Surge in “Hunter-killer” Malware Uncovered by Picus Security

The Picus Red Report 2024 reveals 333% increase in malware that targets and disables security controls.

San Francisco, February 13, 2024Picus Security, the Security Validation company, has released the Picus Red Report 2024. This fourth annual report shares learnings from an in-depth analysis of more than 600,000 real-world malware samples and identifies the most common techniques leveraged by attackers. This year, Picus uncovered a surge of “Hunter-killer” malware from the research findings, demonstrating a drastic shift in adversaries’ ability to identify and neutralize advanced enterprise defenses such as next-gen firewalls, antivirus, and EDR. According to the report, there was a 333% increase in malware that can actively target defensive systems in an attempt to disable them. 

“We are witnessing a surge in ultra-evasive, highly aggressive malware which shares the characteristics of hunter-killer submarines,” said Dr. Suleyman Ozarslan, Picus Security Co-founder and VP of Picus Labs. “Just as these subs move silently through deep waters and launch devastating attacks to defeat their targets’ defenses, new malware is designed to not only evade security tools but actively bring them down. We believe cybercriminals are changing tact in response to the security of average businesses being much-improved, and widely used tools offering far more advanced capabilities to detect threats. A year ago, it was relatively rare for adversaries to disable security controls. Now, this behavior is seen in a quarter of malware samples and is used by virtually every ransomware group and APT group.

The Red Report helps security teams better understand and battle cyber attacks by identifying the Top 10 most prevalent MITRE ATT&CK techniques exhibited by the latest malware. Its insights help prioritize defensive actions against commonly used techniques. Additional key findings include: 

  • Evolving tactics challenge detection and response: 70% of malware analyzed now employ stealth-oriented techniques by attackers, particularly those that facilitate evading security measures and maintaining persistence in networks.

  • Invisibility at the forefront of evasion: There was a 150% increase in the use of T1027 Obfuscated Files or Information. This highlights a trend toward hindering the effectiveness of security solutions and obfuscating malicious activities to complicate the detection of attacks, forensic analysis, and incident response efforts.

  • The ransomware saga continues: There was a 176% increase in the use of T1071 Application Layer Protocol, which is being strategically deployed for data exfiltration as part of sophisticated double extortion schemes.

To combat Hunter-killer malware and stay ahead of 2024 malware trends, Picus is urging organizations to embrace machine learning, protect user credentials, and consistently validate their defenses against the latest tactics and techniques used by cybercriminals. 

“It can be incredibly difficult to detect if an attack has disabled or reconfigured security tools, because they may still appear to be working as expected,” said Huseyin Can YUCEEL, Security Research Lead at Picus Security. “Preventing attacks that would otherwise operate under the radar requires the use of multiple security controls with a defense-in-depth approach. Security validation must be a starting point for organizations to better understand their readiness and identify gaps. Unless an organization is proactively simulating attacks to assess the response of its EDR, XDR, SIEM, and other defensive systems that may be weakened or eliminated by Hunter-killer malware, they will not know they are down until it is too late.” 

For more information: 


Between January 2023 and December 2023, Picus Labs, the research unit of Picus Security, analyzed 667,401 unique files, with 612,080 (92%) categorized as malicious. Sources of these files include but are not limited to commercial and open-source threat intelligence services, security vendors and researchers, malware sandboxes, malware databases, and forums. From these files, a total of 7,754,801 actions were extracted, an average of 13 malicious actions per malware. These actions were then mapped to 7,015,759 MITRE ATT&CK techniques, an average of 11 techniques per malware.

To compile the Picus Red Report 2024 Top Ten, Picus Labs researchers determined the number of malicious files that used each technique. They then calculated the percentage of malware in the dataset that utilized that technique. For example, the T1055 Process Injection technique was used in 195,044 (32%) of the 612,080 malicious files analyzed.

About Picus Security

Picus Security helps security teams consistently and accurately validate their security posture. Our Security Validation Platform simulates real-world threats to evaluate the effectiveness of security controls, identify high-risk attack paths to critical assets, and optimize threat prevention and detection capabilities.

As the pioneer of Breach and Attack Simulation, we specialize in delivering the actionable insights our customers need to be threat-centric and proactive. 

Picus has been named a ‘Cool Vendor’ by Gartner and is recognized by Frost & Sullivan as a leader in the Breach and Attack Simulation (BAS) market.

Media Contact