Expel Quarterly Threat Report, Q3 2025: Threat intel recap
ID: 4fce7c85-503c-5254-9417-5899718b39a3
STIX ID: report--4fce7c85-503c-5254-9417-5899718b39a3
Feed Name: Expel Blog
Q3 2025 recap describing BaoLoader and similar trojanized applications that masquerade as useful utilities (PDF editors, recipe and calendar apps) but install backdoors and abuse code-signing certificates. BaoLoader accounted for 13% of the non-targeted commodity malware in the report, and related families (e.g., TamperedChef) saw tens of thousands of downloads. Although these campaigns are monetized primarily through affiliate fraud rather than credential theft or ransomware, the arbitrary backdoor they install and their PowerShell-based antivirus enumeration raise enterprise risk, so the report recommends stricter application control and limiting users to sanctioned tooling.
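As an added example (not code from the Expel report or its authors), the following Python detection scans PowerShell script-block log records for the antivirus-enumeration idioms the recap mentions and raises the severity when the calling process is an unexpected application installed under a user-writable path, which is where a trojanized "utility" typically lands. The records are constructed: they mimic Event ID 4104 and are assumed to be pre-enriched with the parent process image (e.g. from a Sysmon process-creation join). The allowlisted RMM agent path, the host names and the product name `PdfEditorPro` are hypothetical.

```python
import json
import re
from dataclasses import dataclass
from typing import List

# Common PowerShell/WMI idioms for discovering installed AV products.
# root/SecurityCenter2 is the WMI namespace where Windows registers
# third-party AV; Get-MpComputerStatus / Get-MpPreference report Defender state.
AV_ENUM_PATTERNS = [
    re.compile(r"securitycenter2", re.I),
    re.compile(r"\bAntiVirusProduct\b", re.I),
    re.compile(r"\bGet-Mp(ComputerStatus|Preference)\b", re.I),
    re.compile(r"\bwmic\b.*antivirusproduct", re.I),
]

# Hypothetical allowlist: parent images from which AV inventory scripts are
# expected in this environment (constructed for the example).
EXPECTED_PARENTS = {
    r"c:\program files\corp-rmm\agent.exe",
}

# Constructed sample log lines (JSON per line), not real telemetry.
SAMPLE_LOG_LINES = r'''
{"RecordId": 1, "EventID": 4104, "Computer": "ws01", "ParentImage": "C:\\Program Files\\Corp-RMM\\agent.exe", "ScriptBlockText": "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct | Select-Object displayName"}
{"RecordId": 2, "EventID": 4104, "Computer": "ws02", "ParentImage": "C:\\Users\\alice\\AppData\\Local\\PdfEditorPro\\PdfEditorPro.exe", "ScriptBlockText": "Get-WmiObject -Namespace root\\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object { $_.displayName }"}
{"RecordId": 3, "EventID": 4104, "Computer": "ws02", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ScriptBlockText": "Get-ChildItem C:\\Temp -Recurse"}
{"RecordId": 4, "EventID": 4103, "Computer": "ws03", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ScriptBlockText": "Get-MpComputerStatus"}
{"RecordId": 5, "EventID": 4104, "Computer": "ws03", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ScriptBlockText": "Get-MpComputerStatus | Select-Object RealTimeProtectionEnabled"}
'''
SAMPLE_RECORDS = [json.loads(line) for line in SAMPLE_LOG_LINES.strip().splitlines()]


@dataclass
class Finding:
    record_id: int
    host: str
    parent_image: str
    matched: List[str]
    severity: str


def analyze_scriptblock_logs(records):
    """Return a Finding for every 4104 record whose script text enumerates AV.

    Severity: 'info' if the parent is an allowlisted management tool,
    'high' if the parent runs from a user-writable location (AppData, Temp,
    Downloads), otherwise 'medium'.
    """
    findings = []
    for rec in records:
        if rec.get("EventID") != 4104:
            continue  # only script-block logging carries the full script text
        text = rec.get("ScriptBlockText", "")
        hits = [p.pattern for p in AV_ENUM_PATTERNS if p.search(text)]
        if not hits:
            continue
        parent = rec.get("ParentImage", "").lower()
        if parent in EXPECTED_PARENTS:
            severity = "info"
        elif re.search(r"\\(appdata|temp|downloads)\\", parent):
            severity = "high"
        else:
            severity = "medium"
        findings.append(Finding(rec["RecordId"], rec["Computer"],
                                rec["ParentImage"], hits, severity))
    return findings


if __name__ == "__main__":
    for f in analyze_scriptblock_logs(SAMPLE_RECORDS):
        print(f"[{f.severity}] record {f.record_id} on {f.host}: "
              f"{f.parent_image} matched {f.matched}")
```

The allowlist is what keeps this usable: AV inventory from an RMM or compliance agent is routine, so the interesting signal is the same query issued by a process that has no business asking, which is exactly the case a sanctioned-tooling and application-control policy is meant to prevent.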
