{"id":17461,"date":"2025-12-29T08:51:04","date_gmt":"2025-12-29T08:51:04","guid":{"rendered":"\/cybersecurity-blog\/?p=17461"},"modified":"2025-12-29T10:43:37","modified_gmt":"2025-12-29T10:43:37","slug":"malware-trends-report-q4-2025","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/malware-trends-report-q4-2025\/","title":{"rendered":"Malware Trends Q4 2025: Inside ANY.RUN\u2019s Latest Threat Landscape Report\u00a0"},"content":{"rendered":"\n<p>We\u2019re glad to present our regular quarterly report highlighting the most prominent malicious trends of the last three months of 2025, as observed by <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=malware_trends_q4_25&amp;utm_term=291225&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>\u2019s community.<\/p>\n\n\n\n<p>Following the release of&nbsp;our annual report on&nbsp;<a href=\"https:\/\/any.run\/cybersecurity-blog\/annual-report-2025\/\" target=\"_blank\" rel=\"noreferrer noopener\">key threats&nbsp;and&nbsp;milestones<\/a>, this&nbsp;report&nbsp;offers&nbsp;a&nbsp;closer&nbsp;look at&nbsp;the threat landscape of the&nbsp;final chapter&nbsp;of 2025.&nbsp;<\/p>\n\n\n\n<p>The Malware Trends report Q4 features top malware types, families, phishing kits, TTPs, APTs, and other notable insights.&nbsp;<\/p>\n\n\n\n<p>You can&nbsp;turn&nbsp;to&nbsp;the&nbsp;previous&nbsp;<a href=\"https:\/\/any.run\/cybersecurity-blog\/malware-trends-report-q3-2025\/\" target=\"_blank\" rel=\"noreferrer noopener\">Q3&nbsp;report<\/a>&nbsp;for&nbsp;reference.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Key Takeaways&nbsp;<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Threat activity remained steady, with&nbsp;<strong>sandbox usage up 6% quarter over quarter<\/strong>&nbsp;and over&nbsp;<strong>1 billion<\/strong>&nbsp;IOCs&nbsp;collected, reflecting sustained investigative demand rather than volume 
spikes.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Stealers still dominate<\/strong>, even after a 16% decline, confirming credential theft as a primary attacker&nbsp;objective.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>RATs and backdoors gained momentum<\/strong>, with RATs up 28% and backdoors up 68%, signaling a shift toward persistent access and modular malware.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>XWorm&nbsp;and open-source RATs surged<\/strong>, with&nbsp;XWorm&nbsp;up 174%, showing attackers favor adaptable, widely shared toolsets over saturated stealer families.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Phishing continued to evolve<\/strong>, led by Tycoon and&nbsp;EvilProxy, underscoring the growing sophistication of&nbsp;PhaaS&nbsp;and 2FA bypass campaigns.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Summary&nbsp;<\/h2>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"361\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Review-Q4-2025-1024x361.png\" alt=\"\" class=\"wp-image-17469\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Review-Q4-2025-1024x361.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Review-Q4-2025-300x106.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Review-Q4-2025-768x271.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Review-Q4-2025-1536x541.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Review-Q4-2025-2048x722.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Review-Q4-2025-370x130.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Review-Q4-2025-270x95.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Review-Q4-2025-740x261.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Sandbox activity summary<\/em><\/figcaption><\/figure><\/div>\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Total&nbsp;sandbox sessions:&nbsp;<\/strong>2,015,181&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Malicious:&nbsp;<\/strong>389,636&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Suspicious:&nbsp;<\/strong>75,113&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>IOCs:&nbsp;<\/strong>1,015,431,934&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>During the last quarter of 2025,&nbsp;overall threat investigation activity remained&nbsp;stable&nbsp;\u2014&nbsp;no drastic growth&nbsp;in volume. The total number of&nbsp;sandbox analyses&nbsp;conducted&nbsp;in&nbsp;<a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=malware_trends_q4_25&amp;utm_term=291225&amp;utm_content=linksandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN\u2019s Interactive Sandbox<\/a> increased slightly by 6%,&nbsp;surpassing 2 million&nbsp;since Q3.&nbsp;<\/p>\n\n\n\n<p>Over&nbsp;one&nbsp;billion indicators were gathered&nbsp;by&nbsp;our&nbsp;community&nbsp;during analysis sessions.&nbsp;A total of 389,636&nbsp;samples&nbsp;were&nbsp;labeled as malicious, and 75,113 as suspicious.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Top Malware Types: Highlights&nbsp;<\/h2>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"538\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Malware-types-Q4-2025-1024x538.png\" alt=\"\" class=\"wp-image-17470\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Malware-types-Q4-2025-1024x538.png 
1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Malware-types-Q4-2025-300x158.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Malware-types-Q4-2025-768x403.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Malware-types-Q4-2025-1536x806.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Malware-types-Q4-2025-2048x1075.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Malware-types-Q4-2025-370x194.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Malware-types-Q4-2025-270x142.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Malware-types-Q4-2025-740x389.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Top malware types Q4 2025<\/em><\/figcaption><\/figure><\/div>\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong><a href=\"https:\/\/any.run\/malware-trends\/stealer\/\" target=\"_blank\" rel=\"noreferrer noopener\">Stealer<\/a><\/strong>: 36,685&nbsp;&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li><strong><a href=\"https:\/\/any.run\/malware-trends\/rat\/\" target=\"_blank\" rel=\"noreferrer noopener\">RAT<\/a><\/strong>: 23,788&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"3\" class=\"wp-block-list\">\n<li><strong><a href=\"https:\/\/any.run\/malware-trends\/loader\/\" target=\"_blank\" rel=\"noreferrer noopener\">Loader<\/a><\/strong>: 19,070&nbsp;&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"4\" class=\"wp-block-list\">\n<li><strong><a href=\"https:\/\/any.run\/malware-trends\/backdoor\/\" target=\"_blank\" rel=\"noreferrer noopener\">Backdoor<\/a><\/strong>: 10,560&nbsp;&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"5\" class=\"wp-block-list\">\n<li><strong><a href=\"https:\/\/any.run\/malware-trends\/ransomware\/\" target=\"_blank\" rel=\"noreferrer noopener\">Ransomware<\/a><\/strong>: 
7,317&nbsp;&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"6\" class=\"wp-block-list\">\n<li><strong><a href=\"https:\/\/any.run\/malware-trends\/adware\/\" target=\"_blank\" rel=\"noreferrer noopener\">Adware<\/a><\/strong>: 5,854&nbsp;&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"7\" class=\"wp-block-list\">\n<li><strong><a href=\"https:\/\/any.run\/malware-trends\/botnet\/\" target=\"_blank\" rel=\"noreferrer noopener\">Botnet<\/a><\/strong>: 5,149&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"8\" class=\"wp-block-list\">\n<li><strong><a href=\"https:\/\/any.run\/malware-trends\/trojan\/\" target=\"_blank\" rel=\"noreferrer noopener\">Trojan<\/a><\/strong>: 2,813&nbsp;&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"9\" class=\"wp-block-list\">\n<li><strong><a href=\"https:\/\/any.run\/malware-trends\/miner\/\" target=\"_blank\" rel=\"noreferrer noopener\">Miner<\/a><\/strong>: 2,668&nbsp;&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"10\" class=\"wp-block-list\">\n<li><strong><a href=\"https:\/\/any.run\/malware-trends\/keylogger\/\" target=\"_blank\" rel=\"noreferrer noopener\">Keylogger<\/a><\/strong>: 2,598&nbsp;<\/li>\n<\/ol>\n\n\n\n<p>Although the list of top malware types looks similar to Q3 at first glance, several notable changes in activity levels should be pointed out:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Stealer&nbsp;<\/strong>dominance persists despite&nbsp;a&nbsp;16% drop. 
This signals&nbsp;that&nbsp;credential theft&nbsp;remains&nbsp;a&nbsp;priority for attackers targeting financial sectors.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><strong>Widespread&nbsp;families:<\/strong>&nbsp;<a href=\"https:\/\/any.run\/malware-trends\/lumma\/\" target=\"_blank\" rel=\"noreferrer noopener\">Lumma<\/a>,&nbsp;<a href=\"https:\/\/any.run\/malware-trends\/stealc\/\" target=\"_blank\" rel=\"noreferrer noopener\">Stealc<\/a>,&nbsp;<a href=\"https:\/\/any.run\/malware-trends\/blankgrabber\/\" target=\"_blank\" rel=\"noreferrer noopener\">Blank Grabber<\/a>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>RAT&nbsp;<\/strong>surged&nbsp;(+28%),&nbsp;taking&nbsp;second&nbsp;place&nbsp;from&nbsp;Loaders,&nbsp;a clear&nbsp;indication&nbsp;that&nbsp;remote access tools are gaining traction for persistent post-exploitation in enterprise environments.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><strong>Widespread&nbsp;families:<\/strong>&nbsp;<a href=\"https:\/\/any.run\/malware-trends\/XWorm\/\" target=\"_blank\" rel=\"noreferrer noopener\">XWorm<\/a>,&nbsp;<a href=\"https:\/\/any.run\/malware-trends\/quasar\/\" target=\"_blank\" rel=\"noreferrer noopener\">Quasar RAT<\/a>,&nbsp;<a href=\"https:\/\/any.run\/malware-trends\/asyncrat\/\" target=\"_blank\" rel=\"noreferrer noopener\">AsyncRAT<\/a>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Loader&nbsp;<\/strong>threats moved one&nbsp;place down&nbsp;despite a slight decrease in detections.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><strong>Widespread families:<\/strong>&nbsp;<a href=\"https:\/\/any.run\/malware-trends\/smoke\/\" target=\"_blank\" rel=\"noreferrer noopener\">Smoke Loader<\/a>,&nbsp;<a href=\"https:\/\/any.run\/malware-trends\/purecrypter\/\" target=\"_blank\" rel=\"noreferrer noopener\">PureCrypter<\/a>,&nbsp;<a href=\"https:\/\/any.run\/malware-trends\/hijackloader\/\" target=\"_blank\" rel=\"noreferrer noopener\">HijackLoader<\/a>&nbsp;<\/p>\n\n\n\n<p><strong>Backdoor<\/strong>&#8217;s 68% activity 
growth reflects modular malware kits proliferating, enabling easier customization and evasion of traditional defenses.&nbsp;<\/p>\n\n\n\n<p><strong>Adware&nbsp;<\/strong>moved&nbsp;up&nbsp;two&nbsp;places&nbsp;with&nbsp;a 31%&nbsp;rise&nbsp;in&nbsp;activity,&nbsp;while&nbsp;ransomware&nbsp;detections&nbsp;decreased&nbsp;by&nbsp;the&nbsp;same&nbsp;percentage.&nbsp;<\/p>\n\n\n\n<p>At&nbsp;the&nbsp;lower&nbsp;end&nbsp;of&nbsp;the&nbsp;list&nbsp;there&nbsp;are&nbsp;<strong>Botnet&nbsp;<\/strong>with 5K&nbsp;detections,&nbsp;<strong>Trojan&nbsp;<\/strong>with 2.8K,&nbsp;<strong>Miner&nbsp;<\/strong>with 2.6K, and&nbsp;<strong>Keylogger&nbsp;<\/strong>with 2.5K.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Detect evasive threats with ANY.RUN\u2019s&nbsp;Interactive Sandbox&nbsp;&nbsp;&nbsp;<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"566\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image3-9-2048x1132-1-1024x566.png\" alt=\"\" class=\"wp-image-17487\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image3-9-2048x1132-1-1024x566.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image3-9-2048x1132-1-300x166.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image3-9-2048x1132-1-768x425.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image3-9-2048x1132-1-1536x849.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image3-9-2048x1132-1-370x205.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image3-9-2048x1132-1-270x149.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image3-9-2048x1132-1-740x409.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image3-9-2048x1132-1.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 
1024px\" \/><figcaption class=\"wp-element-caption\"><em>Multi-stage attack detonated inside ANY.RUN sandbox<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>ANY.RUN&#8217;s Interactive Sandbox enables businesses and SOC teams to proactively identify cyber threats by analyzing files and URLs inside interactive Windows, Linux, Android VMs.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Stronger Protection for Businesses:<\/strong>&nbsp;Early detection and shorter MTTD minimize risks, safeguarding&nbsp;infrastructure&nbsp;and reputation.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Higher Efficiency &amp; ROI:<\/strong>&nbsp;Faster investigations cut costs, reduce analyst load, and power quicker incident resolution.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Smarter Decision-Making:&nbsp;<\/strong>Flexible, enterprise-grade solution enhances visibility into threats, allowing for insight-driven action.&nbsp;<\/li>\n<\/ul>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\nAchieve faster MTTR and boost detection rate<\/br>\n<span class=\"highlight\">with interactive analysis by ANY.RUN<\/span><\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/any.run\/enterprise\/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=malware_trends_q4_25&#038;utm_term=291225&#038;utm_content=linktoenterprise#contact-sales\" target=\"_blank\" rel=\"noopener\">\nStart\u00a0trial<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 
0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<h2 class=\"wp-block-heading\">Top Malware Families&nbsp;<\/h2>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"538\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Malware-families-Q4-2025-2-1024x538.png\" alt=\"\" class=\"wp-image-17482\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Malware-families-Q4-2025-2-1024x538.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Malware-families-Q4-2025-2-300x158.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Malware-families-Q4-2025-2-768x403.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Malware-families-Q4-2025-2-1536x806.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Malware-families-Q4-2025-2-2048x1075.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Malware-families-Q4-2025-2-370x194.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Malware-families-Q4-2025-2-270x142.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Malware-families-Q4-2025-2-740x389.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Top malware families Q4 2025<\/em><\/figcaption><\/figure><\/div>\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><a 
href=\"https:\/\/any.run\/malware-trends\/xworm\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>XWorm<\/strong><\/a>: 13,945&nbsp;&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li><a href=\"https:\/\/any.run\/malware-trends\/asyncrat\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>AsyncRAT<\/strong><\/a>: 5,056&nbsp;&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"3\" class=\"wp-block-list\">\n<li><a href=\"https:\/\/any.run\/malware-trends\/quasar\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Quasar<\/strong><\/a>: 4,711&nbsp;&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"4\" class=\"wp-block-list\">\n<li><a href=\"https:\/\/any.run\/malware-trends\/vidar\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Vidar<\/strong><\/a>: 4,498&nbsp;&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"5\" class=\"wp-block-list\">\n<li><a href=\"https:\/\/any.run\/malware-trends\/stealc\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Stealc<\/strong><\/a>: 4,432&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"6\" class=\"wp-block-list\">\n<li><a href=\"https:\/\/any.run\/malware-trends\/remcos\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Remcos<\/strong><\/a>: 3,598&nbsp;&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"7\" class=\"wp-block-list\">\n<li><a href=\"https:\/\/any.run\/malware-trends\/lumma\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Lumma<\/strong><\/a>: 3,399&nbsp;&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"8\" class=\"wp-block-list\">\n<li><a href=\"https:\/\/any.run\/malware-trends\/blackmoon\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Blackmoon<\/strong><\/a>: 3,208&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"9\" class=\"wp-block-list\">\n<li><a href=\"https:\/\/any.run\/malware-trends\/agenttesla\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>AgentTesla<\/strong><\/a>: 3,136&nbsp;&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"10\" class=\"wp-block-list\">\n<li><a 
href=\"https:\/\/any.run\/malware-trends\/mirai\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Mirai<\/strong><\/a>: 3,067&nbsp;<\/li>\n<\/ol>\n\n\n\n<p>This section&nbsp;indicates&nbsp;a number of&nbsp;drastic changes in intensity and volume of certain threats.&nbsp;Key observations include:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/malware-trends\/xworm\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>XWorm<\/strong><\/a><strong>,<\/strong>&nbsp;driven by its adaptability across industries like manufacturing and healthcare, showed a&nbsp;+174%&nbsp;surge.&nbsp;<\/p>\n\n\n\n<p><strong>XWorm&nbsp;IOCs from&nbsp;<\/strong><a href=\"https:\/\/intelligence.any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=malware_trends_q4_25&amp;utm_term=291225&amp;utm_content=linktotilookup\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Threat Intelligence Lookup<\/strong><\/a>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>centre-instruction[.]gl[.]at[.]ply[.]gg&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>uk-compete[.]gl[.]at[.]ply[.]gg&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>176[.]113[.]73[.]167&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Find more IOCs in TI Lookup with this query:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=malware_trends_q4_25&amp;utm_term=291225&amp;utm_content=linktotilookup#{%22query%22:%22threatName:%5C%22xworm%5C%22%20AND%20domainName:%5C%22%5C%22%22,%22dateRange%22:60}\" target=\"_blank\" rel=\"noreferrer noopener\">threatName:&#8221;xworm&#8221; AND\u00a0domainName:&#8221;&#8221;<\/a>\u00a0<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/any.run\/malware-trends\/asyncrat\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>AsyncRAT<\/strong><\/a><strong>&nbsp;<\/strong>and&nbsp;<a href=\"https:\/\/any.run\/malware-trends\/quasar\/\" 
target=\"_blank\" rel=\"noreferrer noopener\"><strong>Quasar<\/strong><\/a>&nbsp;grew by 46%&nbsp;and&nbsp;27%, showing&nbsp;open-source RATs outpacing commercial stealers, fueled by underground sharing and rapid evolution.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><strong>AsyncRAT&nbsp;IOCs from&nbsp;<\/strong><a href=\"https:\/\/intelligence.any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=malware_trends_q4_25&amp;utm_term=291225&amp;utm_content=linktotilookup\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Threat Intelligence Lookup<\/strong><\/a><strong>&nbsp;<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>xoilac[.]livecdnem[.]com&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>asj299[.]com&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>94[.]154[.]35[.]160&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Find more IOCs in TI Lookup with this query:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=malware_trends_q4_25&amp;utm_term=291225&amp;utm_content=linktolookup#%7B%2522query%2522:%2522threatName:%255C%2522asyncrat%255C%2522%2520AND%2520domainName:%255C%2522%255C%2522%2522,%2522dateRange%2522:60%7D\" target=\"_blank\" rel=\"noreferrer noopener\">threatName:&#8221;asyncrat&#8221; AND domainName:&#8221;&#8221;<\/a>\u00a0<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/malware-trends\/lumma\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Lumma<\/strong><\/a>\u2019s&nbsp;fall&nbsp;from&nbsp;first&nbsp;to eighth place with a&nbsp;-65% plunge&nbsp;highlights&nbsp;attacker shifts&nbsp;to newer, less-detected families, reducing reliance on saturated stealer&nbsp;platforms.&nbsp;<\/p>\n\n\n\n<p><strong>Lumma&nbsp;IOCs from&nbsp;<\/strong><a href=\"https:\/\/intelligence.any.run\/??utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=malware_trends_q4_25&amp;utm_term=291225&amp;utm_content=linktotilookup\" 
target=\"_blank\" rel=\"noreferrer noopener\"><strong>Threat Intelligence Lookup<\/strong><\/a><strong>&nbsp;<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>handpaw[.]click&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>mattykp[.]click&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>159[.]198[.]70[.]75&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Find more IOCs in TI Lookup with this query:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=malware_trends_q4_25&amp;utm_term=291225&amp;utm_content=linktolookup#%7B%2522query%2522:%2522threatName:%255C%2522lumma%255C%2522%2520AND%2520domainName:%255C%2522%255C%2522%2522,%2522dateRange%2522:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">threatName:&#8221;lumma&#8221; AND domainName:&#8221;&#8221;<\/a>\u00a0<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/malware-trends\/vidar\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Vidar<\/strong><\/a> and <a href=\"https:\/\/any.run\/malware-trends\/stealc\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Stealc<\/strong><\/a> with 4K+ detections each re-emerged in Q4, indicating a sudden end-of-year growth.<\/p>\n\n\n\n<p>Another addition to the chart is <a href=\"https:\/\/any.run\/malware-trends\/blackmoon\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Blackmoon<\/strong><\/a> with 3,208 detections. 
At the same time, <a href=\"https:\/\/any.run\/malware-trends\/agenttesla\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>AgentTesla<\/strong><\/a> and <a href=\"https:\/\/any.run\/malware-trends\/remcos\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Remcos<\/strong><\/a> threats saw a reduction in detections and went from second and fourth places to tenth and seventh respectively.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Ensure&nbsp;early&nbsp;threat&nbsp;detection via Threat Intelligence&nbsp;Feeds&nbsp;<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"530\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image2-5-2048x1060-3-1024x530.png\" alt=\"\" class=\"wp-image-17496\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image2-5-2048x1060-3-1024x530.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image2-5-2048x1060-3-300x155.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image2-5-2048x1060-3-768x398.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image2-5-2048x1060-3-1536x795.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image2-5-2048x1060-3-370x192.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image2-5-2048x1060-3-270x140.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image2-5-2048x1060-3-740x383.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image2-5-2048x1060-3.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>TI Feeds provides fresh data from 15k organizations<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Gain a live view of the threat landscape with fresh, actionable IOCs delivered to you from investigations 
done across 15,000 companies.&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Refine detection and response:<\/strong>&nbsp;Rich threat context and integration opportunities power your SOC for&nbsp;proactive&nbsp;defense.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Mitigate risks of breaches:&nbsp;<\/strong>Expanded threat coverage and visibility into threats help stay ahead of&nbsp;attackers&nbsp;without&nbsp;wasting time on false alarms.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Improve performance rates:&nbsp;<\/strong>Unique, noise-free indicators beat alert fatigue and promote early detection even for hidden and evasive threats.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Top TTPs&nbsp;<\/h2>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"538\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Mitre-techniques-Q4-2025-1024x538.png\" alt=\"\" class=\"wp-image-17474\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Mitre-techniques-Q4-2025-1024x538.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Mitre-techniques-Q4-2025-300x158.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Mitre-techniques-Q4-2025-768x403.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Mitre-techniques-Q4-2025-1536x806.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Mitre-techniques-Q4-2025-2048x1075.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Mitre-techniques-Q4-2025-370x194.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Mitre-techniques-Q4-2025-270x142.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Mitre-techniques-Q4-2025-740x389.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Top MITRE ATT&amp;CK TTPs Q4 2025<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The top 10 most detected techniques, tactics, and procedures (TTPs) show significant shifts from quarter to quarter \u2014 a reminder that threat actors never stop refining and changing their methods.<\/p>\n\n\n\n<p>The number of detections for TTPs mostly grew: the first place is taken up by <strong>Subvert Trust Controls: Install Root Certificate, T1553.004<\/strong> with 227,451 detections. 
In Q3, first place was held by a TTP with half that activity rate.<\/p>\n\n\n\n<p>Second&nbsp;place&nbsp;was&nbsp;still&nbsp;occupied&nbsp;by&nbsp;<strong>Masquerading: Rename&nbsp;Legitimate&nbsp;Utilities, T1036.003&nbsp;<\/strong>with 105,539 detections&nbsp;(+9%).&nbsp;<\/p>\n\n\n\n<p>A new addition to the list,&nbsp;<strong>Command and Scripting Interpreter:&nbsp;Windows Command&nbsp;Shell,<\/strong>&nbsp;T1059.003,&nbsp;came third with&nbsp;<strong>71,608 detections.<\/strong>&nbsp;<\/p>\n\n\n\n<p>1. Subvert Trust Controls: Install Root Certificate, T1553.004:&nbsp;<strong>227,451<\/strong>&nbsp;<\/p>\n\n\n\n<p>2. Masquerading: Rename&nbsp;Legitimate&nbsp;Utilities, T1036.003:&nbsp;<strong>105,539<\/strong>&nbsp;<\/p>\n\n\n\n<p>3. Command and Scripting Interpreter:&nbsp;Windows Command&nbsp;Shell,&nbsp;T1059.003:&nbsp;<strong>71,608<\/strong>&nbsp;<\/p>\n\n\n\n<p>4. Command and Scripting Interpreter:&nbsp;PowerShell,&nbsp;T1059.001:&nbsp;<strong>64,684<\/strong>&nbsp;<\/p>\n\n\n\n<p>5. Virtualization\/Sandbox Evasion: Time Based&nbsp;Checks, T1497.003:&nbsp;<strong>51,910<\/strong>&nbsp;<\/p>\n\n\n\n<p>6. Boot or Logon&nbsp;Autostart&nbsp;Execution: Registry Run Keys \/ Startup Folder, T1547.001:&nbsp;<strong>46,007<\/strong>&nbsp;<\/p>\n\n\n\n<p>7. System Services: Service Execution, T1569.002:&nbsp;<strong>38,515<\/strong>&nbsp;<\/p>\n\n\n\n<p>8. Masquerading: Match Legitimate Resource Name or Location, T1036.005:&nbsp;<strong>35,278<\/strong>&nbsp;<\/p>\n\n\n\n<p>9. Scheduled Task\/Job: Scheduled Task, T1053.005:&nbsp;<strong>21,460<\/strong>&nbsp;<\/p>\n\n\n\n<p>10. 
Signed Binary Proxy Execution:&nbsp;Rundll32,&nbsp;T1218.011:&nbsp;<strong>19,236<\/strong>&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Collect Fresh Threat Intelligence with Threat Intelligence&nbsp;Lookup&nbsp;<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"531\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image2-2-2048x1061-1-1024x531.png\" alt=\"\" class=\"wp-image-17490\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image2-2-2048x1061-1-1024x531.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image2-2-2048x1061-1-300x155.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image2-2-2048x1061-1-768x398.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image2-2-2048x1061-1-1536x796.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image2-2-2048x1061-1-370x192.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image2-2-2048x1061-1-270x140.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image2-2-2048x1061-1-740x383.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/image2-2-2048x1061-1.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>TI Lookup sharing info on threats&nbsp;submitted&nbsp;in Germany and relevant for finance companies&nbsp;<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p><a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=malware_trends_q4_25&amp;utm_term=29122025&amp;utm_content=linktolookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a>&nbsp;offers a searchable database of fresh Indicators of Compromise (IOCs), Attack (IOAs), and 
Behavior (IOBs) belonging to the latest&nbsp;cyber attacks&nbsp;on 15,000 companies.&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Build proactive defense:&nbsp;<\/strong>Actionable threat intelligence drives targeted and insightful research for staying ahead.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Ensure rapid triage and response:&nbsp;<\/strong>Instant enrichment of indicators with&nbsp;behavioral context makes for fast and smart decisions.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Optimize&nbsp;workload:&nbsp;<\/strong>Rich threat data empowers Tier 1 analysts to work sustainably, reducing escalations to Tier 2.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Phishing Activity in Q4&nbsp;2025&nbsp;<\/h2>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"538\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Phishing-activity-Q4-2025-1024x538.png\" alt=\"\" class=\"wp-image-17475\" style=\"width:650px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Phishing-activity-Q4-2025-1024x538.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Phishing-activity-Q4-2025-300x158.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Phishing-activity-Q4-2025-768x403.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Phishing-activity-Q4-2025-1536x806.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Phishing-activity-Q4-2025-2048x1075.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Phishing-activity-Q4-2025-370x194.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Phishing-activity-Q4-2025-270x142.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Phishing-activity-Q4-2025-740x389.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Phishing activity Q4 2025<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Overall&nbsp;phishing&nbsp;activity&nbsp;by&nbsp;uploads<strong>:&nbsp;<\/strong>159,592&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Activity by phishing kits&nbsp;&nbsp;<\/h3>\n\n\n\n<p>Phishkits:&nbsp;<\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><a href=\"https:\/\/any.run\/malware-trends\/tycoon\/\" 
target=\"_blank\" rel=\"noreferrer noopener\"><strong>Tycoon<\/strong><\/a><strong>:&nbsp;<\/strong>41,046&nbsp;&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li><a href=\"https:\/\/any.run\/malware-trends\/evilproxy\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>EvilProxy<\/strong><\/a><strong>:&nbsp;<\/strong>14,258&nbsp;&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"3\" class=\"wp-block-list\">\n<li><a href=\"https:\/\/any.run\/malware-trends\/sneaky2fa\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Sneaky2FA<\/strong><\/a><strong>:&nbsp;<\/strong>7,272&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"4\" class=\"wp-block-list\">\n<li><a href=\"https:\/\/any.run\/malware-trends\/mamba\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Mamba2FA<\/strong><\/a><strong>:&nbsp;<\/strong>3,904&nbsp;&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"5\" class=\"wp-block-list\">\n<li><a href=\"https:\/\/any.run\/malware-trends\/salty2fa\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Salty2FA<\/strong><\/a><strong>:&nbsp;<\/strong>350&nbsp;&nbsp;<\/li>\n<\/ol>\n\n\n\n<p>Q4\u2019s results align with our&nbsp;<a href=\"https:\/\/any.run\/cybersecurity-blog\/annual-report-2025\/\" target=\"_blank\" rel=\"noreferrer noopener\">annual report<\/a>\u2019s conclusions: phishing is a prevalent type of cyber threat and&nbsp;<a href=\"https:\/\/any.run\/malware-trends\/tycoon\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Tycoon<\/strong><\/a><strong>&nbsp;<\/strong>dominates in this category:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>It remained at the top of the list with double the intensity of detections. Likewise, <a href=\"https:\/\/any.run\/malware-trends\/evilproxy\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>EvilProxy<\/strong><\/a> stayed second, with a 51% increase in volume. 
This underscores PhaaS maturation, with kits now bundling advanced 2FA bypass for high-value targets.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/any.run\/malware-trends\/sneaky2fa\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Sneaky2FA<\/strong><\/a><strong>&nbsp;<\/strong>moved from fourth to third place with a whopping&nbsp;+138% rise&nbsp;in activity.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/any.run\/malware-trends\/salty2fa\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Salty2FA<\/strong><\/a><strong>&nbsp;<\/strong>moved two places down, pointing to 2FA fatigue exploitation&nbsp;accelerating in enterprise phishing campaigns.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/any.run\/malware-trends\/mamba\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Mamba2FA<\/strong><\/a>,&nbsp;absent from&nbsp;the list in the previous quarter,&nbsp;took&nbsp;fourth place with 3.9K detections.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Activity&nbsp;by&nbsp;cyber&nbsp;criminal&nbsp;groups&nbsp;<\/h3>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong>Storm1747:<\/strong>&nbsp;37,274&nbsp;&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li><strong>TA569:&nbsp;<\/strong>4,054&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"3\" class=\"wp-block-list\">\n<li><strong>TA558:&nbsp;<\/strong>231&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"4\" class=\"wp-block-list\">\n<li><strong>Storm1575:<\/strong>&nbsp;21&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"5\" class=\"wp-block-list\">\n<li><strong>APT36:&nbsp;<\/strong>18&nbsp;<\/li>\n<\/ol>\n\n\n\n<p>Key observations&nbsp;regarding&nbsp;APT activity in Q4 2025:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Storm1747<\/strong>\u2019s&nbsp;dominance continued&nbsp;with a 51% rise in activity,&nbsp;likely tied&nbsp;to phishing infrastructure evolution targeting 
finance across EU\/NA regions.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>TA558<\/strong>&nbsp;jumped&nbsp;into the top ranks&nbsp;with +83% detections,&nbsp;suggesting&nbsp;expanded operations,&nbsp;possibly&nbsp;leveraging&nbsp;modular loaders for broader campaign reach.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>At the lower part of the list, we can see APTs displaying sharp 70-97% declines, likely due to detection improvements or operational pauses. The focus shifted to more opportunistic actors.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Top Protectors and Packers&nbsp;<\/h2>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"538\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Top-5-Protectors-and-Packers-1024x538.png\" alt=\"\" class=\"wp-image-17476\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Top-5-Protectors-and-Packers-1024x538.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Top-5-Protectors-and-Packers-300x158.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Top-5-Protectors-and-Packers-768x403.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Top-5-Protectors-and-Packers-1536x806.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Top-5-Protectors-and-Packers-2048x1075.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Top-5-Protectors-and-Packers-370x194.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Top-5-Protectors-and-Packers-270x142.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Top-5-Protectors-and-Packers-740x389.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Top 
protectors and packers Q4 2025<\/em><\/figcaption><\/figure><\/div>\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong>UPX<\/strong>: 12,576&nbsp;&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li><strong>NetReactor<\/strong>: 4,300&nbsp;&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"3\" class=\"wp-block-list\">\n<li><strong>Themida<\/strong>: 3,244&nbsp;&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"4\" class=\"wp-block-list\">\n<li><strong>ASPack<\/strong>: 1,263&nbsp;&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"5\" class=\"wp-block-list\">\n<li><strong>Confuser<\/strong>: 2,204&nbsp;&nbsp;<\/li>\n<\/ol>\n\n\n\n<p>The top 5 most detected protectors and packers&nbsp;correspond&nbsp;with those of Q3. However, there are differences in&nbsp;terms of their&nbsp;intensity:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>UPX&nbsp;<\/strong>remains&nbsp;dominant&nbsp;despite&nbsp;an&nbsp;11% drop&nbsp;and is still&nbsp;attackers&#8217;&nbsp;go-to for simple, fast obfuscation across commodity malware.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>NetReactor&nbsp;<\/strong>and&nbsp;<strong>Themida<\/strong>\u2019s&nbsp;sharp declines (-49%&nbsp;and&nbsp;-37%&nbsp;respectively) signal detection improvements and an attacker&nbsp;shift&nbsp;to newer .NET-focused protectors.&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Confuser&nbsp;<\/strong>kept&nbsp;its fifth&nbsp;place&nbsp;with&nbsp;48% growth&nbsp;that&nbsp;reflects&nbsp;the .NET&nbsp;malware boom.&nbsp;Attackers favor it for evading static analysis in enterprise-targeted payloads.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion&nbsp;<\/h2>\n\n\n\n<p>Q4 2025 shows a stable but evolving threat landscape. Key trends include persistent stealer activity, rising RATs and backdoors, and a dynamic phishing landscape. 
These insights underscore the importance of continuous monitoring and proactive threat analysis to stay ahead of emerging risks.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About&nbsp;ANY.RUN&nbsp;<\/h2>\n\n\n\n<p>ANY.RUN develops solutions for malware analysis and threat hunting. Its interactive <a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=malware_trends_q4_25&amp;utm_term=291225&amp;utm_content=linktosandboxanding\" target=\"_blank\" rel=\"noreferrer noopener\">malware analysis sandbox<\/a> is used by over 500,000 cybersecurity professionals worldwide. It enables detailed investigation of threats targeting Windows, Android, and Linux systems with hands-on analysis and instant visualization of malware behavior.<\/p>\n\n\n\n<p>ANY.RUN&#8217;s threat intelligence solutions, including <a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=malware_trends_q4_25&amp;utm_term=291225&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Lookup<\/a> and <a href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=malware_trends_q4_25&amp;utm_term=291225&amp;utm_content=linktotifeedslanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Feeds<\/a>, allow teams to quickly identify indicators of compromise, enrich alerts, and investigate incidents early on. 
As a result, analysts gain actionable insights, uncover hidden threats, and improve overall cybersecurity posture.<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/demo\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=malware_trends_q4_25&amp;utm_term=291225&amp;utm_content=linktodemo\" target=\"_blank\" rel=\"noreferrer noopener\">Start a 2-week&nbsp;ANY.RUN trial&nbsp;\u2192<\/a>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We\u2019re glad to present our regular quarterly report highlighting the most prominent malicious trends of the last three months of 2025, as observed by ANY.RUN\u2019s community. Following the release of&nbsp;our annual report on&nbsp;key threats&nbsp;and&nbsp;milestones, this&nbsp;report&nbsp;offers&nbsp;a&nbsp;closer&nbsp;look at&nbsp;the threat landscape of the&nbsp;final chapter&nbsp;of 2025.&nbsp; The Malware Trends report Q4 features top malware types, families, phishing kits, TTPs, [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":17464,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[80],"tags":[57,10,34],"class_list":["post-17461","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-reports","tag-anyrun","tag-cybersecurity","tag-malware-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Malware Trends\u00a0Q4 2025\u00a0| ANY.RUN Threat Report\u00a0<\/title>\n<meta name=\"description\" content=\"Discover key threat landscape insights your SOC should know about: see\u00a0malware trends\u00a0report\u00a0Q4 2025\u00a0by\u00a0ANY.RUN.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/malware-trends-report-q4-2025\/\" \/>\n<meta 
name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ANY.RUN\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malware-trends-report-q4-2025\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malware-trends-report-q4-2025\/\"},\"author\":{\"name\":\"ANY.RUN\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Malware Trends Q4 2025: Inside ANY.RUN\u2019s Latest Threat Landscape Report\u00a0\",\"datePublished\":\"2025-12-29T08:51:04+00:00\",\"dateModified\":\"2025-12-29T10:43:37+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malware-trends-report-q4-2025\/\"},\"wordCount\":2058,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware analysis\"],\"articleSection\":[\"Reports\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/malware-trends-report-q4-2025\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malware-trends-report-q4-2025\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/malware-trends-report-q4-2025\/\",\"name\":\"Malware Trends\u00a0Q4 2025\u00a0| ANY.RUN Threat Report\u00a0\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2025-12-29T08:51:04+00:00\",\"dateModified\":\"2025-12-29T10:43:37+00:00\",\"description\":\"Discover key threat landscape insights your SOC should know about: see\u00a0malware trends\u00a0report\u00a0Q4 
2025\u00a0by\u00a0ANY.RUN.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malware-trends-report-q4-2025\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/malware-trends-report-q4-2025\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malware-trends-report-q4-2025\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Reports\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/reports\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Malware Trends Q4 2025: Inside ANY.RUN\u2019s Latest Threat Landscape Report\u00a0\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"caption\":\"ANY.RUN\"},\"url\":\"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Malware Trends\u00a0Q4 2025\u00a0| ANY.RUN Threat Report\u00a0","description":"Discover key threat landscape insights your SOC should know about: see\u00a0malware trends\u00a0report\u00a0Q4 2025\u00a0by\u00a0ANY.RUN.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/malware-trends-report-q4-2025\/","twitter_misc":{"Written by":"ANY.RUN","Est. 
reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/malware-trends-report-q4-2025\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/malware-trends-report-q4-2025\/"},"author":{"name":"ANY.RUN","@id":"https:\/\/any.run\/"},"headline":"Malware Trends Q4 2025: Inside ANY.RUN\u2019s Latest Threat Landscape Report\u00a0","datePublished":"2025-12-29T08:51:04+00:00","dateModified":"2025-12-29T10:43:37+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/malware-trends-report-q4-2025\/"},"wordCount":2058,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","malware analysis"],"articleSection":["Reports"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/malware-trends-report-q4-2025\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/malware-trends-report-q4-2025\/","url":"https:\/\/any.run\/cybersecurity-blog\/malware-trends-report-q4-2025\/","name":"Malware Trends\u00a0Q4 2025\u00a0| ANY.RUN Threat Report\u00a0","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2025-12-29T08:51:04+00:00","dateModified":"2025-12-29T10:43:37+00:00","description":"Discover key threat landscape insights your SOC should know about: see\u00a0malware trends\u00a0report\u00a0Q4 
2025\u00a0by\u00a0ANY.RUN.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/malware-trends-report-q4-2025\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/malware-trends-report-q4-2025\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/malware-trends-report-q4-2025\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Reports","item":"https:\/\/any.run\/cybersecurity-blog\/category\/reports\/"},{"@type":"ListItem","position":3,"name":"Malware Trends Q4 2025: Inside ANY.RUN\u2019s Latest Threat Landscape Report\u00a0"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"ANY.RUN","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","caption":"ANY.RUN"},"url":"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/17461"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=17461"}],"version-history":[{"count":51,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/17461\/revisions"}],"predecessor-version":[{"id":17547,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/17461\/revisions\/17547"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/17
464"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=17461"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=17461"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=17461"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}