestamps, a full failure could occur — for example, in the year 2000, payment terminals and public transport turnstiles stopped working. Comical cases are also possible, like issuing a birth certificate with a date in 1901. Far worse would be the failure of critical systems, such as a complete shutdown of a heating system, or the failure of a bone marrow analysis system in a hospital.

Cryptography holds a special place in the Epochalypse. Another crucial difference between 2038 and 2000 is the ubiquitous use of encryption and digital signatures to protect all communications. Security certificates generally fail verification if the device’s date is incorrect. This means a vulnerable device would be cut off from most communications — even if its core business applications don’t have any code that incorrectly handles the date.

Unfortunately, the full spectrum of consequences can only be determined through controlled testing of all systems, with separate analysis of a potential cascade of failures.

The malicious exploitation of Y2K38

IT and InfoSec teams should treat Y2K38 not as a simple software bug, but as a vulnerability that can lead to various failures, including denial of service. In some cases, it can even be exploited by malicious actors. To do this, they need the ability to manipulate the time on the targeted system. This is possible in at least two scenarios:

• Interfering with NTP protocol data by feeding the attacked system a fake time server
• Spoofing the GPS signal — if the system relies on satellite time

Exploitation of this error is most likely in OT and IoT systems, where vulnerabilities are traditionally slow to be patched, and the consequences of a failure can be far more substantial.

An example of an easily exploitable vulnerability related to time counting is CVE-2025-55068 (CVSSv3 8.2, CVSSv4 base 8.8) in Dover ProGauge MagLink LX4 automatic fuel-tank gauge consoles. Time manipulation can cause a denial of service at the gas station, and block access to the device’s web management panel. This defect earned its own CISA advisory.

The current status of Y2K38 mitigation

The foundation for solving the Y2K38 problem has been successfully laid in major operating systems. The Linux kernel added support for 64-bit time even on 32-bit architectures starting with version 5.6 in 2020, and 64-bit Linux was always protected from this issue. The BSD family, macOS, and iOS use 64-bit time on all modern devices. All versions of Windows released in the 21^st century aren’t susceptible to Y2K38.

The situation at the data storage and application level is far more complex. Modern file systems like ZFS, F2FS, NTFS, and ReFS were designed with 64-bit timestamps, while older systems like ext2 and ext3 remain vulnerable. Ext4 and XFS require specific flags to be enabled (extended inode for ext4, and bigtime for XFS), and might need offline conversion of existing filesystems. In the NFSv2 and NFSv3 protocols, the outdated time storage format persists. It’s a similar patchwork landscape in databases: the TIMESTAMP type in MySQL is fundamentally limited to the year 2038, and requires migration to DATETIME, while the standard timestamp types in PostgreSQL are safe. For applications written in C, pathways have been created to use 64-bit time on 32-bit architectures, but all projects require recompilation. Languages like Java, Python, and Go typically use types that avoid the overflow, but the safety of compiled projects depends on whether they interact with vulnerable libraries written in C.

A massive number of 32-bit systems, embedded devices, and applications remain vulnerable until they’re rebuilt and tested, and then have updates installed by all their users.

Various organizations and enthusiasts are trying to systematize information on this, but their efforts are fragmented. Consequently, there’s no “common Y2K38 vulnerability database” out there (1, 2, 3, 4, 5).

Approaches to fixing Y2K38

The methodologies created for prioritizing and fixing vulnerabilities are directly applicable to the year 2038 problem. The key challenge will be that no tool today can create an exhaustive list of vulnerable software and hardware. Therefore, it’s essential to update inventory of corporate IT assets, ensure that inventory is enriched with detailed information on firmware and installed software, and then systematically investigate the vulnerability question.

The list can be prioritized based on the criticality of business systems and the data on the technology stack each system is built on. The next steps are: studying the vendor’s support portal, making direct inquiries to hardware and software manufacturers about their Y2K38 status, and, as a last resort, verification through testing.

When testing corporate systems, it’s critical to take special precautions:

• Never test production systems.
• Create a data backup immediately before the test.
• Isolate the system being tested from communications so it can’t confuse other systems in the organization.
• If changing the date uses NTP or GPS, ensure the 2038 test signals cannot reach other systems.
• After testing, set the systems back to the correct time, and thoroughly document all observed system behaviors.

If a system is found to be vulnerable to Y2K38, a fixing timeline should be requested from the vendor. If a fix is impossible, plan a migration; fortunately, the time we have left still allows for updating even fairly complex and expensive systems.

The most important thing in tackling Y2K38 is not to think of it as a distant future problem whose solution can easily wait another five to eight years. It’s highly likely that we already have insufficient time to completely eradicate the defect. However, within an organization and its technology fleet, careful planning and a systematic approach to solving the problem will allow to actually make it in time.

Kaspersky official blog – ​Read More