The rise of malware mainstream "acceptance" and "popularity" is thanks to the government
No, that isn't sarcasm.
Previously I wrote a semi-rhetorical post asking, "What the fuck happened? Why is malware cool and badass now?". I was happy to read the comment section where some people suggested I (or the vx-underground collective) was responsible for the mainstream (information security "mainstream") acceptance of malware. Unfortunately this isn't accurate. I wish it were, but I'm not that cool and badass. It would be inaccurate to assert myself, or our collective, as the single determining factor which resulted in its acceptance.
If you review the vx-underground APT (Advanced Persistent Threat) collection you'll notice something interesting. Year after year the volume of APT activity being documented continues to grow. We now see hundreds of documented APT engagements a year whereas before 2010 it didn't really* exist (*it existed, but wasn't documented, rarely acknowledged, or rarely spoken about). To establish context, APT (Advanced Persistent Threat) is a specially designated term used to define a malware family or Threat Group as being state-sponsored. In other words, APTs are government hackers (the military, or military contractors) working to establish and accomplish a military objective. This means our APT collection, which dates back to 2010, can illustrate the growth of state-sponsored cyber activity.
Before we continue to the next segment I need to make something as clear as possible because it causes a great deal of confusion. Something being labeled an "APT" does NOT mean it is "Advanced". Anyone who studies state-sponsored activity can tell you many APTs are not advanced. In fact, some APTs make amateur mistakes. Sometimes we witness financially motivated Threat Groups being more sophisticated than some governments! In regards to APTs though, the term "Advanced Persistent Threat" is more about assigning the adjective "Advanced" to the word "Persistent". A Threat Group may be persistent in nature, meaning they're financially or politically motivated and remain active, but an APT will remain "Persistent" in its military objectives. A Threat Group may be apprehended by law enforcement but, in contrast, the likelihood of the Democratic People's Republic of Korea's (DPRK, North Korea) state-sponsored Computer Network Operators (CNO, their "Hackers") all being arrested and their government ceasing military operations is effectively ZERO. Basically, a government isn't going away. Other Threat Groups may go away, die, or be arrested.
Sometime in the twenty-teens (2013 - 2019), we witnessed a surge of governments becoming more active* online (*military objectives being digitally based, on the internet). Ultimately, governments became aware that it is strategically a better decision to switch away from traditional espionage (someone being physically present) and lean into the digital era by committing digital espionage. It is arguably easier, safer, and provides much more plausible deniability. Besides espionage, you can also see destructive campaigns and malware which targets Industrial Control Systems (Nuclear Reactors, Electrical Power Plants), but we (probably) shouldn't go down that rabbit hole too far because the APT activity discussion will boil down to geopolitical ideologies.
Coinciding with this increased government activity, we also witnessed the creation of "Red Team Tools", such as Cobalt Strike (created around 2012, although technically earlier), and their usage in enterprise environments. As government activity ramped up, the private sector also established the need to enhance its security posture. This "need" isn't necessarily the government's doing, but the timeline ties together for an obvious reason: everything is digital, online, and interconnected. As state-sponsored activity ramped up for the digital era, so did financially motivated Threat Actors. Hence, the cybersecurity industry had to "adapt" to this "change" (adapt, and change, emphasizing malware). Cybersecurity practitioners had to be concerned about both financially motivated Threat Actors and also (depending on their industry) state-sponsored Threat Actors. It was this time when the "first" (technically debatable) ransomware variants began to appear (Reveton ransomware). This appearance is also sometimes correlated with the rise of cryptocurrencies, as "ransomware" was much more difficult to achieve prior to the rise of cryptocurrencies. Going down this rabbit hole is a different story, for a different time!
It was around 2016, give or take, that you'll notice a shift. We began seeing Cobalt Strike (a Red Team Tool) being used by Threat Actors (as you can see here). Likewise you see the emergence of ransomware (Petya, and shortly after NotPetya). You'll also see a strange uptick in state-sponsored activity around this time.
2010 - 8 documented APT campaigns
2011 - 14 documented APT campaigns
2012 - 27 documented APT campaigns
2013 - 29 documented APT campaigns
2014 - 28 documented APT campaigns
2015 - 125 documented APT campaigns
2016 - 125 documented APT campaigns
...
2024 - 355 documented APT campaigns
Where is all of this going? Cybersecurity practitioners are actively witnessing a shift in the ecosystem. Within the past 10 years state-sponsored activity doubled. Ransomware is rampant, with the emergence of Lockbit ransomware, the ALPHV family (RansomHub, ALPHV, BlackMatter, etc), and the sub-groups acting within these families such as the infamous Scattered Spider.
All of this concludes with a simple idea. Malware is everywhere. The governments are writing malware. Red Teamers need to write malware; good malware, evasive malware, or malware which mimics that which a state-sponsored and/or financially motivated group would deploy. This emulation is a requirement to test defenders. They must be prepared to defend against group(s) which will get "dirty", employ unusual tactics, and weaponize things which were traditionally not meant to be weaponized (Malware: System Components and Abuse).
In my case with vx-underground, I created vx-underground in the midst of this change. I decided to create a website which documented malware techniques, malware samples, malware source code, etc. right in the midst of this metaphorical malware explosion. Hence, when people began looking for a resource to adapt to this change, I was sitting there ... by complete accident... Moving forward, malware will continue to be a major player in the cybersecurity industry. Ransomware is not going away. Information Stealers are not going away. State-sponsored groups will only go away if a government collapses.
The future of malware is difficult to predict. However, seeing the trend of "engines", such as Polymorphic engines and Metamorphic engines, being "replaced" with traditional RATs, which were then replaced with Python scripts (compiled as .EXE), is interesting. Ultimately, these malicious Python malware payloads were replaced with Go or Rust. There was a blip of LOLBIN ("Fileless") malware. There is the trend of BYOVD. We see the re-emergence of RTLO-malware, "binary inflation", and the recycling of dropping .XLL payloads. What's old is new, what's new is old.
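Two of the "what's old is new" tricks named above, RTLO filenames and "binary inflation", are cheap for a defender to flag on the file-triage side. The example below is added here and is not code from the original post or from vx-underground: it strips Unicode bidirectional override characters from a filename to recover the extension the OS will actually execute, simulates how a naive renderer would display an RLO-spoofed name, and flags files whose bulk is a single repeated padding byte (the usual shape of an inflated binary). All sample names and byte strings are constructed for illustration, and the size and ratio thresholds are arbitrary tuning knobs, not published detection rules.

```python
"""Defender-side triage checks for RTLO filename spoofing and inflated binaries.

Added example, not part of the original post. Sample inputs are constructed;
thresholds (MIN_INFLATED_SIZE, MIN_PADDING_RATIO) are assumptions to tune locally.
"""
import unicodedata
from dataclasses import dataclass, field

# Unicode bidirectional control characters. U+202E (RIGHT-TO-LEFT OVERRIDE) is the
# classic RTLO trick: "report_\u202efdp.exe" renders as "report_exe.pdf" while the
# real extension stays .exe. The others are included because any bidi control in a
# filename is unusual in an enterprise and worth a look.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
    "\u200e", "\u200f",                                # LRM, RLM
}

# Extensions that execute directly on a typical Windows host (constructed, non-exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".hta", ".xll", ".dll"}

MIN_INFLATED_SIZE = 1_000_000   # assumption: ignore files under ~1 MB
MIN_PADDING_RATIO = 0.5         # assumption: flag if >= 50% of the file is one trailing byte


@dataclass
class NameFinding:
    filename: str
    bidi_chars: list = field(default_factory=list)  # "U+XXXX NAME" for each control found
    real_ext: str = ""                              # extension after controls are stripped
    executable: bool = False                        # real_ext is in EXECUTABLE_EXTS
    suspicious: bool = False                        # any bidi control present


def inspect_filename(name: str) -> NameFinding:
    """Report bidi controls in a filename and the extension the OS will actually use."""
    bidi = [f"U+{ord(c):04X} {unicodedata.name(c, '?')}" for c in name if c in BIDI_CONTROLS]
    # Strip the controls first so the extension reflects the real tail of the name.
    stripped = "".join(c for c in name if c not in BIDI_CONTROLS)
    dot = stripped.rfind(".")
    real_ext = stripped[dot:].lower() if dot != -1 else ""
    return NameFinding(
        filename=name,
        bidi_chars=bidi,
        real_ext=real_ext,
        executable=real_ext in EXECUTABLE_EXTS,
        suspicious=bool(bidi),
    )


def rendered_preview(name: str) -> str:
    """Rough simulation of how a renderer shows an RLO: text after U+202E up to a
    POP DIRECTIONAL FORMATTING (U+202C) or the end of the string appears reversed.
    This ignores the full bidi algorithm; it is only meant to show an analyst what
    a victim would have seen."""
    out, i = [], 0
    while i < len(name):
        if name[i] == "\u202e":
            end = name.find("\u202c", i + 1)
            segment = name[i + 1:] if end == -1 else name[i + 1:end]
            out.append(segment[::-1])
            i = len(name) if end == -1 else end + 1
        else:
            out.append(name[i])
            i += 1
    return "".join(out)


def trailing_run(data: bytes) -> tuple[int, int]:
    """Return (byte_value, length) for the run of identical bytes at the end of data."""
    if not data:
        return (-1, 0)
    last = data[-1]
    run = len(data) - len(data.rstrip(bytes([last])))
    return (last, run)


def looks_inflated(data: bytes,
                   min_size: int = MIN_INFLATED_SIZE,
                   min_ratio: float = MIN_PADDING_RATIO) -> bool:
    """Flag a file that is large mainly because its tail is one repeated padding byte."""
    if len(data) < min_size:
        return False
    _, run = trailing_run(data)
    return run / len(data) >= min_ratio


if __name__ == "__main__":
    # Constructed samples: an RTLO-spoofed name and a null-padded "binary".
    finding = inspect_filename("report_\u202efdp.exe")
    print(rendered_preview(finding.filename), "->", finding.real_ext, finding.bidi_chars)
    padded = b"MZ" + b"\x90" * 500 + b"\x00" * 2_000_000
    print("inflated:", looks_inflated(padded))
```

In practice the filename check belongs wherever names are logged or quarantined (mail gateway, EDR file-create telemetry, download scanning), and the padding check is a reason to strip the tail and rescan rather than skip a file for being over a size limit.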
Malware is cool now because cybersecurity is changing. The governments used it for espionage. Threat Groups are more focused on money than ever. Malware must be studied and understood to be prepared to defend against these bad actors.
tl;dr malware is cool and badass