Statistics across all threats

The percentage of ICS computers on which malicious objects were blocked has been decreasing since the beginning of 2024. In Q4 2025, it was 19.7%. Over the past three years, the percentage has decreased by 1.36 times, and by 1.25 times since Q4 2023.

Regionally, in Q4 2025, the percentage of ICS computers on which malicious objects were blocked ranged from 8.5% in Northern Europe to 27.3% in Africa.

Four regions saw an increase in the percentage of ICS computers on which malicious objects were blocked. The most notable increases occurred in Southern Europe and South Asia. In Q3 2025, East Asia experienced a sharp increase triggered by the local spread of malicious scripts, but the figure has since returned to normal.

Feature of the quarter: worms in email

In Q4 2025, the percentage of ICS computers on which wormsinemailattachments were blocked increasedinallregions of the world.

Many of the blocked threats were related to the worm Backdoor.MSIL.XWorm. This malware is designed to persist on the system and then remotely control it.

Interestingly, this threat was not detected on ICS computers in the previous quarter, yet it appeared in all regions in Q4 2025.

A study found that the active spread of Backdoor.MSIL.XWorm via phishing emails was likely linked to the use by hackers of another malware obfuscation technique that was actively used during massive phishing campaigns in Q4 2025. These campaigns have been known since 2024 as “Curriculum-vitae-catalina”.

The attackers distributed phishing emails to HR managers, recruiters, and employees responsible for hiring. The messages were disguised as responses from job applicants with subjects such as “Resume” or “Attached Resume” and contained a malicious executable file under the guise of a curriculum vitae. Typically, the file was named Curriculum Vitae-Catalina.exe. When executed, it infected the system.

In Q4 2025, the threat spread across regions in two waves — one in October and another in November. Russia, Western Europe, South America, and North America (Canada) were attacked in October. A spike in Backdoor.MSIL.XWorm blocking was observed in other regions in November. The attack subsided in all regions in December.

The highest percentage of ICS computers on which Backdoor.MSIL.XWorm was blocked was observed in regions where threats from email clients had been historically blocked at high rates on ICS computers: Southern Europe, South America, and the Middle East.

At the same time, in Africa, where USB storage media are still actively used, the threat was also detected when removable devices were connected to ICS computers.

Selected industries

The biometrics sector has historically led the rankings of industries and OT infrastructures surveyed in this report in terms of the percentage of ICS computers on which malicious objects were blocked.

These systems are characterized by accessibility to and from the internet, as well as minimal cybersecurity controls by the consumer organization.

In Q4 2025, the percentage of ICS computers on which malicious objects were blocked increased only in one sector: oil and gas. The corresponding figures increased in two regions: Russia, and Central Asia and the South Caucasus.

However, if we look at a broader time span, there is a downward trend in all the surveyed industries.

Diversity of detected malicious objects

In Q4 2025, Kaspersky protection solutions blocked malware from 10,142 different malware families of various categories on industrial automation systems.

In Q4 2025, there was an increase in the percentage of ICS computers on which worms, and miners in the form of executable files for Windows were blocked. These were the only categories that exhibited an increase.

Main threat sources

Depending on the threat detection and blocking scenario, it is not always possible to reliably identify the source. The circumstantial evidence for a specific source can be the blocked threat’s type (category).

The internet (visiting malicious or compromised internet resources; malicious content distributed via messengers; cloud data storage and processing services and CDNs), email clients (phishing emails), and removable storage devices remain the primary sources of threats to computers in an organization’s technology infrastructure.

In Q4 2025, the percentage of ICS computers on which malicious objects from various sources were blocked decreased. All sources except email clients saw their lowest levels in three years.

The same computer can be attacked by several categories of malware from the same source during a quarter. That computer is counted when calculating the percentage of attacked computers for each threat category, but is only counted once for the threat source (we count unique attacked computers). In addition, it is not always possible to accurately determine the initial infection attempt. Therefore, the total percentage of ICS computers on which various categories of threats from a certain source were blocked can exceed the percentage of computers affected by the source itself.

• In Q4 2025, the percentage of ICS computers on which threats from the internet were blocked decreased to 7.67% and reached its lowest level since the beginning of 2023. The main categories of internet threats are malicious scripts and phishing pages, and denylisted internet resources. The percentage ranged from 3.96% in Northern Europe to 11.33% in South Asia.
• The main categories of threats from email clients blocked on ICS computers were malicious scripts and phishing pages, spyware, and malicious documents. Most of the spyware detected in phishing emails was delivered as a password archive or a multi-layered script embedded in office document files. The percentage of ICS computers on which threats from email clients were blocked ranged from 0.64% in Northern Europe to 6.34% in Southern Europe.
• The main categories of threats that were blocked when removable media was connected to ICS computers were worms, viruses, and spyware. The percentage of ICS computers on which threats from removable media were blocked ranged from 0.05% in Australia and New Zealand to 1.41% in Africa.
• The main categories of threats that spread through network folders in Q4 2025 were viruses, AutoCAD malware, worms, and spyware. The percentage of ICS computers on which threats from network folders were blocked ranged from 0.01% in Northern Europe to 0.18% in East Asia.

Threat categories

Typical attacks blocked within an OT network are multi-step sequences of malicious activities, where each subsequent step of the attackers is aimed at increasing privileges and/or gaining access to other systems by exploiting the security problems of industrial enterprises, including OT infrastructures.

Malicious objects used for initial infection

In Q4 2025, the percentage of ICS computers on which denylisted internet resources were blocked decreased to 3.26%. This is the lowest quarterly figure since the beginning of 2022, and it has decreased by 1.8 times since Q2 2025.

Regionally, the percentage of ICS computers on which denylisted internet resources were blocked ranged from 1.74% in Northern Europe to 3.93% in Southeast Asia, which displaced Africa from first place. Russia rounded out the top three regions for this indicator.

The percentage of ICS computers on which malicious documents were blocked increased for three consecutive quarters. However, in Q4 2025 it decreased by 0.22 pp to 1.76%.

Regionally, the percentage ranged from 0.46% in Northern Europe to 3.82% in Southern Europe. In Q4 2025, the indicator increased in Eastern Europe, Russia, and Western Europe.

The percentage of ICS computers on which malicious scripts and phishing pages were blocked decreased to 6.58%. Despite the decline, this category led the rankings of threat categories in terms of the percentage of ICS computers on which they were blocked.

Regionally, the percentage ranged from 2.52% in Northern Europe to 10.50% in South Asia. The indicator increased in South Asia, South America, Southern Europe, and Africa. South Asia saw the most notable increase, at 3.47 pp.

Next-stage malware

Malicious objects used to initially infect computers deliver next-stage malware — spyware, ransomware, and miners — to victims’ computers. As a rule, the higher the percentage of ICS computers on which the initial infection malware is blocked, the higher the percentage for next-stage malware.

In Q4 2025, the percentage of ICS computers on which spyware, ransomware and web miners were blocked decreased. The rates were:

• Spyware: 3.80% (down 0.24 pp). For the second quarter in a row, spyware took second place in the rankings of threat categories in terms of the percentage of ICS computers on which it was blocked.
• Ransomware: 0.16% (down 0.01 pp).
• Web miners: 0.24% (down 0.01 pp), this is the lowest level observed thus far in the period under review.

The percentage of ICS computers on which miners in the form of executable files for Windows were blocked increased to 0.60% (up 0.03 pp).

Self-propagating malware

Self-propagating malware (worms and viruses) is a category unto itself. Worms and virus-infected files were originally used for initial infection, but as botnet functionality evolved, they took on next-stage characteristics.

To spread across ICS networks, viruses and worms rely on removable media and network folders and are distributed in the form of infected files, such as archives with backups, office documents, pirated games and hacked applications. In rarer and more dangerous cases, web pages with network equipment settings, as well as files stored in internal document management systems, product lifecycle management (PLM) systems, resource management (ERP) systems and other web services are infected.

In Q4 2025, the percentage of ICS computers on which worms were blocked increased by 1.6 times to 1.60%. As mentioned above, this increase is related to a global phishing attack that spread the Backdoor.MSIL.XWorm backdoor worm across all regions of the world. The percentage increased in all regions. The biggest increase (up by 2.16 times) was in Southern Europe. The malware was primary distributed through email clients, and Southern Europe led the way in terms of the percentage of ICS computers on which threats from email clients were blocked.

The percentage of ICS computers on which viruses were blocked decreased to 1.33%.

AutoCAD malware

This category of malware can spread in a variety of ways, so it does not belong to a specific group.

After an increase in the previous quarter, the percentage of ICS computers on which AutoCAD malware was blocked decreased to 0.29% in Q4 2025.

For more information on industrial threats see the full version of the report.

Starting from the third quarter of 2025, we have updated our statistical methodology based on the Kaspersky Security Network. These changes affect all sections of the report except for the installation package statistics, which remain unchanged.

To illustrate trends between reporting periods, we have recalculated the previous year’s data; consequently, these figures may differ significantly from previously published numbers. All subsequent reports will be generated using this new methodology, ensuring accurate data comparisons with the findings presented in this article.

Kaspersky Security Network (KSN) is a global network for analyzing anonymized threat intelligence, voluntarily shared by Kaspersky users. The statistics in this report are based on KSN data unless explicitly stated otherwise.

The year in figures

According to Kaspersky Security Network, in 2025:

• Over 14 million attacks involving malware, adware or unwanted mobile software were blocked.
• Adware remained the most prevalent mobile threat, accounting for 62% of all detections.
• Over 815 thousand malicious installation packages were detected, including 255 thousand mobile banking Trojans.

The year’s highlights

In 2025, cybercriminals launched an average of approximately 1.17 million attacks per month against mobile devices using malicious, advertising, or unwanted software. In total, Kaspersky solutions blocked 14,059,465 attacks throughout the year.

Attacks on Kaspersky mobile users in 2025 (download)

Beyond the malware mentioned in previous quarterly reports, 2025 saw the discovery of several other notable Trojans. Among these, in Q4 we uncovered the Keenadu preinstalled backdoor. This malware is integrated into device firmware during the manufacturing stage. The malicious code is injected into libandroid_runtime.so – a core library for the Android Java runtime environment – allowing a copy of the backdoor to enter the address space of every app running on the device. Depending on the specific app, the malware can then perform actions such as inflating ad views, displaying banners on behalf of other apps, or hijacking search queries. The functionality of Keenadu is virtually unlimited, as its malicious modules are downloaded dynamically and can be updated remotely.

Cybersecurity researchers also identified the Kimwolf IoT botnet, which specifically targets Android TV boxes. Infected devices are capable of launching DDoS attacks, operating as reverse proxies, and executing malicious commands via a reverse shell. Subsequent analysis revealed that Kimwolf’s reverse proxy functionality was being leveraged by proxy providers to use compromised home devices as residential proxies.

Another notable discovery in 2025 was the LunaSpy Trojan.

Disguised as antivirus software, this spyware exfiltrates browser passwords, messaging app credentials, SMS messages, and call logs. Furthermore, it is capable of recording audio via the device’s microphone and capturing video through the camera. This threat primarily targeted users in Russia.

Mobile threat statistics

815,735 new unique installation packages were observed in 2025, showing a decrease compared to the previous year. While the decline in 2024 was less pronounced, this past year saw the figure drop by nearly one-third.

Detected Android-specific malware and unwanted software installation packages in 2022–2025 (download)

The overall decrease in detected packages is primarily due to a reduction in apps categorized as not-a-virus. Conversely, the number of Trojans has increased significantly, a trend clearly reflected in the distribution data below.

Detected packages by type

Distribution* of detected mobile software by type, 2024–2025 (download)

* The data for the previous year may differ from previously published data due to some verdicts being retrospectively revised.

A significant increase in Trojan-Banker and Trojan-Spy apps was accompanied by a decline in AdWare and RiskTool files. The most prevalent banking Trojans were Mamont (accounting for 49.8% of apps) and Creduz (22.5%). Leading the persistent adware category were MobiDash (39%), Adlo (27%), and HiddenAd (20%).

Share* of users attacked by each type of malware or unwanted software out of all users of Kaspersky mobile solutions attacked in 2024–2025 (download)

* The total may exceed 100% if the same users encountered multiple attack types.

Trojan-Banker malware saw a significant surge in 2025, not only in terms of unique file counts but also in the total number of attacks. Nevertheless, this category ranked fourth overall, trailing far behind the Trojan file category, which was dominated by various modifications of Triada and Fakemoney.

TOP 20 types of mobile malware

Note that the malware rankings below exclude riskware and potentially unwanted apps, such as RiskTool and adware.

Verdict	% 2024*	% 2025*	Difference in p.p.	Change in ranking
Trojan.AndroidOS.Triada.fe	0.04	9.84	+9.80
Trojan.AndroidOS.Triada.gn	2.94	8.14	+5.21	+6
Trojan.AndroidOS.Fakemoney.v	7.46	7.97	+0.51	+1
DangerousObject.Multi.Generic	7.73	5.83	–1.91	–2
Trojan.AndroidOS.Triada.ii	0.00	5.25	+5.25
Trojan-Banker.AndroidOS.Mamont.da	0.10	4.12	+4.02
Trojan.AndroidOS.Triada.ga	10.56	3.75	–6.81	–6
Trojan-Banker.AndroidOS.Mamont.db	0.01	3.53	+3.51
Backdoor.AndroidOS.Triada.z	0.00	2.79	+2.79
Trojan-Banker.AndroidOS.Coper.c	0.81	2.54	+1.72	+35
Trojan-Clicker.AndroidOS.Agent.bh	0.34	2.48	+2.14	+74
Trojan-Dropper.Linux.Agent.gen	1.82	2.37	+0.55	+4
Trojan.AndroidOS.Boogr.gsh	5.41	2.06	–3.35	–8
DangerousObject.AndroidOS.GenericML	2.42	1.97	–0.45	–3
Trojan.AndroidOS.Triada.gs	3.69	1.93	–1.76	–9
Trojan-Downloader.AndroidOS.Agent.no	0.00	1.87	+1.87
Trojan.AndroidOS.Triada.hf	0.00	1.75	+1.75
Trojan-Banker.AndroidOS.Mamont.bc	1.13	1.65	+0.51	+8
Trojan.AndroidOS.Generic.	2.13	1.47	–0.66	–6
Trojan.AndroidOS.Triada.hy	0.00	1.44	+1.44

* Unique users who encountered this malware as a percentage of all attacked users of Kaspersky mobile solutions.

The list is largely dominated by the Triada family, which is distributed via malicious modifications of popular messaging apps. Another infection vector involves tricking victims into installing an official messaging app within a “customized virtual environment” that supposedly offers enhanced configuration options. Fakemoney scam applications, which promise fraudulent investment opportunities or fake payouts, continue to target users frequently, ranking third in our statistics. Meanwhile, the Mamont banking Trojan variants occupy the 6th, 8th, and 18th positions by number of attacks. The Triada backdoor preinstalled in the firmware of certain devices reached the 9th spot.

Region-specific malware

This section describes malware families whose attack campaigns are concentrated within specific countries.

Verdict	Country*	%**
Trojan-Banker.AndroidOS.Coper.a	Türkiye	95.74
Trojan-Dropper.AndroidOS.Hqwar.bj	Türkiye	94.96
Trojan.AndroidOS.Thamera.bb	India	94.71
Trojan-Proxy.AndroidOS.Agent.q	Germany	93.70
Trojan-Banker.AndroidOS.Coper.c	Türkiye	93.42
Trojan-Banker.AndroidOS.Rewardsteal.lv	India	92.44
Trojan-Banker.AndroidOS.Rewardsteal.jp	India	92.31
Trojan-Banker.AndroidOS.Rewardsteal.ib	India	91.91
Trojan-Dropper.AndroidOS.Rewardsteal.h	India	91.45
Trojan-Banker.AndroidOS.Rewardsteal.nk	India	90.98
Trojan-Dropper.AndroidOS.Agent.sm	Türkiye	90.34
Trojan-Dropper.AndroidOS.Rewardsteal.ac	India	89.38
Trojan-Banker.AndroidOS.Rewardsteal.oa	India	89.18
Trojan-Banker.AndroidOS.Rewardsteal.ma	India	88.58
Trojan-Spy.AndroidOS.SmForw.ko	India	88.48
Trojan-Dropper.AndroidOS.Pylcasa.c	Brazil	88.25
Trojan-Dropper.AndroidOS.Hqwar.bf	Türkiye	88.15
Trojan-Banker.AndroidOS.Agent.pp	India	87.85

* Country where the malware was most active.
** Unique users who encountered the malware in the indicated country as a percentage of all users of Kaspersky mobile solutions who were attacked by the same malware.

Türkiye saw the highest concentration of attacks from Coper banking Trojans and their associated Hqwar droppers. In India, Rewardsteal Trojans continued to proliferate, exfiltrating victims’ payment data under the guise of monetary giveaways. Additionally, India saw a resurgence of the Thamera Trojan, which we previously observed frequently attacking users in 2023. This malware hijacks the victim’s device to illicitly register social media accounts.

The Trojan-Proxy.AndroidOS.Agent.q campaign, concentrated in Germany, utilized a compromised third-party application designed for tracking discounts at a major German retail chain. Attackers monetized these infections through unauthorized use of the victims’ devices as residential proxies.

In Brazil, 2025 saw a concentration of Pylcasa Trojan attacks. This malware is primarily used to redirect users to phishing pages or illicit online casino sites.

Mobile banking Trojans

The number of new banking Trojan installation packages surged to 255,090, representing a several-fold increase over previous years.

Mobile banking Trojan installation packages detected by Kaspersky in 2022–2025 (download)

Notably, the total number of attacks involving bankers grew by 1.5 times, maintaining the same growth rate seen in the previous year. Given the sharp spike in the number of unique malicious packages, we can conclude that these attacks yield significant profit for cybercriminals. This is further evidenced by the fact that threat actors continue to diversify their delivery channels and accelerate the production of new variants in an effort to evade detection by security solutions.

TOP 10 mobile bankers

Verdict	% 2024*	% 2025*	Difference in p.p.	Change in ranking
Trojan-Banker.AndroidOS.Mamont.da	0.86	15.65	+14.79	+28
Trojan-Banker.AndroidOS.Mamont.db	0.12	13.41	+13.29
Trojan-Banker.AndroidOS.Coper.c	7.19	9.65	+2.46	+2
Trojan-Banker.AndroidOS.Mamont.bc	10.03	6.26	–3.77	–3
Trojan-Banker.AndroidOS.Mamont.ev	0.00	4.10	+4.10
Trojan-Banker.AndroidOS.Coper.a	9.04	4.00	–5.04	–4
Trojan-Banker.AndroidOS.Mamont.ek	0.00	3.73	+3.73
Trojan-Banker.AndroidOS.Mamont.cb	0.64	3.04	+2.40	+26
Trojan-Banker.AndroidOS.Faketoken.pac	2.17	2.95	+0.77	+5
Trojan-Banker.AndroidOS.Mamont.hi	0.00	2.75	+2.75

* Unique users who encountered this malware as a percentage of all users of Kaspersky mobile solutions who encountered banking threats.

In 2025, we observed a massive surge in activity from Mamont banking Trojans. They accounted for approximately half of all new apps in their category and also were utilized in half of all banking Trojan attacks.

Conclusion

The year 2025 saw a continuing trend toward a decline in total unique unwanted software installation packages. However, we noted a significant year-over-year increase in specific threats – most notably mobile banking Trojans and spyware – even though adware remained the most frequently detected threat overall.

Among the mobile threats detected, we have seen an increased prevalence of preinstalled backdoors, such as Triada and Keenadu. Consistent with last year’s findings, certain mobile malware families continue to proliferate via official app stores. Finally, we have observed a growing interest among threat actors in leveraging compromised devices as proxies.

All statistics in this report come from Kaspersky Security Network (KSN), a global cloud service that receives information from components in our security solutions voluntarily provided by Kaspersky users. Millions of Kaspersky users around the globe assist us in collecting information about malicious activity. The statistics in this report cover the period from November 2024 through October 2025. The report doesn’t cover mobile statistics, which we will share in our annual mobile malware report.

During the reporting period:

• 48% of Windows users and 29% of macOS users encountered cyberthreats
• 27% of all Kaspersky users encountered web threats, and 33% users were affected by on-device threats
• The highest share of users affected by web threats was in CIS (34%), and local threats were most often detected in Africa (41%)
• Kaspersky solutions prevented nearly 1,6 times more password stealer attacks than in the previous year
• In APAC password stealer detections saw a 132% surge compared to the previous year
• Kaspersky solutions detected 1,5 times more spyware attacks than in the previous year

To find more yearly statistics on cyberthreats view the full report.

IT threat evolution in Q3 2025. Mobile statistics
IT threat evolution in Q3 2025. Non-mobile statistics

The quarter at a glance

In the third quarter of 2025, we updated the methodology for calculating statistical indicators based on the Kaspersky Security Network. These changes affected all sections of the report except for the statistics on installation packages, which remained unchanged.

To illustrate the differences between the reporting periods, we have also recalculated data for the previous quarters. Consequently, these figures may significantly differ from the previously published ones. However, subsequent reports will employ this new methodology, enabling precise comparisons with the data presented in this post.

The Kaspersky Security Network (KSN) is a global network for analyzing anonymized threat information, voluntarily shared by users of Kaspersky solutions. The statistics in this report are based on KSN data unless explicitly stated otherwise.

The quarter in numbers

According to Kaspersky Security Network, in Q3 2025:

• 47 million attacks utilizing malware, adware, or unwanted mobile software were prevented.

• Trojans were the most widespread threat among mobile malware, encountered by 15.78% of all attacked users of Kaspersky solutions.
• More than 197,000 malicious installation packages were discovered, including:
  • 52,723 associated with mobile banking Trojans.
  • 1564 packages identified as mobile ransomware Trojans.

Quarterly highlights

The number of malware, adware, or unwanted software attacks on mobile devices, calculated according to the updated rules, totaled 3.47 million in the third quarter. This is slightly less than the 3.51 million attacks recorded in the previous reporting period.

Attacks on users of Kaspersky mobile solutions, Q2 2024 — Q3 2025 (download)

At the start of the quarter, a user complained to us about ads appearing in every browser on their smartphone. We conducted an investigation, discovering a new version of the BADBOX backdoor, preloaded on the device. This backdoor is a multi-level loader embedded in a malicious native library, librescache.so, which was loaded by the system framework. As a result, a copy of the Trojan infiltrated every process running on the device.

Another interesting finding was Trojan-Downloader.AndroidOS.Agent.no, which was embedded in mods for messaging and other apps. It downloaded Trojan-Clicker.AndroidOS.Agent.bl onto the device. The clicker received a URL from its server where an ad was being displayed, opened it in an invisible WebView window, and used machine learning algorithms to find and click the close button. In this way, fraudsters exploited the user’s device to artificially inflate ad views.

Mobile threat statistics

In the third quarter, Kaspersky security solutions detected 197,738 samples of malicious and unwanted software for Android, which is 55,000 more than in the previous reporting period.

Detected malicious and potentially unwanted installation packages, Q3 2024 — Q3 2025 (download)

The detected installation packages were distributed by type as follows:

Detected mobile apps by type, Q2* — Q3 2025 (download)

* Changes in the statistical calculation methodology do not affect this metric. However, data for the previous quarter may differ slightly from previously published figures due to a retrospective review of certain verdicts.

The share of banking Trojans decreased somewhat, but this was due less to a reduction in their numbers and more to an increase in other malicious and unwanted packages. Nevertheless, banking Trojans, still dominated by Mamont packages, continue to hold the top spot. The rise in Trojan droppers is also linked to them: these droppers are primarily designed to deliver banking Trojans.

Share* of users attacked by the given type of malicious or potentially unwanted app out of all targeted users of Kaspersky mobile products, Q2 — Q3 2025 (download)

* The total may exceed 100% if the same users experienced multiple attack types.

Adware leads the pack in terms of the number of users attacked, with a significant margin. The most widespread types of adware are HiddenAd (56.3%) and MobiDash (27.4%). RiskTool-type unwanted apps occupy the second spot. Their growth is primarily due to the proliferation of the Revpn module, which monetizes user internet access by turning their device into a VPN exit point. The most popular Trojans predictably remain Triada (55.8%) and Fakemoney (24.6%). The percentage of users who encountered these did not undergo significant changes.

TOP 20 most frequently detected types of mobile malware

Note that the malware rankings below exclude riskware and potentially unwanted software, such as RiskTool or adware.

Verdict	%* Q2 2025	%* Q3 2025	Difference in p.p.	Change in ranking
Trojan.AndroidOS.Triada.ii	0.00	13.78	+13.78
Trojan.AndroidOS.Triada.fe	12.54	10.32	–2.22	–1
Trojan.AndroidOS.Triada.gn	9.49	8.56	–0.93	–1
Trojan.AndroidOS.Fakemoney.v	8.88	6.30	–2.59	–1
Backdoor.AndroidOS.Triada.z	3.75	4.53	+0.77	+1
DangerousObject.Multi.Generic.	4.39	4.52	+0.13	–1
Trojan-Banker.AndroidOS.Coper.c	3.20	2.86	–0.35	+1
Trojan.AndroidOS.Triada.if	0.00	2.82	+2.82
Trojan-Dropper.Linux.Agent.gen	3.07	2.64	–0.43	+1
Trojan-Dropper.AndroidOS.Hqwar.cq	0.37	2.52	+2.15	+60
Trojan.AndroidOS.Triada.hf	2.26	2.41	+0.14	+2
Trojan.AndroidOS.Triada.ig	0.00	2.19	+2.19
Backdoor.AndroidOS.Triada.ab	0.00	2.00	+2.00
Trojan-Banker.AndroidOS.Mamont.da	5.22	1.82	–3.40	–10
Trojan-Banker.AndroidOS.Mamont.hi	0.00	1.80	+1.80
Trojan.AndroidOS.Triada.ga	3.01	1.71	–1.29	–5
Trojan.AndroidOS.Boogr.gsh	1.60	1.68	+0.08	0
Trojan-Downloader.AndroidOS.Agent.nq	0.00	1.63	+1.63
Trojan.AndroidOS.Triada.hy	3.29	1.62	–1.67	–12
Trojan-Clicker.AndroidOS.Agent.bh	1.32	1.56	+0.24	0

* Unique users who encountered this malware as a percentage of all attacked users of Kaspersky mobile solutions.

The top positions in the list of the most widespread malware are once again occupied by modified messaging apps Triada.ii, Triada.fe, Triada.gn, and others. The pre-installed backdoor Triada.z ranked fifth, immediately following Fakemoney – fake apps that collect users’ personal data under the guise of providing payments or financial services. The dropper that landed in ninth place, Agent.gen, is an obfuscated ELF file linked to the banking Trojan Coper.c, which sits immediately after DangerousObject.Multi.Generic.

Region-specific malware

In this section, we describe malware that primarily targets users in specific countries.

Verdict	Country*	%**
Trojan-Dropper.AndroidOS.Hqwar.bj	Turkey	97.22
Trojan-Banker.AndroidOS.Coper.c	Turkey	96.35
Trojan-Dropper.AndroidOS.Agent.sm	Turkey	95.10
Trojan-Banker.AndroidOS.Coper.a	Turkey	95.06
Trojan-Dropper.AndroidOS.Agent.uq	India	92.20
Trojan-Banker.AndroidOS.Rewardsteal.qh	India	91.56
Trojan-Banker.AndroidOS.Agent.wb	India	85.89
Trojan-Dropper.AndroidOS.Rewardsteal.ab	India	84.14
Trojan-Dropper.AndroidOS.Banker.bd	India	82.84
Backdoor.AndroidOS.Teledoor.a	Iran	81.40
Trojan-Dropper.AndroidOS.Hqwar.gy	Turkey	80.37
Trojan-Dropper.AndroidOS.Banker.ac	India	78.55
Trojan-Ransom.AndroidOS.Rkor.ii	Germany	76.90
Trojan-Dropper.AndroidOS.Banker.bg	India	75.12
Trojan-Banker.AndroidOS.UdangaSteal.b	Indonesia	75.00
Trojan-Dropper.AndroidOS.Banker.bc	India	74.73
Backdoor.AndroidOS.Teledoor.c	Iran	70.33

* The country where the malware was most active.
** Unique users who encountered this Trojan modification in the indicated country as a percentage of all Kaspersky mobile security solution users attacked by the same modification.

Banking Trojans, primarily Coper, continue to operate actively in Turkey. Indian users also attract threat actors distributing this type of software. Specifically, the banker Rewardsteal is active in the country. Teledoor backdoors, embedded in a fake Telegram client, have been deployed in Iran.
Notable is the surge in Rkor ransomware Trojan attacks in Germany. The activity was significantly lower in previous quarters. It appears the fraudsters have found a new channel for delivering malicious apps to users.

Mobile banking Trojans

In the third quarter of 2025, 52,723 installation packages for mobile banking Trojans were detected, 10,000 more than in the second quarter.

Installation packages for mobile banking Trojans detected by Kaspersky, Q3 2024 — Q3 2025 (download)

The share of the Mamont Trojan among all bankers slightly increased again, reaching 61.85%. However, in terms of the share of attacked users, Coper moved into first place, with the same modification being used in most of its attacks. Variants of Mamont ranked second and lower, as different samples were used in different attacks. Nevertheless, the total number of users attacked by the Mamont family is greater than that of users attacked by Coper.

TOP 10 mobile bankers

Verdict	%* Q2 2025	%* Q3 2025	Difference in p.p.	Change in ranking
Trojan-Banker.AndroidOS.Coper.c	13.42	13.48	+0.07	+1
Trojan-Banker.AndroidOS.Mamont.da	21.86	8.57	–13.28	–1
Trojan-Banker.AndroidOS.Mamont.hi	0.00	8.48	+8.48
Trojan-Banker.AndroidOS.Mamont.gy	0.00	6.90	+6.90
Trojan-Banker.AndroidOS.Mamont.hl	0.00	4.97	+4.97
Trojan-Banker.AndroidOS.Agent.ws	0.00	4.02	+4.02
Trojan-Banker.AndroidOS.Mamont.gg	0.40	3.41	+3.01	+35
Trojan-Banker.AndroidOS.Mamont.cb	3.03	3.31	+0.29	+5
Trojan-Banker.AndroidOS.Creduz.z	0.17	3.30	+3.13	+58
Trojan-Banker.AndroidOS.Mamont.fz	0.07	3.02	+2.95	+86

* Unique users who encountered this malware as a percentage of all Kaspersky mobile security solution users who encountered banking threats.

Mobile ransomware Trojans

Due to the increased activity of mobile ransomware Trojans in Germany, which we mentioned in the Region-specific malware section, we have decided to also present statistics on this type of threat. In the third quarter, the number of ransomware Trojan installation packages more than doubled, reaching 1564.

Verdict	%* Q2 2025	%* Q3 2025	Difference in p.p.	Change in ranking
Trojan-Ransom.AndroidOS.Rkor.ii	7.23	24.42	+17.19	+10
Trojan-Ransom.AndroidOS.Rkor.pac	0.27	16.72	+16.45	+68
Trojan-Ransom.AndroidOS.Congur.aa	30.89	16.46	–14.44	–1
Trojan-Ransom.AndroidOS.Svpeng.ac	30.98	16.39	–14.59	–3
Trojan-Ransom.AndroidOS.Rkor.it	0.00	10.09	+10.09
Trojan-Ransom.AndroidOS.Congur.cw	15.71	9.69	–6.03	–3
Trojan-Ransom.AndroidOS.Congur.ap	15.36	9.16	–6.20	–3
Trojan-Ransom.AndroidOS.Small.cj	14.91	8.49	–6.42	–3
Trojan-Ransom.AndroidOS.Svpeng.snt	13.04	8.10	–4.94	–2
Trojan-Ransom.AndroidOS.Svpeng.ah	13.13	7.63	–5.49	–4

* Unique users who encountered the malware as a percentage of all Kaspersky mobile security solution users attacked by ransomware Trojans.

IT threat evolution in Q3 2025. Mobile statistics
IT threat evolution in Q3 2025. Non-mobile statistics

Quarterly figures

In Q3 2025:

• Kaspersky solutions blocked more than 389 million attacks that originated with various online resources.
• Web Anti-Virus responded to 52 million unique links.
• File Anti-Virus blocked more than 21 million malicious and potentially unwanted objects.
• 2,200 new ransomware variants were detected.
• Nearly 85,000 users experienced ransomware attacks.
• 15% of all ransomware victims whose data was published on threat actors’ data leak sites (DLSs) were victims of Qilin.
• More than 254,000 users were targeted by miners.

Ransomware

Quarterly trends and highlights

Law enforcement success

The UK’s National Crime Agency (NCA) arrested the first suspect in connection with a ransomware attack that caused disruptions at numerous European airports in September 2025. Details of the arrest have not been published as the investigation remains ongoing. According to security researcher Kevin Beaumont, the attack employed the HardBit ransomware, which he described as primitive and lacking its own data leak site.

The U.S. Department of Justice filed charges against the administrator of the LockerGoga, MegaCortex and Nefilim ransomware gangs. His attacks caused millions of dollars in damage, putting him on wanted lists for both the FBI and the European Union.

U.S. authorities seized over $2.8 million in cryptocurrency, $70,000 in cash, and a luxury vehicle from a suspect allegedly involved in distributing the Zeppelin ransomware. The criminal scheme involved data theft, file encryption, and extortion, with numerous organizations worldwide falling victim.

A coordinated international operation conducted by the FBI, Homeland Security Investigations (HSI), the U.S. Internal Revenue Service (IRS), and law enforcement agencies from several other countries successfully dismantled the infrastructure of the BlackSuit ransomware. The operation resulted in the seizure of four servers, nine domains, and $1.09 million in cryptocurrency. The objective of the operation was to destabilize the malware ecosystem and protect critical U.S. infrastructure.

Vulnerabilities and attacks

SSL VPN attacks on SonicWall

Since late July, researchers have recorded a rise in attacks by the Akira threat actor targeting SonicWall firewalls supporting SSL VPN. SonicWall has linked these incidents to the already-patched vulnerability CVE-2024-40766, which allows unauthorized users to gain access to system resources. Attackers exploited the vulnerability to steal credentials, subsequently using them to access devices, even those that had been patched. Furthermore, the attackers were able to bypass multi-factor authentication enabled on the devices. SonicWall urges customers to reset all passwords and update their SonicOS firmware.

Scattered Spider uses social engineering to breach VMware ESXi

The Scattered Spider (UNC3944) group is attacking VMware virtual environments. The attackers contact IT support posing as company employees and request to reset their Active Directory password. Once access to vCenter is obtained, the threat actors enable SSH on the ESXi servers, extract the NTDS.dit database, and, in the final phase of the attack, deploy ransomware to encrypt all virtual machines.

Exploitation of a Microsoft SharePoint vulnerability

In late July, researchers uncovered attacks on SharePoint servers that exploited the ToolShell vulnerability chain. In the course of investigating this campaign, which affected over 140 organizations globally, researchers discovered the 4L4MD4R ransomware based on Mauri870 code. The malware is written in Go and packed using the UPX compressor. It demands a ransom of 0.005 BTC.

The application of AI in ransomware development

A UK-based threat actor used Claude to create and launch a ransomware-as-a-service (RaaS) platform. The AI was responsible for writing the code, which included advanced features such as anti-EDR techniques, encryption using ChaCha20 and RSA algorithms, shadow copy deletion, and network file encryption.

Anthropic noted that the attacker was almost entirely dependent on Claude, as they lacked the necessary technical knowledge to provide technical support to their own clients. The threat actor sold the completed malware kits on the dark web for $400–$1,200.

Researchers also discovered a new ransomware strain, dubbed PromptLock, that utilizes an LLM directly during attacks. The malware is written in Go. It uses hardcoded prompts to dynamically generate Lua scripts for data theft and encryption across Windows, macOS and Linux systems. For encryption, it employs the SPECK-128 algorithm, which is rarely used by ransomware groups.

Subsequently, scientists from the NYU Tandon School of Engineering traced back the likely origins of PromptLock to their own educational project, Ransomware 3.0, which they detailed in a prior publication.

The most prolific groups

This section highlights the most prolific ransomware gangs by number of victims added to each group’s DLS. As in the previous quarter, Qilin leads by this metric. Its share grew by 1.89 percentage points (p.p.) to reach 14.96%. The Clop ransomware showed reduced activity, while the share of Akira (10.02%) slightly increased. The INC Ransom group, active since 2023, rose to third place with 8.15%.

Number of each group’s victims according to its DLS as a percentage of all groups’ victims published on all the DLSs under review during the reporting period (download)

Number of new variants

In the third quarter, Kaspersky solutions detected four new families and 2,259 new ransomware modifications, nearly one-third more than in Q2 2025 and slightly more than in Q3 2024.

Number of new ransomware modifications, Q3 2024 — Q3 2025 (download)

Number of users attacked by ransomware Trojans

During the reporting period, our solutions protected 84,903 unique users from ransomware. Ransomware activity was highest in July, while August proved to be the quietest month.

Number of unique users attacked by ransomware Trojans, Q3 2025 (download)

Attack geography

TOP 10 countries attacked by ransomware Trojans

In the third quarter, Israel had the highest share (1.42%) of attacked users. Most of the ransomware in that country was detected in August via behavioral analysis.

	Country/territory*	%**
1	Israel	1.42
2	Libya	0.64
3	Rwanda	0.59
4	South Korea	0.58
5	China	0.51
6	Pakistan	0.47
7	Bangladesh	0.45
8	Iraq	0.44
9	Tajikistan	0.39
10	Ethiopia	0.36

* Excluded are countries and territories with relatively few (under 50,000) Kaspersky users.
** Unique users whose computers were attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country/territory.

TOP 10 most common families of ransomware Trojans

	Name	Verdict	%*
1	(generic verdict)	Trojan-Ransom.Win32.Gen	26.82
2	(generic verdict)	Trojan-Ransom.Win32.Crypren	8.79
3	(generic verdict)	Trojan-Ransom.Win32.Encoder	8.08
4	WannaCry	Trojan-Ransom.Win32.Wanna	7.08
5	(generic verdict)	Trojan-Ransom.Win32.Agent	4.40
6	LockBit	Trojan-Ransom.Win32.Lockbit	3.06
7	(generic verdict)	Trojan-Ransom.Win32.Crypmod	2.84
8	(generic verdict)	Trojan-Ransom.Win32.Phny	2.58
9	PolyRansom/VirLock	Trojan-Ransom.Win32.PolyRansom / Virus.Win32.PolyRansom	2.54
10	(generic verdict)	Trojan-Ransom.MSIL.Agent	2.05

* Unique Kaspersky users attacked by the specific ransomware Trojan family as a percentage of all unique users attacked by this type of threat.

Miners

Number of new variants

In Q3 2025, Kaspersky solutions detected 2,863 new modifications of miners.

Number of new miner modifications, Q3 2025 (download)

Number of users attacked by miners

During the third quarter, we detected attacks using miner programs on the computers of 254,414 unique Kaspersky users worldwide.

Number of unique users attacked by miners, Q3 2025 (download)

Attack geography

TOP 10 countries and territories attacked by miners

	Country/territory*	%**
1	Senegal	3.52
2	Mali	1.50
3	Afghanistan	1.17
4	Algeria	0.95
5	Kazakhstan	0.93
6	Tanzania	0.92
7	Dominican Republic	0.86
8	Ethiopia	0.77
9	Portugal	0.75
10	Belarus	0.75

* Excluded are countries and territories with relatively few (under 50,000) Kaspersky users.
** Unique users whose computers were attacked by miners as a percentage of all unique users of Kaspersky products in the country/territory.

Attacks on macOS

In April, researchers at Iru (formerly Kandji) reported the discovery of a new spyware family, PasivRobber. We observed the development of this family throughout the third quarter. Its new modifications introduced additional executable modules that were absent in previous versions. Furthermore, the attackers began employing obfuscation techniques in an attempt to hinder sample detection.

In July, we reported on a cryptostealer distributed through fake extensions for the Cursor AI development environment, which is based on Visual Studio Code. At that time, the malicious JavaScript (JS) script downloaded a payload in the form of the ScreenConnect remote access utility. This utility was then used to download cryptocurrency-stealing VBS scripts onto the victim’s device. Later, researcher Michael Bocanegra reported on new fake VS Code extensions that also executed malicious JS code. This time, the code downloaded a malicious macOS payload: a Rust-based loader. This loader then delivered a backdoor to the victim’s device, presumably also aimed at cryptocurrency theft. The backdoor supported the loading of additional modules to collect data about the victim’s machine. The Rust downloader was analyzed in detail by researchers at Iru.

In September, researchers at Jamf reported the discovery of a previously unknown version of the modular backdoor ChillyHell, first described in 2023. Notably, the Trojan’s executable files were signed with a valid developer certificate at the time of discovery.

The new sample had been available on Dropbox since 2021. In addition to its backdoor functionality, it also contains a module responsible for bruteforcing passwords of existing system users.

By the end of the third quarter, researchers at Microsoft reported new versions of the XCSSET spyware, which targets developers and spreads through infected Xcode projects. These new versions incorporated additional modules for data theft and system persistence.

TOP 20 threats to macOS

Unique users* who encountered this malware as a percentage of all attacked users of Kaspersky security solutions for macOS (download)

* Data for the previous quarter may differ slightly from previously published data due to some verdicts being retrospectively revised.

The PasivRobber spyware continues to increase its activity, with its modifications occupying the top spots in the list of the most widespread macOS malware varieties. Other highly active threats include Amos Trojans, which steal passwords and cryptocurrency wallet data, and various adware. The Backdoor.OSX.Agent.l family, which took thirteenth place, represents a variation on the well-known open-source malware, Mettle.

Geography of threats to macOS

TOP 10 countries and territories by share of attacked users

Country/territory	%* Q2 2025	%* Q3 2025
Mainland China	2.50	1.70
Italy	0.74	0.85
France	1.08	0.83
Spain	0.86	0.81
Brazil	0.70	0.68
The Netherlands	0.41	0.68
Mexico	0.76	0.65
Hong Kong	0.84	0.62
United Kingdom	0.71	0.58
India	0.76	0.56

IoT threat statistics

This section presents statistics on attacks targeting Kaspersky IoT honeypots. The geographic data on attack sources is based on the IP addresses of attacking devices.

In Q3 2025, there was a slight increase in the share of devices attacking Kaspersky honeypots via the SSH protocol.

Distribution of attacked services by number of unique IP addresses of attacking devices (download)

Conversely, the share of attacks using the SSH protocol slightly decreased.

Distribution of attackers’ sessions in Kaspersky honeypots (download)

TOP 10 threats delivered to IoT devices

Share of each threat delivered to an infected device as a result of a successful attack, out of the total number of threats delivered (download)

In the third quarter, the shares of the NyaDrop and Mirai.b botnets significantly decreased in the overall volume of IoT threats. Conversely, the activity of several other members of the Mirai family, as well as the Gafgyt botnet, increased. As is typical, various Mirai variants occupy the majority of the list of the most widespread malware strains.

Attacks on IoT honeypots

Germany and the United States continue to lead in the distribution of attacks via the SSH protocol. The share of attacks originating from Panama and Iran also saw a slight increase.

Country/territory	Q2 2025	Q3 2025
Germany	24.58%	13.72%
United States	10.81%	13.57%
Panama	1.05%	7.81%
Iran	1.50%	7.04%
Seychelles	6.54%	6.69%
South Africa	2.28%	5.50%
The Netherlands	3.53%	3.94%
Vietnam	3.00%	3.52%
India	2.89%	3.47%
Russian Federation	8.45%	3.29%

The largest number of attacks via the Telnet protocol were carried out from China, as is typically the case. Devices located in India reduced their activity, whereas the share of attacks from Indonesia increased.

Country/territory	Q2 2025	Q3 2025
China	47.02%	57.10%
Indonesia	5.54%	9.48%
India	28.08%	8.66%
Russian Federation	4.85%	7.44%
Pakistan	3.58%	6.66%
Nigeria	1.66%	3.25%
Vietnam	0.55%	1.32%
Seychelles	0.58%	0.93%
Ukraine	0.51%	0.73%
Sweden	0.39%	0.72%

Attacks via web resources

The statistics in this section are based on detection verdicts by Web Anti-Virus, which protects users when suspicious objects are downloaded from malicious or infected web pages. These malicious pages are purposefully created by cybercriminals. Websites that host user-generated content, such as message boards, as well as compromised legitimate sites, can become infected.

TOP 10 countries that served as sources of web-based attacks

This section gives the geographical distribution of sources of online attacks (such as web pages redirecting to exploits, sites hosting exploits and other malware, and botnet C2 centers) blocked by Kaspersky products. One or more web-based attacks could originate from each unique host.

To determine the geographic source of web attacks, we matched the domain name with the real IP address where the domain is hosted, then identified the geographic location of that IP address (GeoIP).

In the third quarter of 2025, Kaspersky solutions blocked 389,755,481 attacks from internet resources worldwide. Web Anti-Virus was triggered by 51,886,619 unique URLs.

Web-based attacks by country, Q3 2025 (download)

Countries and territories where users faced the greatest risk of online infection

To assess the risk of malware infection via the internet for users’ computers in different countries and territories, we calculated the share of Kaspersky users in each location on whose computers Web Anti-Virus was triggered during the reporting period. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.

This ranked list includes only attacks by malicious objects classified as Malware. Our calculations leave out Web Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.

	Country/territory*	%**
1	Panama	11.24
2	Bangladesh	8.40
3	Tajikistan	7.96
4	Venezuela	7.83
5	Serbia	7.74
6	Sri Lanka	7.57
7	North Macedonia	7.39
8	Nepal	7.23
9	Albania	7.04
10	Qatar	6.91
11	Malawi	6.90
12	Algeria	6.74
13	Egypt	6.73
14	Bosnia and Herzegovina	6.59
15	Tunisia	6.54
16	Belgium	6.51
17	Kuwait	6.49
18	Turkey	6.41
19	Belarus	6.40
20	Bulgaria	6.36

* Excluded are countries and territories with relatively few (under 10,000) Kaspersky users.
** Unique users targeted by web-based Malware attacks as a percentage of all unique users of Kaspersky products in the country/territory.
On average, over the course of the quarter, 4.88% of devices globally were subjected to at least one web-based Malware attack.

Local threats

Statistics on local infections of user computers are an important indicator. They include objects that penetrated the target computer by infecting files or removable media, or initially made their way onto the computer in non-open form. Examples of the latter are programs in complex installers and encrypted files.

Data in this section is based on analyzing statistics produced by anti-virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media: flash drives, camera memory cards, phones, and external drives. The statistics are based on detection verdicts from the on-access scan (OAS) and on-demand scan (ODS) modules of File Anti-Virus.

In the third quarter of 2025, our File Anti-Virus recorded 21,356,075 malicious and potentially unwanted objects.

Countries and territories where users faced the highest risk of local infection

For each country and territory, we calculated the percentage of Kaspersky users on whose computers File Anti-Virus was triggered during the reporting period. This statistic reflects the level of personal computer infection in different countries and territories around the world.

Note that this ranked list includes only attacks by malicious objects classified as Malware. Our calculations leave out File Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.

	Country/territory*	%**
1	Turkmenistan	45.69
2	Yemen	33.19
3	Afghanistan	32.56
4	Tajikistan	31.06
5	Cuba	30.13
6	Uzbekistan	29.08
7	Syria	25.61
8	Bangladesh	24.69
9	China	22.77
10	Vietnam	22.63
11	Cameroon	22.53
12	Belarus	21.98
13	Tanzania	21.80
14	Niger	21.70
15	Mali	21.29
16	Iraq	20.77
17	Nicaragua	20.75
18	Algeria	20.51
19	Congo	20.50
20	Venezuela	20.48

* Excluded are countries and territories with relatively few (under 10,000) Kaspersky users.
** Unique users on whose computers local Malware threats were blocked, as a percentage of all unique users of Kaspersky products in the country/territory.
On average worldwide, local Malware threats were detected at least once on 12.36% of computers during the third quarter.