HomeCybersecurity Lifehacks
Malware Trends Report: Q2, 2023 
HomeCybersecurity Lifehacks
Malware Trends Report: Q2, 2023 

Welcome to ANY.RUN’s Q2 2023 malware trends report. We’re continuing to share quarterly breakdowns of the most popular malware types, families, and TTPs.  


In our most recent quarterly review, ANY.RUN received 758,582 submissions. From this pool, we classified 226,418 tasks, or 29.9%, as malicious, and another 34,285, or 4.5%, as suspicious.  

Our users, through their analysis of these tasks, managed to gather approximately 45 million unique Indicators of Compromise (IOCs) and an accumulative total of 240,581,447 IOCs. 

In this report, we’ll: 

  • Look at the most widespread malware types and families in Q2 2023 
  • Compare our findings to Q1 2023 report
  • And provide insights into the most used MITRE ATT&CK TTPs  

Top Malware Types in Q2 2023 

Top Malware Types in Q2 2023 


In Q2 2023, the three most prevalent types of malware remained RAT, loader, and trojan, mirroring the trends from Q1 2023. 

Specifically, we observed a 12.8% increase in RAT instances, rising from 5296 in Q1 to 5974 in Q2. Conversely, loader instances saw a decrease of 27.3%, dropping from 7820 in Q1 to 5685 in Q2. Most notably, trojan instances experienced a significant decrease of 44.8%, plummeting from 7696 in Q1 to just 4246 in Q2. 

Top Malware Families in Q2 2023 

Top Malware Families in Q2 2023 


  • The hierarchy of top malware families remains unchanged. RedLine, the most prevalent malware family, saw a significant surge in instances, jumping 80.2% from 1895 in Q1 to 3415 in Q2. 
  • Remcos, holding steady as the second most frequently uploaded malware on ANY.RUN, experienced a marginal decrease of 1.2%, with instances dipping slightly from 1385 in Q1 to 1368 in Q2. 
  • Rounding out the top three, the njRat family exhibited a modest increase of 4.2%, with instances rising from 1096 in Q1 to 1142 in Q2. 

Analyze malware and collect IOCs in ANY.RUN 

Create free account

Top MITRE ATT&CK techniques in Q2 2023 

MITRE ATT&CK Technique  Count 
T1059.003 Command and Scripting Interpreter: Windows Command Shell  14,233 
T1059.001 Command and Scripting Interpreter: PowerShell  9,081 
T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion  8,130 
T1218.011 System Binary Proxy Execution: Rundll32  5,505 
T1053.005 Scheduled Task/Job: Scheduled Task  5,450 
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder  4,919 
T1574.002 Hijack Execution Flow: DLL Side-Loading  3,817 
T1059.005 Command and Scripting Interpreter: Visual Basic   3,672  
T1059.007 Command and Scripting Interpreter: JavaScript   3,054
T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification  2,986 


The data we’ve collected during the second quarter of 2023 indicates a significant shift in most-used TTPs. Here are some of the highlights: 

  • T1059.003, Command and Scripting Interpreter: Windows Command Shell, despite experiencing a significant drop in instances from 22,030 in Q1 to 14,233 in Q2 (a decrease of 35.4%), has moved up in the ranking to become the most prevalent technique in Q2. 
  • T1059.001, Command and Scripting Interpreter: PowerShell, has also climbed in the ranking, moving from the tenth position in Q1 to the second in Q2. This is in spite of a relatively small increase in instances from 8,209 in Q1 to 9,081 in Q2 (an increase of 10.6%). 
  • T1497.003, Virtualization/Sandbox Evasion: Time Based Evasion, has also risen in the ranking, moving from the seventh position in Q1 to the third in Q2. 
  • Notably, T1036.005, Masquerading: Match Legitimate Name or Location, which was the most prevalent technique in Q1 with 78,101 instances, is no longer in the top ten in Q2. 

Report methodology 

We’ve examined data submitted to our public threat database by a diverse community of researchers, who have opted to make their analyses public, totaling 758,582 tasks. 

ANY.RUN is a cloud malware sandbox that handles the heavy lifting of malware analysis for SOC and DFIR teams. Every day, 300,000 professionals use our platform to investigate incidents and streamline threat analysis. 

Request a demo today and enjoy 14 days of free access to our Enterprise plan.  

Request demo → 

What do you think about this post?

8 answers

  • Awful
  • Average
  • Great

No votes so far! Be the first to rate this post.