Malware Threat Research 2020-2023

Maciej Bartłomiej Sikora
Content Writer
malware map

If you ask Google or AI what malware is, they'll likely break it down as software meant to disrupt your systems, networks, or devices — but this description alone might not convince you of its significant threat.

Your perspective on malware is likely to change when you engage with someone who has suffered greatly because of it or once you delve into the latest facts on cyber attacks. It's in these moments that you truly grasp the reality of malware as a legitimate and substantial threat.

In collaboration with independent third-party researchers, we analyzed cybersecurity incident data from January 2020 to September 2023 to assess and show you how big of a threat malware is today.

Here’s what we discovered…

Key findings from the research

1. With nearly 3 million attacks in 2023, malware has spread like a biological virus

While you may not find it surprising that the number of malware attacks has increased over the last few years, the speed at which this issue has been escalating might catch you off guard.

In 2020, approximately 614,144 malware-related incidents were reported. However, this number surged to 2,898,142 in 2021 and nearly doubled again in 2022, reaching 4,858,963. As you can see, these are not minor differences but massive leaps highlighting a substantial increase in the scale of the problem.

number of malware attacks 2020-2023 graph

In 2023, there were 2,678,841 malware attacks reported. However, before you assume that this signals a gradual resolution of the problem, let us highlight some details that — unfortunately — indicate it's not yet time to celebrate.

To start, the malware incident data we've examined covers only the first 9 months of 2023, implying that the total number of cases for the entire year will more than likely be higher.

Moreover, a troubling trend observed by numerous IT experts is the increasing frequency of successful attacks. This indicates that cybercriminals are employing more and more sophisticated hacking methods and focusing on more targeted approaches. Simply put, this means we're observing fewer malware attacks overall, but more of them are accurate. This is further evidenced by the continuous growth in the number of successfully executed unique email attacks, as depicted in the graph below.

number of successful unique email attacks graph

How does malware spread? Email is a common culprit, where spam and phishing tricks convince users to click on harmful links or download infected attachments. Careless browsing, like clicking on pop-ups, can also lead to visiting malicious websites that stealthily download malware.

Within organizations, coworkers clicking on malicious links can spread malware through the internal network, infecting multiple devices at the same time. Another risk comes from bundled software, where malware sneaks in with seemingly trustworthy downloads, causing users to unknowingly install various harmful programs — from annoying adware to data-stealing spyware.

2. Brazil, the USA, and India have the most malware-affected users

In the analysis of cybersecurity incidents, the focus was also on examining the global distribution of cases related to malware. Presented below are the top 15 countries with the highest number of malware-affected users (drawing from data spanning from October 2020 to November 2023):

  1. Brazil — 9,659,846 affected users

  2. USA — 6,966,426 affected users

  3. India — 6,914,742 affected users

  4. Indonesia — 5,354,246 affected users

  5. Vietnam — 3,611,798 affected users

  6. Egypt — 3,516,376 affected users

  7. Mexico — 3,042,467 affected users

  8. The Philippines — 2,926,483 affected users

  9. Turkey — 2,888,663 affected users

  10. Pakistan — 2,849,788 affected users

  11. Columbia — 2,655,695 affected users

  12. Thailand — 2,523,671 affected users

  13. Argentina — 2,300,732 affected users

  14. Peru — 2,215,622 affected users

  15. France — 2,142,316 affected users

Despite securing the top rank in the 2020 Global Cybersecurity Index (GCI) with a score of 100 index points, the United States of America holds second place for the most users impacted by malware — with a staggering number equivalent to the entire population of Massachusetts. Notably, five other nations in the Americas and seven in Asia are grappling with the impacts of the malware situation.

The study also reveals that France takes the lead for the highest number of users affected by malware in Europe. This may be attributed to several factors, such as the country's substantial internet usage (82% of the population) and the increased likelihood of economically and politically charged cyberattacks against French users.

3. RedLine is the most common type of malware

Malware comes in various types and forms like adware, spyware, ransomware, trojan horses, and keyloggers. Each one possesses specific functionalities that can compromise one’s digital security. However, certain types of malware are more popular than others.

According to the research, the most prevalent types of malware in the last four years have been:

  1. RedLine

    RedLine is a type of malware designed to collect data from web browsers, applications, email and messaging apps, and cryptocurrency wallets. In simple terms, it functions as a remote access trojan, enabling cybercriminals to steal and transfer sensitive user data, which is later sold on the dark web. The research reveals that RedLine attacks constitute 59% of the total records collected — surpassing the runner-up Vidar by 3.2 times.

  2. Vidar

    Vidar is malicious software designed to steal sensitive information, including login credentials, credit card details, cryptocurrency wallets, and browser history, from infected systems. The stolen data can be used for identity theft or financial fraud — or it can be sold on the dark web. As previously noted, RedLine constituted nearly two-thirds of all the analyzed attacks. However, Vidar remains a considerable threat, comprising 18% of the total number of attacks.

  3. Raccoon

    Raccoon, also known as Raccoon Stealer, is a type of information-stealing malware designed to extract sensitive data from the computers of its victims. This includes, but is not limited to, login credentials and credit card information.
    Raccoon Stealer typically spreads through malicious websites, phishing emails, or other deceptive methods. Once it infects a system, it can covertly send the stolen information to a server operated by cybercriminals.
    Raccoon cases account for 12% (21% between July 2022 and April 2023) of malware attacks analyzed for this research.

Other common types of malware include AZORult, CryptBot, Taurus, and Meta.

incidents by malware type graph

Why have these malware types become more widespread? One reason might be that they are easier to create and deploy. Furthermore, using these types of malicious software may offer greater financial rewards for cybercriminals compared to other methods. The popularity of specific malware is also influenced by the constantly evolving landscape of cyber threats, technological vulnerabilities, and shifts in the digital environment.

4. Tens of millions of credential records were stolen from social media and entertainment platforms

Given the widespread practice of storing sensitive data on cloud servers, email accounts, and social media, it comes as no surprise that these platforms are prime targets for cybercriminals. However, the actual numbers will raise a few eyebrows.

So brace yourself for some eye-opening statistics as we explore the top domains associated with the biggest number of data theft incidents caused by malware and unveil the staggering number of records that fell into the wrong hands.

Most targeted domains*:

  1. – 8.2 million of stolen records

  2. – 5.9 million of stolen records

  3. – 5.6 million of stolen records

  4. – 3.2 million of stolen records

  5. — 3.1 million of stolen records

  6. – 3.1 million of stolen records

  7. – 3 million of stolen records

  8. – 2.8 million of stolen records

  9. com.facebook.katana – 2.5 million of stolen

  10. records – 2.4 million of stolen

  11. records – 2.3 million of stolen records

  12. – 2.3 million of stolen records

The information above indicates a consistent trend of cybercriminals stealing data from widely used digital platforms. This highlights the necessity for enhanced cybersecurity measures to ensure secure data storage and access.

However, it is ultimately up to the user to take proactive steps to actively educate themselves on protecting their credentials and take appropriate follow-up measures.

*NordPass is not endorsed by, maintained, sponsored by, affiliated, or in any way associated with the owners of the mentioned domains. Domains are listed solely for the purpose of accurately reporting information related to cybersecurity incident data.

What you can do to protect yourself from malware threats

First and foremost, protection against malware – whether for individual users or entire organizations – relies on awareness and a sense of responsibility for implementing appropriate security measures for systems, platforms, and data in use. Therefore, everyone needs to take proactive steps in this regard, as without such engagement, achieving adequate protection becomes challenging.

Here are four actions you can take to enhance your protection against malware:

  1. Raise awareness: By learning about different types of malware and sharing this knowledge with others, you can effectively reduce the risk of being targeted. Awareness campaigns, for example, play a crucial role in helping people identify suspicious activities like phishing emails or dubious website links.

  2. Use antivirus software: Using antivirus software is essential for detecting and removing malware from your devices. A good antivirus constantly scans your system for known malware signatures and behaviors, offering a vital layer of defense against various threats.

  3. Update your systems regularly: Regularly updating your operating system, applications, and firmware is vital as it addresses known security vulnerabilities frequently targeted by malware. These updates typically include security patches and bug fixes, bolstering your system's defenses against potential cyber threats.

  4. Use a password manager: Using a password manager allows you to create and store unique, complex passwords for each of your accounts, lowering the risk of unauthorized access. By securely storing your credentials, password managers help prevent malware from stealing your login information and accessing sensitive accounts.

How NordPass can help protect your sensitive data and account access

NordPass is a cybersecurity solution designed to help businesses and individuals protect their data and minimize the threat of malware attacks. How so?

First, NordPass is an end-to-end encrypted credentials manager. This means you can use it to securely generate, store, manage, and share passwords, passkeys, credit card information, and personal data — and do so knowing that they are all protected by advanced encryption algorithms.

Second, NordPass facilitates the implementation of single sign-on (SSO) and multi-factor authentication (MFA). You can use it to present employees with a convenient yet highly secure method of logging in to the company accounts.

Third, organizations can use NordPass as an identity and access management (IAM) tool to control and monitor access to company resources in real time. In other words, with NordPass, a company can see exactly who accessed what and when and manage access privileges with ease.

In addition, NordPass goes the extra mile by utilizing a Master Password. Most browser password managers lack this feature, making them more susceptible to malware attacks.

Naturally, our product is equipped with many other features like Autofill, Data Breach Scanner, and Password Health, all designed to enhance your cybersecurity and help defend against malware-related attacks. If you're interested in exploring these features and gaining a comprehensive understanding of our platform, we invite you to visit our website.

Stay safe!


NordPass, in partnership with third-party researchers, analyzed various sets of credentials sourced from a 6.6TB database. The study involved examining the source website and the type of malware used to steal the data (such as Redline, Vidar, Taurus, Raccoon, Azorult, and Cryptbot). No personal data was acquired or purchased by NordPass to conduct this study.

Subscribe to NordPass news

Get the latest news and tips from NordPass straight to your inbox.