Top 3 Malware Families in Q4: How to Keep Your SOC Ready
Q3 showed sharp growth in malware activity as Lumma, AgentTesla and Xworm drove initial access and data theft, pushing SOC teams toward faster behaviour-based checks.
Disclosure: This article was provided by ANY.RUN. The information and analysis presented are based on their research and findings.
The third quarter of 2025 saw a concerning evolution in the malware landscape. The latest ANY.RUN Malware Trends quarterly report confirms a clear pattern: threat actors are prioritising fast monetisation and initial access operations.
The number of threats investigated in ANY.RUN’s Sandbox grew by 21.6% since Q2, compared to 9.8% growth between Q1 and Q2.
Malicious verdicts increased by 18%. The sandbox extracted 32.8% more IOCs than in Q2, in turn enriching the threat data available via Threat Intelligence Lookup and TI Feeds.
**The Three Top Threats SOC Teams Must Watch**
Three malware families dominate the threat landscape due to their ability to quickly monetise stolen data and establish remote control:
| Malware Family | Q3 Sandbox detections | Type | Primary Objective |
|---|---|---|---|
| Lumma | 9,664 | Stealer | Remote access, payload delivery, and file manipulation |
| AgentTesla | 5,337 | Stealer/RAT | Keylogging, clipboard/email creds, data exfiltration |
| Xworm | 5,085 | RAT | Remote access, payload delivery, file manipulation |

Top malware families by ANY.RUN’s Sandbox detections in Q3
Analysts must adapt by reducing triage time, switching from signature-based detection to behaviour-based detection, and enriching indicators with real-time threat context.
**1. Lumma Stealer – Credential Monetisation at Scale**
Lumma Stealer is currently the most active and prevalent malware family observed in the report. It specialises in stealing sensitive data from endpoints, focusing on browser-stored credentials, cryptocurrency wallets, form autofill data, saved credit cards, and session cookies. Lumma is particularly aggressive in industries such as finance and commerce in Europe and North America, where the stolen data has the highest monetary value.
For organisations, a single Lumma infection can result in corporate account compromise, lateral movement through SaaS access, and asset theft without triggering traditional ransomware alarms.
Lumma’s operators consistently update their infrastructure, rotating malicious domains and other C2 inventory. Threat Intelligence Lookup lets analysts pull IOCs from the most recent sandbox sessions in which Lumma samples were detonated and feed them into detection and response systems. The query below returns every domain observed in those sessions (an empty `domainName` value acts as a wildcard):
`threatName:"Lumma" and domainName:""`
Recently detected Lumma domains found via TI Lookup
**Where ANY.RUN’s Threat Intelligence Lookup Fits In**
TI Lookup is a real-time threat investigation platform that enriches indicators with context, not just reputation scores. It aggregates fresh IOCs, IOAs, and behaviour patterns (IOBs) directly from malware detonations performed in ANY.RUN’s Interactive Sandbox, powered by data contributed by more than 15,000 enterprise SOCs and security teams across multiple industries.
This gives analysts access to threat intelligence captured from real attacks happening right now, not stale feeds or public blocklists.
Beyond context, it lets analysts reduce triage time, raise detection accuracy, and act on their decisions with confidence. For the business, the gains are analyst efficiency and better judgement, faster MTTR, and measurable ROI.
In short, TI Lookup turns threat intelligence into operational efficiency: less time spent investigating means more time preventing breaches.
**2. AgentTesla – activity doubled quarter-over-quarter**
AgentTesla is a widely distributed credential stealer and remote access tool (RAT) with a multilayered set of functions, including keylogging, clipboard monitoring, credential extraction from browsers and email clients, and exfiltration via SMTP or HTTP.
The malware has recently seen a sharp increase in activity, doubling quarter-over-quarter. It is particularly common in industries with high volumes of external communications: transportation, logistics, and education. Its operational simplicity and low barrier to entry make it popular among less sophisticated cybercriminal groups.
Use Threat Intelligence Lookup to check network artefacts instantly and spot AgentTesla in your environment. For example, a single domain lookup:
`domainName:"mail.funworld.co.id"`
Domain proven to be associated with AgentTesla campaigns via TI Lookup
Explore the linked sandbox sessions to observe AgentTesla’s attack chain and behaviour patterns:
AgentTesla detonation in ANY.RUN’s Sandbox
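Both the Lumma and AgentTesla sections above come down to the same operational step: take the domains a lookup returns and sweep your own DNS and proxy logs for them. The script below is an added example written for this article, not ANY.RUN code and not the TI Lookup API. It assumes the IOC list has already been exported into a plain Python dict; `mail.funworld.co.id` is the domain the article names for AgentTesla, the Lumma entry is a placeholder, and the log lines are constructed. It handles the two details that commonly cause misses: case and trailing-dot differences in DNS records, and subdomains of a listed IOC (while deliberately not flagging a listed IOC's parent domain).

```python
"""Sweep DNS/proxy log lines for domains returned by a TI lookup (added example)."""
import re
from typing import Dict, Iterable, List, Optional, Set

# Constructed stand-in for a lookup export: domain -> malware family.
# Only mail.funworld.co.id comes from the article; the Lumma entry is a placeholder.
IOC_DOMAINS: Dict[str, str] = {
    "mail.funworld.co.id": "AgentTesla",
    "example-lumma-c2.invalid": "Lumma",  # placeholder, not a real indicator
}

# Constructed sample log lines (syslog-style DNS query log and proxy log).
SAMPLE_LOGS: List[str] = [
    "2025-10-02T08:14:03Z dns host=ws-017 qname=MAIL.FUNWORLD.CO.ID. qtype=A",
    "2025-10-02T08:14:05Z proxy host=ws-017 dst=mail.funworld.co.id:587 proto=smtp",
    "2025-10-02T08:15:11Z dns host=ws-022 qname=cdn.example-lumma-c2.invalid. qtype=A",
    "2025-10-02T08:16:40Z dns host=ws-031 qname=funworld.co.id. qtype=MX",
    "2025-10-02T08:17:02Z proxy host=ws-040 dst=updates.example.org:443 proto=https",
]

# Pull the domain out of either a qname= (DNS) or dst= (proxy) field; an
# optional :port suffix on dst= is skipped and not captured.
_DOMAIN_FIELD = re.compile(r"\b(?:qname|dst)=([A-Za-z0-9.-]+?)(?::\d+)?(?=\s|$)")
_HOST_FIELD = re.compile(r"\bhost=(\S+)")


def normalize(domain: str) -> str:
    """Canonical form: lowercase, no trailing dot (DNS logs often keep one)."""
    return domain.rstrip(".").lower()


def match_ioc(domain: str, iocs: Dict[str, str]) -> Optional[str]:
    """Return the family if `domain` equals, or is a subdomain of, a listed IOC.

    Walks from the full name towards the apex, so cdn.<ioc> matches <ioc>, but
    the parent of an IOC (funworld.co.id for mail.funworld.co.id) does not.
    """
    labels = normalize(domain).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return iocs[candidate]
    return None


def scan_logs(lines: Iterable[str], iocs: Dict[str, str] = IOC_DOMAINS) -> List[dict]:
    """Return one hit record per log line whose domain field matches an IOC."""
    hits = []
    for line in lines:
        m = _DOMAIN_FIELD.search(line)
        if not m:
            continue
        family = match_ioc(m.group(1), iocs)
        if family is None:
            continue
        h = _HOST_FIELD.search(line)
        hits.append({
            "host": h.group(1) if h else "?",
            "domain": normalize(m.group(1)),
            "family": family,
            "line": line,
        })
    return hits


def hosts_by_family(hits: List[dict]) -> Dict[str, Set[str]]:
    """Collapse hits into the set of endpoints that touched each family's C2."""
    out: Dict[str, Set[str]] = {}
    for h in hits:
        out.setdefault(h["family"], set()).add(h["host"])
    return out


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for h in found:
        print(f'{h["family"]:<11} {h["host"]:<7} {h["domain"]}')
    print(hosts_by_family(found))
```

On the constructed logs this yields three hits (two AgentTesla events from `ws-017`, one Lumma event from `ws-022`) and no hit for the `funworld.co.id` MX lookup, which is the expected behaviour: the indicator is the mail host, not the apex domain, and flagging the apex would create noise in any environment that legitimately exchanges mail with it.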
**3. Xworm (RAT) – modular, covert, highly scalable**
Xworm, a flexible, modular remote access Trojan, is often used as the first foothold in an intrusion, where it serves as a launcher for other malware, including stealers and ransomware. After execution, Xworm enables remote command execution, file manipulation, keylogging, surveillance, and exfiltration. It supports multiple communication channels, including C2 tunnelling through legitimate cloud services, which complicates detection.
Xworm infections are especially dangerous for organisations because the malware acts as a bridge to full compromise. The malware actively targets manufacturing, tourism, and healthcare: industries where business disruption can have immediate operational consequences.
Xworm samples added and analysed by sandbox users from Colombia
**To sum up:**
- Lumma steals access.
- AgentTesla steals communications.
- Xworm turns those stolen credentials into full control of the environment.
**Conclusion**
As Q4 2025 unfolds, Lumma Stealer, AgentTesla, and Xworm RAT will continue to evolve, adopting new evasion techniques and targeting mechanisms to bypass traditional defences.
For SOC analysts, the challenge isn’t just detecting these threats: it’s responding fast enough to minimise impact. The difference between a contained incident and a major breach often comes down to how quickly you can identify what you’re dealing with and implement the right countermeasures.
ANY.RUN’s Threat Intelligence Lookup bridges this critical gap, transforming unknown indicators into actionable intelligence within seconds. By combining comprehensive threat data with interactive analysis capabilities, it empowers your team to move from reactive detection to proactive defence.
The threat landscape will only grow more complex. Ensure your SOC has the intelligence infrastructure to stay one step ahead.
Stop paying for data without context – get visibility that drives decisions.
Choose your plan for intel sourced from 15K+ real SOCs