India Faces Surge in FakeUpdates Malware and Remote Access Trojans: Check Point

The tactics used by these groups are becoming increasingly sophisticated, and the competition between them is intensifying.

Check Point Software Technologies Ltd has published its Global Threat Index for May 2025. SafePay, a relatively new and rapidly growing ransomware group that employs a double extortion strategy, has overtaken other threats this month to top the ransomware group list, while FakeUpdates continues to dominate as the most widespread malware, impacting organizations worldwide.

The education sector remains the most targeted industry, reflecting ongoing vulnerabilities across institutions. In India, the top malware threats are FakeUpdates, a downloader spread via fake browser update prompts on compromised websites; Remcos, a remote access Trojan delivered through malicious Office documents in spam emails; and Androxgh0st, a Python-based malware targeting Laravel-based applications to extract sensitive cloud service credentials.

In May, Europol, the FBI, Microsoft, and other partners launched a major operation targeting Lumma, a prominent malware-as-a-service platform. The takedown seized thousands of domains, significantly disrupting the operation. However, Lumma's core Russia-based servers were claimed to have remained operational, and its developers swiftly restored the infrastructure. Even so, the operation did cause reputational harm by using psychological tactics such as phishing to create distrust among Lumma's users. While the technical disruption was significant, Lumma-related data continues to circulate, raising concerns about the long-term impact of the takedown.

Lotem Finkelstein, Director of Threat Intelligence at Check Point Software, stated, “May's Global Threat Index data underscores the growing sophistication of cybercriminal tactics. With the rise of groups like SafePay and the persistent threat of FakeUpdates, organizations must adopt proactive, multi-layered security measures. As cyber threats become more advanced, it's crucial to stay ahead of evolving attacks with real-time threat intelligence and robust defenses.”

Top Malware Families

(The arrows indicate the change in rank compared to April.)

↔ FakeUpdates - FakeUpdates (AKA SocGholish) is a downloader malware that was initially discovered in 2018. It is spread through drive-by downloads on compromised or malicious websites, prompting users to install a fake browser update. FakeUpdates is associated with the Russian hacking group Evil Corp and is used to deliver various secondary payloads after the initial infection.

↔ Remcos - Remcos is a Remote Access Trojan (RAT) first observed in 2016, often distributed through malicious documents in phishing campaigns. It is designed to bypass Windows security mechanisms, such as UAC, and execute malware with elevated privileges, making it a versatile tool for threat actors.

Androxgh0st - AndroxGh0st is a Python-based malware that targets applications using the Laravel PHP framework by scanning for exposed .env files containing sensitive information such as login credentials for services like AWS, Twilio, Office 365, and SendGrid. It uses a botnet to identify websites running Laravel and extract confidential data. Once access is gained, attackers can deploy additional malware, establish backdoor connections, and exploit cloud resources for activities like cryptocurrency mining.
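The .env scanning described above leaves a clear trace in web-server access logs. The following is an added example (not Check Point's code or part of the report) that flags requests for .env files per source address and, more importantly, separates probes that were refused from probes the server actually answered with a 2xx, since a served .env means the credentials in it must be treated as compromised and rotated. It assumes combined log format; the log lines are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample of combined-format access-log lines; addresses,
# timestamps and paths are made up for this example (RFC 5737 test ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2025:10:01:02 +0000] "GET /.env HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2025:10:01:03 +0000] "GET /app/.env.bak HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.4 - - [12/May/2025:10:02:10 +0000] "GET /index.php?page=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2025:10:02:11 +0000] "GET /.env?x=1 HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Last path segment is ".env" or ".env.<suffix>" (backups like .env.bak count too).
ENV_RE = re.compile(r'(^|/)\.env(\.[^/]*)?$')


def parse_line(line):
    """Return the fields needed from one access-log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("target").split("?", 1)[0]  # drop the query string
    return {"ip": m.group("ip"), "path": path, "status": int(m.group("status"))}


def find_env_probes(log_text):
    """Group .env requests per source IP.

    'probes' counts every request for a .env path; 'served' counts only the
    2xx responses, i.e. cases where the server actually handed the file over.
    """
    hits = defaultdict(lambda: {"probes": 0, "served": 0, "paths": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not ENV_RE.search(rec["path"]):
            continue
        h = hits[rec["ip"]]
        h["probes"] += 1
        h["paths"].add(rec["path"])
        if 200 <= rec["status"] < 300:
            h["served"] += 1
    # Sorted lists instead of sets so the result is stable and serialisable.
    return {ip: {**h, "paths": sorted(h["paths"])} for ip, h in hits.items()}


if __name__ == "__main__":
    for ip, h in find_env_probes(SAMPLE_LOG).items():
        print(f"{ip}: {h['probes']} probes, {h['served']} served, paths={h['paths']}")
```

Any source with served > 0 is an incident, not a scan: rotate every credential the file held and check that the web server denies dotfiles outside the public document root.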

Top Ransomware Groups

Ransomware continues to dominate the cybercrime landscape. This month, SafePay emerges as the most significant ransomware threat, with a new generation of operators targeting both large enterprises and smaller businesses. The tactics used by these groups are becoming increasingly sophisticated, and the competition between them is intensifying.

SafePay is a ransomware group first observed in November 2024, with indicators suggesting a possible Russian affiliation. The group operates a double extortion model—encrypting victims’ files while exfiltrating sensitive data to increase pressure for payment. Despite not operating as a Ransomware-as-a-Service (RaaS), SafePay has listed an unusually high number of victims. Its centralized, internally driven structure leads to consistent tactics, techniques, and procedures (TTPs) and focused targeting.

Qilin, also referred to as Agenda, is a ransomware-as-a-service criminal operation that collaborates with affiliates to encrypt and exfiltrate data from compromised organizations, subsequently demanding a ransom. This ransomware variant was first detected in July 2022 and is developed in Golang. Agenda is known for targeting large enterprises and high-value organizations, with a particular focus on the healthcare and education sectors. Qilin typically infiltrates victims via phishing emails containing malicious links to establish access to their networks and exfiltrate sensitive information. Once inside, Qilin usually moves laterally through the victim's infrastructure, seeking critical data to encrypt.

Play Ransomware, also referred to as PlayCrypt, is a ransomware that first emerged in June 2022. This ransomware has targeted a broad spectrum of businesses and critical infrastructure across North America, South America, and Europe, affecting approximately 300 entities by October 2023. Play Ransomware typically gains access to networks through compromised valid accounts or by exploiting unpatched vulnerabilities, such as those in Fortinet SSL VPNs. Once inside, it employs techniques like using living-off-the-land binaries (LOLBins) for tasks such as data exfiltration and credential theft.

Data based on insights from ransomware "shame sites" run by double-extortion ransomware groups.

Top Mobile Malware

Anubis - Anubis is a versatile banking trojan that originated on Android devices and has evolved to include advanced capabilities such as bypassing multi-factor authentication (MFA) by intercepting SMS-based one-time passwords (OTPs), keylogging, audio recording, and ransomware functions. It is often distributed through malicious apps on the Google Play Store and has become one of the most prevalent mobile malware families. Additionally, Anubis includes remote access trojan (RAT) features, enabling extensive surveillance and control over infected systems.

AhMyth - AhMyth is a remote access trojan (RAT) targeting Android devices, typically disguised as legitimate apps like screen recorders, games, or cryptocurrency tools. Once installed, it gains extensive permissions to persist after reboot and exfiltrate sensitive information such as banking credentials, cryptocurrency wallet details, multi-factor authentication (MFA) codes, and passwords. AhMyth also enables keylogging, screen capture, camera and microphone access, and SMS interception, making it a versatile tool for data theft and other malicious activities.

Necro - Necro is a malicious Android downloader that retrieves and executes harmful components on infected devices based on commands from its creators. It has been discovered in several popular apps on Google Play, as well as in modified versions of apps such as Spotify, WhatsApp, and Minecraft distributed on unofficial platforms. Necro is capable of downloading dangerous modules to smartphones, enabling actions such as displaying and clicking on invisible ads, downloading executable files, and installing third-party apps. It can also open hidden windows to run JavaScript, potentially subscribing users to unwanted paid services. Furthermore, Necro can reroute internet traffic through compromised devices, turning them into part of a proxy botnet for cybercriminals.

Top-Attacked Industries

The education sector continues to be the most targeted industry in May 2025, followed closely by government and telecommunications sectors. These industries remain prime targets due to their critical infrastructure and large user bases, making them vulnerable to a wide range of cyberattacks.

  • Education
  • Government
  • Telecommunications

May’s data highlights the continued rise of sophisticated, multi-stage malware campaigns, with SafePay emerging as a prominent ransomware threat. As FakeUpdates maintains its position as the most widespread malware, new actors like SafePay and the ongoing operations against Lumma infostealer demonstrate the evolving complexity of cyberattacks. The education sector remains a prime target, further emphasizing the need for organizations to adopt proactive, layered security measures to defend against these increasingly sophisticated threats.

DIGITAL TERMINAL
digitalterminal.in