
African countries among the most targeted, with Ethiopia retaining top spot as cybercriminals continue to exploit legitimate platforms to evade detection and establish persistence.

Check Point® Software Technologies Ltd. (NASDAQ: CHKP), a pioneer and global leader of cyber security solutions, has released its Global Threat Index for February 2025, highlighting the rise of AsyncRAT, a remote access Trojan (RAT) that continues to evolve as a serious threat within the cyber landscape.


Once again, Ethiopia retained its top spot as the most targeted country, followed by Zimbabwe, Uganda, Nigeria, Angola, Kenya, Mozambique and Ghana among the Top 20 most targeted countries. Nigeria was ranked 10th with a Normalised Risk Index of 63,1, moving from 11th last month.

Security researchers have observed that AsyncRAT is being utilised in increasingly sophisticated campaigns, leveraging platforms like TryCloudflare and Dropbox to distribute malware. This reflects the growing trend of exploiting legitimate platforms to bypass security defenses and ensure persistence across targeted networks. The attacks typically begin with phishing emails containing Dropbox URLs, leading to a multi-step infection process involving LNK, JavaScript, and BAT files.
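The LNK, JavaScript and BAT sequence described above leaves a recognisable process ancestry on the endpoint. The following is an added illustration, not code from the article or from Check Point: it runs a simple chain rule over constructed Sysmon-style process-creation events. It assumes that double-clicking an LNK makes explorer.exe the parent of the script host, so the chain shows up as explorer.exe, then wscript.exe or cscript.exe running a .js file, then cmd.exe running a .bat file; the event field names and sample paths are invented for the example.

```python
"""
Flag process chains matching an LNK -> JavaScript -> BAT infection sequence.
Added example with constructed Sysmon-style events; not Check Point's code.
Assumption: the LNK launched from Explorer makes explorer.exe the parent of
the script host, so the chain appears as explorer.exe -> wscript.exe -> cmd.exe.
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def build_index(events):
    """Map pid -> event so parents can be looked up in O(1)."""
    return {e["pid"]: e for e in events}


def ancestors(index, pid):
    """Return the process and its ancestors, child first; stops on cycles or unknown pids."""
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        event = index[pid]
        chain.append(event)
        pid = event["ppid"]
    return chain


def matches_lnk_js_bat(index, event):
    """True if event is cmd.exe running a .bat, spawned by a script host running
    a .js file that was itself launched from explorer.exe."""
    if image_name(event["image"]) != "cmd.exe" or ".bat" not in event["cmdline"].lower():
        return False
    chain = ancestors(index, event["pid"])
    if len(chain) < 3:
        return False
    parent, grandparent = chain[1], chain[2]
    return (
        image_name(parent["image"]) in SCRIPT_HOSTS
        and ".js" in parent["cmdline"].lower()
        and image_name(grandparent["image"]) == "explorer.exe"
    )


def find_suspicious_chains(events):
    """Return each matching chain as a root-first list of image names."""
    index = build_index(events)
    return [
        [image_name(e["image"]) for e in reversed(ancestors(index, ev["pid"]))]
        for ev in events
        if matches_lnk_js_bat(index, ev)
    ]


# Constructed sample events (not real telemetry). Event 400 is a benign
# batch file run directly from Explorer and must not be flagged.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\a\Downloads\invoice.js"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\a\AppData\Local\Temp\run.bat"'},
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\tools\build.bat"'},
]

if __name__ == "__main__":
    for chain in find_suspicious_chains(SAMPLE_EVENTS):
        print(" -> ".join(chain))
```

The rule deliberately keys on the ancestry rather than on file names alone, so a renamed script or batch file still matches as long as the script host and cmd.exe appear in that order under Explorer; real deployments would feed it the Sysmon event 1 fields instead of the constructed dictionaries.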

Maya Horowitz, VP of Research at Check Point Software, commented, “Cybercriminals are leveraging legitimate platforms to deploy malware and avoid detection. Organisations must remain vigilant and implement proactive security measures to mitigate the risks of such evolving threats.”


African countries featured in top 20

Threat Index Per African Country

  • Ethiopia remains in 1st place with a Normalised Risk Index of 100.
  • Zimbabwe was ranked 6th, its Normalised Risk Index dropping from 77,7 to 74,8.
  • Uganda was ranked 9th with a Normalised Risk Index of 64,8.
  • Nigeria was ranked 10th, moving from position 11, with a Normalised Risk Index of 63,1.
  • Angola was ranked 11th with a Normalised Risk Index of 62,6.
  • Kenya was ranked 13th, with its Normalised Risk Index rising to 61,1.
  • Mozambique was ranked 14th with a Normalised Risk Index of 60,3.
  • Ghana remained in 16th position with a Normalised Risk Index of 59,4.

Egypt was once again the best performing country in Africa out of the 109 surveyed in the Index, sitting at position 107 with a Normalised Risk Index that fell significantly to 25,9 from 31,1 the previous month.


“Despite Nigeria being the largest economy in Africa, it continues to face one of the highest frequencies of cyber-attacks, with organisations being attacked on average 3,759 times per week. In 2024, ransomware has become the most significant cyber threat in Nigeria, with attacks exploiting zero-day vulnerabilities and causing widespread damage to both public and private entities,” says Kingsley Oseghale, Country Manager West Africa, Check Point Software Technologies.

Top Malware Families

The arrows indicate the change in rank compared to the previous month. FakeUpdates was the most prevalent malware in February, closely followed by Androxgh0st and Remcos all impacting 3% of organisations worldwide.

  1. ↔ FakeUpdates – FakeUpdates (AKA SocGholish) continues to dominate, delivering secondary payloads through drive-by downloads on compromised or malicious websites. This malware is often linked to the Russian hacking group Evil Corp and remains a significant threat for organisations globally.

  2. ↑ Androxgh0st – Androxgh0st, a Python-based malware targeting Laravel applications, has risen in the ranks. It scans for exposed .env files, often containing sensitive information such as login credentials, which it then exfiltrates. Once access is gained, additional malware can be deployed, and cloud resources can be exploited.

  3. ↔ Remcos – Remcos, a Remote Access Trojan (RAT), remains a top malware strain, frequently used in phishing campaigns. Its ability to bypass security mechanisms, such as User Account Control (UAC), makes it a versatile tool for cybercriminals.

  4. ↑ AsyncRAT – AsyncRAT is a remote access Trojan (RAT) that targets Windows systems and was first identified in 2019. It exfiltrates system information to a command-and-control server and can execute various commands, such as downloading plugins, terminating processes, capturing screenshots, and updating itself. Typically distributed through phishing campaigns, AsyncRAT is utilised for data theft and system compromise.

  5. ↑ AgentTesla – AgentTesla is an advanced RAT (remote access Trojan) that functions as a keylogger and password stealer. Active since 2014, AgentTesla can monitor and collect the victim’s keyboard input and system clipboard, record screenshots, and exfiltrate credentials entered for a variety of software installed on the victim’s machine (including Google Chrome, Mozilla Firefox, and the Microsoft Outlook email client). AgentTesla is openly sold as a legitimate RAT, with customers paying $15 – $69 for user licenses.
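The Androxgh0st entry above describes scanning for exposed .env files. A web server's own access log is the simplest place to see that scanning and to confirm whether any such request was actually served. The following is an added example, not code from the article or from Check Point: it parses constructed combined-format access log lines, flags every request whose path targets a .env file (including percent-encoded and backup-suffixed variants), and reports the probing sources and any path that returned HTTP 200. The log layout, IP addresses and paths are all invented for the example.

```python
"""
Detect requests probing for exposed .env files in web access logs.
Added example with constructed log lines; not Check Point's or the article's code.
Assumes the Apache/Nginx combined log format for each line.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Combined Log Format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# A .env file, or a variant such as .env.backup / .env.local, as the final path element.
ENV_PATH_RE = re.compile(r'(^|/)\.env(\.[\w.-]+)?$', re.IGNORECASE)


def parse_line(line):
    """Return the parsed fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Drop the query string and decode percent-encoding so "/%2Eenv?x=1" becomes "/.env".
    rec["path"] = unquote(rec["path"].split("?", 1)[0])
    rec["status"] = int(rec["status"])
    return rec


def is_env_probe(path):
    """True if the (decoded) request path targets a .env file."""
    return ENV_PATH_RE.search(path) is not None


def find_env_probes(lines):
    """Return parsed records for every request whose path targets a .env file."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_env_probe(rec["path"]):
            hits.append(rec)
    return hits


def summarise(hits):
    """Probe count per source IP, plus any .env path the server actually served (200)."""
    by_ip = Counter(h["ip"] for h in hits)
    exposed = sorted({h["path"] for h in hits if h["status"] == 200})
    return {"by_ip": dict(by_ip), "exposed_paths": exposed}


# Constructed sample log lines (not real traffic). The third line simulates a
# backup copy of .env that the server served with 200, which is the case that
# needs immediate credential rotation.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Feb/2025:10:01:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    '203.0.113.7 - - [12/Feb/2025:10:01:03 +0000] "GET /vendor/.env HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    '203.0.113.7 - - [12/Feb/2025:10:01:04 +0000] "GET /%2Eenv.backup?x=1 HTTP/1.1" 200 412 "-" "python-requests/2.31"',
    '198.51.100.4 - - [12/Feb/2025:10:02:11 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Feb/2025:10:02:12 +0000] "GET /environment HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(summarise(find_env_probes(SAMPLE_LOG)))
```

A 404 on these paths means the scan found nothing; any 200 means the file was exposed and every secret in it (database, mail and cloud credentials) should be treated as compromised, which matches the follow-on cloud abuse the entry describes. The path check decodes percent-encoding first, because a pattern applied to the raw request string would miss the encoded variant.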

Top Mobile Malware

  1. ↔ Anubis – Anubis continues to rank as the top mobile malware. It remains a significant banking trojan, capable of bypassing multi-factor authentication (MFA), keylogging, and performing ransomware functions.

  2. ↑ Necro – Necro, a malicious Android downloader, has moved up in rank. It allows cybercriminals to execute harmful components based on commands from its creators, enabling a range of malicious actions on infected devices.

  3. ↓ AhMyth – AhMyth, a remote access trojan (RAT) targeting Android devices, has slightly decreased in prevalence. It remains a significant threat due to its ability to exfiltrate sensitive information such as banking credentials and MFA codes.

Top-Attacked Industries Globally

  1. Education
  2. Telecommunications
  3. Government

Top Ransomware Groups

Clop remains the most prevalent ransomware group, responsible for 35% of the published attacks. It is followed by RansomHub and Akira.

  1. Clop – Clop continues to be a major player in the ransomware space, utilising the “double extortion” tactic to threaten victims with the public release of stolen data unless a ransom is paid.
  2. RansomHub – A prominent Ransomware-as-a-Service (RaaS) operation, RansomHub emerged as a rebranded version of Knight ransomware. It has quickly gained notoriety for its sophisticated and widespread campaigns targeting various systems, including Windows, macOS, and Linux.
  3. Akira – Akira, a newer ransomware group, focuses on targeting Windows and Linux systems. The group has been linked to phishing campaigns and exploits in VPN endpoints, making it a serious threat for organisations.

For the full February 2025 Global Threat Index and additional insights, visit the Check Point blog.
