Threat Landscape Q1 2025 – Key Insights from ANY.RUN's Malware Analysis

The Q1 2025 Malware Trends Report from ANY.RUN offers a data-driven view of current attacker behavior, based on the sandbox execution of 142,008 malware samples.
These samples were uploaded by more than 15,000 organizations and analyzed by 500,000 analysts using ANY.RUN's interactive sandbox platform.
📊 Malware Categories – Most Common Threat Types
- 🥇 Stealers – 36,043
- 🥈 Loaders – 15,523
- 🥉 RATs (Remote Access Trojans) – 13,147
- 💣 Ransomware – 10,385 (+77% vs Q4 2024)
- 🕸️ Botnets – 5,272 (first time in the top 5)
Key Insight: Stealers dominate, reaffirming the focus on credential theft and initial access resale. Loaders and RATs form the backbone of modular, service-oriented malware chains.
⚠️ Because the dataset consists of user-uploaded samples, it can include outdated or re-analyzed malware and is not a census of live campaigns. What it does show reliably is how that malware behaves when executed, which is exactly what detection engineering, adversary simulation, and training need.
🧬 Most Observed Malware Families
- Lumma Stealer – 8,224
- Xworm – 6,599
- Snake – 4,503
- AsyncRAT – 3,990
- Remcos – 3,881
- Agent Tesla – 2,587
- Plus: Amadey, DCRat, Stealc, Quasar
These are all well-known tools used in real campaigns — many offered as malware-as-a-service (MaaS).
📦 Obfuscation Trends – UPX Still Leading
Among packed or obfuscated samples, UPX remains the most commonly used packer.
It is a staple for attackers and trainers alike because:
- It is free, fast, and supports many executable formats
- It defeats naive static detection (hash matching and string signatures written against the unpacked binary), although a stock UPX build is itself trivially recognizable by its UPX0/UPX1 section names and "UPX!" marker
- It unpacks with `upx -d` as long as the header has not been tampered with, which makes it ideal for malware analysis labs; modified builds (renamed sections, patched headers) break `upx -d` and need manual unpacking
💡 Training tip: UPX-packed malware is a perfect entry point for hands-on unpacking, static analysis, and detection writing exercises.
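To make the detection side concrete, here is an added example (my code, not ANY.RUN's or from the report) showing what a stock UPX sample gives away to static analysis and why its "bypass" only works against naive signatures. It parses the PE section table with nothing but the Python standard library, flags the UPX0/UPX1 section names and the "UPX!" marker, and falls back to section entropy for samples where those strings have been scrubbed. The PE images it runs against are header-only fixtures constructed inside the script, not real malware, and the 7.0-bit entropy threshold is a working assumption.

```python
"""UPX triage for PE files using only the Python standard library.

Added example, not code from ANY.RUN or the report. Fixtures below are
constructed header-only PE32 images, not real samples.
"""
import math
import struct
from dataclasses import dataclass


@dataclass
class Section:
    name: str
    raw_offset: int   # PointerToRawData
    raw_size: int     # SizeOfRawData


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(data: bytes) -> list:
    """Walk DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)   # COFF NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)      # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                 # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break                            # truncated table: stop instead of reading garbage
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_off = struct.unpack_from("<II", data, off + 16)
        sections.append(Section(name, raw_off, raw_size))
    return sections


def upx_indicators(data: bytes) -> dict:
    secs = pe_sections(data)
    high_entropy = []
    for s in secs:
        if s.raw_size and s.raw_offset + s.raw_size <= len(data):
            if shannon_entropy(data[s.raw_offset:s.raw_offset + s.raw_size]) > 7.0:  # assumed threshold
                high_entropy.append(s.name)
    return {
        "is_pe": bool(secs),
        "upx_section_names": any(s.name.startswith("UPX") for s in secs),
        "upx_magic": b"UPX!" in data,
        "high_entropy_sections": high_entropy,
    }


def verdict(data: bytes) -> str:
    ind = upx_indicators(data)
    if not ind["is_pe"]:
        return "not-pe"
    if ind["upx_section_names"] or ind["upx_magic"]:
        return "upx"              # stock UPX: `upx -d` normally unpacks it
    if ind["high_entropy_sections"]:
        return "packed-unknown"   # UPX strings removed or a different packer: unpack manually
    return "unpacked"


def build_fixture(names: list, payloads: list, tail: bytes = b"") -> bytes:
    """Constructed header-only PE32 image for testing; it is not an executable."""
    e_lfanew, opt_size = 0x80, 0xE0
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)    # PE32 magic
    headers, body = b"", b""
    cursor = e_lfanew + 24 + opt_size + 40 * len(names)   # first byte after the section table
    for name, payload in zip(names, payloads):
        hdr = bytearray(40)
        hdr[:8] = name.ljust(8, b"\0")
        struct.pack_into("<II", hdr, 16, len(payload), cursor)   # SizeOfRawData, PointerToRawData
        headers, body, cursor = headers + bytes(hdr), body + payload, cursor + len(payload)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + headers + body + tail


HIGH_ENTROPY = bytes(range(256)) * 4          # uniform byte distribution: entropy 8.0
PLAINTEXT = b"Hello from .text " * 64
UPX_SAMPLE = build_fixture([b"UPX0", b"UPX1", b".rsrc"], [b"", HIGH_ENTROPY, PLAINTEXT], b"UPX!")
RENAMED_SAMPLE = build_fixture([b".text", b".data"], [HIGH_ENTROPY, PLAINTEXT])
CLEAN_SAMPLE = build_fixture([b".text", b".data"], [PLAINTEXT, PLAINTEXT])

if __name__ == "__main__":
    for label, sample in ("upx", UPX_SAMPLE), ("renamed", RENAMED_SAMPLE), ("clean", CLEAN_SAMPLE):
        print(f"{label:8} {verdict(sample):15} {upx_indicators(sample)}")
```

In a lab, feed `verdict()` the bytes of real samples read from disk. A `upx` verdict means `upx -d` is worth trying first; `packed-unknown` usually means the packer header was modified, so the sample has to be run and dumped from memory once it reaches its original entry point.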
📈 Malware Type Evolution – Q1 2025 vs Q4 2024
| Malware Type | Q4 2024 | Q1 2025 | Growth |
|---|---|---|---|
Stealers | 25,341 | 36,043 | +42% |
Loaders | 10,429 | 15,523 | +49% |
Ransomware | 5,855 | 10,385 | +77% |
Botnets | 3,394 | 5,272 | +55% |
These are raw sample counts, so part of the rise reflects higher submission volume; even so, growth of 42% to 77% across every category points to heavy reuse of existing malware alongside increasingly complex campaigns.
⚙️ MITRE ATT&CK Techniques – Top TTPs Observed
- T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder → 52,415
- T1036.003 – Masquerading: Rename System Utilities → 42,222
- T1190 – Exploit Public-Facing Application → 37,579
- T1053.005 – Scheduled Task/Job: Scheduled Task → 37,470
- T1566.002 – Phishing: Spearphishing Link → 34,799
- T1059.003 – Command and Scripting Interpreter: Windows Command Shell → 34,022
- T1055 – Process Injection → 20,547
- T1036.005 – Masquerading: Match Legitimate Name or Location → 19,323
- T1566.001 – Phishing: Spearphishing Attachment → 18,889
- T1543.003 – Create or Modify System Process: Windows Service → 16,176
Notable changes compared to Q4:
- T1547.001 rose from 18K to 52K detections (+185%)
- T1053.005 doubled (Scheduled Tasks: +109%)
- T1190 re-entered the top list after being absent in Q4
- T1055 (Process Injection) appeared at scale
- Phishing-related TTPs (T1566.*) rose by 30% overall
These are not speculative — they reflect what malware actually executed in the sandbox. That makes them excellent training targets and emulation priorities.
🛡️ How to Train Based on These Insights
- Train and reverse on relevant families: Lumma, Xworm, AsyncRAT. Simulate stealer → loader → RAT chains, including the obfuscation and persistence techniques they use.
- Focus on behavior, not families: Use TTPs like T1547.001, T1053.005, T1055 as core lab elements.
- Teach adversarial logic: Reconstruct attack chains, map to MITRE, and build detection strategies based on actual execution flows.
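As an added example of the "focus on behavior, not families" approach (my code, not ANY.RUN's), here is a small rule set that maps Sysmon process-creation, registry, file-create and CreateRemoteThread events to technique IDs from the top-10 list above. The Sysmon field names (Image, CommandLine, OriginalFileName, TargetObject, TargetFilename, SourceImage, TargetImage) and event IDs (1, 8, 11, 13) are real; the matching rules are deliberately minimal, and the events in SAMPLE_EVENTS are constructed to exercise them, not taken from the report.

```python
"""Map Sysmon-style telemetry to ATT&CK techniques from the Q1 2025 top-10 list.

Added example, not code from ANY.RUN. Field names and event IDs are Sysmon's;
the rules and SAMPLE_EVENTS are constructed here.
"""
import re
from collections import Counter

# OriginalFileName comes from the PE version resource, so it survives renaming the file on disk.
SYSTEM_UTILITIES = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe", "schtasks.exe"}
# Names malware borrows; the legitimate copies live under C:\Windows\.
SYSTEM_PROCESS_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
RUN_KEY_RE = re.compile(r"\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the technique IDs this one event is evidence for (several, one, or none)."""
    hits = []
    eid = event["EventID"]
    if eid == 1:                                       # process creation
        image = event["Image"]
        img, orig = basename(image), event.get("OriginalFileName", "").lower()
        cmd = event.get("CommandLine", "")
        if orig in SYSTEM_UTILITIES and img != orig:
            hits.append("T1036.003")                   # system utility running under another name
        if img in SYSTEM_PROCESS_NAMES and not image.lower().startswith("c:\\windows\\"):
            hits.append("T1036.005")                   # legitimate name, wrong location
        if "cmd.exe" in (img, orig):
            hits.append("T1059.003")                   # caught via OriginalFileName even when renamed
        if "schtasks.exe" in (img, orig) and re.search(r"/create\b", cmd, re.I):
            hits.append("T1053.005")
        if "sc.exe" in (img, orig) and re.search(r"\bcreate\b", cmd, re.I):
            hits.append("T1543.003")
    elif eid == 13 and RUN_KEY_RE.search(event["TargetObject"]):
        hits.append("T1547.001")                       # Run/RunOnce value written
    elif eid == 11 and STARTUP_DIR in event["TargetFilename"].lower():
        hits.append("T1547.001")                       # file dropped into a Startup folder
    elif eid == 8 and basename(event["SourceImage"]) != basename(event["TargetImage"]):
        hits.append("T1055")                           # CreateRemoteThread into another process
    return hits


def hunt(events: list) -> tuple:
    """Tally techniques over an event stream and keep (technique, subject) pairs for triage."""
    tally, evidence = Counter(), []
    for ev in events:
        subject = ev.get("Image") or ev.get("TargetObject") or ev.get("TargetFilename") or ev.get("SourceImage")
        for tech in classify(ev):
            tally[tech] += 1
            evidence.append((tech, subject))
    return tally, evidence


PUB = "C:\\Users\\Public\\"
SAMPLE_EVENTS = [   # constructed telemetry, not from the report
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c schtasks /create /sc minute /mo 5 /tn Updater /tr " + PUB + "up.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": "schtasks /create /sc minute /mo 5 /tn Updater /tr " + PUB + "up.exe"},
    {"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"EventID": 1, "Image": PUB + "svchost.exe", "OriginalFileName": "Cmd.Exe", "CommandLine": "svchost.exe /c whoami"},
    {"EventID": 8, "SourceImage": PUB + "up.exe", "TargetImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\sc.exe", "OriginalFileName": "sc.exe",
     "CommandLine": "sc create UpdSvc binPath= " + PUB + "up.exe start= auto"},
    {"EventID": 11, "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\up.lnk"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "OriginalFileName": "NOTEPAD.EXE", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    tally, evidence = hunt(SAMPLE_EVENTS)
    for tech, count in tally.most_common():
        print(f"{tech:10} x{count}")
    for tech, subject in evidence:
        print(f"  {tech:10} {subject}")
```

The renamed-cmd.exe event (a `svchost.exe` in `C:\Users\Public` whose OriginalFileName is `Cmd.Exe`) shows why OriginalFileName belongs in every process-creation rule: matching on Image alone misses both the masquerade and the shell execution behind it. Production rules would also need exclusions for software-deployment tooling that legitimately writes Run keys and creates scheduled tasks, otherwise T1547.001 and T1053.005 will be noisy.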
📝 Conclusion
The ANY.RUN Q1 2025 report gives us more than raw stats — it shows us what malware is doing today, in a sandbox context.
While uploaded samples don’t always represent live campaigns, and may include outdated or reanalyzed binaries, they still reveal current tooling, packaging, and techniques in use.
For training, simulation, and detection design, this is invaluable intelligence.
📚 Read the Full Report
📄 ANY.RUN – Malware Trends Q1 2025 (Official Report)
Stay sharp. Train real with what's actually used.