#ESETresearch analyzed 2025 activity of the 🇨🇳-aligned Webworm APT group, focusing on its evolving toolset and techniques. https://www.welivesecurity.com/en/eset-research/webworm-new-burrowing-techniques/
Webworm’s latest campaigns mark a shift in its targeting away from Asia toward Europe and Africa. In 2025, it attacked governmental entities in 🇧🇪 Belgium, 🇮🇹 Italy, 🇷🇸 Serbia, 🇪🇸 Spain and 🇵🇱 Poland, as well as a university in 🇿🇦 South Africa.
The group seems to have stopped deploying the Trochilus and McRat backdoors; instead, it introduced new, custom-made backdoors: EchoCreep, which uses Discord for C&C communication, and GraphWorm, which uses Microsoft Graph API for the same purpose.
On an operator server, we discovered a directory listing with open-source utilities used to scrape victim web server files and directories, and to search for vulnerabilities within. One directory contained reconnaissance commands used against more than 50 unique targets.
While going over EchoCreep’s Discord messages, we uncovered a GitHub repository that was a direct fork of the legitimate WordPress repository. Webworm uses it as a file stager for its tools and malware.
The group also continues to employ various proxy utilities. In 2025, it added four custom-made ones to its arsenal: WormFrp, ChainWorm, SmuxProxy, and WormSocket.
We presented these findings at #ESETWorld2026 in a talk titled: China-aligned Webworm targets EU countries, abuses Discord and government-hosted public apps.
IoCs available in our GitHub repo: https://github.com/eset/malware-ioc/tree/master/webworm

#ESETresearch uncovered a new compromise that we attribute to #FrostyNeighbor, using links in malicious PDFs sent via spearphishing attachments to target governmental organizations in Ukraine. @dmnsch https://www.welivesecurity.com/en/eset-research/frostyneighbor-fresh-mischief-digital-shenanigans/
The compromise chain is the newest observed to date, and starts with a blurry lure PDF file that contains a malicious link to download a document hosted on a delivery server. If the request does not come from an expected victim, the server delivers a benign PDF file.
If the victim request comes from an expected location, the server instead delivers a malicious RAR archive, containing the first stage and displays an unblurred version of the PDF file as a decoy, while executing the next stage silently.
The victim’s computer-related information is collected, and its fingerprint is sent to the C&C server. The response contains a Cobalt Strike beacon as initial implant only if the victim is of interest.
Detailed analysis is available at https://www.welivesecurity.com/en/eset-research/frostyneighbor-fresh-mischief-digital-shenanigans/. IoCs available in our GitHub repo: https://github.com/eset/malware-ioc/tree/master/frostyneighbor

#ESETresearch has uncovered CallPhantom scam apps, previously available on Google Play, that claim to provide call history data for any phone number, in exchange for payment. That’s impossible – and the data is entirely fabricated. @lukasstefanko https://www.welivesecurity.com/en/eset-research/fake-call-logs-real-payments-how-callphantom-tricks-android-users/
We identified 28 CallPhantom apps on Google Play, collectively downloaded 7.3+ million times before we reported them to Google. After victims had paid, the apps generated random phone numbers and matched them with hardcoded names, call times, and durations.
The CallPhantom apps we analyzed mainly targeted Android users in 🇮🇳 India and the broader Asia-Pacific region – many came with India’s +91 country code preselected and support UPI, a payment system used primarily in India.
While some apps requested payment in the form of Google Play subscriptions, others redirected users to third party payment apps or requested card details directly in the app – complicating refund efforts and exposing victims to financial risk.
IoCs are available in our GitHub repo: https://github.com/eset/malware-ioc/tree/master/callphantom
Read the full analysis on WeLiveSecurity: https://www.welivesecurity.com/en/eset-research/fake-call-logs-real-payments-how-callphantom-tricks-android-users/

Approximately a month ago, F5 published advisory on malware deployed to BIG-IP systems vulnerable to CVE-2025-53521. #ESETresearch discovered two related malware components on VirusTotal and named the threat #PoisonedRefresh.
https://my.f5.com/manage/s/article/K000160486
First, umount infects /usr/sbin/httpd by prepending a malicious ELF binary to the legitimate binary, as long as the first command-line argument is /mnt/tm_install/<dir>. The sample is expected to be run as root and will disable SELinux.
Interestingly, for /mnt/tm_install/usr, the sample also infects umount, httpd, and rc.local files located within the tm_install directory. This is presumably done to infect the installation media, allowing the malware to persist and spread to other BIG-IP systems.
Although attribution is still undecided, the initial access vector and deployed malware suggest a sophisticated threat actor. Note that benign functionality is preserved. Therefore, follow F5's security advisory to identify potential compromise.
IoC:
🚨PoisonedRefresh
E5066C2490197FFBE0E916BC232114A61CB09A16
7A2FC3510B502D8FDC2548F907AF08308840851C
E2D6C74E815A07F555CD678F7AD0EFEDEAE98ECD

#BREAKING #ESETresearch uncovered an active NGate Android malware campaign targeting Spanish speaking users, combining fake app distribution, NFC relay abuse, PIN harvesting, and a shared Devil NFC MaaS backend. The operation is tied to the Devil NFC infrastructure used in 🇪🇸 Spain since January 2026
Distribution: We identified a domain distributing NGate malware targeting Spanish speaking users, with sample uploaded to VirusTotal.
The malware is disguised as a NFC Security app called “Seguridad NFC – Bloqueador de Cargos” and delivered through a fake Google Play website:
https://piaystore.it[.]com
Domain was registered on 2026 04 18, resolving to 65.109.108[.]183
Shared infrastructure & MaaS:
The same IP (65.109.108[.]183) also hosts:
https://devilxclusive[.]lol
This domain exposes an admin panel branded “Devil NFC”, which appears to provide NGate as NFC MaaS, linking distribution and backend operations.
NGate functionality:
The app can exfiltrate SMS messages and load a phishing screen from its hardcoded C&C server, mimicking generic account lock warning and instructing victims to hold their payment card against the back of the smartphone and then enter the card’s PIN.
Both NFC data and PINs are exfiltrated to the C&C server.
Bank‑branded NFC phishing:
NGate supports custom bank‑branded NFC phishing templates, embedded at build time by the operator.
In this campaign, we observed templates impersonating Santander Bank, shifting from generic warnings to targeted bank abuse.
NFC relay:
The NFC relay server – to transfer NFC data - is dynamically returned via C&C and decrypted as 65.109.108[.]183:5568 — the same IP used for hosting and distribution.
Session & victim tracking:
NGate requests a session ID from C&C, receiving an incrementing value representing number of connections (e.g., "conexion_id": 854).
This appears to track successful C&C connections, not completed fraud.
Separately, when a victim submits their card PIN, the server returns another incrementing ID — 40 at analysis time — representing confirmed cases where victims tapped a card and entered their PIN.
Historical connection
We have identified that this activity targeteing Spanish speaking users directly connects to earlier Devil NFC MaaS campaigns impersonating:
• Jan 2026: Shein app
• Feb 2026: CaixaBank and Santander Protect, and Seguridad Integral
• Mar 2026: Unicaja Key distributed via SMS links and Dispositivo Seguro
• Apr 2026: Unicaja Protect, Seguridad NFC
Unicaja publicly warned customers about this campaign https://x.com/UnicajaBanco/status/2033877029234377163
Victimology:
We detected Caixabank Protect, Seguridad Integral, and Unicaja Key malicious apps in Feb and Mar 2026 on Android devices in Spain
IoCs:
IoCs are available in our GitHub repo: https://github.com/eset/malware-ioc/tree/master/ngate

#ESETresearch discovered #GopherWhisper, a new China-aligned APT group that targeted a governmental entity in Mongolia. https://www.welivesecurity.com/en/eset-research/gopherwhisper-burrow-full-malware/
The group wields a wide array of tools mostly written in Go, using injectors and loaders to deploy and execute various backdoors in its arsenal.
Of the seven tools we discovered, four are backdoors – LaxGopher, RatGopher, and BoxOfFriends are written in Go, and SSLORDoor in C++. The rest comprise the injector JabGopher, the Go-based exfiltration tool CompactGopher, and the loader FriendDelivery.
GopherWhisper abuses legitimate services, notably #Discord, #Outlook, #Slack, and file.io for C&C communication and exfiltration. We managed to extract thousands of Slack and Discord C&C messages, gaining insight into the inner workings of the group.
Timestamp inspection of the messages showed that the bulk were sent during working hours in the UTC+8 time zone, which aligns with China. We also discovered that the group’s Slack and Discord servers were being used as C&Cs for LaxGopher and RatGopher.
We presented these findings on April 15th, at the #Botconf2026 conference in a talk titled Meet GopherWhisper: Uncovering an APT’s secrets through its own words.
Our detailed analysis of GopherWhisper’s toolset and C&C traffic is also available in our latest white paper: https://web-assets.esetstatic.com/wls/en/papers/white-papers/gopherwhisper-burrow-full-malware.pdf IoCs can be found there, as well as in our GitHub repo: https://github.com/eset/malware-ioc/tree/master/gopherwhisper

#ESETresearch discovered a new #NGate malware variant that abuses the legitimate #HandyPay app, which has been patched with possibly AI-generated malicious code. The campaign is ongoing and targets Android users in Brazil. https://www.welivesecurity.com/en/eset-research/new-ngate-variant-hides-in-a-trojanized-nfc-payment-app/ @lukasstefanko
HandyPay is an Android app that enables relaying #NFC data from one device to another. Using the trojanized version, attackers can transfer victim’s payment card data to their own device and use it for unauthorized payments. The code can also capture payment card PINs.
Since HandyPay is significantly cheaper compared to paying for established #MaaS offerings with similar NFC relay functionality, the threat actors most probably decided on trojanizing the app as a cost-cutting measure.
We found two NGate samples being used in the campaign: one distributed via a website impersonating a 🇧🇷 lottery, the other via a fake Google Play page for a supposed card protection app. The trojanized HandyPay has never been available on the official Google Play store.
The code inside the maliciously patched HandyPay appears to have been developed with the assistance of #AI, as the logs contain emoji that are typical of AI-generated text, although definitive proof remains elusive.
IoCs are available in our GitHub repo: https://github.com/eset/malware-ioc/tree/master/ngate

#ESETresearch's Eric Howard will be presenting at Botconf. Join him in Reims, France to hear about “GopherWhisper, Uncovering an APT’s secrets through its own words” on Apr 15 at 17.15 CEST. For more information, check out https://www.botconf.eu/botconf-2026/#id_schedule
New China‑aligned APT GopherWhisper: first seen in 2025 deploying backdoor LaxGopher inside a Mongolian government institution. The group’s backdoors abuse legit services for C2 (Slack, Discord, Microsoft Graph). Hardcoded tokens let us peek into ops and post‑compromise activity.
We recovered 5K+ C2 messages (activity since 2023‑11), mapped tools (LaxGopher, RatGopher, BoxOfFriends, JabGopher, FriendDelivery, CompactGopher, SSLORDoor), and saw exfil via file.io, presentation will provide defender tips. Full research will be later released on WeLiveSecurity.com