India’s rapid digitisation is being matched by a sharp rise in cyber threats, with Maharashtra, Uttar Pradesh and Delhi emerging as the country’s most malware-affected regions in 2025, according to new findings from Seqrite.
The India Cyber Threat Report 2026, released by Seqrite, the enterprise arm of Quick Heal Technologies Limited, analysed threat data from October 2024 to September 2025 and paints a picture of an increasingly automated and persistent cyber threat landscape.
Malware concentration mirrors digital activity
The report shows that Maharashtra, Uttar Pradesh and Delhi together accounted for a substantial share of India’s 265.52 million malware detections during the period studied. Maharashtra alone recorded 36.13 million detections, representing 24.31% of the national total, followed by Delhi NCR with 15.41 million detections.
At the city level, Mumbai emerged as the most targeted location with 16.59 million detections, narrowly ahead of New Delhi at 15.32 million. Seqrite researchers attribute this concentration to the density of financial, political and industrial activity in these urban centres, which makes them attractive targets for cybercriminals.
The analysis is based on telemetry from more than 8 million endpoints, with Seqrite Labs recording an average of 505 malware detections every minute.
Shift from episodic attacks to continuous exploitation
Researchers at Seqrite Labs, described as India’s largest malware analysis facility, highlight a structural shift in how attacks are being carried out. Rather than sporadic or vulnerability-driven campaigns, threat actors are now running continuous, automation-led operations, constantly scanning for weaknesses to exploit and monetise.
Trojans and file infectors dominated the threat mix, accounting for 43% and 35% of detections respectively, or nearly 70% of all observed malware. The prevalence of these threats points to attackers' sustained success with social engineering, cracked software and unpatched legacy systems.
The report also notes the growing blend of legacy malware with newer techniques, including fileless intrusions, AI-assisted phishing and ransomware-as-a-service (RaaS), signalling that attackers are combining old and new methods rather than abandoning one for the other.
Preparing for “cognitive intrusions”
Looking ahead, Seqrite warns that 2026 and beyond could usher in what it terms an era of “cognitive intrusions”, where adversaries increasingly use artificial intelligence to automate reconnaissance, deception and long-term persistence. In this environment, attacks are expected to become more context-aware, targeting not just technical vulnerabilities but behavioural and operational blind spots.
To counter this shift, the report urges organisations to move beyond reactive security measures. Recommendations include investing in predictive threat intelligence, accelerating patch management, treating identity as the new perimeter, hardening AI systems, and adopting more autonomous detection and response capabilities. Strengthening collaboration across the cybersecurity ecosystem and improving user awareness are also flagged as critical.
Reinforcing the national cyber defence
Against this backdrop, Quick Heal says it is doubling down on its role in protecting India’s digital economy. The company positions its efforts as aligned with its long-standing focus on enabling secure digital adoption, particularly as online services penetrate deeper into everyday life for citizens, enterprises and public institutions.
As India’s attack surface expands alongside Digital India initiatives, the Seqrite findings underline a clear message for security leaders: cyber risk is no longer confined to isolated incidents, but is becoming a constant operational reality—especially in the country’s most digitally active states and cities.