ESET Research
@esetresearch.bsky.social
📤 1189
📥 13
📝 538
Security research and breaking news straight from ESET Research Labs. welivesecurity.com/research/
#ESETresearch
discovered and reported to @certcc 11 old Microsoft-signed UEFI shim bootloaders that allow bypassing UEFI Secure Boot on most UEFI systems. Read about it at
www.welivesecurity.com/en/eset-rese...
1/5
loading . . .
Forgotten UEFI shims undermining Secure Boot
ESET researchers discovered 11 vulnerable UEFI shim bootloaders signed by Microsoft that allow attackers to bypass UEFI Secure Boot by exploiting decade-old vulnerabilities.
https://www.welivesecurity.com/en/eset-research/forgotten-uefi-shims-undermining-secure-boot/
about 3 hours ago
1
4
5
ESET Threat Report H1 2026: thousands of malicious Agentic AI skills identified, first AI-powered Android malware appears, and ClickFix expands beyond fake CAPTCHA prompts. Attackers are rapidly adapting to new platforms and technologies . Full report:
web-assets.esetstatic.com/wls/en/paper...
6 days ago
1
4
2
#ESETresearch
has published a technical analysis of new malicious tools and major infrastructure changes observed in 2025 in the arsenal of the Russia-aligned
#Gamaredon
#APTgroup
targeting Ukraine 🇺🇦. Blogpost:
www.welivesecurity.com/en/eset-rese...
1/8
loading . . .
Gamaredon in 2025: Leveraging tunnels, workers, dead drops, and new alliances
ESET Research analyzes Gamaredon’s new toolset and the group’s growing reliance on legitimate online services to hide its C&C infrastructure and exfiltrate stolen data.
https://www.welivesecurity.com/en/eset-research/gamaredon-2025-leveraging-tunnels-workers-dead-drops-new-alliances
19 days ago
1
7
4
#ESETresearch
analyzed the robust EDR-killer toolset of the RaaS gang Gentlemen. Thanks to our continued incident-level visibility, we could provide a uniquely deep view into the group’s EDR-killer development practices.
www.welivesecurity.com/en/eset-rese...
1/6
loading . . .
https://www.welivesecurity.com/en/eset-research/killing-me-gently-inside-gentlemens-edr-killer-framework/
26 days ago
1
5
3
#ESETresearch
has observed DeadLock ransomware expanding its use of Polygon blockchain smart contracts. Previously used only for chat proxy server address rotation, DeadLock has now added a new contract with the gang's DLS entries - a first of its kind we are aware of. 1/6
28 days ago
1
6
2
#ESETresearch
discovered two as-yet undocumented Windows variants of
#SprySOCKS
, a previously Linux-only backdoor reportedly used by
#FishMonger
. We attribute the new Windows variants to
#FishMonger
with high confidence.
www.welivesecurity.com/en/eset-rese...
1/4
loading . . .
FishMonger’s arsenal upgraded: SprySOCKS for Windows
ESET researchers have discovered SprySOCKS for Windows, FishMonger’s backdoor weaponizing a kernel driver for advanced stealthiness.
https://www.welivesecurity.com/en/eset-research/fishmongers-arsenal-upgraded-sprysocks-windows/
28 days ago
1
7
6
#ESETresearch
has discovered a supply-chain attack targeting stock investors in Vietnam, distributing SPECTRALVIPER through the update mechanism of the FireAnt Metakit stock investment platform.
www.welivesecurity.com/en/eset-rese...
1/4
about 1 month ago
2
7
7
#ESETresearch
released its latest APT Activity Report (Oct 2025–Mar 2026): 🇨🇳China-aligned groups focused on Venezuela, Gulf states, and AI & robotics industry in 🇰🇷South Korea, while 🇰🇵North Korea-aligned APTs targeted the nuclear sector. Full report:
web-assets.esetstatic.com/wls/en/paper...
about 2 months ago
0
5
4
#ESETresearch
analyzed 2025 activity of the China -aligned Webworm APT group, focusing on its evolving toolset and techniques.
www.welivesecurity.com/en/eset-rese...
1/8
loading . . .
Webworm: New burrowing techniques
ESET researchers describe new tools and techniques that the Webworm APT group recently added to its arsenal.
https://www.welivesecurity.com/en/eset-research/webworm-new-burrowing-techniques/
about 2 months ago
1
8
3
#ESETresearch
uncovered a new compromise that we attribute to
#FrostyNeighbor
, using links in malicious PDFs sent via spearphishing attachments to target governmental organizations in Ukraine. @dmnsch
welivesecurity.com/en/eset-rese...
1/5
about 2 months ago
1
10
5
#ESETresearch
has uncovered CallPhantom scam apps, previously available on Google Play, that claim to provide call history data for any phone number, in exchange for payment. That’s impossible – and the data is entirely fabricated.
www.welivesecurity.com/en/eset-rese...
1/5
2 months ago
1
4
2
#ESETresearch
uncovered a multiplatform supply-chain attack by the North Korean
#ScarCruft
APT group targeting the Yanbian region via backdoor-laced Windows and Android games.
www.welivesecurity.com/en/eset-rese...
1/6
2 months ago
1
11
5
Approximately a month ago, F5 published advisory on malware deployed to BIG-IP systems vulnerable to CVE-2025-53521.
#ESETresearch
discovered two related malware components on VirusTotal and named the threat
#PoisonedRefresh
. 1/6
my.f5.com/manage/s/art...
loading . . .
myF5
https://my.f5.com/manage/s/article/K000160486
3 months ago
1
3
4
#BREAKING
#ESETresearch
uncovered an active NGate Android malware campaign targeting Spanish speaking users, combining fake app distribution, NFC relay abuse, PIN harvesting, and a shared Devil NFC MaaS backend. The operation is tied to the Devil NFC infrastructure used in Spain since Jan 2026 1/10
loading . . .
3 months ago
1
9
2
#ESETresearch
discovered
#GopherWhisper
, a new China-aligned APT group that targeted a governmental entity in Mongolia.
www.welivesecurity.com/en/eset-rese...
1/7
loading . . .
https://www.welivesecurity.com/en/eset-research/gopherwhisper-burrow-full-malware/
3 months ago
2
6
4
#ESETresearch
discovered a new
#NGate
malware variant that abuses the legitimate
#HandyPay
app, which has been patched with possibly AI-generated malicious code. The campaign is ongoing and targets Android users in Brazil.
www.welivesecurity.com/en/eset-rese...
1/6
loading . . .
https://www.welivesecurity.com/en/eset-research/new-ngate-variant-hides-in-a-trojanized-nfc-payment-app/
3 months ago
1
7
3
Cisco Talos recently published an analysis of an EDR killer used by the
#Qilin
#ransomware
gang.
#ESETresearch
tracks this threat as
#CardSpaceKiller
and we recently provided additional insights in our blog
www.welivesecurity.com/en/eset-rese...
1/6
loading . . .
EDR killers explained: Beyond the drivers
ESET researchers dive deeper into the EDR killer ecosystem, disclosing how attackers abuse vulnerable drivers.
https://www.welivesecurity.com/en/eset-research/edr-killers-explained-beyond-the-drivers/
3 months ago
1
11
4
#ESETresearch's
Eric Howard will be presenting at Botconf. Join him in Reims, France to hear about “GopherWhisper, Uncovering an APT’s secrets through its own words” on Apr 15 at 17.15 CEST. For more information, check out
www.botconf.eu/botconf-2026...
1/3
3 months ago
1
3
3
#ESETresearch
has identified an Akira lookalike ransomware campaign targeting South America. The threat actor is using a Babukbased encryptor that appends the .akira extension and drops a ransom note that mimics Akira both in Tor URLs and the overall content. 1/5
3 months ago
1
10
4
#ESETresearch
has identified a Silver Fox campaign that actively takes advantage of the current annual tax filing and organizational change season in Japan, a period when companies generate a high volume of legitimate financial and HRrelated comms.
www.welivesecurity.com/en/business-...
1/8
loading . . .
A cunning predator: How Silver Fox preys on Japanese firms this tax season
Silver Fox is back in Japan, spoofing tax and HR emails timed to the one season when many people don’t think twice about opening them
https://www.welivesecurity.com/en/business-security/cunning-predator-how-silver-fox-preys-japanese-firms-tax-season/
4 months ago
1
4
3
#ESETresearch
detected a recent intrusion at a University of Warsaw consistent with
#Interlock
ransomware gang. Thanks to early warning from our experts and the university's swift cooperation, the attack was disrupted before encryptors could be deployed.
www.eset.com/pl/about/new...
1/8
loading . . .
To analitycy ESET zidentyfikowali atak na Uniwersytet Warszawski
News about ESET's events and conferences, directly from the maker of legendary NOD32 technology.
https://www.eset.com/pl/about/newsroom/press-releases/news/to-analitycy-eset-zidentyfikowali-atak-na-uniwersytet-warszawski/
4 months ago
1
6
4
In cybersecurity, labels can distract from what really matters. At
#RSAC2026
,
#ESETresearch’s
Robert LipovskĂ˝ will break down recent campaigns linked to state-sponsored actors and explore how hybrid threat tactics are evolving. The session focuses on practical defender takeaways.
4 months ago
0
2
0
#ESETresearch
is hiring! Passionate about geopolitics, cyberespionage and cyber threat intelligence? We have a new opening for a strategic threat intelligence analyst at our Montréal office. Come join the team!
eset.wd3.myworkdayjobs.com/ESET_Externa...
loading . . .
Analyste du renseignement stratégique sur les menaces – Cyberespionnage / Strategic Threat Intelligence Analyst – Cyberespionage
Résumé du poste / Summary English version follows ------------------------------------------------------------------------------------------------------------------------------- Nous sommes à la reche...
https://eset.wd3.myworkdayjobs.com/ESET_External/job/Montreal/Analyste-du-renseignement-stratgique-sur-les-menaces---Cyberespionnage---Strategic-Threat-Intelligence-Analyst---Cyberespionage_JR-05715
4 months ago
0
6
3
#ESETresearch
analyzed more than 80 EDR killers, seen across real-world intrusions, and used ESET telemetry to document how these tools operate, who uses them, and how they evolve beyond simple driver abuse.
www.welivesecurity.com/en/eset-rese...
1/6
4 months ago
1
13
9
#ESETresearch
has analyzed the resurgence of Sednit – one of the most long‑running Russia‑aligned APT groups – now using a modern toolkit built around paired implants, BeardShell and Covenant, each using a different cloud provider for resilience.
www.welivesecurity.com/en/eset-rese...
1/5
loading . . .
Sednit reloaded: Back in the trenches
ESET researchers document how the Sednit APT group has reemerged with a modern toolkit centered on two paired implants – BeardShell and Covenant.
https://www.welivesecurity.com/en/eset-research/sednit-reloaded-back-trenches/
4 months ago
1
8
6
#BREAKING
#ESETresearch
has discovered the first known Android malware to use generative AI in its execution flow; we have named it
#PromptSpy
. The malware abuses Google’s
#Gemini
to achieve persistence on the compromised device.
www.welivesecurity.com/en/eset-rese...
1/6
5 months ago
1
10
7
#BREAKING
#ESETresearch
provides technical details on
#DynoWiper
, a data‑wiping malware used in a data‑destruction incident on December 29, 2025, affecting a company in Poland’s energy sector.
www.welivesecurity.com/en/eset-rese...
1/5
loading . . .
https://www.welivesecurity.com/en/eset-research/dynowiper-update-technical-analysis-attribution/
6 months ago
1
10
10
#ESETresearch
has uncovered a new
#Android
spyware campaign using novel romance scam tactics to target individuals in 🇵🇰 Pakistan, with an added social engineering element previously unseen in similar schemes.
www.welivesecurity.com/en/eset-rese...
1/9
loading . . .
Love? Actually: Fake dating app used as lure in targeted spyware campaign in Pakistan
ESET researchers discover an Android spyware campaign targeting users in Pakistan via romance scam tactics, revealing links to a broader spy operation.
https://www.welivesecurity.com/en/eset-research/love-actually-fake-dating-app-used-lure-targeted-spyware-campaign-pakistan/#article-111/9
6 months ago
1
8
4
#BREAKING
#ESETresearch
identified the wiper
#DynoWiper
used in an attempted disruptive cyberattack against the Polish energy sector on Dec 29, 2025. At this point, no successful disruption is known, but the malware’s design clearly indicates destructive intent. 1/5
6 months ago
1
34
34
#ESETresearch’s
Lukas Stefanko will speak at Ransomware Resilience 2026 on Mon, Jan 19 in Kuala Lumpur at 4pm local time! Discover how Android NFC threats evolved to enable unauthorized ATM withdrawals. Learn about NGate - first Android malware to execute NFC relay attack for remote ATM cash-outs.
6 months ago
0
3
0
According to ESET telemetry, threat actors keep finding new ways to exploit
#NFC
technology: detections surged by 78% compared to H1 2025; however, overall numbers remain low. 1/6
6 months ago
1
2
1
In 2025,
#ESETresearch
saw a 62% year-over-year increase in detections of fake investment and snake oil scams – tracked as HTML/Nomani – amounting to hundreds of thousands of detections and over 64,000 unique URLs blocked. 1/5
6 months ago
1
1
2
In H2 2025,
#ESETresearch
saw a thirtyfold increase in
#CloudEyE
detections, amounting to more than 100,000 hits over the course of six months. CloudEyE is a
#MaaS
downloader and cryptor used to conceal and deploy other malware, such as
#Rescoms
,
#Formbook
, and
#Agent
Tesla. 1/5
6 months ago
1
5
2
In 2025,
#ESETresearch
analyzed hundreds of hands-on-keyboard ransomware attacks, mostly hitting manufacturing, construction, retail, technology, and healthcare. Most of these were seen in the US (17%), Spain (5%), and France, Italy, and Canada (4% each). 1/5
7 months ago
1
4
4
#ESETresearch
has revisited CVE 2025 50165, a critical remote code execution vulnerability in the WindowsCodecs.dll library when processing JPG images, one of the most widely used image format s.
www.welivesecurity.com/en/eset-rese...
1/6
7 months ago
1
3
2
#ESETresearch
has detected a new MSIL loader, named
#BlackHawk
, protected by three layers of obfuscation, all of which show strong signs of being AI-generated. 1/9
7 months ago
1
4
1
#ESETresearch
has discovered a new 🇨🇳-aligned APT group,
#LongNosedGoblin
. This group focuses on cyberespionage and targets mainly governmental entities in Southeast Asia and Japan.
www.welivesecurity.com/en/eset-rese...
1/7
loading . . .
LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan
ESET researchers discovered a China-aligned APT group, LongNosedGoblin, which uses Group Policy to deploy cyberespionage tools across networks of governmental institutions.
https://www.welivesecurity.com/en/eset-research/longnosedgoblin-tries-sniff-out-governmental-affairs-southeast-asia-japan/
7 months ago
1
6
7
ESET Threat Report H2 2025: NFC threats grow in scale and sophistication, ransomware victim numbers surge, and AI-powered malware becomes reality with PromptLock. The threat landscape is evolving fast – read the full report:
web-assets.esetstatic.com/wls/en/paper...
#ESETresearch
7 months ago
0
2
2
#ESETresearch
analyzed the
#Gamaredon
VBScript payload recently flagged by @ClearskySec. It wipes registry Run keys, scheduled tasks, and kills processes – however, our assessment is that this is likely to clean researchers’ machines, not a shift to destructive ops.
x.com/ClearskySec/...
1/4
loading . . .
https://x.com/ClearskySec/status/1995061537183011084
7 months ago
1
4
2
#ESETresearch
discovered a new
#MuddyWater
campaign targeting critical infrastructure in 🇮🇱 Israel and 🇪🇬 Egypt, using a new backdoor – MuddyViper – and a variety of post-compromise tools
www.welivesecurity.com/en/eset-rese...
1/7
loading . . .
MuddyWater: Snakes by the riverbank
MuddyWater targets critical infrastructure in Israel and Egypt, relying on custom malware, improved tactics, and a predictable playbook.
https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank/
7 months ago
1
7
6
#ESETresearch
is heading to
#AVAR2025
? Dec 4, Thursday in Kuala Lumpur, 11:00–11:30 MYT. ESET researchers Anton Cherepanov & Peter Strýček present: "Sniffing Around: Unmasking the LongNosedGoblin operation in Southeast Asia and Japan”. 1/3
7 months ago
1
3
3
#ESETresearch
discovered unique toolset, QuietEnvelope, targeting the MailGates email protection system of Taiwanesw co OpenFind. The toolset was uploaded in an archive, named spam_log.7z, to VirusTotal from Taiwan. It contains Perl scripts, 3 stealthy backdoors, argument runner, and misc files. 1/8
8 months ago
1
8
10
#ESETresearch
discovered unique toolset, QuietEnvelope, targeting the MailGates email protection system of Taiwanesw co OpenFind. The toolset was uploaded in an archive, named spam_log.7z, to VirusTotal from Taiwan. It contains Perl scripts, 3 stealthy backdoors, argument runner, and misc files. 1/8
8 months ago
1
4
1
#ESETresearch
discovered and analyzed a previously undocumented malicious tool for network devices that we have named
#EdgeStepper
, enabling China-aligned
#PlushDaemon
APT to perform adversary-in-the-middle to hijack updates to deliver malware.
www.welivesecurity.com/en/eset-rese...
1/5
loading . . .
PlushDaemon compromises network devices for adversary-in-the-middle attacks
ESET researchers have discovered a network implant used by the China-aligned PlushDaemon APT group to perform adversary-in-the-middle attacks.
https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-network-devices-for-adversary-in-the-middle-attacks/
8 months ago
1
13
7
We are deeply saddened by the passing of David Harley, a brilliant cybersecurity expert, former ESET Senior Research Fellow, author and long-time Virus Bulletin contributor. David's legacy spans decades of research, writing, and public speaking. Rest in peace, David. You will be missed. đź’™
8 months ago
0
8
3
#ESETresearch
identified an active campaign distributing
#NGate
– Android NFC relay malware used for contactless payment fraud – targeting Brazilian users. It is available for download via fake Google Play sites mimicking 4 major banks and 1 e-commerce app. 1/4
8 months ago
1
3
3
#ESETresearch
has released its latest APT Activity Report (Apr–Sep 2025): China-aligned groups targeted Latin America amid US-China tensions. Russia-aligned groups intensified ops against Ukraine & EU states. Full report:
web-assets.esetstatic.com/wls/en/paper...
8 months ago
0
5
5
#ESETresearch
discovered a new wave of the well-known North Korea-aligned Lazarus campaign Operation DreamJob, now targeting the drone industry.
welivesecurity.com/en/eset-rese...
1/9
9 months ago
1
9
10
Join @Invest_Ottawa & the Embassy of the Slovak Republic in Canada for a Cybersecurity Roundtable with Chief
#ESETresearch
Officer Roman Kováč: Oct 20, 2025, 3–4:30 PM, 7 Bayview Station Rd, Ottawa. RSVP by Oct 15:
bit.ly/46X9eV9
1/3
9 months ago
1
4
0
#ESETresearch
has identified two campaigns targeting Android users in the 🇦🇪. The campaigns, which are still ongoing, distribute previously undocumented spyware impersonating
#Signal
and
#ToTok
via deceptive websites.
www.welivesecurity.com/en/eset-rese...
1/6
loading . . .
New spyware campaigns target privacy-conscious Android users in the UAE
ESET researchers have discovered campaigns distributing spyware disguised as Android Signal and ToTok apps, targeting users in the United Arab Emirates.
https://www.welivesecurity.com/en/eset-research/new-spyware-campaigns-target-privacy-conscious-android-users-uae/
10 months ago
1
6
9
Load more
feeds!
log in