Understanding the growing and increasingly sophisticated cyberthreat landscape is now a prerequisite for day-to-day cyber defence in South Africa, according to global cybersecurity company Kaspersky. At a recent media event held in Johannesburg, Maher Yamout, Lead Security Researcher for the Global Research & Analysis Team (GReAT) at Kaspersky, unpacked South Africa’s current cyberthreat landscape, looking at ransomware trends and the rise of infostealers.

According to data from Kaspersky, 42.4 million web attacks and 95.6 million on-device attacks were detected in Sub-Saharan Africa in the first half of 2025 (H1 2025). The region recorded more than a twofold increase in spyware attacks, as well as 64% more password stealer attacks and 12% more backdoor infections compared with the same period of the previous year.
In South Africa in H1 2025, Kaspersky security tools blocked more than 6 million online attack attempts on users. One in five users in the country (20.9%) was targeted by threats that include phishing scams, exploits, botnets, Remote Desktop Protocol attacks, and network spoofing such as fake Wi-Fi networks. In the same period, 10.3 million on-device incidents were blocked, and 21.2% of South African users encountered malware delivered via infected USB drives, CDs, DVDs, and hidden installers, including ransomware, worms, backdoors, trojans, password stealers, and spyware. Industrial environments also remain a target: Kaspersky solutions blocked attacks on 27.7% of ICS (Industrial Control Systems) computers in South Africa in H1 2025.
Kaspersky’s analysis shows that the number of backdoors more than doubled in South Africa in H1 2025, compared to the same period in 2024 (a 123% increase was recorded). Furthermore, banking trojans grew 136%, and password stealers increased 122%. Spyware attacks happened 3.6 times more often, alongside a 14% increase in exploits targeting vulnerabilities in applications like Microsoft Office.
Infostealers remain a concern for both consumers and enterprises. Kaspersky notes that many stealers still reach Windows PCs via phishing and pirated software, reinforcing the need for secure mail gateways, application control, and blocking of unapproved software. Additionally, Kaspersky's research this year exposed SparkCat, the first stealer to infiltrate Apple’s App Store, which was also found on Google Play. It scans photo galleries for screenshots containing sensitive data, such as wallet recovery phrases or passwords, demonstrating that storing credentials in images is unsafe. A related family, SparkKitty, was later observed exfiltrating images and device details via apps distributed through official stores and scam sites.
“Knowing the threat landscape becomes an operational concern,” said Yamout. “When you understand which threats are registered in the region, you can tune controls that matter. In our recent work, we have also supported INTERPOL-led efforts to disrupt stealer operations affecting Africa. Meanwhile, cases like SparkCat show why screenshots of passwords or recovery phrases are not safe, even if the app came from an official store.”
Kaspersky solutions registered almost three million phishing attempts in South Africa in the first half of 2025. Although this marks a 29% decrease compared to the same period of 2024, the threat of targeted phishing is still rife in the region. Globally, Kaspersky has tracked phishing campaigns that use AI-generated text, deepfakes, and voice cloning, as well as trusted services such as Telegram pages and Google Translate links, to bypass filters. Some phishing sites also place CAPTCHA screens up front to hinder automated scanning. These realities mirror the lures and infrastructure abuse seen in local incidents.
Ransomware remains a leading cause of corporate cyber incidents in South Africa, with targeted groups selecting high-value victims across government and enterprise. Effective defence combines prevention and response measures: rigorous patching, strong authentication, limited remote access, endpoint detection and response (EDR) and extended detection and response (XDR) solutions such as those from the Kaspersky Next product line, regular backups, and user awareness to blunt phishing-led initial access.
“Resilience is built in layers. Map your risks, reduce the attack surface, and plan for containment. If your controls shorten the time from the first suspicious event to isolation and rollback, you change the economics for cyber attackers,” concluded Yamout.