
According to Check Point's State of Cybersecurity Report 2025, FakeUpdates was the most prevalent malware in the Europe, Middle East, and Africa (EMEA) region in 2024.
Overall, organizations worldwide experienced a sharp rise in cyberattacks, averaging 1,673 attacks per organization per week, a 44% increase over 2023.
Multipurpose malware, which includes Remote Access Trojans (RATs), botnets, and banking malware, was the most common category, impacting 39% of organizations, a 25% rise from the previous year.
Infostealer infection attempts surged by 58%, affecting 19% of organizations, driven by growing demand for stolen credentials.
Conversely, crypto-miner attacks dropped sharply, affecting just 2% of organizations compared with 9% in 2023, likely because mining became less profitable.
Top 10 Malware Prevalent in EMEA
1. FakeUpdates (SocGholish): The report identifies FakeUpdates as the most prevalent malware in EMEA, impacting 16% of corporate networks. The operation uses compromised websites to serve fake browser or software update prompts. Users are tricked into downloading and executing a JScript-based downloader, which then installs further malware.
2. Agent Tesla: Agent Tesla, which the report identifies as the most dominant malware in Africa in March, was also prevalent across EMEA, impacting 12% of corporate networks. The report describes it as an infostealer specialized in harvesting sensitive information from infected systems. It is frequently used in global campaigns and can capture keystrokes, login credentials saved in web browsers, and credentials stored by email clients.
3. Remcos: Remcos is a powerful RAT that lets attackers remotely control infected systems. It is often distributed through phishing campaigns carrying malicious Office documents that exploit vulnerabilities. Once installed, it provides full system access, enabling espionage, data exfiltration, and deployment of further malware. In April 2022, African banks were heavily targeted by Remcos RAT campaigns, with the potential for data breaches and financial losses.
4. CloudEyE: Affecting 9% of corporate networks, CloudEyE acts primarily as a loader for a range of trojans and RATs, using cloud-based services to host and deliver encrypted payloads. Attackers use CloudEyE to evade security mechanisms and execute malware stealthily.
5. FormBook: FormBook is an infostealer first discovered in 2016. It steals various types of data from infected systems, including credentials cached in web browsers, screenshots, and keystrokes. It can also act as a downloader, fetching and executing additional malicious files. According to the report, it affected 9% of corporate networks.
6. AsyncRAT: AsyncRAT is a RAT designed to enable stealthy remote control of infected systems. Cybercriminals use AsyncRAT to execute commands, steal credentials, log keystrokes, and exfiltrate data. The malware is frequently distributed through phishing emails and malicious attachments.
7. Androxgh0st: Androxgh0st is a botnet that targets web servers and cloud-hosted applications. It exploits vulnerabilities in web frameworks to deploy backdoors and steal sensitive data, including API keys and credentials.
8. Lumma: Lumma is identified as a high-risk infostealer, known for harvesting login credentials, cryptocurrency wallets, and browser-stored data. Cybercriminals sell stolen information from Lumma logs on underground forums, making it a significant tool for financial fraud and identity theft.
9. NJRAT: NJRAT is a RAT commonly used to spy on victims, log keystrokes, and gain unauthorized access to compromised systems. It is widely shared on underground hacking forums and has been leveraged by various cybercriminal groups for persistent attacks.
10. Nanocore: Nanocore is also a RAT, with capabilities such as keylogging, screen capturing, and remote desktop control. It is frequently spread through phishing campaigns and malicious email attachments, allowing attackers to maintain prolonged access to infected systems.
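The FakeUpdates chain described in item 1 ends with a Windows script host executing a freshly downloaded JScript file, which is where endpoint telemetry can catch it. The detection below is an added example written for this article, not code from Check Point or from the report. It scores process-creation events using Sysmon Event ID 1 style field names (image, cmdline, parent_image; the naming is an assumption) and runs over three constructed sample events, one of which matches the lure pattern.

```python
import re
from typing import Iterable

# Windows script hosts that run the JScript/VBScript downloader a fake-update lure drops
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Parents that mean the script was opened straight from a browser download bar or an Explorer double-click
DOWNLOAD_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "explorer.exe"}
# User-writable locations where a browser download or a just-extracted archive lands
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|desktop|appdata\\local\\temp)\\", re.I)
# First script file on the command line, quoted (may contain spaces) or bare
SCRIPT_FILE = re.compile(r'"([^"]+?\.(?:js|jse|wsf|vbs|vbe))"|(\S+\.(?:js|jse|wsf|vbs|vbe))\b', re.I)
# Words that fake "browser update" file names tend to carry
LURE_WORDS = re.compile(r"update|chrome|edge|firefox|browser|install", re.I)

# Constructed process-creation events in Sysmon Event ID 1 style (field names assumed; not real telemetry)
SAMPLE_EVENTS = [
    {   # fake-update lure: the browser hands a downloaded .js straight to wscript
        "ts": "2025-03-04T09:12:31Z",
        "image": r"C:\Windows\System32\wscript.exe",
        "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Chrome_Update_3.2.js"',
        "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    },
    {   # benign: Group Policy logon script served from SYSVOL
        "ts": "2025-03-04T09:13:02Z",
        "image": r"C:\Windows\System32\cscript.exe",
        "cmdline": r"cscript.exe //nologo \\corp.example\sysvol\corp.example\scripts\mapdrives.vbs",
        "parent_image": r"C:\Windows\System32\gpscript.exe",
    },
    {   # benign-looking: vendor maintenance script from a non-user path
        "ts": "2025-03-04T09:15:44Z",
        "image": r"C:\Windows\System32\wscript.exe",
        "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\ProgramData\Vendor\maint.js"',
        "parent_image": r"C:\Windows\System32\svchost.exe",
    },
]


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> tuple[int, list[str]]:
    """Score one process-creation event; 0 means it does not fit the pattern at all."""
    image = basename(ev["image"])
    if image not in SCRIPT_HOSTS:
        return 0, []
    m = SCRIPT_FILE.search(ev["cmdline"])
    if not m:
        return 0, []
    script = m.group(1) or m.group(2)
    score, reasons = 1, [f"{image} executing {basename(script)}"]
    if USER_WRITABLE.search(script):
        score += 2
        reasons.append("script lives in a user download/temp directory")
    parent = basename(ev["parent_image"])
    if parent in DOWNLOAD_PARENTS:
        score += 1
        reasons.append(f"launched directly from {parent}")
    if LURE_WORDS.search(basename(script)):
        score += 1
        reasons.append("file name mimics a browser or software update")
    return score, reasons


def find_fake_update_executions(events: Iterable[dict], threshold: int = 3) -> list[dict]:
    """Return an alert for every event whose score reaches the threshold."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append({"ts": ev["ts"], "score": score, "reasons": reasons, "cmdline": ev["cmdline"]})
    return alerts


if __name__ == "__main__":
    for alert in find_fake_update_executions(SAMPLE_EVENTS):
        print(alert["ts"], alert["score"], "; ".join(alert["reasons"]))
```

The score combines a weak signal (a script host running at all) with stronger ones (the script sits in a download or temp directory, the parent is a browser or Explorer, the file name says "update"), so a legitimate logon script from SYSVOL stays under the threshold. The same logic maps directly onto a SIEM rule over Sysmon or EDR process events; tune DOWNLOAD_PARENTS and USER_WRITABLE to your own environment before relying on it.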
Highlights of Global Attack Vectors
The following statistics show the global distribution of attack vectors:
- Email remained the primary initial attack vector, accounting for 68% of attacks.
- Web-delivered attacks increased to 32%.
- The top malicious file types in email attacks were HTML (61%) and PDF (22%).
- The top malicious file types in web attacks were EXE (54%), DLL (11%), and PDF (8%).
- Attackers increasingly used malicious ZIP, RAR, and 7z archives to slip past security controls.
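The statistics above say what arrives (HTML and PDF by email, executables via the web, archives wrapping all of it) but not what a mail gateway should actually look at. The script below is an added example written for this article, not code from the report or from Check Point. Using only the Python standard library, it walks every attachment of a constructed .eml, flags HTML files that carry the classic HTML-smuggling shape (a large base64 blob decoded with atob and handed to the browser as a download), and recurses into ZIP archives to find renamed PE files and nested archives. The sample message, file names, and thresholds are constructed for the demonstration; RAR and 7z would need third-party libraries (for example rarfile and py7zr), but the walk is identical.

```python
import base64
import email
import io
import os
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that give the attacker code execution as soon as the user opens the file
EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".js", ".jse", ".vbs", ".hta", ".bat", ".cmd", ".msi", ".lnk"}
# "Invoice.pdf.exe": a document extension sitting in front of an executable one
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png)\.[a-z0-9]{2,4}$", re.I)
# HTML-smuggling markers: JavaScript that decodes an embedded blob and pushes it as a download
SMUGGLING_MARKERS = [
    ("atob", r"\batob\s*\("),
    ("Blob", r"\bnew\s+Blob\s*\("),
    ("createObjectURL", r"URL\.createObjectURL\s*\("),
    ("msSaveOrOpenBlob", r"msSaveOrOpenBlob"),
    ("synthetic click", r"\.click\s*\(\s*\)"),
]
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{2000,}={0,2}")
MAX_DEPTH = 3                 # archives nested deeper than this are reported, not expanded
MAX_MEMBER_BYTES = 50 << 20   # decompression-bomb guard for archive members


def inspect_bytes(path, data, depth=0, findings=None):
    """Recursively inspect one attachment or archive member; returns a list of (path, reason)."""
    findings = [] if findings is None else findings
    name = path.rsplit("/", 1)[-1]
    ext = os.path.splitext(name)[1].lower()
    if data[:2] == b"MZ":
        findings.append((path, "PE executable (MZ header)"))
    if ext in EXECUTABLE_EXT:
        findings.append((path, f"executable extension {ext}"))
        if DOUBLE_EXT.search(name):
            findings.append((path, "document-looking double extension"))
    if ext in {".html", ".htm"}:
        text = data.decode("utf-8", "ignore")
        hits = [label for label, pat in SMUGGLING_MARKERS if re.search(pat, text)]
        if len(hits) >= 2 and BASE64_BLOB.search(text):
            findings.append((path, "HTML smuggling indicators: " + ", ".join(hits)))
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth > 0:
            findings.append((path, f"archive nested inside archive (depth {depth})"))
        if depth >= MAX_DEPTH:
            findings.append((path, "nesting limit reached, not expanded"))
            return findings
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                child = f"{path}/{info.filename}"
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append((child, "member exceeds size limit, skipped"))
                    continue
                try:
                    inner = zf.read(info)
                except (RuntimeError, zipfile.BadZipFile):  # RuntimeError is what zipfile raises for encrypted members
                    findings.append((child, "encrypted or unreadable member (password-protected archive?)"))
                    continue
                inspect_bytes(child, inner, depth + 1, findings)
    return findings


def triage_eml(raw: bytes):
    """Walk every attachment of an RFC 5322 message and collect findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        payload = part.get_payload(decode=True) or b""
        inspect_bytes(name, payload, findings=findings)
    return findings


def build_sample_eml() -> bytes:
    """Constructed test message: an HTML-smuggling page plus a double-zipped, renamed PE stub."""
    blob = base64.b64encode(b"\x00" * 1536).decode()  # 2048 base64 chars, stands in for a real payload
    html = ("<html><body><p>Loading document...</p><script>"
            "var raw = atob('" + blob + "');"
            "var bytes = Uint8Array.from(raw, function (c) { return c.charCodeAt(0); });"
            "var file = new Blob([bytes], { type: 'application/octet-stream' });"
            "var a = document.createElement('a');"
            "a.href = URL.createObjectURL(file); a.download = 'Invoice.zip'; a.click();"
            "</script></body></html>").encode()
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("Invoice_2024.pdf.exe", b"MZ" + b"\x00" * 62 + b"stub, not a real program")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("inner.zip", inner.getvalue())
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "alice@example.org"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(html, maintype="text", subtype="html", filename="Document.html")
    msg.add_attachment(outer.getvalue(), maintype="application", subtype="zip", filename="Invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for path, reason in triage_eml(build_sample_eml()):
        print(f"{path}: {reason}")
```

Findings are (path, reason) pairs, so an archive member keeps its full path through the nesting ("Invoice.zip/inner.zip/..."). The size guard and the depth limit are the two caveats that matter in production: attackers nest archives deeply or pad them precisely so that scanners give up, and a scanner that silently stops expanding is worse than one that reports where it stopped.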
CISO Recommendations
The report outlines security strategies recommended by Chief Information Security Officers (CISOs) that you can apply in your organization:
- Implement a multi-layered security approach, including robust email filtering, endpoint detection and response (EDR), access controls, and incident response drills.
- Strengthen cloud security with API security, zero-trust architecture, and MFA.
- Enhance attack surface visibility by integrating identity, cloud, and endpoint security tools.
- Establish a Vulnerability and Risk Management Program to prioritize patching critical assets.
- Choose trusted security vendors with strong patching and response mechanisms.
- Leverage AI-driven automation to improve efficiency in security operations.
- Focus on resilience and incident response, ensuring operational segregation and effective disaster recovery planning.