Jean-Ian Boutin

Director of Threat Research @ESET
#ESETresearch has discovered the first known cases of collaboration between Gamaredon and Turla, in Ukraine. Both groups are affiliated with the FSB, Russia’s main domestic intelligence and security agency.
In February 2025, we noticed Gamaredon’s PteroGraphin restarting Turla’s Kazuar v3 backdoor. In April and June we detected that Kazuar v2 was deployed via Gamaredon’s PteroOdd and PteroPaste. We now believe with high confidence that Gamaredon provides initial access to Turla.
IoCs available in our GitHub repo: https://github.com/eset/malware-ioc/tree/master/turla
https://www.welivesecurity.com/en/eset-research/gamaredon-x-turla-collab/
#ESETresearch’s Matthieu Faou and Zoltán Rusnák will present at Labscon 2025 @labscon_io: “Gamaredon x Turla: Unveiling a 2025 Espionage Alliance Targeting Ukraine”. Join them in Scottsdale, September 19 at 11:00 AM MST.
They will detail the first technical evidence of operational collaboration between two of the most notorious Russia-aligned cyberespionage groups: Gamaredon and Turla. While both have previously been linked to the FSB, our observations mark the first time that Gamaredon is known to have actively facilitated Turla’s access to high-value Ukrainian targets.
Between February and June 2025, we tracked multiple incidents where some Gamaredon custom tools — particularly PteroGraphin and PteroOdd — were used to deploy Turla’s flagship backdoor, Kazuar.
#BREAKING #ESETResearch has been monitoring the recently discovered #ToolShell zero-day vulnerabilities in #SharePoint Server: CVE-2025-53770 and CVE-2025-53771. SharePoint Online in Microsoft 365 is not impacted. https://www.welivesecurity.com/en/eset-research/toolshell-an-all-you-can-eat-buffet-for-threat-actors/
ESET first detected an attempt to exploit part of the execution chain on July 17 in Germany 🇩🇪. Here, the final #webshell payload was not delivered. The first time we registered the payload was on July 18 in Italy 🇮🇹. We have since seen active ToolShell exploitation all over the world.
We have uncovered several IP addresses that were used in the attacks from July 17 to July 22. The charts show the timeline of the attacks from the three most active of these IP addresses.
ToolShell is being exploited by all sorts of threat actors, from petty cybercriminals to state-sponsored groups, among them China 🇨🇳-aligned #APTs. We expect these attacks to continue taking advantage of unpatched systems.
IoCs available in our GitHub repo: https://github.com/eset/
The #FBI and #DCIS disrupted #Danabot. #ESET was one of several companies that cooperated in this effort. https://www.welivesecurity.com/en/eset-research/danabot-analyzing-fallen-empire/
#ESETresearch has been involved in this operation since 2018. Our contribution included providing technical analyses of the malware and its backend infrastructure, as well as identifying Danabot’s C&C servers. Danabot is a #MaaS #infostealer that has also been seen pushing additional malware – even #ransomware, such as #LockBit, #Buran, and #Crisis – to compromised systems.
We have analyzed Danabot campaigns all around the world, found a substantial number of distinct samples of the malware, and identified more than 1,000 C&Cs.
This infostealer is frequently promoted on underground forums. The affiliates are offered an administration panel application, a backconnect tool for real-time control of bots, and a proxy server application that relays the communication between the bots and the C&C server.
IoCs are available in our GitHub repo. You can expect updates with more details in the coming days. https://github.com/eset/malware-ioc/tree/master/danabot
#ESETresearch, in collaboration with #Microsoft, BitSight, Lumen, Cloudflare, CleanDNS, and GMO Registry, has helped disrupt #LummaStealer – a notorious malware-as-a-service infostealer. https://www.welivesecurity.com/en/eset-research/eset-takes-part-global-operation-disrupt-lumma-stealer
This disruption operation targeted Lumma Stealer’s C&C infrastructure, rendering much of the exfiltration network inoperative. ESET processed tens of thousands of Lumma samples to extract C&C servers and affiliate IDs. Infostealers are often precursors to major cyberattacks.
Between June 2024 and May 2025, ESET tracked 3,353 unique Lumma Stealer C&C domains, which is an average of around 74 new domains per week. The malware evolved constantly, with updates to encryption, protocols, and Steam-profile- and Telegram-based dead-drop resolvers.
#Microsoft’s Digital Crimes Unit, with the help of ESET and other partners, seized Lumma Stealer’s infrastructure and control panel. #ESET continues monitoring for possible resurgence.
IoCs available on our GitHub: https://github.com/eset/malware-ioc/tree/master/lummastealer
#ESETResearch analyzed the toolset of the China-aligned APT group that we have named #TheWizards. It can move laterally on compromised networks by performing adversary-in-the-middle (AitM) attacks to hijack software updates. https://www.welivesecurity.com/en/eset-research/thewizards-apt-group-slaac-spoofing-adversary-in-the-middle-attacks/
Since at least 2022, the group has targeted individuals, companies, and unknown entities in the Philippines, the United Arab Emirates, Cambodia, mainland China, and Hong Kong.
#TheWizards deploy a tool we have named #Spellbinder, which implements IPv6 SLAAC spoofing to redirect IPv6 traffic to the machine running Spellbinder, making it act as a malicious IPv6-capable router.
Spellbinder intercepts DNS queries associated with update domains for Chinese software. We focus on a recent case in which an update of Tencent QQ was hijacked to deploy TheWizards’ signature backdoor, WizardNet.
In our blogpost, we also discuss links we uncovered between #TheWizards and the Chinese company Dianke Network Security Technology, also known as UPSEC.
IoCs available in our GitHub repo: https://github.com/eset/malware-ioc/tree/master/thewizards
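The post above describes Spellbinder turning a host into a rogue IPv6 router via SLAAC spoofing so that victims send DNS queries to it. The quickest network-side check for that technique is to inspect ICMPv6 Router Advertisements (RFC 4861) and flag any that come from an unknown router MAC, advertise an unexpected prefix, or push an RDNSS resolver (RFC 8106) that is not one of yours. The parser and allowlist check below are an added example, not ESET's code and not a description of Spellbinder's own packets; the MAC addresses, prefixes and resolver addresses are constructed sample values, and `build_ra` only exists to produce test input (it leaves the ICMPv6 checksum at zero).

```python
"""Parse ICMPv6 Router Advertisements and flag ones a legitimate router would not send.

Added example for spotting SLAAC/RDNSS spoofing on a segment; all addresses
below are constructed sample values, not indicators from any real campaign.
"""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Set

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LLADDR = 1   # RFC 4861 s4.6.1
OPT_PREFIX_INFO = 3     # RFC 4861 s4.6.2
OPT_RDNSS = 25          # RFC 8106 s5.1


@dataclass
class RouterAdvertisement:
    router_lifetime: int
    source_mac: Optional[str] = None
    prefixes: List[str] = field(default_factory=list)
    dns_servers: List[str] = field(default_factory=list)


def parse_ra(payload: bytes) -> RouterAdvertisement:
    """Parse the ICMPv6 payload of a Router Advertisement (header + TLV options)."""
    if len(payload) < 16 or payload[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    # Header: type, code, checksum, cur hop limit, flags, router lifetime, reachable, retrans
    router_lifetime = struct.unpack_from("!H", payload, 6)[0]
    ra = RouterAdvertisement(router_lifetime=router_lifetime)
    off = 16
    while off + 2 <= len(payload):
        opt_type, opt_len = payload[off], payload[off + 1]
        if opt_len == 0:
            raise ValueError("zero-length option")  # RFC 4861 says discard the packet
        opt = payload[off:off + opt_len * 8]
        if len(opt) < opt_len * 8:
            raise ValueError("truncated option")
        body = opt[2:]
        if opt_type == OPT_SOURCE_LLADDR and len(body) >= 6:
            ra.source_mac = ":".join(f"{b:02x}" for b in body[:6])
        elif opt_type == OPT_PREFIX_INFO and opt_len == 4:
            # prefix len, flags, valid, preferred, reserved, then the 16-byte prefix
            plen = body[0]
            prefix = ipaddress.IPv6Address(body[14:30])
            ra.prefixes.append(f"{prefix}/{plen}")
        elif opt_type == OPT_RDNSS and opt_len >= 3 and (opt_len - 1) % 2 == 0:
            # reserved(2), lifetime(4), then one or more 16-byte resolver addresses
            addrs = body[6:]
            for i in range(0, len(addrs), 16):
                ra.dns_servers.append(str(ipaddress.IPv6Address(addrs[i:i + 16])))
        off += opt_len * 8
    return ra


def assess_ra(ra: RouterAdvertisement, known_router_macs: Set[str],
              known_prefixes: Set[str], known_dns: Set[str]) -> List[str]:
    """Return a list of findings; an empty list means the RA matches the allowlist."""
    findings = []
    if ra.source_mac and ra.source_mac not in known_router_macs:
        findings.append(f"RA from unknown router MAC {ra.source_mac}")
    for p in ra.prefixes:
        if p not in known_prefixes:
            findings.append(f"unexpected prefix {p}")
    for d in ra.dns_servers:
        if d not in known_dns:
            findings.append(f"RDNSS points to unexpected resolver {d}")
    return findings


def build_ra(source_mac: str, prefix: str, dns_servers: List[str],
             router_lifetime: int = 1800) -> bytes:
    """Build a constructed RA payload for testing (checksum left at zero)."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0,
                      router_lifetime, 0, 0)
    mac = bytes.fromhex(source_mac.replace(":", ""))
    opts = struct.pack("!BB", OPT_SOURCE_LLADDR, 1) + mac
    net = ipaddress.IPv6Network(prefix)
    opts += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                        2592000, 604800, 0) + net.network_address.packed
    if dns_servers:
        opts += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns_servers), 0, 1800)
        opts += b"".join(ipaddress.IPv6Address(d).packed for d in dns_servers)
    return hdr + opts


if __name__ == "__main__":
    # Constructed allowlist for a hypothetical segment
    routers, prefixes, resolvers = {"00:11:22:33:44:55"}, {"2001:db8:1::/64"}, {"2001:db8:1::1"}
    legit = build_ra("00:11:22:33:44:55", "2001:db8:1::/64", ["2001:db8:1::1"])
    rogue = build_ra("de:ad:be:ef:00:01", "2001:db8:1::/64", ["fe80::dead:beef"])
    for name, pkt in (("legit", legit), ("rogue", rogue)):
        print(name, assess_ra(parse_ra(pkt), routers, prefixes, resolvers))
```

In practice the payloads come from a capture filter such as `icmp6 && icmp6.type == 134` on the access segment; the rogue case above is caught twice, once for the unknown sender and once for the resolver it advertises. Note that the same technique also defeats hosts on IPv4-only networks that merely have IPv6 enabled, so the check is worth running even where IPv6 is not deliberately deployed.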
Join #ESETresearch and our very own @matthieu_faou during the #Northsec conference in Montreal for the talk “Weaponizing XSS: Cyberespionage tactics in webmail exploitation”. Learn how XSS vulnerabilities let attackers inject malicious scripts into webmails.
The #ESET team spent 2 years studying these vulnerabilities in webmail portals, finding zero-day flaws in Roundcube & MDaemon. Discover how Russia-aligned Sednit, GreenCube, and Belarus-aligned Winter Vivern exploited XSS flaws in Roundcube, Zimbra, MDaemon & Horde to steal emails from high-value targets.
Don't miss the presentation on May 15 at 13:45 Montreal time. #CyberSecurity #Infosec https://nsec.io/session/2025-weaponizing-xss-cyberespionage-tactics-in-webmail-exploitation.html
AI SecureOps: Attacking & Defending AI Applications & Agents (NorthSec 2026)

The worrying evolution of the major social media platforms – Blog @ericfreyss

https://eric.freyssi.net/2025/01/12/levolution-preoccupante-des-grandes-plateformes-de-reseaux-sociaux/

🇫🇷 French authorities issued arrest warrants for #Telegram CEO Pavel Durov and his co-founder brother Nikolai in March, according to a French administrative document seen exclusively by POLITICO.

The document indicates the French undercover investigation into Telegram is wider and began months earlier than previously known. The case revolves around Telegram’s refusal to cooperate with a French police enquiry into child sex abuse.

https://www.politico.eu/article/exclusive-telegram-ceo-brother-nikolai-durov-wanted-france-authorities-pavel-durov/

#france

#ESETResearch released its latest APT Activity Report, covering the period from September until the end of December 2022 (T3 2022). Take a look ➡ https://www.welivesecurity.com/wp-content/uploads/2023/01/eset_apt_activity_report_t32022.pdf 1/4