Malware never stands still, with thousands of families tracked each year as attackers create new ways to cause damage.
Mandiant’s report takes a closer look at the types of malware popular among hackers in 2025. It shows which families are newly discovered and which ones continue to appear in real investigations.
This article breaks down the key types of malware, shows which families made the biggest impact in 2024, and explains what their rise says about today’s online threats.
Key Takeaways
- Malware is a broad term for harmful software that can steal data, spy on users, lock files, or give attackers control of a system, with more than 600 new families tracked in 2024.
- Researchers look at malware in two ways, measuring 632 newly tracked families against 205 families observed in real attacks to see what is spreading and what is active.
- Backdoors and ransomware were the most common types of malware, making up 35% and 14% of observed cases, showing how attackers rely on proven methods.
- Examples of malware identified in 2024 include BEACON (5.4% of cases), GOOTLOADER (2.5%), WIREFIRE (2.5%), SYSTEMBC (1.8%), REDBIKE (1.8%), RANSOMHUB (1.8%), LOCKBIT (1.6%), and BASTA (1.6%).
- Computer malware continues to be a serious risk, with other forms like tunnelers, rootkits, and keyloggers still making up 25% of observed families in 2024.
What Is Malware?
Malware means “malicious software.” It is a broad term for programs created to cause problems on a computer or network. These programs can:
- Steal data such as passwords or bank details.
- Lock files, often with ransomware that asks for money to unlock them.
- Spy on activity by recording keystrokes or taking screenshots.
- Open doors for attackers by giving someone control of the system without permission.
The terms “malware virus” or “virus malware” often appear online, but a computer virus is only one type of malware. A virus spreads by attaching itself to other files or programs, while malware as a whole includes many other threats like ransomware, backdoors, and droppers.
In the next section, we’ll look at how researchers keep track of new malware families as well as those that appear in real-world attacks.
How Researchers Tracked Malware
When Mandiant’s cybersecurity specialists looked at the types of malware, they used two main points of view. Each one helped them understand a different side of the problem.
- Newly tracked families: These are malware families that were first identified in 2024. This view shows the supply side – how many fresh programs are being created and added to the landscape. Mandiant recorded more than 600 of them in that year alone, which shows how quickly new threats appear.
- Observed families: These are the families actually found during investigations in 2024. This view reflects the demand side, so it shows what attackers really used in their operations. The number here was smaller, around 200 families.
Both views are important. Newly tracked families show what is new, while observed families reveal the malware types that are most active in daily attacks.
Looking at the two together gives a clearer picture and helps defenders prepare for the threats that matter most.
Main Types of Malware
Malware can take many forms, each with its own purpose. Some give attackers secret access, while others spread harmful files, and a few are designed to steal data or lock systems.
The Mandiant report shows how often these families appeared in 2024, both as new discoveries and in real-world cases.
1. Backdoors
31% newly tracked, 35% observed
Backdoors create a hidden entry point into a system. Attackers use them to run commands, copy files, or watch activity.
Their strong presence in both sets of data shows how dependable this method remains, making backdoors one of the most common types of malware attacks.
2. Downloaders
19% newly tracked, 7% observed
Downloaders work as delivery tools, pulling other harmful programs into a system. Many new versions were found in 2024, but fewer were active in actual attacks. Even so, they serve as clear examples of malware.
3. Droppers
12% newly tracked, 8% observed
Droppers quietly install or launch other malicious software. They are often the first step in larger attacks, preparing the ground for more dangerous tools. This makes them a key part of many types of malware attacks.
4. Credential Stealers
6% newly tracked, 5% observed
These programs are designed to take usernames and passwords. With stolen credentials, attackers can move deeper into a network or sell the data. Even with smaller numbers, they remain a type of malware that causes lasting damage.
5. Ransomware
5% newly tracked, 14% observed
Ransomware encrypts files and demands payment to unlock them. The gap between tracked and observed numbers shows how attackers prefer tried-and-tested families over new ones. Ransomware families continue to be among the most common types of malware.
6. Other Malware Types
27% newly tracked, 25% observed
This group covers many programs, such as tunnelers, keyloggers, and rootkits. They may serve smaller tasks, like hiding traffic or recording user actions, but together they make up a large part of today’s computer malware.
Malware Examples
Looking at real malware families helps explain how malware operates. These malware examples were among the most frequently observed in Mandiant’s 2025 report. Each one appeared in a share of global investigations.
Here are eight notable examples of malware identified in Mandiant’s 2025 report:
- GOOTLOADER (downloader): Seen in 2.5% of cases. Delivered as hidden JavaScript, it downloads a second script that installs the main malicious program.
- WIREFIRE (web shell): Appeared in 2.5% of cases. Written in Python and linked to Pulse Secure appliances, it allows attackers to download files and execute commands.
- SYSTEMBC (tunneler): Detected in 1.8% of cases. It routes internet traffic through a proxy, sometimes using Tor, and can also fetch and install more malware.
- REDBIKE/Akira (ransomware): Present in 1.8% of cases. It encrypts files with ChaCha20 and leaves ransom notes. Parts of its code connect it to older ransomware families.
- RANSOMHUB (ransomware): Also 1.8%. Written in Go, it can use different types of encryption and target local files, folders, or network drives. It can even run in safe mode.
- LOCKBIT (ransomware): Reported in 1.6% of cases. Known for spreading quickly, it deletes backups, clears logs, and leaves files with the “.lockbit” extension.
- BASTA (ransomware): Another 1.6%. Written in C++, it uses ChaCha20 to encrypt files and usually leaves a “.basta” extension, though some versions create random names.
Together, these families show how diverse modern malware can be. Some, like backdoors, stay hidden for long periods, while others, such as ransomware, cause immediate and costly disruption.
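One way to act on the file-extension details given for LOCKBIT and BASTA is to watch file-rename telemetry. The Python below is an added example, not code from the Mandiant report or this article; the event layout, host names, thresholds and sample records are constructed assumptions. It flags the two extensions named above and also a burst of extension-changing renames, which covers BASTA versions that use random names.

```python
from collections import defaultdict, deque
from pathlib import PureWindowsPath  # parses both "\\" and "/" separators

# Extensions named in the article; extend from your own threat intelligence.
KNOWN_EXTENSIONS = {".lockbit": "LOCKBIT", ".basta": "BASTA"}

def ext(path):
    return PureWindowsPath(path).suffix.lower()

def detect(events, window=60, burst=10):
    """Scan rename records (epoch_seconds, host, old_path, new_path), sorted by time.

    Returns {host: set of findings}. window and burst are assumed tuning values.
    """
    findings = defaultdict(set)
    recent = defaultdict(deque)  # host -> times of extension-changing renames
    for ts, host, old, new in events:
        new_ext = ext(new)
        if new_ext in KNOWN_EXTENSIONS:
            findings[host].add("known-extension:" + KNOWN_EXTENSIONS[new_ext])
        if new_ext == ext(old):
            continue  # ordinary rename that keeps the file type
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:  # drop renames that fell out of the window
            q.popleft()
        if len(q) >= burst:
            # Many files changing extension at once: catches random suffixes too.
            findings[host].add("rename-burst")
    return dict(findings)

def build_sample_events():
    """Constructed telemetry: hosts, paths and the random suffix are made up."""
    ev = []
    for i in range(12):
        ev.append((1000 + i, "ws-01", rf"C:\Users\a\doc{i}.docx",
                   rf"C:\Users\a\doc{i}.docx.basta"))
        ev.append((2000 + i, "ws-02", f"/srv/share/img{i}.png",
                   f"/srv/share/img{i}.png.x7qk2"))
    ev.append((3000, "ws-03", "/home/b/notes.txt", "/home/b/notes.md"))
    ev.append((3005, "ws-03", "/home/b/report.docx", "/home/b/report-final.docx"))
    return sorted(ev)

if __name__ == "__main__":
    for host, found in sorted(detect(build_sample_events()).items()):
        print(host, sorted(found))
```

The burst threshold needs tuning against normal activity such as bulk file conversions, which also change many extensions in a short time.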
The Bottom Line
All these types of malware show how varied and persistent these threats have become. Backdoors, droppers, and ransomware still appear in many attacks, while new families are discovered each year. This mix proves that attackers rely on both fresh tools and older, trusted methods.
This makes clear that computer malware is an ongoing risk, and only by understanding its many forms can people and organizations strengthen their defenses.
FAQs
The seven different types of malware are viruses, worms, trojans, ransomware, spyware, adware, and rootkits. Each one works in its own way, but all are part of the wider world of computer malware.
Backdoors and ransomware remain the most common malware. A malware attack often relies on these types, as backdoors give hidden access while ransomware locks files and demands payment, making them powerful tools for intruders.
Good habits lower the risk. Keep software updated, use strong passwords, and back up files often. Avoid unknown downloads and links. These steps make it harder for a malware virus to take hold.
