The IT Nerd

ESET Research has discovered a new China-aligned APT group, LongNosedGoblin, that abuses Group Policy – a mechanism for managing settings and permissions on Windows machines, typically used with Active Directory – to deploy malware and move laterally across the compromised network. It is used to deploy cyberespionage tools across networks of governmental institutions in Southeast Asia and Japan. In 2024, ESET researchers noticed previously undocumented malware in the network of a Southeast Asian governmental entity. However, the group has been active since at least since September 2023. As of this September, ESET began observing renewed activity by the group in the region. It deploys malware across the compromised network, and cloud services (e.g., Microsoft OneDrive and Google Drive) for Command & Control (C&C).

LongNosedGoblin has several tools in its arsenal. NosyHistorian is a C#/.NET application that the group uses to collect browser history from Google Chrome, Microsoft Edge, and Mozilla Firefox, which is then used to determine where to deploy further malware. NosyDoor collects metadata about the victim’s machine, including the machine name, username, the OS version, and the name of the current process, and sends it all to the C&C. It then retrieves and parses task files with commands from the C&C. The commands allow it to exfiltrate files, delete files, and execute shell commands, among other things.

NosyStealer is used to steal browser data from Microsoft Edge and Google Chrome. NosyDownloader executes a chain of obfuscated commands, and downloads and runs a payload in memory. Among other tools used by LongNosedGoblin, ESET identified a C#/.NET keylogger NosyLogger, which seems to be a modified version of the open-source keylogger DuckSharp. Among other tools used by the group is a reverse SOCKS5 proxy, and an argument runner (a tool that runs an application passed as an argument) that was used to run a video recorder, likely FFmpeg, to capture audio and video.

For a more detailed analysis of LongNosedGoblin’s arsenal, check out the latest ESET Research blogpost “LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan” on WeLiveSecurity.com.

ESET Research has released its latest Threat Report, which summarizes threat landscape trends seen in ESET telemetry and from the perspective of both ESET threat detection and research experts, from June through November 2025.  AI-powered malware moved from theory to reality in H2 2025, as ESET discovered PromptLock – the first known AI-driven ransomware, capable of generating malicious scripts on the fly. While AI is still mainly used for crafting convincing phishing and scam content, PromptLock – and the handful of other AI-driven threats identified to this day – signal a new era of threats. 

On the ransomware scene, victim numbers surpassed 2024 totals well before year’s end, with ESET Research projections pointing to a 40% year-over-year increase. Akira and Qilin now dominate the ransomware-as-a-service market, while low-profile newcomer Warlock introduced innovative evasion techniques. EDR killers continued to proliferate, highlighting that endpoint detection and response tools remain a significant obstacle for ransomware operators.

On the mobile platform, NFC threats continued to grow in scale and sophistication, with an 87% increase in ESET telemetry and several notable upgrades and campaigns observed in H2 2025. NGate  – a pioneer among NFC threats, first discovered by ESET– received an upgrade in the form of contact stealing, likely laying the groundwork for future attacks. RatOn, entirely new malware on the NFC fraud scene, brought a rare fusion of remote access trojan (RAT) capabilities and NFC relay attacks, showing cybercriminals’ determination to pursue new attack avenues. RatOn was distributed through fake Google Play pages and ads mimicking an adult version of TikTok, and a digital bank ID service.  PhantomCard – new NGate-based malware adapted to the Brazilian market – was seen in multiple campaigns in Brazil in H2 2025.

Furthermore, after its global disruption in May, the Lumma Stealer infostealer managed to briefly resurface – twice – but its glory days are most likely over. Detections plummeted by 86% in H2 2025 compared to the first half of the year, and a significant distribution vector of Lumma Stealer – the HTML/FakeCaptcha trojan, used in ClickFix attacks – nearly vanished from ESET telemetry.

Meanwhile, CloudEyE, also known as GuLoader, surged into prominence, skyrocketing almost thirtyfold according to ESET telemetry. Distributed via malicious email campaigns, this malware-as-a-service downloader and cryptor is used to deploy other malware, including ransomware, as well as infostealer juggernauts such as Rescoms, Formbook, and Agent Tesla. Poland was most affected by this threat, with 32% of CloudEyE attack attempts in H2 2025 detected here.

For more information, check out the ESET Threat Report H2 2025 on WeLiveSecurity.com. 

ESET researchers have identified new MuddyWater activity primarily targeting organizations in Israel, with one confirmed target in Egypt. The victims in Israel were in the technology, engineering, manufacturing, local government, and educational sectors. MuddyWater, also referred to as Mango Sandstorm or TA450, is an Iran-aligned cyberespionage group known for its persistent targeting of government and critical infrastructure sectors, often leveraging custom malware and publicly available tools, and has links to the Ministry of Intelligence and National Security of Iran. In this campaign, the attackers deployed a set of previously undocumented, custom tools with the objective of improving defense evasion and persistence. New backdoor MuddyViper enables the attackers to collect system information, execute files and shell commands, transfer files, and exfiltrate Windows login credentials and browser data. The campaign leverages additional credential stealers. Among these tools is Fooder, a custom loader that masquerades as the classic Snake game.

In this campaign, initial access is typically achieved through spearphishing emails, often containing PDF attachments that link to installers for remote monitoring and management (RMM) software hosted on free file-sharing platforms such as OneHub, Egnyte, or Mega. These links lead to the download of tools including Atera, Level, PDQ, and SimpleHelp. Among the tools deployed by MuddyWater operators is also the VAX One backdoor, named after the legitimate software which it impersonates: Veeam, AnyDesk, Xerox, and the OneDrive updater service. 

The group’s continued reliance on this familiar playbook makes its activity relatively easy to detect and block. However, in this case, the group also used more advanced techniques to deploy MuddyViper, a new backdoor, by using a loader (Fooder) that reflectively loads MuddyViper into memory and executes it. Several versions of Fooder masquerade as the classic Snake game, hence the designation, MuddyViper. Another notable characteristic of Fooder is its frequent use of a custom delay function that implements the core logic of the Snake game, combined with “Sleep” API calls. These features are intended to delay execution in an attempt to hide malicious behavior from automated analysis systems. Additionally, MuddyWater developers adopted CNG, the next-generation Windows cryptographic API, which is unique for Iran-aligned groups and somewhat atypical across the broader threat landscape. During this campaign, the operators deliberately avoided hands-on-keyboard interactive sessions, which is a historically noisy technique often characterized by mistyped commands. Thus, while some components remain noisy and easily detected, as is typical for MuddyWater, overall this campaign shows signs of technical evolution – increased precision, strategic targeting, and a more advanced toolset. 

The post-compromise toolset also includes multiple credential stealers: CE-Notes, which targets Chromium-based browsers; LP-Notes, which stages and verifies stolen credentials; and Blub, which steals login data from Chrome, Edge, Firefox, and Opera browsers.

MuddyWater was first introduced to the public in 2017 by Unit 42, whose description of the group’s activity is consistent with ESET’s profiling – a focus on cyberespionage, the use of malicious documents as attachments designed to prompt users to enable macros and bypass security controls, and primarily targeting entities located in the Middle East.

Notable past activities include Operation Quicksand (2020), a cyberespionage campaign targeting Israeli government entities and telecommunications organizations, which exemplifies the group’s evolution from basic phishing tactics to more advanced, multistage operations; and a campaign targeting political groups and organizations in Türkiye, demonstrating the group’s geopolitical focus, its ability to adapt social engineering tactics to local contexts, and reliance on modular malware and flexible C&C infrastructure.

ESET has documented multiple campaigns attributed to MuddyWater that highlight the group’s evolving toolset and shifting operational focus. In March and April 2023, MuddyWater targeted an unidentified victim in Saudi Arabia, and the group conducted a campaign in January and February 2025 that was notable for its operational overlap with Lyceum (an OilRig subgroup). This cooperation suggests that MuddyWater may be acting as an initial access broker for other Iran-aligned groups.

For a more detailed analysis of the latest MuddyWater campaign, check out the latest ESET Research blogpost “MuddyWater: Snakes by the riverbank” on WeLiveSecurity.com. 

ESET researchers have discovered a network implant used by the China-aligned PlushDaemon APT group to perform adversary-in-the-middle attacks.

You can read more here: https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-network-devices-for-adversary-in-the-middle-attacks/

Ensar Seker, CISO at SOCRadar, commented:

“The attack outlined in recent reports marks a deeply concerning evolution in supply chain and update‑mechanism compromise. PlushDaemon is exploiting edge network devices, routers and similar infrastructure, via implants such as EdgeStepper to intercept DNS queries and redirect software‑update traffic toward attacker‑controlled infrastructure.   By hijacking a trusted software‑update channel, the group manages to deliver custom downloaders (e.g., LittleDaemon, DaemonicLogistics) and ultimately the SlowStepper backdoor toolkit without triggering the usual defenses around malicious attachments or phishing. 

“What makes this campaign particularly dangerous is two‑fold. First, the compromise occurs at the network infrastructure layer rather than the endpoint meaning it bypasses most EDRs, user‑based filters, and conventional supply‑chain checks.

Second, the software update system is treated as a trusted delivery mechanism, making detection and attribution extremely difficult. The attacker doesn’t need to persuade a user to click a link or open a file; they simply hijack the trust in the update process itself. This underscores how sophisticated adversaries are blending network compromise with supply chain tradecraft.

“For security teams, the implications are clear: controlling and monitoring just the “software packages” is no longer enough. Organizations must treat the update infrastructure, DNS routing paths, device firmware/routers, and trust chains as part of their threat surface. I ‘d recommend organizations map out their trusted update hierarchies, enforce signed updates end‑to‑end, monitor outbound DNS resolution patterns for anomalies (especially from network devices), and segment update‐delivery systems from general user infrastructure. The fact that PlushDaemon is operating across multiple sectors, including universities, manufacturing, automotive and regions U.S., Taiwan, New Zealand, South Korea means that no industry can consider itself immune.”

I have to admit that this is the most interesting man in the middle attack that I have seen. And it’s concerning as it requires zero user interaction. On top of that it happens further up the attack chain. That should put defenders on alert as this would be difficult to defend against.

ESET researchers have recently observed a new instance of Operation DreamJob — a campaign that ESET tracks under the umbrella of North Korea-aligned Lazarus group — in which several European companies active in the defense industry were targeted. Some of these are heavily involved in the unmanned aerial vehicle (UAV / drones) sector, suggesting that the operation may be linked to North Korea’s current efforts to scale up its drone program. The in-the-wild attacks successively targeted three companies active in the defense sector in Central and Southeastern Europe. Initial access was almost certainly achieved via social engineering. The main payload deployed to the targets was ScoringMathTea, a remote-access trojan (RAT) that offers the attackers full control over the compromised machine. The suspected primary goal of the attackers was exfiltration of proprietary information and manufacturing know-how.

In Operation DreamJob, the dominant theme of social engineering is a lucrative, but faux, job offer served with a side of malware: The target usually receives a decoy document with a job description and a trojanized PDF reader to open it. ESET Research attributes this activity with a high level of confidence to Lazarus, particularly because of its campaigns related to Operation DreamJob, and because the targeted sectors, located in Europe, align with the targets of the previous instances of Operation DreamJob (aerospace, defense, engineering).

The three targeted organizations manufacture different types of military equipment (or parts thereof), many of which are currently deployed in Ukraine as a result of European countries’ military assistance. At the time of Operation DreamJob’s observed activity, North Korean soldiers were deployed in Russia, reportedly to help Moscow repel Ukraine’s offensive in the Kursk region. It is thus possible that Operation DreamJob was interested in collecting sensitive information on some Western-made weapons systems currently employed in the Russia-Ukraine war. More generally, these entities are involved in the production of types of materiel that North Korea also manufactures domestically, and for which it might be hoping to perfect its own designs and processes. The interest in UAV-related know-how is notable, as it echoes recent media reports indicating that Pyongyang is investing heavily in domestic drone manufacturing capabilities. North Korea has relied heavily on reverse engineering and intellectual property theft to develop its domestic UAV capabilities. 

Generally, Lazarus attackers are highly active and deploy their backdoors against multiple targets. This frequent use exposes these tools and enables their detection. As a countermeasure, the group’s tools are preceded in the execution chain by a series of droppers, loaders, and simple downloaders. The attackers decided to incorporate their malicious loading routines into open-source projects available on GitHub.

The main payload, ScoringMathTea, is a complex RAT that supports around 40 commands. Its first appearance can be traced back to VirusTotal submissions from Portugal and Germany in October 2022, where its dropper posed as an Airbus-themed job offer lure. The implemented functionality is the usual required by Lazarus: manipulation of files and processes, exchanging the configuration, collecting the victim’s system info, opening a TCP connection, and executing local commands or new payloads downloaded from the C&C server. Regarding ESET telemetry, ScoringMathTea was seen in attacks against an Indian technology company in January 2023, a Polish defense company in March 2023, a British industrial automation company in October 2023, and an Italian aerospace company in September 2025. It seems that it is one of the flagship payloads for Operation DreamJob campaigns.

The group’s most significant evolution is the introduction of new libraries designed for DLL proxying and the selection of new open-source projects to trojanize for improved evasion. “For nearly three years, Lazarus has maintained a consistent modus operandi, deploying its preferred main payload, ScoringMathTea, and using similar methods to trojanize open-source applications. This predictable, yet effective, strategy delivers sufficient polymorphism to evade security detection, even if it is insufficient to mask the group’s identity and obscure the attribution process,” concludes Kálnai.

The Lazarus group (also known as HIDDEN COBRA) is an APT group linked to North Korea that has been active since at least 2009. It is responsible for high-profile incidents. The diversity, number, and eccentricity in implementation of Lazarus campaigns define this group, as well as the fact that it performs all three pillars of cybercriminal activities: cyberespionage, cybersabotage, and pursuit of financial gain.

Operation DreamJob is a codename for Lazarus campaigns that rely primarily on social engineering, specifically using fake job offers for prestigious or high-profile positions (the “dream job” lure). Targets are predominantly in the aerospace and defense sectors, followed by engineering and technology companies, and the media and entertainment sector.

For a more detailed analysis of the latest Lazarus DreamJob campaign against the UAV sector, check out the latest ESET Research blogpost “Gotta fly: Lazarus targets the UAV sector” on WeLiveSecurity.com.

ESET researchers have uncovered two Android spyware campaigns targeting individuals interested in secure communication apps, namely Signal and ToTok. These campaigns distribute malware through deceptive websites and social engineering and appear to target residents of the United Arab Emirates (UAE). ESET’s investigation led to the discovery of two previously undocumented spyware families: Android/Spy.ProSpy impersonates upgrades or plugins for the Signal app and the controversial and discontinued ToTok app, and Android/Spy.ToSpy impersonates the ToTok app. The ToSpy campaigns are ongoing, as suggested by C&C servers that remain active.

ESET Research discovered the ProSpy campaign in June 2025, and it has likely been ongoing since 2024. ProSpy is being distributed through three deceptive websites designed to impersonate communication platforms Signal and ToTok. These sites offer malicious APKs posing as improvements, disguised as a Signal Encryption Plugin and ToTok Pro. The use of a domain name ending in the substring ae.net may suggest that the campaign targets individuals residing in the United Arab Emirates, as AE is the two-letter country code for the UAE.

During the investigation, ESET discovered five more malicious APKs using the same spyware codebase, posing as an enhanced version of the ToTok messaging app under the name ToTok Pro. ToTok, a controversial free messaging and calling app developed in the United Arab Emirates, was removed from Google Play and Apple’s App Store in December 2019 due to surveillance concerns. Given that its user base is primarily located in the UAE, it is likely that ToTok Pro may be targeting users in this region, who may be more liable to download the app from unofficial sources in their own region.

Upon execution, both malicious apps request permissions to access contacts, SMS messages, and files stored on the device. If these permissions are granted, ProSpy starts exfiltrating data in the background. The Signal Encryption Plugin extracts device information, stored SMS messages, and the contact list, and it exfiltrates other files – such as chat backups, audio, video, and images.

In June 2025, ESET telemetry systems flagged another previously undocumented Android spyware family actively distributed in the wild, originating from a device located in the UAE. ESET labeled the malware Android/Spy.ToSpy. Later investigation revealed four deceptive distribution websites impersonating the ToTok app. Given the app’s regional popularity and the impersonation tactics used by the threat actors, it is reasonable to speculate that the primary targets of this spyware campaign are users in the UAE or surrounding regions. In the background, the spyware can collect and exfiltrate the following data: user contacts, device information files such as chat backups, images, documents, audio, and video, among others. ESET findings suggest that the ToSpy campaign likely began in mid-2022.

For a more detailed analysis and technical breakdown of Android/Spy.ProSpy and Android/Spy.ToSpy, check out the latest ESET Research blog post, “New spyware campaigns target privacy-conscious Android users in the UAE” on WeLiveSecurity.com.

ESET today released a new and improved version of its free ESET Basic Cybersecurity Awareness Training. The revamped Basic course introduces an immersive storyline, interactive modules, and refreshed content designed to empower employees to be the first line of defence and help organizations of all sizes reduce employee-related cyber risks. 

For companies that need to track course completions or require training that meets HIPAA, PCI, SOX, GDPR, CCPA, and cyber insurance compliance requirements, ESET offers a comprehensive 90-minute Premium Cybersecurity Awareness Training. Re-released last fall, the premium course, “Digital Shadows: Cryptic Chronicles,” offers dozens of modules, unlimited phishing simulation tests, dashboards for administrators to track learners’ status, a customizable training portal, reporting and course completion certificates, engaging gamification, and more.

The updated Basic course places employees in the role of a cyber investigator at NetDetect, a fictional cybersecurity team tasked with helping organizations recover from breaches and fortify defenses. Learners are immediately drawn into a mission supporting EVX, an electric vehicle company whose groundbreaking battery technology has made it a target for cybercriminals. Guided by a storyline, employees analyze a breach, uncover risky behaviors, and put protective practices into action. Modules cover key topics, including creating and managing strong passwords, safeguarding email and spotting phishing attempts, protecting against malware, identifying personalized attacks, and staying secure while working online.

This October, the launch coincides with the start of Cybersecurity Awareness Month. Over the last two decades, Cybersecurity Awareness Month has grown into a collaborative effort between government and industry to enhance cybersecurity awareness, encourage actions to reduce online risk, and generate discussion on cyber threats on a national and global scale. 

ESET has also launched a Cybersecurity Awareness Kit today, which includes access to the free ESET Cybersecurity Awareness Training, ESET’s 2025 H1 Threat Report, and a free 30-day business trial of ESET’s full-featured security solution. On Oct. 23, consumers can also learn about the real-world applications and vulnerabilities of facial recognition technology from ESET’s Webinar, The Rise and Risk of Facial Recognition. To explore these resources, visit https://www.eset.com/us/business/cybersecurity-awareness-month-kit/.

To learn more about ESET Cybersecurity Awareness Training – Basic and Premium offerings, visit https://www.eset.com/us/business/cybertraining/. 

ESET Research has released new findings on DeceptiveDevelopment, also known as Contagious Interview – a threat group aligned with North Korea that has grown increasingly active in recent years. The group is primarily focused on cryptocurrency theft, targeting freelance developers across Windows, Linux, and macOS platforms. The newly published research paper traces the group’s evolution from early malware families to more advanced toolsets. These campaigns rely heavily on sophisticated social engineering tactics, including fake job interviews and the ClickFix technique, to deliver malware and exfiltrate cryptocurrency. ESET also analyzed open-source intelligence (OSINT) data that sheds light on the operations of North Korean IT workers involved in fraudulent employment schemes and their ties to DeceptiveDevelopment. These findings are being presented today at the annual Virus Bulletin (VB) Conference.

DeceptiveDevelopment is a North Korea-aligned group active since at least 2023, focused on financial gain. The group targets software developers on all major systems – Windows, Linux, and macOS – and especially those in cryptocurrency and Web3 projects. Initial access is achieved exclusively via various social engineering techniques like ClickFix, and fake recruiter profiles similar to Lazarus’s Operation DreamJob to deliver trojanized codebases during staged job interviews. Its most typical payloads are the BeaverTail, OtterCookie, and WeaselStore infostealers, and the InvisibleFerret modular RAT.

The attackers opted for various methods to compromise users, relying on clever social engineering tricks. Via both fake and hijacked profiles, they pose as recruiters on platforms like LinkedIn, Upwork, Freelancer.com, and Crypto Jobs List. They offer fake lucrative job opportunities in order to attract their target’s interest. Victims are requested to participate in a coding challenge or pre-interview task.

In addition to fake recruiter accounts, the attackers have customized and improved the social engineering method called ClickFix. Victims are lured to a fake job interview site and asked to fill out a detailed application form, investing significant time and effort. At the final step, they’re prompted to record a video answer, but the site displays a camera error and offers a “How to fix” link. This link instructs users to open a terminal and copy a command that should solve the camera or microphone issue, which instead of fixing the issue, downloads and executes malware.

While research into DeceptiveDevelopment is primarily based on data from ESET telemetry and reverse-engineering the group’s toolset, it is interesting to point out its connections to fraud operations by North Korean IT workers. According to the FBI’s “Most Wanted” poster, the IT worker campaign has been ongoing since at least April 2017 and has become increasingly prominent in recent years. In a joint advisory released in May 2022, the IT worker campaign is described as a coordinated effort by North Korea-aligned workers to gain employment at overseas companies, whose salaries are then used as funding for the regime. They have also been known to steal internal company data and use it for extortion, as stated in an announcement by the FBI in January 2025.

As ESET Research discovered from available OSINT data, fake CVs, and other related materials, the IT workers mainly focus on employment and contract work in the West, specifically prioritizing the United States. However, our findings based on the acquired materials have shown a shift toward Europe, with targets in countries such as France, Poland, Ukraine, and Albania. The workers utilize AI to perform their job tasks and rely heavily on AI for manipulating photos in their profile pictures and CVs, and even perform face swaps in real-time video interviews to look like the persona they are currently using. They utilize remote interviewing platforms like Zoom, MiroTalk, FreeConference, or Microsoft Teams for various social engineering techniques. Proxy interviewing poses a severe risk to employers, since hiring of an illegitimate employee from a sanctioned country may not only be irresponsible or underperforming, but could also evolve into a dangerous insider threat.

The research paper “DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception” summarizes the evolution of the group’s two flagship toolsets, InvisibleFerret and BeaverTail. At the same time, it identifies newly discovered links between DeceptiveDevelopment’s Tropidoor backdoor and the PostNapTea RAT used by the Lazarus group. Furthermore, it provides a comprehensive analysis of TsunamiKit and WeaselStore, new toolkits used by DeceptiveDevelopment and documents the functionality of a WeaselStore C&C server and its API.

For a more detailed analysis of DeceptiveDevelopment operations and tools, check out the latest ESET Research white paper “DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception” or the brief accompanying blogpost on WeLiveSecurity.com. M

ESET Research has uncovered the first known cases of collaboration between Gamaredon and Turla. Both threat groups are associated with the main Russian intelligence agency, the FSB, and in tandem attacked high-profile targets in Ukraine. On the affected machines, Gamaredon deployed a wide range of tools, and on one of those machines, Turla was able to issue commands via Gamaredon implants.

Notably, in February 2025, ESET Research detected the execution of Turla’s Kazuar backdoor by Gamaredon’s PteroGraphin and PteroOdd on a machine in Ukraine. PteroGraphin was used to restart the Kazuar v3 backdoor, possibly after it crashed or was not launched automatically. Thus, PteroGraphin was probably used as a recovery method by Turla. This is the first time that anyone has been able to link these two groups together via technical indicators. In April and June 2025, ESET detected that Kazuar v2 was deployed using Gamaredon tools PteroOdd and PteroPaste.

Kazuar v3 is the latest branch of the Kazuar family, itself an advanced C# espionage implant that ESET believes is used exclusively by Turla; it was first seen in 2016. Other malware deployed by Gamaredon was PteroLNK, PteroStew, and PteroEffigy.

As already mentioned, both are part of the Russian FSB. According to Security Service of Ukraine, Gamaredon is thought to be operated by officers of Center 18 of the FSB (aka the Center for Information Security) in Crimea, which is part of the FSB’s counterintelligence service. As for Turla, the UK’s National Cyber Security Centre attributes the group to the Center 16 of the FSB, which is Russia’s main signals intelligence agency.

From an organizational perspective, it is worth noting that the two entities commonly associated with Turla and Gamaredon have a long history of reported collaboration, which can be traced back to the Cold War era. 2022’s full-scale invasion of Ukraine has probably reinforced this convergence, with ESET data clearly showing Gamaredon and Turla activities focusing on the Ukrainian defense sector in recent months.

Gamaredon has been active since at least 2013. It is responsible for many attacks, mostly against Ukrainian governmental institutions. Turla, also known as Snake, is an infamous cyberespionage group that has been active since at least 2004, possibly extending back into the late 1990s. It mainly focuses on high-profile targets, such as governments and diplomatic entities, in Europe, Central Asia, and the Middle East. It is known for having breached major organizations such as the US Department of Defense in 2008 and the Swiss defense company RUAG in 2014.

For a more detailed analysis and technical breakdown of Turla and Gamaredon’s interactions, check out the latest ESET Research blogpost “Gamaredon X Turla collab” on WeLiveSecurity.com

ESET Research has discovered a new threat actor, which it has named GhostRedirector. In June 2025, this threat actor compromised at least 65 Windows servers, mainly in Brazil, Thailand, Vietnam, and the United States. Other victims were located in Canada, Finland, India, the Netherlands, the Philippines, and Singapore. GhostRedirector used two previously undocumented, custom tools: a passive C++ backdoor that ESET has named Rungan, and a malicious Internet Information Services (IIS) module it has named Gamshen. GhostRedirector is very likely a China-aligned threat actor. While Rungan has the capability of executing commands on a compromised server, the purpose of Gamshen is to provide SEO fraud as-a-service to manipulate Google search engine results, boosting the page ranking of a configured target website. Its purpose is to artificially promote various gambling websites.

Besides Rungan and Gamshen, GhostRedirector also uses a series of other custom tools, in addition to the publicly known exploits EfsPotato and BadPotato, to create a privileged user on the server that can be used to download and execute other malicious components with higher privileges. Alternatively, it can be used as a fallback in case the Rungan backdoor or other malicious tools are removed from the compromised server.

While the victims are located in different geographic regions, most of the compromised servers located in the United States appear to have been leased to companies that are based in Brazil, Thailand, and Vietnam, where most of the other compromised servers are actually located. Thus, ESET Research believes that GhostRedirector was more interested in targeting victims in Latin America and Southeast Asia. GhostRedirector hasn’t shown interest in a particular vertical or sector; instead, ESET has identified victims across multiple sectors, including education, healthcare, insurance, transportation, technology, and retail.

Based on ESET telemetry, GhostRedirector probably gains initial access to its victims by exploiting a vulnerability, likely an SQL Injection.  The attackers compromise a Windows server, then download and execute various malicious tools: a privilege escalation tool, malware that drops multiple webshells, or the already mentioned backdoor and IIS Trojan. In addition to the obvious purpose of the privilege escalation tools, they can also be used as a fallback in case the group loses access to the compromised server. Backdoor capabilities include network communication, file execution, directory listing, and manipulating both Services and Windows registry keys.

ESET telemetry detected attacks by GhostRedirector between December 2024 and April 2025, and an internet-wide scan from June 2025 identified further victims. ESET notified all the identified victims it discovered via the scan about the compromise. Mitigation recommendations can be found in our previously published comprehensive white paper.

For a more detailed analysis and technical breakdown of GhostRedirector, check out the latest ESET Research blogpost, “GhostRedirector poisons Windows servers: Backdoors with a side of Potatoes,” on WeLiveSecurity.com.

Countries where GhostRedirector victims were detected: