Check Point’s latest threat index highlights a new campaign involving AsyncRAT, a remote access trojan that has targeted Windows systems since 2019. The fourth most prevalent malware of the month, AsyncRAT enables data theft, command execution, and system compromise. The latest attacks utilized TryCloudflare tunnels and malicious Python packages, starting with phishing emails that contained Dropbox URLs. This led to a multi-step infection chain involving LNK, JavaScript, and BAT files, culminating in the deployment of an obfuscated AsyncRAT payload. This campaign reflects a growing trend of abusing legitimate platforms like Dropbox and TryCloudflare to evade detection and establish persistence.
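One way to turn the staged chain described above into detection logic, as an added example (not Check Point's code and not the campaign's actual artefacts): it walks constructed process-creation and network telemetry for a Windows script host running a .js file that spawns cmd.exe running a .bat, and raises the severity when a process in that same lineage connects to a *.trycloudflare.com host. The file names, pids, the tunnel host name and the .trycloudflare.com suffix are assumptions, and the initial LNK double-click is not modelled.

```python
import re

# Constructed sample endpoint telemetry (not real captures): process events as
# (pid, parent pid, image, command line), network events as (pid, destination host).
PROCESS_EVENTS = [
    (100, 1, "explorer.exe", "explorer.exe"),
    (200, 100, "wscript.exe", r'wscript.exe "C:\Users\u\Downloads\Invoice.js"'),
    (300, 200, "cmd.exe", r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\stage.bat"'),
    (400, 300, "python.exe", r"python.exe C:\Users\u\AppData\Local\Temp\loader.py"),
    (500, 100, "cmd.exe", r'cmd.exe /c "C:\Tools\backup.bat"'),  # benign admin script
]
NETWORK_EVENTS = [(400, "quiet-fox-example.trycloudflare.com"), (500, "files.corp.example")]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TUNNEL_RE = re.compile(r"\.trycloudflare\.com$", re.IGNORECASE)  # assumed tunnel host suffix

def lineage(pid, by_pid):
    """Return (image, cmdline) for the process and each recorded ancestor, child first."""
    chain = []
    while pid in by_pid:
        ppid, image, cmd = by_pid[pid]
        chain.append((image.lower(), cmd.lower()))
        pid = ppid
    return chain

def stages_in(chain):
    """Name the stages of the described chain that appear in one process lineage."""
    found = set()
    for image, cmd in chain:
        if image in SCRIPT_HOSTS and re.search(r"\.js\b", cmd):
            found.add("js")   # JavaScript stage run by a Windows script host
        if image == "cmd.exe" and re.search(r"\.bat\b", cmd):
            found.add("bat")  # batch stage
    return found

def find_staging_chains(process_events, network_events):
    """Flag pids whose ancestry shows JS -> BAT staging; a TryCloudflare connection raises severity."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in process_events}
    hosts = dict(network_events)
    findings = {}
    for pid in by_pid:
        stages = stages_in(lineage(pid, by_pid))
        if not {"js", "bat"} <= stages:
            continue
        host = hosts.get(pid, "")
        if TUNNEL_RE.search(host):
            stages.add("tunnel")
        findings[pid] = {"severity": "high" if "tunnel" in stages else "medium",
                         "stages": sorted(stages), "host": host}
    return findings
```

The benign backup.bat launched directly from explorer.exe is not flagged because no script host sits above it in the lineage.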
The Increasing Threat of Ransomware
February was particularly successful for the Clop ransomware group, one of the most active organizations in the ransomware space. During the month, they published a list of dozens of victims from various sectors on their website, including manufacturing, transportation, IT, and technical services, with several major companies among those affected. The group has remained highly active, focusing on exploiting the CLEO vulnerability as part of their strategy of taking advantage of zero-day flaws in file-sharing software. This approach allows them to conduct large-scale data exfiltration and extortion. Clop’s operations primarily revolve around significant data extortion following successful breaches. Notably, the group first gained widespread attention two years ago for its massive MOVEit attack, which impacted over 2,600 organizations and nearly 90 million individuals.
Top Malware Families
*The arrows relate to the change in rank compared to January.
FakeUpdates was the most prevalent malware in February, closely followed by Androxgh0st and Remcos, each impacting 3% of organizations worldwide.
- ↔ FakeUpdates – FakeUpdates, also known as SocGholish, is a type of downloader malware first identified in 2018. It is primarily distributed through drive-by downloads on compromised or malicious websites, encouraging users to install a fake browser update. This malware is linked to the Russian hacking group Evil Corp and is often used to deliver secondary payloads following the initial infection.
- ↑ Androxgh0st – AndroxGh0st is a Python-based malware targeting applications built on the Laravel PHP framework. It scans for exposed .env files, often containing sensitive information such as login credentials for services like AWS, Twilio, Office 365, and SendGrid. The malware operates through a botnet that identifies websites running Laravel and extracts confidential data. Once the attackers gain access, they can deploy additional malware, establish backdoor connections, and exploit cloud resources for activities such as cryptocurrency mining.
- ↔ Remcos – Remcos is a remote access trojan (RAT) first identified in 2016. It is commonly distributed through malicious documents in phishing campaigns. This RAT is designed to bypass Windows security features, such as user account control (UAC), allowing it to execute malware with elevated privileges. As a result, it serves as a versatile tool for cyber criminals.
- ↑ AsyncRAT – AsyncRAT is a remote access trojan (RAT) that targets Windows systems and was first identified in 2019. It exfiltrates system information to a command-and-control server and can execute various commands, such as downloading plugins, terminating processes, capturing screenshots, and updating itself. Typically distributed through phishing campaigns, AsyncRAT is utilized for data theft and system compromise.
- ↑ AgentTesla – AgentTesla is an advanced RAT (remote access trojan) that functions as a keylogger and password stealer. Active since 2014, AgentTesla can monitor and collect the victim’s keyboard input and system clipboard, record screenshots, and exfiltrate credentials entered for a variety of software installed on the victim’s machine (including Google Chrome, Mozilla Firefox, and the Microsoft Outlook email client). AgentTesla is openly sold as a legitimate RAT, with customers paying $15 – $69 for user licenses.
- ↓ Formbook – Formbook, first identified in 2016, is an infostealer malware that primarily targets Windows systems. The malware harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute additional payloads. The malware spreads via phishing campaigns, malicious email attachments, and compromised websites, often disguised as legitimate files.
- ↑ Rilide – Rilide is a malicious browser extension targeting Chromium-based browsers like Chrome, Edge, Brave, and Opera. Disguised as a legitimate Google Drive extension, it enables threat actors to monitor browsing history, take screenshots, and inject malicious scripts to withdraw funds from cryptocurrency exchanges. Notably, Rilide can simulate dialogs to trick users into disclosing two-factor authentication (2FA) details, facilitating unauthorized cryptocurrency transactions. Its distribution methods include malicious Microsoft Publisher files and deceptive Google Ads promoting fake software installers.
- ↓ Phorpiex – Phorpiex, also known as Trik, is a botnet active since at least 2010, primarily targeting Windows systems. At its peak, Phorpiex controlled more than a million infected hosts. Phorpiex is notorious for distributing other malware families, including ransomware and crypto miners, via spam campaigns and has been involved in large-scale sextortion campaigns.
- ↔ Amadey – Amadey is a modular botnet that emerged in 2018, primarily targeting Windows systems. It functions as both an infostealer and a malware loader, capable of reconnaissance, data exfiltration, and deploying additional payloads, including banking trojans and distributed denial-of-service (DDoS) tools. Amadey is primarily distributed by exploit kits such as RigEK and Fallout EK, as well as through phishing emails and other malware like SmokeLoader.
- ↑ Mirai – Mirai is a malware strain that transforms networked devices running Linux, particularly Internet of Things (IoT) devices like IP cameras and home routers, into remotely controlled bots forming a botnet. First identified in August 2016, Mirai gained notoriety for orchestrating some of the largest DDoS attacks recorded, including those against the website of security journalist Brian Krebs and the DNS provider Dyn. The malware propagates by scanning the internet for IoT devices still configured with default factory login credentials, exploiting these to gain control. Numerous variants have emerged after the public release of its source code in October 2016.
Top Mobile Malware
This past month, Anubis was in first place for the most prevalent mobile malware, followed by Necro and AhMyth.
- ↔ Anubis – Anubis is a versatile banking trojan that originated on Android devices and has evolved to include advanced capabilities such as bypassing multi-factor authentication (MFA) by intercepting SMS-based one-time passwords (OTPs), keylogging, audio recording, and ransomware functions. It is often distributed through malicious apps on the Google Play Store and has become one of the most prevalent mobile malware families. Additionally, Anubis includes remote access trojan (RAT) features, enabling extensive surveillance and control over infected systems.
- ↑ Necro – Necro is a malicious Android downloader that retrieves and executes harmful components on infected devices based on commands from its creators. It has been discovered in several popular apps on Google Play and in modified versions of popular apps such as Spotify, WhatsApp, and Minecraft distributed on unofficial platforms. Necro can download dangerous modules to smartphones, enabling actions such as displaying and clicking on invisible ads, downloading executable files, and installing third-party apps. It can also open hidden windows to run JavaScript, potentially subscribing users to unwanted paid services. Furthermore, Necro can reroute internet traffic through compromised devices, turning them into part of a proxy botnet for cyber criminals.
- ↓ AhMyth – AhMyth is a remote access trojan (RAT) targeting Android devices, typically disguised as legitimate apps like screen recorders, games, or cryptocurrency tools. Once installed, it gains extensive permissions to persist after reboot and exfiltrate sensitive information such as banking credentials, cryptocurrency wallet details, multi-factor authentication (MFA) codes, and passwords. AhMyth also enables keylogging, screen capture, camera and microphone access, and SMS interception, making it a versatile tool for data theft and other malicious activities.
Top-Attacked Industries Globally
In February, education was the most attacked industry globally, followed by telecommunications and government.
- Education
- Telecommunications
- Government
Top Ransomware Groups
The data is based on insights from ransomware “shame sites” run by double-extortion ransomware groups that posted victim information. In February, Clop was the most prevalent ransomware group, responsible for 35% of the published attacks, followed by RansomHub with 11% and Akira with 6%.
- Clop – Clop is a ransomware strain, active since 2019, that targets industries worldwide, including healthcare, finance, and manufacturing. Derived from CryptoMix, Clop encrypts victims’ files using the .clop extension and employs “double extortion,” threatening to leak stolen data unless a ransom is paid. Operated as a ransomware-as-a-service (RaaS) model, Clop exploits vulnerabilities, phishing, and other methods to infiltrate systems, turns off security defenses like Windows Defender, and has been linked to high-profile attacks, such as exploiting the MOVEit file transfer software vulnerability in 2023.
- RansomHub – RansomHub is a RaaS operation that emerged as a rebranded version of the previously known Knight ransomware. Surfacing prominently in early 2024 in underground cybercrime forums, RansomHub has quickly gained notoriety for its aggressive campaigns targeting various systems, including Windows, macOS, Linux, and VMware ESXi environments. This malware is known for employing sophisticated encryption methods.
- Akira – Akira Ransomware, first reported at the beginning of 2023, targets Windows and Linux systems. It uses symmetric encryption with CryptGenRandom() and Chacha 2008 for file encryption, similar to the leaked Conti v2 ransomware. Akira is distributed through various means, including infected email attachments and exploits in VPN endpoints. Upon infection, it encrypts data and appends a “.akira” extension to file names, then presents a ransom note demanding payment for decryption.
Threat Index Per Country
The map below displays the global risk index (darker red indicates higher risk), demonstrating the main risk areas worldwide.
Check Point’s Global Threat Impact Index and its ThreatCloud Map are powered by Check Point’s ThreatCloud AI intelligence. ThreatCloud provides real-time threat intelligence derived from hundreds of millions of sensors worldwide across networks, endpoints, and mobile devices. The intelligence is enriched with AI-based engines and exclusive research data from Check Point Research, the intelligence and research arm of Check Point.
Conclusion
Check Point’s Threat Emulation and Harmony Endpoint offer robust protection against a wide range of attack methods, file types, and operating systems, including the malware families and attack types discussed in this blog. Threat Emulation analyzes files to detect malicious activity before it can infiltrate a user’s network, effectively revealing unknown threats and zero-day vulnerabilities. When used alongside Harmony Endpoint, which conducts real-time file analysis, Threat Emulation evaluates each file, allowing users to quickly access a secure version while the original file undergoes a thorough examination. This proactive approach not only enhances security by providing rapid access to safe content but also systematically identifies and addresses potential threats, thereby preserving the network’s integrity.