Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257
We include indicators of activity and mitigations for PAN-OS vulnerability CVE-2026-0257.
The post Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257 appeared first on Unit 42.

We include indicators of activity and mitigations for PAN-OS vulnerability CVE-2026-0257.
The post Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257 appeared first on Unit 42.

![]()
Mexico is one of the host countries for the 2026 FIFA World Cup, with matches to be played in three major cities: Mexico City, Monterrey, and Guadalajara. These locations are expected to see a large influx of international visitors, increasing the potential security risks. Many of those risks arise from users connecting to public wireless networks.
To better understand the wireless environments that visitors may encounter, we at Kaspersky GReAT conducted a wardriving assessment in the three host cities. The aim of the study was to analyze characteristics, deployment patterns, security configurations and potential exposure risks of public Wi-Fi infrastructure in urban wireless environments.
The information collected during the assessment was used exclusively for passive observation and infrastructure analysis. No attempts were made to authenticate, intercept communications, exploit systems or interact with the detected wireless networks beyond the publicly broadcast management information.
During processing of the collected data, one step involved filtering out networks belonging to cars or cell phones categorized as mobile hotspots because they do not represent networks that can be considered part of the assessment.
The cities included in the study have high population density and extensive wireless infrastructure deployments. We chose areas with the most prominent wireless network activity and highly concentrated public access points. We carried out wardriving research in Monterrey back in 2008, but the cityβs hotspot landscape has changed since then.
We chose the following analysis areas for each of the cities:
The wireless information was collected using passive wireless reconnaissance techniques. The collected information included:
We performed a wireless infrastructure analysis in Mexico City, Guadalajara, and Monterrey. We drove through the areas surrounding the World Cup stadiums, tourist zones, and other places where fan concentrations are likely to be largest. Our goal was to evaluate the security status, deployment characteristics and operational exposure of detected wireless networks.
In total, we recorded 84,588 signals with 69,473 unique Service Set Identifiers (SSIDs) in busy locations and World Cup zones across the three cities. Mexico City accounted for 61.4% of the signals, Guadalajara for 23.6%, and Monterrey for 14.8%. Approximately 82% of the signals had a single SSID (81.9%, 81.34%, and 84% respectively). Notably, they all operate under the IEEE 802.11 standard protocol.
Particular attention was given to identifying standard deployment patterns, legacy configurations, default vendor settings and information disclosure through publicly broadcast wireless identifiers.
The following sections present the results that were obtained by analyzing wireless infrastructure across the three locations.
SSID analysis was conducted to evaluate naming conventions, deployment standardization and potential information exposure.
Only a few networks (0.0047%) have an invisible SSID, meaning the names of these networks are not broadcast. Some users prefer to hide the SSID for various reasons, such as the networkβs purpose, the profile of its users, internal policies, etc. In contrast, the rest of the networks maintained active SSID broadcasting.
SSID structures may unintentionally disclose operational details about internet service providers (ISPs), device manufacturers, deployment practices, organizational ownership or user identity. The repeated presence of default SSID naming patterns across the analyzed locations indicates a significant degree of infrastructure homogeneity and reuse of default wireless configurations. It may also facilitate passive infrastructure profiling by revealing standard characteristics in use.
Approximately 34% of the detected networks retained the default SSID naming conventions provided by the manufacturer or ISP, while 66% used customized identifiers.
Distribution of SSID naming conventions (download)
Several recurring SSID naming conventions associated with ISP-provided deployments were identified in the three cities. The most frequently observed patterns include identifiers such as βClub_Totalplay_WiFiβ, βizzi WiFiβ, and βMegacable WiFiβ, which suggests extensive standardization of wireless infrastructure deployment. Additionally, we observed distinctive location-specific SSIDs in each area of analysis, such as βXXXX-Internet para Todos-CDMXβ or βRED JALISCOβ.
Most frequently observed SSID patterns (download)
Sequential SSID naming structures were also identified during the analysis. Patterns such as βINFINITUMXXβ and βIZZI-XXβ suggest automated ISP deployment and large-scale deployment strategies.
We identified 33 unique sequential naming structures among the 137 sequential SSIDs in total, representing approximately 0.16% of the detected wireless networks.
The following graph shows the top five sequential SSID patterns found in the largest number of networks:
Five most frequently observed sequential patterns (download)
Several customized SSIDs contained personal or organizational identifiers, including family names, professions, addresses or internal department references. Although personalized SSIDs may simplify local network identification for users, they may also expose sensitive information that could be useful for social engineering, physical targeting, or organizational profiling.
During the analysis, multiple networks were identified that used the physical MAC address of a Wi-Fi access point (BSSID) as the visible SSID. This practice exposes hardware-level information that could facilitate vendor fingerprinting and targeted reconnaissance activities.
The organizationally unique identifier (OUI) contained in the first bytes of the BSSID identifies the equipment manufacturer. Threat actors can correlate exposed manufacturers with device-specific vulnerabilities.
BSSID-derived SSID by city (download)
Notably, we found that more than 30% of networks in all three cities reuse the MAC address as the SSID.
We performed wireless infrastructure profiling to identify the most common wireless equipment manufacturers and ISP deployments across the three locations.
Large-scale ISP deployments frequently use standardized wireless configurations and vendor-specific hardware platforms. Identifying dominant manufacturers and ISP naming conventions can provide insight into infrastructure and deployment practices facilitating the mapping of standardized attack surfaces.
The following figure shows the distribution of the most commonly used manufacturers.
Most frequently observed wireless equipment manufacturers (download)
The manufacturer analysis revealed a strong concentration of wireless infrastructure among a limited number of vendors. Across the three locations, Huawei Technologies, MediaTek-based devices, and other manufacturersβ equipment that is distributed through ISP channels represented a significant portion of the detected deployments. Mexico City had the most diverse infrastructure, while Monterrey and Guadalajara had a greater concentration of wireless equipment known as SOHO (small office/home office) or residential-grade hardware. The widespread presence of standard vendor platforms may facilitate infrastructure fingerprinting and large-scale targeting of known device-specific vulnerabilities.
Most frequently observed wireless equipment manufacturers across the three cities (download)
ISP deployments frequently exhibited standardized configuration patterns and recurring manufacturer identifiers. Our ISP deployment analysis revealed a high concentration of access points associated with major residential internet providers. Deployments associated with Infinitum, Totalplay and Izzi represented a substantial portion of the detected wireless infrastructure across all locations. These findings suggest a high degree of deployment standardization across networks associated with major residential internet providers. This observation was supported by the repeated presence of ISP-associated SSIDs such as βInfinitumβ, βTotalplayβ, and βIzziβ, combined with manufacturer identifiers frequently associated with consumer equipment, including Huawei, ZTE and other residential wireless equipment vendors.
It is important to note that, for this analysis, ISPs were primarily inferred from SSID naming conventions and manufacturer fingerprint data. A significant portion of the detected wireless networks fell into the βUNKNOWN/CUSTOMβ category. This classification includes custom hotspots and networks whose naming conventions did not expose identifiable ISP-associated patterns. The findings suggest that many users and organizations (as we saw previously, approximately 66%) use custom network names, limiting direct provider attribution.
The following figure illustrates the distribution of ISP-associated wireless deployments in general.
Most frequently observed ISPs (download)
To better understand this distribution, we took the most frequently observed ISPs by city.
Most frequently observed ISPs across the three cities (download)
We also analyzed wireless signal characteristics to evaluate coverage quality, signal strength, and frequency band utilization in the three cities. In dense urban environments, signal quality and frequency spectrum distribution can affect wireless reliability, client connectivity, roaming performance, and overall network efficiency.
Signal quality analysis revealed that a substantial portion of the detected access points operated under weak or very weak signal conditions. Monterrey had the highest percentage of very weak signals, with approximately 50% of detected deployments. Similar patterns were observed in Guadalajara and Mexico City, suggesting high-density wireless environments with overlapping coverage areas. Only a limited percentage of networks were classified within the very good or excellent signal categories across the three locations.
Signal quality distribution by city (download)
Signal stability analysis revealed that most detected wireless deployments exhibited stable beacon transmission behavior. More than 96% of the detected access points across all locations were classified as stable, while only a small percentage exhibited unstable or indeterminate signal behavior.
These findings imply that the majority of the wireless infrastructure observed during the assessment corresponded to permanently deployed access points rather than transient or intermittent wireless devices.
Signal stability status (download)
Frequency band analysis revealed the strong prevalence of 2.4 GHz wireless deployments across the three locations. More than 95% of the detected wireless networks operated within the 2.4 GHz spectrum, while only a small percentage of deployments were classified under the unknown or non-standard frequency categories. This uneven distribution reflects the continued prevalence of legacy-compatible wireless infrastructure and SOHO deployments.
Frequency band utilization (download)
These findings are consistent with dense urban wireless environments with large numbers of access points in restricted spectrum allocations.
Next, we analyzed wireless channel utilization to evaluate frequency spectrum congestion and channel allocation patterns across the three cities. Our analysis focused on the 2.4 GHz spectrum, where channel overlap and high access point density commonly produce interference and degraded wireless performance. In densely populated wireless environments, an excessive concentration of access points on a limited number of channels can lead to co-channel interference, packet collisions, reduced throughput, and degraded network stability.
Spectrum congestion analysis revealed that the 2.4 GHz band consistently experienced elevated congestion levels across the three cities. The detailed results showed a strong concentration of deployments on channels 11, 6 and 1, which are traditionally recommended as non-overlapping channels within the 2.4 GHz spectrum. Channel 11 was the most utilized channel, accounting for 25.2% of the detected access points, followed by channel 6 with 22.5% and channel 1 with 19.5%. This distribution indicates that most wireless deployments adhere to standard channel allocation practices for 2.4 GHz Wi-Fi environments.
The following figure illustrates the overall distribution of the most frequently utilized wireless channels.
Most utilized wireless channels (download)
To further assess wireless spectrum saturation, the detected access points were grouped according to channel congestion levels: VERY_HIGH, HIGH, UNKNOWN, MEDIUM, LOW and NONE.
Mexico City had the highest proportion of heavily congested wireless channels, with approximately 7% of detected access points operating under HIGH congestion conditions. Guadalajara followed with nearly 5% of deployments categorized as HIGH congestion, while Monterrey had the lowest percentage at approximately 3.29%.
These findings suggest that wireless spectrum saturation increases proportionally with urban infrastructure density and access point concentration. Despite the presence of congested deployments, most detected access points were categorized as LOW or MEDIUM congestion, suggesting severe spectrum saturation was localized rather than uniformly distributed.
Channel congestion by city (download)
A thorough analysis of individual channel utilization revealed that channels 11, 6 and 1 consistently experienced the highest congestion levels across the three cities, which correlates with our previous findings. These channels accounted for the majority of VERY_HIGH congestion classifications, particularly within the 2.4 GHz band.
In Mexico City, channel 11 alone accounted for more than 25% of detected deployments and consistently exhibited VERY_HIGH congestion levels.
This behavior reflects the limited availability of non-overlapping channels within the 2.4 GHz spectrum and the widespread reliance on default wireless configurations.
Most congested channels by city (download)
Overall, the channel utilization analysis showed that wireless deployments are concentrated heavily within the traditional, non-overlapping 2.4 GHz channels. While this strategy reduces adjacent-channel interference, excessive access point density on the same channels can still produce significant co-channel contention and poor wireless performance in high-density urban environments.
The next thing we evaluated was the security posture of the detected wireless networks. We analyzed the wireless security configurations advertised by access points in each of the locations.
The analysis revealed that WPA2 was the dominant wireless authentication mechanism across the three cities. Mexico City had the highest WPA2 adoption rate at 81.19%, followed by Monterrey at 79.19% and Guadalajara at 77.59%.
The study found that every 6th open access point (17%) was unsafe, namely 16.5% in Mexico City, 18.5% in Guadalajara, and 17.2% in Monterrey. Open wireless deployments were consistently present across all locations, ranging between 10% and 12% of detected access points. These findings show that despite the widespread deployment of modern wireless security standards, encryption adoption remains incomplete.
Distribution of wireless authentication mechanisms across the three locations (download)
To simplify the interpretation of wireless security posture, we grouped detected networks into four categories:
Across the three locations, secure networks comprised most of detected deployments, accounting for approximately 82% of all access points. However, insecure open networks still account for between 10% and 12% of detected wireless infrastructure, consistent with our previous findings. It is important to mention that networks within the unknown category are not considered secure.
Mexico City had the highest percentage of secure deployments at 83.54%, while Guadalajara had the highest percentage of insecure open networks at 12.46%. Although Monterrey had the lowest percentage of insecure networks, open deployments still accounted for more than 10% of the detected access points.
Wireless security posture grouping across the three locations (download)
Although modern WPA2/WPA3 encryption standards dominate current wireless deployments, the continued presence of open and legacy WPA deployments indicates that insecure wireless configurations remain relevant from an operational standpoint. These networks may expose users to passive traffic interception, unauthorized monitoring, rogue access point attacks, and credential harvesting techniques.
We also analyzed Wi-Fi Protected Setup (WPS) in all the locations to evaluate additional attack surfaces. WPS is a standard feature on wireless routers that enables devices such as printers, repeaters or mobile phones to connect to a secure Wi-Fi network without manually entering a long password, typically through a PIN-based enrolled mechanism. Although WPA2 and WPA3 provide strong encryption mechanisms, the presence of WPS can introduce security weaknesses due to inherently vulnerable PIN-based enrollment methods.
By combining detections from the three locations, we found that 55% of all detected access points did not advertise WPS capabilities, leaving 45% of deployments vulnerable to WPS-based abuse. These results suggest that, despite the adoption of modern encryption standards, a significant portion of wireless infrastructure continues to expose legacy convenience features.
During the analysis, we found that Mexico City had the highest proportion of WPS-enabled networks, with 46.61% of the detected access points advertising WPS capabilities. Guadalajara was second with 43.45%, while Monterrey had the lowest proportion at 40.93%.
The percentage of detected access points advertising WPS capabilities across the three locations (download)
Almost half of the detected wireless networks in each city continued to advertise WPS, indicating that WPS prevalence is consistently high across the three cities.
In many cases, networks classified as secure because of WPA2/WPA3 encryption still had WPS functionality enabled, which effectively increased the available attack surface.
To further assess the relationship between encryption strength and WPS exposure, we conducted a secondary analysis of secure networks (WPA2/WPA3) only. The results showed that around half of all secure deployments still exposed WPS, with the following breakdown for each city:
The proportion of secure networks with WPS enabled across the three locations (download)
These findings indicate that encryption strength alone is not enough to evaluate wireless security posture because additional protocol features, such as WPS, may still expose exploitable attack vectors.
Overall, travelers operating within dense public environments are exposed not only to insecure wireless infrastructure but also to various risks associated with digital interactions. These risks include many threats, from public USB charging systems and phishing QR codes to proximity-based protocols and exposure to shared public devices, such as interactive totems or kiosks. One particular point that should be taken into account in light of our research is the issue of rogue wireless deployments.
Rogue access points are not necessarily malicious; they may be set up accidentally by misconfiguring router settings. An entry point for potential compromise might be caused by various misconfigurations, from a weak password to an insecure protocol. However, attackers deploy such unauthorized hotspots with malicious intent to infiltrate a network. Threat actors may deploy rogue access points posing as legitimate public wireless networks in airports, hotels, cafΓ©s and tourist areas. These deployments are called βevil twinsβ and can trick users into connecting to attacker-controlled infrastructure capable of intercepting traffic, harvesting credentials, or performing man-in-the-middle attacks. Further risk lies in the potential compromise of local network devices or even malware distribution. Such threats complement our findings, underscoring the importance of implementing traffic encryption, using a security solution and exercising extreme caution while browsing via public networks.
The wardriving assessment conducted in Mexico City, Guadalajara, and Monterrey revealed that modern wireless infrastructure continues to present multiple forms of operational exposure despite the widespread adoption of WPA2 and WPA3 security standards. The analysis demonstrated that wireless environments are highly standardized in all the locations, with recurring ISP deployments, default SSID naming conventions, homogeneous manufacturer distribution, and predictable channel allocation practices observed in all three cities.
Although most of the detected networks were classified as secure under WPA2/WPA3 authentication mechanisms, a significant proportion were exposing additional attack surfaces through enabled WPS functionality, default configurations, sequential SSID structures, and infrastructure metadata disclosure. This demonstrates that encryption strength alone is insufficient for evaluating the overall security posture of wireless infrastructure. Additionally, the prevalence of open networks and legacy wireless configurations indicates that insecure deployments are still operationally relevant in all the locations.
The results also showed that wireless infrastructure is heavily concentrated within the 2.4 GHz spectrum, particularly around channels 11, 6, and 1. This leads to elevated congestion and increased co-channel interference in densely populated urban environments.
SSID analysis further revealed that publicly broadcast wireless identifiers frequently expose valuable operational information about ISPs, equipment manufacturers, deployment templates, organizational ownership, and user-defined naming practices. The identification of default ISP naming conventions, sequential SSID structures, and BSSID-derived SSIDs demonstrated that many deployments prioritize operational convenience and simplicity over exposure minimization and privacy.
The scope of the threats stemming from vulnerable wireless configurations poses serious digital exposure risks for users. The widespread presence of standard deployments, predictable SSID naming and publicly exposed infrastructure identifiers can facilitate passive reconnaissance, infrastructure fingerprinting and opportunistic targeting.
To minimize the risks of wireless-based exposure and the attack surface related to hotspot infrastructure, we recommend taking the following measures:
The findings presented in this assessment emphasize the importance of combining strong wireless encryption standards, secure deployment practices, exposure minimization strategies, and user awareness to enhance the overall security posture of wireless environments.




![]()
Mexico is one of the host countries for the 2026 FIFA World Cup, with matches to be played in three major cities: Mexico City, Monterrey, and Guadalajara. These locations are expected to see a large influx of international visitors, increasing the potential security risks. Many of those risks arise from users connecting to public wireless networks.
To better understand the wireless environments that visitors may encounter, we at Kaspersky GReAT conducted a wardriving assessment in the three host cities. The aim of the study was to analyze characteristics, deployment patterns, security configurations and potential exposure risks of public Wi-Fi infrastructure in urban wireless environments.
The information collected during the assessment was used exclusively for passive observation and infrastructure analysis. No attempts were made to authenticate, intercept communications, exploit systems or interact with the detected wireless networks beyond the publicly broadcast management information.
During processing of the collected data, one step involved filtering out networks belonging to cars or cell phones categorized as mobile hotspots because they do not represent networks that can be considered part of the assessment.
The cities included in the study have high population density and extensive wireless infrastructure deployments. We chose areas with the most prominent wireless network activity and highly concentrated public access points. We carried out wardriving research in Monterrey back in 2008, but the cityβs hotspot landscape has changed since then.
We chose the following analysis areas for each of the cities:
The wireless information was collected using passive wireless reconnaissance techniques. The collected information included:
We performed a wireless infrastructure analysis in Mexico City, Guadalajara, and Monterrey. We drove through the areas surrounding the World Cup stadiums, tourist zones, and other places where fan concentrations are likely to be largest. Our goal was to evaluate the security status, deployment characteristics and operational exposure of detected wireless networks.
In total, we recorded 84,588 signals with 69,473 unique Service Set Identifiers (SSIDs) in busy locations and World Cup zones across the three cities. Mexico City accounted for 61.4% of the signals, Guadalajara for 23.6%, and Monterrey for 14.8%. Approximately 82% of the signals had a single SSID (81.9%, 81.34%, and 84% respectively). Notably, they all operate under the IEEE 802.11 standard protocol.
Particular attention was given to identifying standard deployment patterns, legacy configurations, default vendor settings and information disclosure through publicly broadcast wireless identifiers.
The following sections present the results that were obtained by analyzing wireless infrastructure across the three locations.
SSID analysis was conducted to evaluate naming conventions, deployment standardization and potential information exposure.
Only a few networks (0.0047%) have an invisible SSID, meaning the names of these networks are not broadcast. Some users prefer to hide the SSID for various reasons, such as the networkβs purpose, the profile of its users, internal policies, etc. In contrast, the rest of the networks maintained active SSID broadcasting.
SSID structures may unintentionally disclose operational details about internet service providers (ISPs), device manufacturers, deployment practices, organizational ownership or user identity. The repeated presence of default SSID naming patterns across the analyzed locations indicates a significant degree of infrastructure homogeneity and reuse of default wireless configurations. It may also facilitate passive infrastructure profiling by revealing standard characteristics in use.
Approximately 34% of the detected networks retained the default SSID naming conventions provided by the manufacturer or ISP, while 66% used customized identifiers.
Distribution of SSID naming conventions (download)
Several recurring SSID naming conventions associated with ISP-provided deployments were identified in the three cities. The most frequently observed patterns include identifiers such as βClub_Totalplay_WiFiβ, βizzi WiFiβ, and βMegacable WiFiβ, which suggests extensive standardization of wireless infrastructure deployment. Additionally, we observed distinctive location-specific SSIDs in each area of analysis, such as βXXXX-Internet para Todos-CDMXβ or βRED JALISCOβ.
Most frequently observed SSID patterns (download)
Sequential SSID naming structures were also identified during the analysis. Patterns such as βINFINITUMXXβ and βIZZI-XXβ suggest automated ISP deployment and large-scale deployment strategies.
We identified 33 unique sequential naming structures among the 137 sequential SSIDs in total, representing approximately 0.16% of the detected wireless networks.
The following graph shows the top five sequential SSID patterns found in the largest number of networks:
Five most frequently observed sequential patterns (download)
Several customized SSIDs contained personal or organizational identifiers, including family names, professions, addresses or internal department references. Although personalized SSIDs may simplify local network identification for users, they may also expose sensitive information that could be useful for social engineering, physical targeting, or organizational profiling.
During the analysis, multiple networks were identified that used the physical MAC address of a Wi-Fi access point (BSSID) as the visible SSID. This practice exposes hardware-level information that could facilitate vendor fingerprinting and targeted reconnaissance activities.
The organizationally unique identifier (OUI) contained in the first bytes of the BSSID identifies the equipment manufacturer. Threat actors can correlate exposed manufacturers with device-specific vulnerabilities.
BSSID-derived SSID by city (download)
Notably, we found that more than 30% of networks in all three cities reuse the MAC address as the SSID.
We performed wireless infrastructure profiling to identify the most common wireless equipment manufacturers and ISP deployments across the three locations.
Large-scale ISP deployments frequently use standardized wireless configurations and vendor-specific hardware platforms. Identifying dominant manufacturers and ISP naming conventions can provide insight into infrastructure and deployment practices facilitating the mapping of standardized attack surfaces.
The following figure shows the distribution of the most commonly used manufacturers.
Most frequently observed wireless equipment manufacturers (download)
The manufacturer analysis revealed a strong concentration of wireless infrastructure among a limited number of vendors. Across the three locations, Huawei Technologies, MediaTek-based devices, and other manufacturersβ equipment that is distributed through ISP channels represented a significant portion of the detected deployments. Mexico City had the most diverse infrastructure, while Monterrey and Guadalajara had a greater concentration of wireless equipment known as SOHO (small office/home office) or residential-grade hardware. The widespread presence of standard vendor platforms may facilitate infrastructure fingerprinting and large-scale targeting of known device-specific vulnerabilities.
Most frequently observed wireless equipment manufacturers across the three cities (download)
ISP deployments frequently exhibited standardized configuration patterns and recurring manufacturer identifiers. Our ISP deployment analysis revealed a high concentration of access points associated with major residential internet providers. Deployments associated with Infinitum, Totalplay and Izzi represented a substantial portion of the detected wireless infrastructure across all locations. These findings suggest a high degree of deployment standardization across networks associated with major residential internet providers. This observation was supported by the repeated presence of ISP-associated SSIDs such as βInfinitumβ, βTotalplayβ, and βIzziβ, combined with manufacturer identifiers frequently associated with consumer equipment, including Huawei, ZTE and other residential wireless equipment vendors.
It is important to note that, for this analysis, ISPs were primarily inferred from SSID naming conventions and manufacturer fingerprint data. A significant portion of the detected wireless networks fell into the βUNKNOWN/CUSTOMβ category. This classification includes custom hotspots and networks whose naming conventions did not expose identifiable ISP-associated patterns. The findings suggest that many users and organizations (as we saw previously, approximately 66%) use custom network names, limiting direct provider attribution.
The following figure illustrates the distribution of ISP-associated wireless deployments in general.
Most frequently observed ISPs (download)
To better understand this distribution, we took the most frequently observed ISPs by city.
Most frequently observed ISPs across the three cities (download)
We also analyzed wireless signal characteristics to evaluate coverage quality, signal strength, and frequency band utilization in the three cities. In dense urban environments, signal quality and frequency spectrum distribution can affect wireless reliability, client connectivity, roaming performance, and overall network efficiency.
Signal quality analysis revealed that a substantial portion of the detected access points operated under weak or very weak signal conditions. Monterrey had the highest percentage of very weak signals, with approximately 50% of detected deployments. Similar patterns were observed in Guadalajara and Mexico City, suggesting high-density wireless environments with overlapping coverage areas. Only a limited percentage of networks were classified within the very good or excellent signal categories across the three locations.
Signal quality distribution by city (download)
Signal stability analysis revealed that most detected wireless deployments exhibited stable beacon transmission behavior. More than 96% of the detected access points across all locations were classified as stable, while only a small percentage exhibited unstable or indeterminate signal behavior.
These findings imply that the majority of the wireless infrastructure observed during the assessment corresponded to permanently deployed access points rather than transient or intermittent wireless devices.
Signal stability status (download)
Frequency band analysis revealed the strong prevalence of 2.4 GHz wireless deployments across the three locations. More than 95% of the detected wireless networks operated within the 2.4 GHz spectrum, while only a small percentage of deployments were classified under the unknown or non-standard frequency categories. This uneven distribution reflects the continued prevalence of legacy-compatible wireless infrastructure and SOHO deployments.
Frequency band utilization (download)
These findings are consistent with dense urban wireless environments with large numbers of access points in restricted spectrum allocations.
Next, we analyzed wireless channel utilization to evaluate frequency spectrum congestion and channel allocation patterns across the three cities. Our analysis focused on the 2.4 GHz spectrum, where channel overlap and high access point density commonly produce interference and degraded wireless performance. In densely populated wireless environments, an excessive concentration of access points on a limited number of channels can lead to co-channel interference, packet collisions, reduced throughput, and degraded network stability.
Spectrum congestion analysis revealed that the 2.4 GHz band consistently experienced elevated congestion levels across the three cities. The detailed results showed a strong concentration of deployments on channels 11, 6 and 1, which are traditionally recommended as non-overlapping channels within the 2.4 GHz spectrum. Channel 11 was the most utilized channel, accounting for 25.2% of the detected access points, followed by channel 6 with 22.5% and channel 1 with 19.5%. This distribution indicates that most wireless deployments adhere to standard channel allocation practices for 2.4 GHz Wi-Fi environments.
The following figure illustrates the overall distribution of the most frequently utilized wireless channels.
Most utilized wireless channels (download)
To further assess wireless spectrum saturation, the detected access points were grouped according to channel congestion levels: VERY_HIGH, HIGH, UNKNOWN, MEDIUM, LOW and NONE.
Mexico City had the highest proportion of heavily congested wireless channels, with approximately 7% of detected access points operating under HIGH congestion conditions. Guadalajara followed with nearly 5% of deployments categorized as HIGH congestion, while Monterrey had the lowest percentage at approximately 3.29%.
These findings suggest that wireless spectrum saturation increases proportionally with urban infrastructure density and access point concentration. Despite the presence of congested deployments, most detected access points were categorized as LOW or MEDIUM congestion, suggesting severe spectrum saturation was localized rather than uniformly distributed.
Channel congestion by city (download)
A thorough analysis of individual channel utilization revealed that channels 11, 6 and 1 consistently experienced the highest congestion levels across the three cities, which correlates with our previous findings. These channels accounted for the majority of VERY_HIGH congestion classifications, particularly within the 2.4 GHz band.
In Mexico City, channel 11 alone accounted for more than 25% of detected deployments and consistently exhibited VERY_HIGH congestion levels.
This behavior reflects the limited availability of non-overlapping channels within the 2.4 GHz spectrum and the widespread reliance on default wireless configurations.
Most congested channels by city (download)
Overall, the channel utilization analysis showed that wireless deployments are concentrated heavily within the traditional, non-overlapping 2.4 GHz channels. While this strategy reduces adjacent-channel interference, excessive access point density on the same channels can still produce significant co-channel contention and poor wireless performance in high-density urban environments.
The next thing we evaluated was the security posture of the detected wireless networks. We analyzed the wireless security configurations advertised by access points in each of the locations.
The analysis revealed that WPA2 was the dominant wireless authentication mechanism across the three cities. Mexico City had the highest WPA2 adoption rate at 81.19%, followed by Monterrey at 79.19% and Guadalajara at 77.59%.
The study found that every 6th open access point (17%) was unsafe, namely 16.5% in Mexico City, 18.5% in Guadalajara, and 17.2% in Monterrey. Open wireless deployments were consistently present across all locations, ranging between 10% and 12% of detected access points. These findings show that despite the widespread deployment of modern wireless security standards, encryption adoption remains incomplete.
Distribution of wireless authentication mechanisms across the three locations (download)
To simplify the interpretation of wireless security posture, we grouped detected networks into four categories:
Across the three locations, secure networks comprised most of detected deployments, accounting for approximately 82% of all access points. However, insecure open networks still account for between 10% and 12% of detected wireless infrastructure, consistent with our previous findings. It is important to mention that networks within the unknown category are not considered secure.
Mexico City had the highest percentage of secure deployments at 83.54%, while Guadalajara had the highest percentage of insecure open networks at 12.46%. Although Monterrey had the lowest percentage of insecure networks, open deployments still accounted for more than 10% of the detected access points.
Wireless security posture grouping across the three locations (download)
Although modern WPA2/WPA3 encryption standards dominate current wireless deployments, the continued presence of open and legacy WPA deployments indicates that insecure wireless configurations remain relevant from an operational standpoint. These networks may expose users to passive traffic interception, unauthorized monitoring, rogue access point attacks, and credential harvesting techniques.
We also analyzed Wi-Fi Protected Setup (WPS) in all the locations to evaluate additional attack surfaces. WPS is a standard feature on wireless routers that enables devices such as printers, repeaters or mobile phones to connect to a secure Wi-Fi network without manually entering a long password, typically through a PIN-based enrolled mechanism. Although WPA2 and WPA3 provide strong encryption mechanisms, the presence of WPS can introduce security weaknesses due to inherently vulnerable PIN-based enrollment methods.
By combining detections from the three locations, we found that 55% of all detected access points did not advertise WPS capabilities, leaving 45% of deployments vulnerable to WPS-based abuse. These results suggest that, despite the adoption of modern encryption standards, a significant portion of wireless infrastructure continues to expose legacy convenience features.
During the analysis, we found that Mexico City had the highest proportion of WPS-enabled networks, with 46.61% of the detected access points advertising WPS capabilities. Guadalajara was second with 43.45%, while Monterrey had the lowest proportion at 40.93%.
The percentage of detected access points advertising WPS capabilities across the three locations (download)
Almost half of the detected wireless networks in each city continued to advertise WPS, indicating that WPS prevalence is consistently high across the three cities.
In many cases, networks classified as secure because of WPA2/WPA3 encryption still had WPS functionality enabled, which effectively increased the available attack surface.
To further assess the relationship between encryption strength and WPS exposure, we conducted a secondary analysis of secure networks (WPA2/WPA3) only. The results showed that around half of all secure deployments still exposed WPS, with the following breakdown for each city:
The proportion of secure networks with WPS enabled across the three locations (download)
These findings indicate that encryption strength alone is not enough to evaluate wireless security posture because additional protocol features, such as WPS, may still expose exploitable attack vectors.
Overall, travelers operating within dense public environments are exposed not only to insecure wireless infrastructure but also to various risks associated with digital interactions. These risks include many threats, from public USB charging systems and phishing QR codes to proximity-based protocols and exposure to shared public devices, such as interactive totems or kiosks. One particular point that should be taken into account in light of our research is the issue of rogue wireless deployments.
Rogue access points are not necessarily malicious; they may be set up accidentally by misconfiguring router settings. An entry point for potential compromise might be caused by various misconfigurations, from a weak password to an insecure protocol. However, attackers deploy such unauthorized hotspots with malicious intent to infiltrate a network. Threat actors may deploy rogue access points posing as legitimate public wireless networks in airports, hotels, cafΓ©s and tourist areas. These deployments are called βevil twinsβ and can trick users into connecting to attacker-controlled infrastructure capable of intercepting traffic, harvesting credentials, or performing man-in-the-middle attacks. Further risk lies in the potential compromise of local network devices or even malware distribution. Such threats complement our findings, underscoring the importance of implementing traffic encryption, using a security solution and exercising extreme caution while browsing via public networks.
The wardriving assessment conducted in Mexico City, Guadalajara, and Monterrey revealed that modern wireless infrastructure continues to present multiple forms of operational exposure despite the widespread adoption of WPA2 and WPA3 security standards. The analysis demonstrated that wireless environments are highly standardized in all the locations, with recurring ISP deployments, default SSID naming conventions, homogeneous manufacturer distribution, and predictable channel allocation practices observed in all three cities.
Although most of the detected networks were classified as secure under WPA2/WPA3 authentication mechanisms, a significant proportion were exposing additional attack surfaces through enabled WPS functionality, default configurations, sequential SSID structures, and infrastructure metadata disclosure. This demonstrates that encryption strength alone is insufficient for evaluating the overall security posture of wireless infrastructure. Additionally, the prevalence of open networks and legacy wireless configurations indicates that insecure deployments are still operationally relevant in all the locations.
The results also showed that wireless infrastructure is heavily concentrated within the 2.4 GHz spectrum, particularly around channels 11, 6, and 1. This leads to elevated congestion and increased co-channel interference in densely populated urban environments.
SSID analysis further revealed that publicly broadcast wireless identifiers frequently expose valuable operational information about ISPs, equipment manufacturers, deployment templates, organizational ownership, and user-defined naming practices. The identification of default ISP naming conventions, sequential SSID structures, and BSSID-derived SSIDs demonstrated that many deployments prioritize operational convenience and simplicity over exposure minimization and privacy.
The scope of the threats stemming from vulnerable wireless configurations poses serious digital exposure risks for users. The widespread presence of standard deployments, predictable SSID naming and publicly exposed infrastructure identifiers can facilitate passive reconnaissance, infrastructure fingerprinting and opportunistic targeting.
To minimize the risks of wireless-based exposure and the attack surface related to hotspot infrastructure, we recommend taking the following measures:
The findings presented in this assessment emphasize the importance of combining strong wireless encryption standards, secure deployment practices, exposure minimization strategies, and user awareness to enhance the overall security posture of wireless environments.




One of the biggest football (soccer) events of this summer is the World Cup 2026. The tournament is co-hosted by three countries: the U.S., Canada, and Mexico. Unfortunately, events of this scale attract not just fans, but also scammers from all over the globe. Weβve already covered how cybercriminals are prepping for the World Cup online, and today weβre talking about digital security for fans on the ground in Mexico.
The country will host 13 matches and welcome millions of tourists. Theyβll be staying in hotels, heading to games, checking out restaurants, navigating airports, and visiting popular tourist spotsΒ β and everywhere they go, the temptation to connect to public Wi-Fi will be high.
Weβve surveyed more than 84 500 (!) public Wi-Fi access points in Mexico City, Guadalajara, and Monterrey β and we have a lot to share about their security. Spoiler alert: many networks are still using outdated security standards, so you really shouldnβt go on vacation without reliable protection and an eSIM.
Walking across Mexico looking for public Wi-Fi access points would have been a bit tough, though thatβs exactly what we did for a similar Wi-Fi security survey in Paris. You can check out the results of that in our post, How safe is Wi-Fi in Paris?
This time the mission was far more demanding: mapping the wireless landscape of three major metropolises. Thatβs why we went wardrivingΒ β scanning for and logging wireless networks from a moving vehicle while equipped with a smartphone or laptop. Itβs similar to searching for Wi-Fi on your phone, where the device constantly listens for nearby networks. Except instead of connecting to them, we just collect data about them.
All information was used strictly for passive observation and infrastructure analysis. Beyond receiving publicly broadcast service information, the experts of Kasperskyβs Global Research and Analysis Team (GReAT) didnβt attempt to authenticate, intercept traffic, exploit systems, or otherwise interact with the wireless networks they discovered. Mobile access points deployed in cars and on mobile devices were excluded from the sample.
Our main target was Mexico City β the capital and one of the most densely populated cities in Latin America. We took a drive through popular tourist spots: Mexico City Stadium, Mexico City International Airport, ZΓ³calo, Paseo de la Reforma, Colonia Roma, La Condesa, Polanco, CoyoacΓ‘n.
In Guadalajara and Monterrey, we drove similar routes: stadiums, main avenues, airports, and popular neighborhoods. Below you can see a heatmap of the areas we covered, ranging from red for areas with the highest density of public access points, through yellow and green, to blue for the lowest concentration.
We used passive radio reconnaissance to log 84Β 500 signals and 69Β 500 unique network identifiers across these three cities. The majority of the signals were caught in Mexico City (61.4%), followed by Guadalajara (23.6%) and Monterrey (14.8%).
What we analyzed:
You can find the full version of the study on the Securelist blog.
Network names (SSIDs) can tell you a lot by unintentionally revealing information about hardware manufacturers, ISPs, deployment methods, and whether an access point belongs to a business or a private user.
About 34% of the public Wi-Fi networks we logged didnβt bother changing their names at all, either sticking with the factory SSIDs from the router manufacturers or using standard naming conventions from their ISPs. For attackers, this can be a pretty solid hint, since this kind of network name lets them know which provider owns a given access point, what hardware is being used, and how itβs likely configured by default.
Another troubling nuance is the large number of Wi-Fi networks (over 30%) that use the access pointβs MAC address (BSSID) as the visible network name. The first few bytes of a BSSID contain an Organizationally Unique Identifier (OUI), which gives away the routerβs manufacturer. This is a useful lead for bad actors: they can find out who made the hardware and test for vulnerabilities specific to that brandβs models.
An access point secured with WPA2/WPA3 can be considered more or less safe. All other authentication mechanisms yield much weaker results. We grouped the public Wi-Fi networks into four categories:
The results are roughly the same across all three cities: about 82% of all analyzed access points are protected by secure standards. The outdated and insecure WPA protocol was practically nonexistent. However, more than 10% of the access points turned out to be completely unsecured. Connecting to these networks carries the risk of traffic interception and hidden surveillance.
But security isnβt evaluated by WPA protocols alone. We also checked for the presence of WPS, the infamous feature for quickly connecting to a network without entering a password, which is highly vulnerable to attacks. It turned out that WPS is enabled on nearly half (47%) of the access points in Mexico City, 43% in Guadalajara, and 41% in Monterrey. On average, 45% of the access points are potentially vulnerable to WPS-related attacksΒ β sacrificing security for the sake of convenience.
Whatβs more, this feature frequently remained active even on seemingly secure WPA2/WPA3 networksΒ β about half of them utilized WPS. This shows that having WPA2/WPA3 is still not enough to consider a Wi-Fi access point safe, as additional features like WPS can still leave the door open to attacks.
Digital risks on a trip arenβt limited to public Wi-Fi alone, especially now that many are shifting away from public Wi-Fi to an eSIM. There are still plenty of threats in crowded places: public USB chargers, QR codes with swapped links, NFC and Bluetooth attacks, and, of course, social engineering tactics. Letβs break it all down.
Charging stations. Public USB chargers can also be dangerous: bad actors could potentially gain access to the data on your device or try to install malware. We covered these attacks in detail in our post, Data theft during smartphone charging.
Dangerous QR codes. Criminals can plant phishing QR codes in popular tourist spots. The pretexts can vary wildly; for instance, ads for team-specific fan βeventsβ, or links supposedly offering discounts or restaurant menus. In reality, any QR code posted on the street can be considered insecure by default, and you shouldnβt scan them with your smartphone unless you have a QR code threat analyzerΒ installed.
Fake broadcasts, tickets, and betting pools. Earlier, we described cases where bad actors were distributing malware via fake IPTV apps to capitalize on the WC26 hype. Remember, even if you plan to watch the tournament from home, you still need to stay alert and not trust the first sites that pop up advertising free broadcasts, offering betting pools, or promising unbelievably generous payouts.
NFC and Bluetooth attacks. Leaving Bluetooth enabled in crowded places can also cause problems: someone might try to discover your device, track you, or initiate an unwanted pairing request. NFC services with contactless payments create additional risks tooΒ β especially when paying in sketchy spots.
Despite the prevalence of secure WPA2/WPA3 public Wi-Fi access points in Mexico City, Guadalajara, and Monterrey, our study shows that public Wi-Fi networks remain vulnerable. Itβs also important to remember that attackers can create fake networksΒ β so-called evil twinsΒ β disguised as legitimate public Wi-Fi in airports, hotels, cafΓ©s, and tourist spots.
For the average user, itβs practically impossible to tell how safe a specific access point is when trying to connect. Thatβs why the safest option is to use cellular data to access the internet β completely eliminating the need for Wi-Fi. Besides, thereβs no need to research the nuances of local laws, rates, and other cellular details for every country you plan to visit; you can just buy a global eSIM online in two clicks. We explained how to make the entire process hassle-free in our post, Internet on the go with Kaspersky eSIM Store.
If you still plan on connecting to public Wi-Fi, always use a VPN to secure your device and data when connecting to unfamiliar β especially unsecured β Wi-Fi networks. This creates an encrypted tunnel between your device and the VPN server, making it impossible to intercept your data along the way. Havenβt picked a VPN yet? Try Kaspersky VPN Secure Connection, which is included with both Kaspersky Premium and Kaspersky Plus subscriptions.
Now, if you still plan to attend the World Cup without any cybersecurity solution, at least follow these basic rules of digital hygiene:
What else to read to make sure cheering for your favorite team isnβt only exciting, but also safe:





It starts with the familiar: a short message, a trusted name, a routine tone. Delivery updates, work pings, brand alerts hum in the background, rarely attracting scrutiny. You check, you answerβ¦ β until minutes later youβve slipped into a trap built to lower your guard and hijack your trust.
Thatβs why messaging scams cut deep: they exploit everyday habits where instinct, not caution, leads. Communication once moved slowly, leaving room for doubt. Now itβs instant β and that speed is a weapon in criminal hands.
On our blog, weβve already examined numerous scam schemes in messaging apps β from pig butchering, where the victim is groomed for a very long time, or catfishing, where the scammer creates a fake identity, to phishing via chatbots or through gift-giving campaigns in messaging apps.
Now, for the first time, Kaspersky has set out to capture the full end-to-end reality of messaging-based scams to understand how quickly harm occurs, how they impact trust and what remains after the interaction ends. What emerges is a highly organized and industrialized scam ecosystem embedded within everyday messaging channels such as SMS, WhatsApp, and email.
Kaspersky experts have prepared a report on targeted scams in messaging apps, detailing not only the financial but also the emotional damage caused by such attacks, as well as providing tips on how to protect yourself and avoid them. In this post, we explore the most interesting facts, but you can find more details in the full report.
How much do you think a single successful attack via a messaging app costs the average victim? Ten dollars? Or maybe 50? Youβre underestimating the scammers. Although more than a third (36%) of victims incur losses of less than $135, on average a victim losesβ¦ $733!
| Country | Average loss per victim |
| Senegal | $392.94 |
| Serbia | $493.32 |
| Morocco | $504.28 |
| Greece | $609.32 |
| United Kingdom | $617.38 |
| CΓ΄te dβIvoire | $654.11 |
| Spain | $672.67 |
| United States | $724.73 |
| Portugal | $868.20 |
| Italy | $896.02 |
| France | $1,193.58 |
| Germany | $1,369.35 |
The average amount lost by a victim in a successful attack via a messaging app
On the one hand, the financial hit doesnβt look catastrophic in isolation. These are micro-losses by design. Small enough that some never report them to the police. Small enough that banks donβt always investigate. Small enough to be dismissed as bad luck rather than organized crime.
But $733 is not nothing. Itβs enough to cover a monthβs worth of groceries, school or daycare fees, or utility bills. Against the backdrop of the global cost-of-living crisis, a single such loss can seriously dent a familyβs budget.
In 11% of cases, losses exceed $1,350, and more than a quarter of victims (28%) report having been scammed three or more times in the past six months. Once scammers discover that a phone number responds, that contact becomes an asset, circulating from one database to another.
Now imagine the scale of the problem: if just 10% of the three billion messagingβapp users worldwide fell victim with the average loss, the total damage would amount toβ¦ nearly $220 billion! This is comparable to the GDP of Greece, and exceeds that of Morocco, Serbia, or CΓ΄te dβIvoire.
It becomes clear that behind the daily flood of fraudulent schemes lie large scam cartels operating on an industrial scale, using AI to personalize messages that mimic those of family members, friends, and familiar brands. This, in essence, forms the basis of a full-fledged economy built on digital identity theft.
More than half of successful messaging scams (52%) unfold in under 30 minutesΒ β from first contact to the moment money or personal data changes handsΒ β or even faster, before the victim begins to doubt the legitimacy of the sender. In fact, one in seven scams takes less than five minutesΒ β quicker than boiling an egg!
The speed isnβt accidental. Itβs the method. Scammers structure their schemes to deny the victim a chance to come to their senses. Every element is engineered to compress the decision-making window: the urgency of the scenario, the familiarity of the format, the plausibility of the request.
They rush you β faster, faster, donβt tell anyone, you only have a few minutes, solve the problem, donβt ask questions. Click the link, fill in the details, approve the transaction, or elseβ¦ Or else what? The scammersβ imagination knows no bounds here, but if you donβt do something right now, youβll definitely regret it.
Alas, the realization of what has happened usually comes when the damage is already irreversible. More than half of victims (51%) lose money; another 43% hand over their personal dataΒ β most commonly phone numbers, names, and email addressesΒ β to scammers, and often the victim loses both.
A delivery notification, a bank alert, a message from a merchant you ordered from last week β messaging apps permeate every aspect of everyday life, making such interactions completely normal. An attack shouldnβt feel like an attack. It should feel like the same message youβve received hundreds of times.
Itβs no surprise that scammers focus their attention on this method of communication first and foremost. The most popular platforms for scams are predictable: WhatsApp (43%), SMS/iMessage (40%), Facebook (27%), Telegram (22%), and Instagram (19%)Β β these are the ones that people trust most.
A wide variety of schemes is used. Brand impersonation is now one of the three most common types of messaging scam worldwide β accounting for 31% of cases. Fake delivery notifications top the list at 38%, followed by investment scams at 37%.
At the same time, nearly two-thirds (63%) of fraudulent schemes span multiple platforms, moving from SMS to WhatsApp, from WhatsApp to Telegram, etc. In this way, scammers achieve two goals: they mimic organic messaging and evade moderation algorithms.
Just a couple of years ago, fraudulent messages gave themselves away with bad grammar, awkward phrasing, illogical requests, and an obsessive sense of urgency. Today, a phishing message looks, sounds, and reads just like the real thing.
Scam cartels want to catch people in motionΒ β between meetings, on a commute, or during everyday tasksΒ β when your attention is already fragmented. They mimic your motherβs turn of phrase. They match your bankβs tone of voice. They copy your courierβs format exactly. They mirror the rhythm, structure, and style of authentic brand communications across messaging platforms. And AI is accelerating all of it.
What this creates is overlap. Legitimate and fraudulent messages appear in the same environment, using the same formats, language, and triggers. The difference between them is no longer obvious.
The data shows that two-thirds of victims (66%) believe AI was used in the scam against them, 42% cite messages written by AI, 31% report generated or cloned voices, and 25% encountered deepfake images or videos.
Thatβs why mere awareness and βtech-savvinessβ may no longer be enough to protect oneself. From Gen Z to Gen X, messaging scams cut across every generation.
But money is far from the only problem a victim is left with after an attack. After what theyβve been through, people develop distrust toward incoming messages, unfamiliar numbers, and any requests for action. As a result, 99% of fraud victims say they no longer trust incoming notifications in messaging apps.
This creates a crisis of trust in all digital channels in general. Every legitimate message can now be perceived as a scam. Brands, banks, and delivery services are forced to operate in an environment where the customer is, by default, in a state of distrust.
Dr. Elizabeth Carter, a forensic linguist and criminologist at Kingston University in London, notes that scammers use familiar contexts, common social settings and embedded linguistic norms to create the illusion for the victim that their decision-making is rational and reasonable in the moment. However, what is actually happening is that they construct false realities in which those decisions end up causing financial and psychological harm. She also notes that it is very hard to identify a false reality while you are in it.
After realizing they had been deceived, more than half of victims felt angerΒ β the kind that comes from having trusted something and discovering it was used against you. 42% of victims report frustration, 38% β feeling upset. Moreover, several months later, these feelings havenβt gone away: nearly half of all victims (48%) are still angry, a third (33%) remain frustrated, and 30% are upset.
And nearly one in 10 victims donβt tell anyone what happened. They feel shame, a sense of having fallen for something so obvious. This leaves a significant portion of the actual damage unreported: only 24% of victims contact the police, and only 23% report it to their bank.
The crisis of trust β and even a touch of paranoia β that has arisen due to widespread attacks on users can linger in victimsβ minds for a long time, affecting their quality of life. To prevent this, follow these guidelines:
Weβve covered other threats in messaging apps in similar articles:





Threat actors are already gearing up for this yearβs biggest football (soccer) event, the World Cup 2026. With millions of fans looking for ways to stream matches online, many will turn to IPTV apps to watch live TV broadcasts over the internet. Itβs no surprise, then, that cybersecurity researchers have discovered multiple campaigns over the past few months where malware was disguised as fake Android IPTV apps.
In this post, we discuss what IPTV apps are, how criminals use fake versions to spread malware, what this malware is capable of, and, most importantly, how to avoid becoming a victim.
IPTV stands for Internet Protocol Television. This technology delivers TV content over the internet instead of through cable, over-the-air antennas, or satellites. Naturally, the simplest and most common examples of IPTV are the official platforms of TV networks, which can include both websites and dedicated apps.
However, alongside official options, pirate IPTV services also exist. They usually lure users with free or dirt-cheap access to content that can otherwise be hard to find without expensive subscriptionsΒ β most notably broadcasts of various sporting events; football matches in particular.
As is typically the case with pirated content, these apps are blocked from official app stores, forcing users to download them from third-party sites. Consequently, the risk of using these services isnβt tied to IPTV technology itself, but rather to the fake apps and modified APK files distributed under the guise of well-known platformsΒ β both official and pirated.
For instance, in February researchers found the Massiv banking Trojan distributed under the guise of fake IPTV apps. Even then, experts noted that this wasnβt the only malware leveraging this tacticΒ β several others were also spotted in the wild. The primary targets of these IPTV-mimicking malicious fakes have mostly been users in Portugal, Spain, France, and TΓΌrkiye.
In most cases, the discovered fake IPTV apps lacked the advertised functionality, so users didnβt get access to any content after installing the apps. Instead, the fake app would open the website of a legitimate IPTV service in a built-in browser to mimic normal functioning and avoid raising user suspicion.
Of course, the most interesting activity happened out of the userβs sight. These are some of the features the malware did have:
The Massiv banking Trojan mimics the interface of the Portuguese government app Chave MΓ³vel Digital in a fake pop-up window, looking even more convincing than the official version from Google Play. Source
In March, researchers reported on a new campaign where several fake IPTV apps were used to distribute an even more advanced and feature-rich malware strain: Perseus.
Research into Perseus shows that the malware is based on the source code of an Android banking Trojan called Cerberus, which leaked nearly six years ago. Perseus comes in two different versions: Turkish and English. The English-language version is more advanced and shows clear signs of AI-driven refinement.
Perseus abuses Accessibility Services, a set of Android features originally designed to make life easier for users with severe visual impairments. Fraudsters learned long ago how to leverage this tool to steal data from Android devices β a topic weβve covered in detail across several of our posts.
An example of a malicious APK disguised as Roja Directa TV, another IPTV app. Source
By abusing Accessibility Services, Perseus gains remote control over the victimβs device. Hereβs what it can do:
On top of that, the English-language version of Perseus boasts another notable feature. The malware can hunt for sensitive information like passwords, recovery phrases, and financial data across an entire range of note-taking apps: Google Keep, Xiaomi Notes, Samsung Notes, ColorNote, Evernote, Microsoft OneNote, and Simple Notes.
All of these capabilities help criminals drain football fansβ money not just from various banking services, but from cryptocurrency apps as well.
The World Cup is just around the corner, and millions of fans worldwide will definitely want to tune in to this yearβs premier football event. Past experience shows that cybercriminals frequently cash in on major spectacles like this. So, how can you watch theΒ matches safely?
You canβt even watch TV safely anymore these days! Check out other threats facing TV lovers:





Phishing campaigns have become significantly more sophisticated and convincing in recent years. Sender addresses are now nearly identical to the real deal, emails are flawlessly written, and users are called by their names. But what do you do when a suspicious email comes from a clearly legitimate email address?
Lately, phishers have been exploiting the Google AppSheet platform to set up email blasts that originate from an official Google-linked address. Following a successful attack, they walk away with their victimsβ accounts and sensitive data.
In this post, we break down how this new data theft scheme works, and how to protect yourself from these sneaky phishing attacks.
AppSheet is a Google service for building apps without any coding skills. Itβs frequently used by small businesses to automate routine workflows. Unfortunately, itβs precisely this simplicity that makes AppSheet so attractive to cybercriminals. All it takes to pull off a phishing scam these days are a few dollars and an app quickly thrown together using pre-made commands and blocks.
The playbook for AppSheet phishing attacks is pretty run-of-the-mill. The victim receives an email on behalf of a major companyΒ β and these messages often begin by addressing the recipient by name. It appears the attackers are parsing leaked data to match names with specific email addresses.
Next, the attackers play on the recipientβs emotions β employing either stick or carrot. They might panic the victim with urgent warnings that demand immediate actionΒ β think βYour account will be disabled soonβ or βSuspicious activity detectedβ. Alternatively, they lure them in with irresistible bait, like the promise of a verified badge or an interview invitation from a tech giant. These fake HR emails are engineered to give victims an immediate rush. They make it look like the recipientβs application was already fast-tracked and highly rated, teasing a job offer that could drop as early as tomorrow.
For most people, these messages donβt raise a single red flag. The email bypasses the spam folder completely, and the From field displays the exact name of the company they expect to see. Unfortunately, none of it means the email is authentic: attackers can put whatever they want in the display name. And letβs be honest: very few people actually stop to scrutinize the senderβs email address.
In AppSheet-based phishing campaigns, the sender is always the same: noreply{@}appsheet.com. But hereβs the real kicker: that address is 100% legitimate. Because itβs tied directly to Googleβs own infrastructure, thereβs a good chance that standard anti-spam filters greenlight these emails without blinking.
Naturally, to secure that coveted interview or fix their account, the victim clicks the linkΒ β and then voluntarily hands over their entire digital identity on a copycat website: full name, address, phone number, etc. From there, the attackers can sell the harvested data on the dark web, or weaponize it for secondary, targeted attacks. To top it all off, the victim is redirected to a phishing login page, which allows the attackers to steal their accounts.
Hereβs a step-by-step breakdown of how a victim goes from receiving a fake Google Careers portal email to having their account completely compromised:
Similar phishing campaigns are launched on behalf of other major tech brandsΒ β and the users who hand over their Apple account data risk losing not just their account but also control of all their Apple devices. The attackers might pressure the victim into signing out of their personal Apple ID, and in to a βcorporate accountβ for verificationΒ β which is in reality an Apple account they own. The moment the victim does so, the criminals take complete remote control of the used device, often using Lost Mode to lock the victim out and hold their phone to ransom.
To make matters worse, attackers donβt always drop a malicious link in the initial email. Instead, they play the long gameΒ β hooking the target into a conversation by asking them to reply and confirm their interest. This pretexting creates an illusion of chatting with a real recruiter. And this playbook isnβt reserved exclusively for Silicon Valley, either. Attackers frequently impersonate globally recognized household names, like Volvo or Coca-Cola. Of course, itβs highly unlikely that attackers want someoneβs Coca-Cola accountΒ β if the user even has one to begin with. Most likely, the goal is to steal sensitive data or convince the user to log in to a phishing form using their Google/Apple/Facebook, etc. credentials.
Of course, βdream jobsβ arenβt the only bait used. Weβve seen campaigns where βFacebook Supportβ reaches out to tell a user theyβve been deemed eligible for the prestigious Meta Verified badge β a blue checkmark normally reserved for top-tier celebrities and global brands. To secure the coveted blue checkmark, the victim is directed to a phishing page where theyβre asked to complete an identity formΒ β before handing over the ultimate prize: their Facebook username and password. And itβs all in the name of security, naturally!
These spoofed sites are created in a wide variety of languages, and tailored to users in different countries. Below is the Dutch version.
In other campaigns, attackers abuse Googleβs AppSheet to weaponize sheer panic, trying to unsettle the user with claims that theyβve violated Metaβs intellectual property policy β and threatening to permanently close their Facebook account. To appeal, the victim must click a link toβ¦ a phishing site, provide their personal information, and, of course, enter their Facebook username and password.
Sadly, phishing attacks are becoming increasingly sophisticated, with attackers routinely hijacking the reputation of legitimate services and domains. Hereβs how to keep from falling into their traps, and safeguard your data:
Phishing attacks are growing increasingly sophisticated. Hereβs what else you should know about phishing:




Imagine handing your smartphone over for repair. A couple of days later, you pick it up β and great, itβs working again! But you wonβt even realize that your device has been injected with malicious code, allowing attackers to access your smartphone even when itβs locked.
This is the beginning of the story shared by Kaspersky ICS CERT researchers, Alexander Kozlov and Sergey Anufrienko, at the Black Hat Asia 2026 conference. They managed to uncover a vulnerability that flips conventional assumptions about smartphone and IoT security on their head. Its core lies at the very heart of Qualcomm chips.
To grasp the severity of this discovery, we first need to look at how a modern device powered by a Qualcomm chip boots up. Think of it as a fortress with multiple layers of security. Each subsequent layer verifies the pass issued by the previous one. The bedrock foundation β the most trusted layer of them all β is the BootROM, a read-only memory baked directly into the silicon that canβt be modified once it comes off the fab.
The BootROM is the very first thing to run when a device powers on. It verifies the signature of the next bootloader, which in turn verifies the next, building a chain of trust all the way up to the operating system. If an attacker can compromise this chain at the BootROM level, itβs game over: the malicious code will execute before the main operating system even has a chance to load.
This is exactly what attackers can do by exploiting the CVE-2026-25262 vulnerability discovered by Kaspersky ICS CERT researchers.
The research began with a protocol called Sahara. This is a component of Emergency Download Mode (EDL). Manufacturers and service centers use it to revive bricked devices: the phone is connected to a computer via USB, and a special utility program signed by the manufacturer (in this case, Qualcomm) is uploaded to it.
Sahara is implemented directly within the ARM PBL (Primary Boot Loader) β the BootROM itself. This means the protocol runs before any operating system boots, before any user access privileges are checked, and before any security controls are activated. The device simply waits for a USB connection, ready to accept data.
The communication scheme looks simple: the device sends a handshake (HELLO) to the computer, the computer selects the mode, a cycle begins to upload the utility program in chunks, and finally, the device executes the uploaded code. And it was within the verification logic of these very file chunks that the vulnerability was identified.
In technical terms, the bug introduced by the developers is classified as CWE-123: Write-What-Where Condition. This is about as bad as it gets when it comes to flaws in low-level programming. An attacker can write arbitrary data to an arbitrary address in the device memory.
Without diving too deep into the technical weeds, suffice it to say that by exploiting the discovered vulnerability, attackers can gain access to any data on the device, including user-entered passwords, files, contacts, geolocation data, as well as the hardware sensors like the camera and microphone. In certain scenarios, complete control over the device is possible. Just a few minutes of physical access to the device via a cable connection, and the gadget has been compromised. This creates a risk if you hand your smartphone over to a repair shop, pass it to someone else to set up and install apps on, or just leave it unattended.
The CVE-2026-25262 vulnerability affects the following Qualcomm chip series: MDM9x07, MDM9x45, MDM9x65, MSM8909, MSM8916, MSM8952, and SDX50 β every single version released to date, until the vulnerability is patched by the manufacturer.
These are no obsolete museum pieces. The MDM9207, which we used for the bulk of our research, is integrated into modem modules for the internet of things (IoT), industrial equipment, smart home devices, healthcare monitoring systems, logistics trackers, and banking terminals. The MSM8916 powers many budget smartphones, while the SDX50 is used in automotive control units.
The catch is that the attacker needs physical access to the device to pull this off. In the real world, this translates to:
With just a few minutes of physical access to the device an attacker can plant a backdoor so deep inside that standard research tools wonβt even detect it in most cases.
Qualcomm was notified of the discovery in March 2025 and confirmed the vulnerability in its chips. To identify it, the vendor reserved CVE-2026-25262, and on April 20, 2026, Kaspersky ICS CERT published technical information on the vulnerability and recommendations for users.
Qualcomm included this vulnerability in its May security bulletin. While fixing already-made devices is fundamentally impossible, the company promised to make all future chips without this vulnerability.
If you currently own a device with an affected chip, use our recommendations below to help mitigate the risk of infection.
If you notice that your gadget with a vulnerable Qualcomm chip starts acting up β overheating when idle, reporting unexpected spikes in network traffic, or exhibiting strange app behavior β you may have fallen victim to this vulnerability. You can wipe the malicious code and reset your device to its baseline state simply by completely cutting its power. This means either pulling the battery or letting it drain all the way to zero until the gadget shuts down entirely. In this case, the malicious code will most likely not persist on the device β during our research, we were unable to confirm that it could achieve persistence in non-volatile memory.
Want to learn more about severe vulnerabilities in Android phones? Check out these posts:





Netflix, Apple TV+, Disney+, Hulu, Amazon Prime, YouTube Premiumβ¦ The average law-abiding family today pays for five to 10 subscriptions just to watch their shows of choice, with the monthly bill easily crossing the hundred-dollar mark. Itβs no surprise, then, that social media and online marketplaces are seeing a surge in demand for the βmagic boxesβ that popped up at the end of 2025: Android-powered TV boxes that promise to unlock thousands of channels and every streaming service subscription-free for a one-time purchase.
Ads for these devices are flooding TikTok and Instagram: smiling influencers unbox the SuperBoxes, plug them into a TV, and browse endlessly through channels. It looks like the ultimate life hack against subscription fatigue, right? In reality, itβs one of the easiest ways to invite a botnet into your home network.
A promotional video on TikTok explaining how great it is when the cheese is free you can just go ahead and cancel all your subscriptions
Stories about malicious TV boxes have surfaced before, but right now, their marketing has reached a truly alarming scale.
At the end of 2025, analysts examined several models of the popular SuperBox device available from major retail stores and online marketplaces. The findings were deeply concerning: immediately upon powering up, the devices began pinging the servers of the Chinese messaging app Tencent QQ, as well as the Grass proxy service β effectively renting out the ownerβs internet bandwidth to third parties.
Inside the firmware, researchers discovered applications completely uncharacteristic of a media player: a network scanner, a traffic analyzer, and tools for DNS hijacking. Consequently, the device not only streams pirated content but also scans the local network for other targets (including industrial SCADA interfaces), and stands ready to participate in DDoS attacks. The SuperBoxes were also found to contain folders with the telltale name βsecondstageβ, a textbook indication of multi-stage malware.
More recently, in April 2026, the Darknet Diaries podcast featured an interview with a security researcher known by the alias D3ada55, who shared plenty of intriguing details about these boxes β including the fact that they were still openly sold on major platforms like Amazon, Walmart, and Best Buy.
The SuperBox case is far from the only instance where Android devices have been turned into botnet nodes β or sold infected right out of the box. Hereβs a look at the most recent cases:
All of these stories share the same origin: the Triada Trojan, first documented by our researchers back in 2016 and dubbed at the time βone of the most advanced mobile Trojansβ. Over the past decade it has evolved from a standard piece of malware into a modular backdoor baked directly into firmware during manufacturing.
Manufacturers of cheap TV boxes cut corners on absolutely everything: Google Play Protect certification, firmware audits, and security updates. Many of these devices run on the Android Open Source Project without any security guarantees whatsoever. Somewhere along the supply chain β whether at the factory, through a middleman, or at a distributor β a backdoor gets injected into the firmware image. Our experts suspect that the manufacturer itself might not even be aware of the compromise.
The sheer scale of the infection turns millions of identical boxes into the perfect foundation for a botnet: every compromised device represents a unique IP address that can be rented out to anyone. Botnet operators like Kimwolf monetize this not only through distributed DDoS attacks but also by reselling the bandwidth of infected smart TVs and streaming boxes.
An infected TV box sits right in your living room, connected to your home Wi-Fi. That means it can see smartphones running banking apps, network-attached storage (NAS) units holding family archives, IP cameras, smart locks, work laptops, and any other the devices connected to your Wi-Fi network.
With this kind of beachhead inside your home network, an attacker can intercept unencrypted traffic, spoof DNS requests, scan ports, and hunt for vulnerabilities on neighboring devices. On top of that, they can use your IP address for fraudulent activity. As a result, in the best-case scenario, your IP will end up blacklisted, and legitimate services will start blocking you for suspicious activity; in the worst-case scenario, law enforcement could come knocking on your door.
You should be on alert if a device:
Want to know how else to protect your smart home devices? Read more in our related posts:




A compromised maintainer account was used to publish malicious package versions across the @antv namespace.
The post Over 320 NPM Packages Hit by Fresh Mini Shai-Hulud Supply Chain Attack appeared first on SecurityWeek.
Don't miss this virtual event as we explore how to cut through alert fatigue, leverage AI and unified platforms to accelerate investigations, and apply actionable threat intelligence.
The post Virtual Event Today: Threat Detection & Incident Response Summit appeared first on SecurityWeek.
β―Fox Tempest provides a service that cybercriminals use to distribute ransomware and other malware disguised as legitimate software.
The post Microsoft Disrupts Malware-Signing Service Run by βFox TempestβΒ appeared first on SecurityWeek.
Attackers are increasingly abusing Microsoftβs decades-old MSHTA utility to stealthily deliver stealers, loaders, and persistent malware through phishing, fake software downloads, and LOLBIN-based attack chains.
The post Legacy Windows Tool MSHTA Fuels Surge in Silent Malware Attacks appeared first on SecurityWeek.
![]()
IT threat evolution in Q1 2026. Mobile statistics
IT threat evolution in Q1 2026. Non-mobile statistics
In the third quarter of 2025, we updated the methodology for calculating statistical indicators based on the Kaspersky Security Network. These changes affected all sections of the report except for the statistics on installation packages, which remained unchanged.
To illustrate the differences between the reporting periods, we have also recalculated data for the previous quarters. Consequently, these figures may significantly differ from the previously published ones. However, subsequent reports will employ this new methodology, enabling precise comparisons with the data presented in this post.
The Kaspersky Security Network (KSN) is a global network for analyzing anonymized threat information, voluntarily shared by users of Kaspersky solutions. The statistics in this report are based on KSN data unless explicitly stated otherwise.
According to Kaspersky Security Network, in Q1 2026:
The number of malware, adware, or unwanted software attacks on mobile devices decreased to 2,676,328 in Q1, down from 3,239,244 in the previous quarter.
Attacks on users of Kaspersky mobile solutions, Q3 2024 β Q1 2026 (download)
The overall drop in attack volume stems primarily from a reduction in adware and RiskTool detections. Nonetheless, this trend does not equate to a lower risk for mobile users. As shown later in this report, the number of unique users targeted by these threats remained relatively stable.
In Q1, Synthient researchers identified a link between the notorious Kimwolf botnet and the IPIDEA proxy network. This network was later taken down in cooperation with GTIG.
In early 2026, we discovered several apps on Google Play and the App Store that contained a new version of the SparkCat crypto stealer.
The Trojan code, meticulously concealed, was embedded into the infected Android apps. The obfuscated malicious Rust library was decrypted using a Dalvik-like virtual machine custom-built by the attackers. The iOS version of the malware also underwent several changes; specifically, the attackers began leveraging Appleβs proprietary Vision framework for optical character recognition (OCR).
The number of Android malware samples saw a slight increase compared to Q4Β 2025, reaching a total of 306,070.
Detected malicious and potentially unwanted installation packages, Q1 2025 β Q1 2026 (download)
The detected installation packages were distributed by type as follows:
Detected mobile apps by type, Q4 2025* β Q1 2026 (download)
* Data for the previous quarter may differ slightly from previously published figures due to certain verdicts being retrospectively revised.
Threat actors once again ramped up the production of new banking Trojans; as a result, this category overtook all others in volume, accounting for more than half of all installation packages.
Share* of users attacked by the given type of malicious or potentially unwanted app out of all targeted users of Kaspersky mobile products, Q4 2025 β Q1 2026 (download)
* The total percentage may exceed 100% if the same users encountered multiple attack types.
Following the surge in banking Trojan installation packages, the number of associated attacks also rose, causing Trojan-Banker apps to climb one spot in terms of their share of targeted users. Mamont variants emerged as the most prevalent banking Trojans, accounting for 73.5% of detections, with the rest of the users encountering Faketoken, Rewardsteal, Creduz, and other families.
Yet banking Trojans were still outpaced by adware and RiskTool-type unwanted apps when measured by the total number of affected users. Despite a decrease in their share of installation packages, these two app types retained their positions as the top two threats by attack volume. The most common adware detections involved HiddenAd (44.9%) and MobiDash (38.1%), while most frequently seen RiskTool apps were Revpn (67%) and SpyLoan (20.5%).
Note that the malware rankings below exclude riskware or potentially unwanted software, such as RiskTool or adware.
| Verdict | %* Q4Β 2025 | %* Q1Β 2026 | Difference in p.p. | Change in ranking |
| Backdoor.AndroidOS.Triada.ag | 2.62 | 7.09 | +4.48 | +10 |
| DangerousObject.Multi.Generic. | 6.75 | 5.84 | -0.92 | -1 |
| DangerousObject.AndroidOS.GenericML. | 3.52 | 5.51 | +1.99 | +6 |
| Trojan-Banker.AndroidOS.Mamont.jo | 0.00 | 5.28 | +5.28 | |
| Trojan.AndroidOS.Fakemoney.v | 5.40 | 3.44 | -1.96 | -1 |
| Trojan-Downloader.AndroidOS.Keenadu.l | 0.00 | 3.35 | +3.35 | |
| Trojan-Banker.AndroidOS.Mamont.jx | 0.00 | 3.09 | +3.09 | |
| Backdoor.AndroidOS.Triada.z | 4.87 | 3.08 | -1.79 | -2 |
| Trojan.AndroidOS.Triada.fe | 5.01 | 2.98 | -2.02 | -4 |
| Backdoor.AndroidOS.Keenadu.a | 2.07 | 2.73 | +0.66 | +6 |
| Trojan-Banker.AndroidOS.Mamont.jg | 0.34 | 2.37 | +2.03 | |
| Trojan.AndroidOS.Triada.hf | 2.15 | 2.23 | +0.07 | +3 |
| Trojan.AndroidOS.Boogr.gsh | 2.35 | 2.15 | -0.20 | 0 |
| Trojan.AndroidOS.Triada.ii | 5.68 | 2.07 | -3.60 | -11 |
| Backdoor.AndroidOS.Triada.ae | 1.91 | 1.76 | -0.16 | +3 |
| Backdoor.AndroidOS.Triada.ab | 1.79 | 1.72 | -0.08 | +3 |
| Trojan.AndroidOS.Triada.gn | 2.38 | 1.58 | -0.80 | -5 |
| Trojan-Banker.AndroidOS.Mamont.gg | 1.56 | 1.50 | -0.06 | +2 |
| Trojan.AndroidOS.Triada.ga | 1.48 | 1.50 | +0.01 | +4 |
| Backdoor.AndroidOS.Triada.ad | 0.53 | 1.40 | +0.87 | +44 |
* Unique users who encountered this malware as a percentage of all attacked users of Kaspersky mobile solutions.
The pre-installed Triada.ag backdoor rose to the top spot; it is similar to the older Triada.z version we documented previously. Because the same variant was pre-installed across a wide range of devices, the total number of affected users is aggregated. Consequently, Triada outpaced even Mamont, as users encountered a variety of Mamont variants, causing the share of that banking Trojan to spread across multiple rows. Other pre-installed Triada variants (Triada.z, Triada.ae, Triada.ab, and Triada.ad) also made the rankings. Furthermore, we observed increasing activity from the Keenadu.a backdoor, while diverse variants of the embedded Triada Trojan remained in the rankings.
Q1Β 2026 saw a characteristic rise in mobile banking Trojan activity, with the number of packages totalingΒ 162,275, a 50% increase compared to the prior quarter.
Number of installation packages for mobile banking Trojans detected by Kaspersky, Q1 2025 β Q1 2026 (download)
We saw a similar growth in the previous quarter, with banking Trojan volumes rising by 50% during that period as well. Various Mamont variants accounted for the absolute majority of packages and represented nearly every entry in the rankings of most frequent banking Trojans by affected user count.
| Verdict | %* Q4Β 2025 | %* Q1Β 2026 | Difference in p.p. | Change in ranking |
| Trojan-Banker.AndroidOS.Mamont.jo | 0.00 | 15.75 | +15.75 | |
| Trojan-Banker.AndroidOS.Mamont.jx | 0.00 | 9.22 | +9.22 | |
| Trojan-Banker.AndroidOS.Mamont.jg | 1.47 | 7.08 | +5.61 | +24 |
| Trojan-Banker.AndroidOS.Mamont.gg | 6.79 | 4.48 | -2.32 | -3 |
| Trojan-Banker.AndroidOS.Mamont.ks | 0.00 | 3.98 | +3.98 | |
| Trojan-Banker.AndroidOS.Agent.ws | 6.03 | 3.78 | -2.25 | -2 |
| Trojan-Banker.AndroidOS.Mamont.hl | 4.30 | 3.27 | -1.03 | +1 |
| Trojan-Banker.AndroidOS.Mamont.iv | 6.00 | 3.08 | -2.92 | -3 |
| Trojan-Banker.AndroidOS.Mamont.jb | 3.93 | 3.07 | -0.86 | +1 |
| Trojan-Banker.AndroidOS.Mamont.jv | 0.00 | 2.79 | +2.79 |
* Unique users who encountered this malware as a percentage of all users of Kaspersky mobile security solutions who encountered banking threats.




![]()
IT threat evolution in Q1Β 2026. Non-mobile statistics
IT threat evolution in Q1Β 2026. Mobile statistics
The statistics in this report are based on detection verdicts returned by Kaspersky products unless otherwise stated. The information was provided by Kaspersky users who consented to sharing statistical data.
In Q1Β 2026:
In January 2026, it was reported that the FBI had seized the domains of the RAMP cybercrime forum, a major platform used extensively by ransomware developers to advertise their RaaS programs and to recruit affiliates. There has been no official statement from the FBI, nor is it clear if RAMP servers were seized. In a post on an external website, a RAMP moderator mentioned law enforcement agencies gaining control over the forum. The takedown disrupted a key element of the RaaS ecosystem, creating ripple effects for ransomware operators, affiliates, and initial access brokers.
A man suspected of links to the Phobos group was apprehended in Poland. He was charged with the creation, acquisition, and distribution of software designed for unlawfully obtaining information, including data that facilitates unauthorized access to information stored within a computer system.
In March, a Phobos ransomware administrator pleaded guilty to the creation and distribution of the Trojan, which had been used in international attacks dating back to at least November 2020.
In March, the U.S. Department of Justice charged a man who had acted as a negotiator for ransomware groups. The company he worked for specializes in cyberincident investigations. The prosecution alleges the suspect colluded with the BlackCat threat actor to share privileged insights into the ongoing progress of negotiations. Additionally, the suspect is alleged to have had a prior direct role in BlackCat attacks, serving as an affiliate for the RaaS operation.
In a separate development this March, a U.S. court sentenced an initial access broker associated with the Yanluowang ransomware group to 81 months of imprisonment. According to the U.S. Department of Justice, the convict facilitated dozens of ransomware attacks across the United States, resulting in over $9 million in actual loss and more than $24 million in intended loss.
The Interlock group has been heavily exploiting the CVE-2026-20131 zero-day vulnerability in Cisco Secure FMC firewall management software since at least January 26, 2026. The vulnerability enabled arbitrary Java code execution with root privileges on the affected device. This campaign demonstrates the ongoing reliance on zero-day vulnerabilities for initial access, a focus on network appliances as high-value entry points, and the rapid weaponization of new vulnerabilities within the ransomware ecosystem.
This section highlights the most prolific ransomware gangs by number of victims added to each groupβs DLS. This quarter, the Clop ransomware (14.42%) returned to the top of the rankings, displacingΒ Qilin (12.34%), which had held the leading position in the previous reporting period. Following closely is a new threat actor, The Gentlemen (9.25%). Emerging no later than July 2025, the group had already surpassed the activity levels of mainstays such as Akira (7.25%) and INC Ransom (6.13%).
Number of each groupβs victims according to its DLS as a percentage of all groupsβ victims published on all the DLSs under review during the reporting period (download)
In Q1Β 2026, Kaspersky solutions detected six new ransomware families and 2938 new modifications. Volumes have returned to Q3Β 2025 levels following a surge in Q4Β 2025.
Number of new ransomware modifications, Q1 2025 β Q1 2026 (download)
Throughout Q1, our solutions protected 77,319 unique users from ransomware. Ransomware activity was highest in March, with 35,056 unique users encountering such attacks during the month.
Number of unique users attacked by ransomware Trojans, Q1 2026 (download)
| Country/territory* | %** | |
| 1 | Pakistan | 0.79 |
| 2 | South Korea | 0.64 |
| 3 | China | 0.52 |
| 4 | Tajikistan | 0.40 |
| 5 | Libya | 0.38 |
| 6 | Turkmenistan | 0.36 |
| 7 | Iraq | 0.35 |
| 8 | Bangladesh | 0.33 |
| 9 | Rwanda | 0.30 |
| 10 | Cameroon | 0.28 |
* Excluded are countries and territories with relatively few (under 50,000) Kaspersky users.
** Unique users whose computers were attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country/territory.
| Name | Verdict | %* | |
| 1 | (generic verdict) | Trojan-Ransom.Win32.Gen | 33.90 |
| 2 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 6.38 |
| 3 | WannaCry | Trojan-Ransom.Win32.Wanna | 5.87 |
| 4 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 4.68 |
| 5 | (generic verdict) | Trojan-Ransom.Win32.Agent | 3.80 |
| 6 | LockBit | Trojan-Ransom.Win32.Lockbit | 2.80 |
| 7 | (generic verdict) | Trojan-Ransom.Win32.Phny | 1.99 |
| 8 | (generic verdict) | Trojan-Ransom.MSIL.Agent | 1.96 |
| 9 | (generic verdict) | Trojan-Ransom.Python.Agent | 1.93 |
| 10 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 1.89 |
* Unique Kaspersky users attacked by the specific ransomware Trojan family as a percentage of all unique users attacked by this type of threat.
In Q1Β 2026, Kaspersky solutions detected 3485 new modifications of miners.
Number of new miner modifications, Q1 2026 (download)
In Q1, we detected attacks using miner programs on the computers of 260,588 unique Kaspersky users worldwide.
Number of unique users attacked by miners, Q1 2026 (download)
| Country/territory* | %** | |
| 1 | Senegal | 3.19 |
| 2 | Turkmenistan | 3.06 |
| 3 | Mali | 2.63 |
| 4 | Tanzania | 1.62 |
| 5 | Bangladesh | 1.06 |
| 6 | Ethiopia | 0.95 |
| 7 | Panama | 0.88 |
| 8 | Afghanistan | 0.79 |
| 9 | Kazakhstan | 0.77 |
| 10 | Bolivia | 0.75 |
* Excluded are countries and territories with relatively few (under 50,000) Kaspersky users.
** Unique users whose computers were attacked by miners as a percentage of all unique users of Kaspersky products in the country/territory.
In Q1Β 2026, Google uncovered a new cryptocurrency theft campaign. The scammers directed victims to a fraudulent video call, prompting them to execute malicious scripts under the guise of technical support fixes for connection problems.
In March, researchers with GTIG and iVerify reported the discovery of an in-the-wild exploit chain targeting both iOS and macOS devices. The exploit kit was apparently marketed on the dark web, providing threat actors with a suite of spyware capabilities alongside specialized cryptocurrency exfiltration modules. The exploit was delivered via drive-by downloads when victims visited various compromised websites. Our analysis confirmed that the toolkit included an updated version of a component previously identified in the Operation Triangulation attack chain.
Devices running macOS were similarly impacted by the high-profile supply chain attack targeting the Axios npm package, a widely used HTTP client for JavaScript. The installation of the infected package led to the deployment of a backdoor on macOS devices.
Unique users* who encountered this malware as a percentage of all attacked users of Kaspersky security solutions for macOS (download)
* Data for the previous quarter may differ slightly from previously published data due to some verdicts being retrospectively revised.
The share of PasivRobber spyware attacks is beginning to decline, giving way to more traditional adware and Monitor-class software capable of tracking user activity. The popular Amos stealer also maintains its presence within the TOPΒ 20.
| Country/territory | %* Q4Β 2025 | %* Q1Β 2026 |
| China | 1.28 | 1.97 |
| France | 1.18 | 1.07 |
| Brazil | 1.13 | 0.98 |
| Mexico | 0.72 | 0.52 |
| Germany | 0.71 | 0.45 |
| The Netherlands | 0.62 | 0.75 |
| Hong Kong | 0.49 | 0.53 |
| India | 0.42 | 0.48 |
| Russian Federation | 0.34 | 0.37 |
| Thailand | 0.24 | 0.27 |
* Unique users who encountered threats to macOS as a percentage of all unique Kaspersky users in the country/territory.
This section presents statistics on attacks targeting Kaspersky IoT honeypots. The geographic data on attack sources is based on the IP addresses of attacking devices.
In Q1Β 2026, the share of devices attacking Kaspersky honeypots via the SSH protocol saw a significant increase compared to the previous reporting period.
Distribution of attacked services by number of unique IP addresses of attacking devices (download)
The distribution of attacks between Telnet and SSH maintained the ratio observed in Q4Β 2025.
Distribution of attackersβ sessions in Kaspersky honeypots (download)
Share of each threat delivered to an infected device as a result of a successful attack, out of the total number of threats delivered (download)
The primary shifts in the IoT threat distribution are linked to the activity of various Mirai botnet variants, although members of this family continue to account for the majority of the list. Furthermore, a new variant, Mirai.kl, surfaced in the rankings. We also observed a significant decline in NyaDrop botnet activity during Q1.
The United States, the Netherlands, and Germany accounted for the highest proportions of SSH-based attacks during this period.
| Country/territory | Q4Β 2025 | Q1Β 2026 |
| United States | 16.10% | 23.74% |
| The Netherlands | 15.78% | 17.57% |
| Germany | 12.07% | 10.34% |
| Panama | 7.72% | 6.34% |
| India | 5.32% | 6.05% |
| Romania | 4.05% | 5.82% |
| Australia | 1.62% | 4.61% |
| Vietnam | 4.21% | 3.50% |
| Russian Federation | 3.79% | 2.35% |
| Sweden | 2.25% | 2.09% |
China continues to account for the largest proportion of Telnet attacks, though there was a marked increase in activity originating from Pakistan.
| Country/territory | Q4Β 2025 | Q1Β 2026 |
| China | 53.64% | 39.54% |
| Pakistan | 14.27% | 27.31% |
| Russian Federation | 8.20% | 8.25% |
| Indonesia | 8.58% | 6.71% |
| India | 4.85% | 4.66% |
| Brazil | 0.06% | 3.30% |
| Argentina | 0.02% | 2.51% |
| Nigeria | 1.22% | 1.38% |
| Thailand | 0.01% | 0.55% |
| Sweden | 0.54% | 0.55% |
The statistics in this section are based on detection verdicts by Web Anti-Virus, which protects users when suspicious objects are downloaded from malicious or infected web pages. These malicious pages are purposefully created by cybercriminals. Websites that host user-generated content, such as message boards, as well as compromised legitimate sites, can become infected.
The following statistics show the distribution by country/territory of the sources of internet attacks blocked by Kaspersky products on user computers (web pages redirecting to exploits, sites containing exploits and other malicious programs, botnet C&C centers, and so on). One or more web-based attacks could originate from each unique host.
To determine the geographic source of web attacks, we matched the domain name with the real IP address where the domain is hosted, then identified the geographic location of that IP address (GeoIP).
In Q1Β 2026, Kaspersky solutions blocked 343,823,407 attacks launched from internet resources worldwide. Web Anti-Virus was triggered by 49,983,611 unique URLs.
Web-based attacks by country/territory, Q1 2026 (download)
To assess the risk of malware infection via the internet for usersβ computers in different countries and territories, we calculated the share of Kaspersky users in each location on whose computers Web Anti-Virus was triggered during the reporting period. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.
This ranked list includes only attacks by malicious objects classified as Malware. Our calculations leave out Web Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.
| Country/territory* | %** | |
| 1 | Venezuela | 9.33 |
| 2 | Hungary | 8.16 |
| 3 | Italy | 7.58 |
| 4 | Tajikistan | 7.48 |
| 5 | India | 7.21 |
| 6 | Greece | 7.13 |
| 7 | Portugal | 7.10 |
| 8 | France | 7.05 |
| 9 | Belgium | 6.83 |
| 10 | Slovakia | 6.80 |
| 11 | Vietnam | 6.62 |
| 12 | Bosnia and Herzegovina | 6.57 |
| 13 | Canada | 6.56 |
| 14 | Serbia | 6.50 |
| 15 | Tunisia | 6.36 |
| 16 | Qatar | 6.01 |
| 17 | Spain | 5.95 |
| 18 | Germany | 5.95 |
| 19 | Sri Lanka | 5.89 |
| 20 | Brazil | 5.88 |
* Excluded are countries and territories with relatively few (under 10,000) Kaspersky users.
** Unique users targeted by web-based Malware attacks as a percentage of all unique users of Kaspersky products in the country/territory.
On average during the quarter, 4.73% of usersβ computers worldwide were subjected to at least one Malware web attack.
Statistics on local infections of user computers are an important indicator. They include objects that penetrated the target computer by infecting files or removable media, or initially made their way onto the computer in non-open form. Examples of the latter are programs in complex installers and encrypted files.
Data in this section is based on analyzing statistics produced by anti-virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media. The statistics are based on detection verdicts from the On-Access Scan (OAS) and On-Demand Scan (ODS) modules of File Anti-Virus and include detections of malicious programs located on user computers or removable media connected to the computers, such as flash drives, camera memory cards, phones, or external hard drives.
In Q1Β 2026, our File Anti-Virus detected 15,831,319 malicious and potentially unwanted objects.
For each country and territory, we calculated the percentage of Kaspersky users whose computers had the File Anti-Virus triggered at least once during the reporting period. This statistic reflects the level of personal computer infection in different countries and territories around the world.
Note that this ranked list includes only attacks by malicious objects classified as Malware. Our calculations leave out File Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.
| Country/territory* | %** | |
| 1 | Turkmenistan | 47.96 |
| 2 | Tajikistan | 31.48 |
| 3 | Cuba | 31.03 |
| 4 | Yemen | 29.59 |
| 5 | Afghanistan | 28.47 |
| 6 | Burundi | 26.93 |
| 7 | Uzbekistan | 24.81 |
| 8 | Syria | 23.08 |
| 9 | Nicaragua | 21.97 |
| 10 | Cameroon | 21.60 |
| 11 | China | 21.09 |
| 12 | Mozambique | 21.02 |
| 13 | Algeria | 20.64 |
| 14 | Democratic Republic of the Congo | 20.63 |
| 15 | Bangladesh | 20.44 |
| 16 | Mali | 20.35 |
| 17 | Republic of the Congo | 20.23 |
| 18 | Madagascar | 20.00 |
| 19 | Belarus | 19.78 |
| 20 | Tanzania | 19.52 |
* Excluded are countries and territories with relatively few (under 10,000) Kaspersky users.
** Unique users on whose computers local Malware threats were blocked, as a percentage of all unique users of Kaspersky products in the country/territory.
On average worldwide, Malware local threats were detected at least once on 11.55% of usersβ computers during Q1.
Russia scored 11.92% in these rankings.




Have you ever tried to tally up how much you spend on subscriptions each month? Music, movies, gaming, language courses, delivery services, heated seats, and even the ability to chat with the Grok bot directly from your car β thereβs a subscription for just about everything now. Thereβs even a subscription service specifically designed toβ¦ track your other subscriptions.
The number of subscriptions varies significantly depending on where you live, but statistically, 78% of adults worldwide have at least one paid subscription, with the average user juggling 5.6 active services. Furthermore, a large portion of these are family plans used by groups of close relatives⦠and sometimes other people: 37% of users share their subscriptions outside their immediate family.
Because subscription accounts, especially family plans, often contain sensitive personal data, theyβve become a prime target for cybercriminals. Today we look at how to manage your subscriptions securely, avoid having your accounts compromised, and keep from falling for scammersβ latest tricks.
Why would anyone want to hack your subscription? Even if the service only offers entertainment, your account almost certainly contains sensitive information: your name, address, email, phone number, the names of other members, and other personally identifiable information. This data is then sold on the dark web and used for further attacks.
Attackers compromise subscription accounts either through social engineering and phishing, or by taking advantage of many usersβ reliance on weak or leaked passwords. As we recently highlighted in our research, nearly half of all passwords worldwide can be cracked in less than a minute. Scammers then either resell existing subscriptions or slots in a family group at a discount, or they sign the victim up for new services, hoping the extra charges go unnoticed.
Finally, some middlemen donβt bother with hacking at all; they simply buy bulk subscriptions for a large number of devices, where the per-unit cost is typically much lower. They then resell individual slots in these plans on online marketplaces. As a result, a single βfamilyβ account can end up filled with people who are complete strangers to one another.
Many subscription owners think nothing of sharing access with family and friends. What could possibly go wrong?
The worst-case scenario from a security standpoint is when a single account is purchased and the owner shares the login and password with other users. This usually happens when people try to save money on a family plan by buying an individual subscription and sharing it. Some services even allow for different profiles, but they are all tied to a single account, meaning the credentials are shared. This is how streaming platforms like Hulu and Disney+ operate.
Sharing one account among multiple people significantly increases the risk of your credentials falling into the wrong hands. Thereβs no way to guarantee that everyone else is storing those details securely or that their devices arenβt infected with malware. Even without malware, itβs incredibly easy to accidentally hand over a password to attackers simply by signing in to the subscription service over unprotected public Wi-Fi.
Itβs entirely possible that the password you kindly shared with some friends has already surfaced in some corner of the dark web, and you may soon lose access to your account. Furthermore, if you reuse the same password across different sites and apps, your other accounts are now in the crosshairs as well.
The second scenario is when each group member has an individual account. Many services now allow you to add extra users to a subscription at no additional cost, and most owners are happy to give away these free slots. Even then, you shouldnβt let your guard down: a breach of just one of these accounts can still leak sensitive information, such as family membersβ names, addresses, billing info, and other subscription-related data.
To keep your and your loved onesβ personal data private and your accounts under your control, follow these simple rules.
To do this, learn β and teach your friends and family β how to use password managers, two-factor authentication, or passkeys.
If you and your loved ones rely on memory to store passwords, thereβs a high probability that youβre reusing the same one across multiple services. This is a major blunder: data breaches happen all the time, and a single compromised password gives attackers access to your other accounts.
The simplest solution is to use a password manager that generates and remembers complex, unique passwords for every site and service on your behalf. All you have to do is remember the single main password for its encrypted vault. Additionally, Kaspersky Password ManagerΒ doesnβt just store and create passwords; it can also check if theyβve appeared in leaked databases, and sync your credentials across all your devices.
Additionally, a password manager provides a robust defense against phishing: unlike a human, who can easily be misled by a sign-in form that looks almost identical to the real thing and is hosted on a look-alike domain, a password manager wonβt fall for the trick. Itβll only offer to autofill your saved login and password on the specific site or service for which they were originally stored.
Avoid using browsers to store your passwords: unfortunately, attackers have long figured out how to extract browser-saved passwords in a matter of seconds.
Two-factor authentication (2FA) is an extra layer of verification the system requests after you enter your password β such as an SMS code or a one-time code from an authenticatorΒ app. Whenever technically possible, be sure to enable 2FA on every account linked to a subscription. This applies to the subscription services themselves, as well as any third-party accounts you use to sign in, such as Google, Apple, or Facebook.
We recommend storing your two-factor authentication tokens and generating the one-time codes β which refresh every 30 seconds β inside Kaspersky Password Manager. This significantly lowers the chances of someone hijacking your account. Even if an attacker somehow discovers or guesses your password, they wonβt be able to get the code without physical access to your device.
Finally, you can ditch passwords (almost) entirely by switching to passkeys. Weβve previously covered what this password alternative looks like and the specifics of using it. Currently, this is the most breach-resistant authentication system out there. Its main drawback has been the difficulty of syncing passkeys across different ecosystems, like Windows and iOS, but the updated version of Kaspersky Password ManagerΒ can now save and sync passkeys across Windows, macOS, iOS, and Android devices, making that issue a thing of the past.
Even a complex password and 2FA arenβt reasons to let your guard down. An attacker can infect your device with an infostealer: malware designed to swipe things like session cookies from your browser, app configuration files, and other sensitive data. Session cookies allow you to stay signed in without re-entering your credentials every time; however, if scammers get their hands on them, they can sign in to the service as you β even without knowing your username or password. This makes a proactive approach essential, especially if you use Chrome, Edge, Opera, or other Chromium-based browsers on Windows. We recommend installing Kaspersky Premium on all your devices; it includes Kaspersky Password ManagerΒ in addition to comprehensive protection against cyberthreats.
Otherwise, you might be asking for trouble. For example, if you share a Steam subscription with a friend who cheats, both of your accounts could end up banned. Furthermore, never try to let someone else into your personal account or individual subscription. Sharing your password with others is usually a violation of the terms of service, and can result in your account being blocked.
To do this, periodically check active devices and sessions in your subscription settings. If you see an unrecognized device in the authorized list, terminate that session β or all of them β and change your account password immediately. Signing back in on a few devices is much easier than trying to recover a hijacked account.
And remember: donβt let your own habits compromise your security. If youβre visiting friends, on vacation, or on a business trip and use a local computer or smart TV β or if you sign in to your account from a public computer β donβt forget to sign out when youβre done. Otherwise, the next person to use that device might find themselves with free subscriptions or, even worse, access to your email or cloud photo stream.
Watch out for phishing emails and messages spoofing legitimate services. If you receive a notification about a βneed to update your billing detailsβ, or a claim that a βnew user has been addedβ to your family plan, donβt rush to click any links or open attachments. Links can lead to a phishing page, and attachments may hide malware. Scammers often use email addresses and domains that look nearly identical to the real ones β for instance, by swapping l (lowercase L) for I (uppercase i), or using a familiar name in a different domain zone.
Unfortunately, phishing pages are often indistinguishable from the originals now that AI is being used for high-quality design and layout. Since spotting every red flag yourself is increasingly difficult, itβs best to delegate anti-phishing protection to Kaspersky Premium. It will alert you to suspicious sites, saving your money and keeping your peace of mind.
Lastly, some scammers lure users in with freebies like fake gift subscriptions for Telegram Premium. The victim is asked to visit a phishing page mimicking the Telegram login screen and sign in to their account to claim the gift. The result isnβt hard to guess: instead of a premium subscription β a hijacked account. Recently, scammers have even learned to use mini-apps to steal credentials directly inside Telegram under various pretexts β ranging from gift giveaways to claims that you must move to a new chat because the old one was blocked.
You can often find subscription offers on marketplaces and retail platforms at prices significantly lower than what the official provider charges. More likely than not, that tempting price hides a hacked account or a family group that you could be kicked out of at any moment, because the family admin is either the seller or a random user. Furthermore, sharing a family plan with strangers from around the world is a violation of terms for many services.
Now that weβve covered subscription security, what about those extra subscriptions that quietly eat away at your balance every month? Research shows that users typically underestimate how many active subscriptions they have and how much they spend on them; they also frequently forget to cancel auto-renewals for subscriptions they no longer use, or auto-charges after the trial period ends.
If you suspect youβre in that boat, start your investigation with your own bank statements. Recurring charges for the same amount can be a subscription youβve forgotten about. Check who received the payment; if the name doesnβt ring a bell, do an online search on the company. Itβs also worth searching your email box for the merchant name or the payment amount; this can help you track down subscription notifications and figure out what exactly youβre paying for. And donβt forget to check your spam folder, as thatβs where subscription alerts often end up.
Now, letβs look at how to check and cancel active subscriptions purchased through the App Store and Google Play.
If youβre the family group manager, youβll be able to see the purchase history for other family members.
Note: to manage your iCloud subscription, youβll need to go to the specific iCloud section located just below Subscriptions. In the Family Sharing section, if youβre the one who set it up, you can view the subscription and purchase history for all family members.
Read more on subscriptions:




![]()
With International Anti-Ransomware Day taking place on May 12, Kaspersky presents its annual report on the evolving global and regional ransomware cyberthreat landscape.
Ransomware remains one of the most persistent and adaptive cyberthreats. In 2026:
According to Kaspersky Security Network, the share of organizations affected by ransomware decreased in 2025 across all regions compared to 2024.
Percentage of organizations affected by ransomware attacks by region, 2025 (download)
Despite the formal decrease, organizations across all sectors continue to face a high likelihood of attack, as ransomware operators refine their tactics and scale their operations with increasing efficiency. Kaspersky and VDC Research have found that in the manufacturing sector alone, ransomware attacks may have caused over $18 billion in losses in the first three quarters of the year.
In 2026, ransomware operators increasingly prioritize neutralizing endpoint defenses before executing their payloads. Tools commonly referred to as βEDR killersβ have become a standard component of attack playbooks. This reflects a continuing trend toward more deliberate and methodical intrusions.
Attackers attempt to terminate security processes and disable monitoring agents, often by exploiting trusted components such as signed drivers. This technique is called Bring Your Own Vulnerable Driver (BYOVD) and allows adversaries to blend into legitimate system activity while gradually degrading defensive visibility.
Thus, evasion is no longer an opportunistic step but a planned and repeatable phase of the attack lifecycle. As a result, organizations are increasingly challenged not just to detect ransomware but also to maintain control in environments where security controls themselves are actively targeted.
We predicted that quantum-resistant ransomware would appear in 2025. Looking back at the previous year, we see that advanced ransomware groups indeed started using post-quantum cryptography as quantum computing evolved. The encryption techniques used by this quantum-proof ransomware could be used to resist decryption attempts from both classical and quantum computers, making it nearly impossible for victims to decrypt their data without having to pay a ransom.
One example is the appearance of the PE32 ransomware family (link in Russian); it leverages the cutting-edge ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) standard to secure its AES keys. This specific cryptographic framework was recently selected by NIST as the primary standard for post-quantum defense.
Within the PE32 ransomware architecture, this is realized through the Kyber1024 algorithm, a robust mechanism providing Level 5 security, roughly equivalent in strength to AES-256. Its primary function is the secure generation and transmission of shared secrets between parties, specifically engineered to withstand future quantum computing attacks. This shift toward post-quantum readiness is part of a broader industry trend; for instance, TLS 1.3 and QUIC protocols have already adopted the X25519Kyber768 hybrid model, which fuses classical encryption with quantum-resistant security.
In 2025, the share of ransoms paid dropped to 28%. As a response to this, one of the developments in the 2026 landscape is the growing prevalence of extortion incidents in which no file encryption takes place at all. Instead, attackers leave out the βwareβ in βransomwareβ and focus on extracting sensitive data and leveraging the threat of public disclosure as their primary means of extortion. ShinyHunters is an excellent example of such a group, using a data leak site to publicize its victims.
By avoiding encryption, attackers may aim at reducing the likelihood of immediate detection, shortening the duration of the attack, and eliminating dependencies on stable encryption routines. Often, this model is used alongside traditional tactics in so-called double extortion schemes, but an increasing number of campaigns rely exclusively on data theft.
For victims, this shift fundamentally changes the nature of the risk. While backups remain effective against encryption-based disruption, they provide no protection against data exposure, regulatory consequences, and reputational damage. Ransomware is therefore evolving from a business continuity issue into a broader data security and compliance challenge.
The ransomware ecosystem continues to evolve toward a highly industrialized and specialized model, with initial access remaining as one of its most critical components. In 2026, many ransomware operators keep relying on IABs (initial access brokers), a network of intermediaries who supply pre-compromised access to corporate environments, aiming to no longer perform full intrusions themselves.
This βaccess-as-a-serviceβ model is fueled by credential theft operations, and the widespread availability of compromised accounts harvested through infostealers and phishing campaigns.
The primary access vectors offered for sale have not changed: RDP, VPN, and RDWeb are still the top access vectors. Consequently, remote access infrastructure remains the primary attack surface for initial access sales. In response to the measures against public exposure of RDP access points to the internet, attackers are now targeting RDWeb portals, which are frequently vulnerable and occasionally inadequately safeguarded.
The result is a threat landscape where unauthorized access is increasingly commoditized, and the barrier to launching ransomware attacks declines. This means that preventing initial compromise is only part of the challenge; equal emphasis must be placed on detecting misuse of legitimate credentials and limiting lateral movement within already-breached environments.
Telegram channels and underground forums increasingly function as platforms for the distribution and sale of compromised datasets and access credentials including those that were obtained as a result of ransomware attacks.
Advertisements posted on these resources typically include the nature of the access, a description of the exfiltrated or compromised data, price terms, and contact information for prospective buyers. In addition, some malicious actors mention their collaboration with other ransomware groups. Lesser-known gangs can use this name-dropping to promote themselves
Multiple threat actors not related to ransomware groups distribute datasets downloaded from ransomware blogs on underground forums and Telegram. By re-publishing download links and files, they spread compromised data as well as information on the ransomware attack within the community.
The ransomware itself is also sold or offered for subscription on the dark web platforms. The sellers underscore the uniqueness of their malware, as well as its encryption and defense evasion features.
Law enforcement agencies are actively shutting down dark web platforms and ransomware data leak sites. A major underground forum, RAMP, which also functioned as a platform for threat actors to advertise their ransomware services and publish serviceβrelated updates, was seized by authorities in Januaryβ―2026. Another underground forum, LeakBase, where malicious actors distributed exfiltrated and compromised data, was seized in March 2026. In 2025, law enforcement agencies seized well-known forums like Nulled, Cracked, and XSS. Also in 2025, the DLSs of BlackSuit and 8Base ransomware groups were seized. These takedowns cause inconvenience to ransomware coordination, specifically for initial access brokers and affiliates, though similar forums are expected to fill the void over time.
RansomHubβs sudden dormancy in 2025 marked a shift, and Qilin became the dominant player from Q2 onward. According to Kaspersky research, Qilin was the most active group executing targeted attacks in 2025.
Each groupβs share of victims according to its data leak site (DLS) as a percentage of all reported victims of all groups during the period under review (download)
Qilin stands out as one of the fastest-growig and dominant RaaS platforms. Its combination of high-volume operations and structured affiliate model positions it as a central player in the current ecosystem.
Clop, the second most active group in 2025, is distinguished through its large-scale, supply-chain-style attacks, exploiting widely used file transfer and enterprise software to compromise hundreds of victims simultaneously. This one-to-many approach sets it apart from more traditional, single-target campaigns.
Third place is occupied by Akira, which remains notable for its consistency and operational stability, maintaining a steady stream of victims without major disruption. Its ability to sustain activity over time makes it one of the most reliable indicators of baseline ransomware threat levels.
Although no longer active, RansomHub stands out for its rapid rise and equally rapid disappearance in 2025, highlighting the volatility of the RaaS market. Its shutdown created a vacuum that significantly reshaped affiliate distribution across other groups.
DragonForce is also notable β not just for its own operations, but for its broader influence within the ransomware ecosystem, including reported involvement in infrastructure conflicts and possible links to the disruption of competing groups. Thus, the group claims that RansomHub βhas moved to their infrastructure.β This positions it as more than just an operator and potentially an ecosystem-level actor.
While emerging actors generally operate on a smaller scale, they provide insight into the continuous churn and low barrier to entry within the ransomware ecosystem.
The Gentlemen group caught our attention in early 2026, as they managed to attack a significant number of victims over a short time. This actor is also notable for reflecting a broader shift toward professionalization and controlled operations within the ransomware ecosystem. Unlike many emerging groups that rely on opportunistic attacks and inconsistent leak activity, The Gentlemen demonstrate a more deliberate approach: structured intrusion workflows, selective targeting, and measured communication with victims. This signals a move away from chaotic, high-noise campaigns toward predictable, business-like execution models that are easier to scale and harder to disrupt. Their TTPs include the massive exploitation of hardware very common on big corporations, such as FortiOS/FortiProxy, SonicWall VPN, and Cisco ASA appliances. The group might be comprised of professional cybercriminals who left other prominent groups.
The group is also notable for its emphasis on data-centric extortion strategies, often prioritizing exfiltration and leverage over purely disruptive encryption. This aligns with one of the defining trends of 2026: ransomware evolving into a form of data breach monetization rather than just system denial. By focusing on controlled pressure and reputational risk instead of immediate operational damage, The Gentlemen exemplify how attackers are adapting to lower ransom payment rates and improved backup practices among victims.
Some other groups to take note of in 2026:
Although there is little to say about these groups at the time of writing this report, each of them may be equally likely to disappear from the threat landscape or grow into a prominent threat. Thatβs why itβs important to track them from their early days. Moreover, collectively, these groups illustrate how dynamic the ransomware landscape is, with new entrants constantly replenishing it.
Despite the growing effort by law enforcement agencies across the globe to seize and disrupt dark web platforms and threat actor infrastructures, ransomware operations remain stable, with new groups quickly taking the place of those who went silent. In 2026, we see a shift towards encryptionless extortion, with data leaks increasingly becoming the main threat to target organizations. At the same time, data encryption is also upgrading to the next level with the emergence of post-quantum ransomware.
To resist the evolving threat, Kaspersky recommends organizations:
Prioritize proactive prevention through patching and vulnerability management. Many ransomware attacks exploit unpatched systems, so organizations should implement automated patch management tools to ensure timely updates for operating systems, software, and drivers. For Windows environments, enabling Microsoftβs Vulnerable Driver Blocklist is critical to thwarting BYOVD attacks. Regularly scan for vulnerabilities and prioritize high-severity flaws, especially in widely used software.
Strengthen remote access: RDP and RDWeb connections should never be directly exposed to the internet, only through VPN or ZTNA (Zero Trust Network Access). Itβs highly recommended to adopt multi-factor authentication on everything; the architecture may require continuous authentication for access, as one valid credential captured is enough to cause a breach. Monitoring the underground for stolen employee credentials is essential. Audit open ports across the entire attack surface. The adoption of the βPrinciple of Least Privilegeβ (PoLP), where users, systems, or processes are granted only the minimum access rights, such as read, write, or execute permissions, necessary to perform their specific job functions, is highly recommended.
Strengthen endpoint and network security with advanced detection and segmentation. Deploy robust endpoint detection and response solutions such as Kaspersky NEXT EDR to monitor for suspicious activity like driver loading or process termination. Network segmentation is equally important. Limit lateral movement by isolating critical systems and using firewalls to restrict traffic. Complete and immediate offboarding for employees is necessary as well as periodic permission reviews, with automatic revocation of unused access. Sessions with complete logging for privileged accounts are more than necessary. Monitoring the traffic divergence to new sites or even to legitimate endpoints can help the defenders to spot a new insider threat.
Invest in backups, training, and incident response planning. Maintain offline or immutable backups that are tested regularly to ensure rapid recovery without paying a ransom. Backups should cover critical data and systems and be stored in air-gapped environments to resist encryption or deletion. User education is essential to combatting phishing, which remains one of the top attack vectors. Conduct simulated phishing exercises and train employees to recognize AI-crafted emails. Kaspersky Global Emergency Response Team (GERT) can help develop and test an incident response plan to minimize potential downtime and costs.
The recommendation to avoid paying a ransom remains robust, especially given the risk of unavailable keys due to dismantled infrastructure, affiliate chaos, or malicious intent. By investing in backups, incident response, and preventive measures like patching and training, organizations can avoid funding criminals and mitigate the impact.
Kaspersky also offers free decryptors for certain ransomware families. If you get hit by ransomware, check to see if thereβs a decryptor available for the ransomware family used against you.




![]()
IT threat evolution in Q1 2026. Mobile statistics
IT threat evolution in Q1 2026. Non-mobile statistics
In the third quarter of 2025, we updated the methodology for calculating statistical indicators based on the Kaspersky Security Network. These changes affected all sections of the report except for the statistics on installation packages, which remained unchanged.
To illustrate the differences between the reporting periods, we have also recalculated data for the previous quarters. Consequently, these figures may significantly differ from the previously published ones. However, subsequent reports will employ this new methodology, enabling precise comparisons with the data presented in this post.
The Kaspersky Security Network (KSN) is a global network for analyzing anonymized threat information, voluntarily shared by users of Kaspersky solutions. The statistics in this report are based on KSN data unless explicitly stated otherwise.
According to Kaspersky Security Network, in Q1 2026:
The number of malware, adware, or unwanted software attacks on mobile devices decreased to 2,676,328 in Q1, down from 3,239,244 in the previous quarter.
Attacks on users of Kaspersky mobile solutions, Q3 2024 β Q1 2026 (download)
The overall drop in attack volume stems primarily from a reduction in adware and RiskTool detections. Nonetheless, this trend does not equate to a lower risk for mobile users. As shown later in this report, the number of unique users targeted by these threats remained relatively stable.
In Q1, Synthient researchers identified a link between the notorious Kimwolf botnet and the IPIDEA proxy network. This network was later taken down in cooperation with GTIG.
In early 2026, we discovered several apps on Google Play and the App Store that contained a new version of the SparkCat crypto stealer.
The Trojan code, meticulously concealed, was embedded into the infected Android apps. The obfuscated malicious Rust library was decrypted using a Dalvik-like virtual machine custom-built by the attackers. The iOS version of the malware also underwent several changes; specifically, the attackers began leveraging Appleβs proprietary Vision framework for optical character recognition (OCR).
The number of Android malware samples saw a slight increase compared to Q4Β 2025, reaching a total of 306,070.
Detected malicious and potentially unwanted installation packages, Q1 2025 β Q1 2026 (download)
The detected installation packages were distributed by type as follows:
Detected mobile apps by type, Q4 2025* β Q1 2026 (download)
* Data for the previous quarter may differ slightly from previously published figures due to certain verdicts being retrospectively revised.
Threat actors once again ramped up the production of new banking Trojans; as a result, this category overtook all others in volume, accounting for more than half of all installation packages.
Share* of users attacked by the given type of malicious or potentially unwanted app out of all targeted users of Kaspersky mobile products, Q4 2025 β Q1 2026 (download)
* The total percentage may exceed 100% if the same users encountered multiple attack types.
Following the surge in banking Trojan installation packages, the number of associated attacks also rose, causing Trojan-Banker apps to climb one spot in terms of their share of targeted users. Mamont variants emerged as the most prevalent banking Trojans, accounting for 73.5% of detections, with the rest of the users encountering Faketoken, Rewardsteal, Creduz, and other families.
Yet banking Trojans were still outpaced by adware and RiskTool-type unwanted apps when measured by the total number of affected users. Despite a decrease in their share of installation packages, these two app types retained their positions as the top two threats by attack volume. The most common adware detections involved HiddenAd (44.9%) and MobiDash (38.1%), while most frequently seen RiskTool apps were Revpn (67%) and SpyLoan (20.5%).
Note that the malware rankings below exclude riskware or potentially unwanted software, such as RiskTool or adware.
| Verdict | %* Q4Β 2025 | %* Q1Β 2026 | Difference in p.p. | Change in ranking |
| Backdoor.AndroidOS.Triada.ag | 2.62 | 7.09 | +4.48 | +10 |
| DangerousObject.Multi.Generic. | 6.75 | 5.84 | -0.92 | -1 |
| DangerousObject.AndroidOS.GenericML. | 3.52 | 5.51 | +1.99 | +6 |
| Trojan-Banker.AndroidOS.Mamont.jo | 0.00 | 5.28 | +5.28 | |
| Trojan.AndroidOS.Fakemoney.v | 5.40 | 3.44 | -1.96 | -1 |
| Trojan-Downloader.AndroidOS.Keenadu.l | 0.00 | 3.35 | +3.35 | |
| Trojan-Banker.AndroidOS.Mamont.jx | 0.00 | 3.09 | +3.09 | |
| Backdoor.AndroidOS.Triada.z | 4.87 | 3.08 | -1.79 | -2 |
| Trojan.AndroidOS.Triada.fe | 5.01 | 2.98 | -2.02 | -4 |
| Backdoor.AndroidOS.Keenadu.a | 2.07 | 2.73 | +0.66 | +6 |
| Trojan-Banker.AndroidOS.Mamont.jg | 0.34 | 2.37 | +2.03 | |
| Trojan.AndroidOS.Triada.hf | 2.15 | 2.23 | +0.07 | +3 |
| Trojan.AndroidOS.Boogr.gsh | 2.35 | 2.15 | -0.20 | 0 |
| Trojan.AndroidOS.Triada.ii | 5.68 | 2.07 | -3.60 | -11 |
| Backdoor.AndroidOS.Triada.ae | 1.91 | 1.76 | -0.16 | +3 |
| Backdoor.AndroidOS.Triada.ab | 1.79 | 1.72 | -0.08 | +3 |
| Trojan.AndroidOS.Triada.gn | 2.38 | 1.58 | -0.80 | -5 |
| Trojan-Banker.AndroidOS.Mamont.gg | 1.56 | 1.50 | -0.06 | +2 |
| Trojan.AndroidOS.Triada.ga | 1.48 | 1.50 | +0.01 | +4 |
| Backdoor.AndroidOS.Triada.ad | 0.53 | 1.40 | +0.87 | +44 |
* Unique users who encountered this malware as a percentage of all attacked users of Kaspersky mobile solutions.
The pre-installed Triada.ag backdoor rose to the top spot; it is similar to the older Triada.z version we documented previously. Because the same variant was pre-installed across a wide range of devices, the total number of affected users is aggregated. Consequently, Triada outpaced even Mamont, as users encountered a variety of Mamont variants, causing the share of that banking Trojan to spread across multiple rows. Other pre-installed Triada variants (Triada.z, Triada.ae, Triada.ab, and Triada.ad) also made the rankings. Furthermore, we observed increasing activity from the Keenadu.a backdoor, while diverse variants of the embedded Triada Trojan remained in the rankings.
Q1Β 2026 saw a characteristic rise in mobile banking Trojan activity, with the number of packages totalingΒ 162,275, a 50% increase compared to the prior quarter.
Number of installation packages for mobile banking Trojans detected by Kaspersky, Q1 2025 β Q1 2026 (download)
We saw a similar growth in the previous quarter, with banking Trojan volumes rising by 50% during that period as well. Various Mamont variants accounted for the absolute majority of packages and represented nearly every entry in the rankings of most frequent banking Trojans by affected user count.
| Verdict | %* Q4Β 2025 | %* Q1Β 2026 | Difference in p.p. | Change in ranking |
| Trojan-Banker.AndroidOS.Mamont.jo | 0.00 | 15.75 | +15.75 | |
| Trojan-Banker.AndroidOS.Mamont.jx | 0.00 | 9.22 | +9.22 | |
| Trojan-Banker.AndroidOS.Mamont.jg | 1.47 | 7.08 | +5.61 | +24 |
| Trojan-Banker.AndroidOS.Mamont.gg | 6.79 | 4.48 | -2.32 | -3 |
| Trojan-Banker.AndroidOS.Mamont.ks | 0.00 | 3.98 | +3.98 | |
| Trojan-Banker.AndroidOS.Agent.ws | 6.03 | 3.78 | -2.25 | -2 |
| Trojan-Banker.AndroidOS.Mamont.hl | 4.30 | 3.27 | -1.03 | +1 |
| Trojan-Banker.AndroidOS.Mamont.iv | 6.00 | 3.08 | -2.92 | -3 |
| Trojan-Banker.AndroidOS.Mamont.jb | 3.93 | 3.07 | -0.86 | +1 |
| Trojan-Banker.AndroidOS.Mamont.jv | 0.00 | 2.79 | +2.79 |
* Unique users who encountered this malware as a percentage of all users of Kaspersky mobile security solutions who encountered banking threats.




![]()
IT threat evolution in Q1Β 2026. Non-mobile statistics
IT threat evolution in Q1Β 2026. Mobile statistics
The statistics in this report are based on detection verdicts returned by Kaspersky products unless otherwise stated. The information was provided by Kaspersky users who consented to sharing statistical data.
In Q1Β 2026:
In January 2026, it was reported that the FBI had seized the domains of the RAMP cybercrime forum, a major platform used extensively by ransomware developers to advertise their RaaS programs and to recruit affiliates. There has been no official statement from the FBI, nor is it clear if RAMP servers were seized. In a post on an external website, a RAMP moderator mentioned law enforcement agencies gaining control over the forum. The takedown disrupted a key element of the RaaS ecosystem, creating ripple effects for ransomware operators, affiliates, and initial access brokers.
A man suspected of links to the Phobos group was apprehended in Poland. He was charged with the creation, acquisition, and distribution of software designed for unlawfully obtaining information, including data that facilitates unauthorized access to information stored within a computer system.
In March, a Phobos ransomware administrator pleaded guilty to the creation and distribution of the Trojan, which had been used in international attacks dating back to at least November 2020.
In March, the U.S. Department of Justice charged a man who had acted as a negotiator for ransomware groups. The company he worked for specializes in cyberincident investigations. The prosecution alleges the suspect colluded with the BlackCat threat actor to share privileged insights into the ongoing progress of negotiations. Additionally, the suspect is alleged to have had a prior direct role in BlackCat attacks, serving as an affiliate for the RaaS operation.
In a separate development this March, a U.S. court sentenced an initial access broker associated with the Yanluowang ransomware group to 81 months of imprisonment. According to the U.S. Department of Justice, the convict facilitated dozens of ransomware attacks across the United States, resulting in over $9 million in actual loss and more than $24 million in intended loss.
The Interlock group has been heavily exploiting the CVE-2026-20131 zero-day vulnerability in Cisco Secure FMC firewall management software since at least January 26, 2026. The vulnerability enabled arbitrary Java code execution with root privileges on the affected device. This campaign demonstrates the ongoing reliance on zero-day vulnerabilities for initial access, a focus on network appliances as high-value entry points, and the rapid weaponization of new vulnerabilities within the ransomware ecosystem.
This section highlights the most prolific ransomware gangs by number of victims added to each groupβs DLS. This quarter, the Clop ransomware (14.42%) returned to the top of the rankings, displacingΒ Qilin (12.34%), which had held the leading position in the previous reporting period. Following closely is a new threat actor, The Gentlemen (9.25%). Emerging no later than July 2025, the group had already surpassed the activity levels of mainstays such as Akira (7.25%) and INC Ransom (6.13%).
Number of each groupβs victims according to its DLS as a percentage of all groupsβ victims published on all the DLSs under review during the reporting period (download)
In Q1Β 2026, Kaspersky solutions detected six new ransomware families and 2938 new modifications. Volumes have returned to Q3Β 2025 levels following a surge in Q4Β 2025.
Number of new ransomware modifications, Q1 2025 β Q1 2026 (download)
Throughout Q1, our solutions protected 77,319 unique users from ransomware. Ransomware activity was highest in March, with 35,056 unique users encountering such attacks during the month.
Number of unique users attacked by ransomware Trojans, Q1 2026 (download)
| Country/territory* | %** | |
| 1 | Pakistan | 0.79 |
| 2 | South Korea | 0.64 |
| 3 | China | 0.52 |
| 4 | Tajikistan | 0.40 |
| 5 | Libya | 0.38 |
| 6 | Turkmenistan | 0.36 |
| 7 | Iraq | 0.35 |
| 8 | Bangladesh | 0.33 |
| 9 | Rwanda | 0.30 |
| 10 | Cameroon | 0.28 |
* Excluded are countries and territories with relatively few (under 50,000) Kaspersky users.
** Unique users whose computers were attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country/territory.
| Name | Verdict | %* | |
| 1 | (generic verdict) | Trojan-Ransom.Win32.Gen | 33.90 |
| 2 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 6.38 |
| 3 | WannaCry | Trojan-Ransom.Win32.Wanna | 5.87 |
| 4 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 4.68 |
| 5 | (generic verdict) | Trojan-Ransom.Win32.Agent | 3.80 |
| 6 | LockBit | Trojan-Ransom.Win32.Lockbit | 2.80 |
| 7 | (generic verdict) | Trojan-Ransom.Win32.Phny | 1.99 |
| 8 | (generic verdict) | Trojan-Ransom.MSIL.Agent | 1.96 |
| 9 | (generic verdict) | Trojan-Ransom.Python.Agent | 1.93 |
| 10 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 1.89 |
* Unique Kaspersky users attacked by the specific ransomware Trojan family as a percentage of all unique users attacked by this type of threat.
In Q1Β 2026, Kaspersky solutions detected 3485 new modifications of miners.
Number of new miner modifications, Q1 2026 (download)
In Q1, we detected attacks using miner programs on the computers of 260,588 unique Kaspersky users worldwide.
Number of unique users attacked by miners, Q1 2026 (download)
| Country/territory* | %** | |
| 1 | Senegal | 3.19 |
| 2 | Turkmenistan | 3.06 |
| 3 | Mali | 2.63 |
| 4 | Tanzania | 1.62 |
| 5 | Bangladesh | 1.06 |
| 6 | Ethiopia | 0.95 |
| 7 | Panama | 0.88 |
| 8 | Afghanistan | 0.79 |
| 9 | Kazakhstan | 0.77 |
| 10 | Bolivia | 0.75 |
* Excluded are countries and territories with relatively few (under 50,000) Kaspersky users.
** Unique users whose computers were attacked by miners as a percentage of all unique users of Kaspersky products in the country/territory.
In Q1Β 2026, Google uncovered a new cryptocurrency theft campaign. The scammers directed victims to a fraudulent video call, prompting them to execute malicious scripts under the guise of technical support fixes for connection problems.
In March, researchers with GTIG and iVerify reported the discovery of an in-the-wild exploit chain targeting both iOS and macOS devices. The exploit kit was apparently marketed on the dark web, providing threat actors with a suite of spyware capabilities alongside specialized cryptocurrency exfiltration modules. The exploit was delivered via drive-by downloads when victims visited various compromised websites. Our analysis confirmed that the toolkit included an updated version of a component previously identified in the Operation Triangulation attack chain.
Devices running macOS were similarly impacted by the high-profile supply chain attack targeting the Axios npm package, a widely used HTTP client for JavaScript. The installation of the infected package led to the deployment of a backdoor on macOS devices.
Unique users* who encountered this malware as a percentage of all attacked users of Kaspersky security solutions for macOS (download)
* Data for the previous quarter may differ slightly from previously published data due to some verdicts being retrospectively revised.
The share of PasivRobber spyware attacks is beginning to decline, giving way to more traditional adware and Monitor-class software capable of tracking user activity. The popular Amos stealer also maintains its presence within the TOPΒ 20.
| Country/territory | %* Q4Β 2025 | %* Q1Β 2026 |
| China | 1.28 | 1.97 |
| France | 1.18 | 1.07 |
| Brazil | 1.13 | 0.98 |
| Mexico | 0.72 | 0.52 |
| Germany | 0.71 | 0.45 |
| The Netherlands | 0.62 | 0.75 |
| Hong Kong | 0.49 | 0.53 |
| India | 0.42 | 0.48 |
| Russian Federation | 0.34 | 0.37 |
| Thailand | 0.24 | 0.27 |
* Unique users who encountered threats to macOS as a percentage of all unique Kaspersky users in the country/territory.
This section presents statistics on attacks targeting Kaspersky IoT honeypots. The geographic data on attack sources is based on the IP addresses of attacking devices.
In Q1Β 2026, the share of devices attacking Kaspersky honeypots via the SSH protocol saw a significant increase compared to the previous reporting period.
Distribution of attacked services by number of unique IP addresses of attacking devices (download)
The distribution of attacks between Telnet and SSH maintained the ratio observed in Q4Β 2025.
Distribution of attackersβ sessions in Kaspersky honeypots (download)
Share of each threat delivered to an infected device as a result of a successful attack, out of the total number of threats delivered (download)
The primary shifts in the IoT threat distribution are linked to the activity of various Mirai botnet variants, although members of this family continue to account for the majority of the list. Furthermore, a new variant, Mirai.kl, surfaced in the rankings. We also observed a significant decline in NyaDrop botnet activity during Q1.
The United States, the Netherlands, and Germany accounted for the highest proportions of SSH-based attacks during this period.
| Country/territory | Q4Β 2025 | Q1Β 2026 |
| United States | 16.10% | 23.74% |
| The Netherlands | 15.78% | 17.57% |
| Germany | 12.07% | 10.34% |
| Panama | 7.72% | 6.34% |
| India | 5.32% | 6.05% |
| Romania | 4.05% | 5.82% |
| Australia | 1.62% | 4.61% |
| Vietnam | 4.21% | 3.50% |
| Russian Federation | 3.79% | 2.35% |
| Sweden | 2.25% | 2.09% |
China continues to account for the largest proportion of Telnet attacks, though there was a marked increase in activity originating from Pakistan.
| Country/territory | Q4Β 2025 | Q1Β 2026 |
| China | 53.64% | 39.54% |
| Pakistan | 14.27% | 27.31% |
| Russian Federation | 8.20% | 8.25% |
| Indonesia | 8.58% | 6.71% |
| India | 4.85% | 4.66% |
| Brazil | 0.06% | 3.30% |
| Argentina | 0.02% | 2.51% |
| Nigeria | 1.22% | 1.38% |
| Thailand | 0.01% | 0.55% |
| Sweden | 0.54% | 0.55% |
The statistics in this section are based on detection verdicts by Web Anti-Virus, which protects users when suspicious objects are downloaded from malicious or infected web pages. These malicious pages are purposefully created by cybercriminals. Websites that host user-generated content, such as message boards, as well as compromised legitimate sites, can become infected.
The following statistics show the distribution by country/territory of the sources of internet attacks blocked by Kaspersky products on user computers (web pages redirecting to exploits, sites containing exploits and other malicious programs, botnet C&C centers, and so on). One or more web-based attacks could originate from each unique host.
To determine the geographic source of web attacks, we matched the domain name with the real IP address where the domain is hosted, then identified the geographic location of that IP address (GeoIP).
In Q1Β 2026, Kaspersky solutions blocked 343,823,407 attacks launched from internet resources worldwide. Web Anti-Virus was triggered by 49,983,611 unique URLs.
Web-based attacks by country/territory, Q1 2026 (download)
To assess the risk of malware infection via the internet for usersβ computers in different countries and territories, we calculated the share of Kaspersky users in each location on whose computers Web Anti-Virus was triggered during the reporting period. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.
This ranked list includes only attacks by malicious objects classified as Malware. Our calculations leave out Web Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.
| Country/territory* | %** | |
| 1 | Venezuela | 9.33 |
| 2 | Hungary | 8.16 |
| 3 | Italy | 7.58 |
| 4 | Tajikistan | 7.48 |
| 5 | India | 7.21 |
| 6 | Greece | 7.13 |
| 7 | Portugal | 7.10 |
| 8 | France | 7.05 |
| 9 | Belgium | 6.83 |
| 10 | Slovakia | 6.80 |
| 11 | Vietnam | 6.62 |
| 12 | Bosnia and Herzegovina | 6.57 |
| 13 | Canada | 6.56 |
| 14 | Serbia | 6.50 |
| 15 | Tunisia | 6.36 |
| 16 | Qatar | 6.01 |
| 17 | Spain | 5.95 |
| 18 | Germany | 5.95 |
| 19 | Sri Lanka | 5.89 |
| 20 | Brazil | 5.88 |
* Excluded are countries and territories with relatively few (under 10,000) Kaspersky users.
** Unique users targeted by web-based Malware attacks as a percentage of all unique users of Kaspersky products in the country/territory.
On average during the quarter, 4.73% of usersβ computers worldwide were subjected to at least one Malware web attack.
Statistics on local infections of user computers are an important indicator. They include objects that penetrated the target computer by infecting files or removable media, or initially made their way onto the computer in non-open form. Examples of the latter are programs in complex installers and encrypted files.
Data in this section is based on analyzing statistics produced by anti-virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media. The statistics are based on detection verdicts from the On-Access Scan (OAS) and On-Demand Scan (ODS) modules of File Anti-Virus and include detections of malicious programs located on user computers or removable media connected to the computers, such as flash drives, camera memory cards, phones, or external hard drives.
In Q1Β 2026, our File Anti-Virus detected 15,831,319 malicious and potentially unwanted objects.
For each country and territory, we calculated the percentage of Kaspersky users whose computers had the File Anti-Virus triggered at least once during the reporting period. This statistic reflects the level of personal computer infection in different countries and territories around the world.
Note that this ranked list includes only attacks by malicious objects classified as Malware. Our calculations leave out File Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.
| Country/territory* | %** | |
| 1 | Turkmenistan | 47.96 |
| 2 | Tajikistan | 31.48 |
| 3 | Cuba | 31.03 |
| 4 | Yemen | 29.59 |
| 5 | Afghanistan | 28.47 |
| 6 | Burundi | 26.93 |
| 7 | Uzbekistan | 24.81 |
| 8 | Syria | 23.08 |
| 9 | Nicaragua | 21.97 |
| 10 | Cameroon | 21.60 |
| 11 | China | 21.09 |
| 12 | Mozambique | 21.02 |
| 13 | Algeria | 20.64 |
| 14 | Democratic Republic of the Congo | 20.63 |
| 15 | Bangladesh | 20.44 |
| 16 | Mali | 20.35 |
| 17 | Republic of the Congo | 20.23 |
| 18 | Madagascar | 20.00 |
| 19 | Belarus | 19.78 |
| 20 | Tanzania | 19.52 |
* Excluded are countries and territories with relatively few (under 10,000) Kaspersky users.
** Unique users on whose computers local Malware threats were blocked, as a percentage of all unique users of Kaspersky products in the country/territory.
On average worldwide, Malware local threats were detected at least once on 11.55% of usersβ computers during Q1.
Russia scored 11.92% in these rankings.




At least one threat actor has adopted the recently released malware source code in attacks against NPM developers.
The post First Shai-Hulud Worm Clones Emerge appeared first on SecurityWeek.