The IT Nerd

ESET Research has released its latest APT Activity Report, which highlights activities of select APT groups that were documented by ESET researchers from October 2025 through March 2026. During the monitored time frame, China-aligned threat actors remained highly active worldwide, conducting espionage campaigns shaped in part by geopolitical developments affecting Beijing’s economic and security interests. Following the US military operation in Venezuela and amid continuing instability in the Gulf region, ESET spotted signs that China-aligned groups were being mobilized to improve Beijing’s visibility into maritime, energy, and political developments abroad. North Korea-aligned Andariel attacked a company that appears to be involved in the nuclear power industry.

China-aligned FamousSparrow targeted a Venezuelan governmental entity connected to maritime affairs, likely to monitor the resilience of oil shipments after the US intervention. There, ESET also noticed SteppeDriver, another China-aligned APT group targeting a Syrian governmental network, activity that may reflect both Chinese commercial interest in Syria’s reconstruction projects and security concerns surrounding Uyghur fighters present in that country. China-aligned UNC5221’s SPAWN malware family targeted governmental entities in Cambodia and Panama, as well as an AI and robotics company in South Korea. The latter targeting South Korea aligns with Beijing’s enduring interest in strategic technologies prioritized under the Made in China 2025 industrial development policy.

The war in Iran that began in late February 2026 was the defining event for Iran-aligned activity during this period. Paradoxically, the conflict coincided with a decline in activity from established Iran-aligned APT groups in ESET telemetry, most likely because internet restrictions imposed by the Iranian regime hindered their ability to operate effectively. At the same time, this environment appears to have favored the mobilization of proxy and hacktivist actors targeting Israel, the United States, and other states seen as hostile to Tehran. ESET Research also documented an unusual spike in activity against Israeli targets that it could not confidently link to previously known groups. Two unattributed activity clusters, Rusty Boots and MoKhargosh, demonstrated both espionage capabilities and destructive potential against Israel – including deployment of a bootkit-style wiper while retaining destructive tooling for later use.

ESET Research also found a defense company in the United Arab Emirates being compromised, and Arabic-speaking users being targeted with Android spyware. It was possibly aimed at journalists or open-source intelligence practitioners since the name of attacker’s Telegram channel was likely inspired by Live Universal Awareness Map (Liveuamap), a legitimate, well-known OSINT platform dedicated to mapping military incidents worldwide.

North Korea-aligned threat actors remained active on several fronts. Multiple groups continued targeting developers and the cryptocurrency ecosystem with social engineering schemes that can yield both direct financial gain and opportunities for software supply-chain compromise. ESET also uncovered the reemergence of the Andariel group in attacks against South Korea, where the group deployed TigerRAT and attempted to spread Rook ransomware within an engineering company that appears to manufacture equipment relevant to liquid hydrogen handling and the nuclear power industry – technologies that are obviously of interest to Pyongyang’s ballistic and nuclear ambitions.

Russia-aligned threat actors continued to focus overwhelmingly on Ukraine and entities connected to that country’s defense efforts. Sednit deployed its Covenant and BeardShell implants against Ukrainian military personnel, drone manufacturers, and organizations involved in drone research and development, while also targeting logistics and transportation companies outside Ukraine. Sandworm intensified destructive activity over the winter, deploying several new wipers in Ukraine against governmental and private sector targets. Particularly notable was a December 2025 data destruction incident affecting a Polish energy company, which ESET attributed to Sandworm with medium confidence.

ESET products protect our customers’ systems from the malicious activities described in this released report. Intelligence shared here is based mostly on proprietary ESET telemetry data and has been verified by ESET researchers, who prepare in-depth technical reports and frequent activity updates detailing activities of specific APT groups. These threat intelligence analyses, known as ESET APT Reports, assist organizations tasked with protecting citizens, critical national infrastructure, and high-value assets from criminal and nation-state-directed cyberattacks.

More information about ESET APT Reports, which deliver high-quality, strategic, actionable, and tactical cybersecurity threat intelligence, is available on the ESET Threat Intelligence page.

For more details about the mentioned and other APT groups’ activities, read the full APT Activity Report, “Conflict-informed espionage: Monitoring oil shipments, targeting drone makers,” on WeLiveSecurity.com. 

A new Android scam, CallPhantom, falsely claims to provide access to call logs, SMS records, and WhatsApp call history for any phone number in exchange for payment.

ESET identified and reported 28 separate CallPhantom apps on Google Play, cumulatively downloaded more than 7.3 million times.

Some CallPhantom apps sidestep Google Play’s official billing system, complicating victims’ refund efforts.

ESET researchers have uncovered fraudulent apps on Google Play that claim to provide the call history “for any number.” The offending apps, which ESET named CallPhantom based on their false claims, purport to provide access to call histories, SMS records, and even WhatsApp call logs for any phone number. To unlock this supposed feature, users are asked to pay — but all they get in return is randomly generated data. ESET’s investigation identified 28 such fraudulent apps, cumulatively downloaded more than 7.3 million times. As an App Defense Alliance partner, ESET reported their findings to Google, which removed all of the apps identified in this report from Google Play. 

The CallPhantom apps mainly targeted Android users in India and the broader Asia Pacific region. Many of the apps came with India’s +91 country code preselected, and support UPI, a payment system used primarily in India.

In general, CallPhantom apps have a simple user interface and do not request any intrusive or sensitive permissions — they don’t need to. Coincidentally, they do not contain any functionality capable of retrieving actual call, SMS, or WhatsApp data.

In the CallPhantom apps ESET analyzed, researchers saw three different payment methods used, two of which are in violation of Google Play’s payments policy. Some of the apps relied on subscriptions via Google Play’s official billing system. Others relied on payments via a third party; in some cases, payment card checkout forms were included directly in the CallPhantom apps.

The fees requested for the fake service differ widely across the apps. The apps also appear to offer different subscription packages, such as weekly, monthly, or yearly services, with the highest requested price sitting at US$80. For the lowest “subscription tier,” the average requested price was €5.

In general, subscriptions purchased through the official Google Play billing system can be canceled. For the 28 apps described in this blog post, existing subscriptions were canceled when the apps were removed from Google Play. In some cases, refunds for Google Play purchases are possible.

If the purchase was made outside of Google Play — for example, by entering payment card details inside the app or by paying via third-party services — then Google cannot cancel the subscription or issue a refund, and users have to contact their payment provider.

For a more details about CallPhantom, check out the latest ESET Research blog post, “Fake call logs, real payments: How CallPhantom tricks Android users,” on WeLiveSecurity.com.

ESET researchers have uncovered a multiplatform supply-chain attack by North Korea-aligned APT group ScarCruft, targeting the Yanbian region in China – home to ethnic Koreans and a crossing point for North Korean refugees and defectors. In the attack, probably ongoing since late 2024, ScarCruft compromised Windows and Android components of a video game platform dedicated to Yanbian-themed games, trojanizing them with a backdoor. The backdoor, named BirdCall by ESET, was originally known to target Windows only; the Android version was later discovered as part of this supply-chain attack.  

The Android version of BirdCall, discovered in the latest attack, implements a subset of the commands and capabilities of the Windows backdoor – it collects contacts, SMS messages, call logs, documents, media files, and private keys. It can also take screenshots and record surrounding audio. ESET discovered, based on this investigation, that Android BirdCall has been actively developed over a span of several months and at least seven versions have been deployed.

Since the website compromised in this attack is dedicated to the people of Yanbian and their traditional games, ESET concludes that the primary targets are ethnic Koreans living in Yanbian.  It is probable that the attack was aimed at collecting information on individuals based in (or originating from) the Yanbian region and deemed of interest to the North Korean regime – most likely refugees or defectors.

The gaming platform’s Windows client was compromised through a malicious update leading to the RokRAT backdoor, which deployed the more sophisticated BirdCall backdoor. “Victims downloaded the trojanized games via a web browser from a single page on their devices and likely installed them intentionally. We did not identify any other APK locations or any malicious APKs on the official Google Play store. We were unable to determine when the website was first compromised and the supply-chain attack started. However, based on our analysis of the deployed malware, we estimate that it happened in late 2024,” says ESET researcher Filip Jurčacko, who discovered the latest attack by ScarCruft.

The Windows backdoor was initially discovered in 2021 and attributed to ScarCruft as part of ESET Threat Intelligence Reporting . The original Windows backdoor has a wide range of spying capabilities, including taking screenshots, logging keystrokes and clipboard content, stealing credentials and files, and executing shell commands. For C&C purposes, the backdoor utilizes legitimate cloud storage services, such as Dropbox or pCloud, or compromised websites. 

ScarCruft, also known as APT37 or Reaper, has been operating since at least 2012 and is suspected to be a North Korean espionage group. It primarily focuses on South Korea, but other Asian countries have also been targeted. ScarCruft seems to be interested mainly in government and military organizations, and companies in various industries linked to the interests of North Korea. The group also targets North Korean defectors.

For a more details about BirdCall, check out the latest ESET Research blogpost “A rigged game: ScarCruft compromises gaming platform in a supply-chain attack,”  on WeLiveSecurity.com

ESET Research has discovered a new variant of the NGate malware family that abuses a legitimate Android application called HandyPay, instead of the previously leveraged NFCGate tool. The threat actors took the app, which is used to relay NFC data, and patched it with malicious code that appears to have been AI generated. As with previous iterations of NGate, the malicious code allows the attackers to transfer NFC data from the victim’s payment card to their own device and use them for contactless ATM cash-outs and unauthorized payments. Additionally, the code can capture the victims’ payment card PINs and exfiltrate them to the operators’ C&C server. The primary targets of this are users in Brazil; however, NFC-based attacks are expanding into new regions.

The malicious code used to trojanize HandyPay shows signs of having been produced with the help of GenAI tools. Specifically, the malware logs contain an emoji typical of AI-generated text, suggesting that LLMs were involved in generating or modifying the code, although definitive proof remains elusive. This fits a broader trend in which GenAI lowers the barrier to entry for cybercriminals, enabling threat actors with limited technical skill to produce workable malware.

ESET Research believes that the campaign distributing the trojanized HandyPay began around November 2025 and remains active. It should also be noted that the maliciously patched version of HandyPay has never been available on the official Google Play store. As an App Defense Alliance partner, we shared our findings with Google. ESET also reached out to the HandyPay developers to alert them about the malicious use of their application. 

As the number of NFC threats keeps rising, so too has the ecosystem supporting them become more robust. The first NGate attacks employed the open-source NFCGate tool to facilitate the transfer of NFC data. Since then, several malware-as-a-service (MaaS) offerings with similar functionality have become available for purchase. However, in this campaign the threat actors decided to go with their own solution and maliciously patched an existing app – HandyPay.

The first new NGate sample is distributed through a website that impersonates Rio de Prêmios, a lottery run by the Rio de Janeiro state lottery organization (Loterj). The second NGate sample is distributed via a fake Google Play web page as an app named Proteção Cartão (machine translation: Card Protection). Both sites were hosted on the same domain, strongly implying a single threat actor. The malware abuses the HandyPay service to forward NFC card data to an attacker-controlled device. Apart from relaying NFC data, the malicious code also steals payment card PINs, enabling the threat actor to use the victim’s payment card data to withdraw cash from ATMs.

For a more detailed analysis of the new NGate variant, check out the latest ESET Research blog post, “New NGate variant hides in a trojanized NFC payment app,” on WeLiveSecurity.com. 

ESET today released its 2026 SMB Cyber Readiness Index – North America edition. This new report surveyed hundreds of small and medium-sized businesses (SMBs) from across the United States and Canada to uncover new insights into their cyber resilience, incidents and reporting, perceived threats, and investments – while analyzing the current appetite for managed services, cyber insurance and AI-powered applications.

In this new report, 87% of U.S. and 83% of Canadian SMBs said that they feel slightly to very confident that their business is cyber resilient. Across both countries, cyber resilience confidence rose to 91% and 88%, respectively, for businesses that had more than one cyber incident in the last year (over businesses that had zero or one incident during that timeframe). Across both regions, about half of respondents (47% in the U.S. and 52% in Canada) said that they don’t expect a change in cybersecurity budget this year.

In order to manage cyber-attacks, SMBs are increasingly including cyber insurance in their resilience strategies to ensure compliance, financial stability and peace of mind when incidents occur. Today, 86% of U.S. SMBs carry cyber insurance, with over half deploying specific security controls (e.g., MFA, IAM, EDR/MDR) as part of their coverage conditions. Canadian SMBs only trail slightly with 78% carrying cyber insurance. In both countries, respondents who have had more than one incident are more likely to carry insurance.

On the AI front, Canadians are more cautious about the deployment of new AI applications than their U.S. counterparts. 69% of Canadian respondents said that they are integrating AI applications into their organization compared to 81% of U.S. respondents.

The 2026 Index surveyed 700 cybersecurity decision-makers across U.S. and Canadian organizations with 25 to 1,000 endpoints, uncovering new insights into SMB cyber readiness, incident response, cybersecurity tools and management, insurance and compliance, AI strategy, and more. Here are some additional highlights from the report released today:

“Perception vs. Reality”: Are SMBs Worried About the Right Threats?

· SMBs across the U.S. (32%) and Canada (34%) say AI-powered malware is their top concern for the year ahead, a signal of how dominant AI has become in headlines and boardroom conversations.

· But the actual causes of breaches paint a very different picture. In the U.S., the leading drivers of cyber incidents remain phishing (27%), lack of security monitoring (27%) and unpatched security vulnerabilities (25%). In Canada, attacks most often stem from phishing (21%), weak passwords (20%), and insufficient security monitoring (20%).

· Meanwhile, one of the most consequential risks, supply chain compromise, barely registers among SMBs’ top concerns in the survey, ranking eighth (17%) among U.S. respondents and 10th (16%) for Canadians – despite the potential for widespread downstream impact.

· Finally, 82% of U.S. and Canadian SMBs agree that cyber warfare and global conflict pose a real threat to their business, underscoring how interconnected today’s risks are.

Cyber Insurance is Influencing Security Behavior

· Incident experience is a major driver of cyber risk insurance adoption: 95% of U.S. and 92% of Canadian SMBs that suffered multiple incidents carry insurance, compared to 77% of U.S. and 68% of Canadian businesses with no incidents.

· In both markets, insurers are playing a more direct role in shaping security posture: 55% of insured U.S. SMBs and 41% of insured Canadian SMBs are required to implement specific controls, often involving continuous monitoring or MDR‑style services, as a condition of coverage.

· Of SMBs surveyed, 16% U.S. and 19% of Canadian respondents say that they outsource some or all of their cybersecurity. Of the U.S. companies that outsource, 35% of SMBs now outsource security to a cyber insurer offering MDR, 21% use an MDR vendor, 17% rely on an MSP/MSSP with MDR, and 27% still use a traditional MSP.

· Of the Canadian companies who outsource, 27% of SMBs now outsource security to a cyber insurer offering MDR, 8% use an MDR vendor, 27% rely on an MSP/MSSP with MDR, and 38% still use a traditional MSP.

Confidence Rising Meets Increasing Attacks

· Even as confidence rises, cyberattacks remain widespread across the U.S. and Canada, reinforcing the sense that cybersecurity incidents are now an inevitable part of doing business.

· In the U.S., 54% of SMBs experienced an incident in the past 12 months, including 22% who faced multiple breaches. Canada shows a similar trend, with 46% reporting at least one incident and 12% experiencing more than one. These numbers highlight how frequently SMBs are being targeted and successfully compromised, despite increased awareness and stronger budgets.

· This growing prevalence is shaping how SMBs think about risk, pushing many to build processes that assume disruption rather than hope to avoid it altogether. In fact, organizations with multiple incidents show the highest confidence levels. In the U.S., 52% of those with repeat incidents (and 42% of Canadians) identify as “very confident,” compared to firms with only one or no incidents.

· These repeatedly targeted organizations also report the strongest budgets, with 45% of U.S. SMBs in this category describing their cybersecurity funding as “more than sufficient” and expecting additional investment increases. Canadian firms were less enthusiastic with their budget – with 25% identifying their budgets as “more than sufficient.”

· Finally, cybersecurity confidence does not always correlate with company size in the United States. Larger U.S. SMBs (500–1,000 endpoints) are less likely to deploy advanced, proactive measures such as threat detection and response (24%) than smaller SMBs (34%), indicating that operational complexity may be outpacing modernization efforts even as confidence rises.

SMBs are Still Investing in Awareness & Training

· Across both the U.S. and Canada, cyber awareness training emerges as the top investment priority for the year ahead, reinforcing the reality that human error remains the most exploited weakness in today’s attacks.

· Over 90% of SMBs in both countries say training is “critical” or “very important,” with 42% of U.S. SMBs and 43% of Canadian SMBs planning to increase these investments in the next 12 months—making it the leading budget category in both markets.

· Nearly half of SMBs now go beyond basic training: 44% of U.S. organizations and 47% in Canada use structured programs that include phishing simulations, a shift likely driven by rising concern over AI‑driven phishing techniques and deepfake‑enabled impersonation threats.

· This emphasis on strengthening the human layer aligns closely with incident data, as phishing remains a top cause of breaches (27% in the U.S., 21% in Canada), underscoring why SMBs continue to invest heavily in awareness, behavior change, and simulation‑based resilience.

ESET’s 2026 SMB Cyber Readiness Index surveyed 700 cybersecurity decision‑makers across the United States and Canada in industries such as manufacturing, construction, healthcare, retail, telecommunications, transportation, and more. This included 500 respondents from the United States and 200 from Canada with 25 to 1,000 endpoints. Notably, 67% of U.S. respondents and 51% of Canadian respondents were their company’s primary decision-makers for cybersecurity.

ESET researchers recently traced the reactivation of Sednit through their modern toolkit, which is centered on two paired implants, BeardShell and Covenant, each using a different cloud provider for resilience. This dual‑implant approach enabled long‑term surveillance of Ukrainian military personnel and has been in use since April 2024. In 2016, the US Department of Justice linked the Sednit group to Unit 26165 of the GRU, a Russian Federation intelligence agency within the Main Intelligence Directorate of the Russian military.

ESET’s account of modern Sednit activities begins with SlimAgent, an espionage implant discovered on a Ukrainian governmental machine by CERT-UA in April 2024. SlimAgent is a simple yet efficient spying tool capable of logging keystrokes, capturing screenshots, and collecting clipboard data. Within its telemetry ESET identified previously unknown samples with code similar to SlimAgent, which were deployed as early as 2018 – six years before the Ukrainian case – against governmental entities in two European countries. Thus, SlimAgent appears to be an evolution of the Xagent keylogger module, which has been deployed as a standalone component since at least 2018. Xagent is a custom toolset used exclusively by the Sednit group for more than six years.

SlimAgent was not the only implant found on the Ukrainian machine in 2024; BeardShell – a much more recent addition to Sednit’s custom arsenal – was deployed there as well. BeardShell is a sophisticated implant capable of executing PowerShell commands within a .NET runtime environment, while leveraging the legitimate cloud storage service Icedrive as its Command & Control channel. The shared use of a rare obfuscation technique, combined with its co-location with SlimAgent, leads ESET to assess with high confidence that BeardShell is part of Sednit’s custom arsenal.

Since the initial 2024 case, Sednit continued deploying BeardShell through 2025 and into 2026, primarily in long-term espionage operations targeting Ukrainian military personnel. To maintain persistent access to these high-value targets, Sednit systematically deploys another implant alongside BeardShell: Covenant, the final component of its modern arsenal. Covenant is an open-source .NET post exploitation framework and provides over 90 built-in tasks, supporting capabilities such as data exfiltration, target monitoring, and network pivoting.

Since 2023, Sednit developers have made a number of modifications and experiments with Covenant to establish it as their primary espionage implant, keeping BeardShell mainly as a fallback in case Covenant encounters operational issues, such as the takedown of its cloud-based infrastructure. Sednit has successfully relied on Covenant for several years, particularly against selected targets in Ukraine.

For instance, in 2025, our analysis of Sednit-controlled Covenant cloud drives revealed machines that had been monitored for more than six months. In January 2026, Sednit also deployed Covenant in a series of spearphishing campaigns exploiting the CVE 2026 21509 vulnerability, as reported by CERT UA.

The sophistication of BeardShell and the extensive modifications made to Covenant demonstrate that Sednit’s developers remain fully capable of producing advanced custom implants. Furthermore, the shared code and techniques linking these tools to their 2010-era predecessors strongly suggest continuity within the development team.

For a more detailed analysis of Sednit’s latest arsenal, check out the latest ESET Research blogpost ” Sednit reloaded: Back in the trenches ” on WeLiveSecurity.com. 

ESET today announced the opening of applications for its Women in Cybersecurity North American Scholarship, launching on International Women’s Day in alignment with the 2026 theme, #GiveToGain. Now entering its 11^th year, the program continues ESET’s longstanding commitment to support and empower women pursuing careers in cybersecurity through financial assistance, mentorship, and community-building.

Originally established in 2016 in the United States and expanded to Canada in 2021, ESET’s Women in Cybersecurity Scholarship was one of the earliest initiatives of its kind in the industry. In Canada alone, the program has awarded more than $50,000 to 14 women, expanding from one $5,000 award in its first year to $15,000 across three scholarships today. Many recipients have gone on to build successful careers in cybersecurity and technology.

The need for continued action remains clear. According to the most recent (ISC)² Cybersecurity Workforce Study, approximately 22% of the global cybersecurity workforce is comprised of women, a sign of gradual progress but continued underrepresentation across the industry. In Canada, women account for 21.2% of cybersecurity professionals, underscoring the need for initiatives to expand access and strengthen the talent pipeline. As emerging technologies like AI reshape the threat landscape, a diversity of perspectives is critical to developing ethical and effective solutions.

For the 2026 application cycle, ESET Canada will award three $5,000 awards to applicants demonstrating strong technical aptitude, leadership potential, and a commitment to cybersecurity.

DETAILS AND HOW TO APPLY

Applications are now being accepted for the 2026 round and submissions must be received by 11:59 p.m. PT April 8, 2026. Applicants can learn more about the scholarships and submit their application by visiting ESET’s dedicated webpages. If you’re a Canadian student, apply here. Questions? Email us at CA-scholarship@eset.com [Canada-only inquiries] with any questions.

ESET researchers have discovered PromptSpy, the first known Android malware to abuse generative AI in its execution flow to achieve persistence. It is the first time generative AI has been deployed in this manner. Because the attackers rely on prompting an AI model (specifically, Google’s Gemini) to guide malicious UI manipulation, ESET has named this family PromptSpy. The malware can capture lockscreen data, block uninstallation attempts, gather device info, take screenshots, record screen activity as video, and more.  This is the second AI-powered malware that ESET Research has discovered, following PromptLock in August 2025, the first known case of AI-driven ransomware.

Based on language localization clues and the distribution vectors observed during analysis, this campaign appears to be financially motivated and seems to primarily target users in Argentina. However, PromptSpy has not been observed in ESET telemetry yet, possibly making it a proof of concept.

While generative AI is deployed only in a relatively minor part of PromptSpy’s code — the one responsible for achieving persistence — it still has a significant impact on the malware’s adaptability. Specifically, Gemini is used to provide PromptSpy with step-by-step instructions on how to make the malicious app “locked”, i.e. pinned, in the recent apps list (often represented by a padlock icon in the multitasking view of many Android launchers), thus preventing it from being easily swiped away or killed by the system. The AI model and prompt are predefined in the code and cannot be changed. 

PromptSpy is distributed by a dedicated website and has never been available on Google Play. As an App Defense Alliance partner, ESET nevertheless shared the findings with Google. Android users are automatically protected against known versions of this malware by Google Play Protect, which is enabled by default on Android devices with Google Play Services.

With the app’s name being MorganArg and its icon seemingly inspired by Morgan Chase, the malware is likely impersonating the Morgan Chase bank. MorganArg, likely a shorthand for “Morgan Argentina”, also appears as the name of the cached website, suggesting a regional targeting focus.

Because PromptSpy blocks uninstallation by overlaying invisible elements on the screen, the only way for a victim to remove it is to reboot the device into Safe Mode, where third party apps are disabled and can be uninstalled normally. To enter Safe Mode, users should typically press and hold the power button, long press Power off, and confirm the Reboot to Safe Mode prompt (though the exact method may differ by device and manufacturer). Once the phone restarts in Safe Mode, the user can go to Settings → Apps → MorganArg and uninstall it without interference.

For a more detailed analysis of PromptSpy check out the latest ESET Research blogpost “PromptSpy ushers in the era of Android threats using GenAI”  on WeLiveSecurity.com

ESET researchers have uncovered an Android spyware campaign leveraging romance scam tactics to target individuals in Pakistan. The campaign uses a malicious app posing as a chat platform that allows users to initiate conversations operated via WhatsApp. Underneath the romance charade, the real purpose of the malicious app, which ESET named GhostChat, is exfiltration of the victim’s data. The same threat actor appears to be running a broader spy operation – including a ClickFix attack leading to the compromise of victims’ computers, and a WhatsApp device-linking attack gaining access to victims’ WhatsApp accounts – thus expanding the scope of surveillance. These related attacks used websites impersonating Pakistani governmental organizations as lures. Victims obtained GhostChat from unknown sources, and it requires manual installation; it was never available on Google Play, and Google Play Protect, which is enabled by default, protects against it.

The app uses the icon of a legitimate dating app but lacks the original app’s functionality and instead serves as a lure – and tool – for espionage on mobile devices. Once logged in, victims are presented with a selection of 14 female profiles; each profile is linked to a specific WhatsApp number with a Pakistani (+92) country code. The use of local numbers reinforces the illusion that the profiles are real individuals based in Pakistan, increasing the credibility of the scam. Upon entering the correct code, the app redirects the user to WhatsApp to initiate a conversation with the assigned number – presumably operated by the threat actor.

While the victim engages with the app, and even prior to logging in, GhostChat spyware has already begun running in the background, silently monitoring device activity and exfiltrating sensitive data to a C&C server. Beyond initial exfiltration, GhostChat engages in active espionage: It sets up a content observer to monitor newly created images and uploads them as they appear. Additionally, it schedules a periodic task that scans for new documents every five minutes, ensuring continual surveillance and data harvesting.

The campaign is also connected to broader infrastructure involving ClickFix-based malware delivery and WhatsApp account hijacking techniques. These operations leverage fake websites, impersonation of national authorities, and deceptive, QR-code-based device-linking to compromise both desktop and mobile platforms. ClickFix is a social engineering technique that tricks users into manually executing malicious code on their devices by following seemingly legitimate instructions.

In addition to desktop targeting via the ClickFix attack, a malicious domain was used in a mobile-focused operation aimed at WhatsApp users. Victims were lured into joining a supposed community – posing as a channel of the Pakistan Ministry of Defence – by scanning a QR code to link their Android device or iPhone to WhatsApp Web or Desktop. Known as GhostPairing, this technique allows an adversary to gain access to the victims’ chat history and contacts, acquiring the same level of visibility and control over the account as the owners, effectively compromising their private communications.

For a more detailed analysis of GhostChat, check out the latest ESET Research blog post, “Love? Actually: Fake dating app used as lure in targeted spyware campaign in Pakistan“

The attack involved data-wiping malware that ESET researchers have now analyzed and named DynoWiper

In late 2025, Poland’s energy system faced what has been described as the “largest cyberattack” targeting the country in years. ESET Research has now found that the attack was the work of the notorious Russia-aligned APT group Sandworm.

“Based on our analysis of the malware and associated TTPs, we attribute the attack to the Russia-aligned Sandworm APT with medium confidence due to a strong overlap with numerous previous Sandworm wiper activity we analyzed,” said ESET researchers. “We’re not aware of any successful disruption occurring as a result of this attack,” they added.

Sandworm has a long history of disruptive cyberattacks, especially on Ukraine’s critical infrastructure. Meanwhile, the attack on Poland’s power grid in the last week of December involved data-wiping malware that ESET has now analyzed and named DynoWiper. ESET security solutions detect DynoWiper as Win32/KillFiles.NMO.

While details regarding the intended impact continue to be investigated, ESET researchers have highlighted the fact that the coordinated attack occurred on the 10th anniversary of the Sandworm-orchestrated attack against the Ukrainian power grid, which resulted in the first ever malware-facilitated blackout. Back in December 2015, Sandworm used the BlackEnergy malware to gain access to critical systems at several electrical substations, leaving around 230,000 people without electricity for several hours.

Fast forward a decade and Sandworm continues to target entities operating in various critical infrastructure sectors, especially in Ukraine. In their latest APT Activity Report, covering April to September 2025, ESET researchers noted that they spotted Sandworm conducting wiper attacks against targets in Ukraine on a regular basis.