top of page

IT Threat Evolution in Q1 2026: Comprehensive Statistics Report

  • May 18
  • 3 min read

Key Findings


  • More than 2.67 million mobile attacks prevented in Q1 2026, down from 3.24 million in Q4 2025

  • Trojan-Banker malware dominated mobile threats with 10.86% share of detections

  • 306,070 malicious installation packages discovered, with 162,275 tied to mobile banking Trojans

  • Kaspersky blocked over 343 million web-based attacks in Q1 2026

  • 2,938 new ransomware variants detected, with 77,319 unique users targeted

  • Clop ransomware returned to top position with 14.42% of DLS victims

  • SparkCat crypto stealer found in apps on Google Play and Apple App Store using advanced obfuscation techniques

  • Kimwolf botnet linked to IPIDEA proxy network, later dismantled by law enforcement


Background


The data in this report comes from the Kaspersky Security Network, a global system for analyzing anonymized threat information shared voluntarily by Kaspersky product users. In Q3 2025, Kaspersky updated its methodology for calculating statistical indicators, which affected all sections except installation package statistics. Previous quarters were recalculated using the new methodology to ensure consistency for future comparisons. The methodology change means some figures differ significantly from earlier published reports, but enables accurate trend analysis going forward.


Mobile Threat Volume and Trends


Attack volumes on mobile devices declined in Q1 2026 to 2.67 million from 3.24 million in the previous quarter. However, this decrease does not necessarily indicate reduced risk for users. The drop stems primarily from fewer adware and RiskTool detections, while the number of unique users targeted by threats remained relatively stable. Android malware samples slightly increased to 306,070, suggesting threat actors are maintaining production despite lower detection volumes overall.


Mobile Banking Trojans Lead the Charge


Banking Trojans emerged as the most prevalent mobile malware category by installation packages, accounting for more than half of all detected malicious apps. Among these, Mamont variants dominated with 73.5% of banking Trojan detections, followed by Faketoken, Rewardsteal, and Creduz families. Despite their prominence in package volume, banking Trojans were still surpassed by adware and RiskTool apps when measuring total affected users. HiddenAd and MobiDash represented the most common adware, while Revpn and SpyLoan dominated RiskTool detections.


Advanced Threats and Discoveries


Researchers linked the notorious Kimwolf botnet to the IPIDEA proxy network in Q1, leading to the network's takedown in cooperation with GTIG. Early 2026 brought a significant discovery when SparkCat, a crypto stealer, was found in multiple apps on Google Play and the Apple App Store. The attackers embedded obfuscated Rust malware code using a custom-built Dalvik-like virtual machine for Android. The iOS variant evolved to leverage Apple's proprietary Vision framework for optical character recognition, demonstrating increasing sophistication.


Non-Mobile Ransomware Landscape


Kaspersky blocked over 343 million web-based attacks in Q1 2026, with Web Anti-Virus responding to 50 million unique links. Nearly 15 million malicious objects were caught by File Anti-Virus. The ransomware ecosystem saw significant law enforcement action, including the FBI's seizure of RAMP domains, a major recruiting platform for RaaS programs. Despite these interventions, 2,938 new ransomware variants emerged in Q1, returning to Q3 2025 activity levels after a surge in Q4.


Major Ransomware Groups and Operators


Clop reclaimed the top position among ransomware gangs with 14.42% of victims published on data leak sites, displacing Qilin which held 12.34%. The Gentlemen, an emerging threat actor that appeared no later than July 2025, quickly climbed to third place with 9.25%, already surpassing established groups like Akira at 7.25% and INC Ransom at 6.13%. This rapid rise indicates a competitive and dynamic ransomware-as-a-service environment where new operators can quickly gain market share.


Critical Vulnerability Exploitation


The Interlock group exploited CVE-2026-20131, a zero-day vulnerability in Cisco Secure FMC firewall management software, since at least January 26, 2026. The flaw allowed arbitrary Java code execution with root privileges, enabling attackers to compromise network appliances. This campaign reflects the ransomware ecosystem's continued reliance on zero-day vulnerabilities for initial access and the rapid weaponization of network infrastructure weaknesses.


Law Enforcement Actions


Q1 2026 saw significant law enforcement victories. Polish authorities arrested a suspect linked to the Phobos group, while a Phobos administrator pleaded guilty in the U.S. to ransomware distribution dating back to November 2020. The Department of Justice charged a negotiator working for a cyber incident response firm with collusion with BlackCat actors, allegedly sharing negotiation insights and serving as an affiliate. An initial access broker for Yanluowang received an 81-month sentence for facilitating dozens of attacks resulting in over 9 million dollars in confirmed losses.


Ransomware Targeting Geography


Pakistan led ransomware targeting at 0.79% of attacked users, followed by South Korea at 0.64% and China at 0.52%. Tajikistan, Libya, and Turkmenistan rounded out the top six. Notably, countries outside traditional cybercrime hotspots like Rwanda and Cameroon appeared in the top ten, suggesting threat actors are casting wider nets or encountering different defensive postures across regions. Ransomware activity peaked in March 2026, with 35,056 unique users encountering attacks during that month alone.


Sources


  • https://securelist.com/malware-report-q1-2026-mobile-statistics/119819/

  • https://securelist.com/malware-report-q1-2026-pc-iot-statistics/119828/

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page