Cyber criminals are raising the stakes. This month, researchers uncovered a sophisticated, multi-stage malware campaign delivering some of the most prevalent commodity malware—AgentTesla, Remcos, and XLoader—via stealthy techniques designed to evade detection. Meanwhile, FakeUpdates retains its top spot in the malware rankings, impacting 6% of organizations globally, and the education sector remains the most targeted industry.
Sophisticated Attack Chain Evades Detection
In April, attackers were found using phishing emails posing as order confirmations to launch a complex infection chain. These emails contain a malicious 7-Zip archive with a JScript-encoded (.JSE) file that executes a Base64-encoded PowerShell payload. This, in turn, drops a second-stage executable written in .NET or AutoIt, which then injects the final payload into legitimate Windows processes like RegAsm.exe or RegSvcs.exe.
The malware families used in this campaign—AgentTesla, Remcos, and XLoader—have long been accessible to low-level cyber criminals. But their use in highly obfuscated, layered attacks signals a dangerous convergence of commodity tools with advanced threat actor tactics.
This latest campaign exemplifies the growing complexity of cyber threats. Attackers are layering encoded scripts, legitimate processes, and obscure execution chains to remain undetected. What was once considered low-tier malware is now weaponized in advanced operations.
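As an added, defender-side example that is not part of the original report: a small Python triage script that checks constructed process-creation events for the stages of the chain described above (a script host launching a .JSE file, Base64-encoded PowerShell spawned from that script host, and RegAsm.exe/RegSvcs.exe started by an unexpected parent). The event format, sample values and parent-process allowlist are assumptions.

```python
import base64
import re

# Constructed sample process-creation events (parent image, child image, command
# line) modelled on the chain described above; not real telemetry.
ENCODED = base64.b64encode("Write-Output 'constructed placeholder'".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "wscript.exe",
     "cmdline": r"wscript.exe C:\Users\u\AppData\Local\Temp\order_confirmation.jse"},
    {"parent": "wscript.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand " + ENCODED},
    {"parent": "powershell.exe", "image": "stage2.exe", "cmdline": r"C:\Users\u\AppData\Roaming\stage2.exe"},
    {"parent": "stage2.exe", "image": "RegAsm.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    # Benign look-alikes that must not be flagged.
    {"parent": "explorer.exe", "image": "powershell.exe", "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"parent": "devenv.exe", "image": "RegAsm.exe", "cmdline": "RegAsm.exe MyLib.dll"},
]
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
INJECTION_HOSTS = {"regasm.exe", "regsvcs.exe"}
# Parents that legitimately launch RegAsm/RegSvcs: an assumed allowlist, tune it per environment.
EXPECTED_PARENTS = {"devenv.exe", "msbuild.exe", "msiexec.exe"}
# powershell.exe accepts -EncodedCommand and its documented short forms -ec / -e.
ENC_FLAG = re.compile(r"(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument (base64 over UTF-16LE), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(events):
    """Match each event against a stage of the chain. Returns (stage, image, detail) tuples."""
    findings = []
    for ev in events:
        parent, image, cmd = ev["parent"].lower(), ev["image"].lower(), ev["cmdline"]
        if image in SCRIPT_HOSTS and re.search(r"\.jse\b", cmd, re.I):
            findings.append(("jse-script-host", image, cmd))
        if image == "powershell.exe" and parent in SCRIPT_HOSTS:
            decoded = decode_encoded_command(cmd)
            if decoded is not None:
                findings.append(("encoded-ps-from-script-host", image, decoded))
        if image in INJECTION_HOSTS and parent not in EXPECTED_PARENTS:
            findings.append(("regasm-unexpected-parent", image, parent))
    return findings
```

Each stage alone is noisy; the value is in seeing all three on one host within a short window, which is what an analyst would pivot on.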
Top Malware Families
The arrows indicate changes in rank compared to the previous month.
- ↔ FakeUpdates – FakeUpdates (AKA SocGholish) is a downloader malware that was initially discovered in 2018. It is spread through drive-by downloads on compromised or malicious websites, prompting users to install a fake browser update. FakeUpdates malware is associated with the Russian hacking group Evil Corp and used to deliver various secondary payloads after the initial infection.
- ↔ Remcos – Remcos is a remote access Trojan (RAT) first observed in 2016, often distributed through malicious documents in phishing campaigns. It is designed to bypass Windows security mechanisms, such as UAC, and execute malware with elevated privileges, making it a versatile tool for threat actors.
- ↔ AgentTesla – AgentTesla is an advanced RAT (remote access Trojan) that functions as a keylogger and password stealer. Active since 2014, AgentTesla can monitor and collect the victim’s keyboard input and system clipboard, and can record screenshots and exfiltrate credentials entered for a variety of software installed on the victim’s machine (including Google Chrome, Mozilla Firefox and Microsoft Outlook email client). AgentTesla is openly sold as a legitimate RAT with customers paying $15 – $69 for user licenses.
- ↑ Androxgh0st – AndroxGh0st is a Python-based malware that targets applications using the Laravel PHP framework by scanning for exposed .env files containing sensitive information such as login credentials for services like AWS, Twilio, Office 365, and SendGrid. It operates by utilizing a botnet to identify websites running Laravel and extracting confidential data. Once access is gained, attackers can deploy additional malware, establish backdoor connections, and exploit cloud resources for activities like cryptocurrency mining.
- ↓ AsyncRat – AsyncRAT is a remote access Trojan (RAT) targeting Windows systems, first identified in 2019. It exfiltrates system information to a command-and-control server and executes commands such as downloading plugins, terminating processes, capturing screenshots, and updating itself. Commonly distributed via phishing campaigns, it is used for data theft and system compromise.
- ↔ Formbook – Formbook, first identified in 2016, is an infostealer malware that primarily targets Windows systems. The malware harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute additional payloads. The malware spreads via phishing campaigns, malicious email attachments, and compromised websites, often disguised as legitimate files.
- ↑ Lumma – Lumma Stealer, first detected in August 2022, is a malware-as-a-service (MaaS) information stealer that exfiltrates sensitive data from infected Windows systems, including credentials, cryptocurrency wallets, and browser information. It spreads through phishing campaigns, malicious websites, and social engineering tactics like the ClickFix method, where users are tricked into executing attacker-provided PowerShell commands.
- ↓ Phorpiex – Phorpiex, also known as Trik, is a botnet that has been active since at least 2010, primarily targeting Windows systems. At its peak, Phorpiex controlled more than a million infected hosts. Phorpiex is notorious for distributing other malware families, including ransomware and cryptominers, via spam campaigns, and has been involved in large-scale sextortion campaigns.
- ↑ Amadey – Amadey is a modular botnet that emerged in 2018, primarily targeting Windows systems. It functions as both an infostealer and a malware loader, capable of reconnaissance, data exfiltration, and deploying additional payloads, including banking Trojans and DDoS tools. Amadey is primarily distributed by exploit kits such as RigEK and Fallout EK, and through phishing emails and other malware like SmokeLoader.
- ↑ Raspberry Robin – RaspberryRobin is a worm that first emerged in September 2021. It is primarily spread through infected USB drives and is noted for its sophisticated techniques to evade detection and establish persistence on compromised systems. Once a system is infected, Raspberry Robin can facilitate the download and execution of additional malicious payloads.
Top Ransomware Groups
April also saw the rapid emergence of new ransomware operators, most notably SatanLock. Despite appearing only recently, the group posted 67 victims to its leak site in a matter of weeks. Interestingly, over 65% of these victims had already been listed by other ransomware groups, indicating either shared infrastructure or a deliberate effort to “re-claim” compromised networks. Such behavior highlights the increasingly competitive and chaotic nature of the ransomware ecosystem, where victim double-posting is becoming a common tactic among opportunistic actors.
Data based on insights from ransomware “shame sites” run by double-extortion ransomware groups. Akira is the most prevalent ransomware group this month, responsible for 11% of the published attacks, followed by SatanLock and Qilin with 10% each.
- Akira – Akira Ransomware, first reported in the beginning of 2023, targets both Windows and Linux systems. It uses symmetric encryption with CryptGenRandom() and Chacha 2008 for file encryption and is similar to the leaked Conti v2 ransomware. Akira is distributed through various means, including infected email attachments and exploits in VPN endpoints. Upon infection, it encrypts data and appends a “.akira” extension to file names, then presents a ransom note demanding payment for decryption.
- SatanLock – SatanLock is a new operation with public activity since early April. It has published 67 victims, but as with many other new actors, more than 65% of them had previously been reported by other actors.
- Qilin – Qilin, also referred to as Agenda, is a ransomware-as-a-service criminal operation that collaborates with affiliates to encrypt and exfiltrate data from compromised organizations, subsequently demanding a ransom. This ransomware variant was first detected in July 2022 and is developed in Golang. Agenda is known for targeting large enterprises and high-value organizations, with a particular focus on the healthcare and education sectors. Qilin typically infiltrates victims via phishing emails containing malicious links to establish access to their networks and exfiltrate sensitive information. Once inside, Qilin usually moves laterally through the victim’s infrastructure, seeking critical data to encrypt.
Top Mobile Malware
Mobile malware threats continue to evolve, with Anubis, AhMyth, and Hydra topping the list this month. These Trojans have significantly expanded their capabilities, with Anubis offering full remote access features, ransomware functionality, and the ability to intercept MFA codes via SMS. AhMyth and Hydra also highlight a growing trend: attackers are increasingly embedding malware into legitimate-looking apps, from productivity tools to crypto wallets, which are distributed via unofficial app stores or occasionally even sneak past app store vetting. With the increasing use of smartphones for sensitive transactions and workplace access, mobile malware is no longer a fringe threat—it is central to today’s cyber crime toolkit.
- ↔ Anubis – Anubis is a versatile banking Trojan that originated on Android devices and has evolved to include advanced capabilities such as bypassing multi-factor authentication (MFA) by intercepting SMS-based one-time passwords (OTPs), keylogging, audio recording, and ransomware functions. It is often distributed through malicious apps on the Google Play Store and has become one of the most prevalent mobile malware families. Additionally, Anubis includes remote access Trojan (RAT) features, enabling extensive surveillance and control over infected systems.
- ↑ AhMyth – AhMyth is a remote access Trojan (RAT) targeting Android devices, typically disguised as legitimate apps like screen recorders, games, or cryptocurrency tools. Once installed, it gains extensive permissions to persist after reboot and exfiltrate sensitive information such as banking credentials, cryptocurrency wallet details, multi-factor authentication (MFA) codes, and passwords. AhMyth also enables keylogging, screen capture, camera and microphone access, and SMS interception, making it a versatile tool for data theft and other malicious activities.
- ↑ Hydra – Hydra is a banking Trojan designed to steal banking credentials by prompting victims to grant dangerous permissions and access each time it connects with any banking app.
Top-Attacked Industries
For the third consecutive month, the education sector topped the list of most attacked industries globally. Its consistent presence at the top highlights a worrying trend: schools, universities, and research institutions are being heavily targeted not only because of their broad user bases, but also due to generally weaker cyber security infrastructure and distributed IT environments. Threat actors continue to exploit this complexity to deliver ransomware, steal sensitive data, or launch phishing campaigns. Government and telecommunications sectors followed closely, suggesting that critical infrastructure and public services remain high-value targets for cyber criminals—especially in regions where geopolitical tensions are high or digital transformation is rapidly advancing.
- Education
- Government
- Telecommunications
Threat Index per Country
The map below displays the risk index globally (darker red indicates higher risk), showing the main risk areas around the world.
While the education sector remained the top target globally in April, regional breakdowns offer a more granular perspective. Latin America and Eastern Europe showed heightened malware activity, particularly involving FakeUpdates and Phorpiex. In Asia, countries like Nepal, Georgia, and Vietnam reported increased prevalence of Remcos and AgentTesla, suggesting a continued reliance on phishing-based infostealer campaigns. Meanwhile, in Western Europe, malware diversity increased, with organizations in Spain and France encountering higher instances of Lumma Stealer and Raspberry Robin. This variation underscores the need for region-specific threat intelligence and defense strategies.
Check Point’s Global Threat Impact Index and its ThreatCloud Map are powered by Check Point’s ThreatCloud AI intelligence. ThreatCloud provides real-time threat intelligence derived from hundreds of millions of sensors worldwide across networks, endpoints, and mobile devices. The intelligence is enriched with AI-based engines and exclusive research data from Check Point Research, the intelligence and research arm of Check Point.
Conclusion
April 2025 saw a sharp rise in stealthy, multi-stage attacks leveraging commodity malware like AgentTesla and Remcos within advanced delivery chains. FakeUpdates led global infections, while mobile Trojans such as Anubis and AhMyth expanded their capabilities. Ransomware activity remained high, with Akira dominating and the new group SatanLock quickly gaining traction. The education sector was once again the most targeted industry, followed by government and telecommunications. These trends point to a cyber crime landscape that is increasingly adaptive, persistent, and difficult to detect—demanding proactive, layered security strategies across all attack surfaces.
Recommendations and Defensive Actions
Given the increasing sophistication of malware campaigns and the rise in multi-stage infection chains, organizations should adopt a prevention-first strategy. This includes implementing anti-phishing training for employees, maintaining a strict patching schedule, and leveraging advanced threat prevention solutions. Check Point Threat Emulation detects and stops unknown threats before they enter the network, while Check Point Harmony Endpoint provides real-time protection against malware, ransomware, and fileless attacks. Together, these solutions offer layered security that aligns with today’s complex threat landscape.