Check Point Press Releases

Check Point’s Threat Index Reveals RoughTed and Fireball Drop-off in July

RoughTed malvertising campaign has remained the most prevalent malware in July, despite drop in infections; Fireball continued to decline after the arrest of its suspected distributors

San Carlos, CA  —  Mon, 21 Aug 2017

Check Point® Software Technologies Ltd. (NASDAQ: CHKP) reveals that according to its latest Global Threat Impact Index, the number of organizations impacted by the RoughTed malvertising campaign fell by more than a third during July, from 28% to 18%.

RoughTed is a large-scale malvertising campaign used to deliver malicious websites and payloads such as scams, adware, exploit kits and ransomware. Despite its drop-off, RoughTed remained the most prevalent form of malware during July. Hacker Defender, a user-mode rootkit for Windows, increased to second place and affected 5% of organizations globally.

The Index also reveals a sharp decline in the prevalence of Fireball, which fell to third place. In July, it impacted 4.5% of organizations, down from 20% of organizations only two months ago, following the arrest of the suspected distributors during the month.

“The drop in Fireball is encouraging and can be related to the arrest of its suspected distributors in China. This highlights the positive impact that law enforcement authorities can have when working in tandem with the cyber security industry,” said Maya Horowitz, Threat Intelligence Group Manager at Check Point.

July 2017’s Top 3 ‘Most Wanted’ Malware:

*The arrows relate to the change in rank compared to the previous month.

  1. ↔ RoughTed – Large scale Malvertising used to deliver various malicious websites and payloads such as scams, adware, exploit kits and ransomware. It can be used to attack any type of platform and operating system, and utilizes ad-blocker bypassing and fingerprinting in order to make sure it delivers the most relevant attack.
  2. ↑ Hacker Defender – User-mode Rootkit for Windows, can be used to hide files, processes and registry keys, and also implements a backdoor and port redirector that operates through TCP ports opened by existing services. This means it is not possible to find the hidden backdoor through traditional means.
  3. ↓ Fireball – Browser-hijacker that can be turned into a full-functioning malware downloader. It is capable of executing any code on the victim machines, resulting in a wide range of actions from stealing credentials to dropping additional malware.

For the first time in 2017, Hummingbad did not appear in the top three of the most common mobile malware as spyware. This month, TheTruthSpy had the highest impact on organizations mobile estates – followed by Lootor and Triada.

Top 3 ‘Most Wanted’ mobile malware:

  1. TheTruthSpy – Mobile spyware which can be installed in stealth mode and used to track and record data from a device.
  2. Lotoor – Hack tool that exploits vulnerabilities on Android operating system in order to gain root privileges on compromised mobile devices.
  3. Triada – Modular Backdoor for Android which grants super-user privileges to downloaded malware and helps it embed into system processes. Triada has also been spoofing URLs loaded in the browser.

“It is encouraging to see highly infectious malware variants becoming less impactful, but it is critical that organizations do not see this as a signal that they can drop their guard. While RoughTed’s effectiveness dropped considerably, nearly one in five organizations were still impacted by it during July. It is also important to be aware that as soon as one avenue for attackers is shut down, cyber-criminals quickly devise new malware forms to attack targets with. Organizations in every industry need a multi-layered approach to their cyber security.

SandBlast™ Zero-Day Protection and Mobile Threat Prevention, for example, protect against the widest range of continually evolving attack types, and also protect against zero-day malware variants,” concluded Horowitz.

Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence, a collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.

* The complete list of the top 10 malware families in July can be found on the Check Point Blog.


Follow Check Point Research via:



About Check Point Research

Check Point Research provides leading cyber threat intelligence to Check Point Software customers and the greater intelligence community. The research team collects and analyzes global cyber-attack data stored on ThreatCloud to keep hackers at bay, while ensuring all Check Point products are updated with the latest protections. The research team consists of over 100 analysts and researchers cooperating with other security vendors, law enforcement and various CERTs.


About Check Point Software Technologies Ltd.

Check Point Software Technologies Ltd. ( is a leading provider of cyber security solutions to governments and corporate enterprises globally. Its solutions protect customers from cyber-attacks with an industry leading catch rate of malware, ransomware and other types of attacks. Check Point offers a multilevel security architecture that defends enterprises’ cloud, network and mobile device held information, plus the most comprehensive and intuitive one point of control security management system. Check Point protects over 100,000 organizations of all sizes.


This website uses cookies for its functionality and for analytics and marketing purposes. By continuing to use this website, you agree to the use of cookies. For more information, please read our Cookies Notice.