‘Small fry’ complacency opens Africa to cybervillains

Digital criminals are exploiting the continent’s naiveté to use it as a proving ground for their malware, says Kaspersky

As South Africa expands its digital economy, cybercriminals are launching indiscriminate attacks, choosing high-value targets with surgical precision, says the writer. Stock photo. (123RF/WELCOMIA)

The notion that African markets are too small for the world’s most dangerous cyberattackers is making the continent vulnerable — and its networks, businesses and governments have become ideal testing grounds for increasingly sophisticated attacks.

The assailants, says cybersecurity firm Kaspersky, carry out their missions with the precision of mercenaries and the support of AI.

A series of new threat assessments from Kaspersky paints a troubling picture for the Middle East, Türkiye and Africa (META) region, comprising 72 countries. While much of the global cybersecurity conversation focuses on high-profile breaches in North America and Europe, granular data shows African countries entering a new phase of exposure.

At Kaspersky’s annual cybersecurity weekend for the META region, held in Thailand last weekend, the company reported that South Africa is emerging as both a digital leader and a digital target.

The statistics initially appear modest. Africa saw a 0.01% increase in ransomware attacks in the past year, compared with 0.07% in the Middle East and 0.06% in Türkiye.

However, according to Kaspersky, attackers often don’t distribute this type of malware on a mass scale, but home in on high-value targets, which reduces the overall number of incidents.

These low figures also obscure a more insidious trend: the region is becoming a laboratory for cyber-innovation, precisely because of its economic challenges.

The reasoning is straightforward. In regions with patchy infrastructure, inconsistent security practices and a high uptake of mobile technology, attackers can test new strategies with relatively low risk. As South Africa expands its digital economy, cybercriminals are moving in tandem. Rather than launching broad, indiscriminate attacks, they are choosing high-value targets with surgical precision.

“The threat is far from gone,” said Tatyana Shishkova, Kaspersky lead security researcher. “Cybercriminals are becoming more skilled and selective, increasingly leveraging sophisticated AI-powered and targeted attacks.”

One manifestation of this strategy is the rise of cyber-mercenaries operating under the guise of “malware-as-a-service”. A recently discovered tool called GriffithRAT has been used in targeted attacks against fintech and trading platforms in South Africa, Egypt and the UAE. Disguised as files promising financial advice, the malware steals login credentials, captures webcam streams and logs keystrokes, offering a chilling glimpse into the new frontier of digital espionage.

“GriffithRAT is not the work of random hackers,” said Maher Yamout, Kaspersky lead security researcher. “It is a maintained piece of malware and part of a broader trend where cyber-mercenaries are hired to collect sensitive information, often for financial or strategic advantage … cybercrime is increasingly professional, targeted and persistent.”

The convergence of mercenary tactics and ransomware-as-a-service models is no coincidence. FunkSec, a ransomware gang that emerged late last year, has become notorious for using AI-generated code to evade detection. Unlike legacy groups that demand millions in ransom, FunkSec takes a high-volume, low-cost approach, automating attacks through the use of large language models and robotic process automation. In effect, it is streamlining crime as a service.

This is where the risks for Africa compound. Countries such as South Africa are rapidly digitalising, but often without the necessary investment in cybersecurity infrastructure or training. That leaves them exposed to both broad and targeted campaigns, including sophisticated supply chain attacks. Cyberbreaches in government departments and state-owned enterprises are not isolated incidents.

In 2024 alone, Kaspersky found more than 14,000 malicious open-source packages inserted into code repositories that are widely used by developers. Many of these packages were specifically designed to exploit popular AI libraries, including tools for working with ChatGPT application programming interfaces. These packages were not theoretical vulnerabilities. They were downloaded and installed by developers across 30 countries, potentially enabling attackers to hijack applications built on supposedly trusted foundations.

It’s a reminder that modern attacks no longer rely solely on brute force or user error. In many cases, they exploit trust — both in the platforms we download from and the devices we buy.

Mobile devices are an especially soft target. In the first quarter of 2025, Africa recorded more than 94,000 mobile cyberattacks. While this represented a decline from the previous quarter, South Africa remained among the most affected countries, with 5.3% of mobile users targeted.

Sophisticated malware such as SparkCat and Triada is now appearing in both official app stores and counterfeit phones. Some of these attacks are so advanced they can modify cryptocurrency addresses or hijack messaging apps before the user has even completed set-up.

More alarming is the use of AI to design malware that can adapt to user behaviour and avoid detection. SparkCat, for instance, uses optical recognition to scan phones for sensitive financial data in nine languages. This signals the arrival of malware that can understand and adapt to context, making it far more difficult to contain.

All of this is occurring against a backdrop of declining detection and response capacity in many African organisations. According to Kaspersky, attackers are increasingly bypassing traditional defences by targeting internet-of-things devices, webcams and smart appliances. In one instance, the Akira ransomware gang used a webcam to bypass endpoint detection systems, accessing internal networks without triggering alarms.

The implications extend beyond stolen data. Supply chain vulnerabilities and AI-powered malware are now capable of infiltrating critical infrastructure, from finance and telecommunications to energy and defence. The 2024 backdoor found in the XZ Utils compression library — inserted by a trusted developer and capable of executing remote code on Linux servers — was a wake-up call for the global tech community. For African organisations relying on open-source tools without rigorous code review processes, such incidents represent a time bomb.

Cybersecurity has become a national priority that touches every sector. But the response must go beyond reactive measures or off-the-shelf tools. It requires a systemic rethink of digital hygiene, procurement policies, software development and public-private collaboration. In South Africa, it raises questions about the way IT tenders are awarded to connected individuals with no priority placed on best practice.

Sergey Lozhkin, head of Kaspersky’s research and analysis team for the META and Asia-Pacific-Australia regions, put it succinctly: “To stay secure, organisations need layered defences: up-to-date systems, network segmentation, real-time monitoring, robust backups, and continuous user education.”
