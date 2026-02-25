Organisations worldwide increasingly face cybersecurity threats capable of causing significant operational disruption. Recently, organisations have been targeted with “sleeping malware”: a dormant, or “sleeping,” implant embedded in an organisation’s systems that remains there undetected, sometimes for long periods, until an activation date or external trigger “awakens” it and causes a cyber incident.

Because sleeping malware delays the attack, it is difficult for organisations to pinpoint when and how the threat entered their systems, and because it often remains undetected until it activates, it is frequently too late to stop the attack once it begins.

Attacks can result in business disruption, loss of personal data, and reputational damage.

Organisations cannot entirely eliminate risk, but they can take precautions to reduce exposure and increase the likelihood of early detection and effective response.

Sleeping malware, such as the Brickstorm backdoor and the implants used in campaigns tracked under names such as Warp Panda, is typically placed through subtle techniques: phishing emails, supply chain compromise, infected removable drives, or compromised websites that deliver malware to visitors. Once implanted, the malware establishes persistence so that it survives system reboots and routine maintenance checks. It then lies dormant to avoid detection, often by relying on native system tools (“living off the land”) rather than on the characteristics of conventional malicious software, so that its activity blends in with normal administration. This can mean that it remains in the system, sometimes for two or more years, before an attack occurs.

Extended dormancy raises significant legal questions, including when breach notification obligations are triggered, whether cyber insurance policies with retroactive date limitations will respond, and the extent of regulatory exposure for the period during which the malware was present but undetected. While the malware is dormant in the sense that it causes no disruption, it is often collecting information, including personal data and confidential business information, and scanning the system for weaknesses such as gaps in security controls and unpatched software, while it waits for its activation date.

Activation dates are frequently aligned with moments of peak distraction or reduced staffing to maximise impact, such as public holidays (including bank holidays) or preplanned maintenance windows. For an organisation, the attacks can have serious consequences, including service outages, data breaches, destruction of data, and reputational damage.
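The two characteristics just described, a persistence mechanism that blends in with normal administration and a trigger tied to a calendar date, are something defenders can hunt for directly. The script below is an added example written for this page, not code from any of the vendors or incidents it mentions: it parses a constructed crontab (the sample lines are made up, not real telemetry, and the base64 payload decodes to a made-up path) and flags jobs whose schedule is pinned to a fixed calendar date, jobs that run inline or base64-decoded code through a native interpreter, and jobs that execute from a world-writable temp directory. The heuristics and their thresholds are the author's own assumptions, and the reference date is the page's date.

```python
import base64
import binascii
import re
from datetime import date

# Constructed crontab used as sample input; it is not captured from any real
# system. The third and fourth jobs show the pattern the text describes: a
# fixed calendar date plus a command that runs through a native interpreter.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/15 * * * * /usr/bin/python3 /opt/monitoring/collect.py
0 2 25 12 * /bin/bash -c "$(echo L3Zhci90bXAvLnguc2g= | base64 -d)"
30 4 3 1 * /usr/bin/python3 -c "import socket,subprocess,os"
0 0 * * 0 /usr/bin/apt-get update
"""

# Reference "today" for the worked run: the date of this page (assumption).
REFERENCE_DATE = date(2026, 2, 25)

CRON_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")
# Native tools running inline or decoded code rather than a dropped binary.
LOTL_RE = re.compile(
    r"\b(?:ba)?sh\s+-c\b|\bpython3?\s+-c\b|\bbase64\s+(?:-d|--decode)\b"
    r"|\beval\b|\bcurl\b[^|]*\|\s*(?:ba)?sh\b"
)
# World-writable locations that a legitimate scheduled job rarely executes from.
TEMP_RE = re.compile(r"(?:^|[\s\"'=])(?:/tmp|/var/tmp|/dev/shm)/")
# Candidate base64 tokens embedded in a command line (16+ alphabet chars).
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def parse_crontab(text):
    """Split crontab text into dicts of the five schedule fields plus command."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_RE.match(line)
        if m is None:
            continue
        minute, hour, dom, month, dow, command = m.groups()
        entries.append({"line": line, "minute": minute, "hour": hour,
                        "dom": dom, "month": month, "dow": dow,
                        "command": command})
    return entries


def decoded_fragments(command):
    """Return printable ASCII strings hidden in base64 tokens of a command."""
    found = []
    for token in B64_RE.findall(command):
        try:
            text = base64.b64decode(token, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue  # path fragments and other non-base64 look-alikes
        if text.isprintable():
            found.append(text)
    return found


def is_date_gated(entry):
    """True when both day-of-month and month are pinned: the job can only fire
    on specific calendar dates, which is the 'activation date' shape."""
    return entry["dom"] != "*" and entry["month"] != "*"


def next_activation(entry, today):
    """Next calendar date a plain numeric dom/month job fires on or after today.
    Lists, ranges, steps and impossible dates (31 2) yield None."""
    if not (entry["dom"].isdigit() and entry["month"].isdigit()):
        return None
    dom, month = int(entry["dom"]), int(entry["month"])
    for year in (today.year, today.year + 1):
        try:
            candidate = date(year, month, dom)
        except ValueError:
            return None
        if candidate >= today:
            return candidate
    return None


def assess(entry, today):
    """Return the reasons an entry looks like a dormant, date-gated implant."""
    reasons = []
    if is_date_gated(entry):
        reasons.append("fixed calendar date (fires at most once a year)")
        nxt = next_activation(entry, today)
        if nxt is not None:
            weekend = " (weekend)" if nxt.weekday() >= 5 else ""
            reasons.append(f"next fires {nxt.isoformat()}{weekend}")
    if LOTL_RE.search(entry["command"]):
        reasons.append("native interpreter runs inline or decoded code")
    if TEMP_RE.search(entry["command"]):
        reasons.append("runs from a world-writable temp directory")
    for text in decoded_fragments(entry["command"]):
        if TEMP_RE.search(text):
            reasons.append(f"base64 payload decodes to {text!r} in a temp directory")
    return reasons


def hunt(text, today):
    """Run every heuristic over a crontab and return only the flagged entries."""
    findings = []
    for entry in parse_crontab(text):
        reasons = assess(entry, today)
        if reasons:
            findings.append({"line": entry["line"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_CRONTAB, REFERENCE_DATE):
        print(finding["line"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run against the sample, the two benign daily, quarter-hourly and weekly jobs produce nothing, while the two date-pinned jobs are reported with their next firing date, which is how a hunter would spot that an implant is timed for a holiday or a weekend of reduced staffing. The same three checks translate to Windows scheduled tasks (a trigger with a single start date, `powershell -enc`, execution from a user-writable profile directory); the point is to look for the schedule shape, not for a known bad file.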

Many organisations already implement a range of technical measures against attacks, such as sandboxes, multifactor authentication, penetration testing, firewalls, and vulnerability management. However, as malware becomes more sophisticated and attacks more frequent, these measures may not offer complete protection: controls designed to block or detect malware at the point of entry do little against an implant that is already inside and behaves like routine administration. Identifying sleeping malware often requires more advanced measures that demand heavy investment, such as behavioural monitoring of endpoints and networks and proactive threat hunting.

Commonly, an organisation’s third-party service providers are the first to detect irregularities in its systems, for example suspicious update requests, unexpected code or configuration changes, or unusual service activity. Such findings can trigger notifications and investigations that reveal sleeping malware, and containment may require systems to be taken offline for periods of time to be rebuilt and verified, with negative impacts on business operations.

To mitigate the risks from sleeping malware, organisations may consider measures such as:

Regularly reviewing the technical measures that secure systems and implementing up-to-date and proportionate improvements, such as restricting system access to those who need it and segmenting IT networks to limit the malware’s ability to move between systems

Undertaking due diligence on the third-party service providers relied on to deliver services

Establishing a cyber incident response plan and rehearsing it through simulations

Providing regular staff training on phishing attacks and awareness of security threats

Providing clarity on how staff should manage communications about cyber incidents

Considering procuring cyber insurance, paying particular attention to retroactive date provisions and whether the policy responds to threats that were implanted before the policy period but discovered during it

Complying with applicable data protection laws and remaining current with legal timeframes for communicating cyber incidents to relevant authorities and individuals

