Full Report
March 27, 2025

According to statistics collected by the Dr.Web anti-virus, the total number of threats detected in the first quarter of 2025 increased by 7.23%, compared to the fourth quarter of 2024. At the same time, the number of unique threats decreased by almost a third—27.59%. This suggests that, while increasing the intensity of their attacks, threat actors were using the same malicious and unwanted applications in them more often. Malicious scripts with different functionality, ad-displaying trojans, and adware apps were the most widespread threats. In email traffic, trojan droppers and downloaders, adware software, malicious scripts, and trojans designed to run various threats on attacked computers were most frequently detected. Users whose files were affected by encoder trojans had mostly encountered Trojan.Encoder.35534, Trojan.Encoder.35209, and Trojan.Encoder.35067.

In January, Doctor Web’s virus laboratory uncovered an active Monero cryptocurrency mining campaign using many different trojans. To conceal some of them, threat actors utilized steganography, a technique that allows some data to be hidden within other data—for example, inside images. At the same time, over the course of the first quarter, our Internet analysts detected an increase in the number of fraudulent websites aimed at stealing Telegram messenger user accounts.

In the mobile threats department, Doctor Web’s specialists observed increased activity on the part of adware trojans and some banking trojans used to target the Android OS. In addition, they uncovered dozens of new malicious apps on Google Play.

Principal trends in Q1 2025

- Threats were detected on protected devices in increasing numbers.
- The quantity of unique threats used in attacks decreased.
- Phishing sites designed to steal Telegram accounts became more prevalent.
- Several widespread ad-displaying and banking trojan families, used to target the Android operating system, heightened their activity.
- New malware emerged on Google Play.

According to Doctor Web’s statistics service

The most common threats in Q1 2025:

**VBS.KeySender.6**
A malicious script that, in an infinite loop, searches for windows containing the text “mode extensions”, “разработчика”, or “розробника” and sends them an Escape key press event, forcibly closing them.

**Adware.Downware.20091**
Adware that often serves as an intermediary installer of pirated software.

**Trojan.BPlug.4242**
The detection name for malicious components of the WinSafe browser extension. These components are JavaScript files that display intrusive ads in browsers.

**JS.Siggen5.44590**
Malicious code added to the es5-ext-main public JavaScript library. It shows a specific message if the package is installed on a server with the time zone of a Russian city.

**Trojan.Siggen30.53926**
The detection name of an Electron framework host process modified by threat actors. It mimics a Steam application component (Steam Client WebHelper) and loads a JavaScript backdoor.

Statistics for malware discovered in email traffic

**JS.Siggen5.44590**
Malicious code added to the es5-ext-main public JavaScript library. It shows a specific message if the package is installed on a server with the time zone of a Russian city.

**JS.Inject**
A family of malicious JavaScripts that inject a malicious script into the HTML code of webpages.

**Trojan.AVKill.63950**
This is a dropper that installs the JS.BackDoor.42 backdoor on computers running the Windows operating system.

**Trojan.Inject5.13806**
A malicious program for Windows-based computers that was created using the AutoIt scripting language. It launches several system processes and injects the Trojan.Fbng spyware trojan into them. The attackers can use the latter as banking malware and for other purposes.

Encryption ransomware

In Q1 2025, the number of requests made to decrypt files affected by encoder trojans decreased by 9.34%, compared to Q4 2024.
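The email statistics above list droppers and downloaders as the threats most often seen in mail traffic. As an added example (not Doctor Web’s code, and not modelled on any specific sample in the report), the Python script below shows the kind of attachment triage a mail gateway or SOC script can do with the standard library alone: it parses a message, and for each attachment records a SHA-256 and flags risky executable extensions, double extensions such as `invoice.pdf.js`, a PE `MZ` header, and a declared MIME type whose magic bytes do not match. The sample message, the extension list and the magic table are constructed for the example.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Attachment extensions that execute directly when opened on a Windows host (constructed list).
RISKY_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe", ".scr", ".lnk", ".iso", ".img"}
# Magic bytes expected for a declared MIME type; a mismatch means the label lies.
EXPECTED_MAGIC = {"application/pdf": b"%PDF"}
EXECUTABLE_MAGIC = b"MZ"  # PE executables and DLLs start with "MZ"


def build_sample_eml() -> bytes:
    """Constructed message with one clean and two suspicious attachments."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice (constructed sample)"
    msg.set_content("Please see the attached documents.")
    # Script hiding behind a document-looking double extension (inert body).
    msg.add_attachment(b"// constructed, inert script body\n", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.js")
    # Executable header inside something declared as a PDF.
    msg.add_attachment(EXECUTABLE_MAGIC + b"\x00" * 62, maintype="application",
                       subtype="pdf", filename="report.pdf")
    # A genuinely PDF-looking attachment for comparison.
    msg.add_attachment(b"%PDF-1.4\n%constructed\n", maintype="application",
                       subtype="pdf", filename="clean.pdf")
    return msg.as_bytes()


def analyse_attachment(filename: str, content_type: str, payload: bytes) -> dict:
    """Return a hash and a sorted list of heuristic flags for one attachment."""
    flags = set()
    suffixes = filename.lower().split(".")[1:]          # e.g. ["pdf", "js"]
    if suffixes and "." + suffixes[-1] in RISKY_EXTENSIONS:
        flags.add("risky-extension")
    if len(suffixes) >= 2:
        flags.add("double-extension")
    if payload.startswith(EXECUTABLE_MAGIC):
        flags.add("executable-magic")
    expected = EXPECTED_MAGIC.get(content_type.lower())
    if expected is not None and not payload.startswith(expected):
        flags.add("content-mismatch")
    return {
        "filename": filename,
        "content_type": content_type,
        "sha256": hashlib.sha256(payload).hexdigest(),  # record for IoC sharing
        "flags": sorted(flags),
    }


def triage_message(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and analyse every attachment part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""  # base64/QP already undone
        results.append(analyse_attachment(part.get_filename() or "(unnamed)",
                                          part.get_content_type(), payload))
    return results


if __name__ == "__main__":
    for entry in triage_message(build_sample_eml()):
        print(entry["filename"], entry["flags"], entry["sha256"][:16])
```

The flags are leads for quarantine or sandbox detonation rather than verdicts; in production the extension and magic tables would be far longer, and archive attachments would be opened and their members run through the same function.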
Image: The dynamics of the decryption requests received by Doctor Web’s technical support service

The most common encoders of Q1 2025:

- Trojan.Encoder.35534 — 11.89% of user requests
- Trojan.Encoder.35209 — 5.95% of user requests
- Trojan.Encoder.35067 — 3.57% of user requests
- Trojan.Encoder.38200 — 2.38% of user requests
- Trojan.Encoder.37369 — 1.98% of user requests

Network fraud

In Q1 2025, Doctor Web’s Internet analysts observed the emergence of many new phishing websites designed to steal Telegram messenger user accounts. Among the most common variants were fake login pages and support pages that informed users about alleged problems due to some violation of the terms of service. Fake sites of online stores were widespread once again. On these, cybercriminals asked potential victims to log in to their accounts.

Image: A phishing authorization form on a fake website of one Russian online store

Our specialists continued detecting fraudulent sites with all sorts of “great offers”, such as quick or easy ways to make money; others were about receiving certain gifts, participating in promotions, etc. One of the schemes, for instance, targeted residents of Great Britain, offering them the chance to obtain “limited edition” transportation cards, which were supposedly dedicated to the anniversaries of various carriers and would allow them to use public transport services free of charge for a long period of time.

Image: Fraudulent sites offering the chance to obtain “special” First Essex and Oyster transportation cards that allow public transport services to be used for free

Users had to answer several questions and then play a game by opening virtual gift boxes (the “winning” box in such scenarios is hardcoded). After “winning”, users had to provide personal information and pay £2 to “receive” the promised card. As a result, the victims’ personal information and money ended up in the hands of threat actors.
Image: A potential victim has allegedly obtained a card successfully from one of the game boxes, and in order to receive it, they must provide personal data and also pay £2

Image: A form for entering bank card details to pay for a non-existent promotional transportation card

Fraudsters continue luring potential victims with all sorts of trading platforms that have “unique” algorithms, including ones that are supposedly based on artificial intelligence (AI) technologies. At the same time, cybercriminals exploit the names of famous people and hide behind real companies and services, attributing to themselves a connection with them. One popular scenario is based on claims that users can make money with the help of certain specialized services from Telegram, WhatsApp, and other companies. Some of these fraudulent sites were advertising various AI platforms, such as Telegram AI and WHATSAPP AI, which allegedly could help users make at least €14,000 per month, thanks to an “automated trading system”.

Other variants exploited the theme of trading bots, which are commonly passed off as instruments created by the messengers’ owners themselves. One website, for instance, promised that “Pavel Durov’s bot” Telegram.AI would allow users to earn €2,500+ monthly; and another one offered the option to use the WhatsApp Bot, supposedly created by Mark Zuckerberg, to make up to €500 per day.

Another scam website offered users the option to register on a “Telegram platform” that allegedly runs directly from a smartphone browser, automatically trades shares of global companies, and earns €10,000 per month. One website promised “every Europe resident” an income starting at €5,000 per month with the help of certain AI-based algorithms from the WhatsApp Company.

Scam platform “The wealth formula” (“Formule Bohatstvi” in Czech), with its fake AI-based trading system, is a popular variation of this fraudulent scheme. It supposedly makes trades in a split second by analyzing huge amounts of data.
Different sites of this non-existent system invite visitors to watch an informational video and register an account for consultations in the “anti-crisis solutions office”. The fraudsters are mainly targeting Europeans—Czech users in particular—who are promised an income of €1,000 per day “for life”. To access the system, potential victims are required to make a minimum deposit of €250.

Other similar scenarios, such as generating income using various specialized software, also remain popular. One such website invited Czech users to make thousands of crowns per day with “the world’s most intelligent cryptographic software”. Another scam Internet portal promised earnings of over 4.7 million crowns monthly using certain trading software known as «10K EVERY DAY APP».

At the same time, users continued encountering fake investment-themed websites targeting residents of different countries. For example, for an audience from Kazakhstan, fraudsters prepared yet another platform for earning passive income through oil and gas trading. Many other sites offered the opportunity to “earn as much as possible” by trading shares of companies in Kazakhstan, Russia, China, and other countries. Russian and Kyrgyz residents also encountered similar websites; on these, users allegedly could make money by trading oil and gas. And one scam Internet resource offered Romanian users the chance to join the BRUA pipeline project, promising 3,000 lei per week as passive income.

Sites that promise government support to the population in the form of benefits, social payments, etc., remain a lure for potential victims. Threat actors, for instance, tried to bait Russian users with more fake Gosuslugi web portals. One asked them to provide personal data—supposedly to participate in an oil and gas company payment program and also to receive bonuses from the government. Another scam site promised every Kazakhstan resident assistance in the form of money payments.
It was allegedly organized on behalf of a large bank to “avoid problems and disasters”.

Fake investing service websites, including those supposedly belonging to Russian credit organizations, are still a problem. Many of them mimic real bank websites in order to confuse potential victims as much as possible.

Image: Examples of fake Russian bank websites offering access to “investing services”

Malicious and unwanted programs for mobile devices

According to detection statistics collected by Dr.Web Security Space for mobile devices, in Q1 2025, Android.HiddenAds and Android.MobiDash ad-displaying trojans, along with Android.FakeApp malicious fake programs, were the Android threats most commonly encountered; their activity increased, compared to the last quarter of 2024. In addition, users progressively encountered Android.BankBot and Android.Banker banking trojans. In contrast, Android.SpyMax spyware trojans, whose attacks increased in number almost every month in 2024, were detected less frequently.

Our specialists once again discovered many threats on Google Play. Among them were trojans used in various fraudulent schemes, cryptocurrency-stealing malware, and adware trojans.

The following Q1 2025 events involving mobile malware are the most noteworthy:

- Android.HiddenAds and Android.MobiDash adware trojan activity increased.
- Android.BankBot and Android.Banker banking trojans were more active.
- The number of Android.SpyMax spyware trojan attacks declined.
- New threats were discovered on Google Play.

To find out more about the security-threat landscape for mobile devices in Q1 2025, read our special overview.
Analysis Summary
# Incident Report: Q1 2025 Dr.Web Threat Landscape Analysis
## Executive Summary
The first quarter of 2025 saw a significant increase in the *volume* of detected threats (+7.23% QoQ), while the number of unique threats fell sharply (-27.59%), suggesting that threat actors intensified their attacks by reusing existing malware families rather than deploying new ones. Key activities included an active Monero cryptocurrency mining campaign that concealed some of its components with steganography, a surge in phishing targeting Telegram accounts, and increased malicious activity in the Android ecosystem, particularly adware and banking Trojans, along with new malicious apps discovered on Google Play.
## Incident Details
- **Discovery Date:** March 27, 2025 (Reporting date for Q1 statistics)
- **Incident Period:** January 1, 2025 – March 31, 2025 (Q1 2025)
- **Affected Organization:** Global user base monitored by Dr.Web
- **Sector:** Cybersecurity / Threat Intelligence (Reporting Source) / Targeting all sectors
- **Geography:** Global, with specific focus areas noted in Russia, Central Europe, Kazakhstan, and the UK based on fraud schemes.
## Timeline of Events
### Initial Access (Throughout Q1 2025)
- **Date/Time:** January 2025 (Specific campaign noted)
- **Vector:** Email (droppers/downloaders), compromised software libraries (`es5-ext-main`, detected as JS.Siggen5.44590), malicious mobile apps (Google Play), web-based phishing.
- **Details:**
* **January:** Active Monero cryptocurrency mining campaign identified using various Trojans, sometimes concealed via **steganography** within other data (e.g., images).
* **Throughout Q1:** Widespread usage of threats like **VBS.KeySender.6** (forcibly closing windows whose titles contain the strings "mode extensions", "разработчика", or "розробника") and **JS.Siggen5.44590** (malicious code in the `es5-ext-main` JavaScript library that triggers when the host's time zone is that of a Russian city).
* **Mobile:** Increased deployment of **Android.HiddenAds** and **Android.MobiDash** via Google Play or other vectors.
### Lateral Movement (Throughout Q1 2025)
- **Vector:** File Droppers and Injectors via Email Traffic.
- **Details:** Email traffic frequently contained droppers (**Trojan.AVKill.63950**) which installed backdoors (**JS.BackDoor.42**). **Trojan.Inject5.13806** launched multiple system processes and injected **Trojan.Fbng** spyware into them.
### Data Exfiltration/Impact (Throughout Q1 2025)
- **Impact:** Financial theft (banking Trojans, crypto mining), Advertising revenue generation (Adware), Data loss/financial impact via ransomware, Credential theft (Phishing).
- **Details:**
* **Ransomware:** **Trojan.Encoder.35534** was the most active encryption trojan (11.89% of decryption requests).
* **Credential Theft:** Significant increase in fraudulent websites targeting Telegram messenger accounts, fake online store logins, and sites mimicking major banks or offering "easy money" schemes (e.g., fake transport card promotions targeting UK residents, AI trading scams targeting European/Czech users).
### Detection & Response (Ongoing)
- **Detection:** Detection reported based on statistics gathered by Dr.Web anti-virus products (Q1 2025 telemetry).
- **Response Actions:** Doctor Web analysts detected and reported on the surge in phishing websites, active crypto mining, and new threats appearing on Google Play. Support services tracked a 9.34% decrease in decryption requests compared to Q4 2024.
## Attack Methodology
| Category | Method(s) Observed in Q1 2025 |
| :--- | :--- |
| **Initial Access** | Email attachments/bodies containing droppers/loaders; compromised public JavaScript libraries (e.g., `es5-ext-main`, detected as JS.Siggen5.44590); malicious apps on Google Play. |
| **Persistence** | Not explicitly detailed, but implied through Trojan families capable of maintaining presence. |
| **Privilege Escalation** | Not explicitly detailed. |
| **Defense Evasion** | **Steganography** used to conceal Monero mining malware. Malware behavior tailored geographically (JS.Siggen5.44590 checks for Russian time zones). |
| **Credential Access** | **Phishing** via fake Telegram login pages, fake online store pages, and fake bank investment portals. |
| **Discovery** | **VBS.KeySender.6** actively searches for windows whose titles contain specific strings ("mode extensions", "разработчика", "розробника"). |
| **Lateral Movement** | Process injection (**Trojan.Inject5.13806** injecting **Trojan.Fbng** spyware). |
| **Collection** | Banking Trojans (**Android.BankBot**, **Android.Banker**) on Android; **Trojan.Fbng** spyware. |
| **Exfiltration** | Not explicitly detailed, but implied by spyware and banking trojans. |
| **Impact** | File encryption (**Trojan.Encoder.* family**), Resource hijacking (**Cryptocurrency Mining**), Financial fraud (**Banking Trojans**, **Phishing**). |
## Impact Assessment
- **Financial:** Direct theft via banking Trojans; financial loss to users paying for fake services/cards in phishing scams (e.g., £2 charge for fake transport cards); financial loss via ransomware payments; CPU/resource degradation due to crypto mining.
- **Data Breach:** User credentials (Telegram, banking, online store accounts) compromised via phishing/fraudulent sites. Personal user data gathered via phishing schemes.
- **Operational:** Increased detection volume straining security monitoring resources. Potential operational disruption from forced application closure by VBS.KeySender.6 on affected endpoints.
- **Reputational:** Harm to legitimate brands and services targeted by advanced impersonation schemes (e.g., banks, Telegram, WhatsApp).
## Indicators of Compromise (Selected Examples)
- **File Indicators (Malware Families):** Trojan.Encoder.35534, Trojan.Encoder.35209, Trojan.Encoder.35067, Android.HiddenAds, Android.MobiDash, Android.BankBot, Android.Banker.
- **Behavioral Indicators:** Execution of JavaScript code gated on a time-zone check; an infinite-loop script sending Escape key events to windows with specific titles; a modified Electron host process posing as the Steam Client WebHelper component and loading a JavaScript backdoor (Trojan.Siggen30.53926).
## Response Actions
*Note: As this is a summary of external threat intelligence, institutional response actions are inferred based on Dr.Web's findings and reporting.*
- **Containment:** Detection and blocking of known malicious files and domains by anti-virus software against the rising volume of threats.
- **Eradication:** Updates to anti-virus signatures to counter the top five desktop threats and the active mobile threats.
- **Recovery:** Users affected by ransomware submitted decryption requests (request volume fell 9.34% compared to Q4 2024).
## Lessons Learned
1. **Repetition Over Novelty:** Threat actors are optimizing attack frequency by reusing successful malware strains rather than developing novel ones, requiring sustained vigilance against established families.
2. **Supply Chain Risk:** Malicious code being directly injected into widely used third-party JavaScript libraries (`es5-ext-main`) highlights a critical software supply chain risk vector.
3. **Evolving Evasion:** The resurgence of steganography for malware concealment in high-profile campaigns (like Monero mining) demonstrates a commitment to advanced evasion techniques.
4. **Geographic and Linguistic Targeting:** Attacks are often highly targeted, using specific language elements (Russian and Ukrainian window-title strings, a Russian time-zone check) or local schemes (transport cards in the UK, investment scams in Czechia/Kazakhstan) to increase victim engagement.
## Recommendations
1. **Software Integrity Verification:** Implement robust integrity checking and monitoring for all utilized public JavaScript libraries and dependencies to detect supply chain compromises like `JS.Siggen5.44590` immediately.
2. **Email Security Enhancement:** Maintain strict controls and behavioral analysis for email traffic, focusing specifically on identifying droppers and downloaders common in this vector.
3. **Public Credential Awareness:** Issue targeted warnings/education campaigns specifically on recent Telegram phishing lures, including fake support pages and online retailer login prompts.
4. **Mobile Endpoint Protection:** Ensure advanced security solutions capable of detecting banking Trojans and adware (**Android.HiddenAds/MobiDash**) are active and updated on all Android devices, with rigorous vetting of applications installed from Google Play.
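The JS.Siggen5.44590 entry earlier on the page (malicious code added to the public `es5-ext-main` library, gated on the host's time zone) and recommendation 1 above both point at the same control: know what is in your dependency tree and notice when it changes. As an added example (my own code, not Doctor Web's and not the real injected code), the Python below builds a SHA-256 manifest of an install directory, diffs it against a stored baseline, and greps JavaScript files for the calls a script uses to learn the host's time zone. The `demo()` function constructs a throwaway `node_modules` tree, takes a baseline, then simulates tampering; the package contents, the `-180` minute offset and the extra file are all constructed for the example.

```python
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Calls a script can use to learn the host's time zone. A hit inside a utility
# library deserves a look: few helpers have a reason to branch on where they run.
TZ_PATTERNS = {
    "Date.getTimezoneOffset": re.compile(r"\.getTimezoneOffset\s*\("),
    "Intl.resolvedOptions.timeZone": re.compile(r"resolvedOptions\s*\(\s*\)\s*\.\s*timeZone"),
    "process.env.TZ": re.compile(r"process\.env\.TZ\b"),
}


def hash_tree(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Classify paths as added, removed or modified between two manifests."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }


def find_timezone_gates(root: Path) -> list:
    """Return (relative path, line number, pattern name) for each time-zone probe in .js files."""
    hits = []
    for path in sorted(p for p in root.rglob("*.js") if p.is_file()):
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            for name, pattern in TZ_PATTERNS.items():
                if pattern.search(line):
                    hits.append((path.relative_to(root).as_posix(), lineno, name))
    return hits


def demo() -> dict:
    """Constructed scenario: snapshot a clean install, tamper with it, re-audit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Package name taken from the report; file contents are constructed, not the real library.
        pkg = root / "node_modules" / "es5-ext-main"
        pkg.mkdir(parents=True)
        (pkg / "index.js").write_text(
            "module.exports = { pad: (s, n) => String(s).padStart(n) };\n", encoding="utf-8")
        (pkg / "package.json").write_text(
            json.dumps({"name": "es5-ext-main", "version": "0.0.0-constructed"}), encoding="utf-8")
        baseline = hash_tree(root)  # what you would persist at install/build time

        # Simulated post-install tampering: a time-zone-gated branch plus a new file.
        with (pkg / "index.js").open("a", encoding="utf-8") as fh:
            fh.write("if (new Date().getTimezoneOffset() === -180) { console.log('constructed marker'); }\n")
        (pkg / "postinstall.js").write_text("// constructed extra file\n", encoding="utf-8")

        return {"diff": diff_manifests(baseline, hash_tree(root)),
                "gates": find_timezone_gates(root)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline is produced from a trusted build (for example in CI, from a pinned lockfile) and stored outside the host being checked, so that a compromised package cannot also rewrite the manifest; the regex pass is a triage heuristic that surfaces candidates for manual review, not a verdict.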