Archive for ESET

ESET Research discovers new spyware posing as messaging apps targeting users in the UAE

Posted in Commentary with tags on October 7, 2025 by itnerd

ESET researchers have uncovered two Android spyware campaigns targeting individuals interested in secure communication apps, namely Signal and ToTok. These campaigns distribute malware through deceptive websites and social engineering and appear to target residents of the United Arab Emirates (UAE). ESET’s investigation led to the discovery of two previously undocumented spyware families: Android/Spy.ProSpy impersonates upgrades or plugins for the Signal app and the controversial and discontinued ToTok app, and Android/Spy.ToSpy impersonates the ToTok app. The ToSpy campaigns are ongoing, as suggested by C&C servers that remain active.

ESET Research discovered the ProSpy campaign in June 2025, and it has likely been ongoing since 2024. ProSpy is being distributed through three deceptive websites designed to impersonate communication platforms Signal and ToTok. These sites offer malicious APKs posing as improvements, disguised as a Signal Encryption Plugin and ToTok Pro. The use of a domain name ending in the substring ae.net may suggest that the campaign targets individuals residing in the United Arab Emirates, as AE is the two-letter country code for the UAE.

During the investigation, ESET discovered five more malicious APKs using the same spyware codebase, posing as an enhanced version of the ToTok messaging app under the name ToTok Pro. ToTok, a controversial free messaging and calling app developed in the United Arab Emirates, was removed from Google Play and Apple’s App Store in December 2019 due to surveillance concerns. Given that its user base is primarily located in the UAE, it is likely that ToTok Pro is targeting users in this region, who may be more likely to download the app from unofficial sources in their own region.

Upon execution, both malicious apps request permissions to access contacts, SMS messages, and files stored on the device. If these permissions are granted, ProSpy starts exfiltrating data in the background. The Signal Encryption Plugin extracts device information, stored SMS messages, and the contact list, and it exfiltrates other files – such as chat backups, audio, video, and images.

In June 2025, ESET telemetry systems flagged another previously undocumented Android spyware family actively distributed in the wild, originating from a device located in the UAE. ESET labeled the malware Android/Spy.ToSpy. Later investigation revealed four deceptive distribution websites impersonating the ToTok app. Given the app’s regional popularity and the impersonation tactics used by the threat actors, it is reasonable to speculate that the primary targets of this spyware campaign are users in the UAE or surrounding regions. In the background, the spyware can collect and exfiltrate the following data: user contacts, device information, and files such as chat backups, images, documents, audio, and video, among others. ESET findings suggest that the ToSpy campaign likely began in mid-2022.

For a more detailed analysis and technical breakdown of Android/Spy.ProSpy and Android/Spy.ToSpy, check out the latest ESET Research blog post, “New spyware campaigns target privacy-conscious Android users in the UAE” on WeLiveSecurity.com.

ESET Enhances its Basic Cybersecurity Awareness Training and Releases Free Resources for Cybersecurity Awareness Month

Posted in Commentary with tags on October 7, 2025 by itnerd

ESET today released a new and improved version of its free ESET Basic Cybersecurity Awareness Training. The revamped Basic course introduces an immersive storyline, interactive modules, and refreshed content designed to empower employees to be the first line of defence and help organizations of all sizes reduce employee-related cyber risks. 

For companies that need to track course completions or require training that meets HIPAA, PCI, SOX, GDPR, CCPA, and cyber insurance compliance requirements, ESET offers a comprehensive 90-minute Premium Cybersecurity Awareness Training. Re-released last fall, the premium course, “Digital Shadows: Cryptic Chronicles,” offers dozens of modules, unlimited phishing simulation tests, dashboards for administrators to track learners’ status, a customizable training portal, reporting and course completion certificates, engaging gamification, and more.

The updated Basic course places employees in the role of a cyber investigator at NetDetect, a fictional cybersecurity team tasked with helping organizations recover from breaches and fortify defenses. Learners are immediately drawn into a mission supporting EVX, an electric vehicle company whose groundbreaking battery technology has made it a target for cybercriminals. Guided by a storyline, employees analyze a breach, uncover risky behaviors, and put protective practices into action. Modules cover key topics, including creating and managing strong passwords, safeguarding email and spotting phishing attempts, protecting against malware, identifying personalized attacks, and staying secure while working online.

This October, the launch coincides with the start of Cybersecurity Awareness Month. Over the last two decades, Cybersecurity Awareness Month has grown into a collaborative effort between government and industry to enhance cybersecurity awareness, encourage actions to reduce online risk, and generate discussion on cyber threats on a national and global scale. 

ESET has also launched a Cybersecurity Awareness Kit today, which includes access to the free ESET Cybersecurity Awareness Training, ESET’s 2025 H1 Threat Report, and a free 30-day business trial of ESET’s full-featured security solution. On Oct. 23, consumers can also learn about the real-world applications and vulnerabilities of facial recognition technology from ESET’s Webinar, The Rise and Risk of Facial Recognition. To explore these resources, visit https://www.eset.com/us/business/cybersecurity-awareness-month-kit/.

To learn more about ESET Cybersecurity Awareness Training – Basic and Premium offerings, visit https://www.eset.com/us/business/cybertraining/.

ESET Research has a deep dive into DeceptiveDevelopment, North Korean crypto theft via fake job offers

Posted in Commentary with tags on September 29, 2025 by itnerd

ESET Research has released new findings on DeceptiveDevelopment, also known as Contagious Interview – a threat group aligned with North Korea that has grown increasingly active in recent years. The group is primarily focused on cryptocurrency theft, targeting freelance developers across Windows, Linux, and macOS platforms. The newly published research paper traces the group’s evolution from early malware families to more advanced toolsets. These campaigns rely heavily on sophisticated social engineering tactics, including fake job interviews and the ClickFix technique, to deliver malware and exfiltrate cryptocurrency. ESET also analyzed open-source intelligence (OSINT) data that sheds light on the operations of North Korean IT workers involved in fraudulent employment schemes and their ties to DeceptiveDevelopment. These findings are being presented today at the annual Virus Bulletin (VB) Conference.

DeceptiveDevelopment is a North Korea-aligned group active since at least 2023, focused on financial gain. The group targets software developers on all major systems – Windows, Linux, and macOS – and especially those in cryptocurrency and Web3 projects. Initial access is achieved exclusively via various social engineering techniques like ClickFix, and fake recruiter profiles similar to Lazarus’s Operation DreamJob to deliver trojanized codebases during staged job interviews. Its most typical payloads are the BeaverTail, OtterCookie, and WeaselStore infostealers, and the InvisibleFerret modular RAT.

The attackers opted for various methods to compromise users, relying on clever social engineering tricks. Via both fake and hijacked profiles, they pose as recruiters on platforms like LinkedIn, Upwork, Freelancer.com, and Crypto Jobs List. They offer fake lucrative job opportunities in order to attract their target’s interest. Victims are requested to participate in a coding challenge or pre-interview task.

In addition to fake recruiter accounts, the attackers have customized and improved the social engineering method called ClickFix. Victims are lured to a fake job interview site and asked to fill out a detailed application form, investing significant time and effort. At the final step, they’re prompted to record a video answer, but the site displays a camera error and offers a “How to fix” link. This link instructs users to open a terminal and copy a command that should solve the camera or microphone issue, which instead of fixing the issue, downloads and executes malware.

While research into DeceptiveDevelopment is primarily based on data from ESET telemetry and reverse-engineering the group’s toolset, it is interesting to point out its connections to fraud operations by North Korean IT workers. According to the FBI’s “Most Wanted” poster, the IT worker campaign has been ongoing since at least April 2017 and has become increasingly prominent in recent years. In a joint advisory released in May 2022, the IT worker campaign is described as a coordinated effort by North Korea-aligned workers to gain employment at overseas companies, whose salaries are then used as funding for the regime. They have also been known to steal internal company data and use it for extortion, as stated in an announcement by the FBI in January 2025.

As ESET Research discovered from available OSINT data, fake CVs, and other related materials, the IT workers mainly focus on employment and contract work in the West, specifically prioritizing the United States. However, our findings based on the acquired materials have shown a shift toward Europe, with targets in countries such as France, Poland, Ukraine, and Albania. The workers utilize AI to perform their job tasks and rely heavily on AI for manipulating photos in their profile pictures and CVs, and even perform face swaps in real-time video interviews to look like the persona they are currently using. They utilize remote interviewing platforms like Zoom, MiroTalk, FreeConference, or Microsoft Teams for various social engineering techniques. Proxy interviewing poses a severe risk to employers, since an illegitimate employee hired from a sanctioned country may not only be irresponsible or underperforming, but could also evolve into a dangerous insider threat.

The research paper “DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception” summarizes the evolution of the group’s two flagship toolsets, InvisibleFerret and BeaverTail. At the same time, it identifies newly discovered links between DeceptiveDevelopment’s Tropidoor backdoor and the PostNapTea RAT used by the Lazarus group. Furthermore, it provides a comprehensive analysis of TsunamiKit and WeaselStore, new toolkits used by DeceptiveDevelopment and documents the functionality of a WeaselStore C&C server and its API.

For a more detailed analysis of DeceptiveDevelopment operations and tools, check out the latest ESET Research white paper “DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception” or the brief accompanying blogpost on WeLiveSecurity.com.

ESET Research: Russian FSB-linked Gamaredon and Turla team up to target high-profile Ukrainian entities

Posted in Commentary with tags on September 23, 2025 by itnerd

ESET Research has uncovered the first known cases of collaboration between Gamaredon and Turla. Both threat groups are associated with the main Russian intelligence agency, the FSB, and in tandem attacked high-profile targets in Ukraine. On the affected machines, Gamaredon deployed a wide range of tools, and on one of those machines, Turla was able to issue commands via Gamaredon implants.

Notably, in February 2025, ESET Research detected the execution of Turla’s Kazuar backdoor by Gamaredon’s PteroGraphin and PteroOdd on a machine in Ukraine. PteroGraphin was used to restart the Kazuar v3 backdoor, possibly after it crashed or was not launched automatically. Thus, PteroGraphin was probably used as a recovery method by Turla. This is the first time that anyone has been able to link these two groups together via technical indicators. In April and June 2025, ESET detected that Kazuar v2 was deployed using Gamaredon tools PteroOdd and PteroPaste.

Kazuar v3 is the latest branch of the Kazuar family, itself an advanced C# espionage implant that ESET believes is used exclusively by Turla; it was first seen in 2016. Other malware deployed by Gamaredon were PteroLNK, PteroStew, and PteroEffigy.

As already mentioned, both groups are associated with the Russian FSB. According to the Security Service of Ukraine, Gamaredon is thought to be operated by officers of Center 18 of the FSB (aka the Center for Information Security) in Crimea, which is part of the FSB’s counterintelligence service. As for Turla, the UK’s National Cyber Security Centre attributes the group to Center 16 of the FSB, which is Russia’s main signals intelligence agency.

From an organizational perspective, it is worth noting that the two entities commonly associated with Turla and Gamaredon have a long history of reported collaboration, which can be traced back to the Cold War era. The full-scale invasion of Ukraine in 2022 has probably reinforced this convergence, with ESET data clearly showing Gamaredon and Turla activities focusing on the Ukrainian defense sector in recent months.

Gamaredon has been active since at least 2013. It is responsible for many attacks, mostly against Ukrainian governmental institutions. Turla, also known as Snake, is an infamous cyberespionage group that has been active since at least 2004, possibly extending back into the late 1990s. It mainly focuses on high-profile targets, such as governments and diplomatic entities, in Europe, Central Asia, and the Middle East. It is known for having breached major organizations such as the US Department of Defense in 2008 and the Swiss defense company RUAG in 2014.

For a more detailed analysis and technical breakdown of Turla and Gamaredon’s interactions, check out the latest ESET Research blogpost “Gamaredon X Turla collab” on WeLiveSecurity.com.

ESET Research discovers new Chinese threat group: GhostRedirector manipulates Google, poisons Windows servers with backdoors

Posted in Commentary with tags on September 11, 2025 by itnerd

ESET Research has discovered a new threat actor, which it has named GhostRedirector. In June 2025, this threat actor compromised at least 65 Windows servers, mainly in Brazil, Thailand, Vietnam, and the United States. Other victims were located in Canada, Finland, India, the Netherlands, the Philippines, and Singapore. GhostRedirector used two previously undocumented, custom tools: a passive C++ backdoor that ESET has named Rungan, and a malicious Internet Information Services (IIS) module it has named Gamshen. GhostRedirector is very likely a China-aligned threat actor. While Rungan has the capability of executing commands on a compromised server, the purpose of Gamshen is to provide SEO fraud as-a-service to manipulate Google search engine results, boosting the page ranking of a configured target website. Its purpose is to artificially promote various gambling websites.

Besides Rungan and Gamshen, GhostRedirector also uses a series of other custom tools, in addition to the publicly known exploits EfsPotato and BadPotato, to create a privileged user on the server that can be used to download and execute other malicious components with higher privileges. Alternatively, it can be used as a fallback in case the Rungan backdoor or other malicious tools are removed from the compromised server.

While the victims are located in different geographic regions, most of the compromised servers located in the United States appear to have been leased to companies that are based in Brazil, Thailand, and Vietnam, where most of the other compromised servers are actually located. Thus, ESET Research believes that GhostRedirector was more interested in targeting victims in Latin America and Southeast Asia. GhostRedirector hasn’t shown interest in a particular vertical or sector; instead, ESET has identified victims across multiple sectors, including education, healthcare, insurance, transportation, technology, and retail.

Based on ESET telemetry, GhostRedirector probably gains initial access to its victims by exploiting a vulnerability, likely an SQL Injection. The attackers compromise a Windows server, then download and execute various malicious tools: a privilege escalation tool, malware that drops multiple webshells, or the already mentioned backdoor and IIS Trojan. In addition to the obvious purpose of the privilege escalation tools, they can also be used as a fallback in case the group loses access to the compromised server. Backdoor capabilities include network communication, file execution, directory listing, and manipulating both Services and Windows registry keys.

ESET telemetry detected attacks by GhostRedirector between December 2024 and April 2025, and an internet-wide scan from June 2025 identified further victims. ESET notified all the identified victims it discovered via the scan about the compromise. Mitigation recommendations can be found in our previously published comprehensive white paper.

For a more detailed analysis and technical breakdown of GhostRedirector, check out the latest ESET Research blogpost, “GhostRedirector poisons Windows servers: Backdoors with a side of Potatoes,” on WeLiveSecurity.com.

Countries where GhostRedirector victims were detected: Brazil, Thailand, Vietnam, the United States, Canada, Finland, India, the Netherlands, the Philippines, and Singapore.

ESET Canada Celebrates 10 Years 

Posted in Commentary with tags on August 13, 2025 by itnerd

ESET today celebrates the ten year anniversary of its Canadian operations. Since August 13, 2015, ESET Canada has grown steadily, earning the trust of more than 15,000 businesses nationwide. The Canadian sales and marketing operations in Toronto are strengthened through collaboration with the ESET Research Centre in Montreal, a key contributor to the company’s global threat research and regional threat detection capabilities. 

As an advocate for cybersecurity innovation in Canada, ESET has forged strong ties with leading tech ecosystems, including the city of Markham, home to its Canadian head office. Markham’s vibrant technology sector and collaborative business environment make it a strategic base for ESET’s continued engagement coast-to-coast. 

Over the past decade, ESET Canada has grown its presence through strong reseller partnerships, a focus on key verticals such as education, manufacturing and critical infrastructure, and expanded services to meet the evolving threat landscape.

10 highlights from ESET Canada’s 10-year journey include:

  • Nationwide Expansion: Enhanced presence across Canada, including increased support and engagement in Western Canada through dedicated tech, sales, and customer-facing roles. 
  • Brand Visibility: Secured the company’s first major league sponsorship with the Calgary Flames.  
  • Cloud-First Infrastructure: Opened a Canadian data centre to address data sovereignty. Today, more than 51 per cent of ESET Canada’s endpoint customers are on the cloud, surpassing the national average of 48.1 per cent. (Analysis: Mason) 
  • Strategic Relocation: Moved operations to Markham to deepen ties with Canada’s innovation hub. 
  • Industry Recognition: In 2025, ESET Canada received its 17th eCN Reseller Choice Award and its first Markham Board of Trade Excellence Award for High Quality and Service. 
  • Partner-First Mode: Established a robust partner ecosystem, with 95 per cent of revenue flowing through the reseller channel. 
  • MSP Growth: Achieved consistent double-digit growth in MSP (Managed Service Provider) sales, driven by strong partner enablement, scalable offerings, and growing demand for flexible, subscription-based cybersecurity solutions. 
  • MDR Expansion: Launched and scaled MDR (Managed Detection and Response) — now ESET Canada’s fastest-growing service. 
  • Market Positioning: Maintained a consistent top 8 market position in the Endpoint Protection Platform (EPP) according to Gartner. In a rapidly shifting vendor landscape, ESET’s stability and trusted performance continue to stand out.  
  • Customer Loyalty: Achieved a Net Promoter Score (NPS) of 54, far above industry benchmarks and a clear sign of customer trust. 

In addition to supporting more than 15,000 Canadian businesses, ESET helps safeguard households and individuals across the country with award-winning protection for smartphones, laptops, and connected homes.

This milestone in Canada comes as ESET celebrates 35 years as a global pioneer in proactive digital protection. Since 1987, ESET has grown into one of the world’s leading cybersecurity companies, protecting more than 100 million users across 180 countries with innovative, AI-native security solutions.  

ESET maintains regional offices in Bratislava, San Diego, Singapore, and Buenos Aires, supporting its vision of building a safer digital future for everyone. 

ESET Research: Russian RomCom group exploits new vulnerability, targets companies in Europe and Canada

Posted in Commentary with tags on August 11, 2025 by itnerd

ESET researchers have discovered a previously unknown vulnerability in WinRAR, exploited in the wild by the Russia-aligned group RomCom. According to ESET telemetry, malicious archives were used in spearphishing campaigns between July 18 and July 21, 2025, targeting financial, manufacturing, defense, and logistics companies in Europe and Canada. The aim of the attacks was cyberespionage. This is at least the third time that RomCom has been caught exploiting a significant zero-day vulnerability in the wild.

Disguised as an application document, the weaponized archives exploited a path traversal flaw to compromise their targets. In the spearphishing email, the attackers sent a CV hoping that a curious target would open it. According to ESET telemetry, none of the targets were compromised. The attackers, however, had conducted reconnaissance beforehand and the emails were highly targeted. Successful exploitation attempts delivered various backdoors used by the RomCom group – specifically, a SnipBot variant, RustyClaw, and the Mythic agent.
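The post does not describe the WinRAR flaw itself, only that the archives relied on path traversal, so the following is an added, generic illustration of the defensive check an extraction tool should perform; it is not ESET’s or the RomCom group’s code. It uses Python’s standard zipfile module on a constructed in-memory archive (the entry names are made up for the demonstration) and refuses any entry whose name would land outside the chosen extraction directory, whether through `..` components, an absolute path, or a Windows drive letter.

```python
import io
import os
import posixpath
import zipfile


def is_unsafe_entry(name: str, dest_dir: str) -> bool:
    """Return True if extracting an archive entry called `name` into
    dest_dir could write outside dest_dir (path traversal)."""
    # Archives written on Windows may carry backslash separators.
    normalised = name.replace("\\", "/")
    # Absolute POSIX paths and Windows drive-letter paths (C:/...) escape
    # the destination no matter where it is.
    if posixpath.isabs(normalised) or (len(normalised) > 1 and normalised[1] == ":"):
        return True
    parts = [p for p in normalised.split("/") if p not in ("", ".")]
    # Any ".." component is treated as traversal, even if it would
    # normalise back inside the destination.
    if ".." in parts:
        return True
    # Final check: resolve the would-be target and confirm it stays under root.
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, *parts)) if parts else root
    return os.path.commonpath([root, target]) != root


def audit_archive(zip_bytes: bytes, dest_dir: str = "/tmp/extract") -> list:
    """Return the names of entries that must not be extracted."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if is_unsafe_entry(info.filename, dest_dir):
                flagged.append(info.filename)
    return flagged


def build_sample_archive() -> bytes:
    """Constructed sample archive: one benign entry plus two traversal entries.
    The names are illustrative and not taken from any real campaign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("cv.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("../../outside.txt", b"would land above the extraction directory")
        zf.writestr("C:/Users/Public/outside.dll", b"absolute Windows path")
    return buf.getvalue()


if __name__ == "__main__":
    for entry in audit_archive(build_sample_archive()):
        print("refusing to extract:", entry)
```

The check is deliberately stricter than a pure normalise-and-compare: a name such as `docs/../cv.pdf` would resolve inside the destination, but a legitimate archive has no reason to contain `..`, so rejecting it outright costs nothing and removes a class of edge cases around symlinks and case-insensitive file systems.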

ESET Research attributes the observed activities to RomCom with high confidence based on the targeted region, tactics, techniques, and procedures (TTPs), and the malware used. RomCom (also known as Storm-0978, Tropical Scorpius, or UNC2596) is a Russia-aligned group that conducts both opportunistic campaigns against selected business verticals and targeted espionage operations. The group’s focus has shifted to include espionage operations collecting intelligence, in parallel with its more conventional cybercrime operations. The backdoor used by the group is capable of executing commands and downloading additional modules to the victim’s machine. It is not the first time that RomCom has used exploits to compromise its victims. In June 2023, the group performed a spearphishing campaign targeting defense and governmental entities in Europe, with lures related to the Ukrainian World Congress.

For a more detailed analysis and technical breakdown of RomCom’s latest campaign, check out the latest ESET Research blogpost “RomCom exploits a new vulnerability in the wild, this time in WinRAR” on WeLiveSecurity.com.

ESET North America Announces Winners of the Tenth Annual Women in Cybersecurity Scholarship

Posted in Commentary with tags on June 30, 2025 by itnerd

ESET is proud to announce the winners of its tenth annual Women in Cybersecurity Scholarship. Selected from a highly competitive pool of applicants across the US and Canada, the ten scholarship recipients impressed the review panel with their academic achievements, passion for cybersecurity, and commitment to making a positive impact in STEM fields.

This year marks a milestone in the program’s evolution with the continued expansion of the Cybersecurity Trailblazer Award Tier, a designation reserved for the most exceptional applicants who have demonstrated outstanding technical proficiency, leadership, and a deep, sustained focus on cybersecurity. The recipients of this year’s Cybersecurity Trailblazer Awards in the U.S. are Alexis Eskenazi, Crystal Yang, and Ismat Jarin, each receiving a $10,000 scholarship in recognition of their exemplary work. The Canadian Trailblazer recipients are Azka Siddiqui and Constance Prevot, each receiving a $5,000 scholarship for their remarkable contributions and potential to drive change within the field.

This year, Canada also saw the launch of the Future Leader Award, a new scholarship tier recognizing emerging talent with strong potential in the field of cybersecurity. Five students were selected to receive $1,000 scholarships: Yushika Jhundoo, Meadow Agbor, Tina Ismail, Vrinda Joshi, and Yashvi Shah. Together, these individuals have shown exceptional promise as future leaders in cybersecurity. Their ambitions and achievements reflect the values at the heart of the Women in Cybersecurity Scholarship: innovation, inclusion, and impact.

ESET North America awarded $45,000 in scholarships this year to celebrate the program’s tenth anniversary, reaffirming its commitment to building a more inclusive and secure digital future.

Learn more about the Trailblazer Award recipients:

Alexis Eskenazi, Berkeley, California, United States: Alexis Eskenazi’s journey into cybersecurity began with competitive robotics, where building championship-level robots sparked her interest in how connected systems function. That passion led her to launch Eskenazi Ed-Tech & AI Consulting, bringing hands-on STEM education to over 400 students globally. From mentoring the world’s first all-female Indigenous robotics team in New Zealand to researching vulnerabilities in U.S. healthcare and semiconductor infrastructure, Alexis blends technical insight with education and policy to advance a more secure, inclusive digital world.

Crystal Yang, Katy, Texas, United States: Crystal Yang’s interest in cybersecurity was sparked by watching scam-baiting videos, which seem humorous on the surface, but reveal just how vulnerable people can be to social engineering. Determined to fight back, she built TimeWaster3000, an AI-powered bot that wastes scammers’ time using natural language processing and speech recognition. As the founder of Audemy.org, Crystal has also created AI-driven educational games used by more than 5,000 blind and visually impaired students worldwide and implemented in 19 schools. Today, she is focused on cybersecurity projects aimed at scam awareness and social engineering defense for businesses.

Ismat Jarin, Irvine, California, United States: Ismat Jarin’s path to cybersecurity began in her home country, where early experiences with societal biases and privacy violations fueled her resolve to protect underrepresented communities through technology. She became the first woman from her town to rank in the top 2% nationally for admission to her country’s top engineering university, later earning a Master’s in Systems and Security from UM Dearborn and now pursuing a Ph.D. at UC Irvine. Her research explores privacy risks in AI/LLMs and emerging technologies and has been published at leading conferences like PETS, NeurIPS(WiML) and CODASPY. Beyond research, Ismat is a passionate mentor and advocate, helping first-generation and underrepresented students find belonging and success in cybersecurity.

Azka Siddiqui, Mississauga, Ontario, Canada: Azka Siddiqui’s passion for computer science began in fourth grade when she programmed Dash robots during a classroom activity, sparking her fascination with the intersection of hardware and software. Her interest in cybersecurity solidified during a 2024 internship at Nokia, where she helped refine an advanced filter tool that monitored over 10,000 alarms. In addition to furthering her technical skills, Azka serves as Vice Chair of a national nonprofit empowering girls in STEM, has led a coding club spanning three Canadian provinces, and conducted research on smart-grid anomaly detection and eye-tracking technologies in university labs. This fall, Azka will begin her Honours Bachelor of Applied Science in Computer Engineering at the University of Waterloo, where she plans to focus on cybersecurity and AI with an emphasis on making digital spaces safer for women.

Constance Prevot, Mount Royal, Quebec, Canada: Constance Prevot’s journey into cybersecurity began at Concordia University, where a Capture-The-Flag competition sparked a passion that would shape her academic and professional path. She has since represented Canada at the 2024 International Cybersecurity Competition in Chile, served as a SOC Analyst at OnePoint for Desjardins, conducted adversary-focused research at GoSecure, and co-presented her findings at conferences including HOPE and BSides. As President of Concordia University’s Software Engineering and Computer Science Society, she has led initiatives to make cybersecurity education more accessible, including launching “compétitionsquebec,” a platform cataloging local competitions and training resources.

Future Leader Awards: This inaugural award proudly recognizes five exceptional students who exemplify the next generation of innovators and changemakers. With a $1,000 award, these students are being honored not only for their academic excellence but also for their passion and potential to shape the future of technology. This year’s awardees are:

  • Yushika Jhundoo (Ottawa, ON) – Computer Science, University of Ottawa: Tech community builder and cybersecurity enthusiast dedicated to inclusive outreach and digital empowerment.
  • Meadow Agbor (Calgary, AB) – Computer Information Systems, Mount Royal University (MRU): Cybersecurity intern and youth mentor with a passion for digital safety and inclusive community engagement.
  • Tina Ismail (Mississauga, ON) – Electrical Engineering, McMaster University: Cybersecurity enthusiast and IEEE leader blending technical innovation, educational research, and creative expression.
  • Vrinda Joshi (Markham, ON) – Systems Design Engineering (Co-op), University of Waterloo: STEM equity advocate and nonprofit co-founder empowering youth through coding, robotics, and hands-on innovation.
  • Yashvi Shah (Caledon, ON) – Computer Engineering (Co-op), University of Toronto: Innovative researcher and tech educator with experience in AI, 3D simulation, and youth empowerment through coding and wellness initiatives.

Learn more about the Women in Cybersecurity Scholarship here.

Iran-aligned BladedFeline spies on Iraqi and Kurdish officials: ESET

Posted in Commentary with tags on June 19, 2025 by itnerd

The Iran-aligned threat group BladedFeline has targeted Kurdish and Iraqi government officials in a recent cyber-espionage campaign, according to ESET researchers. The group deployed a range of malicious tools discovered within the compromised systems, indicating a continued effort to maintain and expand access to high-ranking officials and government organizations in Iraq and the Kurdish region. The latest campaign highlights BladedFeline’s evolving capabilities, featuring two tunneling tools (Laret and Pinar), various supplementary tools, and, most notably, a custom backdoor Whisper and a malicious Internet Information Services (IIS) module PrimeCache, both identified and named by ESET.

Whisper logs into a compromised webmail account on a Microsoft Exchange server and uses it to communicate with the attackers via email attachments. PrimeCache is a malicious IIS module that also serves as a backdoor; it bears similarities to the RDAT backdoor used by the OilRig Advanced Persistent Threat (APT) group.
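PrimeCache here and Gamshen in the GhostRedirector post above are both malicious native IIS modules, and a native module only runs if it is registered in the server’s applicationHost.config under `<globalModules>`. The following added example (not ESET’s tooling, and not based on either module’s actual registration details, which the posts do not give) parses a constructed config fragment with Python’s standard ElementTree and flags any native module whose image path lies outside the directories IIS and the .NET runtime normally load from. The module names and paths in the sample are made up; the last entry stands in for what a finding looks like.

```python
import xml.etree.ElementTree as ET

# Constructed fragment in the shape of %windir%\System32\inetsrv\config\applicationHost.config.
# "CacheHelperModule" is a made-up entry loaded from an unusual location.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="ManagedEngineV4.0_64bit" image="%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll" preCondition="integratedMode,runtimeVersionv4.0,bitness64" />
      <add name="CacheHelperModule" image="C:\inetpub\temp\cachehelper.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Directories from which IIS and the .NET runtime normally load native modules
# (lower-cased for comparison). This is an allowlist heuristic: a legitimately
# installed third-party module elsewhere on disk will also be flagged for review.
TRUSTED_PREFIXES = (
    "%windir%\\system32\\inetsrv\\",
    "%systemroot%\\system32\\inetsrv\\",
    "%windir%\\microsoft.net\\",
)


def list_global_modules(config_xml: str) -> dict:
    """Map each native module name registered in <globalModules> to its image path."""
    root = ET.fromstring(config_xml)
    modules = {}
    # Iterate by tag instead of by path: the parent tag "system.webServer"
    # contains a dot, which ElementTree's path syntax would misparse.
    for global_modules in root.iter("globalModules"):
        for add in global_modules.findall("add"):
            modules[add.get("name")] = add.get("image", "")
    return modules


def suspicious_modules(config_xml: str) -> list:
    """Return names of native modules whose image lies outside the trusted directories."""
    flagged = []
    for name, image in list_global_modules(config_xml).items():
        lowered = image.lower().replace("/", "\\")
        if not lowered.startswith(TRUSTED_PREFIXES):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    images = list_global_modules(SAMPLE_CONFIG)
    for name in suspicious_modules(SAMPLE_CONFIG):
        print("review native IIS module:", name, "->", images[name])
```

A path allowlist is a triage aid, not a verdict: a flagged module should be checked for a valid code signature, its hash compared against the vendor’s release, and its registration correlated with change timestamps on the config file, since a legitimately installed third-party module can live outside the inetsrv directory while a malicious one could be dropped into it.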

Based on these code similarities, as well as on further evidence presented in the blogpost, ESET assesses that BladedFeline is very likely a subgroup of OilRig, an Iran-aligned APT group going after governments and businesses in the Middle East. The initial implants in the latest campaign can be traced back to OilRig. These tools reflect the group’s strategic focus on persistence and stealth within targeted networks.

BladedFeline has worked consistently to maintain illicit access to Kurdish diplomatic officials, while simultaneously exploiting a regional telecommunications provider in Uzbekistan, and developing and maintaining access to officials in the government of Iraq.

ESET Research assesses that BladedFeline is targeting the Kurdish and Iraqi governments for cyberespionage purposes, with an eye toward maintaining strategic access to the computers of high-ranking officials in both governmental entities. The Kurdish diplomatic relationship with Western nations, coupled with the oil reserves in the Kurdistan region, makes it an enticing target for Iran-aligned threat actors to spy on and potentially manipulate. In Iraq, these threat actors are most probably trying to counter the influence of Western governments following the US invasion and occupation of the country.

In 2023, ESET Research discovered that BladedFeline targeted Kurdish diplomatic officials with the Shahmaran backdoor, and previously reported on its activities in ESET APT Activity reports. The group has been active since at least 2017, when it compromised officials within the Kurdistan Regional Government, but is not the only subgroup of OilRig that ESET Research is monitoring. ESET has been tracking Lyceum, also known as HEXANE or Storm-0133, as another OilRig subgroup. Lyceum focuses on targeting various Israeli organizations, including governmental and local governmental entities and organizations in healthcare.

ESET expects that BladedFeline will persist with implant development in order to maintain and expand access within its compromised victim set for cyberespionage.

For a more detailed analysis and technical breakdown of BladedFeline’s tools used in Operation RoundPress, check out the latest ESET Research blogpost “Whispering in the dark” on WeLiveSecurity.com.

ESET participates in operation to disrupt the infrastructure of Danabot infostealer

Posted in Commentary with tags on June 2, 2025 by itnerd

ESET has participated in a major infrastructure disruption of the notorious infostealer Danabot, led by the US Department of Justice, the FBI, and the US Department of Defense’s Defense Criminal Investigative Service. U.S. agencies worked closely with Germany’s Bundeskriminalamt, the Netherlands’ National Police, and the Australian Federal Police. ESET took part in the effort alongside Amazon, CrowdStrike, Flashpoint, Google, Intel471, PayPal, Proofpoint, Team Cymru and Zscaler. ESET Research, which has been tracking Danabot since 2018, contributed assistance that included providing technical analysis of the malware and its backend infrastructure, as well as identifying Danabot’s C&C servers. During that period, ESET analyzed various Danabot campaigns all over the world, with Poland, Italy, Spain and Turkey historically being among the most targeted countries. The joint takedown effort also led to the identification of individuals responsible for Danabot development, sales, administration, and more.

These law enforcement operations were conducted under Operation Endgame — an ongoing global initiative aimed at identifying, dismantling, and prosecuting cybercriminal networks. Coordinated by Europol and Eurojust, the operation successfully took down critical infrastructure used to deploy ransomware through malicious software.

The authors of Danabot operate as a single group, offering their tool for rental to affiliates, who then use it for their own purposes by establishing and managing their own botnets. Danabot’s authors have developed a wide variety of features to assist customers with their malevolent motives. The most prominent features offered by Danabot include: the ability to steal various data from browsers, mail clients, FTP clients, and other popular software; keylogging and screen recording; real-time remote control of the victims’ systems; file grabbing (commonly used for stealing cryptocurrency wallets); support for Zeus-like webinjects and form grabbing; and arbitrary payload upload and execution. Beyond its stealing capabilities, ESET Research has observed a variety of payloads being distributed via Danabot over the years. Furthermore, ESET has encountered instances of Danabot being used to download ransomware onto already compromised systems.

In addition to typical cybercrime, Danabot has also been used in less conventional activities such as utilizing compromised machines for launching DDoS attacks… for example, a DDoS attack against Ukraine’s Ministry of Defense soon after the Russian invasion of Ukraine.

Throughout its existence, according to ESET monitoring, Danabot has been a tool of choice for many cybercriminals, each of whom has used different means of distribution. Danabot’s developers even partnered with the authors of several malware cryptors and loaders, and offered their customers special pricing for a distribution bundle to help them with the process. Recently, out of all the distribution mechanisms ESET observed, the misuse of Google Ads to display seemingly relevant, but actually malicious, websites among the sponsored links in Google search results stands out as one of the most prominent methods to lure victims into downloading Danabot. The most popular ploy is packing the malware with legitimate software and offering such a package through bogus software sites or websites falsely promising to help users find unclaimed funds. The latest addition to these social engineering techniques is deceptive websites offering solutions for fabricated computer issues, whose only purpose is to lure victims into executing a malicious command that was secretly inserted into the user’s clipboard.

The typical toolset provided by Danabot’s authors to their affiliates includes an administration panel application, a backconnect tool for real-time control of bots, and a proxy server application that relays the communications between the bots and the actual C&C server. Affiliates can choose from various options to generate new Danabot builds, and it’s their responsibility to distribute these builds through their own campaigns.

For a technical overview of Danabot and insight into its operation, check out the ESET Research blogpost “Danabot: Analyzing a fallen empire” on WeLiveSecurity.com.