International Threats: How Malware Campaigns Vary Across Non-English Languages


By: Max Gannon

Cofense Intelligence relies on over 35 million trained employees from around the world. As a result, a considerable number of analyzed campaigns are written in languages other than English. This report covers May 2023 to May 2025, providing a historical perspective that demonstrates long-term patterns and trends seen over the last several years. It focuses on the malware families delivered by campaigns bypassing secure email gateways (SEGs) in the five non-English languages in which Cofense Intelligence most commonly observed malware delivery.

It is important for organizations to understand the types of threats they are most likely to face and whether they should expect targeted malware families specifically designed for their region or more generalized variants that Endpoint Detection and Response (EDR) solutions are particularly adept at stopping. This report is part of a broader series covering different trends in phishing campaigns that are delivered by the top five non-English languages seen by Cofense. Other topics include delivery mechanisms, URLs embedded in emails leading to malware, and the themes seen in five different languages.

Languages Chosen

Within the time frame of this report, there were campaigns, reported on as Active Threat Reports (ATRs), in 24 different languages that bypassed SEGs to deliver embedded URLs which lead to malware. Unfortunately, covering all of them would require more space than is feasible. As a result, the top five by volume were chosen to be featured. Those languages were Spanish, Italian, French, Portuguese, and German. Although the volumes of these five could be compared and used to make claims about the volume of phishing campaigns against a specific language, that would be inaccurate: the individual shares of the whole are more likely to reflect the distribution of customers reporting emails and a broad-scoped collection bias than a pattern of activity. As a result, the specific volumes of each language will not be compared, but several trends within each language will be examined.

It is important to note that language can often be taken as an indicator of regionality. For example, the vast majority of German-language campaigns were received by individuals in Germany. Spanish and Portuguese-language campaigns can be a bit more varied in terms of recipient location, but when it comes to this report it is safe to assume that the majority of campaigns in those languages were focused on Latin America rather than Europe.

Malware Families Versus Delivery Mechanisms

There are many different ways of classifying and categorizing “malware,” especially when examining what counts as being “malware” and what counts as being something else. Cofense categorizes digital content being used for malicious purposes as either “malware” or a “delivery mechanism.” Malicious content is typically considered malware if it acts as, and is marketed as, a stand-alone runnable package that has malicious purposes such as collecting keystrokes, stealing saved information, or encrypting files. This is distinct from things that are called “delivery mechanisms.” These are typically tools that are used to deliver the malware. This can take the form of Office documents, PDFs, scripts, executables whose only purpose is to load malware, or even shortcut and link files. What is consistent about delivery mechanisms is that their entire purpose is to load malware. If they are capable of additional actions such as collecting keystrokes, stealing saved information, or encrypting files, it is in a very limited capacity and is typically a value added by the creator and distributors rather than a utilized feature.

Malware Types

In addition to being defined as a malware family based on its characteristics, malware can also be defined as having a “type.” This type is based on the primary purpose of the malware, relying most heavily on the purpose stated by the developer and seller of the malware. The categories used by Cofense are broadly defined as Bankers, Information Stealers, Keyloggers, Remote Access Trojans (RATs), Cryptocurrency Miners, Loaders, Ransomware, and Other. Bankers consist of malware that focuses on extracting banking credentials through browser injection, saved-credential collection, or other methods; Mispadu is one example. Information Stealers, such as PureLogs Stealer, consist of malware whose primary purpose is stealing saved information from browsers, messaging applications, or other locations. Keyloggers consist of malware like Agent Tesla keylogger, whose primary purpose is monitoring keystrokes and which is frequently capable only of exfiltrating those keystrokes. RATs consist of malware whose primary purpose is to provide remote access to threat actors, although this frequently comes with a host of other capabilities. RATs can include both malware such as Async RAT, which is designed by threat actors for threat actors, as well as Remote Access Tools (also called RATs), which are repurposed legitimate tools like NetSupport Manager RAT. Cryptocurrency Miners are a very specific type that has very low volume and consists only of utilities designed to mine cryptocurrency such as Bitcoin or Ethereum. Loaders are malware whose primary purpose is to download and run other malware, but which also have an extensive suite of other capabilities that prevent them from being categorized as delivery mechanisms. An example of a popular Loader would be Oyster Loader. The Ransomware type consists of malware that encrypts data and typically, but not always, requests a ransom in order to retrieve the encrypted data and/or to not sell any stolen data. Although this type of malware is not typically delivered by email, a long-standing one that has been seen delivered by email is LockBit Ransomware. Lastly, the “Other” category consists of malware like Cobalt Strike and other reconnaissance tools which don’t have a specific objective that can be defined as belonging to one of the types. Their objective is instead decided by the threat actor operating them and can differ from one environment to another.

[Figure 1 image: International-Threats-How-Malware-Campaigns-Vary-Across-Non-English-Languages_Figure1.png]

Figure 1: Malware types most commonly seen in the top five languages other than English by volume of campaigns.


Spanish-Language Email Campaigns

[Figure 2 image: International-Threats-How-Malware-Campaigns-Vary-Across-Non-English-Languages_Figure2.png]

Figure 2: Top malware families seen in Spanish-language email campaigns.

Spanish-language malware campaigns stood out for their sheer diversity, deploying 59% more distinct malware families than the next leading language. Alongside Portuguese, Spanish-language campaigns were also tied for the highest number of malware families (six in total) that were largely exclusive (90%+ of their volume) to that language: 4Shared Loader, Sapphire RAT, Poco RAT, Meduza, Metamorfo, and Horabot. Figure 2 highlights Remcos RAT as the most common malware in these campaigns. Remcos RAT was also dominant in URL-based infections in Spanish-language campaigns, accounting for 42% of them. Notably, Spanish-language campaigns had three standout traits: they often featured single malware instances instead of bundled or multi-step malware payloads; they had the highest concentration of Remote Access Trojans (RATs), which made up 81% of observed threats in Spanish-language campaigns; and they rarely used legitimate Remote Access Tools, with those making up just 2% of all RATs seen in Spanish-language campaigns.

Italian-Language Email Campaigns

[Figure 3 image: International-Threats-How-Malware-Campaigns-Vary-Across-Non-English-Languages_Figure3.png]

Figure 3: Top malware families seen in Italian-language email campaigns.

Italian-language malware campaigns featured relatively few malware families that appeared almost exclusively (90% or more) in that language—specifically Muck Stealer, Stealerium, and Teramind. Teramind also stood out as one of the few legitimate Remote Access Tools abused in these campaigns, with just 5% of RATs falling into the “legitimate” category. All of the top RATs seen in Figure 3, other than UltraVNC RAT, were frequently delivered together in multi-stage campaigns. Notably, 80% of the URLs used to deliver malware in Italian-language campaigns were legitimate, the highest share among all languages, with Dropbox alone responsible for 60% of the abused legitimate URLs. RATs were the most frequently delivered malware type, making up 78% of the total, and Italian campaigns deployed more Loaders than any other language group. Italy was unique among the top five languages in using benefits-related lures and had double the number of copyright-themed campaigns. These attacks often spoofed localized brands such as Italy’s National Cybersecurity Agency, the National Institute for Social Security, and the widely used Posta Elettronica Certificata service.

French-Language Email Campaigns

[Figure 4 image: International-Threats-How-Malware-Campaigns-Vary-Across-Non-English-Languages_Figure4.png]

Portuguese-Language Email Campaigns

[Figure 5 image: International-Threats-How-Malware-Campaigns-Vary-Across-Non-English-Languages_Figure5.png]

Figure 5: Top malware families seen in Portuguese-language email campaigns.

Portuguese-language campaigns featured the highest number of “top” malware families, with five families falling within just 1% of the fifth-place threshold. Among these, several—such as Lampion Banking Trojan and N-Able—were almost exclusively seen (90%+) in Portuguese campaigns. Portuguese tied with Spanish for the most unique malware families, totaling six. While RATs dominated the overall malware landscape of Portuguese-language campaigns, 41% of the campaigns involved Banking Trojans, the highest share across all languages. These Banking Trojans, including Astaroth and Lampion, are known to target Latin American users specifically, indicating the regionality of the campaigns. Legitimate RATs were surprisingly common—making up 79% of RATs in these campaigns—with Atera Agent being the most common one. Atera Agent was most frequently distributed through embedded URLs. However, URLs used in Portuguese-language campaigns were the least likely to be legitimate among all languages. Portuguese-language campaigns also stood out for the wide variety of themes they used, ranging from travel assistance to legal themes, often with relevant brand spoofing. This thematic diversity corresponded with a broad range of spoofed brands, many of which were uniquely Brazilian, such as the Brazilian Ministry of Labour and Employment, Brazilian Labor Court, Brazilian Federal Revenue Service, Jusbrasil, and Azul Brazilian Airlines. The focus on these brands suggests a strong emphasis on Brazilian targets over Portuguese, Angolan, or any other Portuguese-speaking location. Notably, the most spoofed brand overall was Comision Federal de Electricidad, at 29%.
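The per-language metrics used throughout this report (families that are 90%+ exclusive to one language, a "top five" that admits families within 1% of the fifth-place share, the share of each malware type, and the share of RATs that are legitimate Remote Access Tools) are straightforward to compute from campaign telemetry. The following Python is an added example written for this page, not Cofense's own tooling or data; the campaign rows are constructed for illustration, and the family names, types and legitimate-tool flags are assigned only to families the report itself names. It can be pointed at an organization's own reported-email records to produce the same profile for any language.

```python
from collections import Counter, defaultdict

# Constructed campaign records for illustration only; these are NOT Cofense's data.
# Each row: (language, malware family, malware type, is_legitimate_remote_access_tool)
CAMPAIGNS = [
    ("Spanish", "Remcos RAT", "RAT", False),
    ("Spanish", "Remcos RAT", "RAT", False),
    ("Spanish", "Remcos RAT", "RAT", False),
    ("Spanish", "Remcos RAT", "RAT", False),
    ("Spanish", "Poco RAT", "RAT", False),
    ("Spanish", "Poco RAT", "RAT", False),
    ("Spanish", "Mispadu", "Banker", False),
    ("Spanish", "Agent Tesla", "Keylogger", False),
    ("Spanish", "NetSupport Manager RAT", "RAT", True),
    ("Spanish", "XWorm RAT", "RAT", False),
    ("Portuguese", "Astaroth", "Banker", False),
    ("Portuguese", "Astaroth", "Banker", False),
    ("Portuguese", "Astaroth", "Banker", False),
    ("Portuguese", "Lampion Banking Trojan", "Banker", False),
    ("Portuguese", "Lampion Banking Trojan", "Banker", False),
    ("Portuguese", "Atera Agent", "RAT", True),
    ("Portuguese", "Atera Agent", "RAT", True),
    ("Portuguese", "Atera Agent", "RAT", True),
    ("Portuguese", "Remcos RAT", "RAT", False),
    ("Portuguese", "NetSupport Manager RAT", "RAT", True),
    ("German", "XWorm RAT", "RAT", False),
    ("German", "XWorm RAT", "RAT", False),
    ("German", "Oyster Loader", "Loader", False),
    ("German", "NetSupport Manager RAT", "RAT", True),
    ("German", "Remcos RAT", "RAT", False),
]


def family_language_counts(campaigns):
    """Map each family to a Counter of how many campaigns it appeared in per language."""
    by_family = defaultdict(Counter)
    for language, family, _type, _legit in campaigns:
        by_family[family][language] += 1
    return by_family


def exclusive_families(campaigns, language, threshold=0.9, min_campaigns=2):
    """Families whose campaigns are at least `threshold` (90%+) in `language`.

    Families seen fewer than `min_campaigns` times are ignored so a single
    sighting does not count as "exclusive".
    """
    exclusive = []
    for family, per_language in family_language_counts(campaigns).items():
        total = sum(per_language.values())
        if total >= min_campaigns and per_language[language] / total >= threshold:
            exclusive.append(family)
    return sorted(exclusive)


def top_families(campaigns, language, n=5, tie_margin=0.01):
    """Top-n families in a language by campaign share.

    Any family whose share is within `tie_margin` (1 percentage point) of the
    nth-place family's share is also included, matching the report's treatment
    of families "within 1% of the fifth-place threshold".
    """
    counts = Counter(f for lang, f, _, _ in campaigns if lang == language)
    total = sum(counts.values())
    ranked = counts.most_common()
    if len(ranked) <= n:
        return [family for family, _ in ranked]
    cutoff = ranked[n - 1][1] / total
    return [family for family, c in ranked if c / total >= cutoff - tie_margin]


def type_share(campaigns, language):
    """Fraction of a language's campaigns belonging to each malware type."""
    counts = Counter(t for lang, _, t, _ in campaigns if lang == language)
    total = sum(counts.values())
    return {malware_type: c / total for malware_type, c in counts.items()}


def legitimate_tool_share(campaigns, language):
    """Fraction of a language's RAT campaigns that used a repurposed legitimate tool."""
    rats = [legit for lang, _, t, legit in campaigns if lang == language and t == "RAT"]
    return sum(rats) / len(rats) if rats else 0.0


def language_profile(campaigns, language):
    """Bundle the four metrics into one profile, as the report does per language."""
    return {
        "exclusive_families": exclusive_families(campaigns, language),
        "top_families": top_families(campaigns, language),
        "type_share": type_share(campaigns, language),
        "legitimate_rat_share": legitimate_tool_share(campaigns, language),
    }


if __name__ == "__main__":
    for lang in ("Spanish", "Portuguese", "German"):
        print(lang, language_profile(CAMPAIGNS, lang))
```

On the constructed rows, Portuguese comes out with three exclusive families and a RAT pool that is 80% legitimate tooling, while Spanish shows one exclusive family and a RAT pool that is almost entirely purpose-built malware, mirroring the contrast the report draws between the two languages. The `min_campaigns` floor is the check a practitioner should keep: without it, any family seen once is trivially "100% exclusive" to whichever language it happened to arrive in.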

German-Language Email Campaigns

[Figure 6 image: International-Threats-How-Malware-Campaigns-Vary-Across-Non-English-Languages_Figure6.png]

Figure 6: Top malware families seen in German-language email campaigns.

German-language campaigns saw a slightly broader pool of top malware families, with three hovering right around the fifth-place cutoff. Much like in Italian-language attacks, most of the leading malware families—except for NetSupport Manager RAT and StrelaStealer—were deployed through multi-stage campaigns. XWorm RAT was the most dominant, appearing in nearly 29% of email campaigns that relied on embedded URLs. Remarkably, 80% of those URLs were legitimate, with Dropbox URLs comprising 69% of that total. While only one malware family, Oyster Loader, was nearly exclusive to German campaigns, these operations still featured a wide array of widely used malware families (see Figure 6). Additionally, German campaigns impersonated an unusually broad spectrum of brands—from national and regional entities like Deutsche Telekom, PostBank, INTEC Engineering, and Behles Bus, to international companies like DHL, Instagram, and DocuSign.

Conclusion

Phishing attacks aren’t just in English anymore. Cybercriminals now use multiple languages to lure people into clicking URLs or opening malicious attachments, and phishing attacks that deliver malware increasingly exploit this to broaden their reach. Cofense Intelligence identified the top 5 high-volume languages used in such attacks: Spanish, Italian, German, French and Portuguese. By tailoring the phishing content to these languages, attackers increase the likelihood of deceiving users located internationally. These insights emphasize the need for multilingual cybersecurity measures, including user training, email filtering, and threat intelligence, to effectively mitigate phishing attacks.

At Cofense, we are committed to helping organizations defend against today’s most advanced phishing attacks with speed, accuracy, and efficiency. Schedule a demo today to learn more.
