Check Point’s April 2025 Threat Index Identifies ‘Most Wanted Malware’
FakeUpdates remains the most prevalent malware this month, impacting 6% of organizations globally, followed closely by Remcos and AgentTesla.
Check Point Software Technologies, an AI-powered, cloud-delivered cybersecurity platform provider, has published its Global Threat Index for April 2025, highlighting that 8 African countries are among the top 20 countries most targeted by malware practitioners.
Ethiopia continues to occupy the number 1 spot as the most targeted country of the 107 involved in the Check Point survey. Others on the continent include Zimbabwe, which is the third most targeted with a Normalized Risk Index of 85%, followed by Mozambique (9th) with a Normalized Risk Index of 67%.
Angola and Nigeria are 11th and 12th, respectively, with Normalized Risk Indexes of 66% and 66.2%. Ghana, Kenya and Uganda were ranked 17th, 18th and 19th, with Normalized Risk Indexes of 62.9%, 60.5%, and 60.2%.
This month, researchers uncovered a sophisticated multi-stage malware campaign delivering AgentTesla, Remcos, and Xloader (a FormBook evolution). The attack begins with phishing emails disguised as order confirmations and lures victims into opening a malicious 7-Zip archive. This archive contains a JScript Encoded (.JSE) file that launches a Base64-encoded PowerShell script, which executes a second-stage .NET- or AutoIt-based executable.
The final payload is injected into legitimate Windows processes such as RegAsm.exe or RegSvcs.exe, significantly increasing stealth and detection evasion.
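For defenders, the chain described above can be hunted in process-creation telemetry. The sketch below is an added example, not code from Check Point's report; it flags a script host running a .JSE file, a Base64-encoded PowerShell child, and RegAsm.exe or RegSvcs.exe appearing further down the same process tree. Assumptions: events carry `pid`, `ppid`, `image` and `cmdline` fields in time order, the .JSE file runs under wscript.exe or cscript.exe, PowerShell is started with an `-EncodedCommand`-style flag, and the loader starts the injection target itself.

```python
import base64
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}      # Windows Script Host runs .jse
INJECTION_HOSTS = {"regasm.exe", "regsvcs.exe"}    # processes named in the report
# powershell.exe accepts -e, -ec and any prefix of -EncodedCommand from "-en" on.
ENC_FLAG = re.compile(r"\s-(?:e|ec|en\w*)\s+([A-Za-z0-9+/=]{16,})", re.I)

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def find_chain(events):
    """Return (rule, pid, detail) for each stage seen; events are in time order."""
    tainted = set()          # pids descended from a script host that ran a .jse
    findings = []
    for e in events:
        image = basename(e["image"])
        if image in SCRIPT_HOSTS and re.search(r"\.jse\b", e["cmdline"], re.I):
            tainted.add(e["pid"])
            findings.append(("jse_script_host", e["pid"], e["cmdline"]))
        elif e["ppid"] in tainted:
            tainted.add(e["pid"])
            m = ENC_FLAG.search(e["cmdline"])
            if image == "powershell.exe" and m:
                # -EncodedCommand carries Base64 of UTF-16LE text
                text = base64.b64decode(m.group(1)).decode("utf-16-le", "replace")
                findings.append(("encoded_powershell", e["pid"], text))
            elif image in INJECTION_HOSTS:
                findings.append(("injection_host_in_chain", e["pid"], image))
    return findings

# Constructed sample data: harmless command, made-up paths and pids.
_ENC = base64.b64encode("Write-Output 'stage2'".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\AppData\Local\Temp\order.jse"'},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -enc " + _ENC},
    {"pid": 300, "ppid": 200, "image": r"C:\Users\u\AppData\Local\Temp\stage2.exe",
     "cmdline": "stage2.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": "RegAsm.exe"},
    # Benign: RegAsm started by an installer outside the chain is not flagged.
    {"pid": 500, "ppid": 2, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": "RegAsm.exe C:\\app\\plugin.dll /codebase"},
]

if __name__ == "__main__":
    for finding in find_chain(SAMPLE_EVENTS):
        print(finding)
```

Correlating on ancestry rather than on process name alone is what keeps the legitimate RegAsm.exe run (pid 500) out of the results.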
Commodity malware meets advanced tradecraft
These findings reflect a notable trend in cybercrime: the convergence of commodity malware with advanced tradecraft. Tools once sold openly for low cost, like AgentTesla and Remcos, are now integrated into complex delivery chains that mimic the tactics of state-sponsored actors—blurring the lines between financially and politically motivated threats.
Lotem Finkelstein, Director of Threat Intelligence at Check Point Software, commented, “This latest campaign exemplifies the growing complexity of cyber threats. Attackers are layering encoded scripts, legitimate processes, and obscure execution chains to remain undetected. What we once considered low-tier malware is now weaponized in advanced operations. Organizations must adopt a prevention-first approach that integrates real-time threat intelligence, AI, and behavioral analytics.”
Top-Attacked Industries Globally
For the third straight month, the education sector was the most targeted industry, due to its broad user base and typically weaker cybersecurity. Government and telecom followed, reflecting continued focus on critical infrastructure and public services, especially in high-risk or rapidly digitizing regions.
- Education
- Government
- Telecommunications
April’s data reveals a growing use of stealthy, multi-stage malware campaigns and a continued focus on sectors with lower defenses. With FakeUpdates remaining the most prevalent threat and new ransomware actors like SatanLock emerging, organizations must prioritize proactive, layered security to stay ahead of evolving attacks.
Source: www.itnewsafrica.com