
2026 64-Bits Malware Trend, (Mon, Feb 16th)

0
Low
Malware, windows
Published: Mon Feb 16 2026 (02/16/2026, 07:46:36 UTC)
Source: SANS ISC Handlers Diary

Description

In 2022 (time flies!), I wrote a diary about the 32-bits vs. 64-bits malware landscape[1]. It demonstrated that, despite the growing number of 64-bits computers, the "old-architecture" remained the standard. In the SANS malware reversing training (FOR610[2]), we quickly cover the main differences between the two architectures. One of the conclusions is that 32-bits code is still popular because it acts like a common denominator and allows threat actors to target more Windows computers. Yes, Microsoft Windows can smoothly execute 32-bits code on 64-bits computers. Is it still the case in 2026? Did the situation evolve?

AI-Powered Analysis

AI analysis last updated: 02/16/2026, 13:40:44 UTC

Technical Analysis

This analysis is based on a comprehensive study conducted by Xavier Mertens from the SANS Internet Storm Center, examining malware samples collected from February 2020 through early February 2026. The dataset includes 346,985 Portable Executable (PE) files from Windows malware archives totaling over 1.1 terabytes of data. Historically, 32-bit malware has been predominant because it runs on both 32-bit and 64-bit Windows systems, providing attackers with a broad target base. However, the study reveals a clear upward trend in 64-bit malware samples, which now constitute approximately 11% of all samples analyzed over the full period and approach parity with 32-bit samples in recent daily counts. This shift suggests attackers are increasingly developing malware that targets native 64-bit Windows environments, likely to exploit architectural advantages and potentially bypass legacy detection mechanisms that focus on 32-bit code. The analysis includes detailed daily breakdowns showing days where 64-bit malware samples nearly equal or surpass 32-bit samples. Despite this trend, the overall threat level is currently considered low, as no known exploits in the wild are reported and the malware landscape remains mixed. The study underscores the importance of understanding architectural differences in malware development and adapting defensive tools accordingly. The ability of Windows to execute 32-bit code on 64-bit systems remains a factor in malware design, but the growing 64-bit malware presence signals a shift in attacker strategies.
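To reproduce this kind of 32-bit versus 64-bit count on your own sample set, the architecture can be read directly from each file's PE headers. The following is an added example, not code from the diary or from this site; the function names and the header-only sample stubs are constructed for illustration, and it recognises ARM64 in addition to the x86 and x64 cases discussed above.

```python
import struct
from collections import Counter

# Values from the PE/COFF specification.
MACHINE = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64"}
OPT_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}


def pe_architecture(data: bytes) -> str:
    """Return e.g. 'PE32/x86' or 'PE32+/x64'; 'not-pe' for malformed input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-pe"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Need: PE signature (4) + COFF header (20) + optional-header magic (2).
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "not-pe"
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    fmt = OPT_MAGIC.get(magic, f"magic=0x{magic:x}")
    cpu = MACHINE.get(machine, f"machine=0x{machine:04x}")
    return f"{fmt}/{cpu}"


def tally(blobs):
    """Count architectures over an iterable of file contents."""
    return Counter(pe_architecture(b) for b in blobs)


def fake_pe(machine: int, magic: int) -> bytes:
    """Constructed header-only stub for the demo; not a loadable executable."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0xF0, 0x22)
    return dos + b"PE\0\0" + coff + struct.pack("<H", magic)


# Constructed sample set: one 32-bit, two 64-bit, two non-PE inputs.
SAMPLES = [
    fake_pe(0x014C, 0x10B),
    fake_pe(0x8664, 0x20B),
    fake_pe(0x8664, 0x20B),
    b"plain text, no MZ header",
    b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x1000),  # e_lfanew past EOF
]

if __name__ == "__main__":
    for arch, count in tally(SAMPLES).most_common():
        print(f"{arch:12} {count}")
```

Header bitness undercounts 64-bit-capable samples in one case: a .NET assembly built as AnyCPU is a PE32 file that the CLR can run as a 64-bit process.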

Potential Impact

For European organizations, the increasing prevalence of 64-bit malware represents a shift in the threat landscape that could impact endpoint security effectiveness. Many European enterprises run modern 64-bit Windows operating systems, especially in sectors like finance, manufacturing, and government, where up-to-date infrastructure is common. The rise of 64-bit malware may reduce the effectiveness of legacy security tools that primarily focus on 32-bit threats, potentially increasing the risk of successful infections. This could lead to confidentiality breaches, data integrity issues, and availability disruptions if malware executes payloads such as ransomware or data exfiltration tools. Additionally, the broad compatibility of 32-bit malware remains a concern, meaning organizations must defend against both architectures simultaneously. The impact is amplified in countries with high Windows market penetration and advanced IT environments, where attackers may focus efforts. While no active exploits are currently reported, the trend suggests that attackers are preparing for more sophisticated campaigns leveraging 64-bit capabilities, which could increase the attack surface and complicate incident response. Organizations failing to adapt may face increased risk of compromise and operational disruption.

Mitigation Recommendations

European organizations should take proactive measures to address the evolving malware architecture landscape:

1. Ensure all endpoint detection and response (EDR) and antivirus solutions are fully updated and capable of detecting both 32-bit and 64-bit malware variants, including heuristic and behavioral analysis for native 64-bit code.
2. Conduct regular threat hunting exercises focusing on 64-bit malware indicators, leveraging updated YARA rules and threat intelligence feeds that include 64-bit samples.
3. Maintain strict application whitelisting and execution policies that consider architecture-specific binaries to reduce unauthorized code execution.
4. Implement robust patch management to minimize vulnerabilities that malware could exploit, especially on 64-bit Windows systems.
5. Train security teams on the differences between 32-bit and 64-bit malware behaviors and analysis techniques to improve incident detection and response.
6. Utilize sandboxing environments capable of executing and analyzing 64-bit malware samples safely to enhance malware research and signature development.
7. Monitor malware repositories and threat intelligence sources such as Malware Bazaar and SANS ISC for emerging 64-bit malware trends and indicators.
8. Review and update security policies and controls to reflect the architectural shift, ensuring comprehensive coverage across all Windows platforms.

These targeted actions go beyond generic advice by focusing on architectural awareness and adapting security controls to the evolving threat landscape.


Technical Details

Article Source
{"url":"https://isc.sans.edu/diary/rss/32718","fetched":true,"fetchedAt":"2026-02-16T13:40:13.819Z","wordCount":523}

Threat ID: 69931e47d1735ca7318782d3

Added to database: 2/16/2026, 1:40:23 PM

Last enriched: 2/16/2026, 1:40:44 PM

Last updated: 2/20/2026, 10:01:18 PM
