Cyber Threat Intelligence Report: Top 4 Malware Targeting Finance

Introduction

The finance sector continues to face sustained and evolving cyber threats driven by the high value of financial data, credentials, and transactional access. Malware remains one of the most common and effective mechanisms used to compromise financial institutions, payment platforms, and end users, enabling fraud, data theft, and operational disruption.

According to Bitsight Threat Intelligence, malware activity impacted approximately 34 percent of organizations observed, accounting for 36 percent of total attacks over the past year. Financial services organizations remain particularly exposed due to the direct monetization potential of stolen credentials, sensitive customer data, and authenticated system access.

Financially motivated malware campaigns increasingly rely on scalable delivery methods, credential theft, and exploitation of trusted technologies rather than novel techniques. As a result, many intrusions generate their most significant impact after initial compromise, when stolen data or access is reused, resold, or leveraged for fraud.

This blog highlights the top malware categories currently targeting the finance sector, examining how these threats are delivered, how they operate, and the risks they pose to organizations and customers.

Methodology and scope

This assessment is based on analysis conducted by Bitsight Threat Intelligence, incorporating telemetry, malware analysis, incident reporting, and observed attack patterns affecting financial organizations and their customers.

The scope of this report focuses on malware categories most commonly associated with financial impact, including credential theft, fraud, data exposure, and unauthorized system access. Coverage includes both enterprise-targeted malware and consumer-focused threats that generate downstream risk for financial institutions.

To maintain relevance and accuracy, this report emphasizes observed techniques, delivery methods, and operational behaviors rather than attribution to specific threat actors or ransomware groups. Malware-as-a-service ecosystems are discussed as enabling models where applicable, reflecting their role in scaling financially motivated activity.

Metrics referenced reflect aggregated observations over the past year and are intended to illustrate relative prevalence and impact rather than exact incident counts. Findings are presented to support risk prioritization, detection strategy development, and incident response planning within the finance sector.

1. Banking trojans

Banking trojans have remained a consistent threat to the finance sector as the adoption of online banking and digital payments increases. These malware families are specifically designed to steal credentials related to banking platforms, financial services, and cryptocurrency exchanges.

According to Bitsight Threat Intelligence, banking trojans continue to serve as key initial access vectors in financially motivated attacks, likely due to their ability to remain undetected, propagate widely, and target high-value environments. This conclusion is drawn from:  

• Detection of known banking trojan indicators (file hashes, command-and-control infrastructure, and payload behaviors) across financial organizations and their supply chains.
   
• Correlation of credential theft activity with malware exposure.
   
• Trend data showing ongoing use and re-use of families such as Anubis, Hydra, and Cerberus.
   
• Deep and dark web monitoring showing advertisement, evolution, and sale of banking trojans by criminal actors.

An example detection included a financial platform in Southeast Asia with observed command-and-control communication linked to infrastructure previously associated with the Anubis banking trojan (IP: 185.141.62.123).

Most banking trojans are modular in design. After initial infection, they can download additional functionality tailored to the victim, enabling credential theft, session hijacking, or remote access.

Email attachments continue to be the most common delivery mechanism. These typically contain macros or embedded scripts that execute malware under the guise of legitimate business communication. Once active, infections may support credential theft, fraud, or resale of access on underground forums.

Modern banking trojans are increasingly sophisticated. Capabilities may include overlay attacks on banking apps, interception of SMS-based authentication, abuse of accessibility services, keylogging, screen recording, and remote control. These features allow attackers to conduct unauthorized transactions with minimal user awareness.

Geographically, banking trojan activity has been especially prevalent in Brazil, Turkey, and Southeast Asia, where malware campaigns are often customized for local financial institutions and payment platforms.

Recent examples:

• DoubleTrouble Android Banking trojan spread through Discord. Initially, DoubleTrouble was spread through phishing sites. In July 2025, security researchers observed DoubleTrouble distributing malicious Android Package Kits (APKs) hosted through Discord channels which allowed them to evade detection.
   
• Klopatra Android Banking Trojan, infected thousands of devices. Klopatra functions both as a Remote Access Trojan (RAT) and an Android Banking Trojan. In August 2025, security researchers discovered that the banking trojan had infected an estimated 3,000 devices in Spain and Italy. According to Bitsight Threat Intelligence, Klopatra Banking Trojan appeared in March of 2025 and has 40 distinct builds. 

2. Android banking malware

Android banking malware continues to evolve alongside the growth of mobile banking, posing a persistent threat to end users. These threats typically aim to steal credentials, intercept one-time passwords (OTPs), and gain unauthorized access to financial applications, often resulting in account takeovers, fraudulent transactions, and long-term erosion of customer trust. 

In 2025, Bitsight observed elevated levels of Android banking malware activity with a significant spike in detections during August and September. Campaigns observed across Turkey, Spain, Italy, and Southeast Asia illustrate how regional mobile threats are tailored to local languages, payment platforms, and mobile banking habits. 

These campaigns frequently involve malicious Android applications distributed through unofficial sources or disguised as legitimate tools like PDF readers, streaming services, or phone optimizers. Once installed, the malware leverages advanced techniques such as overlay attacks, SMS interceptions, keylogging, and abuse of Android Accessibility Services to harvest credentials in real time.

Recent examples:

• In July 2025, Anatsa (aka Teabot) Banking Trojan leveraged a fake PDF application on the Google Play store (despite passing Play Store security checks). During this attack, an estimated 90,000 users were impacted. The actors leveraged keyloggers, overlay attacks, and credential theft to steal banking details of an astonishing number of users. According to Bitsight Threat Intelligence, Anatsa has targeted over 831 financial institutions in the past year expanding its operations to Germany and South Korea. Previously, Bitsight reported that Anatsa had targeted 650 financial institutions across Europe, US, and UK in previous years.
   
• In late August 2025, Frogblight Android Banking Trojan targeted users in Turkey. Our data shows that smishing messages were sent to users with the claim of an impending court case. Users were directed to download an app in which they could view court supposed court documents, but instead unknowingly installed malware. Frogblight was able to send SMS messages from an infected user’s device, thus expanding the reach of this attack. 

3. Information-stealing malware

Information Stealers continue to rank among the most pervasive malware categories affecting the finance sector. These threats are designed to harvest sensitive data from infected systems and devices including stolen credentials, browser cookie sessions, financial account token, and system metadata. They often serve as precursors to larger attacks, fraud, unauthorized access, or system wide compromise. 

According to Bitsight Threat Intelligence, finance-related platforms (such mobile payment apps) are frequent targets of information-stealing malware campaigns. These platforms are particularly attractive due to their integration with payment workflows, stored financial data, and access to transaction histories.

RedLine, one of the most active information stealers observed across Bitsight’s telemetry, is commonly delivered through phishing emails, malicious download links, cracked software sites, or spoofed software updates. Once executed, it silently collects browser credentials, saved passwords, authentication cookies, and details from financial applications installed on the system or device. 

Bitsight analysis links RedLine to widespread credential theft activity impacting:

• Online banking portals
• Enterprise financial software
• Cryptocurrency wallet extensions

Rather than immediately deploying secondary payloads, RedLine often enables threat actors to sell access in underground markets, where banking credentials and session tokens tied to financial platforms are resold to facilitate account takeovers or business email compromise (BEC) scams. 

RedLine operates under a Malware-as-a-Service (MaaS) model, allowing multiple criminal groups to tailor campaigns while relying on shared infrastructure and tools. The malware also collects device fingerprints and system inventory data, which is used to filter for high-value victims like users logged into financial management tools or connected to enterprise accounting environments.

Because the operational impact of information stealers is delayed, often resurfacing only once credentials are reused or sold on the dark web, many financial organizations may remain unaware of a compromise until fraud, unauthorized withdrawals, or anomalous login attempts are detected across customer or employee accounts. 

Recent examples: 

• In May 2025, Bitsight in collaboration with the FBI and Microsoft’s Digital Crimes unit disrupted the Lumma Stealer malware after it infected nearly 400,000 devices globally.
   
• In 2025, security researchers released a report detailing an information-stealing malware campaign in which 2.3 million compromised bank card information and bank login credentials were seen for sale across the deep and dark web. 

4. Malware-as-a-service (MaaS) ecosystems

Malware-as-a-service continues to play a significant role in the scale and persistence of financial malware activity. Under this model, malware developers provide tooling, infrastructure, updates, and support to customers, lowering technical barriers and increasing campaign volume.

According to Bitsight Threat Intelligence, the finance sector is disproportionately affected by MaaS-driven malware due to the direct monetization potential of stolen credentials, financial data, and authenticated access. Information stealers, loaders, and banking trojans are commonly chained together to enable multi-stage intrusions.

MaaS tooling is frequently updated to evade detection, rotate infrastructure, and introduce new capabilities. This results in repeated exposure for organizations even after successful remediation, particularly when credential hygiene and access controls are not addressed.

Threat monitoring and incident response

According to Bitsight Threat Intelligence, malware accounted for a significant portion of observed cyber incidents over the past year, with the finance sector experiencing elevated exposure due to the value of financial and identity data.

Organizations should prioritize continuous monitoring of email traffic, endpoint behavior, and authentication activity. Strong email filtering, endpoint detection, and anomaly-based monitoring are essential for early detection.

Threat hunting efforts should focus on identifying credential theft indicators, abnormal login behavior, command-and-control communications, and signs of modular malware activity. Incident response plans should include rapid credential revocation, system isolation, forensic preservation, and recovery from trusted backups.

Conclusion

The finance sector remains a primary target for a diverse range of malware, including banking trojans, information stealers, mobile banking malware, and malware delivered through service-based ecosystems. According to Bitsight Threat Intelligence, the convergence of credential theft, mobile exploitation, and scalable malware delivery models continues to drive risk across financial organizations.

Reducing exposure requires consistent security hygiene, rapid vulnerability management, strong access controls, and proactive monitoring. Early detection and response remain critical, as many financially motivated attacks generate their greatest impact after initial compromise rather than at the point of infection.

How Bitsight can help

• Identify external indicators associated with malware exposure, including compromised systems, suspicious network behavior, and insecure configurations that increase susceptibility to banking trojans and information-stealing malware.
• Monitor for security signals commonly linked to credential theft activity, supporting earlier detection of risks associated with banking trojans, information stealers, and malware-as-a-service operations.
• Assess exposure related to email security posture and externally observable controls that influence the likelihood of phishing-based malware delivery.
• Highlight vulnerabilities and misconfigurations that may increase the risk of exploitation-driven intrusions affecting financial organizations.
• Provide continuous visibility into mobile and third-party risk exposure, supporting oversight of suppliers and service providers that may introduce downstream malware risk.
• Enable risk prioritization by correlating malware-related findings with overall security posture and peer benchmarks, helping organizations focus remediation efforts on the most impactful controls.
• Enhance intelligence through monitoring of dark web activity, including the advertisement, sale, and evolution of malware families, to identify emerging threats and understand shifts in criminal toolsets and targeting.
• Track malware tactics, techniques, and procedures (TTPs) to inform threat hunting strategies, helping organizations detect early-stage activity associated with malware deployment.
• Support ongoing monitoring and reporting to track improvements in security posture, enhance threat detection, and reduce the likelihood and impact of malware-driven incidents over time.

Talk to our team to learn more.