Top 5 Malware Threats to Prepare Against in 2025


2024 had its fair share of high-profile cyber attacks, with companies as large as Dell and Ticketmaster falling victim to data breaches and other infrastructure compromises. There is no reason to expect the trend to reverse in 2025. To be prepared for a malware attack, an organization needs to know its likely adversary in advance, so here are five common malware families you can start preparing to counter right now.

Lumma

Lumma is a widely available information stealer that has been openly sold on underground forums since 2022. It collects and exfiltrates data from targeted applications, including login credentials, financial information, and personal details.

Lumma is regularly updated to extend its capabilities. It can harvest detailed information from compromised systems, such as browsing history and cryptocurrency wallet data, and it can also act as a loader, installing additional malware on infected devices. In 2024, Lumma was distributed through a variety of methods, including fake CAPTCHA pages, torrents, and targeted phishing emails.

Analysis of a Lumma Attack

Proactive analysis of suspicious files and URLs in a sandbox environment helps you catch Lumma before it reaches a production endpoint.

Let’s see how this works in ANY.RUN’s cloud-based sandbox. It delivers verdicts on malware and phishing along with actionable indicators, and it also allows real-time interaction with the sample and the analysis system.

Take a look at this analysis of a Lumma attack.

ANY.RUN lets you manually open files and launch executables

The attack starts with an archive that contains an executable. Once we launch the .exe file, the sandbox logs all process and network activity, exposing Lumma’s behavior step by step.

Suricata IDS informs us about a malicious connection to Lumma’s C2 server

It connects to its command-and-control (C2) server.

Malicious process responsible for stealing data from the system

Next, it begins to collect and exfiltrate data from the machine.

You can use the IOCs extracted by the sandbox to enhance your detection systems

After finishing the analysis, we can export a report on this sample that lists the indicators of compromise (IOCs) and TTPs, which can then be used to enrich defenses against Lumma attacks in your organization.
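The step that turns a sandbox report into protection is feeding its indicators into your own telemetry and detection rules. The following is an added example, not ANY.RUN’s code: it loads a constructed stand-in for an exported IOC list (the real export schema is not assumed), refangs the indicators, matches them against constructed proxy log lines and endpoint file-hash events, and emits Suricata DNS rules for the C2 domains. All hostnames, addresses and hashes are made up for illustration.

```python
"""Match indicators exported from a sandbox session against local telemetry.

Added example, not ANY.RUN's code. The report layout below is a constructed
stand-in for a sandbox IOC export (not the real export schema); the log lines,
hashes and addresses are constructed for illustration.
"""
import json
import re

# Constructed stand-in for an exported IOC list. Reports often defang
# indicators (hxxp, [.]), so the loader refangs them before matching.
SANDBOX_REPORT = json.dumps({
    "sample": "payload.exe",
    "iocs": {
        "domains": ["hxxp://update-checker[.]example/api/c2", "cdn-static[.]example"],
        "ips": ["203[.]0[.]113[.]45"],
        "sha256": ["B5D4045C3F466FA91FEA3D9EA0AA8B6A1F3A9C7D0E2B4C6D8E0F1A2B3C4D5E6F"],
    },
})

# Constructed proxy log lines and endpoint file-hash events.
PROXY_LOG = [
    "2025-01-07T10:02:11Z src=10.0.0.12 dst=203.0.113.45 host=update-checker.example uri=/api/c2",
    "2025-01-07T10:02:15Z src=10.0.0.12 dst=198.51.100.7 host=www.example.org uri=/",
    "2025-01-07T10:03:40Z src=10.0.0.31 dst=198.51.100.9 host=dl.cdn-static.example uri=/loader.zip",
]
HASH_EVENTS = [
    {"host": "WS-12", "path": r"C:\Users\a\Downloads\setup.exe",
     "sha256": "b5d4045c3f466fa91fea3d9ea0aa8b6a1f3a9c7d0e2b4c6d8e0f1a2b3c4d5e6f"},
    {"host": "WS-31", "path": r"C:\Windows\notepad.exe",
     "sha256": "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0"},
]


def refang(value):
    """Undo common defanging and reduce a URL or host:port to its bare host."""
    v = value.strip().lower()
    for old, new in (("hxxps://", ""), ("hxxp://", ""), ("[.]", "."), ("(.)", "."), ("[:]", ":")):
        v = v.replace(old, new)
    v = re.sub(r"^[a-z]+://", "", v)      # drop any remaining scheme
    return v.split("/")[0].split(":")[0]  # keep host only (no path, no port)


def load_iocs(report_json):
    """Parse the constructed report into normalized indicator sets."""
    data = json.loads(report_json)["iocs"]
    return {
        "domains": {refang(d) for d in data.get("domains", [])},
        "ips": {refang(i) for i in data.get("ips", [])},
        "sha256": {h.lower() for h in data.get("sha256", [])},
    }


LOG_RE = re.compile(r"dst=(?P<dst>\S+)\s+host=(?P<host>\S+)")


def match_proxy_logs(iocs, lines):
    """Return (indicator, line) pairs for lines touching an IOC.

    A domain IOC matches the observed host exactly or as its parent domain,
    so a C2 host that moves to a new subdomain is still caught.
    """
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        host, dst = m.group("host").lower(), m.group("dst")
        for d in iocs["domains"]:
            if host == d or host.endswith("." + d):
                hits.append((d, line))
                break
        else:
            if dst in iocs["ips"]:
                hits.append((dst, line))
    return hits


def match_hashes(iocs, events):
    """Return the endpoint events whose SHA-256 is in the IOC set."""
    return [e for e in events if e["sha256"].lower() in iocs["sha256"]]


def suricata_dns_rules(iocs, sid_base=9000001):
    """Emit one Suricata DNS-query alert rule per domain IOC (Suricata 5+ syntax)."""
    rules = []
    for n, d in enumerate(sorted(iocs["domains"])):
        rules.append(
            f'alert dns any any -> any any (msg:"Sandbox IOC: DNS query for {d}"; '
            f'dns.query; content:"{d}"; nocase; endswith; '
            f"classtype:trojan-activity; sid:{sid_base + n}; rev:1;)"
        )
    return rules


def run():
    iocs = load_iocs(SANDBOX_REPORT)
    return match_proxy_logs(iocs, PROXY_LOG), match_hashes(iocs, HASH_EVENTS)


if __name__ == "__main__":
    net_hits, file_hits = run()
    for ioc, line in net_hits:
        print(f"[NET ] {ioc}: {line}")
    for e in file_hits:
        print(f"[FILE] {e['host']} {e['path']} {e['sha256']}")
    print("\n".join(suricata_dns_rules(load_iocs(SANDBOX_REPORT))))
```

Against the constructed data, two of the three proxy lines match (one by exact host, one as a subdomain of the C2 domain) and one endpoint hash matches; the third proxy line is benign noise. In practice the hash matches are the short-lived part of this list, since the payload is repacked often, while the infrastructure matches and the DNS rules keep value for longer.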


XWorm

XWorm is a remote access trojan (RAT) that gives cybercriminals remote control over infected computers. First seen in July 2022, it can collect a wide range of sensitive information, including financial details, browsing history, saved passwords, and cryptocurrency wallet data.

XWorm allows attackers to monitor victims’ activities by tracking keystrokes, capturing webcam images, listening to audio input, scanning network connections, and viewing open windows. It can also access and manipulate the computer’s clipboard, potentially stealing cryptocurrency wallet credentials.

In 2024, XWorm was involved in many large-scale attacks, including campaigns that abused Cloudflare Tunnels and legitimate digital certificates.

Analysis of an XWorm Attack

Phishing emails are often the initial stage of XWorm attacks

In this attack, we can see the original phishing email, which contains a link to a file on Google Drive.

A Google Drive page with a download link to a malicious archive

Once we follow the link, we are prompted to download a password-protected archive.

Opened malicious archive with a .vbs file

The password is supplied in the email body. After entering it, we find a .vbs script inside the .zip file.

XWorm uses MSBuild.exe to persist on the system

As soon as we launch the script, the sandbox detects malicious activity, and the chain eventually leads to the deployment of XWorm on the machine.

AsyncRAT

AsyncRAT is another remote access trojan on the list. First seen in 2019, it was initially spread through spam emails, including 2020 campaigns that used the COVID-19 pandemic as a lure. Since then, the malware has gained popularity and been used in a wide range of cyber attacks.

AsyncRAT has evolved over time to include a wide range of malicious capabilities. It can secretly record a victim’s screen, log keystrokes, install additional malware, steal files, maintain persistence on infected systems, disable security software, and launch denial-of-service attacks against targeted websites.

In 2024, AsyncRAT remained a significant threat, often disguised as pirated software. It was also one of the first malware families to be distributed as part of complex attacks involving scripts generated by AI.

Analysis of an AsyncRAT Attack

The initial archive with an .exe file

In this analysis session, we can see another archive with a malicious executable inside.

A PowerShell process used for downloading a payload

Detonating the file kicks off the AsyncRAT execution chain, which uses PowerShell scripts to fetch the additional files needed to complete the infection.

Once the analysis is finished, the sandbox displays the final verdict on the sample.

Remcos

Remcos is a remote access tool that its developers market as legitimate remote administration software. Since its release in 2016, it has been used in numerous attacks to perform a wide range of malicious activities, including stealing sensitive information, remotely controlling the system, recording keystrokes, and capturing screen activity.

In 2024, campaigns distributing Remcos relied on script-based attacks, which often start with a VBScript that launches a PowerShell script to deploy the malware, and on exploitation of older vulnerabilities such as CVE-2017-11882 (the Microsoft Office Equation Editor memory corruption flaw) by way of malicious XML files.

Analysis of a Remcos Attack

Phishing email opened in ANY.RUN’s Interactive Sandbox

In this example, we are met with another phishing email that carries a .zip attachment and gives the password for it in the body.

cmd process used during the infection chain

The final payload leverages Command Prompt and Windows system processes to load and execute Remcos.

MITRE ATT&CK matrix provides a comprehensive view of the malware’s techniques

The ANY.RUN sandbox maps the entire chain of attack to the MITRE ATT&CK matrix for convenience.

LockBit

LockBit is a ransomware family primarily targeting Windows devices. It is considered one of the biggest ransomware threats, accounting for a substantial share of all Ransomware-as-a-Service (RaaS) attacks. The group’s affiliate-based, decentralized structure has allowed it to compromise numerous high-profile organizations worldwide, including the UK’s Royal Mail and India’s National Aerospace Laboratories.

Law enforcement agencies have taken steps to disrupt the LockBit group, notably Operation Cronos in February 2024, leading to the arrest of several developers and affiliates. Despite these efforts, the group continues to operate and has announced plans to release a new version, LockBit 4.0, in 2025.

Analysis of a LockBit Attack

LockBit ransomware launched in the safe environment of the ANY.RUN sandbox

Check out this sandbox session, showing how fast LockBit infects and encrypts files on a system.

ANY.RUN’s Interactive Sandbox lets you see static analysis of every modified file on the system

By tracking file system changes, we can see it modified 300 files in less than a minute.
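The file-system change rate seen in the sandbox is also the signal a host-based detection can key on. The following is an added example, not ANY.RUN’s code, that runs a simple burst detector over a constructed stream of file events: a few ordinary document saves followed by 300 renames to a new extension in under a minute and the drop of a ransom note. The threshold of 100 rename/modify operations per 60-second window, the event format and the ransom-note name pattern are all assumptions to tune per environment.

```python
"""Detect a ransomware-style burst of file modifications in a file event stream.

Added example, not ANY.RUN's code. Events are constructed as
(timestamp, operation, path, new_path_or_None) tuples.
"""
import collections
import os
import re
from datetime import datetime, timedelta


def gen_events():
    """Constructed event stream: normal saves, then an encryption burst."""
    base = datetime(2025, 1, 7, 10, 0, 0)
    events = []
    for i in range(5):  # five ordinary saves, two minutes apart
        events.append((base + timedelta(minutes=2 * i), "modify",
                       rf"C:\Users\a\Documents\report{i}.docx", None))
    t0 = base + timedelta(minutes=12)
    for i in range(300):  # 300 files renamed to a new extension within ~39 seconds
        p = rf"C:\Users\a\Documents\file{i}.xlsx"
        events.append((t0 + timedelta(milliseconds=130 * i), "rename", p, p + ".lockbit"))
    events.append((t0 + timedelta(seconds=41), "create",
                   r"C:\Users\a\Documents\Restore-My-Files.txt", None))
    return events


def detect_bursts(events, window=timedelta(seconds=60), threshold=100):
    """Alert when at least `threshold` rename/modify ops land inside one `window`.

    A sliding deque of timestamps keeps this O(n); after an alert the detector
    stays quiet for one window so a single burst does not fire repeatedly.
    """
    recent = collections.deque()
    alerts, muted_until = [], None
    for ts, op, _path, _new in sorted(events, key=lambda e: e[0]):
        if op not in ("modify", "rename"):
            continue
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold and (muted_until is None or ts > muted_until):
            alerts.append({"at": ts, "count": len(recent), "window_s": window.total_seconds()})
            muted_until = ts + window
    return alerts


def new_extensions(events):
    """Count extensions appended by renames; one suffix across hundreds of files is a strong signal."""
    counter = collections.Counter()
    for _ts, op, path, new in events:
        if op == "rename" and new:
            old_ext = os.path.splitext(path)[1].lower()
            new_ext = os.path.splitext(new)[1].lower()
            if new_ext and new_ext != old_ext:
                counter[new_ext] += 1
    return counter


# Assumed naming pattern for ransom notes; extend with family-specific names.
RANSOM_NOTE_RE = re.compile(r"(restore|recover|decrypt|readme|how.?to).*\.(txt|html|hta)$", re.I)


def ransom_notes(events):
    """Return paths of newly created files whose names look like ransom notes."""
    return [path for _ts, op, path, _new in events
            if op == "create" and RANSOM_NOTE_RE.search(os.path.basename(path))]


if __name__ == "__main__":
    evts = gen_events()
    for a in detect_bursts(evts):
        print(f"BURST at {a['at'].isoformat()}: {a['count']} ops within {a['window_s']:.0f}s")
    print("new extensions:", dict(new_extensions(evts)))
    print("ransom notes:", ransom_notes(evts))
```

With the constructed stream the burst detector fires once, about 13 seconds into the encryption run (when the 100th rename lands), well before the 300th file is touched; the extension counter shows a single new suffix on all 300 files and the note drop is caught by name. Real deployments should scope the window per process or per user session so that backup jobs and bulk copies do not trip it.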

Ransom note tells victims to contact attackers

The malware also drops a ransom note, detailing the instructions for getting the data back.

Improve Your Proactive Security with ANY.RUN’s Interactive Sandbox

Analyzing cyber threats proactively, instead of reacting once they have become a problem for your organization, is the better course of action. ANY.RUN’s Interactive Sandbox simplifies this by letting you examine suspicious files and URLs inside a safe virtual environment and identify malicious content quickly.

With the ANY.RUN sandbox, your company can:

  • Swiftly detect and confirm harmful files and links during scheduled checks.
  • Investigate how malware operates on a deeper level to reveal its tactics and strategies.
  • Respond to security incidents more effectively by collecting important threat insights through sandbox analysis.

Try all features of ANY.RUN with a 14-day free trial.

This article is a contributed piece from one of our valued partners.