Cyber criminals are becoming more brazen, and this month, research highlights the rise of SafePay, a relatively new but increasingly active ransomware group that has quickly established itself as a key player in the cyber crime ecosystem. Meanwhile, FakeUpdates remains a dominant force, continuing to impact global organizations at an alarming rate. The education sector remains the most targeted industry, illustrating persistent vulnerabilities across institutions.

SafePay Leads the Ransomware Group Rankings

SafePay, first identified in November 2024, has emerged as the most prevalent ransomware group this month. SafePay uses a double-extortion strategy: encrypting files while exfiltrating sensitive data to further pressure victims into paying ransoms. Notably, SafePay’s malware includes a Cyrillic-language exclusion, suggesting possible ties to Russian-affiliated threat actors.

The group employs aggressive negotiation tactics, including direct phone calls to victims, and operates a “shame site” where stolen data from non-paying victims is published. Despite not following the RaaS model, SafePay has already listed over 200 victim organizations, with a distinct focus on German targets, which make up nearly one-fifth of its victims. This marks a clear deviation from typical global ransomware targeting trends.

Europol and Partners Take Down Lumma Infostealer

In May, Europol, the FBI, Microsoft, and partners launched a major operation targeting Lumma, a prominent malware-as-a-service platform. The takedown caused significant disruption by seizing thousands of domains, although Lumma’s core Russia-based servers were claimed to have remained operational, while developers swiftly restored its infrastructure. The operation inflicted reputational harm by employing tactics like phishing and psychological pressure to sow distrust among Lumma users. Despite these setbacks, Lumma-related data continues to circulate, posing long-term risks.

Top Malware Families

The arrows indicate changes in rank compared to the previous month.

FakeUpdates is the most prevalent malware this month with an impact of 5% worldwide organizations, followed by Remcos and Androxgh0st both with an impact of 3% each.

  1. ↔  FakeUpdates – Fakeupdates (AKA SocGholish) is a downloader malware that was initially discovered in 2018. It is spread through drive-by downloads on compromised or malicious websites, prompting users to install a fake browser update. Fakeupdates malware is associated with a Russian hacking group, Evil Corp, and is used to deliver various secondary payloads after the initial infection.
  2. ↔  Remcos – Remcos is a remote access Trojan (RAT) first observed in 2016, often distributed through malicious documents in phishing campaigns. It is designed to bypass Windows security mechanisms, such as UAC, and execute malware with elevated privileges, making it a versatile tool for threat actors.
  3. ↑ Androxgh0st – AndroxGh0st is a Python-based malware that targets applications using the Laravel PHP framework by scanning for exposed .env files containing sensitive information such as login credentials for services like AWS, Twilio, Office 365, and SendGrid. It operates by utilizing a botnet to identify websites running Laravel and extracting confidential data. Once access is gained, attackers can deploy additional malware, establish backdoor connections, and exploit cloud resources for activities like cryptocurrency mining.
  4. ↑ AsyncRat – AsyncRAT is a remote access Trojan (RAT) targeting Windows systems, first identified in 2019. It exfiltrates system information to a command-and-control server and executes commands such as downloading plugins, terminating processes, capturing screenshots, and updating itself. Commonly distributed via phishing campaigns, it is used for data theft and system compromise.
  5. ↑ Formbook – Formbook, first identified in 2016, is an infostealer malware that primarily targets Windows systems. The malware harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute additional payloads. The malware spreads via phishing campaigns, malicious email attachments, and compromised websites, often disguised as legitimate files.
  6. ↓ AgentTesla – AgentTesla is an advanced RAT (remote access Trojan) that functions as a keylogger and password stealer. Active since 2014, AgentTesla can monitor and collect the victim’s keyboard input and system clipboard, and can record screenshots and exfiltrate credentials entered for a variety of software installed on the victim’s machine (including Google Chrome, Mozilla Firefox and Microsoft Outlook email client). AgentTesla is openly sold as a legitimate RAT with customers paying $15 – $69 for user licenses.
  7. ↑ Phorpiex – Phorpiex, also known as Trik, is a botnet that has been active since at least 2010, primarily targeting Windows systems. At its peak, Phorpiex controlled more than a million infected hosts. Phorpiex is notorious for distributing other malware families, including ransomware and cryptominers, via spam campaigns, and has been involved in large-scale sextortion campaigns.
  8. ↓  Lumma – Lumma Stealer, first detected in August 2022, is a Malware-as-a-Service (MaaS) information stealer that exfiltrates sensitive data from infected Windows systems, including credentials, cryptocurrency wallets, and browser information. It spreads through phishing campaigns, malicious websites, and social engineering tactics like the ClickFix method, where users are tricked into executing attacker-provided PowerShell commands.
  9. ↔  Amadey – Amadey is a modular botnet that emerged in 2018, primarily targeting Windows systems. It functions as both an infostealer and a malware loader, capable of reconnaissance, data exfiltration, and deploying additional payloads, including banking Trojans and DDoS tools. Amadey is primarily distributed by exploit kits such as RigEK and Fallout EK, and through phishing emails and other malware like SmokeLoader.
  10. ↔  Raspberry Robin – RaspberryRobin is a worm, that first emerged in September 2021. It is primarily spread through infected USB drives and is noted for its sophisticated techniques to evade detection and establish persistence on compromised systems. Once a system is infected, Raspberry Robin can facilitate the download and execution of additional malicious payloads.
Top Ransomware Groups

Ransomware continues to dominate the cyber crime landscape. This month, SafePay emerges as the most significant ransomware threat, with a new generation of operators targeting both large enterprises and smaller businesses. The tactics used by these groups are becoming increasingly sophisticated, and the competition between them is intensifying.

  1. SafePay – SafePay is a ransomware group first observed in November 2024, with indicators suggesting a possible Russian affiliation. The group operates a double extortion model—encrypting victims’ files while exfiltrating sensitive data to increase pressure for payment. Despite not operating as a ransomware-as-a-service (RaaS), SafePay has listed an unusually high number of victims. Its centralized, internally driven structure leads to consistent tactics, techniques, and procedures (TTPs) and focused targeting.
  2. Qilin – Qilin, also referred to as Agenda, is a ransomware-as-a-service criminal operation that collaborates with affiliates to encrypt and exfiltrate data from compromised organizations, subsequently demanding a ransom. This ransomware variant was first detected in July 2022 and is developed in Golang. Agenda is known for targeting large enterprises and high-value organizations, with a particular focus on the healthcare and education sectors. Qilin typically infiltrates victims via phishing emails containing malicious links to establish access to their networks and exfiltrate sensitive information. Once inside, Qilin usually moves laterally through the victim’s infrastructure, seeking critical data to encrypt.
  3. Play – Play Ransomware, also referred to as PlayCrypt, is a ransomware that first emerged in June 2022. This ransomware has targeted a broad spectrum of businesses and critical infrastructure across North America, South America, and Europe, affecting approximately 300 entities by October 2023. Play Ransomware typically gains access to networks through compromised valid accounts or by exploiting unpatched vulnerabilities, such as those in Fortinet SSL VPNs. Once inside, it employs techniques like using living-off-the-land binaries (LOLBins) for tasks such as data exfiltration and credential theft.
Top Mobile Malware

Mobile malware remains a growing concern, with more advanced threats targeting Android devices. This month, Anubis leads the list as a versatile banking trojan, while Necro gains traction and returns to the top 3. The evolution of mobile malware highlights the increasing threats posed to users who rely on smartphones for sensitive transactions.

  1. ↔ Anubis – Anubis is a versatile banking trojan that originated on Android devices and has evolved to include advanced capabilities such as bypassing multi-factor authentication (MFA) by intercepting SMS-based one-time passwords (OTPs), keylogging, audio recording, and ransomware functions. It is often distributed through malicious apps on the Google Play Store and has become one of the most prevalent mobile malware families. Additionally, Anubis includes remote access trojan (RAT) features, enabling extensive surveillance and control over infected systems.
  2. ↔ AhMyth – AhMyth is a remote access trojan (RAT) targeting Android devices, typically disguised as legitimate apps like screen recorders, games, or cryptocurrency tools. Once installed, it gains extensive permissions to persist after reboot and exfiltrate sensitive information such as banking credentials, cryptocurrency wallet details, multi-factor authentication (MFA) codes, and passwords. AhMyth also enables keylogging, screen capture, camera and microphone access, and SMS interception, making it a versatile tool for data theft and other malicious activities.
  3. ↑ Necro Necro is a malicious Android downloader that retrieves and executes harmful components on infected devices based on commands from its creators. It has been discovered in several popular apps on Google Play, as well as modified versions of apps on unofficial platforms like Spotify, WhatsApp, and Minecraft. Necro is capable of downloading dangerous modules to smartphones, enabling actions such as displaying and clicking on invisible ads, downloading executable files, and installing third-party apps. It can also open hidden windows to run JavaScript, potentially subscribing users to unwanted paid services. Furthermore, Necro can reroute internet traffic through compromised devices, turning them into part of a proxy botnet for cyber criminals. 
Top-Attacked Industries

The education sector continues to be the most targeted industry in May 2025, followed closely by government and telecommunications sectors. These industries remain prime targets due to their critical infrastructure and large user bases, making them vulnerable to a wide range of cyber attacks.

  1. Education
  2. Government
  3. Telecommunications
Threat Index per country

The global risk index for May 2025 reveals distinct regional hotspots, with certain countries and regions experiencing significantly higher malware activity. The risk index map (darker red indicates higher risk) highlights these areas of concern, demonstrating the main risk areas around the world.

While the education sector remained the top target globally, regional breakdowns offer a more detailed perspective. In Latin America and Eastern Europe, the rise in activity was particularly driven by FakeUpdates and Phorpiex infections, highlighting the continued prevalence of commodity malware in these regions. In Asia, countries such as Nepal, Georgia, and Vietnam reported an increased presence of Remcos and AgentTesla, showing the persistent reliance on phishing-based campaigns targeting sensitive data. In Western Europe, a broader range of malware was observed, with countries like Spain and France facing a surge in Lumma Stealer and Raspberry Robin infections.

These regional variations emphasize the need for tailored defense strategies and threat intelligence. Local vulnerabilities and tactics, including phishing and exploit kits, should guide the development of defensive measures.

Check Point’s Global Threat Impact Index and ThreatCloud Map are powered by Check Point’s Threat Cloud AI intelligence. ThreatCloud provides real-time threat intelligence derived from hundreds of millions of sensors worldwide over networks, endpoints, and mobiles. The intelligence is enriched with AI-based engines and exclusive research data from Check Point Research, the intelligence and research arm of Check Point.

Conclusion

May’s data highlights the continued rise of sophisticated, multi-stage malware campaigns, with SafePay emerging as a prominent ransomware threat. As FakeUpdates maintains its position as the most widespread malware, new actors like SafePay and the ongoing operations against Lumma infostealer illustrate the evolving complexity of cyber attacks. The education sector remains a prime target, further underscoring the need for organizations to adopt proactive, layered security measures to defend against these increasingly sophisticated threats.

Recommendations and Defensive Actions

Given the sophistication of malware campaigns and the continued rise in multi-stage infection chains, organizations must adopt a prevention-first approach. This should include anti-phishing training for employees, regular patching to address vulnerabilities, and robust threat prevention solutions. Check Point Threat Emulation detects and stops unknown threats before they enter the network, while Check Point Harmony Endpoint provides real-time protection against malware, ransomware, and fileless attacks. Together, these solutions offer layered security that aligns with today’s complex threat landscape.

You may also like