The IT Nerd

ESET researchers have uncovered an Android spyware campaign leveraging romance scam tactics to target individuals in Pakistan. The campaign uses a malicious app posing as a chat platform that allows users to initiate conversations operated via WhatsApp. Underneath the romance charade, the real purpose of the malicious app, which ESET named GhostChat, is exfiltration of the victim’s data. The same threat actor appears to be running a broader spy operation – including a ClickFix attack leading to the compromise of victims’ computers, and a WhatsApp device-linking attack gaining access to victims’ WhatsApp accounts – thus expanding the scope of surveillance. These related attacks used websites impersonating Pakistani governmental organizations as lures. Victims obtained GhostChat from unknown sources, and it requires manual installation; it was never available on Google Play, and Google Play Protect, which is enabled by default, protects against it.

The app uses the icon of a legitimate dating app but lacks the original app’s functionality and instead serves as a lure – and tool – for espionage on mobile devices. Once logged in, victims are presented with a selection of 14 female profiles; each profile is linked to a specific WhatsApp number with a Pakistani (+92) country code. The use of local numbers reinforces the illusion that the profiles are real individuals based in Pakistan, increasing the credibility of the scam. Upon entering the correct code, the app redirects the user to WhatsApp to initiate a conversation with the assigned number – presumably operated by the threat actor.

While the victim engages with the app, and even prior to logging in, GhostChat spyware has already begun running in the background, silently monitoring device activity and exfiltrating sensitive data to a C&C server. Beyond initial exfiltration, GhostChat engages in active espionage: It sets up a content observer to monitor newly created images and uploads them as they appear. Additionally, it schedules a periodic task that scans for new documents every five minutes, ensuring continual surveillance and data harvesting.

The campaign is also connected to broader infrastructure involving ClickFix-based malware delivery and WhatsApp account hijacking techniques. These operations leverage fake websites, impersonation of national authorities, and deceptive, QR-code-based device-linking to compromise both desktop and mobile platforms. ClickFix is a social engineering technique that tricks users into manually executing malicious code on their devices by following seemingly legitimate instructions.

In addition to desktop targeting via the ClickFix attack, a malicious domain was used in a mobile-focused operation aimed at WhatsApp users. Victims were lured into joining a supposed community – posing as a channel of the Pakistan Ministry of Defence – by scanning a QR code to link their Android device or iPhone to WhatsApp Web or Desktop. Known as GhostPairing, this technique allows an adversary to gain access to the victims’ chat history and contacts, acquiring the same level of visibility and control over the account as the owners, effectively compromising their private communications.

For a more detailed analysis of GhostChat, check out the latest ESET Research blog post, “Love? Actually: Fake dating app used as lure in targeted spyware campaign in Pakistan“

The attack involved data-wiping malware that ESET researchers have now analyzed and named DynoWiper

In late 2025, Poland’s energy system faced what has been described as the “largest cyberattack” targeting the country in years. ESET Research has now found that the attack was the work of the notorious Russia-aligned APT group Sandworm.

“Based on our analysis of the malware and associated TTPs, we attribute the attack to the Russia-aligned Sandworm APT with medium confidence due to a strong overlap with numerous previous Sandworm wiper activity we analyzed,” said ESET researchers. “We’re not aware of any successful disruption occurring as a result of this attack,” they added.

Sandworm has a long history of disruptive cyberattacks, especially on Ukraine’s critical infrastructure. Meanwhile, the attack on Poland’s power grid in the last week of December involved data-wiping malware that ESET has now analyzed and named DynoWiper. ESET security solutions detect DynoWiper as Win32/KillFiles.NMO.

While details regarding the intended impact continue to be investigated, ESET researchers have highlighted the fact that the coordinated attack occurred on the 10th anniversary of the Sandworm-orchestrated attack against the Ukrainian power grid, which resulted in the first ever malware-facilitated blackout. Back in December 2015, Sandworm used the BlackEnergy malware to gain access to critical systems at several electrical substations, leaving around 230,000 people without electricity for several hours.

Fast forward a decade and Sandworm continues to target entities operating in various critical infrastructure sectors, especially in Ukraine. In their latest APT Activity Report, covering April to September 2025, ESET researchers noted that they spotted Sandworm conducting wiper attacks against targets in Ukraine on a regular basis.

ESET Research has discovered a new China-aligned APT group, LongNosedGoblin, that abuses Group Policy – a mechanism for managing settings and permissions on Windows machines, typically used with Active Directory – to deploy malware and move laterally across the compromised network. It is used to deploy cyberespionage tools across networks of governmental institutions in Southeast Asia and Japan. In 2024, ESET researchers noticed previously undocumented malware in the network of a Southeast Asian governmental entity. However, the group has been active since at least since September 2023. As of this September, ESET began observing renewed activity by the group in the region. It deploys malware across the compromised network, and cloud services (e.g., Microsoft OneDrive and Google Drive) for Command & Control (C&C).

LongNosedGoblin has several tools in its arsenal. NosyHistorian is a C#/.NET application that the group uses to collect browser history from Google Chrome, Microsoft Edge, and Mozilla Firefox, which is then used to determine where to deploy further malware. NosyDoor collects metadata about the victim’s machine, including the machine name, username, the OS version, and the name of the current process, and sends it all to the C&C. It then retrieves and parses task files with commands from the C&C. The commands allow it to exfiltrate files, delete files, and execute shell commands, among other things.

NosyStealer is used to steal browser data from Microsoft Edge and Google Chrome. NosyDownloader executes a chain of obfuscated commands, and downloads and runs a payload in memory. Among other tools used by LongNosedGoblin, ESET identified a C#/.NET keylogger NosyLogger, which seems to be a modified version of the open-source keylogger DuckSharp. Among other tools used by the group is a reverse SOCKS5 proxy, and an argument runner (a tool that runs an application passed as an argument) that was used to run a video recorder, likely FFmpeg, to capture audio and video.

For a more detailed analysis of LongNosedGoblin’s arsenal, check out the latest ESET Research blogpost “LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan” on WeLiveSecurity.com.

ESET Research has released its latest Threat Report, which summarizes threat landscape trends seen in ESET telemetry and from the perspective of both ESET threat detection and research experts, from June through November 2025.  AI-powered malware moved from theory to reality in H2 2025, as ESET discovered PromptLock – the first known AI-driven ransomware, capable of generating malicious scripts on the fly. While AI is still mainly used for crafting convincing phishing and scam content, PromptLock – and the handful of other AI-driven threats identified to this day – signal a new era of threats. 

On the ransomware scene, victim numbers surpassed 2024 totals well before year’s end, with ESET Research projections pointing to a 40% year-over-year increase. Akira and Qilin now dominate the ransomware-as-a-service market, while low-profile newcomer Warlock introduced innovative evasion techniques. EDR killers continued to proliferate, highlighting that endpoint detection and response tools remain a significant obstacle for ransomware operators.

On the mobile platform, NFC threats continued to grow in scale and sophistication, with an 87% increase in ESET telemetry and several notable upgrades and campaigns observed in H2 2025. NGate  – a pioneer among NFC threats, first discovered by ESET– received an upgrade in the form of contact stealing, likely laying the groundwork for future attacks. RatOn, entirely new malware on the NFC fraud scene, brought a rare fusion of remote access trojan (RAT) capabilities and NFC relay attacks, showing cybercriminals’ determination to pursue new attack avenues. RatOn was distributed through fake Google Play pages and ads mimicking an adult version of TikTok, and a digital bank ID service.  PhantomCard – new NGate-based malware adapted to the Brazilian market – was seen in multiple campaigns in Brazil in H2 2025.

Furthermore, after its global disruption in May, the Lumma Stealer infostealer managed to briefly resurface – twice – but its glory days are most likely over. Detections plummeted by 86% in H2 2025 compared to the first half of the year, and a significant distribution vector of Lumma Stealer – the HTML/FakeCaptcha trojan, used in ClickFix attacks – nearly vanished from ESET telemetry.

Meanwhile, CloudEyE, also known as GuLoader, surged into prominence, skyrocketing almost thirtyfold according to ESET telemetry. Distributed via malicious email campaigns, this malware-as-a-service downloader and cryptor is used to deploy other malware, including ransomware, as well as infostealer juggernauts such as Rescoms, Formbook, and Agent Tesla. Poland was most affected by this threat, with 32% of CloudEyE attack attempts in H2 2025 detected here.

For more information, check out the ESET Threat Report H2 2025 on WeLiveSecurity.com. 

ESET researchers have identified new MuddyWater activity primarily targeting organizations in Israel, with one confirmed target in Egypt. The victims in Israel were in the technology, engineering, manufacturing, local government, and educational sectors. MuddyWater, also referred to as Mango Sandstorm or TA450, is an Iran-aligned cyberespionage group known for its persistent targeting of government and critical infrastructure sectors, often leveraging custom malware and publicly available tools, and has links to the Ministry of Intelligence and National Security of Iran. In this campaign, the attackers deployed a set of previously undocumented, custom tools with the objective of improving defense evasion and persistence. New backdoor MuddyViper enables the attackers to collect system information, execute files and shell commands, transfer files, and exfiltrate Windows login credentials and browser data. The campaign leverages additional credential stealers. Among these tools is Fooder, a custom loader that masquerades as the classic Snake game.

In this campaign, initial access is typically achieved through spearphishing emails, often containing PDF attachments that link to installers for remote monitoring and management (RMM) software hosted on free file-sharing platforms such as OneHub, Egnyte, or Mega. These links lead to the download of tools including Atera, Level, PDQ, and SimpleHelp. Among the tools deployed by MuddyWater operators is also the VAX One backdoor, named after the legitimate software which it impersonates: Veeam, AnyDesk, Xerox, and the OneDrive updater service. 

The group’s continued reliance on this familiar playbook makes its activity relatively easy to detect and block. However, in this case, the group also used more advanced techniques to deploy MuddyViper, a new backdoor, by using a loader (Fooder) that reflectively loads MuddyViper into memory and executes it. Several versions of Fooder masquerade as the classic Snake game, hence the designation, MuddyViper. Another notable characteristic of Fooder is its frequent use of a custom delay function that implements the core logic of the Snake game, combined with “Sleep” API calls. These features are intended to delay execution in an attempt to hide malicious behavior from automated analysis systems. Additionally, MuddyWater developers adopted CNG, the next-generation Windows cryptographic API, which is unique for Iran-aligned groups and somewhat atypical across the broader threat landscape. During this campaign, the operators deliberately avoided hands-on-keyboard interactive sessions, which is a historically noisy technique often characterized by mistyped commands. Thus, while some components remain noisy and easily detected, as is typical for MuddyWater, overall this campaign shows signs of technical evolution – increased precision, strategic targeting, and a more advanced toolset. 

The post-compromise toolset also includes multiple credential stealers: CE-Notes, which targets Chromium-based browsers; LP-Notes, which stages and verifies stolen credentials; and Blub, which steals login data from Chrome, Edge, Firefox, and Opera browsers.

MuddyWater was first introduced to the public in 2017 by Unit 42, whose description of the group’s activity is consistent with ESET’s profiling – a focus on cyberespionage, the use of malicious documents as attachments designed to prompt users to enable macros and bypass security controls, and primarily targeting entities located in the Middle East.

Notable past activities include Operation Quicksand (2020), a cyberespionage campaign targeting Israeli government entities and telecommunications organizations, which exemplifies the group’s evolution from basic phishing tactics to more advanced, multistage operations; and a campaign targeting political groups and organizations in Türkiye, demonstrating the group’s geopolitical focus, its ability to adapt social engineering tactics to local contexts, and reliance on modular malware and flexible C&C infrastructure.

ESET has documented multiple campaigns attributed to MuddyWater that highlight the group’s evolving toolset and shifting operational focus. In March and April 2023, MuddyWater targeted an unidentified victim in Saudi Arabia, and the group conducted a campaign in January and February 2025 that was notable for its operational overlap with Lyceum (an OilRig subgroup). This cooperation suggests that MuddyWater may be acting as an initial access broker for other Iran-aligned groups.

For a more detailed analysis of the latest MuddyWater campaign, check out the latest ESET Research blogpost “MuddyWater: Snakes by the riverbank” on WeLiveSecurity.com. 

ESET researchers have discovered a network implant used by the China-aligned PlushDaemon APT group to perform adversary-in-the-middle attacks.

You can read more here: https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-network-devices-for-adversary-in-the-middle-attacks/

Ensar Seker, CISO at SOCRadar, commented:

“The attack outlined in recent reports marks a deeply concerning evolution in supply chain and update‑mechanism compromise. PlushDaemon is exploiting edge network devices, routers and similar infrastructure, via implants such as EdgeStepper to intercept DNS queries and redirect software‑update traffic toward attacker‑controlled infrastructure.   By hijacking a trusted software‑update channel, the group manages to deliver custom downloaders (e.g., LittleDaemon, DaemonicLogistics) and ultimately the SlowStepper backdoor toolkit without triggering the usual defenses around malicious attachments or phishing. 

“What makes this campaign particularly dangerous is two‑fold. First, the compromise occurs at the network infrastructure layer rather than the endpoint meaning it bypasses most EDRs, user‑based filters, and conventional supply‑chain checks.

Second, the software update system is treated as a trusted delivery mechanism, making detection and attribution extremely difficult. The attacker doesn’t need to persuade a user to click a link or open a file; they simply hijack the trust in the update process itself. This underscores how sophisticated adversaries are blending network compromise with supply chain tradecraft.

“For security teams, the implications are clear: controlling and monitoring just the “software packages” is no longer enough. Organizations must treat the update infrastructure, DNS routing paths, device firmware/routers, and trust chains as part of their threat surface. I ‘d recommend organizations map out their trusted update hierarchies, enforce signed updates end‑to‑end, monitor outbound DNS resolution patterns for anomalies (especially from network devices), and segment update‐delivery systems from general user infrastructure. The fact that PlushDaemon is operating across multiple sectors, including universities, manufacturing, automotive and regions U.S., Taiwan, New Zealand, South Korea means that no industry can consider itself immune.”

I have to admit that this is the most interesting man in the middle attack that I have seen. And it’s concerning as it requires zero user interaction. On top of that it happens further up the attack chain. That should put defenders on alert as this would be difficult to defend against.

ESET researchers have recently observed a new instance of Operation DreamJob — a campaign that ESET tracks under the umbrella of North Korea-aligned Lazarus group — in which several European companies active in the defense industry were targeted. Some of these are heavily involved in the unmanned aerial vehicle (UAV / drones) sector, suggesting that the operation may be linked to North Korea’s current efforts to scale up its drone program. The in-the-wild attacks successively targeted three companies active in the defense sector in Central and Southeastern Europe. Initial access was almost certainly achieved via social engineering. The main payload deployed to the targets was ScoringMathTea, a remote-access trojan (RAT) that offers the attackers full control over the compromised machine. The suspected primary goal of the attackers was exfiltration of proprietary information and manufacturing know-how.

In Operation DreamJob, the dominant theme of social engineering is a lucrative, but faux, job offer served with a side of malware: The target usually receives a decoy document with a job description and a trojanized PDF reader to open it. ESET Research attributes this activity with a high level of confidence to Lazarus, particularly because of its campaigns related to Operation DreamJob, and because the targeted sectors, located in Europe, align with the targets of the previous instances of Operation DreamJob (aerospace, defense, engineering).

The three targeted organizations manufacture different types of military equipment (or parts thereof), many of which are currently deployed in Ukraine as a result of European countries’ military assistance. At the time of Operation DreamJob’s observed activity, North Korean soldiers were deployed in Russia, reportedly to help Moscow repel Ukraine’s offensive in the Kursk region. It is thus possible that Operation DreamJob was interested in collecting sensitive information on some Western-made weapons systems currently employed in the Russia-Ukraine war. More generally, these entities are involved in the production of types of materiel that North Korea also manufactures domestically, and for which it might be hoping to perfect its own designs and processes. The interest in UAV-related know-how is notable, as it echoes recent media reports indicating that Pyongyang is investing heavily in domestic drone manufacturing capabilities. North Korea has relied heavily on reverse engineering and intellectual property theft to develop its domestic UAV capabilities. 

Generally, Lazarus attackers are highly active and deploy their backdoors against multiple targets. This frequent use exposes these tools and enables their detection. As a countermeasure, the group’s tools are preceded in the execution chain by a series of droppers, loaders, and simple downloaders. The attackers decided to incorporate their malicious loading routines into open-source projects available on GitHub.

The main payload, ScoringMathTea, is a complex RAT that supports around 40 commands. Its first appearance can be traced back to VirusTotal submissions from Portugal and Germany in October 2022, where its dropper posed as an Airbus-themed job offer lure. The implemented functionality is the usual required by Lazarus: manipulation of files and processes, exchanging the configuration, collecting the victim’s system info, opening a TCP connection, and executing local commands or new payloads downloaded from the C&C server. Regarding ESET telemetry, ScoringMathTea was seen in attacks against an Indian technology company in January 2023, a Polish defense company in March 2023, a British industrial automation company in October 2023, and an Italian aerospace company in September 2025. It seems that it is one of the flagship payloads for Operation DreamJob campaigns.

The group’s most significant evolution is the introduction of new libraries designed for DLL proxying and the selection of new open-source projects to trojanize for improved evasion. “For nearly three years, Lazarus has maintained a consistent modus operandi, deploying its preferred main payload, ScoringMathTea, and using similar methods to trojanize open-source applications. This predictable, yet effective, strategy delivers sufficient polymorphism to evade security detection, even if it is insufficient to mask the group’s identity and obscure the attribution process,” concludes Kálnai.

The Lazarus group (also known as HIDDEN COBRA) is an APT group linked to North Korea that has been active since at least 2009. It is responsible for high-profile incidents. The diversity, number, and eccentricity in implementation of Lazarus campaigns define this group, as well as the fact that it performs all three pillars of cybercriminal activities: cyberespionage, cybersabotage, and pursuit of financial gain.

Operation DreamJob is a codename for Lazarus campaigns that rely primarily on social engineering, specifically using fake job offers for prestigious or high-profile positions (the “dream job” lure). Targets are predominantly in the aerospace and defense sectors, followed by engineering and technology companies, and the media and entertainment sector.

For a more detailed analysis of the latest Lazarus DreamJob campaign against the UAV sector, check out the latest ESET Research blogpost “Gotta fly: Lazarus targets the UAV sector” on WeLiveSecurity.com.

ESET researchers have uncovered two Android spyware campaigns targeting individuals interested in secure communication apps, namely Signal and ToTok. These campaigns distribute malware through deceptive websites and social engineering and appear to target residents of the United Arab Emirates (UAE). ESET’s investigation led to the discovery of two previously undocumented spyware families: Android/Spy.ProSpy impersonates upgrades or plugins for the Signal app and the controversial and discontinued ToTok app, and Android/Spy.ToSpy impersonates the ToTok app. The ToSpy campaigns are ongoing, as suggested by C&C servers that remain active.

ESET Research discovered the ProSpy campaign in June 2025, and it has likely been ongoing since 2024. ProSpy is being distributed through three deceptive websites designed to impersonate communication platforms Signal and ToTok. These sites offer malicious APKs posing as improvements, disguised as a Signal Encryption Plugin and ToTok Pro. The use of a domain name ending in the substring ae.net may suggest that the campaign targets individuals residing in the United Arab Emirates, as AE is the two-letter country code for the UAE.

During the investigation, ESET discovered five more malicious APKs using the same spyware codebase, posing as an enhanced version of the ToTok messaging app under the name ToTok Pro. ToTok, a controversial free messaging and calling app developed in the United Arab Emirates, was removed from Google Play and Apple’s App Store in December 2019 due to surveillance concerns. Given that its user base is primarily located in the UAE, it is likely that ToTok Pro may be targeting users in this region, who may be more liable to download the app from unofficial sources in their own region.

Upon execution, both malicious apps request permissions to access contacts, SMS messages, and files stored on the device. If these permissions are granted, ProSpy starts exfiltrating data in the background. The Signal Encryption Plugin extracts device information, stored SMS messages, and the contact list, and it exfiltrates other files – such as chat backups, audio, video, and images.

In June 2025, ESET telemetry systems flagged another previously undocumented Android spyware family actively distributed in the wild, originating from a device located in the UAE. ESET labeled the malware Android/Spy.ToSpy. Later investigation revealed four deceptive distribution websites impersonating the ToTok app. Given the app’s regional popularity and the impersonation tactics used by the threat actors, it is reasonable to speculate that the primary targets of this spyware campaign are users in the UAE or surrounding regions. In the background, the spyware can collect and exfiltrate the following data: user contacts, device information files such as chat backups, images, documents, audio, and video, among others. ESET findings suggest that the ToSpy campaign likely began in mid-2022.

For a more detailed analysis and technical breakdown of Android/Spy.ProSpy and Android/Spy.ToSpy, check out the latest ESET Research blog post, “New spyware campaigns target privacy-conscious Android users in the UAE” on WeLiveSecurity.com.

ESET today released a new and improved version of its free ESET Basic Cybersecurity Awareness Training. The revamped Basic course introduces an immersive storyline, interactive modules, and refreshed content designed to empower employees to be the first line of defence and help organizations of all sizes reduce employee-related cyber risks. 

For companies that need to track course completions or require training that meets HIPAA, PCI, SOX, GDPR, CCPA, and cyber insurance compliance requirements, ESET offers a comprehensive 90-minute Premium Cybersecurity Awareness Training. Re-released last fall, the premium course, “Digital Shadows: Cryptic Chronicles,” offers dozens of modules, unlimited phishing simulation tests, dashboards for administrators to track learners’ status, a customizable training portal, reporting and course completion certificates, engaging gamification, and more.

The updated Basic course places employees in the role of a cyber investigator at NetDetect, a fictional cybersecurity team tasked with helping organizations recover from breaches and fortify defenses. Learners are immediately drawn into a mission supporting EVX, an electric vehicle company whose groundbreaking battery technology has made it a target for cybercriminals. Guided by a storyline, employees analyze a breach, uncover risky behaviors, and put protective practices into action. Modules cover key topics, including creating and managing strong passwords, safeguarding email and spotting phishing attempts, protecting against malware, identifying personalized attacks, and staying secure while working online.

This October, the launch coincides with the start of Cybersecurity Awareness Month. Over the last two decades, Cybersecurity Awareness Month has grown into a collaborative effort between government and industry to enhance cybersecurity awareness, encourage actions to reduce online risk, and generate discussion on cyber threats on a national and global scale. 

ESET has also launched a Cybersecurity Awareness Kit today, which includes access to the free ESET Cybersecurity Awareness Training, ESET’s 2025 H1 Threat Report, and a free 30-day business trial of ESET’s full-featured security solution. On Oct. 23, consumers can also learn about the real-world applications and vulnerabilities of facial recognition technology from ESET’s Webinar, The Rise and Risk of Facial Recognition. To explore these resources, visit https://www.eset.com/us/business/cybersecurity-awareness-month-kit/.

To learn more about ESET Cybersecurity Awareness Training – Basic and Premium offerings, visit https://www.eset.com/us/business/cybertraining/. 

ESET Research has released new findings on DeceptiveDevelopment, also known as Contagious Interview – a threat group aligned with North Korea that has grown increasingly active in recent years. The group is primarily focused on cryptocurrency theft, targeting freelance developers across Windows, Linux, and macOS platforms. The newly published research paper traces the group’s evolution from early malware families to more advanced toolsets. These campaigns rely heavily on sophisticated social engineering tactics, including fake job interviews and the ClickFix technique, to deliver malware and exfiltrate cryptocurrency. ESET also analyzed open-source intelligence (OSINT) data that sheds light on the operations of North Korean IT workers involved in fraudulent employment schemes and their ties to DeceptiveDevelopment. These findings are being presented today at the annual Virus Bulletin (VB) Conference.

DeceptiveDevelopment is a North Korea-aligned group active since at least 2023, focused on financial gain. The group targets software developers on all major systems – Windows, Linux, and macOS – and especially those in cryptocurrency and Web3 projects. Initial access is achieved exclusively via various social engineering techniques like ClickFix, and fake recruiter profiles similar to Lazarus’s Operation DreamJob to deliver trojanized codebases during staged job interviews. Its most typical payloads are the BeaverTail, OtterCookie, and WeaselStore infostealers, and the InvisibleFerret modular RAT.

The attackers opted for various methods to compromise users, relying on clever social engineering tricks. Via both fake and hijacked profiles, they pose as recruiters on platforms like LinkedIn, Upwork, Freelancer.com, and Crypto Jobs List. They offer fake lucrative job opportunities in order to attract their target’s interest. Victims are requested to participate in a coding challenge or pre-interview task.

In addition to fake recruiter accounts, the attackers have customized and improved the social engineering method called ClickFix. Victims are lured to a fake job interview site and asked to fill out a detailed application form, investing significant time and effort. At the final step, they’re prompted to record a video answer, but the site displays a camera error and offers a “How to fix” link. This link instructs users to open a terminal and copy a command that should solve the camera or microphone issue, which instead of fixing the issue, downloads and executes malware.

While research into DeceptiveDevelopment is primarily based on data from ESET telemetry and reverse-engineering the group’s toolset, it is interesting to point out its connections to fraud operations by North Korean IT workers. According to the FBI’s “Most Wanted” poster, the IT worker campaign has been ongoing since at least April 2017 and has become increasingly prominent in recent years. In a joint advisory released in May 2022, the IT worker campaign is described as a coordinated effort by North Korea-aligned workers to gain employment at overseas companies, whose salaries are then used as funding for the regime. They have also been known to steal internal company data and use it for extortion, as stated in an announcement by the FBI in January 2025.

As ESET Research discovered from available OSINT data, fake CVs, and other related materials, the IT workers mainly focus on employment and contract work in the West, specifically prioritizing the United States. However, our findings based on the acquired materials have shown a shift toward Europe, with targets in countries such as France, Poland, Ukraine, and Albania. The workers utilize AI to perform their job tasks and rely heavily on AI for manipulating photos in their profile pictures and CVs, and even perform face swaps in real-time video interviews to look like the persona they are currently using. They utilize remote interviewing platforms like Zoom, MiroTalk, FreeConference, or Microsoft Teams for various social engineering techniques. Proxy interviewing poses a severe risk to employers, since hiring of an illegitimate employee from a sanctioned country may not only be irresponsible or underperforming, but could also evolve into a dangerous insider threat.

The research paper “DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception” summarizes the evolution of the group’s two flagship toolsets, InvisibleFerret and BeaverTail. At the same time, it identifies newly discovered links between DeceptiveDevelopment’s Tropidoor backdoor and the PostNapTea RAT used by the Lazarus group. Furthermore, it provides a comprehensive analysis of TsunamiKit and WeaselStore, new toolkits used by DeceptiveDevelopment and documents the functionality of a WeaselStore C&C server and its API.

For a more detailed analysis of DeceptiveDevelopment operations and tools, check out the latest ESET Research white paper “DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception” or the brief accompanying blogpost on WeLiveSecurity.com. M