Doctor Web’s virus activity review for 2025
January 15, 2026
Among mobile threats, the most widespread were ad-displaying trojans and fake apps used in a variety of fraudulent schemes. An increase in banking trojan activity was also observed. At the same time, Doctor Web’s virus analysts discovered dozens of new malicious, unwanted, and adware programs on Google Play.
Compared to 2024, Doctor Web received fewer user requests to decrypt files affected by encoder trojans. Meanwhile, over the last year, our Internet analysts detected more fraudulent websites created to steal Telegram accounts. Moreover, unwanted financial websites were popular once again.
In 2025, Doctor Web’s anti-virus laboratory investigated several targeted attacks, one of which was carried out on a Russian engineering company. During the attack, threat actors used a number of malicious apps in an attempt to obtain confidential data from infected computers. Our experts ascertained that the Scaly Wolf hacker group was involved in the attack. Another incident occurred when a Russian government organization was attacked by the Cavalry Werewolf hacker group. Doctor Web’s virus analysts discovered many of the malicious tools used by these threat actors and also studied the features of the group and the actions it typically performs in compromised networks.
Throughout last year, Doctor Web also reported on other information security incidents. In January, our anti-virus laboratory discovered an active campaign that was being orchestrated by cybercriminals who were using a variety of different malware programs to mine Monero cryptocurrency. In April, we informed users about a trojan that cybercriminals had embedded in the firmware of several budget Android smartphone models in order to use it to steal cryptocurrency. Also in April, our experts identified an Android trojan that malicious actors had embedded into a version of a popular mapping software program and were using to spy on Russian military personnel.
In July, Doctor Web informed users about a new family of trojans designed to steal cryptocurrency and passwords. Malicious actors distributed them under the guise of game mods, patches, and cheats. In August, our virus analysts warned about the distribution of a multi-functional backdoor for mobile devices that was targeting employees of Russian businesses. Cybercriminals remotely controlled this malware and used it to steal confidential data and spy on victims.
In October, we published information about a backdoor for Android devices that cybercriminals were distributing as part of modified versions of the Telegram X messenger. This malicious program steals logins and passwords for Telegram accounts and other sensitive data. With its help, the attackers can control the victims’ hacked accounts and gain full control over the messenger itself, performing various actions on behalf of account owners.
In December, we released an article about a trojan that artificially increases the popularity of websites by pretending to be a real human so that its actions are not blocked by the anti-bot protection on the sites. This malware independently seeks out target websites in search engines, opens them, and performs clicks on the opened web pages, based on the parameters it receives from the threat actors.
The year 2025 also saw a rise in the popularity of ClickFix attacks, in which malicious actors use social engineering to trick users into running malicious code on their devices.
Principal trends of the year
- Trojans designed to display ads were highly active
- New targeted attacks occurred
- Attacks using the ClickFix method became more popular
- The number of incidents involving encoder trojans decreased
- The number of Android banking trojan detections increased
- New cases of Android device firmware infections were identified
- Various malicious and unwanted programs were again distributed via Google Play
The most notable events of 2025
In January 2025, Doctor Web’s specialists uncovered a campaign to mine Monero cryptocurrency using the malicious miner SilentCryptoMiner. Its files were disguised as various software, like programs for making video calls. When infecting computers, they removed other miners that might have been previously installed in the system. As part of this campaign, the attackers used steganography, a technique that allows certain data to be hidden among other data (for example, in images), to distribute some of the malicious components. After the specially crafted images were downloaded, the corresponding SilentCryptoMiner components were extracted from them and launched.
In April, our virus analysts informed users about the Android.Clipper.31 trojan found in the firmware of a number of budget Android smartphone models. Threat actors built this trojan into a modified version of WhatsApp messenger, which they then preinstalled on devices after compromising the supply chain of some manufacturers. Android.Clipper.31 intercepts messages sent in the trojanized messenger, searches for the Tron and Ethereum crypto wallet addresses in them, and replaces the addresses with those that belong to the attackers. At the same time, the malware conceals this substitution, and victims see the correct crypto wallet addresses in such messages.
Later in April, Doctor Web’s experts discovered the Android.Spy.1292.origin trojan, which cybercriminals embedded into a version of Alpine Quest mapping software and used to spy on Russian military personnel. The malware collected confidential information and allowed the attackers to steal files from the infected devices.
In July, Doctor Web released news material on its website covering Trojan.Scavenger malicious programs, which are designed to steal cryptocurrency and passwords. The attackers distributed these under the guise of game mods, cheats, patches, etc. The trojans were launched using legitimate software, including via the exploitation of DLL Search Order Hijacking class vulnerabilities.
In August, our specialists notified users about the spread of the multi-functional backdoor Android.Backdoor.916.origin, which was targeting representatives of Russian companies. The malware, disguised as anti-viruses, was distributed via direct messages in messengers. Once the target devices were infected, Android.Backdoor.916.origin collected confidential data and allowed the attackers to spy on victims.
Also in August, Doctor Web’s anti-virus laboratory released a study on a targeted attack that was perpetrated by the Scaly Wolf group against a Russian engineering company. Cybercriminals deployed a number of malicious tools, one of the main ones being the modular backdoor Updatar. It allowed the attackers to collect confidential data from the infected computers.
In October, Doctor Web’s experts warned about the Android.Backdoor.Baohuo.1.origin backdoor built into maliciously modified versions of the Telegram X messenger. Android.Backdoor.Baohuo.1.origin steals logins and passwords for Telegram accounts along with some other confidential data. The malware allows threat actors to gain full control over a user’s account and to control the messenger, performing actions in it on behalf of the victim. For example, the attackers can covertly join and leave Telegram channels and also conceal newly authorized devices in the interface of the trojanized Telegram X.
In November, we published a study on a targeted attack that the Cavalry Werewolf hacker group had carried out against a Russian government organization. During their investigation of the incident, Doctor Web’s experts discovered many of the attackers’ malicious tools, including open-source instruments. Our virus analysts studied the group’s features and found that the threat actors prefer to use reverse shell backdoors and often use the Telegram API to control infected computers. Moreover, they begin their attacks by sending phishing emails purporting to come from government agencies and attach malware disguised as various official documents to these messages.
In December, Doctor Web published its analysis of the Trojan.ChimeraWire malware, which artificially increases the popularity of websites, while pretending to be human. This trojan searches target sites via the Google and Bing search engines, opens the sites it has found, and performs clicks on their web pages in accordance with tasks received from the malicious actors. Trojan.ChimeraWire is installed on computers by a number of malicious programs that exploit DLL Search Order Hijacking class vulnerabilities.
During 2025, attacks using the ClickFix method became more popular. This method is based on social engineering, when cybercriminals trick potential victims into running malicious code themselves. When users visit a malicious or compromised website, it informs them of a supposed error or the need to update their browser and offers to “fix” the problem. Depending on the attack variant involved, users are either asked to copy the strings provided on the web page or to just click the corresponding button (for example, “Update” or “Fix”). In the latter case, the contents that the attackers need will be automatically copied into the clipboard. Next, users are encouraged to run a command line or a PowerShell terminal, paste the clipboard contents in there, and press the “Enter” button on their keyboard. As a result, victims will execute malicious code themselves, which will initiate an infection chain. More information about ClickFix attacks can be found in the corresponding article on our website.
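The ClickFix pattern described above has two halves that rarely occur together on legitimate pages: a script that writes to the clipboard, and on-page instructions to open a Run box or PowerShell window, paste, and press Enter. The following scanner is an added example written for this review, not Doctor Web’s code; the indicator strings, the scoring rule and the three sample pages are constructed for illustration.

```python
"""Heuristic scanner for ClickFix-style lure pages (added example, not Doctor Web's code)."""
import re

# A page is flagged only when it mixes a clipboard write with paste-and-run
# instructions; either half alone is common on benign pages.
CLIPBOARD_WRITE = [
    ("clipboard_api", re.compile(r"navigator\.clipboard\.writeText\s*\(", re.I)),
    ("execcommand_copy", re.compile(r"execCommand\s*\(\s*['\"]copy['\"]", re.I)),
    ("clipboarddata_setdata", re.compile(r"clipboardData\.setData\s*\(", re.I)),
]
RUN_INSTRUCTIONS = [
    ("win_r", re.compile(r"\b(win|windows( key)?)\s*\+\s*r\b", re.I)),
    ("run_dialog", re.compile(r"\brun\s+(dialog|box|window)\b", re.I)),
    ("ctrl_v", re.compile(r"\bctrl\s*\+\s*v\b", re.I)),
    ("press_enter", re.compile(r"\bpress\s+enter\b", re.I)),
    ("shell_named", re.compile(r"\b(powershell|command (prompt|line)|terminal)\b", re.I)),
]
PRETEXT = [
    ("update_fix_button", re.compile(r"\b(update|fix)\b[^<]{0,40}</button>", re.I)),
    ("error_or_captcha", re.compile(r"\b(error|verify (that )?you are (a )?human|robot)\b", re.I)),
]


def _matches(groups, text):
    return [name for name, rx in groups if rx.search(text)]


def assess_clickfix(html: str) -> dict:
    """Return matched indicator names and a verdict for one page's raw HTML."""
    clip = _matches(CLIPBOARD_WRITE, html)
    run = _matches(RUN_INSTRUCTIONS, html)
    pre = _matches(PRETEXT, html)
    if clip and len(run) >= 2:
        verdict = "likely ClickFix"
    elif clip and run:
        verdict = "suspicious"
    else:
        verdict = "no ClickFix pattern"
    return {"clipboard": clip, "run_instructions": run, "pretext": pre, "verdict": verdict}


# Constructed sample pages (not captured from real sites). The lure carries a
# placeholder instead of a command.
LURE_PAGE = """<html><body>
<h2>Your browser needs to be updated</h2>
<p>An error occurred while displaying this page. To fix it:</p>
<ol>
  <li>Press Win + R to open the Run dialog</li>
  <li>Press CTRL + V to paste the command</li>
  <li>Press Enter</li>
</ol>
<button onclick="navigator.clipboard.writeText(cmd)">Fix</button>
<script>var cmd = "powershell PLACEHOLDER_COMMAND";</script>
</body></html>"""

BENIGN_PAGE = """<html><body>
<h1>Share this article</h1>
<button onclick="navigator.clipboard.writeText(location.href)">Copy link</button>
</body></html>"""

HELP_PAGE = """<html><body>
<p>To open the Run dialog press Win + R, type the program name and press Enter.</p>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("lure", LURE_PAGE), ("benign", BENIGN_PAGE), ("help", HELP_PAGE)):
        print(label, assess_clickfix(page))
```

The copy-link button and the help article each match only one half of the pattern and stay unflagged; the lure matches a clipboard write plus several run-box instructions. In practice the function would run over HTML captured at a web proxy or from browser telemetry, and a hit is a prompt to look for a following explorer-launched `powershell.exe` or `cmd.exe` on the same host.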
The malware landscape
According to statistics collected by the Dr.Web anti-virus, the total number of threats detected in 2025 increased by 5.45%, compared to 2024. The number of unique threats decreased by 15.89%. Users most often encountered various malicious scripts and adware trojans. In addition, trojans that launch other malicious apps were commonly detected. Users were also targeted by trojans created in the AutoIt scripting language and distributed as part of other malware to make the latter more difficult to detect.
- VBS.KeySender.6
- VBS.KeySender.7
- A malicious script that, in an infinite loop, searches for windows containing the text “mode extensions”, “разработчика”, or “розробника” and sends them an Escape key press event, forcibly closing them.
- Trojan.BPlug.4242
- The detection name for a malicious component of the WinSafe browser extension. This component is a JavaScript file that displays intrusive ads in browsers.
- Trojan.Starter.8319
- Trojan.Starter.8326
- Trojan.Starter.8332
- The detection name for malicious XML scripts that launch Trojan.AutoIt.289 malware and its components.
- JS.Siggen5.44590
- Malicious code added to the es5-ext-main public JavaScript library. It shows a specific message if the package is installed on a server with the time zone of a Russian city.
- Trojan.Siggen30.53926
- The detection name of an Electron framework host process modified by threat actors. It mimics a Steam application component (Steam Client WebHelper) and loads a JavaScript backdoor.
- JS.MalVpn.1
- A malicious script that various malicious programs use to connect to C2 servers.
- Trojan.Siggen31.34463
- A trojan written in the Go programming language and designed to download various miner trojans and adware into infected systems. This malware is a DLL file located at %appdata%\utorrent\lib.dll. To launch, it exploits a DLL Search Order Hijacking vulnerability in the uTorrent torrent client.
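Three of the threats above (Trojan.Scavenger, the Trojan.ChimeraWire installers and Trojan.Siggen31.34463) rely on DLL Search Order Hijacking: an application resolves a DLL name by walking a fixed list of directories, and a file placed in a directory earlier in that list, typically a user-writable application directory such as one under %appdata%, is loaded instead of the intended copy. The model below is an added example written for this review, not Doctor Web’s code. It encodes the documented default search order (application directory, System32, the 16-bit System directory, the Windows directory, the current directory, then PATH), skips a small illustrative subset of KnownDLLs, and reports which imports an application would load from a user-writable directory or ahead of a same-named system copy. The application name, directory layout and import list are constructed; a real audit would read the import table from the PE header and check directory ACLs instead.

```python
"""Model of the default Windows DLL search order and the shadowing it permits.
Added example (not Doctor Web's code); file layout and imports are constructed."""
import re

# Subset of KnownDLLs, which Windows maps from a section object regardless of
# search order. Assumption: illustrative subset; read the KnownDLLs registry
# key on a real host.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll", "gdi32.dll"}


def search_order(app_dir, cwd, path_dirs, windir=r"C:\Windows"):
    """Default SafeDllSearchMode order for a desktop process."""
    return [app_dir, rf"{windir}\System32", rf"{windir}\System", windir, cwd, *path_dirs]


def user_writable(directory):
    """Heuristic: anything under a user profile is writable by that user (assumption)."""
    return re.match(r"^c:\\users\\", directory, re.I) is not None


def resolve_dll(name, order, files):
    """First directory in search order holding `name`, the one LoadLibrary would pick."""
    for d in order:
        if f"{d}\\{name}".lower() in files:
            return d.lower()
    return None


def load_plan(imports, app_dir, cwd, path_dirs, files, windir=r"C:\Windows"):
    """For each imported DLL, report where it resolves and why that is risky."""
    files = {f.lower() for f in files}
    order = search_order(app_dir, cwd, path_dirs, windir)
    system_dirs = [d.lower() for d in order[1:4]]
    plan = []
    for name in imports:
        name = name.lower()
        entry = {"name": name, "known_dll": name in KNOWN_DLLS,
                 "loaded_from": None, "writable_location": False,
                 "shadows_system_copy": False}
        if not entry["known_dll"]:
            loaded_from = resolve_dll(name, order, files)
            entry["loaded_from"] = loaded_from
            if loaded_from is not None:
                entry["writable_location"] = user_writable(loaded_from)
                # Shadowing: resolved outside the system directories although
                # a copy with the same name exists in one of them.
                entry["shadows_system_copy"] = (
                    loaded_from not in system_dirs
                    and any(f"{d}\\{name}" in files for d in system_dirs))
        plan.append(entry)
    return plan


def flagged(plan):
    """Names the application loads from a user-writable directory."""
    return [e["name"] for e in plan if e["writable_location"]]


# Constructed layout: an application installed under the user's roaming profile.
APP_DIR = r"C:\Users\alice\AppData\Roaming\ExampleApp"
FILES = {
    APP_DIR + r"\example.exe",
    APP_DIR + r"\lib.dll",          # exists only beside the executable
    APP_DIR + r"\version.dll",      # same name as a System32 DLL: shadows it
    r"C:\Windows\System32\version.dll",
    r"C:\Windows\System32\kernel32.dll",
}
IMPORTS = ["kernel32.dll", "version.dll", "lib.dll"]


def report():
    return load_plan(IMPORTS, APP_DIR, cwd=r"C:\Users\alice",
                     path_dirs=[r"C:\Windows\System32"], files=FILES)


if __name__ == "__main__":
    for entry in report():
        print(entry)
    print("loaded from writable directories:", flagged(report()))
```

Both findings the model produces are the conditions a defender should look for: a DLL that only exists beside the executable in a directory the user can write to (any replacement there is loaded without question), and a DLL in the application directory that takes precedence over its System32 namesake. Neither condition is reported for kernel32.dll, because KnownDLLs bypass the search entirely.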
In email traffic, trojans that download and install other malware were most commonly detected in 2025. Threat actors also distributed various backdoors, exploits, phishing documents, and malicious scripts via email messages.
- W97M.DownLoader.2938
- A family of downloader trojans that exploit vulnerabilities in Microsoft Office documents. They can also download other malicious programs to a compromised computer.
- Exploit.CVE-2017-11882.123
- Exploit.CVE-2018-0798.4
- Exploits designed to take advantage of Microsoft Office software vulnerabilities and allow an attacker to run arbitrary code.
- JS.Phishing.684
- JS.Phishing.745
- A malicious JavaScript script that generates a phishing web page.
- BackDoor.AgentTeslaNET.20
- Spyware designed to steal confidential information. It collects logins and passwords from numerous programs, such as browsers, messengers, email clients, and databases, and sends them to the attackers. It also steals clipboard contents, implements keylogging, and can take screenshots.
- Win32.Expiro.153
- A file virus that infects Windows executable files. Its main purpose is to steal passwords for various programs.
- JS.DownLoader.1225
- Heuristic detection for ZIP archives containing JavaScripts with suspicious names.
- Trojan.PackedNET.3223
- Detection for malicious programs protected with a packer.
- Trojan.AutoIt.1413
- The detection name for a packed version of the Trojan.AutoIt.289 malicious app, written in the AutoIt scripting language. This trojan is distributed as part of a group of several malicious applications, including a miner, a backdoor, and a self-propagating module. Trojan.AutoIt.289 performs various malicious actions that make it difficult for the main payload to be detected.
Encryption ransomware
Compared with 2024, in 2025, Doctor Web’s technical support service registered 35.98% fewer user requests to decrypt files affected by encryption trojans. The dynamics of when those requests were registered are shown in the graph below:
The most common encoders of 2025:
- Trojan.Encoder.35534 (23.22% of user requests)
- An encoder trojan also known as Mimic. It uses the everything.dll library from the legitimate software Everything, which is designed to instantly locate files on Windows computers.
- Trojan.Encoder.35209 (3.33% of user requests)
- An encoder trojan based on the source code of the Conti encoder malware. It encrypts files using the ChaCha20 algorithm. Now that some of the threat actors’ C2 servers have been taken down and the private RSA encryption keys have been disclosed, files affected by some modifications of this trojan can be decrypted.
- Trojan.Encoder.35067 (2.50% of user requests)
- An encoder trojan also known as Macop (Trojan.Encoder.30572 is one of its other variants). It is small, about 30–40 Kbytes, partly because the trojan carries no third-party cryptographic libraries and relies exclusively on CryptoAPI functions for encryption and key generation. It encrypts files with the AES-256 algorithm, and the keys themselves are encrypted with RSA-1024.
- Trojan.Encoder.41868 (2.31% of user requests)
- An encoder whose artifacts indicate that the hacker group C77L was involved in its creation.
- Trojan.Encoder.29750 (2.13% of user requests)
- A ransomware trojan with multiple versions. Its current modifications use the AES-256+RSA algorithm to encrypt files.
Network fraud
In 2025, Doctor Web’s Internet analysts observed an increase in the number of phishing websites created for stealing Telegram messenger accounts. Malicious actors used various techniques: fake authentication and authorization pages, fake messages from Telegram support warning of alleged messenger-usage violations requiring account “verification”, etc.
An example of a phishing website informing the user that they must verify their Telegram account due to a violation of the platform’s terms of service
Similar sites were also created to target users of other services, such as gaming platforms, online stores, and so on. The fakes could look like genuine Internet resources and invited potential victims to log into their account. If users fell for the trick, their confidential information ended up in the attackers’ hands.
A fake website for the Steam platform displays a phishing form for entering a login and password
Users once again encountered various types of fraudulent online resources offering all sorts of gifts and bonuses as well as the chance to participate in certain “lucrative promotions”. Commonplace were fake sites of Russian marketplaces where visitors could supposedly participate in a prize drawing. The “winnings” were programmed into the websites, and to “receive” the prizes, victims were required to make a certain payment—for example, supposedly in the form of a tax, then a delivery fee for the goods, and then a fee to insure them. In other variations of this scam, the desired item was allegedly unavailable, but a cash equivalent was offered instead. To “get” the money, the user was also required to make some payments: in the form of fees, insurance, etc. In the end, the victim never received any prize.
An example of a fake marketplace website offering the chance to participate in a “prize drawing”
Variants of similar schemes included fake transport company websites targeting residents of Great Britain. These offered people the chance to participate in a drawing for transport cards that were supposedly timed to a certain event and allowed free use of public transportation services. After a “win”, fraudsters asked victims to provide personal data and pay a small “fee”.
A fraudulent website, allegedly belonging to a transportation company, offers people the chance to participate in a transport card drawing
All sorts of fraudulent finance-themed sites remained relevant. Once again popular with scammers were web resources offering opportunities to make money by trading on the market using automated systems based on unique algorithms and artificial intelligence technologies. Such sites are created to target users from many countries. They usually request personal information from users wanting to register a “request” or an “account”. Such information ends up in the attackers’ hands—for them to use at their own discretion. Threat actors can resell the data or continue luring potential victims into the fake investment service, demanding that users deposit money into the “trading” account.
One fraudulent site offering access to an “investment platform” based on AI technologies was allegedly related to the Apple Corporation
Many of these sites are created using similar templates in the form of a fake chat with a “virtual assistant” or an “employee” of a particular company, and the fraudsters contact potential victims by assuming one of those roles. Users are asked to answer several questions and then provide personal data.
On one of the websites, scammers offered French users access to non-existent automated trading software called Trader AI, which would allegedly allow them to make money, starting from €3,500
One Internet resource advertised an investment service that was supposedly built directly on the basis of the Telegram messenger. This website promised an income of €10,000 per month, thanks to automated trading of global company shares “directly in the phone’s browser”.
A fraudulent website invites users to join a “Telegram platform” that supposedly trades stocks automatically
Scammers also offered potential victims a chance to make money using “trading bots” that were supposedly created with the participation of large companies and services such as Telegram, WhatsApp, TikTok, and others.
An example of a website that invited potential victims to use a non-existent trading bot, allegedly related to the WhatsApp messenger
Throughout 2025, our Internet analysts discovered new fraudulent sites offering users in many countries, including Russia and countries of the CIS (Commonwealth of Independent States) and Europe, opportunities to invest in the oil and gas sector. Typically, on such sites, potential victims are also asked to provide personal information, such as their first and last names, mobile phone number, email address, etc.
A fraudulent site targeting Kyrgyz citizens offers them the opportunity to “make money from oil and gas”, promising large profits
Our analysts observed the emergence of more fraudulent websites offering “government support” in the form of payments or compensation. For instance, commonly occurring in the Russian Internet segment were fraudulent web resources purporting to be connected to the Gosuslugi (Госуслуги) portal.
An example of a fraudulent website purporting to be linked to the Gosuslugi service and promising Russian users stable payments from the government and a major oil and gas company. To “participate” in the “payment program”, victims were asked to provide personal data
Our experts also noted the emergence of more fake education project websites. These offered users opportunities to take various education and training courses to improve their financial literacy, master a particular profession, etc. To “access” the training, potential victims, as in many other similar schemes, were also asked for personal information.
One of the fraudulent sites offering users the opportunity to learn English
Doctor Web’s Internet analysts detected new fraudulent sites selling theater tickets. On such resources, fraudsters offer potential victims discounted tickets for purchase, but after making “payment”, the victims do not receive them.
An example of a fraudulent website selling non-existent theater tickets
In addition, new fake websites for private cinemas were also common. As in the case with the theater tickets, scammers offer potential victims movie tickets for purchase, but the victims end up handing over their money to the fraudsters.
The fake site of a private cinema
Mobile devices
According to detection statistics collected by Dr.Web Security Space for mobile devices, in 2025, users were most likely to encounter the ad-displaying trojans Android.MobiDash and Android.HiddenAds and also Android.FakeApp programs, which, instead of providing the declared functionality, can load various websites, including fraudulent and malicious ones. Android.Triada trojans were more active. These are multifunctional threats that cybercriminals embed into the firmware of Android devices. Moreover, the number of Android.Banker banking trojan attacks increased. At the same time, Android.SpyMax banking trojans were less active.
Last year, malware creators continued using various techniques to protect their malicious Android apps. One method involved converting DEX code to C code (also known as DCC).
The most common unwanted apps were Program.FakeMoney programs. These offer users virtual rewards for completing various tasks and promise that the rewards can be converted into real money, but in reality the apps have no such option. In addition, the apps Program.FakeAntiVirus.1 and Program.CloudInject.1 were also frequently detected on protected devices. The former imitates the work of an anti-virus and detects non-existent threats, offering to “cure” the infections if users purchase the full version of the software. The latter are programs modified via a popular cloud service; during modification, dangerous system permissions and obfuscated code, whose purpose cannot be verified, are added to them.
Programs modified with the NP Manager utility (these programs are detected as Tool.NPMod) became the most widespread riskware. The NP Manager tool obfuscates the code of the modified programs and allows their digital signature verification to be bypassed. The most active adware apps in 2025 were Adware.ModAd.1 programs, third-party WhatsApp messenger mods that automatically open advertising links when the messenger is in use.
In 2025, new cases of Android device firmware infections were identified. Our company informed users about one of them in April. Threat actors had preinstalled Android.Clipper.31 malware into the system storage area of a number of budget smartphone models and used it to steal cryptocurrency from users. Other attackers managed to implant dangerous Android.Triada trojans into the firmware of some other Android smartphone models. In addition, more cases of Android TV box sets having their firmware infected with new versions of the Android.Vo1d trojan, which our company discovered in 2024, have been recorded.
Over the past year, Doctor Web’s anti-virus laboratory identified a number of dangerous malicious programs. In April, we informed users about the Android.Spy.1292.origin trojan, which was hidden in Alpine Quest mapping software that had been modified by threat actors. Android.Spy.1292.origin targeted Russian military personnel and sent the attackers information about their infected devices: mobile phone numbers and accounts, collected phonebook contacts, geolocation data, and information about the files stored in the devices’ memory. It could also steal certain files when commanded to do so by the attackers. Malicious actors were interested in getting their hands on confidential documents sent via messengers and also in obtaining Alpine Quest location log files.
In August, our specialists warned about the Android.Backdoor.916.origin backdoor, which cybercriminals had disguised as an anti-virus and were distributing via direct messages in messengers. Android.Backdoor.916.origin steals confidential information and allows criminals to spy on users. Employees of Russian companies were this backdoor’s main target.
In October, we informed users about the multi-functional backdoor Android.Backdoor.Baohuo.1.origin, which our virus analysts discovered in modified versions of the Telegram X messenger. This malware is also used to steal confidential data, including Telegram logins and passwords, incoming SMS, chats in the messenger, and clipboard data. At the same time, the backdoor allows attackers to completely control the messenger and the victim’s hacked Telegram account. To control the backdoor, cybercriminals used both a C2 server and a Redis database—something not seen previously in Android threats. Android.Backdoor.Baohuo.1.origin mainly targeted users in Indonesia and Brazil.
To find out more about the security-threat landscape for mobile devices in 2025, read our special overview.
Prospects and possible trends
In 2026, adware trojans that help cybercriminals make illegal profits will likely remain one of the most common threats to users. We can expect malicious actors to increasingly use banking trojans, which also allow them to enrich themselves.
Further growth in the popularity of various tools and techniques that help conceal malicious activity may occur. Such techniques include the use of packers and obfuscators, malicious droppers and multi-stage downloaders, and steganography to conceal payloads. In addition, when creating malicious software, cybercriminals, including those with little programming experience, will increasingly resort to the help of AI assistants. As a result, more families of malware will emerge, and the number of threats will increase.
Government and corporate structures will once again be in the crosshairs of cybercriminals, resulting in further targeted attacks. New cases of firmware infections in Android smartphones, TV box sets and other types of mobile devices are also likely to occur, especially in the budget segment. Online scammers will remain active.