Full Report
July 1, 2026

According to statistics collected by the Dr.Web anti-virus, the total number of threats detected in the second quarter (Q2) of 2026 was up by 5.72% from Q1. The number of unique threats increased by 95.32%. Ad-displaying programs and trojans, malicious crypto-miners, and trojans used to run other malware were most frequently discovered on protected devices. In email traffic, malicious scripts and different types of trojans (downloaders, droppers, password stealers, and miners) were most regularly detected. Also commonly encountered were backdoors, phishing documents, and various exploits.

Users whose files were affected by encoder trojans had primarily encountered Trojan.Encoder.35534, Trojan.Encoder.41868, and Trojan.Encoder.37400. At the same time, Doctor Web's Technical Support Service registered slightly fewer user requests for decryption than in the previous quarter.

In Q2 2026, Doctor Web's Internet analysts observed an increase in the number of phishing attacks targeting MAX messenger users. Fraudsters also exploited the current news agenda and adapted popular scam schemes accordingly.

In May, we warned about the spread of JobStealer, a malicious program targeting macOS and Windows users. Under the pretext of conducting online job interviews, cybercriminals passed it off as video-conferencing software. The JobStealer trojan pilfers various confidential information, including data from almost 300 browser crypto wallet extensions, Telegram messenger files, passwords and bank card data saved in browsers, and cookie files.

In June, Doctor Web's anti-virus laboratory experts informed users about Android.MagicAd.1, a new advertising trojan that displays background ads because it can bypass Android OS restrictions. To do this, the trojan exploits third-party apps, and the technique it uses depends on the target device's manufacturer.
Android.Banker banking trojans were among the malicious Android programs most commonly detected on protected Android devices. At the same time, malware writers continued actively using various tools for modding Android apps to shield their malware from anti-virus detection. During the second quarter, our virus analysts discovered a number of new trojan programs on Google Play that are designed to subscribe users to paid mobile services.

## Principal trends in Q2 2026

- The number of threats detected on protected devices increased.
- Significantly more unique files were among the threats detected.
- Compared to Q1, fewer requests to decrypt files affected by encoder trojans were registered.
- Scammers started ramping up their attacks on users of the Russian messenger MAX.
- Android.Banker banking trojans remained the most widespread malware for Android devices.
- Doctor Web's experts discovered an ad-displaying trojan that can bypass Android OS restrictions and display background ads.
- Threat actors distributed JobStealer, malware designed to steal confidential data from macOS and Windows computer users.

## According to Doctor Web's statistics service

The most common threats in Q2 2026:

- Adware.Downware.20091, Adware.Downware.20766: Adware that often serves as an intermediary installer of pirated software.
- Trojan.Siggen31.34463: A trojan written in the Go programming language and designed to download various miner trojans and adware into infected systems. This malware is a DLL file located at %appdata%\utorrent\lib.dll. To launch, it relies on DLL search order hijacking in the uTorrent client, which picks up the planted DLL from the user-writable %appdata%\utorrent directory.
- Trojan.BPlug.4268: The detection name for a malicious component of the WinSafe browser extension. This component is a JavaScript file that displays intrusive ads in browsers.
- Trojan.Starter.8319: The detection name for malicious XML scripts that launch Trojan.AutoIt.289 malware and its components.
## Statistics for malware discovered in email traffic

The most widespread threats in email traffic in Q2 2026:

- X97M.DownLoader.2343: An XLSX file (the Microsoft Excel spreadsheet format) with an OLE object that downloads a malicious file onto the attacked computer.
- W97M.DownLoader.2938: A family of downloader trojans that exploit vulnerabilities in Microsoft Office documents. They can also download other malicious programs to a compromised computer.
- Exploit.CVE-2017-11882.123, Exploit.CVE-2018-0798.4: Exploits that take advantage of Microsoft Office vulnerabilities allowing an attacker to run arbitrary code.
- JS.Muldrop.1171: A malicious JavaScript that executes malware hidden in it on the target system.

## Encryption ransomware

In Q2 2026, the number of requests made to decrypt files affected by encoder trojans decreased slightly, by 2.67% compared to Q1 2026.

Chart: dynamics of the decryption requests received by Doctor Web's Technical Support Service.

The most common encoders of Q2 2026:

- Trojan.Encoder.35534: 14.47% of user requests
- Trojan.Encoder.41868: 5.26% of user requests
- Trojan.Encoder.37400: 3.95% of user requests
- Trojan.Encoder.35209: 3.29% of user requests
- Trojan.Encoder.44197: 2.63% of user requests

## Network fraud

One of the trends Doctor Web's Internet analysts observed in the second quarter of 2026 was that, against the backdrop of a growing audience for the Russian messenger MAX, threat actors began more actively attacking users of this service. The attackers reuse well-known schemes that previously targeted users of other messengers, such as Telegram and WhatsApp. For instance, our experts found many fraudulent websites created to steal MAX accounts under the guise of various voting events. The potential victim is asked to vote in a particular contest, but to do so, the user must log in to their account by providing a mobile phone number and the security code received after entering it.
When the user enters all of the requested data, the attackers gain access to their account.

Figure: an example of a phishing site that fraudsters use to gain access to a victim's MAX messenger account.

During Q2 2026, Doctor Web's Internet analysts observed the emergence of more fraudulent investing-related websites. Cybercriminals follow today's trends and continue to actively exploit the topic of artificial intelligence (AI). For example, on some websites they offered potential victims the opportunity to join a new investment project allegedly linked to large Russian credit organizations. Malicious actors promised access to a specialized chatbot, based on the ChatGPT neural network, that assists with investing. To become members of this "project", website visitors had to register by providing their personal information.

Figure: a fraudulent website offers the chance to register in an investment project allegedly related to a Russian bank and then gain access to a specialized financial chatbot based on the ChatGPT neural network.

At the same time, scammers tried to lure Russian-speaking users by exploiting the names of not only Russian banks but also foreign credit institutions. For example, cybercriminals presented a number of pseudo-investment service websites as being related to South Korean banks.

Figure: one of the fraudulent sites offering Russian-speaking users the chance to join an investment project belonging to a South Korean bank and promising an income starting from 2,000,000 South Korean won.

In Q2 2026, scammers trying to hijack account data for various services remained active. Among the many phishing websites discovered were fake Internet resources of transport companies. One was targeting the customers of a Russian express delivery service. Potential victims were asked to log in to their account by using the mobile phone number linked to the account, or to log in via Gosuslugi (Госуслуги).
Even after "logging in" to the account using the first method, the user was shown a second phishing form that made it look like authorization via Gosuslugi was also required.

Figure: using a fraudulent website, threat actors could steal data from several accounts at once, from a personal account on the transport company's website and from the Gosuslugi web portal.

Our specialists also identified new phishing sites for credit organizations of various countries. For instance, scammers asked depositors of one US bank to log in to their account and check the availability of a higher interest rate for "loyal customers". In another case, a phishing website was designed to look like it belonged to one of the Ecuadorian banks and asked users for their online banking account login and password.

Another phishing scheme targeted British users. Cybercriminals created fake government service websites where individuals could pay a parking fine. Potential victims were asked for detailed personal information, supposedly to verify their identity, after which they were redirected to a page for paying the "fine".

The alleged opportunity for citizens to get various gratuitous payments remains a common fraudulent scheme. However, cybercriminals are constantly adapting it to current events. For example, in the run-up to Russia Day celebrations, fake websites of Russian credit organizations began emerging, with scammers promising special holiday payments.
On one such site, users were supposedly eligible to receive between 5,000 and 300,000 rubles for taking a survey. In another variant of the scheme, users could supposedly expect to receive "assistance" in the amount of 5,000 rubles after completing a survey. Amid speculative reports of fuel shortages in some Russian regions, a number of these sites promised vouchers for 20 to 200 liters of free fuel.

After answering a few simple questions, visitors to these sites were asked to undergo an "identity check" in order to receive the promised reward. For this, they had to provide their first and last names, mobile phone number, and bank card number. Fraudsters could then use this information to steal the victims' money.

Fake FIFA (the International Federation of Association Football) websites were also among the unwanted Internet portals identified in Q2 2026. On these, users were allegedly able to officially purchase tickets to 2026 FIFA World Cup matches, brand souvenirs, and various premium services. Just like on the legitimate site, visitors to such fakes were asked to log in to a FIFA ID account, but in this case the authentication form for entering the login and password accepted any data at all.

Figure: fake FIFA ID account login form.

When football enthusiasts selected the product they were interested in, they were asked to complete the purchase and make payment. During the payment process, users were redirected to the website of one of the services included in the Dr.Web anti-virus database of non-recommended Internet resources.

Figure: a fake FIFA website allegedly allowing users to officially purchase licensed products and services.

Our experts also identified a number of spam campaigns aimed at distributing links to fake Russian marketplace websites, where the attackers offered potential victims the opportunity to participate in an "anniversary prize draw".
The fraudsters promised the chance to win money prizes of up to 1,000,000 rubles, as well as computer and mobile gadgets. To participate in this "promotion", users had to click the corresponding button on these websites, after which a prize draw was simulated. After several attempts, the potential victim was told that they had won several gifts and could supposedly choose between receiving the prizes themselves at a marketplace pickup point or their cash equivalent by transfer to a bank account. If the option to receive prizes at the pickup point was chosen, these websites reported that the goods were out of stock, but that the user could still exchange them for money. For that, the potential victim had to provide their bank card number. Once the number was entered, the sites asked the victim to pay a state fee to "officially register the winnings". The fraudsters' victims never actually received any prizes; they handed over not only their bank card details but also their money.

## Malicious and unwanted programs for mobile devices

According to detection statistics collected by Dr.Web Security Space for mobile devices, in Q2 2026 users encountered banking trojans less frequently; however, these trojan apps remained the most widespread malware. In addition, the activity of the Android.HiddenAds and Android.MobiDash ad-displaying trojans continued to decrease. Tool.Obfuscator.TrashCode and Tool.NPMod, detection names for programs modified using the NP Manager modding tool, were the most commonly detected potentially dangerous software. Malware creators use this tool to protect malicious software from being detected by anti-viruses. The most prevalent unwanted apps were Program.FakeAntiVirus fake anti-viruses. To "cure" threats that they allegedly detected, they demand that users purchase the full version of the software.
Topping the list of the most commonly detected adware programs were Adware.AdPush modules, which display misleading notifications and collect confidential data. The Android OS optimization apps Adware.Bastion.1.origin were widespread again; they create notifications about supposed memory shortages and system errors in order to display ads during "optimization". Adware.Opensite.15 advertising programs also remained highly active. Threat actors distribute them under the guise of cheating apps that supposedly help users obtain various in-game resources, but these programs in fact only load websites with ads.

In June, Doctor Web's specialists informed users about Android.MagicAd.1, a trojan capable of bypassing Android OS restrictions and displaying background ads. To do so, Android.MagicAd.1 exploits third-party apps and selects among several methods based on the infected device's manufacturer.

Over the course of Q2, our malware analysts uncovered more trojan apps on Google Play from the Android.Joker and Android.Subscription families, which subscribe users to paid services. Combined, they were downloaded at least 2,600,000 times.

## The most noteworthy Q2 2026 events involving mobile malware

- Android.Banker banking trojans remained the most commonly detected malware on devices protected with Dr.Web anti-virus products.
- Malicious actors continued actively using specialized Android app-modding tools to shield banking trojans from anti-virus detection.
- The activity of the ad-displaying trojans Android.MobiDash and Android.HiddenAds decreased again.
- Doctor Web's malware analysts discovered Android.MagicAd.1, a trojan that exploits third-party programs to bypass Android OS restrictions and display background ads.
- More trojan apps subscribing users to paid services were detected on Google Play.

To find out more about the security-threat landscape for mobile devices in Q2 2026, read our special overview.
Analysis Summary
# Industry News: Q2 2026 Malware Landscape: AI-Themed Investment Fraud and Account Phishing Follow the "MAX" Messenger's Growth
## Summary
Doctor Web's Q2 2026 activity review reports a 95.32% increase in unique threats alongside a 5.72% rise in total detections, meaning far more distinct malicious files are circulating. Key trends include the pivot of scammers toward the emergent "MAX" messenger platform and the use of artificial intelligence as a lure for fraudulent investment schemes.
## Key Details
- **Date:** July 1, 2026
- **Companies Involved:** Doctor Web (Researcher), Google (Android/Play Store), MAX Messenger, Microsoft (Targeted Office Vulnerabilities)
- **Category:** Market Analysis / Threat Intelligence Report
## The Story
The second quarter of 2026 saw both a quantitative and a qualitative shift in the threat landscape. Total detections rose by 5.72%, but unique threats nearly doubled (up 95.32%). The report does not say why; a plausible reading is that attackers are regenerating or repacking samples faster, which erodes the value of purely hash- or signature-based detection.
The quarter was defined by targeted social engineering. Cybercriminals capitalized on the growth of the Russian messenger **MAX**, porting established phishing tactics from Telegram and WhatsApp to this newer ecosystem. The report also documents continued exploitation of the AI hype cycle, with scammers offering a fake ChatGPT-based financial chatbot to harvest personal data from retail investors. In the mobile sector, a new trojan, **Android.MagicAd.1**, bypasses OS-level restrictions by exploiting third-party apps (the report does not detail how) and varies its technique by device manufacturer.
## Business Impact
### For the Companies Involved
- **Doctor Web:** Positions itself as a critical intelligence provider for the Russian-speaking and mobile markets via deep analysis of regional platforms (MAX, Gosuslugi).
- **MAX Messenger:** Faces a "trust tax" as rapid user growth attracts significant criminal activity, potentially stalling adoption if security perception wanes.
### For Competitors
- Security vendors must lean on behavior-based detection rather than signature databases alone to keep up with the near-doubling of unique threat files.
- Mobile security firms must account for manufacturer-specific exploitation techniques highlighted by the MagicAd.1 discovery.
### For Customers
- **Enterprise:** Elevated risk from "JobStealer", which was disguised as video-conferencing software for fake online job interviews and steals browser-saved passwords and card data, cookies, crypto wallet extension data, and Telegram files, a direct hit on the remote/hybrid work model.
- **Retail:** High exposure to "investment" scams and fake government payouts (Russia Day, fuel vouchers), leading to direct financial loss, plus account takeover of Gosuslugi logins via the fake delivery-service site.
### For the Market
- Trojan.Siggen31.34463, a Go-written downloader launched through a uTorrent DLL search order hijack, and JobStealer, which targets both Windows and macOS, point to a commodity ecosystem investing in reliable loaders and cross-platform stealers to maximize return per strain.
## Technical Implications
- **Developer Tool Abuse:** Widespread use of the NP Manager modding tool (detected as Tool.NPMod) and obfuscators (Tool.Obfuscator.TrashCode) to shield Android malware, including banking trojans, from detection.
- **Vulnerability Lifecycle:** Continued prevalence of exploits for Office vulnerabilities patched years ago (CVE-2017-11882, CVE-2018-0798) shows that unpatched or legacy Office installations remain a worthwhile target.
- **DLL Hijacking:** DLL search order hijacking of the uTorrent client via a planted %appdata%\utorrent\lib.dll is an active infection vector for miners and adware.
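A triage routine for the XLSX-with-OLE-object and Equation Editor exploit patterns listed in the report's email-traffic statistics (X97M.DownLoader.2343, Exploit.CVE-2017-11882.123, Exploit.CVE-2018-0798.4) and referred to in the vulnerability-lifecycle point above, as an added example rather than code from the report: it walks the OOXML zip, reports embedded objects under the embeddings/ part, checks each blob for the Microsoft Equation 3.0 markers (its CLSID, ProgID and stream name), and lists relationships with external targets. The sample workbook is constructed in memory, its OLE blob is a stand-in byte string carrying those markers rather than a valid compound file, and the URL is a placeholder.

```python
"""Triage an Office Open XML file for embedded OLE objects and external links.

Added example, not Doctor Web's code. An .xlsx/.docx is a zip; an embedded
OLE object is stored at xl/embeddings/oleObjectN.bin (word/embeddings/ for
.docx) and referenced from a part's .rels file. The workbook built below is
constructed in memory; its OLE blob is a stand-in byte string that only
carries the markers an Equation Editor object contains, not a valid
compound file.
"""
import io
import re
import uuid
import zipfile
from typing import List

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound file header
# Microsoft Equation 3.0 CLSID {0002CE02-0000-0000-C000-000000000046}, on-disk byte order
EQ_CLSID_LE = uuid.UUID("0002CE02-0000-0000-C000-000000000046").bytes_le
EQ_MARKERS = (EQ_CLSID_LE, b"Equation.3", "Equation Native".encode("utf-16-le"))
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
REL_RE = re.compile(r"<Relationship\b[^>]*>")
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def build_sample_xlsx(with_ole: bool, external_target: str = "") -> bytes:
    """Constructed minimal workbook; real files carry many more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        rels = []
        if with_ole:
            rels.append(f'<Relationship Id="rId1" Type="{OLE_REL}" '
                        'Target="../embeddings/oleObject1.bin"/>')
            # stand-in blob: CFB magic, padding, then the markers a real object carries
            blob = CFB_MAGIC + b"\x00" * 56 + EQ_CLSID_LE + b"\x00" * 8 + b"Equation.3\x00"
            z.writestr("xl/embeddings/oleObject1.bin", blob)
        if external_target:
            rels.append(f'<Relationship Id="rId2" Type="{OLE_REL}" '
                        f'Target="{external_target}" TargetMode="External"/>')
        z.writestr("xl/worksheets/_rels/sheet1.xml.rels",
                   "<Relationships>" + "".join(rels) + "</Relationships>")
    return buf.getvalue()


def triage(data: bytes) -> List[str]:
    """Human-readable findings; an empty list means nothing notable was seen."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            lower = name.lower()
            if "/embeddings/" in lower:
                blob = z.read(name)
                kind = "OLE compound file" if blob.startswith(CFB_MAGIC) else "non-CFB payload"
                findings.append(f"embedded object {name} ({kind})")
                if any(m in blob for m in EQ_MARKERS):
                    findings.append(f"Equation Editor object in {name}: "
                                    "CVE-2017-11882 / CVE-2018-0798 exploit candidate")
            elif lower.endswith("vbaproject.bin"):
                findings.append(f"VBA macro project {name}")
            elif lower.endswith(".rels"):
                for rel in REL_RE.findall(z.read(name).decode("utf-8", "replace")):
                    attrs = dict(ATTR_RE.findall(rel))
                    if attrs.get("TargetMode") == "External":
                        findings.append(f"external relationship in {name} -> {attrs.get('Target')}")
    return findings


if __name__ == "__main__":
    for line in triage(build_sample_xlsx(True, "http://example.invalid/payload.bin")):
        print("[!]", line)
```

On real samples the markers sit inside a compound file whose directory and stream names are UTF-16 and sector-packed, so the substring match is a cheap first pass, not a parser; hand anything that fires to a proper OLE parser and a sandbox. External relationship targets are worth listing regardless of the object type, since fetching the payload at open time is exactly the behaviour the report attributes to X97M.DownLoader.2343.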
## Strategic Analysis
- **Market Positioning:** Threat actors are following the "attention economy"—where users go (MAX messenger, AI tools), criminals follow immediately.
- **Competitive Advantage:** Attackers are using manufacturer-specific code paths for Android, suggesting a move toward "Precision Malware" that adapts to the specific hardware environment it infects.
- **Challenges:** The 2.67% drop in decryption requests is too small to carry a conclusion on its own, and the report offers no cause. Better backup hygiene and a criminal focus shifting toward data theft and account hijacking (Gosuslugi accounts, crypto wallets) are both consistent with it.
## Industry Reactions
- **Analyst Opinions:** The report shows event-driven campaigns that exploit local news cycles (fuel shortages, Russia Day, the World Cup) running alongside commodity adware, miners and loaders, which still top the detection charts, rather than replacing them.
- **Market Response:** Growing pressure on app store curators (Google Play) as over 2.6 million downloads were attributed to "subscription trojans" despite screening processes.
## Future Outlook
- **The "MAX" Ecosystem:** Expect a rise in automated botting and account-takeover tools specialized for the MAX messenger as its market share stabilizes.
- **AI Fraud:** Expect fake AI assistants and "investment chatbots" to become a standard phishing lure as LLM tools spread; the ChatGPT-branded financial bot seen this quarter is an early instance.
- **World Cup 2026:** Phishing around FIFA tickets and merchandise will stay elevated while the tournament runs, reusing the fake FIFA ID login form and redirect-to-payment-service pattern described in the report.
## For Security Professionals
- **Action Item:** Audit managed Android devices for modded or repackaged APKs; the NP Manager and obfuscator tooling flagged in the report (Tool.NPMod, Tool.Obfuscator.TrashCode) is what banking trojans currently hide behind.
- **Endpoint Defense:** Ensure EDR alerts on unsigned DLLs loaded from user-writable paths (the report's example is %appdata%\utorrent\lib.dll) and on newly installed browser extensions such as the WinSafe component detected as Trojan.BPlug.4268.
- **User Training:** Update phishing simulations to include fake video-interview software installs, AI-chatbot investment lures, and phone-number-plus-code harvesting pages like the MAX "voting" sites.