Full Report
April 1, 2026

According to statistics collected by the Dr.Web anti-virus, the total number of threats detected in the first quarter (Q1) of 2026 decreased by 6.77%, compared to the fourth quarter of last year. The number of unique threats decreased by 11.98%. Adware programs and ad-displaying trojans, malicious downloader apps, and backdoors were most commonly detected on protected devices. Most widely encountered in email traffic were malicious scripts, backdoors, and various trojans. Threat actors also used emails to distribute phishing documents and exploits.

Users whose files were affected by encoder trojans had primarily encountered Trojan.Encoder.35534, Trojan.Encoder.29750 and Trojan.Encoder.41868.

In Q1 2026, Doctor Web’s Internet analysts detected new phishing websites, including fake online resources of credit organizations and marketplaces as well as a number of other unwanted sites.

The mobile device segment saw increased activity on the part of banking trojans. At the same time, our malware analysts noted the growing popularity of a method used to prevent malicious programs from being detected by anti-viruses: adding junk code to the apps. In January, Doctor Web’s experts informed users about the Android.Phantom trojan clickers, which use machine learning and video broadcasting to boost clicks on websites. In addition, over the past three months, we detected the emergence of yet more malware on Google Play, including trojans that subscribe users to paid services.
## Principal trends in Q1 2026

- The number of threats detected on protected devices decreased
- Fewer unique files exist among the threats that were detected
- Compared to the previous observation period, fewer users requested help to decrypt files affected by encoder trojans
- Banking trojans for Android devices continued to increase their activity
- Users were at risk of encountering Android.Phantom clicker trojans, which use machine learning, among other techniques, to boost clicks on websites
- More malicious apps were discovered on Google Play

## According to Doctor Web’s statistics service

### The most common threats in Q1 2026

- **Trojan.Siggen31.34463**: A trojan written in the Go programming language and designed to download various miner trojans and adware into infected systems. This malware is a DLL file located at `%appdata%\utorrent\lib.dll`. To launch, it exploits a DLL Search Order Hijacking vulnerability in the uTorrent torrent client.
- **Adware.Downware.20655**, **Adware.Downware.20766**: Adware that often serves as an intermediary installer of pirated software.
- **Trojan.BPlug.4268**: The detection name for a malicious component of the WinSafe browser extension. This component is a JavaScript file that displays intrusive ads in browsers.
- **Adware.Siggen.33379**: A fake Adblock Plus browser ad blocker that is installed on the system by other malware to display advertisements.

## Statistics for malware discovered in email traffic

### The most common threats in email traffic in Q1 2026

- **JS.DownLoader.1225**: Heuristic detection for ZIP archives containing JavaScripts with suspicious names.
- **W97M.DownLoader.2938**: A family of downloader trojans that exploit vulnerabilities in Microsoft Office documents. They can also download other malicious programs to a compromised computer.
- **Exploit.CVE-2017-11882.123**, **Exploit.CVE-2018-0798.4**: Exploits designed to take advantage of Microsoft Office software vulnerabilities that allow an attacker to run arbitrary code.
- **JS.Redirector.514**: A malicious script that redirects users to a web page controlled by fraudsters.

## Encryption ransomware

In Q1 2026, the number of requests made to decrypt files affected by encoder trojans decreased by 31.51%, compared to Q4 2025. The decline occurred against the backdrop of the New Year holidays and the associated long weekend, during which a number of cybercriminals may have suspended their activity and gone on vacation. At the same time, users who nonetheless suffered from encoder trojan attacks during this period may not have immediately responded to incidents that had occurred.

*The dynamics of the decryption requests received by Doctor Web’s Technical Support Service (chart not reproduced)*

### The most common encoders of Q1 2026

- Trojan.Encoder.35534 — 15.59% of user requests
- Trojan.Encoder.29750 — 3.23% of user requests
- Trojan.Encoder.41868 — 3.23% of user requests
- Trojan.Encoder.26996 — 1.62% of user requests
- Trojan.Encoder.44383 — 1.61% of user requests

## Network fraud

Over the past three months, Doctor Web’s Internet analysts discovered a number of new fake marketplace websites on which fraudsters offer the chance to join in a “clearance sale” of supposedly unredeemed orders. The fraudulent scheme works like this: the “unclaimed” goods from the orders are divided into different categories (electronics, clothes, footwear, cosmetics, etc.) and are allegedly packed into the corresponding surprise boxes. Their content is unknown and is claimed to possibly include expensive items. At the same time, potential victims are offered a chance to buy these boxes at a relatively low price, which is the main lure of this scam.

*A fake marketplace site promises a “sale of unclaimed orders” that are supposedly overflowing warehouses*

When a user selects one of the boxes, they are asked to place an order and provide personal information that may include their first and last names, mobile phone number, and email address.
Next, the user is redirected to the payment page to pay via the Faster Payments System (“Система быстрых платежей”, “СБП”, or “SBP”). As a result, the victim loses their money and provides confidential data to the fraudsters.

*After placing an “order”, the victim is asked to pay for it via the Faster Payments System*

Our experts also identified many websites for services offering various financial products, such as the ability to swiftly obtain a microloan, a regular loan, or go through bankruptcy proceedings. Contrary to what users expect, such services do not provide these products themselves; they are only intermediaries between clients and financial institutions. They provide paid access to a selection of potentially suitable options, while the aggregation of such financial offers is available from free sources. Moreover, these services do not guarantee a successful result when an application is submitted. Access is granted not for a one-time payment, but through a paid subscription with periodic debits.

*One of the websites requiring users to pay in order to access a service for selecting financial offers. Users believe they are making a one-time payment for access, but unbeknownst to them, they are signing up for a subscription*

In some cases, such resources can mislead users by offering them one type of service, like job placements, but actually provide subscription access to the aforementioned financial offers for loans, microloans, etc.

*A website promises to help visitors find a job, but once payment is made to access the service, financial proposals (loans, microloans, etc.) from the website’s partners may be offered instead*

Among the phishing sites identified in Q1 2026 were fake web resources for the Green Marathon (“Зеленый Марафон”) charity race. They offer visitors the opportunity to register for the marathon, but these sites are not affiliated with the event and are designed to collect users’ confidential data.
*One of the fake sites for the Green Marathon charity race*

Doctor Web’s Internet analysts also discovered more fake investment service websites that were supposedly affiliated with various credit organizations. Among them were sites targeting audiences from Russia, Kazakhstan, and other countries. Scammers promise potential victims high profits; in order to “access” the pseudo-investment platforms, victims are asked to take a short survey and register an account by providing personal information.

*An example of a phishing website that malicious actors pass off as an official resource for an investment service of one Russian bank*

*An example of a phishing site that cybercriminals present as an official online resource for an investment service of one Kazakhstani credit institution*

## Malicious and unwanted programs for mobile devices

According to detection statistics collected by Dr.Web Security Space for mobile devices, in Q1 2026 the growth in Android.Banker banking trojan activity observed in Q4 of last year continued. The most widespread among them were members of the Android.Banker.Mamont subfamily. At the same time, the number of detections of the ad-displaying trojans Android.MobiDash and Android.HiddenAds decreased yet again.

Topping the list of the most commonly detected potentially dangerous software were apps to which junk code has been added with the help of Android program modification tools (such apps containing junk code are detected as Tool.Obfuscator.TrashCode). Currently, this technique is actively being used to protect banking trojans from anti-virus detection. In addition, programs modified using the NP Manager tool remained prevalent (these are detected as Tool.NPMod).
The most widely detected unwanted software programs were Program.FakeAntiVirus fake anti-viruses, which demand that users purchase the full version of the software to “cure” threats that had supposedly been found.

The most active ad-displaying software programs in Q1 were Adware.Bastion.1.origin and Adware.Opensite.15. The former are optimization apps that create notifications containing informational messages about supposed low memory and system errors in order to display ads during “optimization”. The latter are fake cheat software for obtaining in-game resources, but, in reality, they load websites containing ads.

In January 2026, our anti-virus laboratory informed users about the Android.Phantom trojan clickers. These malicious programs use machine learning and video broadcasts to boost clicks on websites. Cybercriminals distributed them in several ways: via the GetApps app catalog for Xiaomi devices, Telegram channels, Discord servers, third-party software collections, and malicious sites.

Over the past three months, Doctor Web’s virus analysts discovered new threats on Google Play. Among them were Android.Joker and Android.Subscription trojans, which subscribe users to paid services.

The following Q1 2026 events involving mobile malware are the most noteworthy:

- Android.Banker banking trojans became the most widespread threats for Android devices.
- Cybercriminals increasingly used Android app modding tools to protect banking trojans from anti-virus detection.
- The trend of decreasing activity on the part of Android.MobiDash and Android.HiddenAds adware trojans continued.
- Users were at risk of encountering Android.Phantom trojans, which use machine learning and video broadcasts to artificially boost clicks on websites.
- Malicious apps were again distributed via Google Play.

To find out more about the security-threat landscape for mobile devices in Q1 2026, read our special overview.
Analysis Summary
# Incident Report: Q1 2026 Global Threat Landscape Overview
## Executive Summary
In Q1 2026, Dr.Web observed a 6.77% decrease in total threat detections and a 31.51% drop in ransomware decryption requests compared to Q4 2025. Despite lower volumes, attackers transitioned toward more sophisticated techniques, including the use of machine learning in clicker trojans (**Android.Phantom**) and "junk code" obfuscation to bypass mobile anti-virus signatures. The quarter was characterized by a significant rise in banking trojans and diversified social engineering schemes targeting online consumers and job seekers.
## Incident Details
- **Discovery Date:** January 1 – March 31, 2026
- **Incident Date:** Ongoing throughout Q1 2026
- **Affected Organization:** Global users of Windows and Android platforms
- **Sector:** Technology, Finance, E-commerce, Healthcare (Charity)
- **Geography:** Global (with specific mentions of Russia and Kazakhstan)
## Timeline of Events
### Initial Access
- **Date/Time:** January 2026 (Initial report on **Android.Phantom**)
- **Vector:** Phishing emails, malicious Google Play apps, GetApps (Xiaomi), and DLL Search Order Hijacking.
- **Details:** Attackers leveraged ZIP archives with JavaScript, malicious Office documents (exploiting CVE-2017-11882), and fake browser extensions (WinSafe) to gain initial entry.
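The two initial-access vectors named above, ZIP archives carrying JavaScript under deceptive names (the pattern behind the JS.DownLoader.1225 heuristic) and Office documents carrying an Equation Editor object (the component targeted by CVE-2017-11882 and CVE-2018-0798), can be screened at the mail gateway before delivery. The Python script below is an added example written for this summary, not Dr.Web's detection logic. It assumes that a script extension sitting behind a document-like extension is worth flagging, and that the `Equation.3` class name, the `Equation Native` stream name and the Equation Editor CLSID `0002CE02-0000-0000-C000-000000000046` are sufficient markers to route a document for deeper inspection rather than proof of an exploit. Every sample attachment is constructed inside the script.

```python
"""Mail-gateway attachment triage: constructed example, not Dr.Web code."""
import io
import uuid
import zipfile
from pathlib import PurePosixPath

# Extensions that Windows Script Host / mshta will execute on double-click.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
# Document-like extensions placed in front of a script extension to disguise it.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}

# Markers of an embedded Equation Editor (Equation.3) object, the component
# targeted by CVE-2017-11882 / CVE-2018-0798. Assumption: a match means
# "route for deeper inspection", not "exploit confirmed".
EQUATION_MARKERS = {
    "ole-clsid": uuid.UUID("0002CE02-0000-0000-C000-000000000046").bytes_le,
    "objclass": b"Equation.3",                             # RTF \objclass / CompObj
    "stream-name": "Equation Native".encode("utf-16-le"),  # OLE stream name
}
MAX_MEMBER_BYTES = 20 * 1024 * 1024  # skip pathological archive members


def classify_name(member_name):
    """Reasons a ZIP member name looks like a disguised script (empty list = none)."""
    suffixes = [s.lower() for s in PurePosixPath(member_name.replace("\\", "/")).suffixes]
    reasons = []
    if suffixes and suffixes[-1] in SCRIPT_EXTENSIONS:
        reasons.append(f"script extension {suffixes[-1]}")
        if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTENSIONS:
            reasons.append(f"double extension {''.join(suffixes[-2:])}")
    return reasons


def find_equation_markers(blob):
    """Names of the Equation Editor markers present in a byte blob."""
    return [name for name, marker in EQUATION_MARKERS.items() if marker in blob]


def triage_attachment(filename, data):
    """Return a list of findings for one attachment; an empty list means nothing was flagged."""
    findings = []
    if zipfile.is_zipfile(io.BytesIO(data)):
        # Plain ZIP attachments and OOXML documents (.docx is a ZIP) both land here;
        # embedded OLE objects live in members such as word/embeddings/oleObject1.bin.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                for reason in classify_name(info.filename):
                    findings.append(f"{filename}:{info.filename}: {reason}")
                if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                    continue
                for marker in find_equation_markers(zf.read(info)):
                    findings.append(f"{filename}:{info.filename}: Equation Editor marker ({marker})")
    else:
        # RTF and legacy OLE (.doc/.xls) files are scanned as raw bytes.
        for marker in find_equation_markers(data):
            findings.append(f"{filename}: Equation Editor marker ({marker})")
    return findings


def build_samples():
    """Constructed sample attachments; none of this is real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2026.pdf.js", 'WScript.Echo("placeholder");')
        zf.writestr("readme.txt", "nothing to see here")
    js_zip = buf.getvalue()

    # Minimal RTF skeleton declaring an embedded Equation.3 object (no payload).
    rtf = (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}"
           b"{\\*\\objdata 0105000002000000}}}")

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    clean_docx = buf.getvalue()
    return {"invoice.zip": js_zip, "order.rtf": rtf, "report.docx": clean_docx}


def triage_all(samples):
    """Map each attachment name to its findings."""
    return {name: triage_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_all(build_samples()).items():
        print(name, "->", findings or ["nothing flagged"])
```

The name check deliberately looks only at the last two suffixes, so `archive.tar.gz` is not flagged while `Invoice_2026.pdf.js` is; the marker scan is a cheap pre-filter that decides which documents go to a sandbox or an OLE parser, which is where a verdict on the actual exploit belongs.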
### Lateral Movement
- **Details:** The report describes no intra-network lateral movement; however, backdoors and downloader trojans (like **Trojan.Siggen31.34463**) were identified, and these are typically used to maintain access to a compromised host and to drop additional payloads such as miners or adware.
### Data Exfiltration/Impact
- **Details:** Theft of personal data via phishing sites; financial loss through unwanted subscriptions to paid services; encryption of user files by **Trojan.Encoder** variants.
### Detection & Response
- **Detection:** Dr.Web anti-virus telemetry and Internet analyst monitoring.
- **Response:** Public disclosure of **Android.Phantom** in January; continuous updating of virus databases to include obfuscated "TrashCode" signatures; reporting of malicious apps to Google Play.
## Attack Methodology
- **Initial Access:** Phishing, malvertising, DLL Search Order Hijacking (**uTorrent** client abuse), and malicious apps published on Google Play.
- **Persistence:** Malicious browser extensions (**WinSafe**) and hidden DLLs in AppData folders.
- **Defense Evasion:** Use of "junk code" (**Tool.Obfuscator.TrashCode**), NP Manager modding tools, and machine learning/video broadcasting to mimic human behavior in clickers.
- **Credential Access:** Phishing pages mimicking investment platforms, marketplaces, and the "Green Marathon" charity site.
- **Lateral Movement:** None described; downloader trojans and backdoors instead provide persistent remote access to the infected host.
- **Impact:** Encryption (Ransomware), financial fraud (Faster Payments System/SBP abuse), and unauthorized bank transfers via **Android.Banker.Mamont**.
## Impact Assessment
- **Financial:** Significant unauthorized debits from banking trojans and fraudulent "surprise box" marketplace scams.
- **Data Breach:** High volume of PII (Names, mobile numbers, emails) collected through phishing surveys and fake registration forms.
- **Operational:** Disruption of file accessibility for users infected with **Trojan.Encoder.35534** and other variants.
- **Reputational:** Impersonation of major credit organizations and legitimate charity events (Green Marathon).
## Indicators of Compromise
- **File Indicators:**
  - `%appdata%\utorrent\lib.dll` (Trojan.Siggen31.34463)
- **Detection Names (Dr.Web):**
  - `Trojan.Encoder.35534`
  - `Android.Phantom`
  - `JS.DownLoader.1225`
- **Behavioral Indicators:**
  - Automated video broadcasting for click-fraud.
  - Unexpected redirects to SBP (Faster Payments System) pages.
  - Browser extensions displaying intrusive ads.
## Response Actions
- **Containment:** Systematic removal of identified malicious apps from the Google Play store.
- **Eradication:** Implementation of heuristic detection for ZIP-based JavaScript downloaders and Office exploits.
- **Recovery:** Technical Support Service assistance for users requesting decryption (decreasing trend noted).
## Lessons Learned
- **AI as a Double-Edged Sword:** Attackers are now successfully integrating machine learning to bypass behavioral detection.
- **Obfuscation Trends:** Simple junk code insertion remains an effective way to evade standard signature-based detection on mobile devices.
- **Holiday Lulls:** A significant drop in ransomware activity coincides with regional holidays (New Year), suggesting seasonal peaks for defender vigilance.
## Recommendations
1. **Application Hardening:** Enforce safe DLL search-order policies and monitor per-user application folders (for example `%appdata%\utorrent`) for unexpected DLLs, to prevent hijacking in known applications like uTorrent.
2. **Mobile Security:** Restrict installation of apps from third-party catalogs (GetApps, Telegram channels) and use reputable mobile AV.
3. **Phishing Awareness:** Train users to identify "Too Good to Be True" offers, such as unclaimed package "surprise boxes."
4. **Subscription Management:** Regularly audit mobile phone bills for unauthorized "extra-fee" services or unexpected recurring debits.
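Recommendation 1 can be turned into a concrete check. The Python script below is an added example, not Dr.Web's or uTorrent's code: it audits a per-user application directory for DLL files that are not on an allowlist of libraries the application is known to ship there, and rates a hit on the file name from the report (`lib.dll` under `%appdata%\utorrent`) as high severity. The allowlist is an assumption that a defender would populate from a clean installation, and the script only reports, never deletes.

```python
r"""Audit a per-user application directory for planted DLLs.

Added example, not Dr.Web's or uTorrent's code. The file indicator from the
report is %appdata%\utorrent\lib.dll (Trojan.Siggen31.34463).
"""
import hashlib
import os
from pathlib import Path

# DLL name the report associates with the hijack; a hit is rated "high".
KNOWN_PLANTED_NAMES = {"lib.dll"}


def sha256_of(path):
    """Stream-hash a file so large DLLs are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_app_dir(app_dir, expected_dlls=frozenset()):
    """Return one finding per DLL under app_dir that is not on the allowlist.

    expected_dlls: lower-case names of libraries the application legitimately
    ships in this directory. Assumption: the defender builds this set from a
    clean installation. Everything else is reported, because the hijack in the
    report works precisely by planting a DLL where the application looks first.
    The function only reports; it never deletes.
    """
    findings = []
    root = Path(app_dir)
    if not root.is_dir():
        return findings
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() != ".dll":
            continue
        name = path.name.lower()
        if name in expected_dlls:
            continue
        findings.append({
            "path": str(path),
            "severity": "high" if name in KNOWN_PLANTED_NAMES else "review",
            "size": path.stat().st_size,
            "sha256": sha256_of(path),
        })
    return findings


def default_utorrent_dir():
    r"""%APPDATA%\utorrent on Windows, None elsewhere (assumption: uTorrent's per-user folder)."""
    appdata = os.environ.get("APPDATA")
    return Path(appdata) / "utorrent" if appdata else None


if __name__ == "__main__":
    target = default_utorrent_dir()
    if target is None:
        print("APPDATA is not set; pass a directory to audit_app_dir() explicitly")
    else:
        for finding in audit_app_dir(target):
            print(finding)
```

Run it from a scheduled task or an EDR custom script and forward the hash of every "review" hit to your threat-intel lookup; the hash is computed here so the record is complete even if the file is later removed by the attacker.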