
The Programming Languages Hiding Malware: Why Obscurity Is Key for Cybercriminals!
2025-03-29
Author: Rajesh
Introduction
According to striking new research from the University of Piraeus and Athena Research Center in Greece, along with Delft University of Technology in the Netherlands, it appears that malware authors are increasingly opting for less conventional programming languages like Delphi and Haskell to obscure their malicious code. This trend raises pressing concerns for cybersecurity experts who rely on static analysis, a technique that scrutinizes code without executing it, to detect malware.
Rising Malware Instances
Alarming statistics from antivirus evaluator AV-TEST indicate that a staggering 26 million new instances of malware were reported in 2025 alone. Static analysis has been the cornerstone of malware detection, but clever authors know how to exploit its weaknesses, leading to a growing deluge of undetected threats.
Research Insights
The research team, comprising Theodoros Apostolopoulos, Vasilios Koutsokostas, Nikolaos Totosis, Constantinos Patsakis, and Georgios Smaragdakis, published their findings in a paper intriguingly titled “Coding Malware in Fancy Programming Languages for Fun and Profit.” They reveal that many cybercriminals are using uncommon programming languages precisely because code written in them is less likely to be recognized by security software, whose threat detection is typically geared toward languages like C or C++.
Evolution of Ransomware
Among the astonishing findings, the researchers note that sophisticated ransomware groups are continuously evolving. For instance, notorious actors like APT29 have used languages such as Python in their Masepie malware targeting Ukraine, and combined Delphi, Python, C#, and Go for their Zebrocy malware. In an alarming shift, the Akira ransomware, once predominantly written in C++, has transitioned to Rust, while BlackByte shifted from C# to Go. This signifies a tactical pivot to languages that can better protect their code and operational integrity.
Challenges of Static Analysis
Static analysis struggles primarily due to the programming languages’ execution models and the characteristics of their compilers. For instance, languages such as Haskell and Lisp present complex execution patterns that confound traditional detection methodologies. Furthermore, languages like Dart and Go can increase the intricacy of the binaries due to the numerous standard functions included, rendering even simple programs deceptively complicated.
Compiler Influence on Detection Rates
By analyzing around 400,000 Windows executables from Malware Bazaar, the researchers found that compiler choice significantly impacts malware detection rates. Surprisingly, less common programming languages like Rust and Nim demonstrated lower detection rates not merely due to their obscurity but because of the unique features of their compilers that lead to more complex code structures.
Byte Fragmentation and Detection Difficulty
Most tellingly, when the researchers assessed how well binaries resisted shellcode pattern matching, a critical technique for finding malicious instructions, the results revealed stark contrasts across languages. Malware written in mainstream languages like C and C++ typically maintained a predictable byte sequence, making it easier for analysts to flag. In contrast, programming languages such as Rust, Phix, Lisp, and Haskell showed substantial byte fragmentation, making static detection much tougher.
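To make the fragmentation point concrete from the detection side, the sketch below is an added example (not code from the paper or this article) that compares a plain byte-signature match with a fragment-aware scan. The function names, the 4-byte minimum run, the 0.8 coverage threshold and all sample bytes are assumptions constructed for illustration.

```python
# Added example. All bytes below are constructed; none is real malware or shellcode.

def find_fragments(pattern: bytes, blob: bytes, min_len: int = 4):
    """Greedily cover `pattern` with the longest runs found anywhere in `blob`.

    Returns (pattern_offset, length, blob_offset) tuples in pattern order.
    """
    fragments, i = [], 0
    while i + min_len <= len(pattern):
        k, pos = min_len, blob.find(pattern[i:i + min_len])
        if pos == -1:
            i += 1  # no run of at least min_len bytes starts at this offset
            continue
        # Grow the run while the one-byte-longer slice still occurs in blob.
        while i + k < len(pattern):
            nxt = blob.find(pattern[i:i + k + 1])
            if nxt == -1:
                break
            k, pos = k + 1, nxt
        fragments.append((i, k, pos))
        i += k
    return fragments


def classify(pattern: bytes, blob: bytes, min_len: int = 4, threshold: float = 0.8):
    """Return (verdict, fragment_count, coverage); threshold is an assumed cut-off."""
    frags = find_fragments(pattern, blob, min_len)
    coverage = sum(length for _, length, _ in frags) / len(pattern)
    if len(frags) == 1 and coverage == 1.0:
        verdict = "contiguous"  # a plain byte-signature match would fire
    elif coverage >= threshold:
        verdict = "fragmented"  # plain match misses; the pieces are still present
    else:
        verdict = "absent"
    return verdict, len(frags), coverage


PATTERN = bytes(range(0x10, 0x30))  # constructed 32-byte stand-in for a signature
FILL = b"\xcc" * 16                 # constructed filler between pieces
BLOB_CONTIGUOUS = FILL + PATTERN + FILL
BLOB_FRAGMENTED = FILL + FILL.join(PATTERN[i:i + 8] for i in range(0, 32, 8)) + FILL
BLOB_CLEAN = FILL * 6

if __name__ == "__main__":
    for name, blob in [("contiguous", BLOB_CONTIGUOUS),
                       ("fragmented", BLOB_FRAGMENTED),
                       ("clean", BLOB_CLEAN)]:
        print(name, "plain match:", PATTERN in blob, classify(PATTERN, blob))
```

On real binaries, short runs match by chance, so the minimum run length and threshold need tuning against known-clean samples before the verdict means anything.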
Conclusion
The research underscores the idea that malware written in less common languages can significantly reduce detection opportunities while raising the barriers for cybersecurity professionals tasked with reverse engineering. The authors emphasize that as malware evolves, so too must the tools and techniques used by the security community. They urge a more focused approach to these unconventional languages in detection efforts, highlighting the critical need for enhanced tools capable of identifying malware in a more diverse programming landscape.
The Future of Cybersecurity
As the battle between cybercriminals and security researchers becomes increasingly sophisticated, it raises the question: What other hidden evils lie within the shadows of obscure programming languages? The cybersecurity field must evolve rapidly, or risk being left behind in the endless game of cat and mouse against malicious threats.