
#ESETresearch


#ESETresearch publishes its investigation of Operation RoundPress, which uses XSS vulnerabilities to target high-value webmail servers. We attribute the operation to Sednit with medium confidence. welivesecurity.com/en/eset-res
In 2023, Operation RoundPress only targeted Roundcube, but in 2024 it expanded to other webmail software including Horde, MDaemon, and Zimbra. For MDaemon, Sednit exploited the zero-day XSS vulnerability CVE-2024-11182.
Most victims were governmental entities and defense companies in Eastern Europe, although we have observed governments in Africa, Europe, and South America being targeted as well.
Our blogpost provides an analysis of the JavaScript payloads, which we named SpyPress. They are able to steal webmail credentials, and exfiltrate contacts and email messages from the victim’s mailbox. IoCs available in our GitHub repo: github.com/eset/malware-ioc/tr 5/5

Join #ESETResearch's Damien Schaeffer at PivotCon 2025 for "Hello Zebrocy, my old friend!" on May 8 at 2pm CEST in Malaga.
Damien will discuss Zebrocy, a 🇷🇺 APT group. After going silent since 2021, we discovered a 2023 attack on a 🇺🇦 governmental organization. The attack used a malicious document to download complex malware, including an obfuscated Python backdoor, keylogger, and file stealer.
By analyzing artifacts, we found similarities with older Zebrocy tools. ESET telemetry helped us attribute recent campaigns to Zebrocy, targeting Central Asia and Eastern Europe. The group uses minimal footprint tactics.
His presentation uncovers Zebrocy's multiyear espionage campaign, highlighting its evolving toolset and stealthy operations. The group's infrastructure is recalibrated for each campaign, aiming to maintain access for cyberespionage. Save the date: pivotcon.org/agenda-2025/

#ESETResearch analyzed the toolset of the China-aligned APT group that we have named #TheWizards. It can move laterally on compromised networks by performing adversary-in-the-middle (AitM) attacks to hijack software updates. welivesecurity.com/en/eset-res
Since at least 2022, the group has targeted individuals, companies, and unknown entities in the Philippines, the United Arab Emirates, Cambodia, mainland China, and Hong Kong.
#TheWizards deploy a tool we have named #Spellbinder, which implements IPv6 SLAAC spoofing to redirect IPv6 traffic to the machine running Spellbinder, making it act as a malicious IPv6-capable router.
Spellbinder intercepts DNS queries associated with update domains for Chinese software. We focus on a recent case in which an update of Tencent QQ was hijacked to deploy TheWizards’ signature backdoor, WizardNet.
In our blogpost, we also discuss links we uncovered between #TheWizards and the Chinese company Dianke Network Security Technology, also known as UPSEC.
IoCs available in our GitHub repo: github.com/eset/malware-ioc/tr
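A defender-side check for the SLAAC spoofing technique described in the post above, added here as an example and not ESET's or Spellbinder's code: it parses raw IPv6/ICMPv6 Router Advertisements and flags any that come from a router outside an allowlist or that advertise an unexpected RDNSS (DNS server) option. The allowlists and the sample packets are constructed assumptions.

```python
import ipaddress
import struct

# Assumed allowlists (hypothetical): link-local addresses of legitimate routers
# and the DNS resolvers they are expected to advertise via RDNSS.
TRUSTED_ROUTERS = {"fe80::1"}
TRUSTED_DNS = {"2001:db8::53"}

def build_ra(src, dns_servers):
    """Construct a minimal IPv6 + ICMPv6 Router Advertisement carrying an RDNSS
    option. Used only to build offline test input; nothing is sent."""
    # ICMPv6 RA header: type 134, code, checksum (left zero), hop limit, flags,
    # router lifetime, reachable time, retrans timer.
    icmp = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
    # RDNSS option (type 25): length is in 8-octet units, 1 + 2 per address.
    addrs = b"".join(ipaddress.IPv6Address(a).packed for a in dns_servers)
    icmp += struct.pack("!BBHI", 25, 1 + 2 * len(dns_servers), 0, 1800) + addrs
    # IPv6 header: version 6, payload length, next header 58 (ICMPv6), hop limit 255.
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), 58, 255)
    ip6 += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed
    return ip6 + icmp

def parse_ra(pkt):
    """Return (source address, [RDNSS servers]) for an ICMPv6 RA, else None.
    The ICMPv6 checksum is not verified here; capture tools already do that."""
    if len(pkt) < 56 or pkt[0] >> 4 != 6 or pkt[6] != 58:
        return None
    src = str(ipaddress.IPv6Address(pkt[8:24]))
    icmp = pkt[40:40 + struct.unpack("!H", pkt[4:6])[0]]
    if icmp[0] != 134:
        return None
    servers, off = [], 16  # options follow the 16-byte RA header
    while off + 8 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1] * 8
        if olen == 0:
            break  # malformed option; stop instead of looping forever
        if otype == 25:
            body = icmp[off + 8:off + olen]
            servers += [str(ipaddress.IPv6Address(body[i:i + 16]))
                        for i in range(0, len(body) - 15, 16)]
        off += olen
    return src, servers

def is_rogue_ra(pkt, routers=TRUSTED_ROUTERS, dns=TRUSTED_DNS):
    """True when an RA comes from an unexpected router or pushes an unexpected resolver."""
    ra = parse_ra(pkt)
    if ra is None:
        return False
    src, servers = ra
    return src not in routers or any(s not in dns for s in servers)
```

Feed it packets captured on the segment (e.g. from a pcap filtered on icmp6 type 134); a hit on a host that is not a known router is the signature of a machine acting as a malicious IPv6 router.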

Join #ESETResearch's Romain Dumont at BSides Calgary for "Reverse One Zero Day, Get One Free!" on May 2 at 8pm local time.
In his talk, Romain will explore how ESET found a zero-day vulnerability in WPS Office for Windows (CVE-2024-7262) exploited by APT-C-60 for espionage. This one-click remote code execution bug targets the software suite, popular in Asia with 500M users.
Our analysis revealed weaponized MHTML-formatted spreadsheets exploiting a path traversal bug due to poor input sanitization. Developers used their knowledge of WPS Office and Windows internals to bypass constraints.
Further analysis of the patch led us to the discovery of a logic flaw introduced by the latter. We demonstrate how a single bit created an alternate path for arbitrary code execution (CVE-2024-7263). 📅 Save the date ➡️ hackertracker.app/event/?conf=BSIDESCALGARY2025&event=60453

Join #ESETresearch and our very own @matthieu_faou during #Northsec conference in Montreal for “Weaponizing XSS: Cyberespionage tactics in webmail exploitation” talk. Learn how XSS vulnerabilities let attackers inject malicious scripts into webmails.
#ESET team spent 2 years studying these vulnerabilities in webmail portals, finding zero-day flaws in Roundcube & MDaemon. Discover how Russia-aligned Sednit, GreenCube, and Belarus-aligned Winter Vivern exploited XSS flaws in Roundcube, Zimbra, MDaemon & Horde to steal emails from high-value targets.
Don't miss the presentation on May 15 at 13:45 Montreal time. #CyberSecurity #Infosec nsec.io/session/2025-weaponizi

#ESETresearch noticed two #MirrorFace Excel documents, known as #ROAMINGMOUSE, were uploaded to VirusTotal from #Taiwan in March 2025. The documents contain a malicious VBA macro that deploys #ANEL backdoor on the compromised machine. @dbreitenbacher
The contents of the documents are written in traditional Chinese and the date used follows the Republic of China calendar. Based on this data and other information available to ESET, we assess with medium confidence that the target was a Taiwanese research institute.
Even though MirrorFace has been previously reported on targeting a Taiwanese entity, this is the first time we don’t see any relation to Japan.
Our investigation indicates that both documents were used to target the same institute. MirrorFace employed a call-to-action textbox, asking targets to press “Enable editing” and then “Enable content” buttons to show the data in the worksheet.
Using multiple different malicious documents to compromise the same entity is an approach that was also observed in 2024 in “Case 1: Japanese research institute” described in our blogpost welivesecurity.com/en/eset-res.
The overall compromise chain, leading to the execution of #ANEL to establish the initial foothold, remained the same as some observed in 2024. In particular, the approach was described as “Case 1” in Trend Micro’s report trendmicro.com/en_us/research/.
Besides the documents, a sample of #ANELLDR loader and a sample of #FaceXInjector were uploaded to VirusTotal from Taiwan around the same time as well.
IoCs

#ESETresearch discovered previously unknown links between the #RansomHub, #Medusa, #BianLian, and #Play ransomware gangs, and leveraged #EDRKillShifter to learn more about RansomHub’s affiliates. @SCrow357 welivesecurity.com/en/eset-res
RansomHub emerged in February 2024 and in just three months reached the top of the ransomware ladder, recruiting affiliates from disrupted #LockBit and #BlackCat. Since then, it dominated the ransomware world, showing similar growth as LockBit once did.
Previously linked to North Korea-aligned group #Andariel, Play strictly denies operating as #RaaS. We found its members utilized RansomHub’s EDR killer EDRKillShifter multiple times during their intrusions, meaning some members likely became RansomHub affiliates.
BianLian focuses on extortion-only attacks and does not publicly recruit new affiliates. Its access to EDRKillShifter suggests a similar approach as Play – having trusted members, who are not limited to working only with them.
Medusa, same as RansomHub, is a typical RaaS gang, actively recruiting new affiliates. Since it is common knowledge that affiliates of such RaaS groups often work for multiple operators, this connection is to be expected.
Our blogpost also emphasizes the growing threat of EDR killers. We observed an increase in the number of such tools, while the set of abused drivers remains quite small. Gangs such as RansomHub and #Embargo offer their killers as part of the affiliate program.
IoCs available on our GitHub: github.com/eset/malware-ioc/tr

In July 2024, #ESETresearch discovered that the China-aligned #FamousSparrow APT group, thought at the time to have been inactive since 2022, compromised the network of a US trade group and a Mexican research institute. welivesecurity.com/en/eset-res
While helping the 🇺🇸 company remediate the compromise, we discovered FamousSparrow’s toolset hidden within the network. It included two previously undocumented versions of the group’s flagship backdoor, #SparrowDoor, one of them modular.
Both of these versions are a significant improvement over the older ones, especially in terms of code quality and architecture, implementing parallelization of time-consuming commands.
This campaign is also the first documented time that FamousSparrow used #ShadowPad, a privately sold modular backdoor known to only be supplied to threat actors affiliated with China.
IoCs available in our GitHub repo: github.com/eset/malware-ioc/tr

#ESETresearch published its investigation of Operation FishMedley, a global espionage operation by the China-aligned APT group FishMonger. We identified seven victims – including governments, NGOs, and think tanks – across Asia, Europe, and the US.
welivesecurity.com/en/eset-res

The same operation was the subject of a recent US DOJ indictment against I SOON employees and officers of China’s Ministry of Public Security. #ESETresearch independently determined that FishMonger is operated by the Chinese contractor I SOON.
justice.gov/opa/pr/justice-dep

IoCs available in our GitHub: github.com/eset/malware-ioc/tr


#ESETresearch has uncovered the #MirrorFace Operation AkaiRyū, which extends the group’s usual focus beyond Japan into Europe. The initial lure centered around Expo 2025 in Japan, compromising a Central European diplomatic institute.
welivesecurity.com/en/eset-res

Surprisingly, #MirrorFace used #ANEL – a backdoor historically linked only to #APT10 – highlighting a shift in the group’s tactics and reinforcing suspicions that MirrorFace could be part of the APT10 umbrella.
Operation AkaiRyū began with targeted spearphishing emails referencing the victim’s past correspondence and Expo 2025, persuading recipients to download malicious attachments.
Once the files were opened, a layered compromise chain ensued. Collaborating with the victim allowed us to perform in-depth analysis, shedding light on MirrorFace’s post-compromise behavior – from credential harvesting to dropping additional tools for lateral movement.

#MirrorFace used an intricate execution chain to stealthily run a highly tweaked #AsyncRAT within #WindowsSandbox, hampering detection efforts. This is the first time we’ve seen MirrorFace employ AsyncRAT.
In another twist, #MirrorFace utilized #VSCode remote tunnels, a tactic enabling covert access and command execution on compromised machines. This approach has also been seen with other China-aligned cyberespionage groups.
The group primarily leveraged #ANEL as a first-stage backdoor; #HiddenFace – MirrorFace’s flagship backdoor – was dropped later in the attack to bolster persistence. Notably absent this time was #LODEINFO, which #MirrorFace typically employs.

We presented our findings about Operation AkaiRyū conducted by #MirrorFace at @jpcert_ac on January 22, 2025: jsac.jpcert.or.jp.
IoCs available in our GitHub repo: github.com/eset/malware-ioc/tr

#ESETresearch has discovered a zero-day exploit abusing the #CVE-2025-24983 vulnerability in the Windows kernel 🪟 to elevate privileges (#LPE). First seen in the wild in March 2023, the exploit was deployed through the #PipeMagic backdoor on the compromised machines.

The exploit targets Windows 8.1 and Server 2012 R2. The vulnerability affects OSes released before Windows 10 build 1809, including still supported Windows Server 2016. It does not affect more recent Windows OSes such as Windows 11.

The vulnerability is a use-after-free in the Win32k driver. In a certain scenario achieved using the #WaitForInputIdle API, the #W32PROCESS structure gets dereferenced one more time than it should, causing the UAF. To reach the vulnerability, a race condition must be won.

The patches were released today. Microsoft advisory with security update details is available here:
msrc.microsoft.com/update-guid

#ESETresearch analyzed a campaign by #DeceptiveDevelopment targeting developers with trojanized coding tests. Posing as recruiters, the operators approach their targets on job-hunting platforms, aiming to steal their cryptocurrency wallets and more.

welivesecurity.com/en/eset-res

DeceptiveDevelopment is a 🇰🇵-aligned activity cluster. The attackers target software developers on 🪟 Windows, 🐧 Linux, and 🍎 macOS, regardless of geographical location, in order to maximize profits.

The campaign primarily uses two malware families – the first, 🦫 BeaverTail, acts as a simple login stealer, extracting browser databases containing saved logins, and is a downloader for the second stage, InvisibleFerret.

InvisibleFerret is modular 🐍 Python-based malware that includes spyware and backdoor components, and is also capable of downloading the legitimate AnyDesk remote management and monitoring software for post-compromise activities.

While DeceptiveDevelopment’s toolset has already been analyzed by x.com/Unit42_Intel and x.com/GroupIB_TI, our analysis contains details that have not been publicly reported before.

You can find the IoCs in our GitHub repo:
github.com/eset/malware-ioc/tr

#BREAKING #ESETresearch NFC Android malware impersonates banking app in 🇵🇱 Poland. #NGate malware impersonates a banking verification application to steal NFC data and PIN from victims’ physical payment card. x.com/LukasStefanko

The threat actor can then use it to withdraw money from an ATM via a contactless terminal without having the payment card.

More information about NGate malware: welivesecurity.com/en/eset-res

IoCs:
C&C: 38.180.222[.]230:5577
Sample: 6A41008744498A3EDDA0BDF763ADC7F157441E1D
Detection name: Android/Spy.NGate.L

The threat landscape in H2 2024 was quite tumultuous when it comes to some of the most prominent infostealer threats. One of them, the notorious #RedLine Stealer, finally met its demise after being taken down by law enforcement in #OperationMagnus.

The power vacuum left by RedLine’s takedown will likely lead to a bump in the activity of other #MaaS infostealers – this was already reflected in a dramatic increase in detections for Lumma Stealer and Formbook.

In ESET telemetry data, Formbook replaced Agent Tesla as the No. 1 infostealer after its detections shot up by more than 200%. Despite operating since 2016, this MaaS threat is constantly under development, which explains why it is still used so frequently by cybercriminals.

Meanwhile, Lumma Stealer had a busy period: its numbers skyrocketed by almost 400% between H1 and H2 2024, it made for about 75% of cryptostealer detections, and even reared its ugly head in a campaign targeting players of Hamster Kombat 🐹⚔️, a mobile clicker game.

To read more about the upheaval in the infostealer threat landscape, head on over to the H2 2024 #ESETThreatReport: web-assets.esetstatic.com/wls/

#ESETresearch discovered and named 🇨🇳 China-aligned #APT group #PlushDaemon who did a supply-chain compromise of a 🇰🇷 South Korean #VPN provider, trojanizing its legitimate software installer with a Windows backdoor we named #SlowStepper.

welivesecurity.com/en/eset-res

The website had been compromised by PlushDaemon since at least November 2023, resulting in users from 🇰🇷 South Korea, 🇨🇳 China, and 🇯🇵 Japan downloading the trojanized installer, which deployed the legitimate software and SlowStepper.

The installer deploys malicious files that contain several components inside a custom-formatted archive, including loaders, a process monitor, legitimate PE files abused for side-loading, and the SlowStepper backdoor.

SlowStepper has several interesting features such as decoding #DNS TXT records of a malicious domain to obtain its C&C servers, and a 🐚 shell mode with custom commands, one of which executes modules of an extensive toolkit stored at the Chinese code repository #gitcode.

We presented on #PlushDaemon at #jpcert_ac on January 22, 2025 at jsac.jpcert.or.jp/

IoCs available in our GitHub repository at github.com/eset/malware-ioc/tr