#ClickFix went from virtually non-existent to the second most common attack vector blocked by #ESET, surpassed only by #phishing. This novel social engineering technique accounted for nearly 8% of all detections in H1 2025. #ESETresearch
ClickFix lures users by displaying bogus error messages followed by quick fix instructions, including copy-pasting malicious code. Running the code in the victim’s command line interpreter delivers malware such as #RATs, infostealers, and cryptominers.
Between H2 2024 and H1 2025, ESET’s detection for ClickFix, HTML/FakeCaptcha, skyrocketed by 517%. Most detections in ESET telemetry were reported from Japan (23%), Peru (6%), and Poland, Spain, and Slovakia (>5% each).
What makes #ClickFix so effective? The fake error message looks convincing; instructions are simple, yet the copied command is too technical for most users to understand. Pasting it into cmd leads to compromise with final payloads, including #DarkGate or #LummaStealer.
While #ClickFix was introduced by cybercriminals, it’s since been adopted by APT groups: Kimsuky, Lazarus; Callisto, Sednit; MuddyWater; APT36. NK-aligned actors used it to target developers, steal crypto and passwords from Metamask and #macOS Keychain.
#ClickFix uses psychological manipulation by presenting fake issues and offering quick solutions, which makes it dangerously efficient. It appears in many forms – error popups, email attachments, fake reCAPTCHAs – highlighting the need for greater vigilance online.
Read more in the #ESETThreatReport:
🔗 https://welivesecurity.com/en/eset-research/eset-threat-report-h1-2025

#ESETresearch has mapped the labyrinth of #AsyncRAT forks, identifying the most prevalent versions of this open-source malware. While some variants are mere curiosities, others pose a more tenacious threat. https://www.welivesecurity.com/en/eset-research/unmasking-asyncrat-navigating-labyrinth-forks/
AsyncRAT comes with the typical RAT functionalities, including keylogging, screen capturing, and credential theft. Other threat actors have developed a multitude of variants based on its source code.
Our analysis revealed the most widely used and deployed forks of AsyncRAT, with the most prevalent among them being #DcRat.
Although DcRat holds a smaller share compared to AsyncRAT, it offers notable improvements. These include advanced evasion techniques, and the use of an open-source library for more efficient binary data serialization.
AsyncRAT forks often include prank-style plugins, such as for opening and closing the CD tray and turning off the monitor. Spoof versions dubbed SantaRAT and BoratRAT have also emerged – mostly intended as jokes.
AsyncRAT and its variants demonstrate how quickly and creatively threat actors can adapt open-source code – especially with the assistance of #LLMs. This underscores the importance of proactive detection and effective analysis of emerging threats.
IoCs available on our GitHub: https://github.com/eset/malware-ioc/tree/master/

In May 2025, #ESET participated in operations that largely disrupted the infrastructure of two notorious infostealers: #LummaStealer and #Danabot.
As part of the Lumma Stealer disruption effort, carried out in conjunction with Microsoft, BitSight, Lumen, Cloudflare, CleanDNS, and GMO Registry, ESET supplied technical analysis and statistical information.
Danabot was targeted by the #FBI and #DCIS, alongside #OperationEndgame led by #Europol and #Eurojust. ESET participated together with several other companies. We provided the analysis of the malware’s backend infrastructure and identified its C&C servers.
Before these takedowns, both infostealers were on the rise: in H1 2025, Lumma Stealer detections grew by 21%, while Danabot’s numbers increased by more than 50%.
For a time, Lumma Stealer was the primary payload of HTML/FakeCaptcha trojan, used in the #ClickFix social engineering attacks that we also cover in this issue of the #ESETThreatReport. In recent months, we have seen Danabot being delivered via ClickFix as well.
For more details on these two operations and on the ClickFix attacks, read the latest #ESETThreatReport: https://welivesecurity.com/en/eset-research/eset-threat-report-h1-2025

After years of dominance in #ESET’s top #infostealer statistics, the era of #AgentTesla has come to an end. It finished H1 2025 in fourth place, its numbers having decreased by 57%. The reason? It is no longer under active development.
The threat actors behind Agent Tesla have reportedly lost access to the servers with the malware’s source code. A successor appeared almost immediately – another #MaaS threat, known as #SnakeStealer or #SnakeKeylogger, has claimed the number one spot.
Recommended as a suitable replacement directly in Agent Tesla’s Telegram channel, SnakeStealer now takes up almost a fifth of all infostealer detections registered by ESET telemetry. Between H2 2024 and H1 2025, its detections more than doubled.
If you want to find out more information about this changing of the guard in the infostealer threat landscape, head on over to #ESETThreatReport: https://welivesecurity.com/en/eset-research/eset-threat-report-h1-2025

#ESETresearch has conducted a comprehensive technical analysis of new malicious tools and significant updates observed in 2024 in the arsenal of the Russia-aligned #Gamaredon #APTgroup targeting Ukraine🇺🇦. https://www.welivesecurity.com/en/eset-research/gamaredon-2024-cranking-out-spearphishing-campaigns-ukraine-evolved-toolset/
In 2024, #Gamaredon returned to exclusively targeting Ukrainian governmental institutions, significantly increasing the size and frequency of its #spearphishing campaigns compared to previous years, as shown in the chart.
Besides spearphishing, #Gamaredon continues to use custom malware for lateral movement, weaponizing USB and now also network drives via updated versions of PteroLNK. Additionally, the new tool PteroTickle weaponizes Python apps converted to executables.
The VBScript version of PteroLNK has become the group’s most frequently updated tool. It now weaponizes network drives, hides targeted folders, and creates malicious LNK files using JavaScript executed by mshta.exe.
Gamaredon added stealthier methods to known tools. For example, PteroPSDoor now uses WMI event subscriptions and FileSystemWatcher to quietly monitor files, reducing noisy operations that could alert defenders.
The new tool PteroGraphin implements uncommon persistence via Excel add-ins, creating a hidden channel for payload delivery through Telegraph. Later, Gamaredon simplified its persistence, relying instead on scheduled tasks alone.
Another notable addition is PteroBox, a new PowerShell-based file stealer that exfiltrates files to Dropbox. It prioritizes sensitive documents, tracks exfiltrated files via MD5 hashes, and monitors USB insertions through WMI events
In 2024, Gamaredon went to great lengths to bypass network-based blocking. It increasingly hid its C&C servers behind Cloudflare tunnels and leveraged third-party DNS services, Codeberg repositories, and Telegraph posts to evade detection.
Our detailed technical analysis of the latest Gamaredon tools and techniques is available in the white paper: https://web-assets.esetstatic.com/wls/en/papers/white-papers/gamaredon-in-2024.pdf
IoCs are provided in the white paper and at https://github.com/eset/

ESET Threat Report H1 2025: #ClickFix attacks surge 500%, SnakeStealer tops infostealer charts, and NFC fraud jumps 35x. Plus, chaos in the ransomware underworld and a new Android adware menace—Kaleidoscope. Dive into the full report: https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-threat-report-h12025.pdf #ESETresearch

#ESETresearch analyzed a campaign deployed by BladedFeline, an Iran-aligned threat actor with likely ties to #OilRig. We discovered the campaign, which targeted Kurdish and Iraqi government officials, in 2024. https://www.welivesecurity.com/en/eset-research/bladedfeline-whispering-dark/
BladedFeline, a cyberespionage group active since at least 2017, develops malware for strategic access within the Kurdistan Regional Government and the government of Iraq. We discovered BladedFeline in 2023 after it targeted Kurdish officials with the #Shahmaran backdoor.
The systems compromised in the latest campaign contained the #Whisper backdoor, a malicious IIS module #PrimeCache, two reverse tunnels, and several supplementary tools. Whisper uses #MicrosoftExchange server to communicate with the attackers via email attachments.
We believe with medium confidence that BladedFeline is a subgroup of OilRig, an 🇮🇷-based APT group also known as APT34 or Hazel Sandstorm.
First, there were OilRig tools present in the systems compromised in this campaign. BladedFeline’s PrimeCache also shares code similarities with OilRig’s #RDAT backdoor. Moreover, as does OilRig, BladedFeline targets organizations in the Middle East.
IoCs will be available in our GitHub repo: https://github.com/eset/malware-ioc/tree/master/

The #FBI and #DCIS disrupted #Danabot. #ESET was one of several companies that cooperated in this effort. https://www.welivesecurity.com/en/eset-research/danabot-analyzing-fallen-empire/
#ESETresearch has been involved in this operation since 2018. Our contribution included providing technical analyses of the malware and its backend infrastructure, as well as identifying Danabot’s C&C servers. Danabot is a #MaaS #infostealer that has also been seen pushing additional malware – even #ransomware, such as #LockBit, #Buran, and #Crisis – to compromised systems.
We have analyzed Danabot campaigns all around the world and found a substantial number of distinct samples of the malware, as well as identified more than 1,000 C&Cs.
This infostealer is frequently promoted on underground forums. The affiliates are offered an administration panel application, a backconnect tool for real-time control of bots, and a proxy server application that relays the communication between the bots and the C&C server.
IoCs are available in our GitHub repo. You can expect updates with more details in the coming days. https://github.com/eset/malware-ioc/tree/master/danabot

#ESETresearch, in collaboration with #Microsoft, BitSight, Lumen, Cloudflare, CleanDNS, and GMO Registry, has helped disrupt #LummaStealer – a notorious malware-as-a-service infostealer. https://www.welivesecurity.com/en/eset-research/eset-takes-part-global-operation-disrupt-lumma-stealer
This disruption operation targeted Lumma Stealer’s C&C infrastructure, rendering much of the exfiltration network inoperative. ESET processed tens of thousands of Lumma samples to extract C&C servers and affiliate IDs. Infostealers are often precursors to major cyberattacks.
Between June 2024 and May 2025, ESET tracked 3,353 unique Lumma Stealer C&C domains, which is an average of around 74 new domains per week. The malware evolved constantly, with updates to encryption, protocols, and Steam-profile- and Telegram-based dead-drop resolvers.
#Microsoft’s Digital Crimes Unit, with the help of ESET and other partners, seized Lumma Stealer’s infrastructure and control panel. #ESET continues monitoring for possible resurgence.
IoCs available on our GitHub: https://github.com/eset/malware-ioc/tree/master/lummastealer

#ESETresearch has published its latest APT Activity Report, covering October 2024 to March 2025 (Q4 2024–Q1 2025). China-aligned groups like Mustang Panda and DigitalRecyclers continued their espionage campaigns targeting the EU government and maritime sectors.
North Korea-aligned groups, e.g., DeceptiveDevelopment, expanded their financially motivated campaigns using fake job listings and social engineering. Russian APTs intensified attacks against Ukraine and the EU, exploiting zero-day vulns. https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-apt-activity-report-q4-2024-q1-2025.pdf