Malware Complexity Jumps 127% in Six Months

by CybrGPT

The toolsets used by threat actors to attack their targets are rapidly evolving, with a 127% spike in malware complexity over the past six months, according to OPSWAT, a cybersecurity company focusing on critical infrastructure.

In its inaugural Threat Landscape Report, published on August 6 during Black Hat USA, the firm estimated that this significant increase is primarily driven by three major factors combined:

  • Multi-stage execution chains
  • Heavily obfuscated loaders (e.g. NetReactor)
  • Evasive behaviors that slip past traditional antivirus and endpoint detection and response (EDR) solutions

Adversaries Combine Lightweight Scripts to Bypass Detection

According to OPSWAT’s report, threat actors increasingly rely on chaining lightweight, obfuscated scripts to bypass detection.

Initial access vectors observed this year range from uncommon file types like .lnk shortcuts to more traditional phishing documents.

Threat actors then typically leverage a combination of scripts (Batch, PowerShell, VBS, JavaScript…), each obfuscating the next stage, chained together in varying orders and depths.

“These script chains are designed for simplicity and modularity, which paradoxically makes them harder to catch. The execution is fast, and traces are minimal. A standout example was seen in targeted espionage campaigns across Eastern Europe, where LNK files served as silent launchers for heavily obfuscated script chains,” the OPSWAT report reads.

Additionally, OPSWAT has observed an increased use of the ‘ClickFix’ technique from both cybercriminals and nation-state threat actors.

Read more: ClickFix Attacks Surge 517% in 2025

Adversaries Favor Stealth Over Scale

One specificity observed during the past six months was a clear shift toward precision-based attack strategies, favoring stealth and evasion over sheer volume.

Threat actors increasingly relied on exploiting obscure or previously unknown techniques, often zero-day evasion methods, not just for initial compromise but to systematically bypass detection pipelines.

Key tactics included:

  • Malformed file delivery, such as corrupted Office documents designed to evade parsing logic
  • Obfuscation tricks targeting detection blind spots, like embedding UTF-16 BOM markers in batch scripts to disrupt analysis
  • Unconventional payload formats, including compiled JavaScript or Python, which are rarely associated with traditional malware
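The three tactics above all leave static traces that a file-triage pipeline can flag before detonation. The following is an added example written for this article, not OPSWAT's own code or anything from its report: a small set of byte-level checks that flag a batch script carrying a UTF-16 (or UTF-8) byte-order mark, a file that carries the Windows shell-link (LNK) header regardless of its extension, and an Office document whose container is structurally incomplete (an OOXML file with no ZIP end-of-central-directory record, or a legacy .doc/.xls without the OLE2 compound-file signature). The signature constants are the documented magic bytes for those formats; the sample inputs in the demo are constructed, and the finding strings are this example's own wording.

```python
"""Static triage checks for the evasion tricks listed above.

Added example, not OPSWAT's code. Every check is a cheap byte-level
heuristic meant to route a sample for deeper analysis, not a verdict.
"""
import os

# Documented magic bytes for the formats under discussion.
UTF16_BOMS = {b"\xff\xfe": "UTF-16LE BOM", b"\xfe\xff": "UTF-16BE BOM"}
UTF8_BOM = b"\xef\xbb\xbf"
LNK_HEADER = b"\x4c\x00\x00\x00\x01\x14\x02\x00"   # ShellLinkHeader: size 0x4C + CLSID prefix
ZIP_LOCAL_HEADER = b"PK\x03\x04"                  # first local file header of a ZIP/OOXML
ZIP_EOCD = b"PK\x05\x06"                          # end-of-central-directory record
OLE_HEADER = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file (legacy Office)

BATCH_EXTS = {".bat", ".cmd"}
OOXML_EXTS = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
LEGACY_OFFICE_EXTS = {".doc", ".xls", ".ppt"}


def triage(name: str, data: bytes) -> list[str]:
    """Return a list of human-readable findings for one file (empty list = nothing flagged)."""
    findings: list[str] = []
    ext = os.path.splitext(name)[1].lower()

    # 1. Obfuscation trick: byte-order marks in batch scripts.
    if ext in BATCH_EXTS:
        for bom, label in UTF16_BOMS.items():
            if data.startswith(bom):
                findings.append(f"batch script begins with {label}")
            elif b"\n" + bom in data:
                findings.append(f"batch script contains embedded {label} after a line break")
        if data.startswith(UTF8_BOM):
            findings.append("batch script begins with UTF-8 BOM")

    # 2. Uncommon initial-access file type: a shell link, possibly under a misleading extension.
    if data.startswith(LNK_HEADER):
        findings.append("Windows shell link (LNK) header")
        if ext != ".lnk":
            findings.append(f"LNK header under non-.lnk extension '{ext}'")

    # 3. Malformed Office documents that a strict parser would reject.
    if ext in OOXML_EXTS:
        if not data.startswith(ZIP_LOCAL_HEADER):
            findings.append("OOXML extension but no ZIP local-file header")
        elif ZIP_EOCD not in data:
            findings.append("OOXML document: ZIP container lacks end-of-central-directory record")
    if ext in LEGACY_OFFICE_EXTS and not data.startswith(OLE_HEADER):
        findings.append("legacy Office document without OLE2 compound-file header")

    return findings


if __name__ == "__main__":
    # Constructed samples, not real malware.
    samples = {
        "run.bat": b"\xff\xfe" + "@echo off\r\n".encode("utf-16-le"),
        "invoice.pdf": LNK_HEADER + b"\x00" * 16,
        "report.docx": ZIP_LOCAL_HEADER + b"\x00" * 32,              # truncated: no EOCD
        "clean.docx": ZIP_LOCAL_HEADER + b"\x00" * 32 + ZIP_EOCD + b"\x00" * 18,
    }
    for fname, blob in samples.items():
        print(f"{fname}: {triage(fname, blob) or 'no findings'}")
```

Each finding is a reason to send the sample to a sandbox or an analyst rather than a detection in itself; in practice these checks sit in front of the behavioral analysis that the report's telemetry comes from.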

Adding another layer of sophistication, many operations incorporated geo-aware logic, where payloads were delivered or executed only in specific regions. This deliberate isolation minimized visibility, allowing campaigns to evade traditional sandboxing and remain undetected.

Similarly, adversaries tend to favor stealth over scale when selecting their payloads. Typical payloads hide in formats like .NET bitmaps and steganographic images, with Google services repurposed for covert command-and-control (C2) infrastructure.

OPSWAT’s 2025 Threat Landscape Report is based on behavioral telemetry from over 890,000 sandbox scans over the past 12 months using Filescan.io, a malware analysis platform.

The malware complexity metric is based on the average number of emulation nodes observed in multi-stage malware, calculated by the OPSWAT researchers from their telemetry.



© 2025 cybrgpt.com – All rights reserved.