March 2025’s Most Wanted Malware: FakeUpdates and RansomHub Ransomware Group Dominate Cyber Threats

Check Point® Software Technologies Ltd., a pioneer and global leader in cyber security solutions, has released its Global Threat Index for March 2025, highlighting the continued dominance of FakeUpdates, a downloader malware that remains the most prevalent cyber threat worldwide. 

This month, researchers uncovered a new intrusion campaign that delivers FakeUpdates and leads to RansomHub ransomware attacks. FakeUpdates continues to be the most prevalent malware, with a notable trend in March where the attack chain involves compromised websites, rogue Keitaro TDS instances, and fake browser update lures to trick users into downloading the FakeUpdates malware. The obfuscated JavaScript loader enables data exfiltration, command execution, and persistent access for further exploitation. These findings underscore the evolving tactics cybercriminals employ, with legitimate platforms such as Dropbox and TryCloudflare being increasingly exploited to evade detection and maintain persistence. In India, Education remained the most impacted industry last month, followed by Business Services and Government.

Meanwhile, researchers uncovered a massive Lumma Stealer phishing campaign, compromising over 1,150 organizations and 7,000 users across North America, Southern Europe, and Asia. Attackers distributed nearly 5,000 malicious PDFs hosted on Webflow’s CDN, using fake CAPTCHA images to trigger PowerShell execution and deploy malware. This growing trend of exploiting legitimate platforms to distribute malware reflects a shift in cybercriminal tactics aimed at evading detection. Additionally, researchers linked Lumma Stealer to fake Roblox games and a trojanized pirated Windows Total Commander tool promoted via hijacked YouTube accounts.
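Both delivery chains described above leave a recognisable trace in endpoint process-creation telemetry: the fake CAPTCHA lure ends with a browser session turning into a PowerShell execution, and the fake browser update lure ends with a script host running a freshly downloaded JavaScript file. The following is an added illustration of how a defender might triage such events; it is not Check Point's code or detection logic. The key=value log format, the host names, the sample command lines (including the `BASE64_PLACEHOLDER` token standing in for an encoded command) and the process-name lists are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Process names are compared case-insensitively against the event's image/parent fields.
# These sets are assumptions for the example, not a product's built-in list.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample events in a hypothetical key=value format (not any real product's log).
# Event 2 models the fake-CAPTCHA chain, event 3 the fake-browser-update chain;
# events 1, 4 and 5 are benign administrative activity that should not fire.
SAMPLE_EVENTS = [
    'ts=2025-03-12T10:01:02Z host=WS01 parent=explorer.exe image=chrome.exe cmd="chrome.exe --profile-directory=Default"',
    'ts=2025-03-12T10:03:17Z host=WS01 parent=chrome.exe image=powershell.exe cmd="powershell.exe -w hidden -ep bypass -enc BASE64_PLACEHOLDER"',
    'ts=2025-03-12T10:05:40Z host=WS02 parent=explorer.exe image=wscript.exe cmd="wscript.exe C:\\Users\\bob\\Downloads\\Chrome_Update_2025.js"',
    'ts=2025-03-12T10:07:00Z host=WS03 parent=cmd.exe image=powershell.exe cmd="powershell.exe -File C:\\ops\\backup.ps1"',
    'ts=2025-03-12T10:09:12Z host=WS04 parent=services.exe image=cscript.exe cmd="cscript.exe C:\\ProgramData\\Vendor\\logon.vbs"',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Script file executed from a user's Downloads or Temp folder.
USER_SCRIPT_RE = re.compile(
    r'\\Users\\[^\\]+\\(?:Downloads|AppData\\Local\\Temp)\\[^"]*?\.(?:js|jse|vbs|hta)\b', re.I)
# PowerShell switches that commonly accompany lure-driven execution.
ENCODED_RE = re.compile(r'-e(?:nc(?:odedcommand)?)?\b', re.I)
HIDDEN_RE = re.compile(r'-w(?:indowstyle)?\s+hidden\b', re.I)


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def parse_event(line):
    """Parse one key=value event line; quoted values may contain spaces."""
    return {k: q if q else u for k, q, u in KV_RE.findall(line)}


def triage(line):
    """Return the list of findings for a single process-creation event."""
    ev = parse_event(line)
    host = ev.get("host", "?")
    parent = ev.get("parent", "").lower()
    image = ev.get("image", "").lower()
    cmd = ev.get("cmd", "")
    findings = []

    # Pattern 1: a browser is the direct parent of PowerShell. A browser has no
    # business launching a shell; the fake-CAPTCHA lure produces exactly this
    # lineage, and encoded/hidden switches are the usual tells worth surfacing.
    if parent in BROWSERS and image in POWERSHELL:
        tells = []
        if ENCODED_RE.search(cmd):
            tells.append("encoded command")
        if HIDDEN_RE.search(cmd):
            tells.append("hidden window")
        detail = f"{image} launched by {parent}"
        if tells:
            detail += f" ({', '.join(tells)})"
        findings.append(Finding(host, "browser-spawned-powershell", detail))

    # Pattern 2: a script host executing a .js/.vbs/.hta straight out of the user's
    # Downloads or Temp folder, which is where a fake "browser update" file lands.
    if image in SCRIPT_HOSTS:
        m = USER_SCRIPT_RE.search(cmd)
        if m:
            findings.append(Finding(host, "script-host-from-user-download",
                                    f"{image} ran {m.group(0)}"))
    return findings


def scan(lines):
    """Triage every event line and flatten the findings."""
    return [f for line in lines for f in triage(line)]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.host}] {f.rule}: {f.detail}")
```

Both rules are deliberately narrow so they stay low-noise on the benign events: the backup script launched from `cmd.exe` and the vendor logon script under `ProgramData` produce nothing. The parent-process check is the weaker of the two in practice, since a lure that has the user paste a command into the Run dialog yields `explorer.exe` as the parent instead of the browser; pairing the lineage rule with the command-line tells, or with clipboard and Run-dialog telemetry where available, closes that gap.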

Maya Horowitz, VP of Research at Check Point Software, commented, “Cybercriminals continue to adapt their tactics, increasingly relying on legitimate platforms to distribute malware and evade detection. Organizations must remain vigilant and implement proactive security measures to mitigate the risks of these evolving threats.”

Top Malware Families

*The arrows relate to the change in rank compared to the previous month.

FakeUpdates is the most prevalent malware this month with an impact on 8% of organizations worldwide, followed by Remcos and AgentTesla, both with an impact of 3%.

  1. FakeUpdates – FakeUpdates is a downloader malware that was initially discovered in 2018. It is spread through drive-by downloads on compromised or malicious websites, prompting users to install a fake browser update. FakeUpdates malware is associated with the Russian hacking group Evil Corp and is used to deliver various secondary payloads after the initial infection.
  2. Remcos – Remcos is a Remote Access Trojan first observed in 2016, often distributed through malicious documents in phishing campaigns. It is designed to bypass Windows security mechanisms, such as UAC, and execute malware with elevated privileges, making it a versatile tool for threat actors.         
  3. AgentTesla – AgentTesla is an advanced RAT (remote access Trojan) that functions as a keylogger and password stealer. Active since 2014, AgentTesla can monitor and collect the victim’s keyboard input and system clipboard, and can record screenshots and exfiltrate credentials entered for a variety of software installed on the victim’s machine. AgentTesla is openly sold as a legitimate RAT with customers paying $15 – $69 for user licenses.          

Top Ransomware Groups 

The data is based on insights from ransomware “shame sites”. RansomHub is the most prevalent ransomware group this month, responsible for 12% of the published attacks, followed by Qilin and Akira, both with an impact of 6%.

  1. RansomHub – RansomHub is a Ransomware-as-a-Service (RaaS) operation that emerged as a rebranded version of the previously known Knight ransomware. Surfacing prominently in early 2024 in underground cybercrime forums, RansomHub has quickly gained notoriety for its aggressive campaigns targeting various systems including Windows, macOS, Linux, and particularly VMware ESXi environments. This malware is known for employing sophisticated encryption methods.
  2. Qilin – Qilin, also referred to as Agenda, is a ransomware-as-a-service criminal operation that collaborates with affiliates to encrypt and exfiltrate data from compromised organizations, subsequently demanding a ransom. This ransomware variant was first detected in July 2022 and is developed in Golang. Agenda is known for targeting large enterprises and high-value organizations, with a particular focus on the healthcare and education sectors. Qilin typically infiltrates victims via phishing emails containing malicious links to establish access to their networks and exfiltrate sensitive information. Once inside, Qilin usually moves laterally through the victim’s infrastructure, seeking critical data to encrypt.
  3. Akira – Akira Ransomware, first reported in the beginning of 2023, targets both Windows and Linux systems. It uses symmetric encryption with CryptGenRandom() and Chacha 2008 for file encryption and is similar to the leaked Conti v2 ransomware. Akira is distributed through various means, including infected email attachments and exploits in VPN endpoints. Upon infection, it encrypts data and appends a “.akira” extension to file names, then presents a ransom note demanding payment for decryption.

Top Mobile Malwares

This month Anubis holds first place among the most prevalent mobile malware, followed by Necro and AhMyth.

  1. ↔ Anubis – Anubis is a versatile banking trojan that originated on Android devices and has evolved to include advanced capabilities such as bypassing multi-factor authentication by intercepting SMS-based one-time passwords, keylogging, audio recording, and ransomware functions. It is often distributed through malicious apps on the Google Play Store and has become one of the most prevalent mobile malware families. Additionally, Anubis includes remote access trojan features, enabling extensive surveillance and control over infected systems.   
  2. ↔ Necro – Necro is a malicious Android downloader that retrieves and executes harmful components on infected devices based on commands from its creators. It has been discovered in several popular apps on Google Play, as well as modified versions of apps on unofficial platforms like Spotify, WhatsApp, and Minecraft. Necro is capable of downloading dangerous modules to smartphones, enabling actions such as displaying and clicking on invisible ads, downloading executable files, and installing third-party apps. It can also open hidden windows to run JavaScript, potentially subscribing users to unwanted paid services. Furthermore, Necro can reroute internet traffic through compromised devices, turning them into part of a proxy botnet for cybercriminals.
  3. ↔ AhMyth – AhMyth is a remote access trojan targeting Android devices, typically disguised as legitimate apps like screen recorders, games, or cryptocurrency tools. Once installed, it gains extensive permissions to persist after reboot and exfiltrate sensitive information such as banking credentials, cryptocurrency wallet details, multi-factor authentication codes, and passwords. AhMyth also enables keylogging, screen capture, camera and microphone access, and SMS interception, making it a versatile tool for data theft and other malicious activities.         

Top-Attacked Industries Globally

This month Education holds first place among the most attacked industries globally, followed by Telecommunications and Government.

  1. Education
  2. Telecommunications
  3. Government

For the full March 2025 Global Threat Index and additional insights, visit the Check Point Blog.
