
Over 200,000 unique malware samples found in 12 weeks, amid AI threat warnings

Signature-based detection is dying hard.

Security researchers at Blackberry saw over 200,000 unique malware samples in the first quarter of 2023.

That was approximately 2,252 unique malware samples per day, up 50% on the previous quarter.

Without explicitly citing a cause for the increase, Blackberry’s researchers did note in an April 26 report that “the release of ChatGPT marks a milestone advancing the threat of AI-generated malware…”

(The report comes after cybersecurity researchers at CyberArk said in a short January 17 blog that they had managed to use ChatGPT to create difficult-to-detect mutating or “polymorphic” malware, which calls ChatGPT at runtime to load and mutate new code and which is “highly evasive and difficult to detect”.)

The company did not describe any of these supposedly unique malware samples in meaningful detail, largely highlighting known malware and remote access trojan families like IcedID or DarkCrystal, among others.

Blackberry’s threat report is the latest in a flurry this week that capture evolving threat actor behaviour.

Mandiant’s M-Trends report for example highlighted that dwell time – often a proxy for how long organisations take to detect incidents – is at its lowest ever, at 16 days (13 days for internal incidents). That’s pushing ransomware actors to trigger payloads faster too: the dwell time for ransomware in 2022 was nine days.

Figure: The most common threat behaviours as seen by Blackberry, mapped to SIGMA rules.

CISOs: Be mindful of Red Team tricks

Mutating malware and clever detections aside, CISOs need to be increasingly mindful of where physical and cybersecurity risk overlap and the criticality of security culture in avoiding that becoming a key threat vector.

One of The Stack's favourite Red Team campaigns was an attack on a pharma company that saw a security researcher spin up an email server at a cost of ~$20 for a typosquatted domain (e.g. instead of, and sit on it for a week until they received a mis-typed email addressed to the IT help desk.

They then simply responded to that query, masquerading as the IT help desk, and remotely installed, with the blessing of the unwitting victim, every tool they needed to make their way to domain administrator.


Novel intrusion vectors: Very sexy. Pretending to be the IT helpdesk? Timeless.

The ingredients to hack that multinational, in short: mere double digit dollars, a certain degree of patience, and a good telephone manner.
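The defensive counterpart to that campaign is knowing which lookalike domains could plausibly catch your users' typos, and flagging mail that arrives from them. The following is an added example, not code from The Stack or from the Red Team described above: it generates single-keystroke variants of a protected domain (character omission, transposition, duplication and common TLD swaps), scores an arbitrary sender domain with optimal-string-alignment edit distance, and runs the check over a few constructed mail-log lines. The domain `acme-pharma.com`, the log format and the `from=` field are all assumptions for the illustration.

```python
import re

COMMON_TLDS = ("com", "co", "net", "org")


def typo_variants(domain: str) -> set[str]:
    """Lookalikes one keystroke away from a protected domain.

    Assumes a single registrable label plus TLD (e.g. acme-pharma.com).
    These are the names a defender would consider registering or blocking.
    """
    label, _, tld = domain.lower().rpartition(".")
    labels = set()
    for i in range(len(label)):
        labels.add(label[:i] + label[i + 1:])               # omission
        labels.add(label[:i + 1] + label[i] + label[i + 1:])  # duplication
    for i in range(len(label) - 1):
        labels.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
    labels.discard(label)
    variants = {f"{lbl}.{tld}" for lbl in labels if lbl}
    variants.update(f"{label}.{t}" for t in COMMON_TLDS if t != tld)  # TLD swap
    return variants


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_sender(address: str, protected_domain: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a sender address."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    protected_domain = protected_domain.lower()
    if domain == protected_domain:
        return "legitimate"
    if domain in typo_variants(protected_domain) or osa_distance(domain, protected_domain) <= 1:
        return "lookalike"
    return "unrelated"


def flag_lookalike_senders(log_lines: list[str], protected_domain: str) -> list[str]:
    """Collect sender addresses in a mail log that impersonate the protected domain."""
    flagged = []
    for line in log_lines:
        match = re.search(r"from=(\S+)", line)
        if match and classify_sender(match.group(1), protected_domain) == "lookalike":
            flagged.append(match.group(1))
    return flagged


# Constructed sample log lines for the illustration (not real traffic).
SAMPLE_LOG = [
    "2023-04-26T09:12:01 from=helpdesk@acme-pharma.com subject=Welcome",
    "2023-04-26T09:14:33 from=it-support@acme-pharna.com subject=Password reset",
    "2023-04-26T09:20:10 from=noreply@example.net subject=Newsletter",
    "2023-04-26T09:25:47 from=admin@acme-pharma.co subject=Urgent: login",
]

if __name__ == "__main__":
    for addr in flag_lookalike_senders(SAMPLE_LOG, "acme-pharma.com"):
        print("lookalike sender:", addr)
```

The variant list is the one to feed a defensive domain registration or a mail-gateway block list; the edit-distance check catches lookalikes the enumeration misses, at the cost of some false positives on very short domains, so the threshold of 1 is deliberately tight.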

A successful Red Team campaign that Mandiant flagged in its M-Trends report meanwhile worked as follows.

The security researchers spun up a customised fake call center with a telephone number similar to the customer’s own IT helpdesk number. The Red Team then called the reception desk at several branch offices to arrange an appointment for a “technician” to visit the site and install some new software (custom malware).

“Once a branch office confirmed the appointment, the red team tasked a consultant in that region to visit the office the same week. The consultant arrived at the site wearing a badge that had been fabricated based on images of employee badges the red team had gathered during open-source intelligence gathering. Client staff at the regional office provided the red team operator unsupervised access to each workstation. The operator used this access to install Mandiant’s custom command and control (C2) malware on each machine, ensuring the malware would restart if the device rebooted… modifying the Windows registry to direct applications that leverage Microsoft’s Component Object Model (COM) to load malicious code instead of legitimate binaries.”
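The registry persistence Mandiant describes relies on per-user COM registrations taking precedence over machine-wide ones: an `InprocServer32` entry under `HKCU\Software\Classes\CLSID` is loaded in preference to the same CLSID under `HKLM`. The following is an added audit example, not Mandiant's code or tooling: it compares the two hives' `InprocServer32` default values and flags per-user entries that shadow a machine-wide CLSID or point at a DLL in a user-writable directory. The live collection path uses the standard-library `winreg` module and only runs on Windows; the CLSIDs and DLL paths in the sample data are constructed placeholders, not real registrations.

```python
import sys

# Directory fragments a defender would not expect a legitimate COM server to live in.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\")


def is_user_writable_path(path: str) -> bool:
    """Heuristic: does the DLL path sit somewhere a non-admin user can write?"""
    lowered = path.lower()
    return any(hint in lowered for hint in USER_WRITABLE_HINTS)


def find_com_hijack_candidates(hkcu_inproc: dict[str, str], hklm_inproc: dict[str, str]) -> list[tuple[str, str, str]]:
    """Flag per-user InprocServer32 registrations that look like COM hijacking.

    Both arguments map CLSID -> InprocServer32 default value (DLL path).
    Returns (clsid, hkcu_path, reasons) for each suspicious per-user entry.
    """
    findings = []
    for clsid, path in hkcu_inproc.items():
        reasons = []
        if clsid in hklm_inproc:
            # HKCU wins the lookup, so this entry overrides the machine-wide server.
            machine_path = hklm_inproc[clsid]
            if machine_path.lower() != path.lower():
                reasons.append(f"shadows HKLM server {machine_path}")
            else:
                reasons.append("duplicates HKLM registration in HKCU")
        if is_user_writable_path(path):
            reasons.append("server DLL in user-writable location")
        if not path.lower().endswith(".dll"):
            reasons.append("server path is not a DLL")
        if reasons:
            findings.append((clsid, path, "; ".join(reasons)))
    return findings


def read_inproc_servers(hive_name: str) -> dict[str, str]:
    """Enumerate CLSID\\InprocServer32 defaults from HKCU or HKLM (Windows only)."""
    if sys.platform != "win32":
        return {}
    import winreg  # only importable on Windows
    hive = winreg.HKEY_CURRENT_USER if hive_name == "HKCU" else winreg.HKEY_LOCAL_MACHINE
    servers = {}
    try:
        with winreg.OpenKey(hive, r"Software\Classes\CLSID") as clsid_root:
            index = 0
            while True:
                try:
                    clsid = winreg.EnumKey(clsid_root, index)
                except OSError:
                    break  # no more subkeys
                index += 1
                try:
                    with winreg.OpenKey(clsid_root, clsid + r"\InprocServer32") as key:
                        servers[clsid] = winreg.QueryValue(key, "")
                except OSError:
                    continue  # CLSID has no in-process server
    except OSError:
        pass  # hive has no CLSID branch at all
    return servers


# Constructed sample data: placeholder CLSIDs and paths, not real registrations.
SAMPLE_HKLM = {
    "{11111111-0000-0000-0000-000000000001}": r"C:\Windows\System32\legit_one.dll",
    "{11111111-0000-0000-0000-000000000002}": r"C:\Windows\System32\legit_two.dll",
}
SAMPLE_HKCU = {
    "{11111111-0000-0000-0000-000000000001}": r"C:\Users\alice\AppData\Local\Temp\update.dll",
    "{11111111-0000-0000-0000-000000000003}": r"C:\Program Files\Vendor\peruser.dll",
}

if __name__ == "__main__":
    hkcu, hklm = read_inproc_servers("HKCU"), read_inproc_servers("HKLM")
    if not hkcu and not hklm:
        hkcu, hklm = SAMPLE_HKCU, SAMPLE_HKLM  # offline demonstration
    for clsid, path, why in find_com_hijack_candidates(hkcu, hklm):
        print(f"{clsid} -> {path}: {why}")
```

Per-user COM registrations are legitimate for some per-user installers, so the output is a triage list rather than a verdict; the shadowing case, where a CLSID that the machine already defines is redirected to a DLL under a user profile, is the one that most closely matches the persistence described in the report and deserves first attention.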

That kind of focussed and well-resourced approach may only fit the threat model of highly security-sensitive organisations. Others are far more likely to be hit by unpatched software on uncatalogued machines, or simple admin/password combinations on publicly exposed services. Yet the reports do emphasise just how fast the threat landscape is evolving and how persistently “switched on” organisations need to be at every level to ensure security.
