{"id":6558,"date":"2023-12-27T08:17:34","date_gmt":"2023-12-27T08:17:34","guid":{"rendered":"\/cybersecurity-blog\/?p=6558"},"modified":"2023-12-27T08:21:32","modified_gmt":"2023-12-27T08:21:32","slug":"malware-trends-q4-2023","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/malware-trends-q4-2023\/","title":{"rendered":"Malware Trends Report: Q4, 2023"},"content":{"rendered":"\n<p><a href=\"http:\/\/any.run\/?utm_source=blog&amp;utm_medium=article&amp;utm_campaign=q4_2023_stats&amp;utm_content=linktolanding&amp;utm_term=271223\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>&#8217;s latest malware trends analysis for Q4 2023 is here, offering a quarterly update on the most prevalent malware families, types, and TTPs.\u00a0<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Summary<\/strong>&nbsp;<\/h2>\n\n\n\n<p>In the fourth quarter of 2023, ANY.RUN users created a total of 748,298 submissions. Within these, 170,202 tasks, or 22.7%, were identified as malicious, and 6.4% (48,180 tasks) \u2014 as suspicious.&nbsp;<\/p>\n\n\n\n<p>Compared with last quarter\u2019s numbers, the proportion of malicious tasks stayed roughly the same (23.4% to 22.7%). 
The share of suspicious tasks, on the other hand, rose from 4.5% to 6.4%.&nbsp;<\/p>\n\n\n\n<p>When it comes to Indicators of Compromise, our users collected a grand total of\u00a0210,469,912\u00a0IOCs this quarter.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"567\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/1-6-1024x567.png\" alt=\"\" class=\"wp-image-6559\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/1-6-1024x567.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/1-6-300x166.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/1-6-768x425.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/1-6-370x205.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/1-6-270x149.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/1-6-740x410.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/1-6.png 1263w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<p>In our report, we&#8217;re going to:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Check out the most common malware types and families in Q4 2023, based on data from ANY.RUN\u00a0<\/li>\n\n\n\n<li>Dive into the top MITRE ATT&amp;CK TTPs used in this quarter&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Let&#8217;s check it out.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Top Malware Types in Q4 2023\u00a0<\/h2>\n\n\n\n<p>Here is a closer look at the most frequent malware types identified by ANY.RUN&#8217;s sandbox. 
At ANY.RUN, we\u2019re processing a lot of submissions \u2014 about 14k a day \u2014 which gives us a unique vantage point over the threats that are most likely to impact your organization.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"538\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/2-6-1024x538.png\" alt=\"\" class=\"wp-image-6560\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/2-6-1024x538.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/2-6-300x158.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/2-6-768x403.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/2-6-1536x806.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/2-6-370x194.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/2-6-270x142.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/2-6-740x389.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/2-6.png 1800w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Stealer<\/strong>: 6662\u00a0<\/li>\n\n\n\n<li><strong>Loader<\/strong>: 4752\u00a0<\/li>\n\n\n\n<li><strong>Ransomware<\/strong>: 3333\u00a0<\/li>\n\n\n\n<li><strong>RAT<\/strong>: 2444\u00a0<\/li>\n\n\n\n<li><strong>Trojan<\/strong>: 1355\u00a0<\/li>\n\n\n\n<li><strong>Keylogger<\/strong>: 837\u00a0<\/li>\n\n\n\n<li><strong>Backdoor<\/strong>: 384&nbsp;<\/li>\n\n\n\n<li><strong>Miner<\/strong>: 334&nbsp;<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Top malware types: highlights&nbsp;<\/h3>\n\n\n\n<p>In Q4 2023, <a href=\"https:\/\/any.run\/malware-trends\/stealer\" target=\"_blank\" rel=\"noreferrer noopener\">stealers<\/a> became the most popular category, overtaking <a 
href=\"https:\/\/any.run\/malware-trends\/loader\" target=\"_blank\" rel=\"noreferrer noopener\">loaders<\/a>. In Q3, mind you, loaders held the top spot, with stealers second.\u00a0<\/p>\n\n\n\n<p>Breaking down the numbers, stealers reached 6,662 instances in Q4, up from 5,423 submissions in Q3, a 22.8% jump. Loaders, meanwhile, fell to 4,752 instances in Q4 from 6,203 in Q3, a 23.4% drop; they appear to be losing ground to other malware types.&nbsp;<\/p>\n\n\n\n<p>Ransomware is now in third place with 3,333 instances, a slight increase from 3,283 in Q3. RATs, on the other hand, are down to 2,444 instances from 3,963 in Q3, a 38.3% decline. Trojans dropped sharply, to 1,355 instances from 2,426 in Q3, a 44.1% decrease and the largest percentage change of any category.<\/p>\n\n\n\n<p>Looking at other malware types, there&#8217;s a mix of changes. Keylogger usage is up, to 837 from 752. Backdoors, however, decreased to 384 from 545. 
Miners also showed some growth, increasing to 334 from 231.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Top Malware Families in Q4 2023 &nbsp;<\/h2>\n\n\n\n<p>Now that we\u2019ve taken a look at top malware categories, let\u2019s see which families were the most widely used.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"538\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/3-3-1024x538.png\" alt=\"\" class=\"wp-image-6561\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/3-3-1024x538.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/3-3-300x158.png 
300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/3-3-768x403.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/3-3-1536x806.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/3-3-370x194.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/3-3-270x142.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/3-3-740x389.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/3-3.png 1800w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Agent Tesla<\/strong>: 1769&nbsp;<\/li>\n\n\n\n<li><strong>RedLine<\/strong>: 1586&nbsp;<\/li>\n\n\n\n<li><strong>Remcos<\/strong>: 1081&nbsp;<\/li>\n\n\n\n<li><strong>NjRAT<\/strong>: 620&nbsp;<\/li>\n\n\n\n<li><strong>Formbook<\/strong>: 592&nbsp;<\/li>\n\n\n\n<li><strong>AsyncRAT<\/strong>: 533&nbsp;<\/li>\n\n\n\n<li><strong>Amadey<\/strong>: 459&nbsp;<\/li>\n\n\n\n<li><strong>Smoke<\/strong>: 315&nbsp;<\/li>\n\n\n\n<li><strong>Vidar<\/strong>: 281&nbsp;<\/li>\n\n\n\n<li><strong>Emotet<\/strong>: 261&nbsp;<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Top malware families: highlights&nbsp;<\/h3>\n\n\n\n<p>In Q4 2023, Agent Tesla took the lead again, replacing RedLine as the most prevalent malware, and Remcos made a huge comeback.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/any.run\/malware-trends\/agenttesla\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Agent Tesla<\/strong><\/a> jumped to the top spot with 1769 instances, a 16.1% increase from 1524 in Q3.<\/li>\n\n\n\n<li><a href=\"https:\/\/any.run\/malware-trends\/redline\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>RedLine<\/strong><\/a>, previously the most dominant, slipped to second place with 1586 instances, a drop of 31.4% from 2312 in Q3. 
&nbsp;<\/li>\n\n\n\n<li><a href=\"https:\/\/any.run\/malware-trends\/remcos\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Remcos<\/strong><\/a> climbed to third place with 1081 instances, an increase of 40.0% from 772 in Q3.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Top MITRE ATT&amp;CK techniques in Q4 2023<\/strong>&nbsp;<\/h2>\n\n\n\n<p>MITRE ATT&amp;CK is a globally recognized framework that breaks adversary behavior down into tactics and techniques. It&#8217;s a crucial tool for malware analysts to spot, evaluate, and tackle threats more efficiently.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"538\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/4-3-1024x538.png\" alt=\"\" class=\"wp-image-6562\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/4-3-1024x538.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/4-3-300x158.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/4-3-768x403.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/4-3-1536x806.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/4-3-370x194.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/4-3-270x142.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/4-3-740x389.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/12\/4-3.png 1800w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<p>In ANY.RUN, we automatically match malware behaviors to specific techniques. 
This quarter, our service made 248,820 matches overall, which lets us put together this list:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-49\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"21\"\n           data-wpID=\"49\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        MITRE ATT&CK Technique \t\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Count\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1036.005 Masquerading: Match 
Legitimate Name or Location\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        98,578\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1036.003 Masquerading: Rename System Utilities\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        54,230\u00a0\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1518.001 Software Discovery: 
Security Software Discovery\u00a0\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        53,690\u00a0\u00a0\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1114.001 Email Collection: Local Email Collection\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        27,258\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1218.011 Signed 
Binary Proxy Execution: Rundll32\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        21,426\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A7\"\n                    data-col-index=\"0\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1059.003 Command and Scripting Interpreter: Windows Command Shell\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B7\"\n                    data-col-index=\"1\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        20,097\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A8\"\n                    data-col-index=\"0\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1059.001 Command 
and Scripting Interpreter: PowerShell\t\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B8\"\n                    data-col-index=\"1\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        9,860\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A9\"\n                    data-col-index=\"0\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1497.003 Virtualization\/Sandbox Evasion: Time Based Evasion\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B9\"\n                    data-col-index=\"1\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        8,943\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A10\"\n                    data-col-index=\"0\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1204.002 User 
Execution: Malicious File\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B10\"\n                    data-col-index=\"1\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        7,303\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A11\"\n                    data-col-index=\"0\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1569.002 System Services: Service Execution\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B11\"\n                    data-col-index=\"1\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        7,119\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A12\"\n                    data-col-index=\"0\"\n                    data-row-index=\"11\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1053.005 Scheduled Task\/Job: Scheduled 
Task\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B12\"\n                    data-col-index=\"1\"\n                    data-row-index=\"11\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        6,444\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A13\"\n                    data-col-index=\"0\"\n                    data-row-index=\"12\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1547.001 Boot or Logon Autostart Execution: Registry Run Keys \/ Startup Folder\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B13\"\n                    data-col-index=\"1\"\n                    data-row-index=\"12\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        5,295\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A14\"\n                    data-col-index=\"0\"\n                    data-row-index=\"13\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1059.005 Command and 
Scripting Interpreter: Visual Basic\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B14\"\n                    data-col-index=\"1\"\n                    data-row-index=\"13\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        5,149\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A15\"\n                    data-col-index=\"0\"\n                    data-row-index=\"14\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1059.007 Command and Scripting Interpreter: JavaScript\/JScript\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B15\"\n                    data-col-index=\"1\"\n                    data-row-index=\"14\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        3,627\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A16\"\n                    data-col-index=\"0\"\n                    data-row-index=\"15\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1222.001 
File and Directory Permissions Modification: Windows File and Directory Permissions Modification\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B16\"\n                    data-col-index=\"1\"\n                    data-row-index=\"15\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        3,121\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A17\"\n                    data-col-index=\"0\"\n                    data-row-index=\"16\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1562.001 Impair Defenses: Disable or Modify Tools\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B17\"\n                    data-col-index=\"1\"\n                    data-row-index=\"16\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        2,452\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A18\"\n                    data-col-index=\"0\"\n                    data-row-index=\"17\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n    
                                    T1027.002 Obfuscated Files or Information: Software Packing\t\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B18\"\n                    data-col-index=\"1\"\n                    data-row-index=\"17\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        2,315\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A19\"\n                    data-col-index=\"0\"\n                    data-row-index=\"18\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1564.001 Hide Artifacts: Hidden Files and Directories\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B19\"\n                    data-col-index=\"1\"\n                    data-row-index=\"18\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        2,276\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A20\"\n                    data-col-index=\"0\"\n                    data-row-index=\"19\"\n                    style=\"                    padding:10px;\n                    \"\n                    
>\n                                        T1562.006 Impair Defenses: Indicator Blocking\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B20\"\n                    data-col-index=\"1\"\n                    data-row-index=\"19\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        1,895\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A21\"\n                    data-col-index=\"0\"\n                    data-row-index=\"20\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T1564.003 Hide Artifacts: Hidden Window\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B21\"\n                    data-col-index=\"1\"\n                    data-row-index=\"20\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        1,868\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-49'>\ntable#wpdtSimpleTable-49{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-49 td, table.wpdtSimpleTable49 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<h3 class=\"wp-block-heading\">Top TTPs: highlights&nbsp;<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>T1036.005, Masquerading: Match Legitimate Name or Location had a 
big drop in numbers, going from 151,442 to 98,578 cases between Q3 and Q4. &nbsp;<\/li>\n\n\n\n<li>T1036.003, Masquerading: Rename System Utilities, popped into the top 3 TTPs in Q4 with 54,230 cases. &nbsp;<\/li>\n\n\n\n<li>T1518.001, Software Discovery: Security Software Discovery also saw a big decrease, cutting down from 108,077 to 53,690 instances.&nbsp;<\/li>\n\n\n\n<li>And T1059.001, &#8216;Command and Scripting Interpreter: PowerShell&#8217;, went up, from 7,715 to 9,860 instances, indicating that PowerShell is becoming a more popular tool for malicious activities.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Report methodology&nbsp;<\/h2>\n\n\n\n<p>For our report, we looked at data from 748,298 tasks that were sent to our public threat database. This information comes from researchers in our community who contributed by running public tasks in ANY.RUN.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>About ANY.RUN<\/strong>&nbsp;<\/h3>\n\n\n\n<p>ANY.RUN is a cloud malware sandbox that handles the heavy lifting of malware analysis for SOC and DFIR teams. Every day, 300,000 professionals use our platform to investigate incidents and streamline threat analysis.&nbsp; &nbsp;<\/p>\n\n\n\n<p>Request a demo today and enjoy 14 days of free access to our Enterprise plan.&nbsp;&nbsp; &nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/demo\/?utm_source=blog&amp;utm_medium=article&amp;utm_campaign=q4_2023_stats&amp;utm_content=linktodemo&amp;utm_term=271223\" target=\"_blank\" rel=\"noreferrer noopener\">Request demo \u2192<\/a>\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>ANY.RUN&#8216;s latest malware trends analysis for Q4 2023 is here, offering a quarterly update on the most prevalent malware families, types, and TTPs.\u00a0 Summary&nbsp; In the fourth quarter of 2023 ANY.RUN users created a total of 748,298 submissions. 
Within these, 170,202 tasks, or 22.7%, were identified as malicious, and 6.4% (48,180 tasks) \u2014 as suspicious.&nbsp; [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":6564,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[57,10,34],"class_list":["post-6558","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-lifehacks","tag-anyrun","tag-cybersecurity","tag-malware-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Malware Trends Report: Q4, 2023 - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"Explore the key malware trends in Q4 2023. Discover the top malware types and families, as well as the most common MITRE ATT&amp;CK techniques.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/malware-trends-q4-2023\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Vlad Ananin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malware-trends-q4-2023\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malware-trends-q4-2023\/\"},\"author\":{\"name\":\"Vlad Ananin\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Malware Trends Report: Q4, 2023\",\"datePublished\":\"2023-12-27T08:17:34+00:00\",\"dateModified\":\"2023-12-27T08:21:32+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malware-trends-q4-2023\/\"},\"wordCount\":765,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware analysis\"],\"articleSection\":[\"Cybersecurity Lifehacks\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/malware-trends-q4-2023\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malware-trends-q4-2023\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/malware-trends-q4-2023\/\",\"name\":\"Malware Trends Report: Q4, 2023 - ANY.RUN&#039;s Cybersecurity Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2023-12-27T08:17:34+00:00\",\"dateModified\":\"2023-12-27T08:21:32+00:00\",\"description\":\"Explore the key malware trends in Q4 2023. 
Discover the top malware types and families, as well as the most common MITRE ATT&CK techniques.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malware-trends-q4-2023\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/malware-trends-q4-2023\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malware-trends-q4-2023\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cybersecurity Lifehacks\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/lifehacks\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Malware Trends Report: Q4, 2023\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"Vlad Ananin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/564ed55b05884a34062108096c0ed973?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/564ed55b05884a34062108096c0ed973?s=96&d=mm&r=g\",\"caption\":\"Vlad Ananin\"},\"url\":\"https:\/\/any.run\/cybersecurity-blog\/author\/vlad-ananin\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Malware Trends Report: Q4, 2023 - ANY.RUN&#039;s Cybersecurity Blog","description":"Explore the key malware trends in Q4 2023. Discover the top malware types and families, as well as the most common MITRE ATT&CK techniques.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/malware-trends-q4-2023\/","twitter_misc":{"Written by":"Vlad Ananin","Est. 
reading time":"5 minutes"}}}