Check Point Software’s latest threat index highlights that FakeUpdates continues to pose a significant threat in the cyber landscape, playing a crucial role in facilitating ransomware attacks. A recent investigation by security researchers revealed that an affiliate of RansomHub used a Python-based backdoor to maintain persistent access and deploy ransomware across various networks. Installed shortly after FakeUpdates gained initial access, this backdoor demonstrated advanced obfuscation techniques along with AI-assisted coding patterns. The attack involved lateral movement over Remote Desktop Protocol (RDP) and established ongoing access by creating scheduled tasks.
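As an added example (not Check Point’s code or incident data), the following Python flags scheduled tasks whose action launches a Python interpreter or script from a user-writable directory, which is the persistence pattern described above. The task XML samples mirror the TaskContent carried by Windows Security event 4698 but are constructed, and the task names and paths are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples of 4698 (scheduled task created) TaskContent XML.
# Names and paths are hypothetical, not indicators from the report.
SAMPLE_TASKS = {
    "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag": """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>%windir%\\system32\\defrag.exe</Command>
  <Arguments>-c -h -o</Arguments></Exec></Actions></Task>""",
    "\\UpdaterCheck": """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>C:\\Users\\Public\\py\\pythonw.exe</Command>
  <Arguments>C:\\Users\\Public\\py\\svc.py</Arguments></Exec></Actions></Task>""",
    "\\OneDriveSync": """<Task>
  <Actions><Exec><Command>cmd.exe</Command>
  <Arguments>/c powershell -w hidden -c "python C:\\ProgramData\\u.py"</Arguments></Exec></Actions></Task>""",
}

# Directories a standard user can write to; a system task should not run from them.
USER_WRITABLE = re.compile(r"(?i)(\\Users\\|\\ProgramData\\|\\Temp\\|\\AppData\\)")
# A Python interpreter (python/pythonw, with or without .exe) or a .py script.
PYTHON_RE = re.compile(r"(?i)\bpython(w)?(\.exe)?\b|\.py\b")


def _local(tag: str) -> str:
    """Strip the XML namespace so the task schema namespace does not matter."""
    return tag.rsplit("}", 1)[-1]


def task_actions(task_xml: str):
    """Yield (command, arguments) for every Exec action in a TaskContent document."""
    root = ET.fromstring(task_xml)
    for el in root.iter():
        if _local(el.tag) != "Exec":
            continue
        parts = {_local(c.tag): (c.text or "").strip() for c in el}
        yield parts.get("Command", ""), parts.get("Arguments", "")


def suspicious_python_task(task_xml: str) -> bool:
    """True when any action runs Python, or a .py file, from a user-writable path."""
    for cmd, args in task_actions(task_xml):
        line = f"{cmd} {args}"
        if PYTHON_RE.search(line) and USER_WRITABLE.search(line):
            return True
    return False


def flag_tasks(tasks: dict) -> list:
    """Return the names of scheduled tasks matching the persistence pattern."""
    return [name for name, xml in tasks.items() if suspicious_python_task(xml)]


if __name__ == "__main__":
    for name in flag_tasks(SAMPLE_TASKS):
        print("review scheduled task:", name)
```

In practice the TaskContent string comes from the EventData of each 4698 record exported from the Security log; the check is deliberately narrow and should be tuned against known-good Python automation in the environment.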

These techniques highlight a growing reality: cyber criminals are evolving their methods and enhancing their capabilities through AI. Organizations need to move beyond traditional defenses and adopt proactive, adaptive security measures that anticipate emerging threats. This approach will allow them to tackle these ongoing challenges effectively.

Top Malware Families

*The arrows relate to the change in rank compared to the previous month.

FakeUpdates, the most prevalent malware, impacted 4% of worldwide organizations, followed by Formbook with 3% and Remcos with 3%.

  1. ↔ FakeUpdates – FakeUpdates (also known as SocGholish) is downloader malware first discovered in 2018. It is spread through drive-by downloads on compromised or malicious websites, prompting users to install a fake browser update. FakeUpdates is associated with the Russian hacking group Evil Corp and is used to deliver secondary payloads after the initial infection.
  2. ↑ Formbook – Formbook, first identified in 2016, is an infostealer that primarily targets Windows systems. The malware harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute additional payloads. It spreads via phishing campaigns, malicious email attachments, and compromised websites, often disguised as legitimate files.
  3. ↑ Remcos – Remcos is a remote access Trojan (RAT) first observed in 2016. It is often distributed through malicious documents in phishing campaigns. It is designed to bypass Windows security mechanisms, such as UAC, and execute malware with elevated privileges, making it a versatile tool for threat actors.
  4. ↓ AndroxGh0st – AndroxGh0st is Python-based malware that targets applications using the Laravel PHP framework by scanning for exposed .env files containing sensitive information, such as login credentials for services like AWS, Twilio, Office 365, and SendGrid. It operates a botnet to identify websites running Laravel and extract confidential data. Once access is gained, attackers can deploy additional malware, establish backdoor connections, and exploit cloud resources for activities like cryptocurrency mining.
  5. ↔ AsyncRAT – AsyncRAT is a remote access Trojan (RAT) targeting Windows systems, first identified in 2019. It exfiltrates system information to a command-and-control server and executes commands such as downloading plugins, terminating processes, capturing screenshots, and updating itself. Commonly distributed via phishing campaigns, it is used for data theft and system compromise.
  6. ↑ SnakeKeylogger – Snake is a modular .NET keylogger and credential stealer first spotted in late November 2020. Its primary functionality is to record users’ keystrokes and transmit the collected data to threat actors. Snake infections pose a major threat to users’ privacy and online safety, as the malware can steal all kinds of sensitive information and is particularly evasive and persistent.
  7. ↑ Phorpiex – Phorpiex, also known as Trik, is a botnet that has been active since at least 2010, primarily targeting Windows systems. At its peak, Phorpiex controlled more than a million infected hosts. It is notorious for distributing other malware families, including ransomware and crypto miners, via spam campaigns, and has been involved in large-scale sextortion campaigns.
  8. ↓ Rilide – Rilide is a malicious browser extension targeting Chromium-based browsers like Chrome, Edge, Brave, and Opera. Disguised as a legitimate Google Drive extension, it enables threat actors to monitor browsing history, take screenshots, and inject malicious scripts to withdraw funds from cryptocurrency exchanges. Notably, Rilide can simulate dialogs to trick users into disclosing two-factor authentication (2FA) details, facilitating unauthorized cryptocurrency transactions. Its distribution methods include malicious Microsoft Publisher files and deceptive Google Ads promoting fake software installers.
  9. ↑ Amadey – Amadey is a modular botnet that emerged in 2018, primarily targeting Windows systems. It functions as both an infostealer and a malware loader, capable of reconnaissance, data exfiltration, and deploying additional payloads, including banking Trojans and DDoS tools. Amadey is primarily distributed by exploit kits such as RigEK and Fallout EK, as well as through phishing emails and other malware such as SmokeLoader.
  10. ↓ AgentTesla – AgentTesla is an advanced remote access Trojan (RAT) that functions as a keylogger and password stealer. Active since 2014, AgentTesla can monitor and collect the victim’s keyboard input and system clipboard, record screenshots, and exfiltrate credentials entered into a variety of software installed on the victim’s machine (including Google Chrome, Mozilla Firefox, and the Microsoft Outlook email client). AgentTesla is openly sold as a legitimate RAT, with customers paying $15 – $69 for user licenses.

Top Mobile Malware

This month, Anubis is the most prevalent mobile malware, followed by AhMyth and Necro.

  1. ↔ Anubis – Anubis is a versatile banking Trojan that originated on Android devices and has evolved to include advanced capabilities such as bypassing multi-factor authentication (MFA) by intercepting SMS-based one-time passwords (OTPs), keylogging, audio recording, and ransomware functions. It is often distributed through malicious apps on the Google Play Store and has become one of the most prevalent mobile malware families. Additionally, Anubis includes remote access Trojan (RAT) features, enabling extensive surveillance and control over infected systems.
  2. ↑ AhMyth – AhMyth is a remote access Trojan (RAT) targeting Android devices, typically disguised as legitimate apps like screen recorders, games, or cryptocurrency tools. Once installed, it gains extensive permissions to persist after reboot and exfiltrate sensitive information such as banking credentials, cryptocurrency wallet details, multi-factor authentication (MFA) codes, and passwords. AhMyth also enables keylogging, screen capture, camera and microphone access, and SMS interception, making it a versatile tool for data theft and other malicious activities.
  3. ↓ Necro – Necro is a malicious Android downloader that retrieves and executes harmful components on infected devices based on commands from its operators. It has been discovered in several popular apps on Google Play and in modified versions of apps such as Spotify, WhatsApp, and Minecraft distributed on unofficial platforms. Necro can download dangerous modules to smartphones, enabling actions such as displaying and clicking on invisible ads, downloading executable files, and installing third-party apps. It can also open hidden windows to run JavaScript, potentially subscribing users to unwanted paid services. Furthermore, Necro can reroute internet traffic through compromised devices, turning them into part of a proxy botnet for cyber criminals.

Top Attacked Industries Globally

This month, education is the most attacked industry globally, followed by government and telecommunications.

  1. Education
  2. Government
  3. Telecommunications

Top Ransomware Groups

The data is based on insights from ransomware “shame sites” run by double-extortion ransomware groups that posted victim information. This month, Clop is the most prevalent ransomware group, responsible for 10% of the published attacks, followed by FunkSec with 8% and RansomHub with 7%.

  1. Clop – Clop is a ransomware strain, active since 2019, that targets industries worldwide, including healthcare, finance, and manufacturing. Derived from CryptoMix, Clop encrypts victims’ files using the .clop extension and employs “double extortion,” threatening to leak stolen data unless a ransom is paid. Operated as a ransomware-as-a-service (RaaS) model, Clop exploits vulnerabilities, phishing, and other methods to infiltrate systems, turns off security defenses like Windows Defender, and has been linked to high-profile attacks, such as exploiting the MOVEit file transfer software vulnerability in 2023.
  2. FunkSec – FunkSec is an emerging ransomware group that first surfaced in December 2024. Their data leak site (DLS) blends reports of ransomware incidents with data breaches, resulting in an unusually high reported victim count. However, the accuracy of these reports remains unverified, and their victim list includes numerous duplicates from other threat actor publications.
  3. RansomHub – RansomHub is a ransomware-as-a-service (RaaS) operation that emerged as a rebranded version of the previously known Knight ransomware. Surfacing prominently in early 2024 in underground cyber crime forums, RansomHub has quickly gained notoriety for its aggressive campaigns targeting various systems, including Windows, macOS, Linux, and VMware ESXi environments. This malware is known for employing sophisticated encryption methods.

*This month, we observed the emergence of a new group, Babuk Bjorka, which launched a data leak site (DLS). The group has listed multiple victims; however, the reliability of these listings is questionable. Due to concerns about credibility, we are excluding this group from our list for now. We will continue monitoring and provide updates if we can verify its activity.

Threat Index by Country

The map below displays the risk index globally (darker red indicates higher risk), showing the main risk areas worldwide.

Conclusion

The cyber threat landscape remains complex and dynamic, with malware like FakeUpdates continuing to pose significant challenges to organizations worldwide. The persistence and sophistication of such threats underline the need for robust cyber security measures and continuous vigilance. As attackers evolve their techniques, leveraging advanced obfuscation, AI-assisted coding, and exploitative strategies, it is essential for businesses and individuals to prioritize cyber hygiene, education, and the implementation of comprehensive security protocols. By understanding the current trends in malware and staying informed about emerging threats, organizations can better protect their assets and mitigate risks in an ever-evolving digital environment.