RATs give attackers full control over infected devices: they can execute commands, move laterally, launch other programs, collect data, and install additional malware. This makes RATs ideal for scaling: after compromising one device, an attacker can use it as an entry point to move laterally within the network or to gather information. In March 2025, Head Mare launched a wave of attacks on manufacturing companies in Russia, affecting about 100 organizations. Victims received phishing emails with ZIP attachments. As a result, the PhantomPyramid Python backdoor was installed on infected systems for remote control, along with the legitimate MeshAgent tool, which the attackers used to pose as administrative software.
Attackers also use RATs to build botnets—networks of infected devices that can be used for DDoS attacks, spam, phishing, or cryptocurrency mining. Thanks to automated control, such botnets are easy to scale: new victims join the network, and commands are pushed to all nodes at once.
Spyware and miners appeared in one out of five attacks (22% and 19%, respectively). Spyware is widely used in both mass and targeted attacks because it is so versatile, while miners are becoming less profitable as mining profits fall. Miners only make sense only when very large numbers of devices are infected: profit per device is small, but scale adds up, which is why they're popular in mass campaigns. Attackers spread them via phishing or by exploiting vulnerabilities. In targeted attacks, however, miners are rarely used because noticeable performance drops quickly attract attention.
Ransomware remains the primary tool in targeted attacks (14%), and its use in mass campaigns is also growing thanks to widely available RaaS platforms and high automation. In February 2025, Russian small and medium-sized businesses faced a new threat—PE32 ransomware, a sophisticated tool that uses post‑quantum cryptography to encrypt data in three rounds. Dozens of companies were affected, with ransom demands ranging from $500 to $150,000, payable in Bitcoin.
Technologies once employed in targeted ransomware attacks are now being adapted for mass use: underground forums increasingly offer RaaS services with ready‑made builders, manuals, and infrastructure for launching attacks. As competition grows in the dark web market, attackers upgrade their platforms with unique features and better evasion techniques to attract more partners. This lets even inexperienced attackers run high‑tech campaigns with automated delivery and defense evasion. As a result, we expect the number and share of mass attacks involving ransomware to keep growing: a low barrier to entry, strong automation, and attractive monetization opportunities make these services appealing to cybercriminals. For example, a new RaaS platform called Pay2Key appeared on Russian cybercrime forums. Built on the Mimic ransomware, it is primarily used in mass attacks but also allows attackers to target specific victims. Despite informal bans on attacks across the CIS, the attackers carried out at least three phishing campaigns against Russian companies in finance, construction, and retail. The attacks started with phishing emails containing malicious RAR attachments or links to files on Dropbox. After a self‑extracting (SFX) archive was launched, Pay2Key was downloaded to the device.