FakeUpdates Tops India’s Malware Threats in May, According to Check Point Report

FakeUpdates continued to lead malware activity in India in May 2025, according to the latest Global Threat Index from Check Point Software Technologies. The downloader malware retained its status as the most prevalent threat across Indian organizations, while the newly emerging ransomware group SafePay became the top global ransomware actor.

The May 2025 threat landscape, released by Check Point Software — a NASDAQ-listed cybersecurity firm — also indicates that Remcos and Androxgh0st followed FakeUpdates as the most active malware families in India. The report attributes these developments to increasingly sophisticated tactics employed by cybercriminals targeting critical sectors such as education, government, and telecommunications.

Top malware families in India – May 2025

| Rank | Malware | Description |
| --- | --- | --- |
| 1 | FakeUpdates (↔) | A downloader malware distributed through fake browser update notifications on compromised websites. First identified in 2018, it is associated with the Russian group Evil Corp and delivers secondary payloads. |
| 2 | Remcos (↔) | A remote access trojan (RAT) delivered via malicious Office documents in phishing attacks. Known for evading Windows security features to execute malware with elevated privileges. |
| 3 | Androxgh0st (↑) | Python-based malware that targets Laravel PHP applications by scanning for exposed .env files. Used to steal credentials for AWS, Twilio, Office 365, and other cloud services. |

Source: Check Point Global Threat Index

The company’s research revealed that attackers persist in exploiting fake software updates and phishing documents for malicious code distribution. FakeUpdates remained a prevalent issue globally, while Remcos and Androxgh0st demonstrated rising activity within Indian networks.
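The Androxgh0st entry above describes scanning for exposed .env files, which leaves a recognisable trail in web server access logs. The following Python is an added example (not Check Point's code or data) that flags such probes per client IP and highlights any .env path the server actually returned with a 200; the log lines and the list of probed paths are constructed for illustration.

```python
"""Flag web requests probing for exposed Laravel .env files, the technique
attributed to Androxgh0st above. Added example, not Check Point's code;
the access-log lines below are constructed for illustration."""
import re
from collections import defaultdict

# Combined/common log format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Paths .env scanners typically request: the root file plus variants and copies
# that leak from misconfigured deployments (assumed list; extend for your layout).
ENV_PATTERNS = (
    re.compile(r'/\.env(\.\w+)?$'),           # /.env, /.env.bak, /.env.production
    re.compile(r'/(vendor|storage)/.*\.env$'),
)

SAMPLE_LOG = """\
203.0.113.5 - - [12/May/2025:10:01:02 +0000] "GET /.env HTTP/1.1" 200 512
203.0.113.5 - - [12/May/2025:10:01:03 +0000] "GET /vendor/.env HTTP/1.1" 404 153
198.51.100.7 - - [12/May/2025:10:02:10 +0000] "GET /index.php HTTP/1.1" 200 4096
203.0.113.5 - - [12/May/2025:10:01:04 +0000] "POST /.env HTTP/1.1" 404 153
198.51.100.9 - - [12/May/2025:10:03:00 +0000] "GET /.env.bak HTTP/1.1" 403 0
"""


def is_env_probe(path: str) -> bool:
    """True if the request path targets a .env file or a common leak location."""
    path = path.split("?", 1)[0]  # ignore query strings
    return any(p.search(path) for p in ENV_PATTERNS)


def find_env_probes(log_text: str) -> dict:
    """Group .env probes by client IP; 'served' lists paths returned with 200,
    i.e. the secrets file was actually disclosed and its credentials are burned."""
    hits = defaultdict(lambda: {"probes": 0, "served": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_env_probe(m["path"]):
            continue
        hits[m["ip"]]["probes"] += 1
        if m["status"] == "200":
            hits[m["ip"]]["served"].append(m["path"])
    return dict(hits)


if __name__ == "__main__":
    for ip, info in find_env_probes(SAMPLE_LOG).items():
        state = "EXPOSED" if info["served"] else "blocked"
        print(f"{ip}: {info['probes']} .env probe(s), {state} {info['served']}")
```

Any "EXPOSED" result means the credentials in that .env file (AWS, Twilio, Office 365 and the like) should be rotated, not just the web server fixed.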

Top global ransomware groups – May 2025

| Rank | Ransomware Group | Description |
| --- | --- | --- |
| 1 | SafePay | A double extortion ransomware group, first identified in late 2024, believed to have ties to Russia. Operates on a centralized model and has published numerous victim lists without using a ransomware-as-a-service (RaaS) framework. |
| 2 | | |
| 3 | Qilin (Agenda) | A RaaS operation developed in Golang. Noted for focusing on high-value sectors such as healthcare and education, using phishing and lateral movement to exfiltrate and encrypt sensitive information. |
| 4 | | |
| 5 | Play (PlayCrypt) | Active since mid-2022, this group targets both public and private sectors across several continents, exploiting unpatched Fortinet VPNs and using LOLBins to retrieve data and credentials. |

Source: Check Point, based on ransomware ‘shame sites’

Check Point reported that SafePay’s double extortion approach — encrypting files while threatening to leak data — has positioned it as the most influential ransomware group in recent months. Its consistency in techniques, target selection, and operational structure distinguishes it from competitors.

Top mobile malware – May 2025

| Malware | Status | Description |
| --- | --- | --- |
| Anubis | | Android banking trojan with advanced capabilities including OTP interception, keylogging, remote access, and ransomware functionality. Frequently concealed within fake applications on Google Play. |
| AhMyth | | Android RAT masquerading as legitimate applications. Capable of data theft, keylogging, and complete device control, including camera and microphone access. |
| Necro | | Downloader malware found in counterfeit versions of popular applications. Can execute harmful JavaScript, enroll users in premium services, and turn devices into proxy botnets. |

Source: Check Point

On mobile platforms, Anubis and AhMyth maintained their positions, while Necro rose in prominence due to sideloaded applications and modifications of legitimate apps from unofficial sources.

Top attacked industries – May 2025

| Rank | Industry |
| --- | --- |
| 1 | Education |
| 2 | Government |
| 3 | Telecommunications |

Source: Check Point Global Threat Index

Check Point reported that educational institutions continued to be the most targeted sector in India and worldwide. The sector’s susceptibility is linked to decentralized systems and large user bases with varying levels of security awareness.

The report also highlighted law enforcement efforts to disrupt cybercrime networks. In May, Europol, the FBI, Microsoft, and others coordinated a takedown targeting Lumma, a malware-as-a-service platform. Although thousands of domains were seized, servers based in Russia associated with Lumma reportedly remained operational. Check Point noted that the takedown strategy aimed to instill psychological deterrence among Lumma users, alongside technical disruption.

Lotem Finkelstein, Director of Threat Intelligence at Check Point Software, stated: “May’s Global Threat Index data highlights the increasing sophistication of cybercriminal tactics. With the emergence of groups like SafePay and the ongoing threat of FakeUpdates, organizations must implement proactive, multi-layered security measures. As cyber threats evolve, it’s essential to stay ahead of emerging attacks with real-time threat intelligence and robust defenses.”

What now?

The report concludes that multi-stage attacks and cloud credential theft are becoming more commonplace, with attackers increasingly targeting critical infrastructure and public services. Check Point recommends continuous monitoring, user education, and the adoption of layered security frameworks to counter this evolving threat landscape.
