In September, a new breed of malware distributed via compromised Node Package Manager (npm) packages made headlines. It was dubbed “Shai-Hulud”, and we published an in-depth analysis of it in another post. Recently, a new version was discovered.
Shai Hulud 2.0 is a type of two-stage worm-like malware that spreads by compromising npm tokens to republish trusted packages with a malicious payload. More than 800 npm packages have been infected by this version of the worm.
According to our telemetry, the victims of this campaign include individuals and organizations worldwide, with most infections observed in Russia, India, Vietnam, Brazil, China, Türkiye, and France.
Technical analysis
When a developer installs an infected npm package, the setup_bun.js script runs during the preinstall stage, as specified in the modified package.json file.
Bootstrap script
The initial-stage script setup_bun.js is left intentionally unobfuscated and well documented to masquerade as a harmless tool for installing the legitimate Bun JavaScript runtime. It checks common installation paths for Bun and, if the runtime is missing, installs it from an official source in a platform-specific manner. This seemingly routine behavior conceals its true purpose: preparing the execution environment for later stages of the malware.
The installed Bun runtime then executes the second-stage payload, bun_environment.js, a 10MB malware script obfuscated with an obfuscate.io-like tool. This script is responsible for the main malicious activity.
Stealing credentials
Shai Hulud 2.0 is built to harvest secrets from various environments. Upon execution, it immediately searches several sources for sensitive data, such as:
GitHub secrets: the malware searches environment variables and the GitHub CLI configuration for values starting with ghp_ or gho_. It also creates a malicious workflow yml in victim repositories, which is then used to obtain GitHub Actions secrets.
Cloud credentials: the malware searches for cloud credentials across AWS, Azure, and Google Cloud by querying cloud instance metadata services and using official SDKs to enumerate credentials from environment variables and local configuration files.
Local files: it downloads and runs the TruffleHog tool to aggressively scan the entire filesystem for credentials.
Then all the exfiltrated data is sent through the established communication channel, which we describe in more detail in the next section.
Data exfiltration through GitHub
To exfiltrate the stolen data, the malware sets up a communication channel via a public GitHub repository. For this purpose, it uses the victim’s GitHub access token if found in environment variables and the GitHub CLI configuration.
After that, the malware creates a repository with a randomly generated 18-character name and a marker in its description. This repository then serves as a data storage to which all stolen credentials and system information are uploaded.
If the token is not found, the script attempts to obtain a previously stolen token from another victim by searching through GitHub repositories for those containing the text, “Sha1-Hulud: The Second Coming.” in the description.
Worm spreading across packages
For subsequent self-replication via embedding into npm packages, the script scans .npmrc configuration files in the home directory and the current directory in an attempt to find an npm registry authorization token.
If this is successful, it validates the token by sending a probe request to the npm /-/whoami API endpoint, after which the script retrieves a list of up to 100 packages maintained by the victim.
For each package, it injects the malicious files setup_bun.js and bun_environment.js via bundleAssets and updates the package configuration by setting setup_bun.js as a pre-installation script and incrementing the package version. The modified package is then published to the npm registry.
Destructive responses to failure
If the malware fails to obtain a valid npm token and is also unable to get a valid GitHub token, making data exfiltration impossible, it triggers a destructive payload that wipes user files, primarily those in the home directory.
Our solutions detect the family described here as HEUR:Worm.Script.Shulud.gen.
Since September of this year, Kaspersky has blocked over 1700 Shai Hulud 2.0 attacks on user machines. Of these, 18.5% affected users in Russia, 10.7% occurred in India, and 9.7% in Brazil.
TOP 10 countries and territories affected by Shai Hulud 2.0 attacks (download)
We continue tracking this malicious activity and provide up-to-date information to our customers via the Kaspersky Open Source Software Threats Data Feed. The feed includes all packages affected by Shai-Hulud, as well as information on other open-source components that exhibit malicious behaviour, contain backdoors, or include undeclared capabilities.
The global e‑commerce market is accelerating faster than ever before, driven by expanding online retail, and rising consumer adoption worldwide. According to McKinsey Global Institute, global e‑commerce is projected to grow by 7–9% annually through 2040.
At Kaspersky, we track how this surge in online shopping activity is mirrored by cyber threats. In 2025, we observed attacks which targeted not only e‑commerce platform users but online shoppers in general, including those using digital marketplaces, payment services and apps for everyday purchases. This year, we additionally analyzed how cybercriminals exploited gaming platforms during Black Friday, as the gaming industry has become an integral part of the global sales calendar. Threat actors have been ramping up their efforts during peak sales events like Black Friday, exploiting high demand and reduced user vigilance to steal personal data, funds, or spread malware.
This report continues our annual series of analyses published on Securelist in 2021, 2022, 2023, and 2024, which examine the evolving landscape of shopping‑related cyber threats.
Methodology
To track how the shopping threat landscape continues to evolve, we conduct an annual assessment of the most common malicious techniques, which span financial malware, phishing pages that mimic major retailers, banks, and payment services, as well as spam campaigns that funnel users toward fraudulent sites. In 2025, we also placed a dedicated focus on gaming-related threats, analyzing how cybercriminals leverage players’ interest. The threat data we rely on is sourced from the Kaspersky Security Network (KSN), which processes anonymized cybersecurity data shared consensually by Kaspersky users. This report draws on data collected from January through October 2025.
Key findings
In the first ten months of 2025, Kaspersky identified nearly 6.4 million phishing attacks which targeted users of online stores, payment systems, and banks.
As many as 48.2% of these attacks were directed at online shoppers.
We blocked more than 146,000 Black Friday-themed spam messages in the first two weeks of November.
Kaspersky detected more than 2 million phishing attacks related to online gaming.
Around 1.09 million banking-trojan attacks were recorded during the 2025 Black Friday season.
The number of attempted attacks on gaming platforms surged in 2025, reaching more than 20 million, a significant increase compared to previous years.
More than 18 million attempted malicious attacks were disguised as Discord in 2025, a more than 14-time increase year-over-year, while Steam remained within its usual five-year fluctuation range.
Shopping fraud and phishing
Phishing and scams remain among the most common threats for online shoppers, particularly during high-traffic retail periods when users are more likely to act quickly and rely on familiar brand cues. Cybercriminals frequently recreate the appearance of legitimate stores, payment pages, and banking services, making their fraudulent sites and emails difficult to distinguish from real ones. With customers navigating multiple offers and payment options, they may overlook URL or sender details, increasing the likelihood of credential theft and financial losses.
From January through to October 2025, Kaspersky products successfully blocked 6,394,854 attempts to access phishing links which targeted users of online stores, payment systems, and banks. Breaking down these attempts, 48.21% had targeted online shoppers (for comparison, this segment accounted for 37.5% in 2024), 26.10% targeted banking users (compared to 44.41% in 2024), and 25.69% mimicked payment systems (18.09% last year). Compared to previous years, there has been a noticeable shift in focus, with attacks against online store users now representing a larger share, reflecting cybercriminals’ continued emphasis on exploiting high-demand retail periods, while attacks on banking users have decreased in relative proportion. This may be related to online banking protection hardening worldwide.
Financial phishing attacks by category, January–October 2025 (download)
In 2025, Kaspersky products detected and blocked 606,369 phishing attempts involving the misuse of Amazon’s brand. Cybercriminals continued to rely on Amazon-themed pages to deceive users and obtain personal or financial information.
Other major e-commerce brands were also impersonated. Attempts to visit phishing pages mimicking Alibaba brands, such as AliExpress, were detected 54,500 times, while eBay-themed pages appeared in 38,383 alerts. The Latin American marketplace Mercado Libre was used as a lure in 8,039 cases, and Walmart-related phishing pages were detected 8,156 times.
Popular online stores mimicked by scammers, January–October 2025 (download)
In 2025, phishing campaigns also extensively mimicked other online platforms. Netflix-themed pages were detected 801,148 times, while Spotify-related attempts reached 576,873. This pattern likely reflects attackers’ continued focus on high-traffic digital entertainment services with in-service payments enabled, which can be monetized via stolen accounts.
How scammers exploited shopping hype in 2025
In 2025, Black Friday-related scams continued to circulate across multiple channels, with fraudulent email campaigns remaining one of the key distribution methods. As retailers increase their seasonal outreach, cybercriminals take advantage of the high volume of promotional communications by sending look-alike messages that direct users to scam and phishing pages. In the first two weeks of November, 146,535 spam messages connected to seasonal sales were detected by Kaspersky, including 2,572 messages referencing Singles day sales.
Scammers frequently attempt to mimic well-known platforms to increase the credibility of their messages. In one of the recurring campaigns, a pattern seen year after year, cybercriminals replicated Amazon’s branding and visual style, promoting supposedly exclusive early-access discounts of up to 70%. In this particular case, the attackers made almost no changes to the text used in their 2024 campaign, again prompting users to follow a link leading to a fraudulent page. Such pages are usually designed to steal their personal or payment information or to trick the user into buying non-existent goods.
Beyond the general excitement around seasonal discounts, scammers also try to exploit consumers’ interest in newly released Apple devices. To attract attention, they use the same images of the latest gadgets across various mailing campaigns, just changing the names of legitimate retailers that allegedly sell the brand.
Scammers use an identical image across different campaigns, only changing the retailer’s branding
As subscription-based streaming platforms also take part in global sales periods, cybercriminals attempt to take advantage of this interest as well. For example, we observed a phishing website where scammers promoted an offer for a “12-month subscription bundle” covering several popular services at once, asking users to enter their bank card details. To enhance credibility, the scammers also include fabricated indicators of numerous successful purchases from other “users,” making the offer appear legitimate.
In addition to imitating globally recognized platforms, scammers also set up fake pages that pretend to be local services in specific countries. This tactic enables more targeted campaigns that blend into the local online landscape, increasing the chances that users will perceive the fraudulent pages as legitimate and engage with them.
Non-existent Norwegian online store and popular Labubu toys sale
Banking Trojans
Banking Trojans, or “bankers,” are another tool for cybercriminals exploiting busy shopping seasons like Black Friday in 2025. They are designed to steal sensitive data from online banking and payment systems. In this section, we’ll focus on PC bankers. Once on a victim’s device, they monitor the browser and, when the user visits a targeted site, can use techniques like web injection or form-grabbing to capture login credentials, credit card information, and other personal data. Some trojans also watch the clipboard for crypto wallet addresses and replace them with those controlled by the malicious actors.
As online shopping peaks during major sales events, attackers increasingly target e-commerce platforms alongside banks. Trojans may inject fake forms into legitimate websites, tricking users into revealing sensitive data during checkout and increasing the risk of identity theft and financial fraud. In 2025, Kaspersky detected over 1,088,293* banking Trojan attacks. Among notable banker-related cases analysed by Kaspersky throughout the year, campaigns involving the new Maverick banking Trojan distributed via WhatsApp, as well as the Efimer Trojan which spread through malicious emails and compromised WordPress sites can be mentioned, both illustrating how diverse and adaptive banking Trojan delivery methods are.
*These statistics include globally active banking malware, and malware for ATMs and point-of-sale (PoS) systems. We excluded data on Trojan-banker families that no longer use banking Trojan functionality in their attacks, such as Emotet.
A holiday sales season on the dark web
Apparently, even the criminal underground follows its own version of a holiday sales season. Once data is stolen, it often ends up on dark-web forums, where cybercriminals actively search for buyers. This pattern is far from new, and the range of offers has remained largely unchanged over the past two years.
Threat actors consistently seize the opportunity to attract “new customers,” advertising deep discounts tied to high-profile global sales events. It is worth noting that year after year we see the same established services announce their upcoming promotions in the lead-up to Black Friday, almost as if operating on a retail calendar of their own.
We also noted that dark web forum participants themselves eagerly await these seasonal markdowns, hoping to obtain databases at the most favorable rates and expressing their wishes in forum posts. In the months before Black Friday, posts began appearing on carding-themed forums advertising stolen payment-card data at promotional prices.
Threats targeting gaming
The gaming industry faces a high concentration of scams and other cyberthreats due to its vast global audience and constant demand for digital goods, updates, and in-game advantages. Players often engage quickly with new offers, making them more susceptible to deceptive links or malicious files. At the same time, the fact that gamers often download games, mods, skins etc. from third-party marketplaces, community platforms, and unofficial sources creates additional entry points for attackers.
The number of attempted attacks on platforms beloved by gamers increased dramatically in 2025, reaching 20,188,897 cases, a sharp rise compared to previous years.
Attempts to attack users through malicious or unwanted files disguised as popular gaming platforms (download)
The nearly sevenfold increase in 2025 is most likely linked to the Discord block by some countries introduced at the end of 2024. Eventually users rely on alternative tools, proxies and modified clients. This change significantly expanded the attack surface, making users more vulnerable to fake installers, and malicious updates disguised as workarounds for the restriction.
It can also be seen in the top five most targeted gaming platforms of 2025:
Platform
The number of attempted attacks
Discord
18,556,566
Steam
1,547,110
Xbox
43,560
Uplay
28,366
Battle.net
5,538
In previous years, Steam consistently ranked as the platform with the highest number of attempted attacks. Its extensive game library, active modding ecosystem, and long-standing role in the gaming community made it a prime target for cybercriminals distributing malicious files disguised as mods, cheats, or cracked versions. In 2025, however, the landscape changed significantly. The gap between Steam and Discord expanded to an unprecedented degree as Steam-related figures remained within their typical fluctuation range of the past five years, while the number of attempted Discord-disguised attacks surged more than 14 times compared to 2024, reshaping the hierarchy of targeted gaming platforms.
Attempts to attack users through malicious or unwanted files disguised as Steam and Discord throughout the reported period (download)
From January to October, 2025, cybercriminals used a variety of cyberthreats disguised as popular related to gamers platforms, modifications or circumvention options. RiskTool dominated the threat landscape with 17,845,099 detections, far more than any other category. Although not inherently malicious, these tools can hide files, mask processes, or disable programs, making them useful for stealthy, persistent abuse, including covert crypto-mining. Downloaders ranked second with 1,318,743 detections. These appear harmless but may fetch additional malware among other downloaded files. Downloaders are typically installed when users download unofficial patches, cracked clients, or mods. Trojans followed with 384,680 detections, often disguised as cheats or mod installers. Once executed, they can steal credentials, intercept tokens, or enable remote access, leading to account takeovers and the loss of in-game assets.
Threat
Gaming-related detections
RiskTool
17,845,099
Downloader
1,318,743
Trojan
384,680
Adware
184,257
Exploit
152,354
Phishing and scam threats targeting gamers
In addition to tracking malicious and unwanted files disguised as gamers’ platforms, Kaspersky experts also analysed phishing pages which impersonated these services. Between January and October 2025, Kaspersky products detected 2,054,336 phishing attempts targeting users through fake login pages, giveaway offers, “discounted” subscriptions and other scams which impersonated popular platforms like Steam, PlayStation, Xbox and gaming stores.
Example of Black Friday scam using a popular shooter as a lure
The page shown in the screenshot is a typical Black Friday-themed scam that targets gamers, designed to imitate an official Valorant promotion. The “Valorant Points up to 80% off” banner, polished layout, and fake countdown timer create urgency and make the offer appear credible at first glance. Users who proceed are redirected to a fake login form requesting Riot account credentials or bank card details. Once submitted, this information enables attackers to take over accounts, steal in-game assets, or carry out fraudulent transactions.
Minor text errors reveal the page’s fraudulent nature. The phrase “You should not have a size limit of 5$ dollars in your account” is grammatically incorrect and clearly suspicious.
Another phishing page relies on a fabricated “Winter Gift Marathon” that claims to offer a free $20 Steam gift card. The seasonal framing, combined with a misleading counter (“251,110 of 300,000 cards received”), creates an artificial sense of legitimacy and urgency intended to prompt quick user interaction.
The central component of the scheme is the “Sign in” button, which redirects users to a spoofed Steam login form designed to collect their credentials. Once obtained, attackers can gain full access to the account, including payment methods, inventory items, and marketplace assets, and may be able to compromise additional services if the same password is used elsewhere.
Examples of scams on Playstation 5 Pro and Xbox series X
Scams themed around the PlayStation 5 Pro and Xbox Series X appear to be generated from a phishing kit, a reusable template that scammers adapt for different brands. Despite referencing two consoles, both pages follow the same structure which features a bold claim offering a chance to “win” a high-value device, a large product image on the left, and a minimalistic form on the right requesting the user’s email address.
A yellow banner promotes an “exclusive offer” with “limited availability,” pressuring users to respond quickly. After submitting an email, victims are typically redirected to additional personal and payment data-collection forms. They also may later be targeted with follow-up phishing emails, spam, or malicious links.
Conclusions
In 2025, the ongoing expansion of global e-commerce continued to be reflected in the cyberthreat landscape, with phishing, scam activity, and financial malware targeting online shoppers worldwide. Peak sales periods once again created favorable conditions for fraud, resulting in sustained activity involving spoofed retailer pages, fraudulent email campaigns, and seasonal spam.
Threat actors also targeted users of digital entertainment and subscription services. The gaming sector experienced a marked increase in malicious activity, driven by shifts in platform accessibility and the widespread use of third-party tools. The significant rise in malicious detections associated with Discord underscored how rapidly attackers adjust to changes in user behavior.
Overall, 2025 demonstrated that cybercriminals continue to leverage predictable user behavior patterns and major sales events to maximize the impact of their operations. Consumers should remain especially vigilant during peak shopping periods and use stronger security practices, such as two-factor authentication, secure payment methods, and cautious browsing. A comprehensive security solution that blocks malware, detects phishing pages, and protects financial data can further reduce the risk of falling victim to online threats.
In 2022, we published our research examining how IT specialists look for work on the dark web. Since then, the job market has shifted, along with the expectations and requirements placed on professionals. However, recruitment and headhunting on the dark web remain active.
So, what does this job market look like today? This report examines how employment and recruitment function on the dark web, drawing on 2,225 job-related posts collected from shadow forums between January 2023 and June 2025. Our analysis shows that the dark web continues to serve as a parallel labor market with its own norms, recruitment practices and salary expectations, while also reflecting broader global economic shifts. Notably, job seekers increasingly describe prior work experience within the shadow economy, suggesting that for many, this environment is familiar and long-standing.
The majority of job seekers do not specify a professional field, with 69% expressing willingness to take any available work. At the same time, a wide range of roles are represented, particularly in IT. Developers, penetration testers and money launderers remain the most in-demand specialists, with reverse engineers commanding the highest average salaries. We also observe a significant presence of teenagers in the market, many seeking small, fast earnings and often already familiar with fraudulent schemes.
While the shadow market contrasts with legal employment in areas such as contract formality and hiring speed, there are clear parallels between the two. Both markets increasingly prioritize practical skills over formal education, conduct background checks and show synchronized fluctuations in supply and demand.
Looking ahead, we expect the average age and qualifications of dark web job seekers to rise, driven in part by global layoffs. Ultimately, the dark web job market is not isolated — it evolves alongside the legitimate labor market, influenced by the same global economic forces.
What do hacktivist campaigns look like in 2025? To answer this question, we analyzed more than 11,000 posts produced by over 120 hacktivist groups circulating across both the surface web and the dark web, with a particular focus on groups targeting MENA countries. The primary goal of our research is to highlight patterns in hacktivist operations, including attack methods, public warnings, and stated intent. The analysis is undertaken exclusively from a cybersecurity perspective and anchored in the principle of neutrality.
Hacktivists are politically motivated threat actors who typically value visibility over sophistication. Their tactics are designed for maximum visibility, reach, and ease of execution, rather than stealth or technical complexity. The term “hacktivist” may refer to either the administrator of a community who initiates the attack or an ordinary subscriber who simply participates in the campaign.
Key findings
While it may be assumed that most operations unfold on hidden forums, in fact, most hacktivist planning and mobilization happens in the open. Telegram has become the command center for today’s hacktivist groups, hosting the highest density of attack planning and calls to action. The second place is occupied by X (ex-Twitter).
Distribution of social media references in posts published in 2025
Although we focused on hacktivists operating in MENA, the targeting of the groups under review is global, extending well beyond the region. There are victims throughout Europe and Middle East, as well as Argentina, the United States, Indonesia, India, Vietnam, Thailand, Cambodia, Türkiye, and others.
Hashtags as the connective tissue of hacktivist operations
One notable feature of hacktivist posts and messages on dark web sites is the frequent use of hashtags (#words). Used in their posts constantly, hashtags often serve as political slogans, amplifying messages, coordinating activity or claiming credit for attacks. The most common themes are political statements and hacktivist groups names, though hashtags sometimes reference geographical locations, such as specific countries or cities.
Hashtags also map alliances and momentum. We have identified 2063 unique tags in 2025: 1484 appearing for the first time, and many tied directly to specific groups or joint campaigns. Most tags are short-lived, lasting about two months, with “popular” ones persisting longer when amplified by alliances; channel bans contribute to attrition.
Operationally, reports of completed attacks dominate hashtagged content (58%), and within those, DDoS is the workhorse (61%). Spikes in threatening rhetoric do not by themselves predict more attacks, but timing matters: when threats are published, they typically refer to actions in the near term, i.e. the same week or month, making early warning from open-channel monitoring materially useful.
The full version of the report details the following findings:
How long it typically takes for an attack to be reported after an initial threat post
How hashtags are used to coordinate attacks or claim credit
Patterns across campaigns and regions
The types of cyberattacks being promoted or celebrated
Practical takeaways and recommendations
For defenders and corporate leaders, we recommend the following:
Prioritize scalable DDoS mitigation and proactive security measures.
Treat public threats as short-horizon indicators rather than long-range forecasts.
Invest in continuous monitoring across Telegram and related ecosystems to discover alliance announcements, threat posts, and cross-posted “proof” rapidly.
Even organizations outside geopolitical conflict zones should assume exposure: hacktivist campaigns seek reach and spectacle, not narrow geography, and hashtags remain a practical lens for separating noise from signals that demand action.
To download the full report, please fill in the form below.
In Q2 2025, the percentage of ICS computers on which malicious objects were blocked decreased by 1.4 pp from the previous quarter to 20.5%.
Percentage of ICS computers on which malicious objects were blocked, Q2 2022–Q2 2025
Compared to Q2 2024, the rate decreased by 3.0 pp.
Regionally, the percentage of ICS computers on which malicious objects were blocked ranged from 11.2% in Northern Europe to 27.8% in Africa.
Regions ranked by percentage of ICS computers on which malicious objects were blocked
In most of the regions surveyed in this report, the figures decreased from the previous quarter. They increased only in Australia and New Zealand, as well as Northern Europe.
Changes in percentage of ICS computers on which malicious objects were blocked, Q2 2025
Selected industries
The biometrics sector led the ranking of the industries and OT infrastructures surveyed in this report in terms of the percentage of ICS computers on which malicious objects were blocked.
Ranking of industries and OT infrastructures by percentage of ICS computers on which malicious objects were blocked
In Q2 2025, the percentage of ICS computers on which malicious objects were blocked decreased across all industries.
Percentage of ICS computers on which malicious objects were blocked in selected industries
Diversity of detected malicious objects
In Q2 2025, Kaspersky security solutions blocked malware from 10,408 different malware families from various categories on industrial automation systems.
Percentage of ICS computers on which the activity of malicious objects from various categories was blocked
The only increases were in the percentages of ICS computers on which denylisted internet resources (1.2 times more than in the previous quarter) and malicious documents (1.1 times more) were blocked.
Main threat sources
Depending on the threat detection and blocking scenario, it is not always possible to reliably identify the source. The circumstantial evidence for a specific source can be the blocked threat’s type (category).
The internet (visiting malicious or compromised internet resources; malicious content distributed via messengers; cloud data storage and processing services and CDNs), email clients (phishing emails), and removable storage devices remain the primary sources of threats to computers in an organization’s technology infrastructure.
In Q2 2025, the percentage of ICS computers on which threats from email clients were blocked continued to increase. The main categories of threats from email clients blocked on ICS computers are malicious documents, spyware, malicious scripts and phishing pages. The indicator increased in all regions except Russia. By contrast, the global average for other threat sources decreased. Moreover, the rates reached their lowest levels since Q2 2022.
Percentage of ICS computers on which malicious objects from various sources were blocked
The same computer can be attacked by several categories of malware from the same source during a quarter. That computer is counted when calculating the percentage of attacked computers for each threat category, but is only counted once for the threat source (we count unique attacked computers). In addition, it is not always possible to accurately determine the initial infection attempt. Therefore, the total percentage of ICS computers on which various categories of threats from a certain source were blocked exceeds the percentage of threats from the source itself.
The rates for all threat sources varied across the monitored regions.
The percentage of ICS computers on which threats from the internet were blocked ranged from 6.35% in East Asia to 11.88% in Africa
The percentage of ICS computers on which threats from email clients were blocked ranged from 0.80% in Russia to 7.23% in Southern Europe
The percentage of ICS computers on which threats from removable media were blocked ranged from 0.04% in Australia and New Zealand to 1.77% in Africa
The percentage of ICS computers on which threats from network folders were blocked ranged from 0.01% in Northern Europe to 0.25% in East Asia
Threat categories
A typical attack blocked within an OT network is a multi-stage process, where each subsequent step by the attackers is aimed at increasing privileges and gaining access to other systems by exploiting the security problems of industrial enterprises, including technological infrastructures.
It is worth noting that during the attack, intruders often repeat the same steps (TTPs), especially when they use malicious scripts and established communication channels with the management and control infrastructure (C2) to move laterally within the network and advance the attack.
Malicious objects used for initial infection
In Q2 2025, the percentage of ICS computers on which denylisted internet resources were blocked increased to 5.91%.
Percentage of ICS computers on which denylisted internet resources were blocked, Q2 2022–Q2 2025
The percentage of ICS computers on which denylisted internet resources were blocked ranged from 3.28% in East Asia to 6.98% in Africa. Russia and Eastern Europe were also among the top three regions for this indicator. It increased in all regions and this growth is associated with the addition of direct links to malicious code hosted on popular public websites and file-sharing services.
The percentage of ICS computers on which malicious documents were blocked has grown for two consecutive quarters. The rate reached 1.97% (up 0.12 pp) and returned to the level seen in Q3 2024. The percentage increased in all regions except Latin America.
The percentage of ICS computers on which malicious scripts and phishing pages were blocked decreased to 6.49% (down 0.67 pp).
Next-stage malware
Malicious objects used to initially infect computers deliver next-stage malware (spyware, ransomware, and miners) to victims’ computers. As a rule, the higher the percentage of ICS computers on which the initial infection malware is blocked, the higher the percentage for next-stage malware.
In Q2 2025, the percentage of ICS computers on which malicious objects from all categories were blocked decreased. The rates are:
Spyware: 3.84% (down 0.36 pp);
Ransomware: 0.14% (down 0.02 pp);
Miners in the form of executable files for Windows: 0.63% (down 0.15 pp);
Web miners: 0.30% (down 0.23 pp), its lowest level since Q2 2022.
Self-propagating malware
Self-propagating malware (worms and viruses) is a category unto itself. Worms and virus-infected files were originally used for initial infection, but as botnet functionality evolved, they took on next-stage characteristics.
To spread across ICS networks, viruses and worms rely on removable media, network folders, infected files including backups, and network attacks on outdated software such as Radmin2.
In Q2 2025, the percentage of ICS computers on which worms and viruses were blocked decreased to 1.22% (down 0.09 pp) and 1.29% (down 0.24 pp). Both are the lowest values since Q2 2022.
AutoCAD malware
This category of malware can spread in a variety of ways, so it does not belong to a specific group.
In Q2 2025, the percentage of ICS computers on which AutoCAD malware was blocked continued to decrease to 0.29% (down 0.05 pp) and reached its lowest level since Q2 2022.
Hacktivism and geopolitically motivated APT groups have become a significant threat to many regions of the world in recent years, damaging infrastructure and important functions of government, business, and society. In late 2022 we predicted that the involvement of hacktivist groups in all major geopolitical conflicts from now on will only increase and this is what we’ve been observing throughout the years. With regard to the Ukrainian-Russian conflict, this has led to a sharp increase of activities carried out by groups that identify themselves as either pro-Ukrainian or pro-Russian.
The rise in cybercrime amid geopolitical tensions is alarming. Our Kaspersky Cyber Threat Intelligence team has been observing several geopolitically motivated threat actors and hacktivist groups operating in various conflict zones. Through collecting and analyzing extensive data on these groups’ tactics, techniques, and procedures (TTPs), we’ve discovered a concerning trend: hacktivists are increasingly interconnected with financially motivated groups. They share tools, infrastructure, and resources.
This collaboration has serious implications. Their campaigns may disrupt not only business operations but also ordinary citizens’ lives, affecting everything from banking services to personal data security or the functioning of the healthcare system. Moreover, monetized techniques can spread exponentially as profit-seeking actors worldwide replicate and refine them. We consider these technical findings a valuable resource for global cybersecurity efforts. In this report, we share observations on threat actors who identify themselves as pro-Ukrainian.
About this report
The main goal of this report is to provide technical evidence supporting the theory we’ve proposed based on our previous research: that most of the groups we describe here actively collaborate, effectively forming three major threat clusters.
This report includes:
A library of threat groups, current as of 2025, with details on their main TTPs and tools.
A technical description of signature tactics, techniques, procedures, and toolsets used by these groups. This information is intended for practical use by SOC, DFIR, CTI, and threat hunting professionals.
What this report covers
This report contains information on the current TTPs of hacktivists and APT groups targeting Russian organizations particularly in 2025, however they are not limited to Russia as a target. Further research showed that among some of the groups’ targets, such as CloudAtlas and XDSpy, were assets in European, Asian, and Middle Eastern countries. In particular, traces of infections were discovered in 2024 in Slovakia and Serbia. The report doesn’t include groups that emerged in 2025, as we didn’t have sufficient time to research their activity. We’ve divided all groups into three clusters based on their TTPs:
Cluster I combines hacktivist and dual-purpose groups that use similar tactics, techniques, and tools. This cluster is characterized by:
Shared infrastructure
A unique software suite
Identical processes, command lines, directories, and so on
Distinctive TTPs
Cluster II comprises APT groups that have different TTPs from the hacktivists. Among these, we can distinguish simple APTs (characterized by their use of third-party utilities, scripts that carry out all the malicious logic, shared domain registrars, and concealing their real infrastructure behind reverse proxy systems – for example, using Cloudflare services), and more sophisticated ones (distinguished by their unique TTPs).
Cluster III includes hacktivist groups for which we’ve observed no signs of collaboration with other groups described here.
Example: Cyberthreat landscape in Russia in 2025
Hacktivism remains the key threat to Russian businesses and businesses in other conflict areas today, and the scale and complexity of these attacks keep growing. Traditionally, the term “hacktivism” refers to a blend of hacking and activism, where attackers use their skills to achieve social or political goals. Over the past few years, these threat actors have become more experienced and organized, collaborating with one another and sharing knowledge and tools to achieve common objectives.
Additionally, a new phenomenon known as “dual-purpose groups” has appeared in the Russian threat landscape in recent years. We’ve detected links between hacktivists and financially motivated groups. They use the same tools, techniques, and tactics, and even share common infrastructure and resources. Depending on the victim, they may pursue a variety of goals: demanding a ransom to decrypt data, causing irreparable damage, or leaking stolen data to the media. This suggests that these attackers belong to a single complex cluster.
Beyond this, “traditional” categories of attackers continue to operate in Russia and other regions: groups engaged in cyberespionage and purely financially motivated threat actors also remain a significant problem. Like other groups, geopolitically motivated groups are cybercriminals who undermine the secure and trustworthy use of digitalization opportunities and they can change and adapt their target regions depending on political developments.
That is why it is important to also be aware of the TTPs used by threat actors who appear to be attacking other targets. We will continue to monitor geopolitically motivated threat actors and publish technical reports about their TTPs.
Recommendations
To defend against the threats described in this report, Kaspersky experts recommend the following:
Provide your SOC teams with access to up-to-date information on the latest attacker tactics, techniques, and procedures (TTPs). Threat intelligence feeds from reliable providers, like Kaspersky Threat Intelligence, can help with this.
Use a comprehensive security solution that combines centralized monitoring and analysis, advanced threat detection and response, and security incident investigation tools. The Kaspersky NEXT XDR platform provides this functionality and is suitable for medium and large businesses in any industry.
Protect every component of modern and legacy industrial automation systems with specialized OT security solutions. Kaspersky Industrial CyberSecurity (KICS) — an XDR-class platform — ensures reliable protection for critical infrastructure in energy, manufacturing, mining, and transportation.
Conduct regular security awareness training for employees to reduce the likelihood of successful phishing and other social engineering attacks. Kaspersky Automated Security Awareness Platform is a good option for this.
The report is available for our partners and customers. If you are interested, please contact report@kaspersky.com
Modern vehicles are transforming into full-fledged digital devices that offer a multitude of features, from common smartphone-like conveniences to complex intelligent systems and services designed to keep everyone on the road safe. However, this digitalization, while aimed at improving comfort and safety, is simultaneously expanding the vehicle’s attack surface.
In simple terms, a modern vehicle is a collection of computers networked together. If a malicious actor gains remote control of a vehicle, they could be able not only steal user data but also create a dangerous situation on the road. While intentional attacks targeting a vehicle’s functional safety have not become a widespread reality yet, that does not mean the situation will not change in the foreseeable future.
The digital evolution of the automobile
The modern vehicle is a relatively recent invention. While digital systems like the electronic control unit and onboard computer began appearing in vehicles back in the 1970s, they did not become standard until the 1990s. This technological advancement led to a proliferation of narrowly specialized electronic devices, each with a specific task, such as measuring wheel speed, controlling headlight modes, or monitoring door status. As the number of sensors and controllers grew, local automotive networks based on LIN and CAN buses were introduced to synchronize and coordinate them. Fast forward about 35 years, and modern vehicle is a complex technical device with extensive remote communication capabilities that include support for 5G, V2I, V2V, Wi-Fi, Bluetooth, GPS, and RDS.
Components like the head unit and telecommunication unit are standard entry points into the vehicle’s internal infrastructure, which makes them frequent objects for security research.
From a functional and architectural standpoint, we can categorize vehicles into three groups. The lines between these categories are blurred, as many vehicles could fit into more than one, depending on their features.
Obsolete vehicles do not support remote interaction with external information systems (other than diagnostic tools) via digital channels and have a simple internal architecture. These vehicles are often retrofitted with modern head units, but those components are typically isolated within a closed information environment because they are integrated into an older architecture. This means that even if an attacker successfully compromises one of these components, they cannot pivot to other parts of the vehicle.
Legacy vehicles are a sort of transitional phase. Unlike simpler vehicles from the past, they are equipped with a telematics unit, which is primarily used for data collection rather than remote control – though two-way communication is not impossible. They also feature a head unit with more extensive functionality, which allows changing settings and controlling systems. The internal architecture of these vehicles is predominantly digital, with intelligent driver assistance systems. The numerous electronic control units are connected in an information network that either has flat structure or is only partially segmented into security domains. The stock head unit in these vehicles is often replaced with a modern unit from a third-party vendor. From a cybersecurity perspective, legacy vehicles represent the most complex problem. Serious physical consequences, including life-threatening situations, can easily result from cyberattacks on these vehicles. This was made clear 10 years ago when Charlie Miller and Chris Valasek conducted their famous remote Jeep Cherokee hack.
Modern vehicles have a fundamentally different architecture. The network of electronic control units is now divided into security domains with the help of a firewall, which is typically integrated within a central gateway. The advent of native two-way communication channels with the manufacturer’s cloud infrastructure and increased system connectivity has fundamentally altered the attack surface. However, many automakers learned from the Jeep Cherokee research. They have since refined their network architecture, segmenting it with the help of a central gateway, configuring traffic filtering, and thus isolating critical systems from the components most susceptible to attacks, such as the head unit and the telecommunication module. This has significantly complicated the task of compromising functional safety through a cyberattack.
Possible future threat landscape
Modern vehicle architectures make it difficult to execute the most dangerous attacks, such as remotely deploying airbags at high speeds. However, it is often easier to block the engine from starting, lock doors, or access confidential data, as these functions are frequently accessible through the vendor’s cloud infrastructure. These and other automotive cybersecurity challenges are prompting automakers to engage specialized teams for realistic penetration testing. The results of these vehicle security assessments, which are often publicly disclosed, highlight an emerging trend.
Despite this, cyberattacks on modern vehicles have not become commonplace yet. This is due to the lack of malware specifically designed for this purpose and the absence of viable monetization strategies. Consequently, the barrier to entry for potential attackers is high. The scalability of these attacks is also poor, which means the guaranteed return on investment is low, while the risks of getting caught are very high.
However, this situation is slowly but surely changing. As vehicles become more like gadgets built on common technologies – including Linux and Android operating systems, open-source code, and common third-party components – they become vulnerable to traditional attacks. The integration of wireless communication technologies increases the risk of unauthorized remote control. Specialized tools like software-defined radio (SDR), as well as instructions for exploiting wireless networks (Wi-Fi, GSM, LTE, and Bluetooth) are becoming widely available. These factors, along with the potential decline in the profitability of traditional targets (for example, if victims stop paying ransoms), could lead attackers to pivot toward vehicles.
Which vehicles are at risk
Will attacks on vehicles become the logical evolution of attacks on classic IT systems? While attacks on remotely accessible head units, telecommunication modules, cloud services or mobile apps for extortion or data theft are technically more realistic, they require significant investment, tool development, and risk management. Success is not guaranteed to result in a ransom payment, so individual cars remain an unattractive target for now.
The real risk lies with fleet vehicles, such as those used by taxi and carsharing services, logistics companies, and government organizations. These vehicles are often equipped with aftermarket telematics and other standardized third-party hardware that typically has a lower security posture than factory-installed systems. They are also often integrated into the vehicle’s infrastructure in a less-than-secure way. Attacks on these systems could be highly scalable and pose significant financial and reputational threats to large fleet owners.
Another category of potential targets is represented by trucks, specialized machinery, and public transit vehicles, which are also equipped with aftermarket telematics systems. Architecturally, they are similar to passenger cars, which means they have similar security vulnerabilities. The potential damage from an attack on these vehicles can be severe, with just one day of downtime for a haul truck potentially resulting in hundreds of thousands of dollars in losses.
Investing in a secure future
Improving the current situation requires investment in automotive cybersecurity at every level, from the individual user to the government regulator. The driving forces behind this are consumers’ concern for their own safety and the government’s concern for the security of its citizens and national infrastructure.
Automotive cybersecurity is already a focus for researchers, cybersecurity service providers, government regulators, and major car manufacturers. Many automotive manufacturing corporations have established their own product security or product CERT teams, implemented processes for responding to new vulnerability reports, and made penetration testing a mandatory part of the development cycle. They have also begun to leverage cyberthreat intelligence and are adopting secure development methodologies and security by design. This is a growing trend, and this approach is expected to become standard practice for most automakers 10 years from now.
Simultaneously, specialized security operations centers (SOCs) for vehicles are being established. The underlying approach is remote data collection from vehicles for subsequent analysis of cybersecurity events. In theory, this data can be used to identify cyberattacks on cars’ systems and build a database of threat information. The industry is actively moving toward deploying these centers.
Since early March 2025, our systems have recorded an increase in detections of similar files with names like договор-2025-5.vbe, приложение.vbe, and dogovor.vbe (translation: contract, attachment) among employees at various Russian organizations. The targeted attack begins with bait emails containing malicious links, sent under the pretext of signing a contract. The campaign began in July 2024 and is still ongoing at the time of publication. The main goal of the attack is to infect organizations with the previously unknown Batavia spyware, which then proceeds to steal internal documents. The malware consists of the following malicious components: a VBA script and two executable files, which we will describe in this article. Kaspersky solutions detect these components as HEUR:Trojan.VBS.Batavia.gen and HEUR:Trojan-Spy.Win32.Batavia.gen.
First stage of infection: VBS script
As an example, we examined one of the emails users received in February. According to our research, the theme of these emails has remained largely unchanged since the start of the campaign.
Example of an email with a malicious link
In this email, the employee is asked to download a contract file supposedly attached to the message. In reality, the attached file is actually a malicious link: https://oblast-ru[.]com/oblast_download/?file=hc1-[redacted].
Notably, the sender’s address belongs to the same domain – oblast-ru[.]com, which is owned by the attackers. We also observed that the file=hc1-[redacted] argument is unique for each email and is used in subsequent stages of the infection, which we’ll discuss in more detail below.
When the link is clicked, an archive is downloaded to the user’s device, containing just one file: the script Договор-2025-2.vbe, encrypted using Microsoft’s proprietary algorithm (MD5: 2963FB4980127ADB7E045A0F743EAD05).
Snippet of the malicious script after decryption
The script is a downloader that retrieves a specially crafted string of 12 comma-separated parameters from the hardcoded URL https://oblast-ru[.]com/oblast_download/?file=hc1-[redacted]&vput2. These parameters are arguments for various malicious functions. For example, the script identifies the OS version of the infected device and sends it to the attackers’ C2 server.
#
Value
Description
1
\WebView.exe
Filename to save
2
Select * from Win32_OperatingSystem
Query to determine OS version and build number
3
Windows 11
OS version required for further execution
4
new:c08afd90-f2a1-11d1-8455-00a0c91f3880
ShellBrowserWindow object ID, used to open the downloaded file via the Navigate() method
5
new:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B
WScript.Shell object ID,
used to run the file via the Run() method
6
winmgmts:\\.\root\cimv2
WMI path used to retrieve OS version and build number
7
77;90;80;0
First bytes of the downloaded file
8
&dd=d
Additional URL arguments for file download
9
&i=s
Additional URL arguments for sending downloaded file size
10
&i=b
Additional URL arguments for sending OS build number
11
&i=re
Additional URL arguments for sending error information
12
\winws.txt
Empty file that will also be created on the device
By accessing the address https://oblast-ru[.]com/oblast_download/?file=hc1-[redacted]&dd=d, the script downloads the file WebView.exe (MD5: 5CFA142D1B912F31C9F761DDEFB3C288) and saves it to the %TEMP% directory, then executes it. If the OS version cannot be retrieved or does not match the one obtained from the C2 server, the downloader uses the Navigate() method; otherwise, it uses Run().
Second stage of infection: WebView.exe
WebView.exe is an executable file written in Delphi, with a size of 3,235,328 bytes. When launched, the malware downloads content from the link https://oblast-ru[.]com/oblast_download/?file=1hc1-[redacted]&view and saves it to the directory C:\Users[username]\AppData\Local\Temp\WebView, after which it displays the downloaded content in its window. At the time of analysis, the link was no longer active, but we assume it originally hosted the fake contract mentioned in the malicious email.
At the same time as displaying the window, the malware begins collecting information from the infected computer and sends it to an address with a different domain, but the same infection ID: https://ru-exchange[.]com/mexchange/?file=1hc1-[redacted]. The only difference from the ID used in the VBS script is the addition of the digit 1 at the beginning of the argument, which may indicate the next stage of infection.
The spyware collects several types of files, including various system logs and office documents found on the computer and removable media. Additionally, the malicious module periodically takes screenshots, which are also sent to the C2 server. To avoid sending the same files repeatedly, the malware creates a file named h12 in the %TEMP% directory and writes a 4-byte FNV-1a_32 hash of the first 40,000 bytes of each uploaded file. If the hash of any subsequent file matches a value in h12, that file is not sent again.
Type
Full path or mask
Pending file rename operations log
c:\windows\pfro.log
Driver install and update log
c:\windows\inf\setupapi.dev.log
System driver and OS component install log
c:\windows\inf\setupapi.setup.log
Programs list
Directory listing of c:\program files*
Office documents
*.doc, *.docx, *.ods, *.odt, *.pdf, *.xls, *.xlsx
In addition, WebView.exe downloads the next-stage executable from https://oblast-ru[.]com/oblast_download/?file=1hc1-[redacted]&de and saves it to %PROGRAMDATA%\jre_22.3\javav.exe. To execute this file, the malware creates a shortcut in the system startup folder: %APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\Jre22.3.lnk. This shortcut is triggered upon the first device reboot after infection, initiating the next stage of malicious activity.
Third stage of infection: javav.exe
The executable file javav.exe (MD5: 03B728A6F6AAB25A65F189857580E0BD) is written in C++, unlike WebView.exe. The malicious capabilities of the two files are largely similar; however, javav.exe includes several new functions.
For example, javav.exe collects files using the same masks as WebView.exe, but the list of targeted file extensions is expanded to include these formats:
Image and vector graphic: *.jpeg, *.jpg, *.cdr
Spreadsheets: *.csv
Emails: *.eml
Presentations: *.ppt, *.pptx, *.odp
Archives: *.rar, *.zip
Other text documents: *.rtf, *.txt
Like its predecessor, the third-stage module compares the hash sums of the obtained files to the contents of the h12 file. The newly collected data is sent to https://ru-exchange[.]com/mexchange/?file=2hc1-[redacted].
Note that at this stage, the digit 2 has been added to the infection ID.
Additionally, two new commands appear in the malware’s code: set to change the C2 server and exa/exb to download and execute additional files.
In a separate thread, the malware regularly sends requests to https://ru-exchange[.]com/mexchange/?set&file=2hc1-[redacted]&data=[xxxx], where [xxxx] is a randomly generated 4-character string. In response, javav.exe receives a new C2 address, encrypted with a 232-byte XOR key, which is saved to a file named settrn.txt.
In another thread, the malware periodically connects to https://ru-exchange[.]com/mexchange/?exa&file=2hc1-[redacted]&data=[xxxx] (where [xxxx] is also a string of four random characters). The server responds with a binary executable file, encrypted using a one-byte XOR key 7A and encoded using Base64. After decoding and decryption, the file is saved as %TEMP%\windowsmsg.exe. In addition to this, javav.exe sends requests to https://ru-exchange[.]com/mexchange/?exb&file=2hc1-[redacted]&data=[xxxx], asking for a command-line argument to pass to windowsmsg.exe.
To launch windowsmsg.exe, the malware uses a UAC bypass technique (T1548.002) involving the built-in Windows utility computerdefaults.exe, along with modification of two registry keys using the reg.exe utility.
At the time of analysis, downloading windowsmsg.exe from the C2 server was no longer possible. However, we assume that this file serves as the payload for the next stage – most likely containing additional malicious functionality.
Victims
The victims of the Batavia spyware campaign were Russian industrial enterprises. According to our telemetry data, more than 100 users across several dozen organizations received the bait emails.
Number of infections via VBS scripts, August 2024 – June 2025 (download)
Conclusion
Batavia is a new spyware that emerged in July 2024, targeting organizations in Russia. It spreads through malicious emails: by clicking a link disguised as an official document, unsuspecting users download a script that initiates a three-stage infection process on their device. As a result of the attack, Batavia exfiltrates the victim’s documents, as well as information such as a list of installed programs, drivers, and operating system components.
To avoid falling victim to such attacks, organizations must take a comprehensive approach to infrastructure protection, employing a suite of security tools that include threat hunting, incident detection, and response capabilities. Kaspersky Next XDR Expert is a solution for organizations of all sizes that enables flexible, effective workplace security. It’s also worth noting that the initial infection vector in this campaign is bait emails. This highlights the importance of regular employee training and raising awareness of corporate cybersecurity practices. We recommend specialized courses available on the Kaspersky Automated Security Awareness Platform, which help reduce employees’ susceptibility to email-based cyberattacks.
Cyberattackers often view small and medium-sized businesses (SMBs) as easier targets, assuming their security measures are less robust than those of larger enterprises. In fact, attacks through contractors, also known as trusted relationship attacks, remain one of the top three methods used to breach corporate networks. With SMBs generally being less protected than large enterprises, this makes them especially attractive to both opportunistic cybercriminals and sophisticated threat actors.
At the same time, AI-driven attacks are becoming increasingly common, making phishing and malware campaigns easier to prepare and quickly adapt, thus increasing their scale. Meanwhile, cybersecurity regulations are tightening, adding more compliance pressure on SMBs.
Improving your security posture has never been more critical. Kaspersky highlights key attack vectors every SMB should be aware of to stay protected.
How malware and potentially unwanted applications (PUAs) are disguised as popular services
Kaspersky analysts have used data from the Kaspersky Security Network (KSN) to explore how frequently malicious and unwanted files and programs are disguised as legitimate applications commonly used by SMBs. The KSN is a system for processing anonymized cyberthreat-related data shared voluntarily by opted-in Kaspersky users. For this research, only data received from the users of Kaspersky solutions for SMBs were analyzed. The research focused on the following applications:
ChatGPT
Cisco AnyConnect
Google Drive
Google Meet
DeepSeek
Microsoft Excel
Microsoft Outlook
Microsoft PowerPoint
Microsoft Teams
Microsoft Word
Salesforce
Zoom
Between January and April 2025 alone, nearly 8,500 SMB users encountered cyberattacks in which malware or PUAs were disguised as these popular tools.
Among the detected threats, the highest number (1652) of unique malicious and potentially unwanted files mimicked Zoom, the widely used video conferencing platform. This accounted for nearly 41% of all unique files detected, a 14-percentage point increase compared to 2024. Microsoft Office applications remained frequent targets for impersonation: Outlook and PowerPoint each accounted for 16%, Excel for nearly 12%, while Word and Teams made up 9% and 5%, respectively.
Share of unique files with names mimicking the nine most popular legitimate applications in 2024 and 2025 (download)
A comparison of the threat landscape in 2024 and 2025 reveals a clear shift: with the growing popularity of AI services, cyberattackers are increasingly disguising malware as various AI tools. According to our analysis, the number of unique malicious files mimicking ChatGPT grew by 115%, reaching 177 in the first four months of 2025. This contributed to a three-percentage-point increase in the tool’s share among the most mimicked applications. DeepSeek, a large language model launched only in 2025, has immediately appeared on the list of impersonated tools.
Another cybercriminal tactic to watch for in 2025 is the growing use of collaboration platform brands to trick users into downloading or launching malware and PUAs. As mentioned above, the share of threats disguised as Zoom increased by 14 percentage points, reaching 1652 unique files, while Microsoft Teams and Google Drive saw increases of over three and one percentage points, respectively, with 206 and 132 cases. This pattern likely reflects the normalization of remote work and geographically distributed teams, which has made these platforms integral to business operations across industries.
Attackers are clearly leveraging the popularity and credibility of these services to increase the success rate of their campaigns.
Malicious file names mimicking popular services
2024
2025
2025 vs 2024
Zoom
26.24%
40.86%
14.62 p.p.
Microsoft Teams
1.84%
5.10%
3.25 p.p.
ChatGPT
1.47%
4.38%
2.9 p.p.
DeepSeek
0
2.05%
–
Google Drive
2.11%
3.26%
1.15 p.p.
The total number of unique malicious and unwanted files imitating legitimate applications slightly declined year-over-year, from 5,587 in 2024 to 4,043 in 2025.
Main types of threats affecting the SMB Sector, 2025 (download)
The top threats targeting SMBs in 2025 included downloaders, Trojans, and adware.
Leading the list are downloaders, potentially unwanted applications designed to install additional content from the internet, often without clearly informing the user of what’s being downloaded. While not inherently malicious, these tools are frequently exploited by attackers to deliver harmful payloads to victims’ devices.
Trojans ranked next. These are malicious programs that carry out unauthorized actions such as deleting, blocking, modifying, or copying data, or disrupting the normal operation of computers and networks. Trojans are among the most prevalent forms of malware, and cyberattackers continue to use them in a wide range of malicious campaigns.
Adware also made the top three list. These programs are designed to display advertisements on infected computers or substitute a promotional website for the default search engine in a browser. Adware often comes bundled with freeware or shareware, effectively serving as the price for using the free software. In some cases, Trojans silently download and install adware onto the victim’s machine.
Among other common types of threats were DangerousObject, Trojan-Dropper, Backdoor, Trojan-Downloader, HackTool, Trojan-PSW, and PSW-Tool. For instance, we recently identified a campaign involving a Trojan-Downloader called “TookPS“, which was distributed through fake websites imitating legitimate remote access and 3D modeling software.
How scammers and phishers trick victims into giving up accounts and money
We continue to observe a wide range of phishing campaigns and scams targeting SMBs. Attackers aim to steal login credentials for various services, from delivery platforms to banking systems, or manipulate victims into sending them money.
To do this, cyberattackers use a variety of lures, often imitating landing pages from brands commonly used by SMBs. One example is a phishing attempt targeting Google business accounts. The bait lures victims with the promise of promoting their company on X. It requires them to first log in to a dedicated platform using their Google account with credentials that will end up in cyberattackers’ hands.
Another fake landing page impersonated a bank that offered business loans: a “Global Trust Bank”. Since legitimate organizations with that name exist in multiple countries, this phishing attempt may have seemed believable. The attackers tried to lure users with favorable business loan terms – but only after victims submitted their online banking credentials, giving the criminals access to their accounts.
We also saw a range of phishing emails targeting SMBs. In one recent case detected by our systems, the attacker sent a fake notification allegedly from DocuSign, an electronic document-signing service.
SMBs can even find themselves targeted by classic Nigerian scams. In one recent example, the sender claimed to represent a wealthy client from Turkey who wanted to move $33 million abroad to allegedly avoid sanctions, and invited the recipient to handle the funds. In Nigerian scams, fraudsters typically cajole money. They may later request a relatively small payment to a manager or lawyer compared to the amount originally promised.
Beyond these threats, SMBs are bombarded daily with hundreds of spam emails. Some promise attractive deals on email marketing or loans; others offer services like reputation management, content creation, or lead generation. In general, these offers are crafted to reflect the typical needs of small businesses. Not surprisingly, AI has also made its way into the spam folder – with offers to automate various business processes.
We have also seen spammers offering dubious deals like purchasing a database of over 400,000 businesses for $100, supposedly to be used for selling the company’s B2B products, or manipulating reviews on a review platform.
Security tips
SMBs can reduce risks and ensure business continuity by investing in comprehensive cybersecurity solutions and increasing employee awareness. It is essential to implement robust measures such as spam filters, email authentication protocols, and strict verification procedures for financial transactions and the handling of sensitive information.
Another key step toward cyber resilience is promoting awareness about the importance of comprehensive security procedures and ensuring they are regularly updated. Regular security training sessions, strong password practices, and multi-factor authentication can significantly reduce the risk of phishing and fraud.
It is also worth noting that searching for software through search engines is an insecure practice, and should be prohibited in the organization. If you need to implement new tools or replace existing ones, make sure they are downloaded from official sources and installed on a centralized basis by your IT team.
Cybersecurity Action Plan for SMBs
Define access rules for corporate resources such as email accounts, shared folders, and online documents. Monitor and limit the number of individuals with access to critical company data. Keep access lists up to date and revoke access promptly when employees leave the company. Use cloud access security brokers to monitor and control employee activities within cloud services and enforce security policies.
Regularly back up important data to ensure the preservation of corporate information in case of emergencies or cyberincidents.
Establish clear guidelines for using external services and resources. Create well-defined procedures for coordinating specific tasks, such as implementing new software, with the IT department and other responsible managers. Develop short, easy-to-understand cybersecurity guidelines for employees, with a special focus on account and password management, email protection, and safe web browsing. A well-rounded training program will equip employees with the knowledge they need and the ability to apply it in practice.
Implement specialized cybersecurity solutions that provide visibility and control over cloud services, such as Kaspersky Next.
Login
