Talk to an expert

Current Malware Trends: 5 Most Common Types of Malware in 2024

By Elliot Anderson  |  April 1, 2024

Threat actors are converging on similar tactics across the board. 

Cybercriminals are inventive and opportunistic, leveraging any advantage they can to gain access to sensitive data and assets.  

However, they’re not as individualistic as often portrayed. Threat actors invest time and energy into maintaining relationships with other hackers, ransomware gangs, and criminal organizations. This can give them an edge when the threat landscape changes and new opportunities arise. 

Now, several factors are contributing to major changes in the way cybercriminals operate. This article will cover some of those trends and explain how they influence the five most common malware attacks happening in 2024 so far. 

Threat actor operations are converging along similar themes 

Malware developers and cybercriminal operators are leveraging a combination of emerging technologies, under secured device formats, and structural deficiencies in the security industry. Here are some of the main themes influencing the types of malware cybercriminals are relying on the most in 2024: 

AI gives cybercriminals new capabilities and lets them refine old ones 

Threat actors already know how to use generative AI to write malicious code. This helps less proficient threat actors improve their technical capabilities and allows ransomware gangs to scale operations more effectively. It also breaks down language barriers, leading to much more sophisticated phishing and social engineering attacks. 

Voice simulation software has already been used to run elaborate scams on corporate leadership. One CEO transferred a quarter of a million dollars to a hacker who simulated the voice of the parent company’s leader. Emerging video capabilities will only make the problem worse in the short term. 

Mobile devices with both personal and corporate data are valuable targets 

For cybercriminals, a mobile device used purely for personal use isn’t nearly as valuable as a business device. The problem is that organizations typically secure their devices with robust prevention-based policies that keep attackers out. 

 Organizations with loose Bring-Your-Own-Device (BYOD) policies make a much more compelling target. Security teams don’t always have the same level of visibility into mixed-use employee mobile devices, making them high-value targets. 

The cybersecurity skills shortage gives cybercriminals the upper hand 

The longstanding cybersecurity skills gap still complicates security efforts for small businesses, large enterprises, and everyone in between. Demand for information security talent continues to outpace supply, straining teams that must address bigger workloads.  

This is a strong tailwind for malware developers and operators. Talent shortages increase mean time-to-detect (MTTD) and mean time-to-respond (MTTR) metrics. Even relatively poor-quality malware can reliably evade detection long enough to execute on a victim’s network. 

Top 5 most common types of malware in 2024

1.) Ransomware 

The ransomware surge of the Pandemic era is a clear example of cybercriminals consolidating their tactics. After two years of reduced activity, ransomware began trending upwards again in 2023. 

Several things have changed since ransomware first started making headlines, though. Instead of targeting large enterprises with highly involved attacks, cybercriminals are leveraging Ransomware-as-a-Service (RaaS) kits to carry out large-scale, high-frequency attacks against small businesses. 

LockBit remains the most common ransomware tool set in use today by far. An international law enforcement operation seized 34 LockBit servers in February 2024, but it proved to be a short-lived setback for the threat actors in question. Only five days later, LockBit3.0 appeared. 

What you can do: 

Ransomware is a serious threat, but also one of the simplest risks to mitigate. Deploying a robust system of secure backups makes your organization resistant to almost all ransomware attacks. Organizations with high-quality backups can effectively ignore ransom demands and continue business as usual with no disruption. 

2.) Spyware 

Spyware can provide cybercriminals with login credentials, screenshots of sensitive data, and chat history data. In many cases, a successful spyware infection is all an attacker needs to gain entry to the network and become an insider threat.  

Pegasus is an example of a popular spyware variant that collects data from Android and iOS mobile devices. It is well-suited for giving cybercriminals initial access to protected networks with BYOD policies, allowing them to conduct lateral movement and find more valuable assets to compromise. 

Pegasus can exfiltrate emails, SMS messages, app data, location services, audio recordings, and photos. This makes it a powerful tool for cybercriminals who aim to gain privileged insider access to network assets. The ability to exfiltrate one-time-passwords from multi-factor authentication systems makes it particularly dangerous. 

 What you can do:

Safeguarding network assets against insider threats demands combining multiple technologies and approaches. Zero Trust architecture limits the damage associated with compromised accounts, while User Entity and Behavioral Analytics (UEBA) enables insider risk teams to detect malicious insiders based on their observed activity. 

3.) Remote Access Trojans (RATs) 

Trojans trick users into running malicious executions by disguising themselves as legitimate applications. RATs are a particular type of trojan that is gaining in popularity among cybercriminals. By granting remote access, they enable hackers to directly control endpoint devices. 

This allows the attacker to carry out multiple types of cyberattacks with great flexibility. Attackers may even sell insider access to other hackers, or lay dormant for long periods of time while waiting for the opportune moment to strike. 

Gh0st is a RAT (Remote Access Trojan) used to gain control over infected endpoints. Unlike many other common types of malware, Gh0st is manually dropped into victims’ networks as a payload. That means Gh0st victims are necessarily already compromised by at least one other type of malware. 

What you can do: 

Web application firewalls are the first line of defense against remote access trojans. Organizations must also implement Zero Trust security architecture and invest in comprehensive insider risk programs. Behavioral analytics enriched with detailed historical log data is vital for distinguishing between malicious remote access and false positives. 

4.) Cryptojacking miners 

Cryptojacking fell out of favor after the price of Bitcoin crashed in 2022. As of March 2024, the cryptocurrency has surged to new all-time highs — and made cryptojacking more profitable than ever. 

Most cryptojacking malware does not mine Bitcoin, but lesser-known alternatives that are computationally easier to distribute. CoinMiner is an entire family of cryptojacking solutions that mine Monero and Zcash. They typically spread across networks by abusing Windows Management Instrumentation and establish persistence using WMI Standard Event Consumer scripting. 

Cryptojacking is not often considered a high-priority threat because it steals processing power and bandwidth instead of data or money. However, cryptojacking forces organizations to increase IT expenditure and leads to unpredictable IT performance. This can lead to downtime, additional security vulnerabilities, and other negative outcomes. 

What you can do: 

Network detection and response (NDR) solutions can provide key insight into cryptojacking attacks. Analysis might show that certain devices are exhibiting poor performance and making unusual connections outside the network. Analysts can then investigate and check users’ web activity to find out if employees visited suspicious web pages. 

5.) Multi-use malware 

Not all malware is designed for a single use case scenario. Sophisticated variants like SocGholish can perform multiple actions in response to threat actor commands. 

 For example, threat actors can use SocGholish to redirect traffic, and deliver malware payloads masquerading as software updates, subsequently obtaining information from the victim’s system. They can force the system to download additional exploit kits and even ransomware. 

These capabilities add to software bloat, making tools like SocGholish easier to detect than other types of malware. However, they can also make malware neutralization more difficult. This type of malware may structure its actions in multiple stages and use a variety of obfuscation and evasion methods.  

What you can do: 

Multi-use malware is easy to detect because it interacts with many different parts of your IT infrastructure. Connecting the dots between these interactions is key. Make sure your Security Information and Event Management (SIEM) platform provides complete visibility into your IT infrastructure so you can quickly piece together the chain of events that indicates a multi-use malware attack. 

Stay ahead of the latest threats with Lumifi 

Lumifi’s 24/7 managed detection and response solution provides comprehensive protection to organizations facing new and emerging threats. Gain visibility into your network and leverage our proprietary SOC automation service to safeguard your most valuable assets from cybercriminals. 

By Elliot Anderson
Current Malware Trends: 5 Most Common Types of Malware in 2024

Topics Covered

Share This

Subscribe for Exclusive Updates

Stay informed with the most recent updates, threat briefs, and useful tools & resources. You have the option to unsubscribe at any time.

Related Articles


Lumifi's Acquisition of Netsurion!

Learn More.
Privacy PolicyTerms & ConditionsSitemapSafeHotline
magnifiercrossmenuchevron-down linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram