April Threat Landscape: Cybercriminals Sharpen Tools as FakeUpdates Remains Top Threat

IT security firm Check Point Software has published its April 2025 threat report, which shows that FakeUpdates continues to dominate. The researchers also reveal how cybercriminals are combining commodity malware with sophisticated techniques to evade detection — a trend that increases the risk of breaches for Swedish organizations.

FakeUpdates, also known as SocGholish, was again the most widespread malware in April, affecting 6 percent of organizations globally. In Sweden, 7.62 percent of organizations were impacted, giving it a clear first place. In second place was Androxgh0st at 2.88 percent, followed by Remcos at 1.52 percent.

Check Point researchers warn of a growing trend: multi-stage campaigns in which commodity malware such as AgentTesla, Remcos and XLoader are chained together with more advanced techniques to infiltrate systems and harvest data. These attacks typically begin with convincing phishing emails that include attached ZIP files containing malicious code. That code then executes a script which launches a sequence of executables that inject malware into Windows processes. The result is highly stealthy attacks with significant potential for damage.

“We are seeing the threat landscape evolve quickly,” says Mats Ekdahl, security expert at Check Point Software. Cybercriminals can deploy large-scale campaigns using tools that are openly available for a few hundred kronor. That makes it essential for organizations to adopt a preventive security mindset and leverage technologies that perform real-time analysis.

For organizations looking to reduce risk, key recommendations from the report include: enforcing strong email security and phishing defenses, applying timely patching and endpoint protection, using behavior-based detection that spots in-memory injection and suspicious process activity, and implementing network segmentation to limit lateral movement. Regular user training and simulated phishing exercises also help lower the chance that attackers will succeed with the initial foothold.

While commodity malware remains widely available and affordable, its integration into multi-stage campaigns makes it far more dangerous. Detection technologies that focus on fileless techniques, script behavior and process injection are crucial to identify and stop these stealthy chains early. Organizations should also monitor for indicators of compromise associated with FakeUpdates/SocGholish and the other prevalent families highlighted in the report.
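As an added illustration of the behavior-based detection the report recommends (this is example code written for this summary, not Check Point's or any vendor's detection logic), the following Python script correlates three stages of the chain described above: a script host started with a script from a download or extraction folder, executables it spawns from a staging directory, and a remote-thread injection by a process in that tree. The event schema, field names, staging-directory patterns and the sample events are all constructed for the example and do not correspond to a real EDR or Sysmon format.

```python
"""Toy multi-stage chain detector (added example; constructed event schema)."""
from dataclasses import dataclass
import re

# Script interpreters that commonly execute the first stage of the chain.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
# Folders where extracted archive contents usually land (constructed pattern).
STAGING_DIR = re.compile(r"\\(Temp|Downloads)\\", re.IGNORECASE)


@dataclass
class ProcessCreate:
    pid: int
    ppid: int
    image: str          # full path of the new process
    command_line: str


@dataclass
class RemoteThread:
    source_pid: int     # process creating a thread in another process
    target_pid: int
    target_image: str


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(pid, procs):
    """Yield parent, grandparent, ... of pid as far as we have records."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        pid = procs[pid].ppid
        yield pid


def detect_chain(events):
    """Return chains that show all three stages tied to one script-host root."""
    procs = {e.pid: e for e in events if isinstance(e, ProcessCreate)}
    # Stage 1: a script host whose command line points into a staging folder.
    roots = {p.pid for p in procs.values()
             if basename(p.image) in SCRIPT_HOSTS and STAGING_DIR.search(p.command_line)}

    def root_of(pid):
        for a in [pid, *ancestors(pid, procs)]:
            if a in roots:
                return a
        return None

    chains = {r: {"root": r, "staged_exec": [], "injection": []} for r in roots}
    for e in events:
        if isinstance(e, ProcessCreate):
            # Stage 2: a descendant of the root launches an .exe from a staging folder.
            r = root_of(e.ppid)
            if r is not None and e.image.lower().endswith(".exe") and STAGING_DIR.search(e.image):
                chains[r]["staged_exec"].append(e.pid)
        else:
            # Stage 3: a process in the tree creates a thread in another process.
            r = root_of(e.source_pid)
            if r is not None:
                chains[r]["injection"].append((e.source_pid, e.target_pid))
    return [c for c in chains.values() if c["staged_exec"] and c["injection"]]


# Constructed sample events: one malicious chain plus benign activity.
SAMPLE_EVENTS = [
    ProcessCreate(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessCreate(200, 100, r"C:\Windows\System32\wscript.exe",
                  r'wscript.exe "C:\Users\alice\Downloads\invoice\invoice.js"'),
    ProcessCreate(300, 200, r"C:\Users\alice\AppData\Local\Temp\stage1.exe", "stage1.exe"),
    ProcessCreate(400, 300, r"C:\Users\alice\AppData\Local\Temp\stage2.exe", "stage2.exe"),
    RemoteThread(400, 150, r"C:\Windows\explorer.exe"),
    # Benign: admin script outside any staging folder, and a user-launched installer.
    ProcessCreate(600, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  r"powershell.exe -File C:\Scripts\backup.ps1"),
    ProcessCreate(700, 600, r"C:\Windows\System32\robocopy.exe", "robocopy.exe D: E:"),
    ProcessCreate(800, 100, r"C:\Users\alice\Downloads\setup.exe", "setup.exe"),
]

if __name__ == "__main__":
    for chain in detect_chain(SAMPLE_EVENTS):
        print("suspicious chain rooted at pid", chain["root"], chain)
```

Run as-is, the script reports one chain rooted at the wscript.exe process (pid 200) and ignores the PowerShell backup job and the installer launched directly from Downloads, because neither has a script host fed from a staging folder as its root; requiring all three stages is what keeps a single staged executable or a lone remote-thread event from firing on its own.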

For more information, read Check Point Software’s blog post summarizing the April 2025 findings: https://blog.checkpoint.com/research/april-2025-malware-spotlight-fakeupdates-dominates-as-multi-stage-campaigns-blend-commodity-malware-with-stealth/