Kenya’s cybersecurity team caught 4.5 billion cyber threat events between October and December 2025. That’s a 441% jump from the previous quarter, and it tells us something important about what’s happening in the country’s digital scene.
The National Kenya Computer Incident Response Team (KE-CIRT/CC), which monitors the country’s cyber infrastructure, sent out 21.8 million security advisories during this period.
The vast majority of these warnings had a simple message: patch your systems, use multi-factor authentication, and configure your firewalls properly.
System vulnerabilities accounted for the overwhelming majority of cyber attacks, with 4.4 billion incidents. These weren’t sophisticated zero-day exploits. Most happened because organizations were running outdated software, using default passwords, or had misconfigured their cloud services.

Malware attacks hit 70.9 million times, up 124% from the previous quarter. Internet service providers, cloud platforms, and government systems took the brunt of it.
Attackers went after end-user devices, IoT gadgets, email systems, and web applications, with the goal of encrypting data for ransom, stealing credentials, or planting backdoors for later access.
Brute force attacks reached 42.8 million attempts, a 127% increase. Attackers hammered away at login pages, database servers, and remote access systems.
They exploited weak passwords and the absence of multi-factor authentication. Remote Desktop Protocol configurations were particularly vulnerable, especially as more people work remotely.
Web application attacks climbed to 11.6 million, an 11% increase, with government systems and ISPs being the primary targets. Attackers exploited outdated SSL/TLS configurations, vulnerable open-source libraries like Log4j, and poorly secured APIs. Cross-site scripting and remote code execution vulnerabilities gave them ways in.
DDoS attacks jumped 1,116% to 58.3 million incidents. Healthcare and government services were hit hardest. Attackers used reflection and amplification techniques, abusing DNS and NTP services to flood targets with traffic. Many attacks came from botnets built from compromised IoT devices and routers with default credentials.
Mobile application attacks increased 303% to 310,009 incidents, targeting Android devices, set-top boxes, and smart TVs. The Android Debug Bridge protocol was a common entry point as attackers exploited improper credential management to access devices and steal personal information.
Kenya has long strived to position itself as East Africa’s digital hub, which makes it an attractive target for attackers. The threat actors weren’t particularly innovative.
They exploited known vulnerabilities, used social engineering, and relied on organizations not following basic security practices. The fact that system misconfigurations topped the threat list shows that many attacks could have been prevented.

As more services move online and more devices connect to the internet, the attack surface expands. Cloud adoption accelerated during this period, but many organizations migrated without properly securing their cloud environments.
Social engineering became more targeted during the quarter. Attackers timed campaigns around end-of-year activities, impersonating employers offering bonuses, delivery services, and government agencies.
They used phone calls, SMS, and messaging apps, exploiting the fact that Kenya has high mobile penetration but varying levels of digital literacy.
The healthcare sector faced particular pressure from DDoS attacks. Disrupting hospital systems or health portals during peak periods causes immediate real-world harm. Some attacks were politically motivated, carried out by hacktivists or advanced persistent threat groups.
In response, the National KE-CIRT/CC has been running quarterly meetings with over 50 organizations from critical infrastructure sectors to share threat intelligence, discuss attack patterns, and coordinate responses.
On the regulatory side, the Computer Misuse and Cyber Crimes Act from 2018 established the National Computer and Cybercrimes Coordination Committee (NC4).
New regulations in 2024 required the Communications Authority to set up a Cyber Security Operations Centre specifically for the ICT and telecommunications sector.
On the bright side, last quarter’s data suggests that Kenya’s cyber defenders are getting better at detection. The massive increase in detected threats partly reflects improved monitoring capabilities.



























