The notion that African markets are too small a target for the world’s most dangerous cyber attackers has become one of the continent’s great vulnerabilities. That assumption is turning African networks, businesses, and governments into ideal testing grounds for increasingly sophisticated attacks. The assailants carry out their missions with the precision of trained mercenaries and the support of artificial intelligence (AI).
A series of new threat assessments from cybersecurity firm Kaspersky paints a troubling picture for the Middle East, Turkiye and Africa (META) region, comprising 72 countries. While much of the global cybersecurity conversation continues to focus on high-profile breaches in North America and Europe, granular data shows African countries entering a new phase of exposure.
At Kaspersky’s annual Cyber Security Weekend for the META region, held in Thailand last weekend, the company reported that South Africa is emerging as both a digital leader and a digital target.
The statistics initially appear modest. Africa saw a 0.01% increase in ransomware attacks in the past year, compared to 0.07% in the Middle East and 0.06% in Turkiye.
However, according to Kaspersky, attackers often don’t distribute this type of malware on a mass scale, but prioritise high-value targets, which reduces the overall number of incidents.
These low figures also obscure a more insidious trend: the region is becoming a laboratory for cyber innovation, precisely because of its economic challenges.
The reasoning is straightforward. In regions with patchy infrastructure, inconsistent security practices, and a high uptake of mobile technology, attackers can test new strategies with relatively low risk. As South Africa expands its digital economy, cybercriminals are moving in tandem. Rather than launching broad, indiscriminate attacks, they are choosing high-value targets with surgical precision.
“The threat is far from gone,” said Tatyana Shishkova, Kaspersky lead security researcher. “Cybercriminals are becoming more skilled and selective, increasingly leveraging sophisticated AI-powered and targeted attacks.”
One manifestation of this strategy is the rise of cyber mercenaries operating under the guise of “malware-as-a-service”. A recently discovered tool called GriffithRAT has been used in targeted attacks against fintech and trading platforms in South Africa, Egypt and the UAE. Disguised as files promising financial advice, the malware steals login credentials, captures webcam streams, and logs keystrokes, offering a chilling glimpse into the new frontier of digital espionage.
“GriffithRAT is not the work of random hackers,” said Maher Yamout, Kaspersky lead security researcher. “It is a maintained piece of malware and part of a broader trend where cyber mercenaries are hired to collect sensitive information, often for financial or strategic advantage… cybercrime is increasingly professional, targeted, and persistent.”
The convergence of mercenary tactics and ransomware-as-a-service models is no coincidence. FunkSec, a ransomware gang that emerged in late 2024, has become notorious for using AI-generated code to evade detection. Unlike legacy groups that demand millions in ransom, FunkSec takes a high-volume, low-cost approach, automating attacks through the use of Large Language Models and Robotic Process Automation. In effect, it is streamlining crime as a service.
This is where the risks for Africa compound. Countries like South Africa are digitalising at a rapid pace, but often without the necessary investment in cybersecurity infrastructure or training. That leaves them exposed to both broad and targeted campaigns, including from actors using sophisticated supply chain attacks. Cyber breaches in government departments and state-owned enterprises are not isolated incidents.
In 2024 alone, Kaspersky found over 14,000 malicious open-source packages inserted into code repositories that are widely used by developers. Many of these packages were specifically designed to exploit popular AI libraries, including tools for working with ChatGPT APIs. These packages were not theoretical vulnerabilities. They were downloaded and installed by developers across 30 countries, potentially enabling attackers to hijack applications built on supposedly trusted foundations.
It’s a reminder that modern attacks no longer rely solely on brute force or user error. In many cases, they exploit trust – both in the platforms we download from and the devices we buy.
Mobile devices are an especially soft target. In the first quarter of 2025, Africa recorded more than 94,000 mobile cyberattacks. While this represented a decline from the previous quarter, South Africa remained among the most affected countries, with 5.3% of mobile users targeted.
Sophisticated malware families such as SparkCat and Triada are now appearing in both official app stores and counterfeit phones. Some of these attacks are so advanced they can modify cryptocurrency addresses or hijack messaging apps before the user has even completed setup.
More alarming is the use of AI to design malware that can adapt to user behaviour and avoid detection. SparkCat, for instance, uses optical character recognition (OCR) to scan phones for sensitive financial data in nine languages. It signals the arrival of malware that can understand and adapt to context, making it far more difficult to contain.
All of this is occurring against a backdrop of declining detection and response capacity in many African organisations. According to Kaspersky, attackers are increasingly bypassing traditional defences by targeting IoT devices, webcams, and smart appliances. In one instance, the Akira ransomware gang used a webcam to bypass endpoint detection systems, accessing internal networks without triggering alarms.
The implications extend beyond stolen data. Supply chain vulnerabilities and AI-powered malware are now capable of infiltrating critical infrastructure, from finance and telecommunications to energy and defence. The 2024 backdoor found in the XZ Utils compression library – inserted by a trusted developer and capable of executing remote code on Linux servers – was a wake-up call for the global tech community. For African organisations relying on open-source tools without rigorous code review processes, such incidents represent a ticking time bomb.
As a result, cybersecurity has become a national priority that touches every sector. But the response must go beyond reactive measures or off-the-shelf tools. It requires a systemic rethink of digital hygiene, procurement policies, software development, and public-private collaboration. In South Africa, it also raises the question of whether best practice will be prioritised over awarding tenders to connected individuals.
Sergey Lozhkin, head of Kaspersky’s Global Research and Analysis Team (GReAT) for the META and APAC regions, put it succinctly: “To stay secure, organisations need layered defences: up-to-date systems, network segmentation, real-time monitoring, robust backups, and continuous user education.”
Education may be the least glamorous component of cybersecurity, but it remains the most vital. Without it, even the best tools will fail. With it, organisations can at least slow down the tide of increasingly professional cybercrime.