FakeUpdates, Remcos, AgentTesla Top Malware Charts in Stealth Attack Surge

Check Point’s April 2025 malware report reveals increasingly sophisticated and hidden attacks using familiar malware like FakeUpdates, Remcos, and AgentTesla. Education remains the top targeted sector. Learn about the latest cyber threats and how to stay protected.
Check Point Research (CPR) has revealed its findings for April 2025, which describe a concerning trend of attackers using more complex and sneaky methods to deliver harmful software. Although some well-known malware families remain prevalent, the methods used to infect systems are becoming more sophisticated, making them harder to detect.
According to CPR, most attacks discovered in April involved phishing emails disguised as order confirmations. These emails contained a hidden 7-Zip file that released scrambled instructions, leading to the installation of common malware like AgentTesla, Remcos, and XLoader.
The attacks were particularly concerning due to their well-hidden nature, using encoded scripts and injecting malicious software into legitimate Windows processes. Researchers also noted a “dangerous convergence of commodity tools with advanced threat actor tactics,” meaning even basic malware is now being used in highly sophisticated operations, CPR’s blog post read.
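The chain described above (an order-confirmation lure, an archive attachment, and an encoded script that is later read by a script host) is the kind of pattern a mail gateway or SOC triage script can score before a user ever opens the attachment. The Python below is an added example written for this page, not code from Check Point Research or HackRead; the mail records, the internal domain `corp.test`, the archive listing and the encoded command line are all constructed for the example, and the scoring weights are illustrative choices rather than anything the report specifies.

```python
"""Triage helpers for the order-confirmation / archive / encoded-script lure (constructed example)."""
import base64
import re

INTERNAL_DOMAIN = "corp.test"  # assumed internal mail domain for this example

# Constructed sample mail-gateway records; these are not real messages or indicators.
SAMPLE_MESSAGES = [
    {"subject": "Order Confirmation #48213",
     "sender": "billing@shop.example",
     "attachments": ["order_48213.7z"]},
    {"subject": "Team lunch on Friday",
     "sender": "alice@corp.test",
     "attachments": []},
    {"subject": "Your order has shipped",
     "sender": "noreply@courier.example",
     "attachments": ["tracking.pdf"]},
]

ORDER_THEMES = ("order confirmation", "purchase order", "order has shipped", "invoice")
ARCHIVE_EXTENSIONS = (".7z", ".zip", ".rar", ".iso", ".img")
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".bat", ".cmd")


def score_message(msg):
    """Return (score, reasons) for one mail record; higher means closer to the lure described."""
    score, reasons = 0, []
    subject = msg["subject"].lower()
    if any(theme in subject for theme in ORDER_THEMES):
        score += 1
        reasons.append("order-themed subject")
    if not msg["sender"].lower().endswith("@" + INTERNAL_DOMAIN):
        score += 1
        reasons.append("external sender")
    archives = [a for a in msg["attachments"] if a.lower().endswith(ARCHIVE_EXTENSIONS)]
    if archives:
        score += 2  # archives hide the real payload from simple attachment filters
        reasons.append("archive attachment: " + ", ".join(archives))
    return score, reasons


def triage(messages, threshold=3):
    """Return the subjects of messages whose score reaches the threshold (candidates for quarantine/review)."""
    return [m["subject"] for m in messages if score_message(m)[0] >= threshold]


def archive_members_of_concern(member_names):
    """Given the file listing of an unpacked archive (as a sandbox or gateway unpack step would
    produce it), return the members that are script files rather than documents."""
    return [n for n in member_names if n.lower().endswith(SCRIPT_EXTENSIONS)]


# Matches "-enc", "-encodedcommand" or "-e" followed by a base64 blob of plausible length.
_ENC_RE = re.compile(r"(?i)-(?:enc|encodedcommand|e)\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_powershell(cmdline):
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE text) so an analyst can read
    the hidden script from a process-creation log line. Returns None when nothing decodes cleanly."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed command line, built here so the example stays self-contained; the payload is harmless.
SAMPLE_CMDLINE = "powershell.exe -nop -w hidden -enc " + base64.b64encode(
    "Write-Host hello".encode("utf-16le")).decode("ascii")


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["subject"], score_message(msg))
    print("flagged:", triage(SAMPLE_MESSAGES))
    print("scripts in archive:", archive_members_of_concern(["order_48213.js", "readme.txt"]))
    print("decoded:", decode_encoded_powershell(SAMPLE_CMDLINE))
```

The scoring deliberately weights the archive attachment highest, because the report's point is that the archive is what hides the encoded script from attachment-type filters; the decoder exists so that an encoded command line captured in process-creation telemetry can be read as plain text during review rather than treated as opaque.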
Despite these new sneaky methods, some familiar names still topped the list of most prevalent malware in April, including the following:
FakeUpdates: This malware remained the most widespread, affecting 6% of organizations globally. It tricks users into installing fake browser updates from compromised websites, has been linked to the Russian hacking group Evil Corp, and is used to deliver further malicious software.
Remcos: This remote access tool, often spread through malicious documents in phishing emails, can bypass Windows security features, giving attackers high-level control over infected systems.
AgentTesla: This advanced tool can log keystrokes, steal passwords, take screenshots, and grab login details for various applications. It is openly sold online.
Analysis of malware families revealed a rise in Androxgh0st usage, which targets web applications to steal sensitive information, while the use of the remote access tool AsyncRat has declined. Other notable families in the top ten included Formbook, Lumma Stealer, Phorpiex, Amadey, and Raspberry Robin.
In April, SatanLock emerged as a new ransomware group, listing numerous victims on its data leak site. However, most of these victims had already been claimed by other groups, indicating a potentially competitive environment within the cybercrime community. Akira was the most prevalent ransomware group, followed by SatanLock and Qilin.
Mobile devices remain a significant target, with Anubis, AhMyth, and Hydra topping the list of mobile malware in April. Most concerning is that these malware families are becoming increasingly sophisticated, offering remote access, ransomware capabilities, and interception of multi-factor authentication codes.
Furthermore, for a third consecutive month, the education sector remained the most vulnerable globally, probably due to its large user base and weak cybersecurity infrastructure. Government and telecommunications sectors followed closely. Regional analysis showed varying malware trends, with Latin America and Eastern Europe experiencing more FakeUpdates and Phorpiex, and Asia witnessing increased activity of Remcos and AgentTesla.
Given this increasingly complex and persistent cyber threat environment, CPR recommends that organizations adopt a “prevention-first” strategy, including employee training on phishing, regular software updates, and the implementation of advanced threat prevention solutions to detect and block these sophisticated attacks before they can cause harm.
HackRead