Connect with us

Hi, what are you looking for?


Malware & Threats

Hunter-Killer Malware Tactic Growing: Stealthy, Persistent and Aggressive

A malware tactic dubbed ‘hunter-killer’ is growing, based on an analysis of more than 600,000 malware samples. This may become the standard approach for advanced attacks.

Hunter Killer Malware

A malware tactic dubbed ‘hunter-killer’ is growing, based on an analysis of more than 600,000 malware samples. This may become the standard approach for advanced attacks.

There has been a notable rise in a malware tactic dubbed ‘hunter-killer’ malware. The name comes from modern submarine warfare: submarines remain hidden until they strike. The use of hunter-killer malware grew over 2023, and it is expected to continue growing. 

“We are witnessing a surge in ultra-evasive, highly aggressive malware which shares the characteristics of hunter-killer submarines,” said Dr. Suleyman Ozarslan, Picus Security co-founder, and VP of Picus Labs. He is talking about malware that evades detection and disables cybersecurity defenses. 

The submarine analogy could be taken further. The UK’s Vanguard submarines are designed to deliver a nuclear payload against the enemy. In the Picus analogy, this would be the delivery of a malware payload — such as ransomware. It is not, however, a part of the Picus hunter-killer malware definition.

The conclusions reached in the report, The Rise of Hunter-Killer Malware, are drawn from an analysis of the top ten most prevalent MITRE ATT&CK techniques. These are not necessarily the top ten in absolute numbers since Picus concentrates on post-compromise techniques (phishing, initial access, reconnaissance, for example, are not included).

Furthermore, while Picus analyzed 600,000 malware samples during 2023 (and mapped an average of 13 malicious activities per sample to the ATT@CK framework), it notes that this is only a subset of the overall malware landscape. “This limitation may introduce a bias in the visibility of malware types and behaviors,” the researchers warns.

Despite this, the firm’s conclusions are stark and clear. The top four most used techniques are all aspects of hunter-killer malware — and the use of each increased dramatically during 2023. The top four are T1055 (process injection); T1059 (command and scripting interpreter); T1562 (impair defenses); and T1082 (system information discovery). The ‘Vanguard’ element of the submarine analogy appears at #5, T1486 (data encrypted for impact) and #7, T1071 (application layer protocol).

The implication is obvious — there is increased use of evasion and defense impairment prior to dropping the malware payload. 

Advertisement. Scroll to continue reading.

T1055. Process injection is a key element of ‘living off the land’ evasion: the insertion of malicious code into a legitimate process. The primary use for the attacker is defense evasion (stealth) and privilege escalation. It was present in 32% (195,044) of the malware samples, up from 22% in 2022 (a 45% increase).

T1059. The command and scripting interpreter technique provides a similar effect. It allows the attacker to disguise malicious activity using native tools (such as PowerShell, VBScript, Unix Shell, AppleScript and more) and again sidestep traditional defenses. It was found in 174,118 (28%) of the 600,000 samples.

T1562. The impair defenses technique is used to disrupt defenses – it is effectively the more aggressive ‘killer’ side of evasion. The report includes several examples. The BabLock ransomware uses Windows Events Command Line Utility to remove certain Windows event logs; LockBit amends the Registry for the same effect. Qubitstrike exploits HISTCONTROL to prevent its own malicious commands from being recorded in the command history list. Other malwares may alter firewall rules: Glupteba RAT adds a firewall rule allowing incoming connections to its executable.

The defense evasion ATT@CK technique was found in 158,661 malware samples (26%). This is a 333% increase over the previous year. It marks, say the researchers, a significant shift in cyberattack strategies. “Threat actors are transforming malware into proactive ‘hunter-killers’ of cybersecurity defenses, directly targeting and disrupting the tools meant to protect networks.”

T1082. System information discovery is used to gather information about the network, including hardware, software, and network configurations. It can be used to locate systems known to be exploitable, or it can be used to discover software suitable to be used for more persistent, stealthy residence. “System Information Discovery rose from fifth to fourth place, indicating its growing importance in the successful use of native OS tools for discreet information gathering,” notes the report. The technique was found in 143,795 of the malware samples (23%).

The fifth and seventh most prevalent techniques help to explain the growth in the first four. #5 is T1486 (data encrypted for impact), and #7 is T1071 (application layer protocol). The former is an integral part of ransomware, so its prevalence is unsurprising. The incidence of wipers (encryption with no decryption capability) also increased over the last two years, often associated with the Russia/Ukraine war. 

The latter is T1071 (application layer protocol) which is used for data exfiltration. Picus connects data exfiltration and encryption with the growing incidence of double extortion ransomware, citing BlackCat/AlphV against NCR and Henry Schein, Cl0p targeting the US Department of Energy, Royal breaching the City of Dallas, LockBit’s assaults on Boeing, CDW, and MCNA, and  Scattered Spider infiltrating MGM Resorts and Caesars Entertainment as examples. 

Of course, ransomware may not be the only reason for an increase in the use of T1071 since the combination of stealth persistence and data exfiltration is a good combination for cyber espionage. Noticeably, T1547 is #8 in prevalence — boot or logon autostart execution for persistence.

By the numbers, T1486 was found in 129,969 samples (21%); T1071 was found in 108,373 samples (18%, but a 176% increase over the previous year); and T1547 was found in 90.009 samples (15%).

It is difficult to reach any conclusion other than attackers are becoming more sophisticated in their attacks, using hunter-killer submarine techniques to evade detection and dismantle defenses before moving to the Vanguard submarine purpose of delivering a payload. 

Picus suggests one cause of this combination of ATT@CK techniques may be the current global geopolitical tensions. “Collecting sensitive information and maintaining a presence within networks are hallmarks of advanced persistent threats (APTs). This could signal the involvement of sophisticated, well-funded adversaries. Notable entities such as Russia’s APT28 (Fancy Bear) and APT29 (Cozy Bear), along with Star Blizzard, China’s Volt Typhoon, and North Korea’s Lazarus Group have demonstrated significant activity during 2023. These groups’ strategic operations in 2023 indicate an escalating trend of state-sponsored attack campaigns.”

However, whether it is APT groups or simply more sophisticated criminal gangs, the result is the same: the attackers are increasingly using stealth and killing defenses to hide and prolong their residence. It becomes important for defenders to regularly check and ensure that their defenses are still working and have not been neutralized by attackers.

“It can be incredibly difficult to detect if an attack has disabled or reconfigured security tools, because they may still appear to be working as expected,” said Huseyin Can YUCEEL, security research lead at Picus. “Security validation must be a starting point for organizations to better understand their readiness and identify gaps.”

Related: MITRE Releases ATT&CK v14 With Improvements to Detections, ICS

Related: MITRE, CISA Release Open Source OT Attack Emulation Tool

Related: MITRE CWE Top 25 Most Dangerous Software Weaknesses

Related: The Ransomware Threat in 2024 Continues to Grow

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...


Several major organizations are confirming impact from the latest zero-day exploits hitting Fortra's GoAnywhere software.

Data Breaches

Sony shares information on the impact of two recent unrelated hacker attacks carried out by known ransomware groups. 

Data Breaches

KFC and Taco Bell parent company Yum Brands says personal information was compromised in a January 2023 ransomware attack.