Malware Rankings for March: FakeUpdates Dominates in Germany

Cybercriminals ramp up attacks using FakeUpdates and RansomHub as key tools.
This month, security researchers uncovered a new infiltration campaign in which the ransomware group RansomHub initiates its attacks via the FakeUpdates malware. The most widespread malware in March drew attention through a dangerous attack chain: in a series of incidents, it compromised websites, deployed fraudulent Keitaro TDS instances, and circulated fake browser update prompts to trick users into downloading FakeUpdates.
This obfuscated JavaScript loader enables data exfiltration, command execution, and persistent access for further exploitation. These findings highlight evolving hacker tactics, including the increasing abuse of legitimate platforms like Dropbox and TryCloudflare to evade detection and maintain persistence.
In addition, other researchers identified a massive Lumma Stealer phishing campaign that put over 1,150 companies and 7,000 users across North America, Southern Europe, and Asia at risk. Attackers distributed nearly 5,000 malicious PDFs hosted on Webflow’s CDN, using fake CAPTCHA images to trigger PowerShell commands and install malware.
Experts also linked the Lumma Stealer to fake Roblox games and a pirated, trojan-infected Windows Total Commander tool spread through hijacked YouTube accounts. These findings come from Check Point’s monthly Global Threat Index.
Top Malware in Germany
(Arrows indicate ranking change compared to the previous month)
↑ FakeUpdates (4.87%)
Also known as SocGholish, FakeUpdates is a downloader malware first discovered in 2018. It’s distributed via drive-by downloads on compromised or malicious websites and tricks users into installing fake browser updates. The malware is associated with the Russian hacker group Evil Corp and is used to deliver various secondary payloads after initial infection.
↓ Androxgh0st (2.25%)
AndroxGh0st is a Python-based malware targeting applications built with the Laravel PHP framework. It searches for exposed .env files that may contain sensitive credentials for services like AWS, Twilio, Office 365, and SendGrid. It uses a botnet to find Laravel-powered websites and steal confidential data. Once access is gained, attackers can deploy additional malware, establish backdoors, and exploit cloud resources for activities like cryptocurrency mining.
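Because AndroxGh0st's first step is probing for exposed .env files, a web server's access log is a good place to look for both the probing and, worse, a successful fetch. The following is an added example, not code from Check Point or from the article; it assumes Apache/nginx combined log format and uses constructed sample lines.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format); not taken from the article.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2025:10:01:02 +0000] "GET /.env HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2025:10:01:03 +0000] "GET /laravel/.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2025:10:02:10 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2025:10:02:11 +0000] "GET /.env.bak HTTP/1.1" 403 199 "-" "curl/8.0"
192.0.2.44 - - [12/Mar/2025:10:03:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, identity, user, [timestamp], "METHOD PATH PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# A path component that is exactly ".env" or ".env.<suffix>" (e.g. /.env, /app/.env, /.env.bak)
ENV_PATH_RE = re.compile(r'(^|/)\.env(\.[\w-]+)?$', re.IGNORECASE)

def find_env_probes(log_text):
    """Return (served, probes).

    served: (ip, path) pairs where a .env file was answered with HTTP 200, i.e. a
            likely credential exposure that needs immediate secret rotation.
    probes: per-source count of all .env requests, whether served or blocked, which
            is the reconnaissance pattern the article attributes to AndroxGh0st.
    """
    served = []
    probes = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if not ENV_PATH_RE.search(path):
            continue
        probes[m.group("ip")] += 1
        if m.group("status") == "200":
            served.append((m.group("ip"), path))
    return served, dict(probes)

if __name__ == "__main__":
    served, probes = find_env_probes(SAMPLE_LOG)
    for ip, path in served:
        print(f"EXPOSED: {path} served with 200 to {ip}")
    for ip, n in probes.items():
        print(f"{ip}: {n} .env request(s)")
```

A 200 response for any .env path means the secrets in that file (AWS, Twilio, Office 365, SendGrid keys and the like) should be treated as compromised and rotated, not merely blocked going forward.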
↔ AsyncRat (1.48%)
AsyncRAT is a remote access Trojan (RAT) targeting Windows systems, first identified in 2019. It transmits system data to a command-and-control server and executes commands such as downloading plugins, terminating processes, taking screenshots, and self-updating. It’s often delivered through phishing campaigns and used for data theft and system breaches.
Top Mobile Malware
↔ Anubis
Originally developed for Android, Anubis is a multifunctional banking Trojan that has evolved to bypass multi-factor authentication (MFA) by intercepting SMS one-time passwords (OTPs), perform keylogging, record audio, and act as ransomware. Often spread through fake apps on the Google Play Store, Anubis is now one of the most prevalent mobile malware families. It also includes RAT capabilities for extensive monitoring and control of infected devices.
↔ Necro
Necro is a malicious Android downloader that retrieves and executes harmful components on infected devices based on commands from its operators. It has been found in several popular apps on Google Play and in modified versions of apps like Spotify, WhatsApp, and Minecraft on unofficial platforms. Necro can download malicious modules and perform actions such as clicking invisible ads, downloading executables, and installing third-party apps. It can also open hidden windows to run JavaScript, potentially signing users up for unwanted paid services. Additionally, Necro can redirect internet traffic, turning infected devices into proxy botnets for cybercriminals.
↔ AhMyth
AhMyth is a remote access Trojan (RAT) targeting Android devices, typically disguised as legitimate apps like screen recorders, games, or crypto tools. Once installed, it gains broad permissions to persist after reboots and steal sensitive information such as banking data, crypto wallet credentials, MFA codes, and passwords. AhMyth also supports keylogging, screen capture, access to the camera and microphone, and SMS interception, making it a versatile tool for data theft and cybercrime.
Most Active Ransomware Groups
1. RansomHub
RansomHub is a ransomware-as-a-service (RaaS) operation believed to be a rebranded version of the former Knight ransomware. It emerged in early 2024 on underground cybercrime forums and quickly gained notoriety for aggressive campaigns targeting Windows, macOS, Linux, and especially VMware ESXi environments. RansomHub is known for using sophisticated encryption techniques.
2. Qilin
Also known as Agenda, Qilin is a criminal RaaS operation working with affiliates to encrypt and exfiltrate data from compromised organizations, demanding ransom payments in return. First observed in July 2022, Qilin is developed in Golang and is known to target large enterprises and high-value organizations, particularly in the healthcare and education sectors. Typically, Qilin gains entry through phishing emails containing malicious links, then moves laterally through the victim’s network to locate and encrypt sensitive data.
↑ Akira
First reported in early 2023, Akira targets both Windows and Linux systems. It uses CryptGenRandom() and ChaCha 2008 for symmetric encryption and is reminiscent of the leaked Conti v2 ransomware. Akira is spread through infected email attachments and VPN endpoint vulnerabilities. Once inside a system, it encrypts important data, appends a .akira extension to file names, and displays a ransom note demanding payment for decryption.