# Full Report
January 12, 2026

According to statistics collected by the Dr.Web anti-virus, the total number of threats detected in the fourth quarter of 2025 increased by 16.05% compared to the third quarter. The number of unique threats decreased by 1.13%. Most common were unwanted adware apps, malicious scripts, and various malicious programs, including downloaders and ad-displaying trojans. In email traffic, trojan apps such as downloaders, password stealers, and droppers were most frequently detected; exploits, backdoors, and various malicious scripts were also distributed via email. Users whose files were affected by encoder trojans had mostly encountered Trojan.Encoder.35534, Trojan.Encoder.41868, and Trojan.Encoder.29750.

In October, we informed users about the Android.Backdoor.Baohuo.1.origin backdoor, which cybercriminals were distributing in modified versions of the Telegram X messenger. This malicious program steals logins and passwords for Telegram accounts as well as other sensitive data. Using this backdoor, threat actors can control the victims’ hacked accounts and also gain full control over the messenger itself, performing various actions on behalf of users.

In November, our anti-virus laboratory released a study of a targeted attack carried out by the Cavalry Werewolf hacker group on a Russian state institution. During the examination, Doctor Web’s experts identified many of the malicious instruments used by the threat actors, including open-source tools that cybercriminals utilize in their campaigns. Our specialists also studied the features of this hacker group and the actions it typically takes in compromised networks.

In December, we published information about the unique trojan dubbed Trojan.ChimeraWire, which artificially increases the popularity of websites. To do so, it pretends to be a human so that its actions are not blocked by the sites’ anti-bot protection. The malicious program automatically searches for target websites in search engines, opens them, and clicks on their webpages in accordance with the parameters received from the malicious actors. Trojan.ChimeraWire infects computers with the help of several malicious programs that exploit DLL Search Order Hijacking class vulnerabilities and also utilize anti-debugging techniques to avoid detection.

Over the course of Q4, Doctor Web’s Internet analysts identified new fraudulent websites that promised potential victims quick and easy money. More phishing sites and fake marketplace Internet resources were also found. Our specialists uncovered yet more malicious apps on Google Play. Among them were Android.Joker trojans, which subscribe Android device owners to paid services, as well as Android.FakeApp malicious apps, which cybercriminals use to implement various fraudulent schemes. At the same time, Dr.Web Security Space for mobile devices detection statistics revealed that Android banking trojans increased their activity.

## Principal trends in Q4 2025

- The number of threats detected on protected devices increased
- The number of unique threats used in attacks decreased
- More users requested help to decrypt files affected by encoder trojans
- Banking trojans targeting Android device owners were more active
- Threat actors distributed the Android.Backdoor.Baohuo.1.origin backdoor, which hacks the Telegram accounts of Android users
- New malicious apps emerged on Google Play

## According to Doctor Web’s statistics service

The most common threats in Q4 2025:

- **Trojan.Siggen31.34463**: A trojan written in the Go programming language and designed to download various miner trojans and adware into infected systems. This malware is a DLL file located at `%appdata%\utorrent\lib.dll`. To launch, it exploits a DLL Search Order Hijacking vulnerability in the uTorrent torrent client.
- **Adware.Downware.20091**: Adware that often serves as an intermediary installer of pirated software.
- **VBS.KeySender.7**: A malicious script that, in an infinite loop, searches for windows containing the text "mode extensions", "разработчика", and "розробника" (the Russian and Ukrainian words for "developer") and sends them an Escape key press event, forcibly closing them.
- **Trojan.BPlug.4268**: The detection name for a malicious component of the WinSafe browser extension. This component is a JavaScript file that displays intrusive ads in browsers.
- **Adware.Siggen.33379**: A fake Adblock Plus browser ad blocker that is installed on the system by other malware to display advertisements.

## Statistics for malware discovered in email traffic

The most common threats in email traffic in Q4 2025:

- **W97M.DownLoader.2938**: A family of downloader trojans that exploit vulnerabilities in Microsoft Office documents. They can also download other malicious programs to a compromised computer.
- **Exploit.CVE-2017-11882.123**, **Exploit.CVE-2018-0798.4**: Exploits designed to take advantage of Microsoft Office software vulnerabilities and allow an attacker to run arbitrary code.
- **Trojan.AutoIt.1413**: The detection name for a packed version of the Trojan.AutoIt.289 malicious app, written in the AutoIt scripting language. This trojan is distributed as part of a group of several malicious applications, including a miner, a backdoor, and a self-propagating module. Trojan.AutoIt.289 performs various malicious actions that make it difficult for the main payload to be detected.
- **JS.Phishing.791**: A malicious JavaScript script that generates a phishing web page.

## Encryption ransomware

In Q4 2025, the number of requests made to decrypt files affected by encoder trojans increased by 1.15% compared to Q3 2025.

Figure: The dynamics of the decryption requests received by Doctor Web’s technical support service (chart not reproduced here).

The most common encoders of Q4 2025:

- Trojan.Encoder.35534 — 24.90% of user requests
- Trojan.Encoder.41868 — 4.21% of user requests
- Trojan.Encoder.29750 — 3.42% of user requests
- Trojan.Encoder.26996 — 2.68% of user requests
- Trojan.Encoder.30356 — 0.38% of user requests

## Network fraud

Over the course of Q4 2025, Doctor Web’s Internet analysts observed the emergence of new fake marketplace websites. Fraudsters, allegedly on behalf of online trading platforms, offer potential victims the opportunity to play a carousel-type game (similar to roulette) with the chance of winning a prize. After several attempts, the user “gets lucky”, but to receive the prize, they are supposedly required to pay first for the shipping, then insurance, some taxes, etc. In some cases, the victim is told that the item in question is allegedly unavailable and is offered the chance to exchange it for money. If the user agrees, they are again asked to make some more payments in the form of insurance, some account activation, etc.

Figure: Example of a fake marketplace website offering a “prize drawing”

More Internet resources on which scammers sell non-existent theater tickets were added to our unwanted and malicious websites database. Such sites offer victims the chance to attend popular theatrical performances, often at attractive prices. However, after victims pay, they do not get the tickets and have essentially given their money away to the fraudsters.

Figure: One of the fraudulent sites that sells non-existent theater tickets

Other sites that imitate the websites of private cinemas and offer users a chance to buy movie tickets have also been detected. Victims do not receive any tickets after paying for them on such sites.

Figure: The fake website of a private cinema

Our specialists detected several phishing web resources, some of them fake sites of the Steam platform. Malicious actors used them to obtain user account data by asking potential victims to provide a login and password for authentication.

Figure: A phishing website that imitates the real Steam Internet portal and asks potential victims to log into their account

In addition, scammers again lured potential victims into non-existent investment projects. One of the detected sites invited Russian-speaking users living in America to invest $250 in a project called Federal Invest with the chance to “make up to 90,000 dollars in 3 months”. This project was allegedly created with the participation of Donald Trump.

Figure: A fraudulent site offering the chance to join a “profitable investment project”

Another website reported that Uzbek users can achieve an income of at least 15,000,000 Uzbek soums already within the first month of joining the advertised project, which is allegedly related to a large holding company.

Figure: A fraudulent website promising residents of Uzbekistan some large profits by joining the “investment project”

## Malicious and unwanted programs for mobile devices

According to detection statistics collected by Dr.Web Security Space for mobile devices, in Q4 2025, the ad-displaying trojans Android.MobiDash and Android.HiddenAds remained the most common Android threats, despite a decline in their activity. Malicious programs that belong to the Android.Siggen family and have various functionality rose to third place. Over the course of the last three months, banking trojan activity increased, with the Android.Banker family showing the greatest growth. Program.CloudInject apps, modified via the CloudInject cloud service, were the most common unwanted software. Among the potentially dangerous programs, or riskware, the most active were Tool.NPMod apps, which had been modified using the NP Manager utility. The most commonly detected adware programs were Adware.Adpush modules that developers embed into Android apps.

In October, Doctor Web released a report on Android.Backdoor.Baohuo.1.origin, a dangerous backdoor that threat actors embedded into Telegram X messenger modifications. This malware steals confidential information and allows the attackers to control both the victim’s account and the messenger itself by changing its operating logic. During the fourth quarter, our virus analysts discovered new threats on Google Play, including Android.Joker trojans, which subscribe users to paid services, and Android.FakeApp malicious apps, which are used for fraudulent purposes.

The following Q4 2025 events involving mobile malware are the most noteworthy:

- Adware trojans remained the most common Android threats.
- Android.Banker banking trojan activity increased.
- The dangerous backdoor Android.Backdoor.Baohuo.1.origin was found in third-party Telegram X messenger mods.
- New malicious programs emerged on Google Play.

To find out more about the security-threat landscape for mobile devices in Q4 2025, read our special overview.
# Analysis Summary
# Industry News: Dr.Web Q4 2025 Threat Landscape Shows Increased Volume, Focus on Mobile and Financial Fraud
## Summary
Dr.Web reported a significant 16.05% increase in overall threat detections in Q4 2025 compared to Q3, though the diversity of unique threats slightly declined. Key trends highlighted include surging activity from Android banking trojans, a rise in ransomware decryption requests, aggressive social engineering schemes (phishing and fake investment sites), and the emergence of specialized malware like the Telegram X backdoor and website traffic manipulation trojans.
## Key Details
- **Date:** January 12, 2026 (Reporting on Q4 2025)
- **Companies Involved:** Dr.Web (Doctor Web)
- **Category:** Market Analysis / Threat Intelligence Report
## The Story
Dr.Web's Q4 2025 review indicates that while the sheer number of attacks is escalating, attackers are reusing effective malware families. Desktop threats were dominated by adware, downloaders, and script-based malware distributed via email, often leveraging older Microsoft Office exploits. Ransomware activity saw an uptick, notably involving **Trojan.Encoder.35534**. The mobile ecosystem faced severe pressure, with increased activity from **Android.Banker** trojans and sophisticated threats like **Android.Backdoor.Baohuo.1.origin** targeting messaging apps (Telegram X), alongside Joker trojans on Google Play leading to unauthorized subscriptions. Furthermore, Dr.Web detailed highly organized financial fraud, including fake marketplace/prize scams and investment schemes leveraging high-profile political names for geopolitical targeting (e.g., the Trump-related investment fraud). The firm also identified unique threats such as **Trojan.ChimeraWire**, designed for black-hat SEO/click-fraud.
## Business Impact
### For the Companies Involved (Dr.Web)
- **Reinforced Relevance:** The high volume of detailed threat intelligence reinforces Dr.Web's position as a vital provider of security insights, driving potential OEM utilization of their detection data and justifying their subscription service relevance.
- **Product Validation:** Increased detection numbers validate the efficacy and necessity of their endpoint protection solutions (Dr.Web Security Space).
### For Competitors
- **Competitive Intelligence:** Competitors gain valuable indicators of compromise (IoCs) and tactical insights into successful attack vectors (e.g., DLL Search Order Hijacking, Office exploits), allowing them to rapidly tune their own detection engines.
- **Focus Shift:** The report confirms a strong trend toward mobile and financial/social engineering attacks, signaling where competitors must prioritize R&D and market messaging.
### For Customers
- **Increased Risk Profile:** Organizations and consumers are facing a higher volume of threats, leading to increased operational costs associated with remediation, decryption recovery (ransomware), and mitigating social engineering attacks.
- **Mobile Security Mandate:** The active Android banking trojans and Telegram X backdoor underscore that mobile devices are primary targets for credential and financial theft, requiring stronger endpoint protection beyond standard app vetting.
### For the Market
- **Monetization of Credential Theft:** The sophisticated monetization methods observed—from unauthorized mobile subscriptions (Joker trojans) to account takeover (Telegram backdoor) and financial scams (phishing, investment fraud)—confirm that credential and account theft remains a high-yield market segment for cybercriminals.
- **Persistence of Legacy Exploits:** The continued reliance on older Microsoft Office exploits (CVEs from 2017/2018) in email traffic suggests a significant patching deficit in enterprise environments, indicating sustained vulnerability exposure.
## Technical Implications
The activity points to evolving attacker tradecraft:
1. **Evasion Techniques:** The use of anti-debugging methods and DLL Search Order Hijacking (e.g., **Trojan.ChimeraWire**) indicates a focus on evading automated analysis and sandbox detection.
2. **Language Diversity:** The appearance of malware written in Go (**Trojan.Siggen31.34463**) shows threat actors diversifying toolchains for better cross-platform performance or evasion.
3. **Platform Specificity:** Deep integration into specific applications (Telegram X backdoor) demonstrates targeted exploitation rather than broad, opportunistic campaigns, requiring application-layer security monitoring.
## Strategic Analysis
- **Market Positioning:** Dr.Web successfully leverages its telemetry to position itself as a comprehensive security vendor covering traditional desktop endpoints, email vectors, and the rapidly expanding mobile threat surface.
- **Competitive Advantage:** Their analysis covering targeted-attack activity (the Cavalry Werewolf group's attack on a Russian state institution) and novel fraud schemes provides depth that general threat reports might lack, appealing to high-value enterprise and government clients requiring in-depth threat actor profiling.
- **Challenges:** The slight dip in *unique* threats, coupled with the sharp rise in *total* detections, suggests attackers are prioritizing the mass deployment of a known set of effective, adaptable tools over developing completely new families, which could strain generalized defense mechanisms if not updated rapidly.
## Industry Reactions
- **Analyst Opinions:** Analysts likely view the Q4 surge as indicative of the "normalization" of high threat volume, where saturation tactics remain effective, particularly against less sophisticated users (evidenced by the rise in adware and simple downloaders).
- **Expert Commentary:** Experts will emphasize that the overlap between financial fraud (investment scams) and credential theft (phishing, backdoors) represents a peak intersection of cybercrime profitability.
## Future Outlook
- **Prediction:** Expect continued escalation in targeted mobile banking malware and social engineering campaigns tied to geopolitical or economic narratives (as seen with the fraudulent investment schemes).
- **What to Watch For:** Further exploitation of popular messaging platforms (similar to Telegram X) and the adoption of more sophisticated click-fraud techniques like those seen with Trojan.ChimeraWire, potentially impacting digital advertising spend integrity.
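The report describes Trojan.ChimeraWire as reaching a site through a search engine and then clicking through its pages on operator-supplied parameters while presenting itself as a human visitor, so a user-agent check alone will not catch it. The script below is an added example, not Doctor Web's code and not anything the trojan's authors wrote: it shows one server-side behavioural check, parsing combined-format web server log lines, grouping hits by client address and user agent, and flagging sessions that arrive from a search referrer and whose inter-request gaps have an almost constant cadence (a low coefficient of variation). The log lines, the site name, the threshold values and the referrer list are constructed for the example.

```python
"""Flag sessions whose click cadence looks scripted (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime
import re
import statistics

# Apache/Nginx "combined" log format: ip ident user [ts] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
SEARCH_REFERERS = ("google.", "bing.", "yandex.")  # assumed list of search engine hosts
MIN_HITS = 5   # need enough clicks before judging cadence (assumed threshold)
MAX_CV = 0.15  # gaps varying less than 15% around their mean look machine-driven (assumed)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "req": m.group("req"),
            "referer": m.group("referer"), "ua": m.group("ua")}


def cadence_cv(timestamps):
    """Coefficient of variation of the gaps between consecutive hits (None if fewer than 2 gaps)."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    mean = statistics.mean(gaps)
    if mean == 0:
        return 0.0
    return statistics.pstdev(gaps) / mean


def find_scripted_sessions(lines):
    """Group hits by (ip, user agent); flag search-referred sessions with near-constant cadence."""
    sessions = defaultdict(list)
    for line in lines:
        hit = parse_line(line)
        if hit:  # malformed lines are skipped rather than aborting the run
            sessions[(hit["ip"], hit["ua"])].append(hit)
    flagged = []
    for (ip, ua), hits in sessions.items():
        if len(hits) < MIN_HITS:
            continue
        from_search = any(any(s in h["referer"] for s in SEARCH_REFERERS) for h in hits)
        cv = cadence_cv(h["ts"] for h in hits)
        if from_search and cv is not None and cv < MAX_CV:
            flagged.append({"ip": ip, "ua": ua, "hits": len(hits), "cv": round(cv, 3)})
    return flagged


def _line(ip, ts, path, referer, ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120"):
    """Build one constructed log line (site name example.test is a placeholder)."""
    return f'{ip} - - [{ts} +0300] "GET {path} HTTP/1.1" 200 4096 "{referer}" "{ua}"'


# Constructed sample: a scripted visitor (every 7 s), a human visitor (irregular gaps),
# an uptime probe (regular but never search-referred), and one malformed line.
SAMPLE_LOG = [
    _line("10.0.0.5", "14/Nov/2025:12:05:00", "/", "https://www.google.com/"),
    _line("10.0.0.5", "14/Nov/2025:12:05:07", "/products", "https://example.test/"),
    _line("10.0.0.5", "14/Nov/2025:12:05:14", "/products/1", "https://example.test/products"),
    _line("10.0.0.5", "14/Nov/2025:12:05:21", "/products/2", "https://example.test/products"),
    _line("10.0.0.5", "14/Nov/2025:12:05:28", "/products/3", "https://example.test/products"),
    _line("10.0.0.5", "14/Nov/2025:12:05:35", "/about", "https://example.test/"),
    _line("10.0.0.9", "14/Nov/2025:12:00:00", "/", "https://www.google.com/"),
    _line("10.0.0.9", "14/Nov/2025:12:00:03", "/products", "https://example.test/"),
    _line("10.0.0.9", "14/Nov/2025:12:00:44", "/products/42", "https://example.test/products"),
    _line("10.0.0.9", "14/Nov/2025:12:00:56", "/cart", "https://example.test/products/42"),
    _line("10.0.0.9", "14/Nov/2025:12:02:31", "/checkout", "https://example.test/cart"),
    *[_line("10.0.0.77", f"14/Nov/2025:12:{m:02d}:00", "/health", "-", "uptime-probe/1.0")
      for m in range(5)],
    "this line is not a valid log record",
]

if __name__ == "__main__":
    for s in find_scripted_sessions(SAMPLE_LOG):
        print(f"scripted cadence: {s['ip']} {s['hits']} hits, cv={s['cv']}")
```

The cadence threshold is deliberately conservative; in production it would be tuned against known-good traffic, and the referrer condition is what keeps monitoring probes and crawlers that never arrive via search results out of the flagged set.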
## For Security Professionals
Incident response teams should prioritize:
1. **Patch Management:** Urgency in addressing legacy vulnerabilities in Microsoft Office exploited via email workflows.
2. **Mobile Security Hygiene:** Strict control over third-party messengers and applications outside official app stores, given the risks posed by the Telegram X backdoor.
3. **User Awareness Training:** Mandatory training focused on recognizing complex social engineering tactics, including multi-stage financial/prize fraud and investment scams employing high-profile fake endorsements.
4. **Endpoint Controls:** Review controls to mitigate DLL hijacking vulnerabilities in commonly installed applications like torrent clients (uTorrent example cited).
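Both the DLL Search Order Hijacking case in the report (Trojan.Siggen31.34463, a DLL placed at `%appdata%\utorrent\lib.dll` so that the uTorrent client loads it) and the endpoint-controls item above reduce to one question for a defender: which DLLs a process has loaded from user-writable locations rather than from trusted system or program directories. The following Python script is an added example, not Doctor Web's code. It takes (process, module path) pairs of the kind an EDR or module-list export provides, expands `%VAR%` references from a supplied environment map so it runs offline on any platform, and flags DLLs that sit under a user-writable root or whose file name shadows a System32 DLL. The trusted roots, the shadowed-name list, the sample environment and the module list are constructed for the example; only the `lib.dll` path comes from the report.

```python
"""Flag DLLs loaded from user-writable paths (added example; sample data constructed)."""
import ntpath
import re

# Directories from which loading a DLL is expected (assumed allowlist for the example).
TRUSTED_ROOTS = (
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
)
# DLL names that normally resolve to System32; a copy loaded from elsewhere is a
# classic sideload. Assumed list for the example, not taken from the report.
SYSTEM_DLL_NAMES = {"version.dll", "dwmapi.dll", "cryptbase.dll", "userenv.dll"}
# Environment variables whose directories an ordinary user can write to.
USER_WRITABLE_VARS = ("APPDATA", "LOCALAPPDATA", "TEMP", "USERPROFILE")

_ENV_RE = re.compile(r"%([^%]+)%")


def expand_windows_env(path, env):
    """Expand %VAR% references (case-insensitively) from the given environment map."""
    lower_env = {k.lower(): v for k, v in env.items()}
    return _ENV_RE.sub(lambda m: lower_env.get(m.group(1).lower(), m.group(0)), path)


def _under(path, root):
    """True if path is root or lies below it; Windows paths compare case-insensitively."""
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(ntpath.normpath(root))
    return p == r or p.startswith(r + "\\")


def classify_module(process, module_path, env):
    """Return a finding dict if the module looks sideloaded, else None."""
    full = expand_windows_env(module_path, env)
    name = ntpath.basename(full).lower()
    if not name.endswith(".dll"):
        return None
    if any(_under(full, root) for root in TRUSTED_ROOTS):
        return None
    upper_env = {k.upper(): v for k, v in env.items()}
    reasons = []
    for var in USER_WRITABLE_VARS:  # ordered most specific first; stop at the first match
        root = upper_env.get(var)
        if root and _under(full, root):
            reasons.append(f"loaded from user-writable %{var}%")
            break
    if name in SYSTEM_DLL_NAMES:
        reasons.append("name shadows a System32 DLL")
    if not reasons:
        reasons.append("loaded from outside trusted roots")
    return {"process": process, "path": full, "reasons": reasons}


def find_sideload_candidates(modules, env):
    """modules: iterable of (process_name, module_path); returns the list of findings."""
    findings = []
    for process, path in modules:
        finding = classify_module(process, path, env)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample environment and module list for a single user session.
SAMPLE_ENV = {
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
    "USERPROFILE": r"C:\Users\alice",
}
SAMPLE_MODULES = [
    ("uTorrent.exe", r"C:\Windows\System32\kernel32.dll"),
    ("uTorrent.exe", r"%appdata%\utorrent\lib.dll"),  # path the report gives for Trojan.Siggen31.34463
    ("uTorrent.exe", r"C:\Users\alice\AppData\Roaming\uTorrent\version.dll"),  # constructed sideload
    ("notepad.exe", r"C:\WINDOWS\SYSTEM32\version.dll"),  # legitimate despite the different casing
]

if __name__ == "__main__":
    for f in find_sideload_candidates(SAMPLE_MODULES, SAMPLE_ENV):
        print(f"{f['process']}: {f['path']} ({'; '.join(f['reasons'])})")
```

In practice the module list would come from an EDR export or a per-process module enumeration on the endpoint, and the trusted-roots list would be extended with the organisation's own software deployment paths; the point of the check is that a DLL under `%APPDATA%` loaded by an application installed elsewhere deserves a look regardless of its name.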