Mastodawn

#ESETresearch discovered a new #NGate malware variant that abuses the legitimate #HandyPay app, which has been patched with possibly AI-generated malicious code. The campaign is ongoing and targets Android users in Brazil. https://www.welivesecurity.com/en/eset-research/new-ngate-variant-hides-in-a-trojanized-nfc-payment-app/ @lukasstefanko
HandyPay is an Android app that enables relaying #NFC data from one device to another. Using the trojanized version, attackers can transfer victim’s payment card data to their own device and use it for unauthorized payments. The code can also capture payment card PINs.
Since HandyPay is significantly cheaper compared to paying for established #MaaS offerings with similar NFC relay functionality, the threat actors most probably decided on trojanizing the app as a cost-cutting measure.
We found two NGate samples being used in the campaign: one distributed via a website impersonating a 🇧🇷 lottery, the other via a fake Google Play page for a supposed card protection app. The trojanized HandyPay has never been available on the official Google Play store.
The code inside the maliciously patched HandyPay appears to have been developed with the assistance of #AI, as the logs contain emoji that are typical of AI-generated text, although definitive proof remains elusive.
IoCs are available in our GitHub repo: https://github.com/eset/malware-ioc/tree/master/ngate

ESET Research Apr 10

Cisco Talos recently published an analysis of an EDR killer used by the #Qilin #ransomware gang. #ESETresearch tracks this threat as #CardSpaceKiller and we recently provided additional insights in our blog https://www.welivesecurity.com/en/eset-research/edr-killers-explained-beyond-the-drivers/
While we didn’t obtain direct evidence, we strongly believe that CardSpaceKiller is offered as a product on the darknet for reasons covered in the blog. We’ve detected it used by #Akira, #Medusa, and #MedusaLocker affiliates too.
The packer (identified as VX Crypt by Sophos) is not unique to this killer; it’s a PaaS used with other malware like #BumbleBee. But it is the single choice for the killer’s developer; unprotected samples were used only in 2025-02 https://www.sophos.com/en-us/blog/inside-shanya-a-packer-as-a-service-fueling-modern-attacks/
Beyond msimg32.dll mentioned in the Talos‘ blog, VX Crypt also names the payloads rtworkq.dll and version.dll, all abusing DLL side-loading for evasion. We’ve also observed an EXE variant in the wild, named 0th3r_av5.exe https://blog.talosintelligence.com/qilin-edr-killer/
Additional IoCs: 127B50C8185986A52AE66BF6E7E67A6FD787C4FC (version.dll)

22640D48F2E2A56C7A0708356B2B6990676B58B3 (version.dll)

3030DF03F36EC4C96B36B2E328FE3D7D9082811A (0th3r_av5.exe)

52D0358FF84295D231BC180CEDFDAF96631D67B4 (rtworkq.dll)
5D3CF785A440133A899412B800742716287D0B06 (msimg32.dll)

A3BDB419703A70157F2B7BD1DC2E4C9227DD9FE8 (0th3r_av5.exe)

ESET Research Apr 8

#ESETresearch's Eric Howard will be presenting at Botconf. Join him in Reims, France to hear about “GopherWhisper, Uncovering an APT’s secrets through its own words” on Apr 15 at 17.15 CEST. For more information, check out https://www.botconf.eu/botconf-2026/#id_schedule
New China‑aligned APT GopherWhisper: first seen in 2025 deploying backdoor LaxGopher inside a Mongolian government institution. The group’s backdoors abuse legit services for C2 (Slack, Discord, Microsoft Graph). Hardcoded tokens let us peek into ops and post‑compromise activity.
We recovered 5K+ C2 messages (activity since 2023‑11), mapped tools (LaxGopher, RatGopher, BoxOfFriends, JabGopher, FriendDelivery, CompactGopher, SSLORDoor), and saw exfil via file.io, presentation will provide defender tips. Full research will be later released on WeLiveSecurity.com

ESET Research Apr 2

#ESETresearch has identified an Akira lookalike ransomware campaign targeting South America. The threat actor is using a Babukbased encryptor that appends the .akira extension and drops a ransom note that mimics Akira both in Tor URLs and the overall content.
The ransom note is almost identical to Akira’s with some parts omitted. The crucial difference is the planted Tor link that is not under Akira’s control. The ransom note is also named ___________akira_readme.txt (the leading underscores is another difference to real Akira).
The ransom note also references the official Akira leak sites (Dedicated Leak Sites - DLSs), but plants a custom Tor link for the ransom payment negotiation. The link is currently not working. Notably, Akira itself warns about potential copycats on their DLS.
Aside from the encryptor, the threat actor utilized Mimikatz and exfiltrated sensitive data using rclone. Copycat attempts like this one are rare, but not unheard of. Victims should never trust threat actors based solely on their claims.
IoCs: 9B484760D563B3768EAA93802AFD4EA9C3F92780 (win.exe)
https://akirad2pbdhjlczfbunj4jbbv7ox4ixdti3xq35mqxsl3yzjqhg3lmqd[.]onion

ESET Research Mar 27

#ESETresearch has identified a Silver Fox campaign that actively takes advantage of the current annual tax filing and organizational change season in Japan, a period when companies generate a high volume of legitimate financial and HRrelated communications. https://www.welivesecurity.com/en/business-security/cunning-predator-how-silver-fox-preys-japanese-firms-tax-season/
In this operation, Silver Fox sends tailored spearphishing emails crafted to look like one of such communication. To make the emails appear authentic, the attackers often include the name of the targeted company directly in the subject line.
The sender fields often impersonate employees at the targeted companies. This indicates Silver Fox performs reconnaissance before attacking. Using names that the targets are likely to recognize, makes it more difficult to distinguish the messages from real internal notifications.
The emails typically contain either a malicious attachment or a link leading to a malicious file. The files are named to resemble common HR, financial, or tax-related documents.
Opening the malicious files drops ValleyRAT, a remote access trojan that Silver Fox has used across multiple campaigns. Once deployed, it enables the actor to take remote control of the machine and harvest sensitive information. ESET products detect this malware as Win64/Valley.
Note that even though ESET observes the most activity in Japan, Silver Fox also currently operates in Taiwan, India, Indonesia, Australia, the United Kingdom, and Brazil. IoCs available in our GitHub repo: https://github.com/eset/malware-ioc/tree/master/silver_fox

ESET Research Mar 24

#ESETresearch detected a recent intrusion at a University of Warsaw consistent with #Interlock ransomware gang. Thanks to early warning from our experts and the university's swift cooperation, the attack was disrupted before encryptors could be deployed. https://www.eset.com/pl/about/newsroom/press-releases/news/to-analitycy-eset-zidentyfikowali-atak-na-uniwersytet-warszawski/
According to our investigation, the artifacts and infrastructure overlap with Interlock activity. We observed the use of #NodeSnake RAT and Interlock RAT, both of which are referenced in CISA’s #StopRansomware advisory. https://www.cisa.gov/sites/default/files/2025-07/aa25-203a-stopransomware-interlock-072225.pdf
The intrusion is a continuation of the threat actor’s campaign described in the April 2025 QorumCyber report, using an updated toolset. Our telemetry shows the actor targeted the education vertical in additional regions as well. https://www.quorumcyber.com/wp-content/uploads/2025/04/20250416-Higher-Education-Sector-RAT-MP.pdf
New in this campaign, we saw an updated, more-heavily-obfuscated NodeSnake RAT build. The updated version leverages WebSocket instead of the previously used HTTP. C&C infrastructure remains proxied mostly over Cloudflare’s *.trycloudflare[.]com infrastructure.
NodeSnake RAT was used to deliver its own updates and additional payloads including the legitimate tool AzCopy (for exfiltration), a PowerShell SystemBC proxy and a ConnectWise MSI installer (RMM).
Interlock RAT (adobe.log) is executed via a scheduled task Microsoft\Windows\Defrag\ScheduledDefrg, masquerading as a defragmentation task.
IoCs:
Interlock RAT
CEB69DFDD768AA08B86F1D5628BD3A38C1FE8C1F
Interlock RAT C&Cs:
172.86.68[.]64
23.227.203[.]123
77.42.75[.]119
NodeSnake C&Cs:
deserve-coordinated-fairy-tier.trycloudflare[.]com
survey-tennessee-blind-corners.trycloudflare[.]com
dvd-diagnostic-oakland-signals.trycloudflare[.]com
practitioners-ons-boom-utc.trycloudflare[.]com
donnellykilbakk[.]cc
PowerShell SystemBC C&C:
91.99.97[.]247
ConnectWise C&C:
partyglacierhip[.]top

ESET Research Mar 23

In cybersecurity, labels can distract from what really matters. At #RSAC2026, #ESETresearch’s Robert Lipovský will break down recent campaigns linked to state-sponsored actors and explore how hybrid threat tactics are evolving. The session focuses on practical defender takeaways - understanding behaviors, improving detection, and strengthening preparedness.

ESET Research Mar 20

#ESETresearch is hiring! Passionate about geopolitics, cyberespionage and cyber threat intelligence? We have a new opening for a strategic threat intelligence analyst at our Montréal office. Come join the team!
https://eset.wd3.myworkdayjobs.com/ESET_External/job/Montreal/Analyste-du-renseignement-stratgique-sur-les-menaces---Cyberespionnage---Strategic-Threat-Intelligence-Analyst---Cyberespionage_JR-05715

Analyste du renseignement stratégique sur les menaces – Cyberespionnage / Strategic Threat Intelligence Analyst – Cyberespionage

Résumé du poste / Summary English version follows ------------------------------------------------------------------------------------------------------------------------------- Nous sommes à la recherche d'un.e Analyste du renseignement stratégique sur les menaces axé sur le cyberespionnage pour rejoindre l'un des centres de R&D suivants: Bratislava, Montréal, Prague – tous faisant partie d’ESET Recherche. Description du poste / Job description ESET Recherche ESET Recherche est une équipe de chercheur.euse.s du monde entier qui analysent et ont l'intention de perturber les opérations de cyberespionnage et de cybercriminalité les plus complexes. Nous travaillons en collaboration avec d'autres équipes internes pour améliorer les produits d’ESET et créer des détections de logiciels malveillants résilientes. Notre objectif principal est de comprendre comment les groupes de menaces opèrent pour mieux protéger notre clientèle et perturber les activités malveillantes. Notre équipe produit des rapports privés à la disposition de la clientèle d'ESET Threat Intelligence (https://www.eset.com/ca-fr/entreprises/services/threat-intelligence/). Nous partageons également notre expertise publiquement sur le blogue d'ESET (https://www.welivesecurity.com/fr/a-propos-eset-recherche/) et lors de conférences techniques renommées dans le monde entier, notamment Black Hat, Botconf, CYBERWARCON, RSA et Virus Bulletin. En tant qu'Analyste du renseignement stratégique sur les menaces, vous collaborerez avec des chercheurs.euse.s en logiciels malveillants spécialisé.e.s dans la rétro-ingénierie et le suivi du réseau, enrichirez nos rapports de renseignements stratégiques et informerez nos clients des dernières tendances dans le paysage cyber. Ce rôle n'implique pas la chasse aux menaces ou la recherche technique sur les menaces. Rôle et responsabilités Analyser les tendances et les impacts des opérations de cyberespionnage et de cybersabotage, et évaluer ces opérations d'un point de vue géopolitique. Rédiger des rapports du renseignement stratégique sur les menaces en tirant parti des recherches techniques existantes effectuées par les équipes de recherche en logiciels malveillants d'ESET, de l’OSINT et de votre propre analyse. Enrichir les rapports techniques d’informations sur la motivation des attaquants, la victimologie et le contexte géopolitique plus large pour améliorer le travail de l’équipe de recherche sur les logiciels malveillants. Résumer les données du renseignement, par exemple afin de contribuer à notre rapport d’activité APT semestriel. Intéragir et répondre aux solicitations de la clientèle de nos services de renseignement sur les menaces. Donner des présentations lors de conférences publiques. Déplacements internationaux, jusqu'à 20 % Compétences techniques, connaissances et qualifications 5 ans d'expérience dans le renseignement stratégique sur les cybermenaces ou dans un domaine connexe (géopolitique, etc.). Connaissance approfondie de la géopolitique régionale, en particulier en Asie ou en Europe de l'Est. Connaissance des auteurs de cybermenaces (APT) et du monde du renseignement. Expertise dans l'analyse du renseignement sur les menaces, y compris l'attribution de cyberincidents. Familiarité avec des frameworks tels que MITRE ATT&CK, la Kill Chain ou le diamond model. Solides compétences en rédaction et en expression orale en anglais (la plupart des publications et des engagements d’allocutions se feront en anglais). Capacité de transmettre du contenu technique à des personnes non techniques. Esprit de synthèse et capaciter à résumer des analyses complexes sous la forme de rapports et briefings courts. Connaissance de l’écosystème médiatique et maîtrise de l’évaluation des sources. En retour, nous vous proposons Culture décontractée, amicale et ouverte sans code vestimentaire formel Environnement de travail diversifié et multiculturel Activités d'équipe engageantes et événements de l'entreprise (y compris les consolidations d'équipe et les 5 à 7) Options de modèle de travail hybride Occasions d'assister à divers formations, cours, conférences et rencontres Avantages supplémentaires, tant financiers que non financiers ------------------------------------------------------------------------------------------------------------------------------- We are looking for a Strategic Threat Intelligence Analyst focused on cyberespionage to join one of the following R&D centers: Bratislava, Montreal, Prague - all part of ESET Research. ESET Research ESET Research is a team of researchers all over the world who analyze, and intend to disrupt, the most complex cyberespionage and cybercrime operations. We work in collaboration with other internal teams to improve ESET products and create resilient malware detections. Our primary goal is to understand how threat groups operate to better protect our customers and disrupt malicious activities. Our team produces private reports available to ESET Threat Intelligence customers (https://www.eset.com/int/business/services/threat-intelligence/). We also share our expertise publicly on ESET’s blog (https://www.welivesecurity.com/en/about-eset-research/) and at renowned technical conferences worldwide, including Black Hat, Botconf, CYBERWARCON, RSA, and Virus Bulletin. As a strategic threat intelligence analyst, you will collaborate with malware researchers specializing in reverse-engineering and network tracking, enhance our reporting with strategic-level insights, and brief our customers on the latest trends in the cyber landscape. This role does not involve threat hunting or technical threat research. Duties and responsibilities Analyze cyberespionage/cyber sabotage operations trends and impacts and evaluate these operations from a geopolitical perspective. Write strategic threat intelligence reports by leveraging existing technical research done by ESET malware researchers, OSINT, and your own analysis. Enrich technical reports with information about attackers’ motivation, victimology, and the broader geopolitical context to enhance malware researchers’ work. Summarize intelligence data, for example, by contributing to our bi-annual “APT Activity Report”. Brief customers of our threat intelligence services. Deliver presentations at public conferences. International travel, up to 20% Key technical skills, knowledge and qualifications 5 years of experience in strategic cyber threat intelligence or related field (geopolitics, etc.). In-depth knowledge of regional geopolitics, especially in Asia or Eastern Europe. Familiarity with cyberespionage threat actors (APTs) and the intelligence landscape. Expertise in threat intelligence analysis, including cyber-incident attribution. Familiarity with frameworks such as MITRE ATT&CK, the Kill Chain or the diamond model. Strong English writing and speaking skills (most of the publications and speaking engagements will be delivered in English). Ability to convey technical content to non-technical people. Ability to synthesize information and distill complex analyses into concise reports and briefings. Knowledge of the media ecosystem and strong source‑evaluation skills. In return, we offer you Casual, friendly and open culture with no formal dress code Diverse and multicultural work environment Engaging team activities and company events (including team buildings and after work gatherings) Hybrid work model options Opportunities for attending diverse trainings, courses, conferences, and meetups Additional benefits and perks, both financial and non-financial #LI-MF1 #senior #LI-Hybrid Avantages du poste / Benefits Santé et bien-être Régime d'assurance privée collective Plan d'épargne retraite collectif Programme d'activité physique Supports à vélos intérieurs et programme de partage de vélos Bureau à domicile Jours de congé supplémentaires Horaires de travail flexibles Bureau Rafraîchissements au bureau (fruits, snacks, boissons et café) Petit-déjeuner 5 à 7 / Réunions après le travail Activités de renforcement de l'esprit d'équipe Salon commun (« Living room ») avec PlayStation, ping-pong et baby-foot Activités de Noël Autres Apprentissage LinkedIn/ Udemi Programme de fidélisation (jours de vacances supplémentaires, bonus financier, gâteaux) Recommandation d'un ami Licence ESET gratuite pour les amis et la famille Cadeaux de Noël ________________ Health & well-being Group private insurance plan Group retirement savings plan Physical activity program Interior bike racks and bike sharing program Home office Extra days off Flexible work hours Office Refreshments in office (fruit, snacks, drinks & coffee) Breakfast 5 à 7 / Afterwork get togethers Teambuilding activities Common lounge ("Living room") with PlayStation, ping-pong and foosball tables Christmas activities Other LinkedIn Learning/ Udemi Loyalty program (extra vacation days, financial bonus, cake/cupcakes) Friend referral Christmas gifts Emplacement principal / Primary location Montreal Autres lieux d'implantation / Additional locations Type d'heure / Time type Full time Join ESET Talent Community and we will contact you. This is an option for candidates who haven't found any interesting job opening and would like to send us their CV. ESET® provides cutting-edge digital security to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of known and emerging cyberthreats — securing businesses, critical infrastructure, and individuals. Whether it’s endpoint, cloud or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. Driven by science, ESET technology includes robust detection and response, ultra-secure encryption, and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. An ever-evolving digital landscape demands a progressive, evidence-based approach to security. ESET is committed to world-class scientific research and powerful threat intelligence, backed by R&D centers and a strong global partner network. ESET's purpose is not only to provides cutting-edge digital security, but also to actively contribute to a more innovative and responsible society in terms of education, science and research. At ESET, diversity, equity, and inclusion (DEI) are integral to our corporate culture. We believe in creating a respectful environment, where everyone feels valued and respected, welcoming applications from individuals of all backgrounds, including race, gender, age, religion, disability, and sexual orientation. Learn more about ESET.

ESET Research Mar 19

#ESETresearch analyzed more than 80 EDR killers, seen across real-world intrusions, and used ESET telemetry to document how these tools operate, who uses them, and how they evolve beyond simple driver abuse. https://www.welivesecurity.com/en/eset-research/edr-killers-explained-beyond-the-drivers/
By following attacker workflows, we identified how affiliates reuse the same vulnerable drivers across unrelated codebases and how individual EDR killers switch drivers over time, demonstrating that driver-centric attribution is unreliable.
We emphasize that in RaaS gangs, it is the affiliates, not the operators, who select and deploy the EDR killers, complicating defense strategies, but also revealing otherwise hidden affiliations.
Our research highlights a significant rise in commercialized tooling, including packer-as-a-service ecosystems and hardened EDR killers that incorporate encrypted drivers, obfuscation, and external payload staging.
Based on these findings and the difficulties of driver blocking, we emphasize a prevention-first approach to defense that focuses on stopping the user-mode component of the EDR killer before any vulnerable driver is loaded, rather than relying solely on kernel-level blocking.
IoCs are available in our GitHub repo: https://github.com/eset/malware-ioc/tree/master/edr_killers

EDR killers explained: Beyond the drivers

ESET researchers dive deeper into the EDR killer ecosystem, disclosing how attackers abuse vulnerable drivers.

ESET Research Mar 10

#ESETresearch has analyzed the resurgence of Sednit – one of the most long‑running Russia‑aligned APT groups – now using a modern toolkit built around paired implants, BeardShell and Covenant, each using a different cloud provider for resilience. https://www.welivesecurity.com/en/eset-research/sednit-reloaded-back-trenches/
ESET researchers tied Sednit’s advanced implant team reboot to a 2024 case in Ukraine, where SlimAgent emerged – a keylogger built on the codebase of the infamous Xagent, Sednit’s flagship 2010-era backdoor.
Sednit also deployed BeardShell, an implant that executes PowerShell commands via a legitimate cloud service and uses a distinctive obfuscation technique also found in Xtunnel, Sednit’s network pivoting tool from the 2010s.
Across 2025–2026, Sednit paired BeardShell with Covenant, the final block of its modern toolkit – a heavily reworked open-source implant built for long‑term espionage with a new protocol riding on another legitimate cloud provider.
Detailed analysis of Sednit’s modern toolkits is available at https://www.welivesecurity.com/en/eset-research/sednit-reloaded-back-trenches/