May 2025 Malware Spotlight: SafePay Surges To Forefront


SafePay, a relatively new albeit rapidly growing ransomware group, has overtaken other threats in May to emerge as the most prevalent actor on the top ransomware group list, thanks to its double extortion strategy. Meanwhile, FakeUpdates continues to dominate as the most widespread malware impacting organisations worldwide. The most targeted sectors in Africa remain telecommunications, government and financial services sectors, with the education sector as the most targeted industry globally.

This is according to Check Point Software Technologies Ltd.’s Global Threat Index for May 2025.

Seven African countries are among the top 20 countries most targeted by malware. Ethiopia continues to occupy the number one spot as the most targeted country of the 110 surveyed. Others on the continent include Nigeria, which ranks 5th most targeted with a Normalised Risk Index of 77.2 per cent, followed by Zimbabwe (7th) with a Normalised Risk Index of 73.2 per cent. Angola and Mozambique are 10th and 11th, respectively, with Normalised Risk Indexes of 64.1 per cent and 64 per cent. Uganda and Ghana were ranked 13th and 20th, respectively, with Normalised Risk Indexes of 62 per cent and 57.7 per cent. Kenya occupied 21st position with a Normalised Risk Index of 57.7 per cent, while South Africa ranked 47th, with its index down from 53 per cent in April.

In May, Europol, the FBI, Microsoft, and other partners launched a major operation targeting Lumma, a prominent malware-as-a-service platform. The takedown seized thousands of domains, significantly disrupting the operation. However, Lumma’s core Russia-based servers were claimed to have remained operational, and the developers swiftly restored their infrastructure. Even so, the operation did cause reputational harm through psychological tactics, such as phishing messages aimed at Lumma’s users, that sowed distrust among them. While the technical disruption was significant, Lumma-related data continues to circulate, raising concerns about the long-term impact of the takedown.

Lotem Finkelstein, Director of Threat Intelligence at Check Point Software Technologies, stated, “May’s Global Threat Index data underscores the growing sophistication of cybercriminal tactics. With the rise of groups like SafePay and the persistent threat of FakeUpdates, organisations must adopt proactive, multi-layered security measures. As cyber threats become more advanced, it’s crucial to stay ahead of evolving attacks with real-time threat intelligence and robust defences.”

Top Malware Families
  1. Fakeupdates (AKA SocGholish) is a downloader malware that was initially discovered in 2018. It is spread through drive-by downloads on compromised or malicious websites, prompting users to install a fake browser update. Fakeupdates is associated with the Russian hacking group Evil Corp and is used to deliver various secondary payloads after the initial infection.
  2. Remcos, a Remote Access Trojan (RAT) first observed in 2016, is often distributed through malicious documents in phishing campaigns. It is designed to bypass Windows security mechanisms, such as UAC, and execute malware with elevated privileges, making it a versatile tool for threat actors.
  3. Androxgh0st is a Python-based malware that targets applications using the Laravel PHP framework by scanning for exposed .env files containing sensitive information such as login credentials for services like AWS, Twilio, Office 365, and SendGrid. It operates by utilising a botnet to identify websites running Laravel and extracting confidential data. Once access is gained, attackers can deploy additional malware, establish backdoor connections, and exploit cloud resources for activities like cryptocurrency mining.
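The Androxgh0st entry above describes mass scanning for exposed .env files. From a defender’s side, that activity is visible in ordinary web-server access logs, and the signal that matters most is not the probe itself but a 2xx response with a body, which means the server actually handed the file over. The following Python script is an added example written for this summary; it is not code from Check Point, from the report, or from the malware. It assumes the nginx/Apache "combined" log format, and the log lines it runs on are constructed samples using RFC 5737 documentation addresses.

```python
import re
from dataclasses import dataclass, field

# nginx/Apache "combined" access-log format (assumed here as the input format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Last path segment is ".env", optionally with a suffix such as ".env.bak",
# in any directory; query strings are stripped before matching.
ENV_PROBE_RE = re.compile(r'/\.env(\.[A-Za-z0-9_-]+)?$')


@dataclass
class Finding:
    ip: str
    probes: int = 0
    # (path, response bytes) for probes that received a 2xx with a body:
    # the server actually served the file, so treat it as an exposure.
    served: list = field(default_factory=list)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def is_env_probe(path):
    return ENV_PROBE_RE.search(path) is not None


def scan_log(lines):
    """Group .env requests by client IP and record which ones were served."""
    findings = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_env_probe(rec["path"]):
            continue
        f = findings.setdefault(rec["ip"], Finding(rec["ip"]))
        f.probes += 1
        if 200 <= rec["status"] < 300 and rec["bytes"] > 0:
            f.served.append((rec["path"], rec["bytes"]))
    return findings


def report(lines):
    """(ip, probe count, verdict) per client, most urgent first."""
    rows = []
    for f in scan_log(lines).values():
        verdict = "EXPOSED" if f.served else "PROBED"
        rows.append((f.ip, f.probes, verdict))
    rows.sort(key=lambda r: (r[2] != "EXPOSED", -r[1], r[0]))
    return rows


# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [12/May/2025:10:01:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [12/May/2025:10:01:03 +0000] "GET /vendor/.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [12/May/2025:10:01:04 +0000] "GET /laravel/.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/May/2025:10:05:40 +0000] "GET /.env HTTP/1.1" 200 412 "-" "python-requests/2.31"',
    '198.51.100.7 - - [12/May/2025:10:05:41 +0000] "GET /api/.env?x=1 HTTP/1.1" 200 412 "-" "python-requests/2.31"',
    '192.0.2.55 - - [12/May/2025:10:07:00 +0000] "GET /environment/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [12/May/2025:10:07:09 +0000] "GET /assets/.env.example HTTP/1.1" 403 162 "-" "Mozilla/5.0"',
    'not a log line at all',
]

if __name__ == "__main__":
    for ip, probes, verdict in report(SAMPLE_LOG):
        print(f"{verdict:8} {ip:15} {probes} .env request(s)")
```

Run against the constructed log, the script ranks 198.51.100.7 as EXPOSED (two .env requests answered with 200 and a 412-byte body) ahead of the noisier but unsuccessful scanner at 203.0.113.10, and it does not trip on the unrelated `/environment/` path. An EXPOSED verdict is an incident, not an alert: the credentials in that file should be treated as compromised and rotated. The PROBED verdicts are the routine background noise the report describes; the durable fix is to keep .env outside the document root and deny dotfiles at the web server (in nginx, a `location ~ /\.` block with `deny all;`).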
Top Ransomware Groups

Ransomware continues to dominate the cybercrime landscape. This month, SafePay emerges as the most significant ransomware threat, with a new generation of operators targeting both large enterprises and smaller businesses. The tactics used by these groups are becoming increasingly sophisticated, and the competition between them is intensifying.

  1. SafePay was first observed in November 2024, with indicators suggesting a possible Russian affiliation. The group operates a double extortion model—encrypting victims’ files while exfiltrating sensitive data to increase pressure for payment. Despite not operating as a Ransomware-as-a-Service (RaaS), SafePay has listed an unusually high number of victims. Its centralised, internally driven structure leads to consistent tactics, techniques, and procedures (TTPs) and focused targeting.
  2. Qilin, also referred to as Agenda, is a ransomware-as-a-service criminal operation that collaborates with affiliates to encrypt and exfiltrate data from compromised organisations, subsequently demanding a ransom. This ransomware variant was first detected in July 2022 and is developed in Golang. Agenda is known for targeting large enterprises and high-value organisations, with a particular focus on the healthcare and education sectors. Qilin typically infiltrates victims via phishing emails containing malicious links to establish access to their networks and exfiltrate sensitive information. Once inside, Qilin usually moves laterally through the victim’s infrastructure, seeking critical data to encrypt.
  3. Play Ransomware, also referred to as PlayCrypt, is a ransomware that first emerged in June 2022. This ransomware has targeted a broad spectrum of businesses and critical infrastructure across North America, South America, and Europe, affecting approximately 300 entities by October 2023. Play Ransomware typically gains access to networks through compromised valid accounts or by exploiting unpatched vulnerabilities, such as those in Fortinet SSL VPNs. Once inside, it employs techniques like using living-off-the-land binaries (LOLBins) for tasks such as data exfiltration and credential theft.
Top Mobile Malware
  1. Anubis is a versatile banking trojan that originated on Android devices and has evolved to include advanced capabilities such as bypassing multi-factor authentication (MFA) by intercepting SMS-based one-time passwords (OTPs), keylogging, audio recording, and ransomware functions. It is often distributed through malicious apps on the Google Play Store and has become one of the most prevalent mobile malware families. Additionally, Anubis includes remote access trojan (RAT) features, enabling extensive surveillance and control over infected systems.
  2. AhMyth is a remote access trojan (RAT) targeting Android devices, typically disguised as legitimate apps like screen recorders, games, or cryptocurrency tools. Once installed, it gains extensive permissions to persist after reboot and exfiltrate sensitive information such as banking credentials, cryptocurrency wallet details, multi-factor authentication (MFA) codes, and passwords. AhMyth also enables keylogging, screen capture, camera and microphone access, and SMS interception, making it a versatile tool for data theft and other malicious activities.
  3. Necro is a malicious Android downloader that retrieves and executes harmful components on infected devices based on commands from its creators. It has been discovered in several popular apps on Google Play, as well as in modified versions of apps such as Spotify, WhatsApp, and Minecraft distributed on unofficial platforms. Necro is capable of downloading dangerous modules to smartphones, enabling actions such as displaying and clicking on invisible ads, downloading executable files, and installing third-party apps. It can also open hidden windows to run JavaScript, potentially subscribing users to unwanted paid services. Furthermore, Necro can reroute internet traffic through compromised devices, turning them into part of a proxy botnet for cybercriminals.

May’s data highlights the continued rise of sophisticated, multi-stage malware campaigns, with SafePay emerging as a prominent ransomware threat. As FakeUpdates maintains its position as the most widespread malware, new actors like SafePay and the ongoing operations against Lumma infostealer demonstrate the evolving complexity of cyberattacks. The education sector remains a prime target, further emphasising the need for organisations to adopt proactive, layered security measures to defend against these increasingly sophisticated threats.

For the full May 2025 Global Threat Index and additional insights, visit the Check Point Blog.

 


