Check Point Releases Its Global Threat Index 2025

Cyber security solutions provider, Check Point Software Technologies, has released its Global Threat Index for February 2025. The report highlights the rise of AsyncRAT, a remote access Trojan (RAT) that continues to evolve as a serious threat within the cyber landscape.
Security researchers have observed that AsyncRAT is being utilized in increasingly sophisticated campaigns, leveraging platforms like TryCloudflare and Dropbox to distribute malware. This reflects the growing trend of exploiting legitimate platforms to bypass security defenses and ensure persistence across targeted networks. The attacks typically begin with phishing emails containing Dropbox URLs, leading to a multi-step infection process involving LNK, JavaScript, and BAT files.
“Cybercriminals are leveraging legitimate platforms to deploy malware and avoid detection. Organisations must remain vigilant and implement proactive security measures to mitigate the risks of such evolving threats,” Maya Horowitz, VP of Research at Check Point Software, commented.
Top Targeted Countries
The most targeted country, according to the Index, remains Ethiopia, followed by Zimbabwe, Uganda, Nigeria, Angola, Kenya, Mozambique and Ghana. Kenya was ranked 13th with a Normalised Risk Index of 61.1.
Egypt was once again the best performing country in Africa out of the 109 surveyed in the Index, sitting at position 107 with a significantly lower Normalised Risk Index of 25.9, down from 31.1 the previous month.
“Kenya, in recent years, has witnessed a rapid increase in cyber incidents, emphasizing the urgent need for robust cyber security measures,” says John Paul Onyango, Country Manager, East Africa, Check Point Software Technologies.
Top Malware Families
The arrows indicate the change in rank compared to the previous month. FakeUpdates was the most prevalent malware in February, closely followed by Androxgh0st and Remcos, each impacting 3% of organisations worldwide.
FakeUpdates (AKA SocGholish) continues to dominate, delivering secondary payloads through drive-by downloads on compromised or malicious websites. This malware is often linked to the Russian hacking group Evil Corp and remains a significant threat for organisations globally.
Androxgh0st, on the other hand, is a Python-based malware targeting Laravel applications that has risen in the ranks. It scans for exposed .env files, which often contain sensitive information such as login credentials, and exfiltrates them. Once access is gained, additional malware can be deployed and cloud resources exploited.
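As an added, defender-side example (not code from the Check Point report), the following Python parses constructed web-server access-log lines and flags requests for .env files of the kind Androxgh0st probes for, distinguishing a mere probe from an actual disclosure (an HTTP 200 with a body). The log format, the regexes and the sample lines are assumptions made for this illustration.

```python
import re

# Matches the common Apache/nginx access-log prefix (constructed regex, an assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)
# .env is the file the report names; also matching suffixed variants such as
# .env.bak is an assumption about how such probes are commonly written.
ENV_PATH_RE = re.compile(r'(^|/)\.env(\.[\w.-]+)?$', re.IGNORECASE)

def parse_line(line):
    """Parse one access-log line into a dict, or return None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec

def find_env_probes(lines):
    """Return (ip, path, status, served) for each request to a .env-style path.
    served is True only for a 200 with a non-empty body: the secrets file was
    actually disclosed, not merely probed."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not ENV_PATH_RE.search(rec["path"]):
            continue
        served = rec["status"] == 200 and rec["size"] not in ("-", "0")
        hits.append((rec["ip"], rec["path"], rec["status"], served))
    return hits

# Constructed sample lines; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Feb/2025:10:01:02 +0000] "GET /.env HTTP/1.1" 200 612
203.0.113.5 - - [12/Feb/2025:10:01:03 +0000] "GET /api/.env HTTP/1.1" 404 153
203.0.113.5 - - [12/Feb/2025:10:01:04 +0000] "GET /.env.bak?x=1 HTTP/1.1" 403 199
198.51.100.9 - - [12/Feb/2025:10:05:44 +0000] "GET /index.php HTTP/1.1" 200 4821
this line is not in access-log format
""".splitlines()

if __name__ == "__main__":
    for ip, path, status, served in find_env_probes(SAMPLE_LOG):
        verdict = "DISCLOSED" if served else "probe only"
        print(f"{ip} requested {path} -> {status} ({verdict})")
```

A 200 hit is the case to treat as an incident: rotate every secret the file held, since the report notes the credentials are exfiltrated and then used for follow-on access.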
Remcos, a Remote Access Trojan (RAT), remains a top malware strain, frequently used in phishing campaigns. Its ability to bypass security mechanisms, such as User Account Control (UAC), makes it a versatile tool for cybercriminals.
Top Mobile Malware
Anubis continues to rank as the top mobile malware. It remains a significant banking trojan, capable of bypassing multi-factor authentication (MFA), keylogging, and performing ransomware functions.
Necro, a malicious Android downloader, has moved up in rank. It allows cybercriminals to execute harmful components based on commands from its creators, enabling a range of malicious actions on infected devices.
Lastly, AhMyth, a remote access trojan (RAT) targeting Android devices, has slightly decreased in prevalence. It remains a significant threat due to its ability to exfiltrate sensitive information such as banking credentials and MFA codes.
Top Ransomware Groups
Clop remains the most prevalent ransomware group, responsible for 35 percent of the published attacks. It is followed by RansomHub and Akira.
Clop continues to be a major player in the ransomware space, utilising the “double extortion” tactic to threaten victims with the public release of stolen data unless a ransom is paid.
A prominent Ransomware-as-a-Service (RaaS) operation, RansomHub emerged as a rebranded version of Knight ransomware. It has quickly gained notoriety for its sophisticated and widespread campaigns targeting various systems, including Windows, macOS, and Linux.
Akira, a newer ransomware group, focuses on targeting Windows and Linux systems. The group has been linked to phishing campaigns and exploits in VPN endpoints, making it a serious threat for organisations.