Stairwell Report Uncovers Massive Malware Blind Spot in Enterprise Security

Stairwell | September 16, 2025

16,104 hidden variants exposed across 769 threat reports — and most tools missed them.


SUNNYVALE, Calif – September 16, 2025 – Stairwell, a cybersecurity innovator using AI-powered file analysis to outmaneuver known and unknown malware, released its Hidden Malware Report: Uncovering Malware Variants in the Wild, a sweeping analysis of 769 threat reports published between 2023 and mid-2025.

The report reveals that for every known malicious file identified in public threat reports, there are significantly more hidden variants silently slipping past traditional defenses. Using its proprietary continuous file analysis and malware variant discovery engine, Stairwell uncovered 16,104 previously undetected malware variants, expanding coverage over the reported hashes by 157%.

This massive variant gap highlights a critical flaw in conventional security tooling: a reliance on exact file hashes. By going beyond static signatures and analyzing structural and behavioral similarities, Stairwell offers a new lens for security teams to detect what others miss — the unseen variants that lurk in enterprise environments long after an IOC is published.

“Every threat report is just a snapshot of a moment in time. But attackers don’t stand still, and neither should detection. What we’ve uncovered is that the vast majority of malicious activity exists beyond what’s reported, in variants designed to slip past legacy defenses,” said Mike Wiacek, CTO and Founder of Stairwell.

If you're relying on static hashes, you're fighting yesterday’s threats. Stairwell gives defenders the ability to uncover what's hiding in the shadows, not just what was seen. This is how we shift from reactive defense to proactive detection.

Key findings from the Hidden Malware Report:

  • 769 threat reports analyzed from 2023 to mid-2025
  • 10,262 SHA256 hashes originally published by security vendors
  • 16,104 additional malware variants detected by Stairwell
  • 21 new variants detected per threat report on average
  • Top hash publishers by volume: Talos, Palo Alto Unit 42, and Checkpoint

This report makes one thing clear: point-in-time detection is no longer enough. Security teams must:

  1. Reevaluate Threat Coverage: Don’t rely solely on published IOCs. Treat threat reports as a starting point — not a final answer.
  2. Adopt Variant-Aware Detection: Use tools that analyze file structure and behavior, not just hashes or signatures, to detect polymorphic malware and related variants.
  3. Continuously Reanalyze Files: The threat landscape evolves daily. Continuous analysis ensures your defenses keep up with newly discovered malware variants.
  4. Harden Against False Negatives: Invest in solutions that expose unseen malware to eliminate blind spots and reduce the risk of persistent threats.

The security community depends on shared intelligence — but most tools stop short of fully leveraging it. The Hidden Malware Report proves that attackers evolve faster than static defenses can respond. Relying on hashes alone gives a false sense of security and leaves gaps for adversaries to exploit.

Stairwell eliminates that blind spot. By continuously reanalyzing your file inventory and mapping the full tree of malware variants, we uncover what others miss — and give security teams the upper hand.

To see what’s hiding behind the hashes, download the full report and 1,006 shared malware hashes here.

 

About Stairwell

Stairwell solves the problem of detecting malware hiding in an enterprise by bringing a signal intelligence approach to gathering data that determines the connections from threat intelligence, malware libraries, threat report IOCs, to the actual files in your enterprise. Unlike log-centric solutions that are easily evaded, require costly and unsustainable storage, and take too long to search, Stairwell finds more malware by continuously analyzing your most important data set–your files. With Stairwell, you have a cost-effective platform that answers any question from your threat intelligence, SOC analysts, and incident response experts–in seconds. Stairwell is a search engine for malware and vulnerable or non-compliant files within your enterprise.

Stairwell was founded by Mike Wiacek, the founder of both Google Threat Analysis Group and Alphabet’s Chronicle, and is backed by Sequoia, Accel, and s32. With enterprise customers from financial services, healthcare, fintech, AI, media, and gaming, Stairwell brings the ease, scale, and speed of web search to modern security.