ThreatDown State of Malware report 2025

The ThreatDown State of Malware report focuses on a few key developments that we witnessed in 2024.

Released today, the ThreatDown State of Malware report focuses on the most critical threats your organization will face in 2025. 

The State of Malware 2025 details the lessons that organizations need to learn from 2024, and how the looming threat of autonomous AI attacks could upend the security landscape in 2025.

Agents and the future of AI threats 

In 2024, Artificial Intelligence (AI) helped both attackers and defenders, but overall, its impact was limited. Because generative AI models tend to provide efficiency rather than brand new capabilities, it was primarily used for improving existing attacks, rather than creating novel ones. 

However, the introduction of AI agents—AI models like OpenAI’s “Operator” that can plan, act, reason, and use tools—could turn that on its head. The arrival of agentic AI models in 2025 will start the transformation of AIs from helpful assistants into peers, or even experts, that can plan out tasks, interact with the world, and solve problems unaided.

This will force the industry to rethink defense strategies. Security teams will have to embrace AI-powered threat detection and defense strategies to keep up with the evolving, agent-enhanced threat landscape. 

Ransomware is still the main threat 

2024 was the worst year ever when it comes to ransomware. The number of known attacks increased 13% year-over-year, and the largest ransomware payment ever was made when an unknown victim paid $75 million to the Dark Angels group. 

And it wasn’t just monetary losses that went sky high. A ransomware attack on Change Healthcare exposed the personal health information of over 190 million people and left huge numbers of medical practices, hospitals, and pharmacies unable to submit claims or receive payments. 

This growth in ransomware attacks occurred despite the downfall of two major ransomware groups, LockBit and ALPHV. Their decline was part of a larger trend that saw the influence of large ransomware-as-a-service groups wane, and the importance of smaller “dark horse” gangs grow.  

Ransomware tactics also evolved in 2024. The majority of the ransomware attacks the ThreatDown teams handled in the last 12 months occurred between 1 am and 5 am, and ransomware’s reliance on hard-to-detect Living-Off-the-Land (LOTL) tactics also grew.

Rising risks across other platforms 

Mac malware saw a major shift towards sophisticated information stealers served through the same malvertising channels as their Windows counterparts.  

The notorious Atomic Stealer (AMOS) malware saw major updates, while Poseidon, an information stealer based on AMOS, overtook it as the dominant stealer. Notably, Poseidon didn’t replace AMOS, and AMOS detections didn’t decline—Poseidon simply outpaced it, adding 70% more detections on top of the existing stealer numbers.

On Android, our analysts picked out phishing apps as the most dangerous threat faced by businesses. Phishing campaigns are hard to spot, scalable, low-cost, and adaptable. 

Android phishing apps come disguised as fully functional, regular apps, such as games or utilities, and with little to no malicious code, they are harder for Google Play to screen out than other forms of malware.  

To discover the security lessons you can learn from 2024, and what you need to know to defend your organization in 2025, download the full report.