Malware Trends: FakeUpdates, Remcos, AgentTesla Dominate April Threat Landscape

Focus on malware

Check Point’s latest malware report for April 2025 shows a sharp increase in stealthy attack techniques, even as familiar malware families like FakeUpdates, Remcos, and AgentTesla remain active, Hackread reports. Attackers are blending basic commodity malware with advanced tactics, making detection and response more difficult for defenders. The education sector continues to be the most targeted industry, followed by government and telecom.

Most campaigns began with phishing emails masquerading as order confirmations. These contained concealed 7-Zip files, which unpacked obfuscated scripts designed to evade detection. Once executed, the scripts installed malware such as AgentTesla, known for credential theft and system surveillance, and Remcos, a remote access tool that can bypass Windows defenses.

FakeUpdates topped the global malware charts, leveraging fake browser updates on compromised sites to infect users. Other high-ranking threats included Formbook, Lumma Stealer, and Raspberry Robin. On the ransomware front, Akira remained the most prominent group, while SatanLock made headlines by claiming victims previously listed by other ransomware gangs—suggesting growing competition among threat actors.

Mobile malware also saw continued evolution, with Anubis, Hydra, and AhMyth leading the list. These threats now offer remote access and MFA bypass capabilities, expanding the mobile attack surface. Regionally, Latin America and Eastern Europe saw higher rates of FakeUpdates and Phorpiex, while Asia experienced more Remcos and AgentTesla infections—indicating that attack strategies are being tailored to local conditions.
