Aryeh Goretsky

442 Followers
1.2K Following
239 Posts

Security researcher and antivirus pioneer who's been at the intersection of security research, education, and community for over three decades.

Formerly the Distinguished Researcher at #ESET, and first employee at #McAfee.

Moderator at the Lenovo, Neowin, and Scots Newsletter forums, and Intel Insider Council member. 14× Microsoft MVP award recipient.

Blog (work): https://www.welivesecurity.com/authors/goretsky
Blog (personal): https://goretsky.wordpress.com/
🦋 Bluesky: https://bsky.app/profile/goretsky.bsky.social
Reddit: https://www.reddit.com/u/goretsky
#ESETresearch has discovered a supply-chain attack targeting stock investors in Vietnam, distributing SPECTRALVIPER through the update mechanism of the FireAnt Metakit stock investment platform. https://www.welivesecurity.com/en/eset-research/oceanlotus-external-espionage-domestic-targeting/
ESET telemetry suggests that the attack started around October 2025 and ended in March 2026. In our investigation, only a small subset of exposed users received the final backdoor, SPECTRALVIPER, suggesting selective targeting.
Detailed analysis of the supply chain, the contour of OceanLotus’s victimology in recent years, and the architecture of its signature backdoor, SPECTRALVIPER, is available at:
https://www.welivesecurity.com/en/eset-research/oceanlotus-external-espionage-domestic-targeting/
IoCs available in our GitHub repo: https://github.com/eset/malware-ioc/tree/master/oceanlotus

Microsoft has taken down 73 of its own GitHub source code repositories after they were infected with a worm.

The repos appear to have been infected with Miasma, a variant of the Shai-Hulud worm.

https://opensourcemalware.com/blog/miasma-reaches-azure

The Blight Reaches Microsoft: 73 Repos Disabled in 105 Seconds

GitHub disabled 73 Microsoft repositories across four of its GitHub organizations — the entire Azure Functions org, the whole Durable Task family, and a row of AI sample apps — in a 105-second sweep on June 5. The recompromised durabletask package sits at the center, and the fingerprints point at the open-sourced Miasma worm.

#ESETresearch released its latest APT Activity Report (Oct 2025–Mar 2026): 🇨🇳China-aligned groups focused on Venezuela, Gulf states, and AI & robotics industry in 🇰🇷South Korea, while 🇰🇵North Korea-aligned APTs targeted the nuclear sector. Full report: https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-apt-activity-report-q4-2025-q1-2026.pdf

Interesting editorial from Tommi Uhlemann of AV-Comparatives about Microsoft's assertion that Windows 11 no longer requires third-party antivirus: https://av-comparatives.org/is-microsoft-defender-enough/

What's particularly interesting is that Microsoft seems to have walked back this claim, and removed their blog post. It still lives on in the Internet Archive at https://web.archive.org/web/20260421190944/https://www.microsoft.com/en-us/windows/learning-center/best-antivirus-software-for-windows, though.

Is Microsoft Defender enough on its own? The independent view.

Defender has improved a lot. But our latest test data, recent Defender CVEs and the shift to AI-scale vulnerability discovery raise a different question: what do you fall back on when one layer is not enough?

AV-Comparatives

back in 2022 i found a bug that would let me, with no user interaction, turn any chromium-based browser into a permanent js botnet member

in edge, you wouldn't even notice anything out-of-place, and would stay connected to the c2 even after closing the browser

today, almost 4 years later, the bug is finally public:
https://issues.chromium.org/issues/40062121

#ESETresearch analyzed 2025 activity of the 🇨🇳-aligned Webworm APT group, focusing on its evolving toolset and techniques. https://www.welivesecurity.com/en/eset-research/webworm-new-burrowing-techniques/
Webworm’s latest campaigns mark a shift in its targeting away from Asia toward Europe and Africa. In 2025, it attacked governmental entities in 🇧🇪 Belgium, 🇮🇹 Italy, 🇷🇸 Serbia, 🇪🇸 Spain and 🇵🇱 Poland, as well as a university in 🇿🇦 South Africa.
The group seems to have stopped deploying the Trochilus and McRat backdoors; instead, it introduced new, custom-made backdoors: EchoCreep, which uses Discord for C&C communication, and GraphWorm, which uses Microsoft Graph API for the same purpose.
On an operator server, we discovered a directory listing with open-source utilities used to scrape victim web server files and directories, and to search for vulnerabilities within. One directory contained reconnaissance commands used against more than 50 unique targets.
While going over EchoCreep’s Discord messages, we uncovered a GitHub repository that was a direct fork of the legitimate WordPress repository. Webworm uses it as a file stager for its tools and malware.
The group also continues to employ various proxy utilities. In 2025, it added four custom-made ones to its arsenal: WormFrp, ChainWorm, SmuxProxy, and WormSocket.
We presented these findings at #ESETWorld2026 in a talk titled: China-aligned Webworm targets EU countries, abuses Discord and government-hosted public apps.
IoCs available in our GitHub repo: https://github.com/eset/malware-ioc/tree/master/webworm

Just read about the passing of Peter G. Neumann:
https://www.nytimes.com/2026/05/17/obituaries/peter-g-neumann-dead.html. Another giant from the computer security world lost.

My interactions with him through comp.risks were rare over the years, but I was an avid reader.

Rest in peace.

Peter G. Neumann, Who Warned of Computer Security Risks, Dies at 93

For decades, he criticized the industry’s lax attitudes toward both computer security and individual digital privacy. And he developed solutions.

The New York Times
#ESETresearch uncovered a new compromise that we attribute to #FrostyNeighbor, using links in malicious PDFs sent via spearphishing attachments to target governmental organizations in Ukraine. @dmnsch https://www.welivesecurity.com/en/eset-research/frostyneighbor-fresh-mischief-digital-shenanigans/
The compromise chain is the newest observed to date, and starts with a blurry lure PDF file that contains a malicious link to download a document hosted on a delivery server. If the request does not come from an expected victim, the server delivers a benign PDF file.
If the victim request comes from an expected location, the server instead delivers a malicious RAR archive, containing the first stage and displays an unblurred version of the PDF file as a decoy, while executing the next stage silently.
The victim’s computer-related information is collected, and its fingerprint is sent to the C&C server. The response contains a Cobalt Strike beacon as initial implant only if the victim is of interest.
Detailed analysis is available at https://www.welivesecurity.com/en/eset-research/frostyneighbor-fresh-mischief-digital-shenanigans/. IoCs available in our GitHub repo: https://github.com/eset/malware-ioc/tree/master/frostyneighbor