ESET Research

Security research and breaking news straight from ESET Research Labs.
WWW 🔗https://www.welivesecurity.com
Bluesky 🦋https://bsky.app/profile/esetresearch.bsky.social
Twitter 𝕏https://twitter.com/esetresearch
#ESETresearch has identified an Akira lookalike ransomware campaign targeting South America. The threat actor is using a Babuk-based encryptor that appends the .akira extension and drops a ransom note that mimics Akira both in Tor URLs and the overall content.
The ransom note is almost identical to Akira’s with some parts omitted. The crucial difference is the planted Tor link that is not under Akira’s control. The ransom note is also named ___________akira_readme.txt (the leading underscores are another difference from real Akira).
The ransom note also references the official Akira leak sites (Dedicated Leak Sites - DLSs), but plants a custom Tor link for the ransom payment negotiation. The link is currently not working. Notably, Akira itself warns about potential copycats on their DLS.
Aside from the encryptor, the threat actor utilized Mimikatz and exfiltrated sensitive data using rclone. Copycat attempts like this one are rare, but not unheard of. Victims should never trust threat actors based solely on their claims.
IoCs: 9B484760D563B3768EAA93802AFD4EA9C3F92780 (win.exe)
https://akirad2pbdhjlczfbunj4jbbv7ox4ixdti3xq35mqxsl3yzjqhg3lmqd[.]onion
#ESETresearch has identified a Silver Fox campaign that actively takes advantage of the current annual tax filing and organizational change season in Japan, a period when companies generate a high volume of legitimate financial and HR-related communications. https://www.welivesecurity.com/en/business-security/cunning-predator-how-silver-fox-preys-japanese-firms-tax-season/
In this operation, Silver Fox sends tailored spearphishing emails crafted to look like one of these communications. To make the emails appear authentic, the attackers often include the name of the targeted company directly in the subject line.
The sender fields often impersonate employees at the targeted companies. This indicates Silver Fox performs reconnaissance before attacking. Using names that the targets are likely to recognize makes it more difficult to distinguish the messages from real internal notifications.
The emails typically contain either a malicious attachment or a link leading to a malicious file. The files are named to resemble common HR, financial, or tax-related documents.
Opening the malicious files drops ValleyRAT, a remote access trojan that Silver Fox has used across multiple campaigns. Once deployed, it enables the actor to take remote control of the machine and harvest sensitive information. ESET products detect this malware as Win64/Valley.
Note that even though ESET observes the most activity in Japan, Silver Fox also currently operates in Taiwan, India, Indonesia, Australia, the United Kingdom, and Brazil. IoCs available in our GitHub repo: https://github.com/eset/malware-ioc/tree/master/silver_fox
#ESETresearch detected a recent intrusion at the University of Warsaw consistent with the #Interlock ransomware gang. Thanks to early warning from our experts and the university's swift cooperation, the attack was disrupted before encryptors could be deployed. https://www.eset.com/pl/about/newsroom/press-releases/news/to-analitycy-eset-zidentyfikowali-atak-na-uniwersytet-warszawski/
According to our investigation, the artifacts and infrastructure overlap with Interlock activity. We observed the use of #NodeSnake RAT and Interlock RAT, both of which are referenced in CISA’s #StopRansomware advisory. https://www.cisa.gov/sites/default/files/2025-07/aa25-203a-stopransomware-interlock-072225.pdf
The intrusion is a continuation of the threat actor’s campaign described in the April 2025 Quorum Cyber report, using an updated toolset. Our telemetry shows the actor targeted the education vertical in additional regions as well. https://www.quorumcyber.com/wp-content/uploads/2025/04/20250416-Higher-Education-Sector-RAT-MP.pdf
New in this campaign, we saw an updated, more heavily obfuscated NodeSnake RAT build. The updated version leverages WebSocket instead of the previously used HTTP. C&C infrastructure remains proxied mostly over Cloudflare’s *.trycloudflare[.]com infrastructure.
NodeSnake RAT was used to deliver its own updates and additional payloads including the legitimate tool AzCopy (for exfiltration), a PowerShell SystemBC proxy and a ConnectWise MSI installer (RMM).
Interlock RAT (adobe.log) is executed via a scheduled task Microsoft\Windows\Defrag\ScheduledDefrg, masquerading as a defragmentation task.
IoCs:
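As an added defender-side illustration (not code from the ESET post), the following Python check audits exported Task Scheduler XML definitions and flags any task placed in the \Microsoft\Windows\Defrag\ folder whose name or launched binary does not match the built-in ScheduledDefrag task, which is the masquerade described above. The XML samples, the runner.exe path and the adobe.log argument are constructed for the example.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Task Scheduler XML namespace used by schtasks /query /xml exports.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Built-in Windows task in the Defrag folder and the binary it is expected to launch.
LEGIT_DEFRAG_TASK = r"\Microsoft\Windows\Defrag\ScheduledDefrag"
LEGIT_DEFRAG_BINARY = "defrag.exe"


def audit_defrag_task(task_path: str, task_xml: str) -> list[str]:
    """Return findings for one task; an empty list means nothing suspicious.

    task_path is the task's folder path as shown by schtasks /query,
    e.g. \\Microsoft\\Windows\\Defrag\\ScheduledDefrag.
    """
    findings = []
    legit_folder = str(PureWindowsPath(LEGIT_DEFRAG_TASK).parent).lower()
    if str(PureWindowsPath(task_path).parent).lower() != legit_folder:
        return findings  # only tasks living in the Defrag folder are in scope
    if task_path.lower() != LEGIT_DEFRAG_TASK.lower():
        findings.append(f"lookalike task name in Defrag folder: {task_path}")
    root = ET.fromstring(task_xml)
    for action in root.findall(".//t:Actions/t:Exec", NS):
        command = action.findtext("t:Command", default="", namespaces=NS).strip()
        arguments = action.findtext("t:Arguments", default="", namespaces=NS).strip()
        binary = PureWindowsPath(command.strip('"')).name.lower()
        if binary != LEGIT_DEFRAG_BINARY:
            findings.append(f"Defrag task launches {command!r} instead of {LEGIT_DEFRAG_BINARY}")
        # Heuristic: a payload hidden behind a non-executable extension (adobe.log in the post).
        if binary.endswith(".log") or ".log" in arguments.lower():
            findings.append(f"action references a .log file: {command} {arguments}")
    return findings


# Constructed sample resembling the legitimate built-in task.
LEGIT_XML = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>%windir%\\system32\\defrag.exe</Command><Arguments>-c -h -o -$</Arguments></Exec>
  </Actions>
</Task>"""

# Constructed sample modelled on the post: lookalike name, payload passed as a .log file.
# runner.exe is a hypothetical loader path, not an indicator from the post.
SUSPECT_XML = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\Public\\runner.exe</Command><Arguments>C:\\Users\\Public\\adobe.log</Arguments></Exec>
  </Actions>
</Task>"""
```

Feed it the task path and the output of `schtasks /query /tn <path> /xml` for each task under the Defrag folder; the legitimate task yields no findings, the lookalike yields three.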
In cybersecurity, labels can distract from what really matters. At #RSAC2026, #ESETresearch’s Robert Lipovský will break down recent campaigns linked to state-sponsored actors and explore how hybrid threat tactics are evolving. The session focuses on practical defender takeaways: understanding behaviors, improving detection, and strengthening preparedness.
#ESETresearch has analyzed the resurgence of Sednit – one of the most long‑running Russia‑aligned APT groups – now using a modern toolkit built around paired implants, BeardShell and Covenant, each using a different cloud provider for resilience. https://www.welivesecurity.com/en/eset-research/sednit-reloaded-back-trenches/
ESET researchers tied Sednit’s advanced implant team reboot to a 2024 case in Ukraine, where SlimAgent emerged – a keylogger built on the codebase of the infamous Xagent, Sednit’s flagship 2010-era backdoor.
Sednit also deployed BeardShell, an implant that executes PowerShell commands via a legitimate cloud service and uses a distinctive obfuscation technique also found in Xtunnel, Sednit’s network pivoting tool from the 2010s.
Across 2025–2026, Sednit paired BeardShell with Covenant, the final block of its modern toolkit – a heavily reworked open-source implant built for long‑term espionage with a new protocol riding on another legitimate cloud provider.
Detailed analysis of Sednit’s modern toolkits is available at https://www.welivesecurity.com/en/eset-research/sednit-reloaded-back-trenches/
#BREAKING #ESETresearch has discovered the first known Android malware to use generative AI in its execution flow; we have named it #PromptSpy. The malware abuses Google’s #Gemini to achieve persistence on the compromised device. https://www.welivesecurity.com/en/eset-research/promptspy-ushers-in-era-android-threats-using-genai/
Gemini is used to analyze the current screen and provide PromptSpy with step-by-step instructions to ensure that the malicious app remains pinned in the recent apps list, preventing it from being easily swiped away or killed by the system.
Since Android malware often relies on hardcoded UI navigation, employing generative AI enables the threat actors to adapt to more or less any device, layout, or OS version, which can greatly increase the number of potential victims.
PromptSpy abuses Accessibility Services to deploy a #VNC module on victim devices, so attackers can see the screen and perform actions remotely, as well as block the victim from manually uninstalling the malicious app (which uses invisible overlays, here marked in red).
The analyzed samples are available on VirusTotal and seem to be used in a real campaign targeting users in 🇦🇷, though we can’t rule out them being a part of a proof-of-concept. At the same time, the analyzed malware samples point toward PromptSpy being developed in a Chinese-speaking environment.
IoCs available in our GitHub repo: https://github.com/eset/malware-ioc
#BREAKING #ESETresearch provides technical details on #DynoWiper, a data‑wiping malware used in a data‑destruction incident on December 29, 2025, affecting a company in Poland’s energy sector.
https://www.welivesecurity.com/en/eset-research/dynowiper-update-technical-analysis-attribution/
@CERT_Polska_en did an excellent job investigating the incident and published a detailed analysis in a report:
https://cert.pl/en/posts/2026/01/incident-report-energy-sector-2025/
#ESETresearch attributes the attack to the 🇷🇺 Russia‑aligned #Sandworm APT group with medium confidence, based on strong overlaps in behavior and TTPs with multiple earlier Sandworm attacks. Specifically, DynoWiper operates in a broadly similar fashion to the ZOV wiper, which we attribute to Sandworm with high confidence.
IoCs available in our GitHub repo: https://github.com/eset/malware-ioc/tree/master/dynowiper
#ESETresearch has uncovered a new #Android spyware campaign using novel romance scam tactics to target individuals in 🇵🇰 Pakistan, with an added social engineering element previously unseen in similar schemes. https://www.welivesecurity.com/en/eset-research/love-actually-fake-dating-app-used-lure-targeted-spyware-campaign-pakistan/
The spyware used in the campaign, which we named #GhostChat, uses the icon of a legitimate chat app. After installation from unknown sources, login credentials and unlock codes are required to access the app and individual chat profiles, respectively.
The credentials and codes are not processed by any server and are hardcoded in the app, implying that they are probably distributed along with the app by the threat actor.
This impression of personalization and exclusive access is rarely seen in mobile threat campaigns and suggests a highly targeted social engineering effort. Under its façade lies the true purpose of the app: data exfiltration.
Upon installation, GhostChat immediately requests permissions and begins exfiltrating data – even before login. It continuously monitors new images, scans for documents every five minutes, and exfiltrates sensitive information from the device.
The GhostChat campaign is part of a broader, multiplatform spy operation. In related activity, victims are lured into scanning QR codes on websites impersonating Pakistan’s Ministry of Defence, thereby giving the threat actors access to private #WhatsApp communications.
The same domain (buildthenations[.]info), also used to impersonate the Ministry of Defence website, mimics Pakistan’s Emergency Response Team and delivers a payload via #ClickFix, targeting desktop devices.
The operation blends mobile spyware, social engineering, and desktop exploitation, targeting users in 🇵🇰 Pakistan. Despite its specific targeting, there are insufficient similarities in TTPs to attribute this campaign to any known threat actor at this point.
IoCs available in our GitHub repo: https://github.com/eset/malware-ioc/tree/master/ghostchat
Read the full analysis on WeLiveSecurity: https://www.welivesecurity.com/en/eset-research/love-actually-fake-dating-app-used-lure-targeted-spyware-campaign-pakistan/
#ESETresearch’s @LukasStefanko will speak at Ransomware Resilience 2026 on Monday, Jan 19 in Kuala Lumpur at 4pm local time!
Discover how Android NFC threats evolved to enable unauthorized ATM withdrawals. Learn about NGate - the first Android malware to execute an NFC relay attack for remote ATM cash-outs. #RR2026
According to ESET telemetry, threat actors keep finding new ways to exploit #NFC technology: detections surged by 78% compared to H1 2025; however, overall numbers remain low.
#NGate has demonstrated its relevance and is now enhanced with contact-stealing functionality. ESET researchers believe that this feature is designed to lay the groundwork for future attacks.
An NGate-based malware adapted for Brazil, #PhantomCard, targets banking clients via fake #Android apps that claim to improve security and privacy, distributed on pages featuring fabricated positive reviews.
And #RatOn combines RAT-like features with relay functionality, showcasing the determination of threat actors to evolve the methods of compromise. It’s distributed via fraudulent ads and apps, with the language targeting Czech and Slovak users.
Attackers remain faithful to tried-and-tested methods like #phishing calls and messages, while increasingly relying on psychological manipulation and #social engineering rather than exploiting just the technological aspect of NFC.
Read more about the evolution of the NFC threat landscape in the latest #ESETThreatReport https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-threat-report-h22025.pdf