printer friendly version

Most wanted malware

Check Point Software Technologies unveiled its Global Threat Index for June 2025, highlighting a surge in new and evolving threats. Check Point Research has uncovered that AsyncRAT, a remote access Trojan (RAT), has risen to the top three in malware threats this month and has been exploiting Discord invitation links to distribute malicious payloads. Meanwhile, FakeUpdates remains the most prevalent malware, continuing to impact organisations worldwide. The Qilin ransomware group remains a significant actor in the cybercrime scene, with targeted attacks on large enterprises, particularly in the healthcare and education sectors.

African countries continue to be among the most vulnerable to cyberthreats, with eight countries ranked among the top 20 most targeted. Ethiopia occupies the number one spot of the 109 involved in the Check Point survey. Others on the continent include Nigeria, which maintained its fifth position with a Normalised Risk Index (NRI) of 77,6%, followed by Mauritius in 7th place with an NRI of 72,3%. Mozambique was ranked 10th with an NRI of 67,2%, Zimbabwe 11th with 66,4%, Uganda 12th and Angola 17th with NRIs of 65% and 59,8% respectively. Kenya was ranked 19th, with an NRI of 58.1%. South Africa was ranked 51st with an NRI of 44,8% up from 47th last month.

“As cybercriminals become more sophisticated, organisations must stay ahead of evolving threats with multi-layered security solutions. The June 2025 Global Threat Index emphasises the need for proactive measures to safeguard against the most advanced attacks of the year. This is particularly true among African countries, which remain among the most vulnerable to cyberthreats,” says Lionel Dartnall, country manager SADC for Check Point Software Technologies.

Lotem Finkelstein, director of threat intelligence at Check Point Software, commented, “The AsyncRAT campaign we discovered and the continued dominance of FakeUpdates showcase the evolving complexity of cyberattacks. With the advent of dominant ransomware groups like Qilin, we see more targeted and refined approaches to data theft and encryption. Organisations need to be proactive in their defence, implementing real-time threat intelligence and comprehensive security strategies.”

Key findings

• AsyncRAT continues to maintain a high position in the threat ranks in June 2025, exploiting trusted platforms like Discord for payload delivery and data exfiltration. It allows attackers to remotely access and control infected systems.

• FakeUpdates, still the most widespread malware globally, is associated with the Evil Corp hacking group and spreads via drive-by downloads. It delivers various secondary payloads after infection.

• Qilin, a ransomware-as-a-service group, continues to target high-value industries, including healthcare and education, utilising phishing emails to infiltrate networks and encrypt sensitive data.

Top malware families

1. FakeUpdates remains the most widespread malware, affecting 4% of organisations worldwide. This downloader malware is used to install fake updates, allowing attackers to deploy secondary payloads on compromised systems.

2. Androxgh0st, a Python-based malware, scans for exposed .env files to steal sensitive credentials from applications running on the Laravel PHP framework. It uses a botnet for cloud exploitation and cryptocurrency mining.

3. AsyncRAT, a remote access Trojan (RAT), has rapidly grown in prominence. It is used for data theft and system compromise, enabling attackers to execute commands like downloading plugins, terminating processes, and capturing screenshots.

Top ransomware groups

1. Qilin (also known as Agenda) remains the top ransomware group, responsible for 17% of attacks in June 2025. This ransomware-as-a-service group specialises in targeting large enterprises, particularly in the healthcare and education sectors.

2. SafePay continues to be a major ransomware threat, using a double-extortion model to encrypt victims’ files, while stealing sensitive data. This ransomware group has been active against both large organisations and small businesses.

3. Akira ransomware exploits vulnerabilities in VPN endpoints, encrypting data with a distinctive ‘.akira’ extension. It primarily targets enterprises with weak or outdated security measures.

Top mobile malware

1. Anubis is the most prevalent mobile malware, known for its ability to bypass multi-factor authentication (MFA) and steal banking credentials. It is often distributed through malicious apps available on the Google Play Store.

2. AhMyth, a remote access Trojan (RAT) for Android, is disguised as legitimate apps and grants attackers access to exfiltrate banking credentials, MFA codes, and perform keylogging and screen capture.

3. Necro is a malicious downloader that can execute harmful commands on Android devices, including downloading malware and ads, and rerouting internet traffic through compromised devices, turning them into part of a botnet.

Most attacked industries

1. Education – The education sector remains the most targeted globally, with educational institutions being vulnerable to attacks due to their large user bases and critical infrastructure.

2. Government – Government organisations continue to be major targets due to their sensitive data and public sector responsibilities.

3. Telecommunications – The telecommunications sector faces constant threats, with cybercriminals targeting its vast amount of sensitive data and communications infrastructure.

For additional insights, visit tinyurl.com/zkrezxxy

Share this article:

Further reading: