In H2 2025, #ESETresearch saw a thirtyfold increase in #CloudEyE detections, amounting to more than 100,000 hits over the course of six months. CloudEyE is a #MaaS downloader and cryptor used to conceal and deploy other malware, such as #Rescoms, #Formbook, and #Agent Tesla.
CloudEyE’s initial stage is a downloader that spreads via #PowerShell scripts, #JavaScript files, and #NSIS executables. These download the next stage – the cryptor component – with the final payload packed within. All of the CloudEyE stages are heavily obfuscated.
Most of the CloudEyE attack attempts we registered in H2 2025 targeted Poland (32%). These attacks were part of a wave of email campaigns in Central and Eastern Europe ESET observed in September and October 2025.
In order to appear legitimate, the emails deployed in the campaign were often sent from compromised legitimate accounts and localized to the language of the targeted country. They were usually inquiries about invoice payments, package tracking, and purchase orders.
For further information on CloudEyE, cryptors, and more, head on over to the latest #ESETThreatReport: https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-threat-report-h22025.pdf

#ESETResearch’s monitoring of #AceCryptor revealed a significant decrease in prevalence of the malware in H2 2024: we only observed around 3k unique samples as opposed to 13k in H1 2024. Overall hits went down by 68% compared to H1, and by 87% compared to H2 2023.

Similarly, the number of unique users targeted by AceCryptor campaigns decreased by 58% between H1 and H2 2024, and the decrease was even more pronounced when compared to H2 2023, amounting to 85%.

As for the malware families packed by the cryptor, we could yet again see the usual suspects such as #Rescoms, #Smokeloader, and #Stealc among the most delivered threats.

While much smaller in scale than in previous periods, we still detected two notable campaigns of the malware. First, on July 11, 2024, 500 victims in Germany 🇩🇪 were sent emails with malicious attachments disguised as financial documents inside a password protected archive.

Instead of the documents, the archive contained an AceCryptor executable packing the Raccoon Stealer successor #RecordBreaker, which then exfiltrated the victim information to a C&C server with the IP address of 45[.]153[.]231[.]163.

Then on September 23, 2024, more than 1,600 endpoints of small businesses in Czechia 🇨🇿 received emails whose attachments contained an AceCryptor binary packing the #XWorm RAT 🪱🐀. As a C&C, XWorm RAT used easynation[.]duckdns[.]org.

The list of 🔍 Indicators of Compromise (IoCs) can be found in our GitHub repository: https://github.com/eset/malware-ioc/tree/master/ace_cryptor
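The two C&C indicators in the post above are published defanged (45[.]153[.]231[.]163 and easynation[.]duckdns[.]org). The following script is an added example, not code from ESET or from the malware-ioc repository: it refangs such indicators and sweeps them over proxy and DNS log lines. The log lines are constructed for the example, and the log format is an assumption; only the two indicators come from the post.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Indicators quoted from the ESET post above, kept defanged as published.
DEFANGED_IOCS = [
    "45[.]153[.]231[.]163",        # RecordBreaker C&C (July 2024 campaign in Germany)
    "easynation[.]duckdns[.]org",  # XWorm RAT C&C (September 2024 campaign in Czechia)
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its plain form.

    Handles the usual conventions: '[.]', '(.)', '{.}', '[:]' and 'hxxp(s)://'.
    """
    s = ioc.strip()
    for bracketed_dot in ("[.]", "(.)", "{.}"):
        s = s.replace(bracketed_dot, ".")
    s = s.replace("[:]", ":")
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s


def build_matcher(iocs: Iterable[str]) -> "re.Pattern[str]":
    """Compile one case-insensitive regex matching any indicator as a whole token.

    The lookarounds stop '45.153.231.163' from firing inside '145.153.231.163',
    while still allowing a subdomain prefix such as 'cdn.easynation.duckdns.org'.
    """
    plain = [re.escape(refang(i)) for i in iocs]
    pattern = r"(?<![\w-])(?:" + "|".join(plain) + r")(?![\w-])"
    return re.compile(pattern, re.IGNORECASE)


def scan_lines(
    lines: Iterable[str], matcher: Optional["re.Pattern[str]"] = None
) -> List[Tuple[int, str, str]]:
    """Return (line_number, matched_indicator, line) for every line hitting an IoC."""
    matcher = matcher or build_matcher(DEFANGED_IOCS)
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, start=1):
        for m in matcher.finditer(line):
            hits.append((n, m.group(0).lower(), line.rstrip()))
    return hits


# Constructed sample log lines (not real telemetry): two proxy records, three DNS records.
# Line 2 carries a look-alike IP and line 5 a look-alike domain; neither should match.
SAMPLE_LOGS = [
    "2024-07-11T09:12:44Z proxy src=10.0.0.23 dst=45.153.231.163:80 method=POST uri=/ bytes=48213",
    "2024-07-11T09:13:01Z proxy src=10.0.0.23 dst=145.153.231.163:443 method=GET uri=/update",
    "2024-09-23T14:02:10Z dns client=10.0.1.9 query=easynation.duckdns.org type=A rcode=NOERROR",
    "2024-09-23T14:02:11Z dns client=10.0.1.9 query=cdn.easynation.duckdns.org type=A rcode=NOERROR",
    "2024-09-23T14:05:00Z dns client=10.0.1.10 query=easynation.example.org type=A rcode=NXDOMAIN",
]


if __name__ == "__main__":
    for line_no, indicator, text in scan_lines(SAMPLE_LOGS):
        print(f"line {line_no}: {indicator} <- {text}")
```

Dynamic DNS hostnames such as the duckdns[.]org one above resolve to whatever the operator points them at, so matching on the hostname in DNS logs is more durable than matching on the IP it resolved to on a given day; the IP indicator, conversely, is only useful for the window in which the C&C was live.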

Link preview: malware-ioc/ace_cryptor at master · eset/malware-ioc – Indicators of Compromises (IOC) of our various investigations (GitHub)
A new #malware loader is being used by threat actors to deliver a wide range of information stealers such as #Lumma Stealer (aka LummaC2), #Vidar, #RecordBreaker (aka #Raccoon Stealer V2), and #Rescoms.
#Cybersecurity firm ESET is tracking the trojan under the name Win/TrojanDownloader.Rugmi.
https://thehackernews.com/2023/12/new-rugmi-malware-loader-surges-with.html?&web_view=true
#security #trojans #rugmi
Link preview: New Rugmi Malware Loader Surges with Hundreds of Daily Detections – Threat actors are using a new malware loader to distribute various information stealers, including Lumma Stealer, Vidar, RecordBreaker, and Rescoms. (The Hacker News)