Malware Trends Overview Report: 2023 

Let’s take a moment to reflect on 2023. We’ve analyzed the most prevalent malware families, types, and TTPs of the year, and we’re bringing you the highlights in this article. 

This report is based on the analysis of 2,991,551 public tasks created by our community in 2023. Out of these, 817,701 were tagged as malicious, and 148,124 as suspicious. Overall, ANY.RUN helped the cybersecurity community identify 640,158,713 IOCs in 2023.  

Top Malware Types in 2023 

Let’s begin by taking a closer look at the most common types of malware identified by ANY.RUN’s sandbox. In 2023, loaders, stealers, and RATs took the lead with 24,136, 18,290, and 17,431 detections respectively. Around 15,630 detections were attributed to trojans:  

• Loader: 24,136 
• Stealer: 18,290 
• Remote Access Trojan (RAT): 17,431 
• Trojan: 15,630 
• Ransomware: 12,820 
• Installer: 8,541 
• Keylogger: 4,049 
• Backdoor: 1,779 
• Miner: 1,043 

Top Malware Families in 2023  

In terms of malware families, Redline was by far the most popular (9205 detections), spotted more than twice as frequently as the second-most used malware Remcos (4407 detecitions). Redline is popular among cybercriminals because it’s easy to buy online and it can evade detection through polymorphic code, rootkit functionalities, and intricate obfuscation methods. 

Get the latest Redline IOCs and read more about this malware family in ANY.RUN’s Malware Trends Tracker. 

• Redline: 9,205 
• Remcos: 4,407 
• Agent Tesla: 4,215 
• njRAT: 3,939 
• AsyncRAT: 2,733 
• FormBook: 2,098 
• Amadey: 1,956 
• Vidar: 1,569 

Top MITRE ATT&CK techniques in 2023 

MITRE ATT&CK is a widely recognized framework used globally. It categorizes various adversary actions into tactics and techniques. It’s an essential tool for malware analysts to identify, assess, and address threats more effectively. 

ANY.RUN has a MITRE ATT&CK report that matches malware actions to specific techniques. In 2023, we made over 1.2 million matches, allowing us to put together this spreadsheet of TTPs adversaries employed most frequently in 2023: 

Top TTPs: highlights: 

• Masquerading Techniques (T1036.005): There’s a notable prelevance of Masquerading: Match Legitimate Name or Location technique. This indicates how common obfuscation via deceptive filenames and paths has been in 2023. This technique employs mimicry tactics to bypass heuristic detection. Effective countermeasures include behavioral analysis, focusing on anomaly detection in process tree execution and scrutinizing file path irregularities. 

• Security Software Discovery (T1518.001): Software Discovery: Security Software Discovery is indicative of sophisticated adversaries targeting security mechanisms. This method is a hallmark of APTs and targeted ransomware campaigns. 

• Increased Use of System Services for Execution (T1569.002): We’re seeing a lot of malware use system services to stay hidden and live of the land. This is a common technique in rootkits and sophisticated malware. This approach exploits system services to execute code at elevated privileges. 

• Email Collection: Local Email Collection (T1114.001): This technique takes place with malware that focuses on stealing sensitive information from emails, specifically from local email files such as cache or Outlook files. 

Report methodology  

In our report, we analyzed data from 2,991,551 tasks sent to our public threat database. This information is from researchers in our community who helped by running tasks in ANY.RUN. 

About ANY.RUN  

ANY.RUN is a cloud malware sandbox that handles the heavy lifting of malware analysis for SOC and DFIR teams. Every day, 300,000 professionals use our platform to investigate incidents and streamline threat analysis.    

Request a demo today and enjoy 14 days of free access to our Enterprise plan.     

Request demo →