The recent report by Picus Security highlights a surge in ‘hunter-killer’ malware [1], a shift in how attackers bypass advanced enterprise defenses [1]. Rather than merely evading security tools, this class of malware actively targets defensive systems in order to disable them, and its volume has grown sharply, accounting for 26% of all detections in 2023 [4] [6]. Hunter-killer malware is used by a wide range of threat actors, including ransomware operators and APT groups [5].


The report associates this category of malware with three main MITRE ATT&CK techniques: process injection (T1055), command and scripting interpreter (T1059) [3] [4] [6], and impair defenses [4] [6]. Notably, impair defenses [2] [4] [6], tracked as T1562 Impair Defenses [2], was the third most observed technique in 2023 [2]. The use of hunter-killer malware fits a broader trend of threat actors relying on stealth techniques and obfuscated files or information (T1027) to evade cyber defenses.

One of the main challenges hunter-killer malware poses is that the tampering is hard to detect and hard to stop: even after a security tool has been disabled or reconfigured [4], it may still appear to be running normally, so defenders do not notice the gap in coverage. To counter this surge [5], organizations are advised to use machine learning in their defenses [5], protect user credentials [5], and continuously validate their defenses against the latest tactics and techniques used by cybercriminals [5].
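The detection side of the two paragraphs above, as an added example that is not Picus Security's code and does not come from the report: a small rule set that flags T1562 Impair Defenses sub-techniques (tool disable, event-log clearing, firewall off) in process-creation command lines, then correlates hits per host so that one log clear during maintenance is distinguished from the hunter-killer sequence of "kill the tool, open the firewall, wipe the log". The log layout (`ts host= user= image= cmd="..."`) is an assumed, simplified Sysmon-like format, the sample events are constructed, and the regexes are this example's own; only the ATT&CK sub-technique IDs are real.

```python
"""Flag defense-impairment (MITRE ATT&CK T1562) commands in process-creation logs.

Added example for this page: not Picus Security's code. The log lines below are
constructed, and the "ts host= user= image= cmd=" layout is an assumed format.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Rules: (ATT&CK sub-technique ID, what the command does, pattern over the command line).
# The sub-technique IDs are from the ATT&CK matrix; the patterns are this example's own.
RULES = [
    ("T1562.001", "Defender real-time monitoring disabled",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(\$true|1)\b", re.I)),
    ("T1562.001", "AV/EDR service stopped or set to disabled",
     re.compile(r"\bsc(?:\.exe)?\s+(?:stop|config)\s+\w*(?:defend|sense)\w*", re.I)),
    ("T1562.002", "Windows event log cleared",
     re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+\S+", re.I)),
    ("T1562.002", "Audit policy disabled",
     re.compile(r"\bauditpol(?:\.exe)?\s+/set\b.*/(?:success|failure):disable", re.I)),
    ("T1562.004", "Host firewall turned off",
     re.compile(r"\bnetsh(?:\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)),
]

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>\S+) cmd="(?P<cmd>.*)"$'
)

# Constructed sample events: a benign query, a hunter-killer style sequence on WS01,
# and a lone log clear on SRV07 that should not be escalated on its own.
SAMPLE_LOG = r'''
2024-02-13T10:14:55Z host=WS01 user=CORP\alice image=C:\Windows\System32\cmd.exe cmd="sc query WinDefend"
2024-02-13T10:15:02Z host=WS01 user=CORP\alice image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"
2024-02-13T10:15:09Z host=WS01 user=CORP\alice image=C:\Windows\System32\cmd.exe cmd="sc config WinDefend start= disabled"
2024-02-13T10:15:31Z host=WS01 user=CORP\alice image=C:\Windows\System32\cmd.exe cmd="netsh advfirewall set allprofiles state off"
2024-02-13T10:16:40Z host=WS01 user=CORP\alice image=C:\Windows\System32\cmd.exe cmd="wevtutil cl Security"
2024-02-13T11:02:10Z host=SRV07 user=CORP\svc_backup image=C:\Windows\System32\cmd.exe cmd="wevtutil cl Application"
'''.strip().splitlines()


def parse_line(line):
    """Return the event fields as a dict, or None for lines that don't match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def detect(lines):
    """Return one finding per (event, rule) hit, in log order."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for tech, note, pat in RULES:
            if pat.search(ev["cmd"]):
                findings.append({"host": ev["host"], "ts": ev["ts"], "user": ev["user"],
                                 "technique": tech, "note": note, "cmd": ev["cmd"]})
    return findings


def correlate(findings, window_seconds=600, min_distinct=2):
    """Map host -> sorted sub-technique IDs for hosts where at least min_distinct
    different T1562 sub-techniques fire within window_seconds of each other.
    A single 'wevtutil cl' may be maintenance; a tool disable followed by a
    firewall change and a log wipe is the hunter-killer pattern.
    """
    by_host = defaultdict(list)
    for f in sorted(findings, key=lambda f: f["ts"]):
        by_host[f["host"]].append(f)
    alerts = {}
    for host, hits in by_host.items():
        for i, first in enumerate(hits):
            chain = [h for h in hits[i:]
                     if (h["ts"] - first["ts"]).total_seconds() <= window_seconds]
            techs = sorted({h["technique"] for h in chain})
            if len(techs) >= min_distinct:
                alerts[host] = techs
                break
    return alerts


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ts']:%H:%M:%S} {f['host']} {f['technique']} {f['note']}: {f['cmd']}")
    print("correlated hosts:", correlate(hits))
```

Two caveats a practitioner would add. Command-line patterns are exactly what the obfuscation the report describes is designed to defeat (encoded PowerShell, renamed binaries), so this is a baseline, not a complete control. And because T1562.002 silences the very feed this script reads, a host whose process-creation events simply stop arriving is itself a signal; the "tool looks healthy but reports nothing" condition described above is one more reason to validate that each defense is still observing, not just running.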

Security validation and proactive attack simulation are essential to assess whether defensive systems are actually working and to identify the gaps [6]. By continuously evaluating and updating their security measures, organizations can better protect themselves against the growing threat of hunter-killer malware and other advanced attacks.


The rise of hunter-killer malware marks a new phase in cyber conflict, in which advanced techniques are used to infiltrate networks, gather sensitive information, and maintain a persistent presence [3]. Picus Security’s research highlights the increasing sophistication of threat actors, who are becoming more proactive in targeting and disrupting cybersecurity defenses [3]. Rising geopolitical tensions and the involvement of sophisticated adversaries, including state-sponsored APT groups, add further complexity to the landscape [3]. Continuous assessment and validation of security measures are crucial to guard against these stealthy attacks and to keep network defenses resilient against persistent threats [3].