ESET Research Profile picture
Security research and breaking news straight from ESET Research Labs.
𝓙𝓪𝓬𝓴2 Profile picture doesntgooutside Profile picture 2 subscribed
Aug 30 9 tweets 3 min read
#ESETresearch identified two GREF campaigns targeting #Android users with @signalapp and @telegram apps trojanized into cyberespionage tools .

Image Signal Plus Messenger and FlyGram were built by merging the BadBazaar espionage code, previously used to target #Uyghurs and other #Turkic minorities, into the respective base app’s code. 2/9
Apr 20 6 tweets 4 min read
#ESETResearch confirms Lazarus is linked to the recent #3CX supply-chain attacks. Based on code similarities and network infrastructure, we connect the 3CX incident with a Linux case of DreamJob, a long-term Lazarus operation using job offer as lures. 1/6… First, let’s look at the timeline. It shows that the trojanized macOS version of the 3CX Desktop App was ready two months prior to the distribution of the Windows version. Also interesting is that the attack was in preparation as early as December 2022. 2/6 Image
Mar 14 6 tweets 3 min read
#ESETResearch discovered an attack by APT group Tick against a data-loss prevention (DLP) company in East Asia and found a previously unreported tool used by the group.… @0xfmz 1/6 In 2021, in the DLP company’s network, the attackers introduced trojanized installers of the legitimate application Q-dir, part of a toolkit used by the company. When executed, the installer dropped the open-source ReVBShell backdoor and ran the original Q-dir application. 2/6 Image
Mar 2 5 tweets 3 min read
#ESETResearch analyzed a new #MustangPanda backdoor. Its C&C communications is done over #MQTT using the open-source QMQTT library, so we named it MQsTTang. This library depends on parts of the Qt framework, statically linked in the PE.… 1/5 A sample of MQsTTang was identified by @Unit42_Intel on 2023-02-17. As stated in that thread, the backdoor uses the legitimate MQTT broker This has the benefit of hiding their actual C&C servers from victims and analysts. 2/5
Mar 1 11 tweets 7 min read
#ESETResearch analyze first in-the-wild UEFI bootkit bypassing UEFI Secure Boot even on fully updated Windows 11 systems. Its functionality indicates it is the #BlackLotus UEFI bootkit, for sale on hacking forums since at least Oct 6, 2022. @smolar_m… 1/11 BlackLotus brings legit but vulnerable binaries to the victim’s system (#BYOVD) to exploit #CVE-2022-21894 and bypass UEFI Secure Boot on up-to-date Windows systems. In some samples, these binaries are downloaded directly from the MS Symbol Store.… 2/11
Feb 15 4 tweets 3 min read
While #infostealer detections trended downwards in 2022, decreasing by 10% in #ESET telemetry, #banking malware doubled in numbers YoY. #ESETresearch 1/4 This phenomenon was caused by the prevalence of the web skimmer JS/Spy.Banker, also known as #Magecart. Throughout the year, it consistently accounted for about three-fourths of banking malware detections. It was also the third most detected infostealer overall in T3 2022. 2/4
Feb 8 5 tweets 3 min read
👏 Proofpoint for this blogpost on #TA866. @ESETResearch have been tracking this group for a while and we assess with medium confidence that TA866 and #AsylumAmbuscade are the same group. 1/4
In their February 2022 espionage campaign, attackers delivered a LUA downloader that installed #AHKBOT / #SunSeed AutoHotkey, the same implant used in recent crimeware campaigns. 2/5
Nov 30, 2022 6 tweets 2 min read
#ESETesearch discovered Dolphin, a sophisticated backdoor extending the arsenal of the #ScarCruft APT group. Dolphin has a wide range of spying capabilities and is deployed on selected targets only.… 1/6 The backdoor was used as the final payload of a multistage attack in early 2021, involving a watering-hole attack on a South Korean online newspaper, an Internet Explorer exploit, and another ScarCruft backdoor, named BLUELIGHT, previously reported by Volexity and Kaspersky. 2/6
Nov 25, 2022 4 tweets 3 min read
#ESETResearch discovered an ongoing Android RAT campaign that uses #FIFAWorldCup in Qatar🇶🇦 as a lure and already infected over 750 devices. It spreads via Facebook page linking to a website distributing the RAT. Downloaded RAT also offers World Cup news and live broadcasts 1/4 ImageImageImage The RAT has extensive capabilities like exfiltrating SMS, call logs, contact list, photos, clipboard, files with particular extensions, record phone calls, take pictures, etc. Exfiltrated data is encrypted and uploaded to attacker’s server. 2/4 ImageImage
Nov 25, 2022 9 tweets 7 min read
On November 21st #ESETResearch detected and alerted @_CERT_UA of a wave of ransomware we named #RansomBoggs, deployed in multiple organizations in Ukraine🇺🇦. While the malware written in .NET is new, its deployment is similar to previous attacks attributed to #Sandworm. 1/9 @_CERT_UA Its authors make multiple references to Monsters, Inc., the 2001 movie by Pixar. The ransom note (SullivanDecryptsYourFiles.txt) shows the authors impersonate James P. Sullivan, the main character of the movie, whose job is to scare kids. 2/9
Nov 23, 2022 6 tweets 5 min read
#ESETresearch discovered an active #Android campaign conducted by the hack-for-hire group #Bahamut. The campaign has been active since January 2022, with malicious apps are distributed through a fake #SecureVPN website
@LukasStefanko… 1/6 We discovered at least 8 versions of the spyware, all trojanized versions of legitimate VPN apps SoftVPN and OpenVPN; none have been available on Google Play. The fake SoftVPN triggered our YARA rules; we also got a DM from @malwrhunterteam about the sample. TY folks!
2/6 Image
Nov 22, 2022 4 tweets 2 min read
#ESETResearch discovered that #LuckyMouse/#APT27 used a code-signing certificate belonging to VMPsoft, the developer of the VMProtect packer. The signed file is a loader for the SysUpdate backdoor (aka Soldier). We notified VMPSoft of this compromise 1/4… Image Pivoting on the certificate, we found genuine VMPsoft binaries and a sample of SysUpdate signed and packed with VMProtect. Since LuckyMouse rarely use VMProtect, it is possible that they also stole VMProtect packer when they got the digi certificate. 2/4…
Nov 9, 2022 9 tweets 6 min read
#ESETResearch discovered and reported to the manufacturer 3 vulnerabilities in the #UEFI firmware of several Lenovo Notebooks. The vulnerabilities allow disabling UEFI Secure Boot or restoring factory default Secure Boot databases (incl. dbx): all simply from an OS. @smolar_m 1/9 Reported vulnerabilities – #CVE-2022-3430, #CVE-2022-3431, and #CVE-2022-3432 – affect various Lenovo Yoga, IdeaPad and ThinkBook devices. All affected devices with an active development support have been fixed after we reported them to the manufacturer. 2/9
Oct 12, 2022 7 tweets 3 min read
#Emotet’s operators were busy updating their systeminfo module, with changes that enable malware operators to improve the targeting of specific victims and distinguish tracking bots from real users. #ESETresearch 1/7 The operators completely changed the attributes that are collected and sent to the attacker’s C&Cs. The new list includes processor brand, size of physical memory in MB and an approximate % of it being in use. 2/7 ImageImageImage
Oct 11, 2022 6 tweets 3 min read
#ESETresearch reveals new findings about POLONIUM, an APT group that has targeted more than a dozen organizations in Israel 🇮🇱 since at least September 2021, using at least seven different custom backdoors.…
Five of the seven described #POLONIUM backdoors were previously undocumented. At the time of writing our blogpost, the latest one (PapaCreep) was still being used. It is also the first one not written in C# or PowerShell. 2/6
Sep 30, 2022 6 tweets 5 min read
#ESETresearch has discovered #Lazarus attacks against targets in 🇳🇱 and 🇧🇪, spreading via spearphishing emails and exploiting the CVE-2021-21551 vulnerability to disable the monitoring of all security solutions on compromised machines @pkalnai… @pkalnai The attack started with spearphishing emails connected to fake job offers, targeting an aerospace company in the Netherlands, and a political journalist in Belgium. The attackers then deployed a VMProtect-ed version of #BLINDINGCAN, a fully featured HTTP(S) backdoor. 2/6
Sep 28, 2022 9 tweets 4 min read
In July, #ESETresearch reported on macOS spyware we dubbed CloudMensis. In the blogpost, we left the malware unattributed. However, further analysis showed similarities with a Windows malware called #RokRAT, a #ScarCruft tool. @marc_etienne_, @pkalnai 1/9 The Windows and macOS malware variants are not copycats of each other, but share the following similarities: ➡️ 2/9
Aug 16, 2022 7 tweets 4 min read
#ESETresearch #BREAKING A signed Mac executable disguised as a job description for Coinbase was uploaded to VirusTotal from Brazil 🇧🇷. This is an instance of Operation In(ter)ception by #Lazarus for Mac. @pkalnai @dbreitenbacher 1/7 Malware is compiled for both Intel and Apple Silicon. It drops three files: a decoy PDF document Coinbase_online_careers_2022_07.pdf, a bundle and a downloader safarifontagent. It is similar to #ESETresearch discovery in May. 2/7
Jul 19, 2022 7 tweets 4 min read
#ESETresearch uncovers #CloudMensis, spyware for macOS using cloud storage as a way to communicate back and forth its operators. @marc_etienne_… 1/7 We’ve analysed two #CloudMensis stages, the first download and runs the featureful spy agent. Both uses cloud storage using an authentication token. 2/7
Jul 15, 2022 9 tweets 3 min read
#ESETResearch warns of a new campaign using a fake Salesforce update as a lure to deploy the Sliver malware for macOS and Windows 1/9 The Mac infection chain is very similar to a COVID-19-themed campaign documented by SentinelOne last week.… 2/9
Jul 13, 2022 6 tweets 3 min read
#ESETresearch discovered and reported to the manufacturer three buffer overflow vulnerabilities in UEFI firmware of several #Lenovo Notebook devices, affecting more than 70 various models including several ThinkBook models. @smolar_m 1/6 The vulnerabilities can be exploited to achieve arbitrary code execution in the early phases of the platform boot, possibly allowing the attackers to hijack the OS execution flow and disable some important security features. 2/6