FunkSec: The Rising Yet Controversial Ransomware Threat Actor Dominating December 2024
As 2024 ended, a new name surged to the top of the cyber threat charts: FunkSec. Emerging as a leading ransomware-as-a-service (RaaS) actor, FunkSec made waves in December by publishing over 85 victim profiles on its Data Leak Site (DLS). However, beneath its apparent dominance lies a more complex and controversial story, as uncovered in Check Point Research’s (CPR) Global Threat Index for December 2024.
FunkSec’s rapid ascent highlights the evolving tactics of RaaS operators. Utilizing artificial intelligence to scale operations, the group appears to rely heavily on AI-powered tools to generate ransomware and manage its double-extortion campaigns. While this innovative approach points to their adaptability, CPR’s analysis suggests a lack of sophistication. Many of FunkSec’s published claims have been flagged as recycled, forged, or unverified, raising questions about the group’s credibility and execution capabilities.
CPR’s investigation links FunkSec’s activities to Algeria, suggesting a blend of financial motives and hacktivist ideologies. This dual motivation sets FunkSec apart from more established ransomware groups, as they straddle the line between political disruption and profit-driven cyber crime.
Top Malware Families in December 2024
While FunkSec dominated the ransomware landscape, December’s malware rankings revealed the continuing evolution of threats targeting organizations worldwide. Here are the top three malware families. FakeUpdates (SocGholish) reclaimed its position as the most widespread malware, impacting 5% of organizations worldwide, followed by AgentTesla (3%) and Androxgh0st (3%). These malware variants employ tactics ranging from credential theft to cross-platform botnet exploits.
*The arrows relate to the change in rank compared to the previous month.
- ↑ FakeUpdates – FakeUpdates (AKA SocGholish) is a downloader written in JavaScript. It writes the payloads to disk prior to launching them. FakeUpdates has led to further compromise via many additional malware families.
- ↑ AgentTesla – AgentTesla is an advanced RAT functioning as a keylogger and information stealer. It is capable of monitoring and collecting the victim’s keyboard input and system clipboard, taking screenshots, and exfiltrating credentials from a variety of software installed on the victim’s machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client).
- ↓ Androxgh0st – Androxgh0st is a botnet that targets Windows, Mac, and Linux platforms. For initial infection, Androxgh0st exploits multiple vulnerabilities, specifically targeting PHPUnit, the Laravel Framework, and the Apache Web Server. The malware steals sensitive information such as Twilio account information, SMTP credentials, AWS keys, etc. It uses Laravel files to collect the required information. It has different variants which scan for different information.
- ↑ Remcos – Remcos is a RAT that first appeared in the wild in 2016. Remcos distributes itself through malicious Microsoft Office documents attached to spam emails, and is designed to bypass Microsoft Windows UAC security and execute malware with high-level privileges.
- ↑ AsyncRat – AsyncRat is a Trojan that targets the Windows platform. This malware sends system information about the targeted system to a remote server. It receives commands from the server to download and execute plugins, kill processes, uninstall/update itself, and capture screenshots of the infected system.
- ↑ NJRat – NJRat is a remote access Trojan, targeting mainly government agencies and organizations in the Middle East. The Trojan first emerged in 2012 and has multiple capabilities: capturing keystrokes, accessing the victim’s camera, stealing credentials stored in browsers, uploading and downloading files, performing process and file manipulations, and viewing the victim’s desktop. NJRat infects victims via phishing attacks and drive-by downloads, and propagates through infected USB keys or networked drives, with the support of Command & Control server software.
- ↑ Rilide – A malicious browser extension that targets Chromium-based browsers, mimicking legitimate software to infiltrate systems. It exploits browser functionalities to execute harmful activities like monitoring web browsing, capturing screenshots, and injecting scripts to steal cryptocurrency. Rilide operates by downloading other malware, recording user activities, and can even manipulate web content to deceive users into unauthorized actions.
- ↔ Phorpiex – Phorpiex is a botnet (aka Trik) that has been active since 2010 and at its peak controlled more than a million infected hosts. It is known for distributing other malware families via spam campaigns as well as fueling large-scale spam and sextortion campaigns.
- ↓ Formbook – Formbook is an Infostealer targeting the Windows OS and was first detected in 2016. It is marketed as Malware as a Service (MaaS) in underground hacking forums for its strong evasion techniques and relatively low price. FormBook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to orders from its C&C.
- ↑ Amadey – Amadey is a Trojan bot first discovered in October of 2018. A majority of its use is for collecting information about a victim’s environment, although it is also capable of delivering other malware. Amadey is primarily spread by exploit kits such as RigEK and Fallout EK.
Top Mobile Malwares
Mobile threats also remained prominent, with Anubis, a banking trojan, taking the top spot for December. Known for its remote access and ransomware capabilities, Anubis was followed by Necro, a trojan dropper, and Hydra, a malware targeting banking credentials.
- ↑ Anubis – Anubis is a banking Trojan malware designed for Android mobile phones. Since it was initially detected, it has gained additional functions including Remote Access Trojan (RAT) functionality, keylogger, audio recording capabilities and various ransomware features. It has been detected on hundreds of different applications available in the Google Store.
- ↑ Necro – Necro is an Android Trojan Dropper. It is capable of downloading other malware, showing intrusive ads and stealing money by charging paid subscriptions.
- ↑ Hydra – Hydra is a banking Trojan designed to steal banking credentials by requesting victims to enable dangerous permissions and access each time they enter any banking app.
Top-Attacked Industries Globally
For the fifth consecutive month, Education/Research ranked as the most attacked industry globally, followed by Communications and Government/Military sectors. These trends underline the persistent vulnerabilities in sectors that rely heavily on interconnected systems and sensitive data.
- Education/Research
- Communications
- Government/Military
Top Ransomware Groups
Data from ransomware “shame sites” placed FunkSec as December’s most active ransomware group, responsible for 14% of all posted attacks. It was followed by RansomHub and LeakedData, with 9% each.
- FunkSec – FunkSec is an emerging ransomware group that first appeared in December 2024, known for using double extortion tactics. Some reports suggest it started its operations in September 2024. Notably, its DLS (Data Leak Site) combines reports of ransomware incidents with those of data breaches, contributing to an unusually high reported victim count.
- RansomHub – RansomHub is a Ransomware-as-a-Service (RaaS) operation that emerged as a rebranded version of the previously known Knight ransomware. Surfacing prominently in early 2024 in underground cyber crime forums, RansomHub has quickly gained notoriety for its aggressive campaigns targeting various systems including Windows, macOS, Linux, and particularly VMware ESXi environments. This malware is known for employing sophisticated encryption methods.
- LeakedData – LeakedData is a newly identified entity operating a clear web data leak site (DLS). The site lists alleged victims’ data and features countdowns for future releases. Despite presenting itself as an extortion group, the site lacks communication channels, leaving the entity’s actual nature, claimed victims, and intentions unclear.
Threat Index per country
The map below displays the risk index globally (darker red indicates higher risk), demonstrating the main risk areas around the world.
Conclusion
The December 2024 threat landscape underscores the rapidly evolving tactics of cyber criminals, with FunkSec’s rise illustrating the increasing adoption of AI-driven operations in ransomware. While its controversial methods raise questions about credibility, FunkSec’s activity serves as a reminder that even emerging groups can pose significant risks. Coupled with the dominance of malware like FakeUpdates and AgentTesla, the persistence of mobile threats, and vulnerabilities impacting critical industries, the data highlights the need for robust, proactive cyber security measures.
Organizations must adapt quickly, leveraging advanced technologies, real-time threat intelligence, and comprehensive defense strategies to counteract these threats. As we move into 2025, staying informed about the latest trends will be essential for mitigating risks and securing the digital future.