In 2022 (time flies!),\u00a0I wrote a diary about the 32-bits VS. 64-bits malware landscape[1<\/a>]. It demonstrated that, despite the growing number of 64-bits computers, the “old-architecture” remained the standard. In the SANS malware reversing training (FOR610[2<\/a>]), we quickly cover the main differences between the two architectures. One of the conclusions is that 32-bits code is still popular because it acts like a comme denominator and allows threat actors to target more Windows computers. Yes, Microsoft Windows can smoothly execute 32-bits code on 64-bits computers.\u00a0It is still the case in 2026? Did the situation evolved?<\/p>\n Last week, I make the exact same exercise and generated some statistics. I download the malware archive from Malware Bazaar[3<\/a>] and re-executed my YARA rule.<\/p>\n Some basic numbers:<\/p>\n First, an overview of the global malware trend over the complete time period:<\/p>\n Zoom on the last year:<\/p>\n Now the interesting graph: the 64-bits sample trend over the complete period:<\/p>\n Zoom on the last year:<\/p>\n We can clearly see that, compared to 2022, there is now a trend in 64-bits code! Have a look at the last 30 days:<\/p>\n We are getting close to a 50-50 repartition! Xavier Mertens (@xme) (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n \t\n
![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/isc-20260216-1.png?ssl=1\")
<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/isc-20260216-2.png?ssl=1\")
<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/isc-20260216-3.png?ssl=1\")
<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/isc-20260216-4.png?ssl=1\")
<\/p>\n\n\n
\n Date<\/td>\n Total Files<\/td>\n 32-bits<\/td>\n 64-bits<\/td>\n<\/tr>\n \n 2026-01-07<\/td>\n 65<\/td>\n 41<\/td>\n 24<\/td>\n<\/tr>\n \n 2026-01-08<\/td>\n 69<\/td>\n 41<\/td>\n 28<\/td>\n<\/tr>\n \n 2026-01-09<\/td>\n 117<\/td>\n 57<\/td>\n 60<\/td>\n<\/tr>\n \n 2026-01-10<\/td>\n 44<\/td>\n 25<\/td>\n 19<\/td>\n<\/tr>\n \n 2026-01-11<\/td>\n 41<\/td>\n 25<\/td>\n 16<\/td>\n<\/tr>\n \n 2026-01-12<\/td>\n 60<\/td>\n 40<\/td>\n 20<\/td>\n<\/tr>\n \n 2026-01-13<\/td>\n 53<\/td>\n 28<\/td>\n 25<\/td>\n<\/tr>\n \n 2026-01-14<\/td>\n 63<\/td>\n 41<\/td>\n 22<\/td>\n<\/tr>\n \n 2026-01-15<\/td>\n 59<\/td>\n 36<\/td>\n 23<\/td>\n<\/tr>\n \n 2026-01-16<\/td>\n 32<\/td>\n 21<\/td>\n 11<\/td>\n<\/tr>\n \n 2026-01-17<\/td>\n 27<\/td>\n 18<\/td>\n 9<\/td>\n<\/tr>\n \n 2026-01-18<\/td>\n 65<\/td>\n 33<\/td>\n 32<\/td>\n<\/tr>\n \n 2026-01-19<\/td>\n 96<\/td>\n 60<\/td>\n 36<\/td>\n<\/tr>\n \n 2026-01-20<\/td>\n 71<\/td>\n 41<\/td>\n 30<\/td>\n<\/tr>\n \n 2026-01-21<\/td>\n 56<\/td>\n 33<\/td>\n 23<\/td>\n<\/tr>\n \n 2026-01-22<\/td>\n 82<\/td>\n 35<\/td>\n 47<\/td>\n<\/tr>\n \n 2026-01-23<\/td>\n 77<\/td>\n 52<\/td>\n 25<\/td>\n<\/tr>\n \n 2026-01-24<\/td>\n 50<\/td>\n 15<\/td>\n 35<\/td>\n<\/tr>\n \n 2026-01-25<\/td>\n 44<\/td>\n 28<\/td>\n 16<\/td>\n<\/tr>\n \n 2026-01-26<\/td>\n 125<\/td>\n 102<\/td>\n 23<\/td>\n<\/tr>\n \n 2026-01-27<\/td>\n 90<\/td>\n 64<\/td>\n 26<\/td>\n<\/tr>\n \n 2026-01-28<\/td>\n 66<\/td>\n 29<\/td>\n 37<\/td>\n<\/tr>\n \n 2026-01-29<\/td>\n 121<\/td>\n 51<\/td>\n 70<\/td>\n<\/tr>\n \n 2026-01-30<\/td>\n 80<\/td>\n 39<\/td>\n 41<\/td>\n<\/tr>\n \n 2026-01-31<\/td>\n 68<\/td>\n 28<\/td>\n 40<\/td>\n<\/tr>\n \n 2026-02-01<\/td>\n 62<\/td>\n 27<\/td>\n 35<\/td>\n<\/tr>\n \n 2026-02-02<\/td>\n 129<\/td>\n 72<\/td>\n 57<\/td>\n<\/tr>\n \n 2026-02-03<\/td>\n 117<\/td>\n 53<\/td>\n 64<\/td>\n<\/tr>\n \n 2026-02-04<\/td>\n 84<\/td>\n 42<\/td>\n 42<\/td>\n<\/tr>\n \n 2026-02-05<\/td>\n 437<\/td>\n 395<\/td>\n 42<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
\n\u200b\u200b\u200b\u200b\u200b\u200b\u200b
\n[1] https:\/\/isc.sans.edu\/diary\/32+or+64+bits+Malware\/28968<\/a>
\n[2] https:\/\/www.sans.org\/cyber-security-courses\/reverse-engineering-malware-malware-analysis-tools-techniques<\/a>
\n[3] https:\/\/bazaar.abuse.ch<\/a><\/p>\n
\nXameco
\nSenior ISC Handler – Freelance Cyber Security Consultant
\nPGP Key<\/a><\/p>\n
\n
<\/BR><\/p>\n