Doctor Web’s Q1 2026 virus activity review


April 1, 2026

According to statistics collected by the Dr.Web anti-virus, the total number of threats detected in the first quarter (Q1) of 2026 decreased by 6.77%, compared to the fourth quarter of last year. The number of unique threats decreased by 11.98%. Adware programs and ad-displaying trojans, malicious downloader apps, and backdoors were most commonly detected on protected devices.

Most widely encountered in email traffic were malicious scripts, backdoors, and various trojans. Threat actors also used emails to distribute phishing documents and exploits.

Users whose files were affected by encoder trojans had primarily encountered Trojan.Encoder.35534, Trojan.Encoder.29750 and Trojan.Encoder.41868.

In Q1 2026, Doctor Web’s Internet analysts detected new phishing websites, including fake online resources of credit organizations and marketplaces as well as a number of other unwanted sites.

The mobile device segment saw increased activity on the part of banking trojans. At the same time, our malware analysts noted the growing popularity of a method used to prevent malicious programs from being detected by anti-viruses. This method involves adding junk code to the apps.

In January, Doctor Web’s experts informed users about the Android.Phantom trojan clickers, which use machine learning and video broadcasting to boost clicks on websites. In addition, over the past three months, we detected the emergence of yet more malware on Google Play, including trojans that subscribe users to paid services.

Principal trends in Q1 2026

  • The number of threats detected on protected devices decreased
  • Fewer unique files exist among the threats that were detected
  • Compared to the previous observation period, fewer users requested help to decrypt files affected by encoder trojans
  • Banking trojans for Android devices continued to increase their activity
  • Users were at risk of encountering Android.Phantom clicker trojans, which use machine learning, among other techniques, to boost clicks on websites
  • More malicious apps were discovered on Google Play

According to Doctor Web’s statistics service

The most common threats in Q1 2026

Trojan.Siggen31.34463
A trojan written in the Go programming language and designed to download various miner trojans and adware into infected systems. The malware is a DLL file located at %appdata%\utorrent\lib.dll; to get launched, it exploits a DLL Search Order Hijacking vulnerability in the uTorrent torrent client, which loads the planted DLL instead of a legitimate one.
Adware.Downware.20655
Adware.Downware.20766
Adware that often serves as an intermediary installer of pirated software.
Trojan.BPlug.4268
The detection name for a malicious component of the WinSafe browser extension. This component is a JavaScript file that displays intrusive ads in browsers.
Adware.Siggen.33379
A fake Adblock Plus browser ad blocker that is installed on the system by other malware to display advertisements.
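A defender-side triage check for the uTorrent DLL search-order hijack used by Trojan.Siggen31.34463, as an added example that is not code from Doctor Web's report. It uses only the path named above and assumes that a legitimate uTorrent installation does not keep an unsigned lib.dll under %appdata%\utorrent.

```powershell
# Added example (not part of Doctor Web's report): list every DLL under
# %appdata%\utorrent with its hash and Authenticode status, flag an unsigned
# lib.dll (the indicator named in the report), and show whether a running
# uTorrent process has actually loaded a module from that directory.
# Assumption: a clean uTorrent install has no unsigned lib.dll in this folder.

$dir = Join-Path $env:APPDATA 'utorrent'
if (-not (Test-Path -LiteralPath $dir)) {
    Write-Output "No $dir directory found; nothing to check."
    return
}

# 1) On-disk inventory of DLLs in the uTorrent AppData folder.
Get-ChildItem -LiteralPath $dir -Filter '*.dll' -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path       = $_.FullName
            SizeBytes  = $_.Length
            ModifiedUtc = $_.LastWriteTimeUtc
            SHA256     = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Signature  = $sig.Status            # 'Valid' only for a properly signed DLL
            Signer     = $sig.SignerCertificate.Subject
            # The reported indicator: an unsigned lib.dll sitting in the uTorrent AppData folder.
            Suspicious = ($_.Name -ieq 'lib.dll' -and $sig.Status -ne 'Valid')
        }
    } | Format-Table -AutoSize

# 2) Runtime check: modules loaded by uTorrent that come from the AppData folder.
Get-Process -Name 'uTorrent' -ErrorAction SilentlyContinue | ForEach-Object {
    try {
        $_.Modules | Where-Object { $_.FileName -like "$dir\*" } |
            Select-Object @{n='PID'; e={ $_.ModuleName; $null }} -ExcludeProperty PID |
            ForEach-Object { Write-Output ("uTorrent loaded from AppData: " + $_.FileName) }
    } catch {
        # Module enumeration fails for 32-bit/64-bit mismatches or without sufficient rights.
        Write-Warning "Could not enumerate modules of PID $($_.Id): $_"
    }
}
```

Run it in an elevated session so module enumeration succeeds; any DLL flagged Suspicious or loaded from the AppData folder should be submitted for analysis rather than trusted because of its name.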

Statistics for malware discovered in email traffic

The most common threats in email traffic in Q1 2026

JS.DownLoader.1225
Heuristic detection for ZIP archives containing JavaScript files with suspicious names.
W97M.DownLoader.2938
A family of downloader trojans that exploit vulnerabilities in Microsoft Office documents. They can also download other malicious programs to a compromised computer.
Exploit.CVE-2017-11882.123
Exploit.CVE-2018-0798.4
Exploits designed to take advantage of Microsoft Office software vulnerabilities that allow an attacker to run arbitrary code.
JS.Redirector.514
A malicious script that redirects users to a web page controlled by fraudsters.

Encryption ransomware

In Q1 2026, the number of requests made to decrypt files affected by encoder trojans decreased by 31.51%, compared to Q4 2025. The decline occurred against the backdrop of the New Year holidays and the associated long weekend, during which a number of cybercriminals may have suspended their activity and gone on vacation. At the same time, users who nonetheless suffered from encoder trojan attacks during this period may not have immediately responded to incidents that had occurred.

The dynamics of the decryption requests received by Doctor Web’s Technical Support Service:

The most common encoders of Q1 2026

  • Trojan.Encoder.35534 — 15.59% of user requests
  • Trojan.Encoder.29750 — 3.23% of user requests
  • Trojan.Encoder.41868 — 3.23% of user requests
  • Trojan.Encoder.26996 — 1.62% of user requests
  • Trojan.Encoder.44383 — 1.61% of user requests

Network fraud

Over the past three months, Doctor Web’s Internet analysts discovered a number of new fake marketplace websites on which fraudsters offer the chance to join in a “clearance sale” of supposedly unredeemed orders. The fraudulent scheme works like this: the “unclaimed” goods from the orders are divided into different categories (electronics, clothes, footwear, cosmetics, etc.) and are allegedly packed into the corresponding surprise boxes. Their content is unknown and is claimed to possibly include expensive items. At the same time, potential victims are offered a chance to buy these boxes at a relatively low price, which is the main lure of this scam.

A fake marketplace site promises a “sale of unclaimed orders” that are supposedly overflowing warehouses

When a user selects one of the boxes, they are asked to place an order and provide personal information that may include their first and last names, mobile phone number, and email address. Next, the user is redirected to the payment page to pay via the Faster Payments System (“Система быстрых платежей”, “СБП”, or “SBP”). As a result, the victim loses their money and provides confidential data to the fraudsters.

After placing an “order”, the victim is asked to pay for it via the Faster Payments System

Our experts also identified many websites for services offering various financial products, such as the ability to swiftly obtain a microloan or a regular loan, or to go through bankruptcy proceedings. Contrary to what users expect, such services do not provide these products themselves; they are only intermediaries between clients and financial institutions. They charge for access to a selection of potentially suitable options, even though the same aggregated financial offers are available from free sources. Moreover, these services do not guarantee a successful result when an application is submitted. At the same time, access is granted not after a one-time payment but after the user takes out a paid subscription with periodic debits.

One of the websites requiring users to pay in order to access a service for selecting financial offers. Users believe they are making a one-time payment for access, but unbeknownst to them, they are signing up for a subscription

In some cases, such resources can mislead users by offering them one type of service, like job placements, but actually provide subscription access to the aforementioned financial offers for loans, microloans, etc.

A website promises to help visitors find a job, but once payment is made to access the service, financial proposals (loans, microloans, etc.) from the website’s partners may be offered instead

Among the phishing sites identified in Q1 2026 were fake web resources for the Green Marathon (“Зеленый Марафон”) charity race. They offer visitors the opportunity to register for the marathon, but these sites are not affiliated with the event and are designed to collect users’ confidential data.

One of the fake sites for the Green Marathon charity race

Doctor Web’s Internet analysts also discovered more fake investment service websites that were supposedly affiliated with various credit organizations. Among them were sites targeting audiences from Russia, Kazakhstan, and other countries. Scammers promise potential victims high profits and, in order to “access” pseudo-investment platforms, they are asked to take a short survey and register an account by providing personal information.

An example of a phishing website that malicious actors pass off as an official resource for an investment service of one Russian bank

An example of a phishing site that cybercriminals present as an official online resource for an investment service of one Kazakhstani credit institution

Malicious and unwanted programs for mobile devices

According to detection statistics collected by Dr.Web Security Space for mobile devices, the growth in Android.Banker banking-trojan activity observed in Q4 last year continued in Q1 2026. The most widespread among them were members of the Android.Banker.Mamont subfamily. At the same time, the number of detections of the ad-displaying trojans Android.MobiDash and Android.HiddenAds decreased yet again.

Topping the list of the most commonly detected potentially dangerous software were apps to which junk code had been added with the help of Android program modification tools (such apps are detected as Tool.Obfuscator.TrashCode). Currently, this technique is actively being used to protect banking trojans from anti-virus detection. In addition, programs modified using the NP Manager tool remained prevalent (these are detected as Tool.NPMod).

The most widely detected unwanted software programs were Program.FakeAntiVirus fake anti-viruses, which demand that users purchase the full version of the software to “cure” threats that had supposedly been found. The most active ad-displaying software programs in Q1 were Adware.Bastion.1.origin and Adware.Opensite.15. The former are optimization apps that create notifications containing informational messages about supposed low memory and system errors in order to display ads during “optimization”. The latter are fake cheat software for obtaining in-game resources, but, in reality, they load websites containing ads.

In January 2026, our anti-virus laboratory informed users about the Android.Phantom trojan clickers. These malicious programs use machine learning and video broadcasts to boost clicks on websites. Cybercriminals distributed them in several ways: via the GetApps app catalog for Xiaomi devices, Telegram channels, Discord servers, third-party software collections, and malicious sites.

Over the past three months, Doctor Web’s virus analysts discovered new threats on Google Play. Among them were Android.Joker and Android.Subscription trojans, which subscribe users to paid services.

The following Q1 2026 events involving mobile malware are the most noteworthy:

  • Android.Banker banking trojans became the most widespread threats for Android devices.
  • Cybercriminals increasingly used Android app modding tools to protect banking trojans from anti-virus detection.
  • The trend of decreasing activity on the part of Android.MobiDash and Android.HiddenAds adware trojans continued.
  • Users were at risk of encountering Android.Phantom trojans, which use machine learning and video broadcasts to artificially boost clicks on websites.
  • Malicious apps were again distributed via Google Play.

To find out more about the security-threat landscape for mobile devices in Q1 2026, read our special overview.
