
Check Point researchers have released a comprehensive cybersecurity threat index, highlighting key trends shaping the digital security landscape. According to the report, FakeUpdates remains the most prevalent malware, playing a pivotal role in ransomware attacks and impacting 4% of organizations globally. It is followed closely by Formbook and Remcos, each infiltrating 3% of enterprises worldwide.
The report also notes that cybercriminals are increasingly using artificial intelligence and layered obfuscation to hide malicious activity on compromised systems. A recent intrusion attributed to the RansomHub group illustrates the pattern: a Python-based backdoor was deployed immediately after the initial FakeUpdates infection. The backdoor gave the attackers persistent access, let them move laterally across the network over RDP, and was kept alive through scheduled tasks so that their foothold survived reboots and cleanup attempts.
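The two post-infection steps described above (an RDP logon onto a host, followed by a scheduled task that keeps a script interpreter running) both leave Windows Security events behind: 4624 with logon type 10 for the RDP session and 4698 for the task creation. The following is an added example, not code from Check Point or from the RansomHub analysis, that correlates the two on a handful of constructed sample events; the field names are an assumed SIEM-export shape, not a vendor schema.

```python
"""Added example (not from the Check Point report): correlate RDP logons
(Security event 4624, LogonType 10) with scheduled-task creation (event 4698)
on the same host within a short window, and flag tasks that launch script
interpreters or point into user-writable paths.  The events below are
constructed sample records; the field names are assumptions."""
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"time": "2025-02-10T09:01:12", "host": "WS-0042", "event_id": 4624,
     "logon_type": 10, "user": "j.doe", "src_ip": "10.20.0.15"},
    {"time": "2025-02-10T09:04:40", "host": "WS-0042", "event_id": 4698,
     "user": "j.doe", "task_name": "\\Microsoft\\Windows\\Updater",
     "command": "C:\\Users\\Public\\python\\python.exe",
     "arguments": "C:\\Users\\Public\\python\\svc.py"},
    {"time": "2025-02-10T11:30:00", "host": "SRV-DB01", "event_id": 4624,
     "logon_type": 10, "user": "admin", "src_ip": "10.20.0.15"},
    {"time": "2025-02-10T18:02:00", "host": "SRV-DB01", "event_id": 4698,
     "user": "admin", "task_name": "\\Backup\\Nightly",
     "command": "C:\\Program Files\\Backup\\backup.exe", "arguments": ""},
    {"time": "2025-02-10T12:00:00", "host": "WS-0099", "event_id": 4624,
     "logon_type": 2, "user": "a.smith", "src_ip": "-"},
]

# Interpreters and script hosts that rarely belong in a legitimate new task.
SUSPICIOUS_COMMANDS = ("python", "pythonw", "powershell", "wscript", "cscript", "mshta")

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def is_suspicious_task(event):
    """Heuristic: the task runs a script interpreter, or its command or
    arguments point into a user-writable location."""
    cmd = (event.get("command") or "").lower()
    args = (event.get("arguments") or "").lower()
    base = cmd.rsplit("\\", 1)[-1].replace(".exe", "")
    user_writable = any(p in cmd + " " + args
                        for p in ("\\users\\", "\\temp\\", "\\programdata\\"))
    return base in SUSPICIOUS_COMMANDS or user_writable

def correlate(events, window=timedelta(minutes=30)):
    """Return one alert per 4698 that follows an RDP logon (4624/type 10)
    on the same host within `window`, annotated with the task heuristic."""
    rdp_logons = [e for e in events
                  if e["event_id"] == 4624 and e.get("logon_type") == 10]
    alerts = []
    for task in (e for e in events if e["event_id"] == 4698):
        t_task = parse_time(task["time"])
        for logon in rdp_logons:
            t_logon = parse_time(logon["time"])
            if logon["host"] == task["host"] and timedelta(0) <= t_task - t_logon <= window:
                alerts.append({
                    "host": task["host"],
                    "user": task["user"],
                    "rdp_src": logon["src_ip"],
                    "task": task["task_name"],
                    "command": task["command"],
                    "suspicious_command": is_suspicious_task(task),
                    "delay_s": int((t_task - t_logon).total_seconds()),
                })
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

On the sample data only WS-0042 fires: an RDP logon followed three and a half minutes later by a task that runs python.exe out of C:\Users\Public. The nightly backup task on SRV-DB01 is created hours after the RDP session and points at Program Files, so it stays quiet. The 30-minute window and the path heuristics are tuning knobs, not thresholds from the report.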
The ranking of the most prolific malware families is led by:
- FakeUpdates (SocGholish) – A JavaScript-based loader served as a fake browser update on compromised websites. It is actively used by Evil Corp to deploy secondary payloads, including ransomware.
- Formbook – An infostealer designed to extract browser-stored credentials, capture screenshots, and log keystrokes. It spreads through phishing emails and infected websites.
- Remcos – A remote access trojan (RAT) capable of bypassing Windows User Account Control (UAC) to run its payloads with elevated privileges.
- AndroxGh0st – A Python-based malware targeting applications built on the Laravel PHP framework; it scans for exposed .env files containing credentials for cloud services.
- AsyncRAT – A powerful RAT granting attackers full control over an infected system while enabling data exfiltration.
- SnakeKeylogger – A keylogging malware designed to steal user credentials by capturing keystrokes.
- Phorpiex – A botnet notorious for spam distribution, ransomware propagation, and large-scale fraudulent campaigns.
- Rilide – A malicious Chrome and Edge browser extension that exfiltrates user data and intercepts two-factor authentication codes.
- Amadey – A botnet functioning as a loader for additional malware, including banking trojans.
- AgentTesla – A sophisticated RAT that harvests browser credentials and conducts user surveillance.
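The AndroxGh0st entry above describes scanning for .env files, which on a Laravel deployment sit one directory above the web root and hold database, mail and cloud credentials; the scanning shows up in web-server access logs as repeated requests for paths ending in .env. The following is an added example, not code from Check Point or from any AndroxGh0st analysis, that parses a few constructed access-log lines in the Apache/nginx combined format, groups .env requests by source, and separates blocked probes from requests the server actually answered with 200.

```python
"""Added example (not from the Check Point report): find .env probing in
web-server access logs and report which requests were actually served.
The log lines are constructed samples in the combined log format."""
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2025:08:15:01 +0000] "GET /.env HTTP/1.1" 200 1432 "-" "python-requests/2.31"
203.0.113.7 - - [10/Feb/2025:08:15:02 +0000] "GET /api/.env HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.7 - - [10/Feb/2025:08:15:03 +0000] "POST / HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.9 - - [10/Feb/2025:08:20:11 +0000] "GET /.env HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Feb/2025:08:20:12 +0000] "GET /laravel/.env HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Feb/2025:09:00:00 +0000] "GET /index.php HTTP/1.1" 200 8811 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method path proto" status bytes "ref" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# A path whose last component is .env, or a variant such as .env.bak / .env.local
ENV_PATH_RE = re.compile(r'/\.env(\.[A-Za-z0-9_-]+)?$')

def parse_line(line):
    """Return the parsed fields of one combined-format line, or None."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_env_probes(log_text):
    """Group .env requests by source IP; 'exposed' lists paths served with 200."""
    report = defaultdict(lambda: {"probes": 0, "exposed": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if not ENV_PATH_RE.search(path):
            continue
        entry = report[rec["ip"]]
        entry["probes"] += 1
        if rec["status"] == "200":
            entry["exposed"].append(path)
    return dict(report)

def exposed_paths(log_text):
    """Flat, de-duplicated list of .env paths the server actually served."""
    seen = set()
    for entry in find_env_probes(log_text).values():
        seen.update(entry["exposed"])
    return sorted(seen)

if __name__ == "__main__":
    for ip, entry in find_env_probes(SAMPLE_LOG).items():
        verdict = ("EXPOSED: " + ", ".join(entry["exposed"])) if entry["exposed"] else "blocked"
        print(f"{ip}: {entry['probes']} .env request(s), {verdict}")
```

A 403 or 404 against /.env is a probe that was stopped; a 200 with a non-trivial byte count means the file was handed out and every credential in it should be treated as compromised and rotated. The durable fix is to keep the web root pointed at Laravel's public/ directory, so .env is never under the document root at all, and to deny requests for dotfiles at the web server as a second layer.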
In the mobile sector, the most active threats include:
- Anubis – An Android banking trojan designed to steal credit card information and record keystrokes.
- AhMyth – A malicious RAT capable of accessing a device’s camera, microphone, and SMS messages.
- Necro – A malware downloader that installs malicious modules on smartphones, enabling attackers to subscribe victims to premium services without consent.
The most frequently attacked industries remain:
- Education
- Government Institutions
- Telecommunications
Among the most active ransomware collectives, the following groups stand out:
- Clop – A group infamous for its double extortion tactics, combining file encryption with threats of data leaks.
- FunkSec – A relatively new actor that publicizes details of breaches, though the veracity of its claims remains uncertain.
- RansomHub – A Ransomware-as-a-Service (RaaS) operation targeting Windows, macOS, Linux, and VMware ESXi.
The report also notes a newly surfaced group, Babuk Bjorka, whose credibility remains uncertain; it has not yet been recognized as a major threat actor.
FakeUpdates continues to be a significant cybersecurity menace, facilitating the spread of ransomware. Meanwhile, cybercriminals are increasingly incorporating artificial intelligence to bypass security mechanisms. Check Point experts strongly advise organizations to implement proactive security measures, enhance threat monitoring, and adopt adaptive defense mechanisms to counter the ever-evolving landscape of cyber threats.