April 2025’s Most Wanted Malware: FakeUpdates Leads Again as Advanced Campaigns Weaponize Commodity Malware

Eight African countries among the Top 20 most targeted by malware campaigns; education sector remains top target globally
Check Point® Software Technologies Ltd. (NASDAQ: CHKP), a leading AI-powered, cloud-delivered cyber security platform provider, has published its Global Threat Index for April 2025. FakeUpdates remains the most prevalent malware this month, impacting 6% of organizations globally, followed closely by Remcos and AgentTesla.
Eight African countries are among the Top 20 countries most targeted by malware campaigns. Ethiopia continues to occupy the number 1 spot as the most targeted country of the 107 countries covered by the Check Point survey. Others on the continent include Zimbabwe, which is the third most targeted with a Normalised Risk Index of 85%, followed by Mozambique (9th) with a Normalised Risk Index of 67%. Angola and Nigeria are 11th and 12th respectively, with Normalised Risk Indexes of 66% and 66.2%. Ghana, Kenya and Uganda were ranked 17th, 18th and 19th respectively, with Normalised Risk Indexes of 62.9%, 60.5% and 60.2%.
This month, researchers uncovered a sophisticated multi-stage malware campaign delivering AgentTesla, Remcos, and Xloader (a FormBook evolution). The attack begins with phishing emails disguised as order confirmations and lures victims into opening a malicious 7-Zip archive. This archive contains a JScript Encoded (.JSE) file that launches a Base64-encoded PowerShell script, which executes a second-stage .NET or AutoIt-based executable. The final malware is injected into legitimate Windows processes such as RegAsm.exe or RegSvcs.exe, significantly increasing stealth and detection evasion.
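The chain above leaves a recognisable trail in process-creation telemetry: a script host (wscript.exe or cscript.exe, which handles .JSE files) launching PowerShell with an encoded command, and RegAsm.exe or RegSvcs.exe starting from an unexpected parent with no assembly to register. The following Python sketch is an added example written for this article, not Check Point's code; the pipe-delimited event format, the sample events and the list of "expected" parents for RegAsm/RegSvcs are constructed assumptions, and a real deployment would read Sysmon Event ID 1 or EDR process events instead.

```python
"""Detection sketch for the multi-stage chain described above (added example,
not Check Point's code): script host -> Base64-encoded PowerShell ->
second-stage executable -> RegAsm.exe / RegSvcs.exe used as an injection host.

Input is a list of process-creation events in a constructed, Sysmon-like
pipe-delimited format:  ParentImage|Image|CommandLine
"""
import base64
import re
from typing import Dict, List, Optional

# Constructed decoded payload used only to build a realistic -enc argument.
DECODED_STAGE2 = r"Start-Process -FilePath $env:TEMP\stage2.exe -WindowStyle Hidden"
# PowerShell's -EncodedCommand expects Base64 of UTF-16LE text.
ENCODED = base64.b64encode(DECODED_STAGE2.encode("utf-16le")).decode("ascii")

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    r"C:\Windows\explorer.exe|C:\Program Files\7-Zip\7zFM.exe|7zFM.exe Order_Confirmation.7z",
    r"C:\Program Files\7-Zip\7zFM.exe|C:\Windows\System32\wscript.exe|wscript.exe Order_Confirmation.jse",
    r"C:\Windows\System32\wscript.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"
    r"powershell.exe -nop -w hidden -enc " + ENCODED,
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Users\u\AppData\Local\Temp\stage2.exe|stage2.exe",
    r"C:\Users\u\AppData\Local\Temp\stage2.exe|C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe|RegAsm.exe",
    # Benign: build tooling registering an assembly, with an argument.
    r"C:\Program Files\dotnet\dotnet.exe|C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe|RegAsm.exe /codebase MyLib.dll",
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
INJECTION_HOSTS = {"regasm.exe", "regsvcs.exe"}
# Parents from which RegAsm/RegSvcs launches are plausible; an assumption to tune per environment.
EXPECTED_REGASM_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "cmd.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand; cover the common short forms.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed 'Parent|Image|CommandLine' record into fields."""
    parent, image, cmdline = line.split("|", 2)
    return {"parent": parent, "image": image, "cmdline": cmdline}


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent/undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Apply both rules to every event and return the findings in event order."""
    findings: List[Dict[str, str]] = []
    for raw in lines:
        ev = parse_event(raw)
        parent, image = basename(ev["parent"]), basename(ev["image"])

        # Rule 1: a script host spawning PowerShell with an encoded command.
        if image == "powershell.exe" and parent in SCRIPT_HOSTS:
            decoded = decode_encoded_command(ev["cmdline"])
            if decoded is not None:
                findings.append({"rule": "script-host-encoded-powershell",
                                 "image": ev["image"], "decoded": decoded})

        # Rule 2: RegAsm/RegSvcs with no assembly argument from an unexpected parent.
        # A legitimate run always names an assembly; a bare launch has nothing to
        # register and is consistent with the process being used as an injection host.
        if image in INJECTION_HOSTS and parent not in EXPECTED_REGASM_PARENTS:
            if len(ev["cmdline"].split(None, 1)) == 1:
                findings.append({"rule": "regasm-no-args-unexpected-parent",
                                 "image": ev["image"], "parent": ev["parent"]})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

Running the block on the constructed events yields two findings: the wscript.exe-to-PowerShell hop with its decoded command, and the bare RegAsm.exe launched by the second-stage executable; the developer's `RegAsm.exe /codebase MyLib.dll` from dotnet.exe is not flagged. Decoding the `-enc` argument at detection time is what lets an analyst see the second-stage launch without re-running the script.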
Commodity malware meets advanced tradecraft
These findings reflect a notable trend in cybercrime: the convergence of commodity malware with advanced tradecraft. Tools once sold openly for low cost, like AgentTesla and Remcos, are now integrated into complex delivery chains that mimic the tactics of state-sponsored actors—blurring the lines between financially and politically motivated threats.
Lotem Finkelstein, Director of Threat Intelligence at Check Point Software, commented:
“This latest campaign exemplifies the growing complexity of cyber threats. Attackers are layering encoded scripts, legitimate processes, and obscure execution chains to remain undetected. What we once considered low-tier malware is now weaponized in advanced operations. Organisations must adopt a prevention-first approach that integrates real-time threat intelligence, AI, and behavioral analytics.”
Top Malware Families
(The arrows indicate the change in rank compared to March.)
1. ? FakeUpdates – Fakeupdates (AKA SocGholish) is a downloader malware that was initially discovered in 2018. It is spread through drive-by downloads on compromised or malicious websites, prompting users to install a fake browser update. Fakeupdates malware is associated with a Russian hacking group Evil Corp and used to deliver various secondary payloads after the initial infection. (Impact: 6%).
2. ? Remcos – Remcos is a Remote Access Trojan (RAT) first observed in 2016, often distributed through malicious documents in phishing campaigns. It is designed to bypass Windows security mechanisms, such as UAC, and execute malware with elevated privileges, making it a versatile tool for threat actors. (Impact: 3%).
3. ? AgentTesla – AgentTesla is an advanced RAT (remote access Trojan) that functions as a keylogger and password stealer. Active since 2014, AgentTesla can monitor and collect the victim’s keyboard input and system clipboard and can record screenshots and exfiltrate credentials entered for a variety of software installed on the victim’s machine (including Google Chrome, Mozilla Firefox and Microsoft Outlook email client). AgentTesla is openly sold as a legitimate RAT with customers paying $15 – $69 for user licenses (Impact: 3%).
Top Ransomware Groups
Data based on insights from ransomware “shame sites” run by double-extortion ransomware groups. Akira is the most prevalent ransomware group this month, responsible for 11% of the published attacks, followed by SatanLock and Qilin with 10% each.
- Akira – Akira Ransomware, first reported in the beginning of 2023, targets both Windows and Linux systems. It uses symmetric encryption with CryptGenRandom() and ChaCha 2008 for file encryption and is similar to the leaked Conti v2 ransomware. Akira is distributed through various means, including infected email attachments and exploits in VPN endpoints. Upon infection, it encrypts data and appends a “.akira” extension to file names, then presents a ransom note demanding payment for decryption.
- SatanLock – SatanLock is a new operation with public activity since early April. It has published 67 victims, but as with many other new actors, more than 65% of them have been previously reported by other actors.
- Qilin – Qilin, also referred to as Agenda, is a ransomware-as-a-service criminal operation that collaborates with affiliates to encrypt and exfiltrate data from compromised organizations, subsequently demanding a ransom. This ransomware variant was first detected in July 2022 and is developed in Golang. Agenda is known for targeting large enterprises and high-value organizations, with a particular focus on the healthcare and education sectors. Qilin typically infiltrates victims via phishing emails containing malicious links to establish access to their networks and exfiltrate sensitive information. Once inside, Qilin usually moves laterally through the victim’s infrastructure, seeking critical data to encrypt.
Top Mobile Malware
- ? Anubis – Anubis is a versatile banking trojan that originated on Android devices and has evolved to include advanced capabilities such as bypassing multi-factor authentication (MFA) by intercepting SMS-based one-time passwords (OTPs), keylogging, audio recording, and ransomware functions. It is often distributed through malicious apps on the Google Play Store and has become one of the most prevalent mobile malware families. Additionally, Anubis includes remote access trojan (RAT) features, enabling extensive surveillance and control over infected systems.
- ? AhMyth – AhMyth is a remote access trojan (RAT) targeting Android devices, typically disguised as legitimate apps like screen recorders, games, or cryptocurrency tools. Once installed, it gains extensive permissions to persist after reboot and exfiltrate sensitive information such as banking credentials, cryptocurrency wallet details, multi-factor authentication (MFA) codes, and passwords. AhMyth also enables keylogging, screen capture, camera and microphone access, and SMS interception, making it a versatile tool for data theft and other malicious activities.
- ? Hydra – Hydra is a banking Trojan designed to steal banking credentials by requesting that victims enable dangerous permissions and access each time they enter any banking app.
Top-Attacked Industries Globally
For the third straight month, the education sector was the most targeted industry, due to its broad user base and typically weaker cybersecurity. Government and telecom followed, reflecting continued focus on critical infrastructure and public services, especially in high-risk or rapidly digitizing regions.
- Education
- Government
- Telecommunications
April’s data reveals a growing use of stealthy, multi-stage malware campaigns and a continued focus on sectors with lower defenses. With FakeUpdates remaining the most prevalent threat and new ransomware actors like SatanLock emerging, organizations must prioritize proactive, layered security to stay ahead of evolving attacks.
For the full April 2025 Global Threat Index and additional insights, visit the Check Point Blog.