ESET Research

@ESETresearch@infosec.exchange
2.8K Followers
20 Following
105 Posts
Security research and breaking news straight from ESET Research Labs.
WWW 🔗https://www.welivesecurity.com
Bluesky 🦋https://bsky.app/profile/esetresearch.bsky.social
Twitter 𝕏https://twitter.com/esetresearch
#ESETresearch has revisited CVE-2025-50165, a critical remote code execution vulnerability in the WindowsCodecs.dll library when processing JPG images, one of the most widely used image formats. https://www.welivesecurity.com/en/eset-research/revisiting-cve-2025-50165-critical-flaw-windows-imaging-component/
The vulnerability, found by Zscaler in May 2025, stems from an uninitialized pointer dereference during the compression process of 12-bit precision JPG streams.
Our deep dive analysis took us on a journey inside the JPG file format and Windows Imaging Component internals, allowing us to reproduce the crash and find an alternative vulnerable code path, stemming from the same problem but for 16-bit precision JPG streams.
Our investigation revealed that the vulnerable component uses the open-source library libjpeg-turbo, in which similar issues were found and resolved in December 2024.
Studying libjpeg-turbo commits enabled us to explore other potentially vulnerable code paths and reassess exploitability: the flaw, although ranked critical by Microsoft, is likely unexploitable.
Finally, while we studied the immediate patch, we also looked at newer versions of WindowsCodecs.dll and observed that additional mitigations were subsequently implemented. Time to patch!
#ESETresearch has detected a new MSIL loader, named #BlackHawk, protected by three layers of obfuscation, all of which show strong signs of being AI-generated.
The first layer is a VBS script. It stands out due to its clean formatting, overly complex implementation, meaningful function and variable names, and clear comments and sectioning, features typical for AI-generated code.
The second layer is a PowerShell script that begins with comments accurately describing its functionality, and contains multiple implementations of the same decryption function, along with multiple execution methods – another potential residue of AI fine-tuning.
The third layer is another PowerShell script containing a base64-encoded BlackHawk loader and the final payload. AI-generated artifacts are evident in this stage too, similar to those observed in the earlier layers.
ESET researchers have observed BlackHawk being used in spearphishing campaigns to deliver #AgentTesla, targeting hundreds of endpoints in Romanian small and medium-sized companies.
The name BlackHawk is based on the main class name of the loader (BLACKHAWK.DOWN), version information, and a PDB file (blackhawk.pdb), all indicating that the developer also uses this naming.
Researchers at K7 have also observed #BlackHawk being deployed in another campaign, with only slight variations in the obfuscation layers across different samples. This offers further evidence of prompt engineering techniques used to optimize stealth. https://labs.k7computing.com/index.php/phantom-3-5-initial-vector-analysis-forensics/
This discovery illustrates another area that attackers can potentially improve by using generative AI - namely code protection. In the case of BlackHawk, however, the deployment of these techniques was rather heavy-handed.
IoCs:
39C2E88D3F8E5EB5F2829420861209C5B33F26A1 – the first layer of BlackHawk
86B55EFF8EE238161EF34A99086F6D1E482595E4 – BlackHawk loader
#ESETresearch has discovered a new 🇨🇳-aligned APT group, #LongNosedGoblin. This group focuses on cyberespionage and targets mainly governmental entities in Southeast Asia and Japan. https://www.welivesecurity.com/en/eset-research/longnosedgoblin-tries-sniff-out-governmental-affairs-southeast-asia-japan/
LongNosedGoblin uses Group Policy to deploy malware and move laterally across the compromised network. Its toolset consists mainly of malicious C#/.NET applications.
One of them is NosyHistorian, used to gather the victim’s browser history and decide where to deploy further malware. This includes NosyDoor, a backdoor that uses cloud services for C&C. NosyDoor also employs living-off-the-land techniques in its execution chain.
Our blogpost describes the discovery of LongNosedGoblin, goes over its known campaigns, and provides a detailed analysis of the group’s toolset.
We also recently presented these findings at #AVAR2025 in a talk titled Sniffing Around: Unmasking the LongNosedGoblin operation in Southeast Asia and Japan.
https://events.aavar.org/cybersecurity-conference/index.php/sniffing-around-unmasking-the-longnosedgoblin-operation-in-southeast-asia-and-japan/
IoCs available in our GitHub repo: https://github.com/eset/malware-ioc/tree/master/longnosedgoblin
ESET Threat Report H2 2025: NFC threats grow in scale and sophistication, ransomware victim numbers surge, and AI-powered malware becomes reality with PromptLock. The threat landscape is evolving fast – read the full report: https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-threat-report-h22025.pdf #ESETresearch
#ESETresearch analyzed the #Gamaredon VBScript payload recently flagged by @ClearskySec. It wipes registry Run keys, scheduled tasks, and kills processes – however, our assessment is that this is likely to clean researchers’ machines, not a shift to destructive ops. https://x.com/ClearskySec/status/1995061537183011084
The script is similar to Gamaredon VBScripts we analyzed before. It removes all registry values under well-known Run/RunOnce keys + several legitimate keys commonly abused by Gamaredon. It also deletes all scheduled tasks and terminates PowerShell, VBScript, and Mshta processes.
Gamaredon often stores malicious files with random names in %USERPROFILE%. Instead of pinpointing specific files, the script recursively deletes everything from the C:\Users directory – collateral damage seems acceptable to Gamaredon operators.
This behavior suggests Gamaredon wants to erase traces when uninstalling its malware – most likely due to recognizing researcher environments – not a pivot to destructive activities. Espionage remains their primary goal. https://www.virustotal.com/gui/file/9a39423ec90dc06a3058279cd744c08d83252d1c7096633b9853e435cc205755
ClearSky Cyber Security (@ClearskySec) on X

A new wiper attack has been identified by ClearSky Cyber Security affecting Ukraine. We named this wiper "GamaWiper" (VBS-based wiper). The intrusion chain begins with the exploitation of a vulnerable WinRAR version (CVE-2025-80880). We assess with moderate confidence that this

#ESETresearch discovered a new #MuddyWater campaign targeting critical infrastructure in 🇮🇱 Israel and 🇪🇬 Egypt, using a new backdoor – MuddyViper – and a variety of post-compromise tools https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank/
The group used a custom loader, Fooder, which masquerades as the classic Snake game. Its internal logic mimics the game mechanics to delay execution and hinder automated analysis.
Fooder loads MuddyViper, a new C/C++ backdoor that facilitates covert control over compromised systems, the HackBrowserData infostealer, or go-socks5 reverse tunnels that allow attackers to route traffic through compromised machines to obscure the location of their C&C servers.
MuddyViper capabilities include operating a reverse PowerShell or Windows Command Prompt, downloading or uploading files in size-limited chunks, stealing data from a variety of browsers, and displaying a fake Windows Security dialog to trick victims into entering credentials.
The post-compromise toolset also includes multiple credential stealers: CE-Notes, which targets Chromium-based browsers; LP-Notes, which stages and verifies stolen credentials; and Blub, which steals login data from Chrome, Edge, Firefox, and Opera browsers.
While some components remain noisy and easily detected, as is typical for MuddyWater, overall this campaign shows signs of technical evolution – increased precision, strategic targeting, and a more advanced toolset.
IoCs available in our GitHub repo: https://github.com/eset/malware-ioc/tree/master/muddywater
#ESETresearch is heading to #AVAR2025! Dec 4, Thursday, in Kuala Lumpur, 11:00–11:30 MYT.
ESET researchers Anton Cherepanov & Peter Strýček present: "Sniffing Around: Unmasking the LongNosedGoblin operation in Southeast Asia and Japan".
A deep dive into a cyberespionage campaign targeting organizations in Southeast Asia & Japan, attributed to LongNosedGoblin, active since 2023.
Find out about: Abuse of Active Directory Group Policy for malware delivery, custom payloads like NosyHistorian (browser history infostealer) and advanced backdoors & exfil tools, incl. NosyDoor using OneDrive for C&C and bypassing AMSI.

#ESETresearch discovered a unique toolset, which we named QuietEnvelope, targeting the MailGates email protection system of the Taiwanese company OpenFind. The toolset was uploaded in an archive, named spam_log.7z, to VirusTotal from Taiwan 🇹🇼. It contains Perl scripts, three stealthy passive backdoors, an argument runner, and miscellaneous files.
The Perl scripts are mainly responsible for deploying three passive backdoors as a loadable kernel module (LKM), an Apache module, and an injected shellcode. Together, they give the attackers remote access to a compromised server.
The LKM, internally named smtp_backdoor, monitors ingress TCP traffic on port 6400 and triggers when packets contain the magic string EXEC_OPENFIND: followed by a command. It runs the command and uses a named pipe to read the output, which is then sent back to the client.
The third backdoor is injected into a running mgsmtpd process. It is capable of retrieving file content and executing commands. By default, it responds with 250 OK, suggesting that the backdoor is hooked into the code that may be responsible for generating the SMTP response.
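As an added example (not ESET's code and not part of the original post), the following Python snippet shows how a defender could hunt for the smtp_backdoor trigger described above in captured network telemetry: a payload on TCP port 6400 containing the magic string EXEC_OPENFIND: followed by a command. The flow records are constructed for illustration; the severity labels and the idea of also flagging the marker on other ports (in case a variant changes the port) are assumptions of this example, not findings from the post.

```python
"""Hunt for the QuietEnvelope smtp_backdoor trigger in captured TCP payloads.

Added example, not ESET's code. Input records below are constructed.
"""
from dataclasses import dataclass

MAGIC = b"EXEC_OPENFIND:"   # magic string named in the post
TRIGGER_PORT = 6400         # ingress port the LKM monitors, per the post


@dataclass
class Flow:
    src: str
    dst_port: int
    payload: bytes


def classify(flow):
    """Return a severity label, or None if the flow does not match.

    'high'   - marker on the documented port: matches the known trigger.
    'medium' - marker on another port: possible variant, worth review
               (assumption of this example, not something the post states).
    """
    if flow.payload.find(MAGIC) < 0:
        return None
    return "high" if flow.dst_port == TRIGGER_PORT else "medium"


def scan(flows):
    """Scan flow records and return one alert dict per matching flow."""
    alerts = []
    for f in flows:
        sev = classify(f)
        if sev is None:
            continue
        # Keep a short printable preview of what follows the marker so an
        # analyst can see what was sent, without dumping the whole payload.
        start = f.payload.find(MAGIC) + len(MAGIC)
        preview = f.payload[start:start + 40].decode("ascii", "replace")
        alerts.append({"src": f.src, "port": f.dst_port,
                       "severity": sev, "preview": preview.strip()})
    return alerts


# Constructed sample telemetry: one benign SMTP flow, one flow matching the
# documented trigger, and one with the marker on an unexpected port.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 25, b"EHLO mail.example.test\r\n"),
    Flow("198.51.100.7", 6400, b"EXEC_OPENFIND:id\n"),
    Flow("198.51.100.9", 8080, b"GET / HTTP/1.1\r\nX: EXEC_OPENFIND:uname -a\r\n"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print(alert)
```

In practice the same matcher would be fed from a packet capture or an IDS payload log; the point is that the marker itself, not only the port, is the stable indicator to alert on.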
The level of sophistication, familiarity with the target environment, and the strings and comments likely intended to blend in suggest that an unknown APT group may be behind this. The debug strings are in simplified Chinese, which is primarily used in Mainland China 🇨🇳.
IoCs:
🚨 QuietEnvelope
7C641C8C54C9BF8F6DDC2543675775F332ABB224
D69207244AB48697E15A8BD04D92CC9808C8C994
4ADD582C52D471F552AE3142A60BFAF81EA3AF07
6E2E94CCE6AF92F25C9ED62C4BFE2431C66CABA5
BD05ED2E4135FABFE66E66F2F0D46F7CB3E9412E
95F7CE692877B3A457EAC2E00B51576C4405BC5D
C821B5F25E074F71CD3A36A0F6C5E30E17B1BEEB
C3BC8CB2A44D9EC741493380D28936CE15AB6AA6

#ESETresearch discovered and analyzed a previously undocumented malicious tool for network devices that we have named #EdgeStepper, enabling the China-aligned #PlushDaemon APT group to perform adversary-in-the-middle attacks that hijack software updates to deliver malware. https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-network-devices-for-adversary-in-the-middle-attacks/
When a network device (e.g., a router) is compromised, EdgeStepper begins to redirect all DNS queries to a malicious DNS node that replies with the IP address of the node that performs update hijacking of popular Chinese software such as Sogou Pinyin Method.
When the software communicates with the hijacking node, that node instructs it to download an update for a DLL; in reality, the downloaders that we call LittleDaemon and DaemonicLogistics ultimately deploy the #SlowStepper backdoor.
#SlowStepper is a feature-rich backdoor with a toolkit of more than 30 components. We analyzed and documented it in a previous blogpost about the compromise of a South Korean VPN service provider. https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-supply-chain-korean-vpn-service/
IoCs available on our GitHub repo: https://github.com/eset/malware-ioc/

We are deeply saddened by the passing of David Harley, a brilliant cybersecurity expert, former ESET Senior Research Fellow, author and long-time Virus Bulletin contributor.

David's legacy spans decades of research, writing, and public speaking, always with a focus on making the internet safer for all. He was also a passionate musician and a kind, generous soul.

Rest in peace, David. You will be missed. 💙

#ESETresearch has published its latest APT Activity Report, covering October 2024 to March 2025 (Q4 2024–Q1 2025). China-aligned groups like Mustang Panda and DigitalRecyclers continued their espionage campaigns targeting the EU government and maritime sectors.
North Korea-aligned groups, e.g., DeceptiveDevelopment, expanded their financially motivated campaigns using fake job listings and social engineering. Russian APTs intensified attacks against Ukraine and the EU, exploiting zero-day vulns. https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-apt-activity-report-q4-2024-q1-2025.pdf