Check Point Software Technologies has released its Global Threat Index for February 2025, highlighting the rise of AsyncRAT, a remote access Trojan (RAT) that continues to evolve as a serious threat within the cyber landscape.

Once again, Ethiopia retained its top spot as the country most targeted by malware actors, followed by Zimbabwe, Uganda, Nigeria, Angola, Kenya, Mozambique and Ghana, all among the Top 20 most targeted countries. South Africa was ranked 59th with a Normalised Risk Index of 40, compared with 66th the previous month.

Security researchers have observed that AsyncRAT is being utilised in increasingly sophisticated campaigns, leveraging platforms like TryCloudflare and Dropbox to distribute malware. This reflects the growing trend of exploiting legitimate platforms to bypass security defenses and ensure persistence across targeted networks.

The attacks typically begin with phishing emails containing Dropbox URLs, leading to a multi-step infection process involving LNK, JavaScript, and BAT files.

Maya Horowitz, vice-president of research at Check Point Software, comments: “Cybercriminals are leveraging legitimate platforms to deploy malware and avoid detection. Organisations must remain vigilant and implement proactive security measures to mitigate the risks of such evolving threats.”


Threat Index Per African Country

  • Ethiopia remains in first place with a Normalised Risk Index of 100.
  • Zimbabwe was ranked sixth, its Normalised Risk Index dropping from 77,7 to 74,8.
  • Uganda was ranked ninth with a Normalised Risk Index of 64,8.
  • Nigeria was ranked 10th, up from position 11, with a Normalised Risk Index of 63,1.
  • Angola was ranked 11th with a Normalised Risk Index of 62,6.
  • Kenya was ranked 13th with a higher Normalised Risk Index of 61,1.
  • Mozambique was ranked 14th with a Normalised Risk Index of 60,3.
  • Ghana remained in 16th position with a Normalised Risk Index of 59,4.

Egypt was once again the best-performing country in Africa of the 109 surveyed in the Index, sitting at position 107 with a Normalised Risk Index of 25,9, significantly down from 31,1 the previous month.

“The cyber security landscape in South Africa reflects the broader challenges facing Africa. With increasing digital transformation in critical sectors such as finance, education, and government, we are also witnessing a sharp rise in sophisticated cyber threats,” says Lionel Dartnall, SADC country manager of Check Point Software Technologies.


Top Malware Families

The arrows indicate the change in rank compared to the previous month. FakeUpdates was the most prevalent malware in February, closely followed by Androxgh0st and Remcos, all three impacting 3% of organisations worldwide.

  1. ↔ FakeUpdates – FakeUpdates (AKA SocGholish) continues to dominate, delivering secondary payloads through drive-by downloads on compromised or malicious websites. This malware is often linked to the Russian hacking group Evil Corp and remains a significant threat for organisations globally.
  2. ↑ Androxgh0st – Androxgh0st, a Python-based malware targeting Laravel applications, has risen in the ranks. It scans for exposed .env files, often containing sensitive information such as login credentials, which it then exfiltrates. Once access is gained, additional malware can be deployed, and cloud resources can be exploited.
  3. ↔ Remcos – Remcos, a Remote Access Trojan (RAT), remains a top malware strain, frequently used in phishing campaigns. Its ability to bypass security mechanisms, such as User Account Control (UAC), makes it a versatile tool for cybercriminals.
  4. ↑ AsyncRAT – AsyncRAT is a remote access Trojan (RAT) that targets Windows systems and was first identified in 2019. It exfiltrates system information to a command-and-control server and can execute various commands, such as downloading plugins, terminating processes, capturing screenshots, and updating itself. Typically distributed through phishing campaigns, AsyncRAT is utilised for data theft and system compromise.
  5. ↑ AgentTesla – AgentTesla is an advanced RAT (remote access Trojan) that functions as a keylogger and password stealer. Active since 2014, AgentTesla can monitor and collect the victim’s keyboard input and system clipboard, record screenshots, and exfiltrate credentials entered for a variety of software installed on the victim’s machine (including Google Chrome, Mozilla Firefox, and the Microsoft Outlook email client). AgentTesla is openly sold as a legitimate RAT, with customers paying $15 – $69 for user licenses.


Top Mobile Malware

  1. ↔ Anubis – Anubis continues to rank as the top mobile malware. It remains a significant banking trojan, capable of bypassing multi-factor authentication (MFA), keylogging, and performing ransomware functions.
  2. ↑ Necro – Necro, a malicious Android downloader, has moved up in rank. It allows cybercriminals to execute harmful components based on commands from its creators, enabling a range of malicious actions on infected devices.
  3. ↓ AhMyth – AhMyth, a remote access trojan (RAT) targeting Android devices, has slightly decreased in prevalence. It remains a significant threat due to its ability to exfiltrate sensitive information such as banking credentials and MFA codes.


Top-Attacked Industries Globally

  1. Education
  2. Telecommunications
  3. Government


Top Ransomware Groups

Clop remains the most prevalent ransomware group, responsible for 35% of the published attacks. It is followed by RansomHub and Akira.

  1. Clop – Clop continues to be a major player in the ransomware space, utilising the “double extortion” tactic to threaten victims with the public release of stolen data unless a ransom is paid.
  2. RansomHub – A prominent Ransomware-as-a-Service (RaaS) operation, RansomHub emerged as a rebranded version of Knight ransomware. It has quickly gained notoriety for its sophisticated and widespread campaigns targeting various systems, including Windows, macOS, and Linux.
  3. Akira – Akira, a newer ransomware group, focuses on targeting Windows and Linux systems. The group has been linked to phishing campaigns and exploits in VPN endpoints, making it a serious threat for organisations.