ESET Research
@esetresearch.bsky.social
Security research and breaking news straight from ESET Research Labs.
welivesecurity.com/research/
welivesecurity.com/research/
We are deeply saddened by the passing of David Harley, a brilliant cybersecurity expert, former ESET Senior Research Fellow, author and long-time Virus Bulletin contributor.
David's legacy spans decades of research, writing, and public speaking.
Rest in peace, David. You will be missed. 💙
David's legacy spans decades of research, writing, and public speaking.
Rest in peace, David. You will be missed. 💙
November 7, 2025 at 3:33 PM
We are deeply saddened by the passing of David Harley, a brilliant cybersecurity expert, former ESET Senior Research Fellow, author and long-time Virus Bulletin contributor.
David's legacy spans decades of research, writing, and public speaking.
Rest in peace, David. You will be missed. 💙
David's legacy spans decades of research, writing, and public speaking.
Rest in peace, David. You will be missed. 💙
#ESETresearch identified an active campaign distributing #NGate – Android NFC relay malware used for contactless payment fraud – targeting Brazilian users.
It is available for download via fake Google Play sites mimicking 4 major banks and 1 e-commerce app. 1/4
It is available for download via fake Google Play sites mimicking 4 major banks and 1 e-commerce app. 1/4
November 6, 2025 at 2:00 PM
#ESETresearch identified an active campaign distributing #NGate – Android NFC relay malware used for contactless payment fraud – targeting Brazilian users.
It is available for download via fake Google Play sites mimicking 4 major banks and 1 e-commerce app. 1/4
It is available for download via fake Google Play sites mimicking 4 major banks and 1 e-commerce app. 1/4
#ESETresearch has released its latest APT Activity Report (Apr–Sep 2025): China-aligned groups targeted Latin America amid US-China tensions. Russia-aligned groups intensified ops against Ukraine & EU states. Full report: web-assets.esetstatic.com/wls/en/paper...
November 6, 2025 at 11:58 AM
#ESETresearch has released its latest APT Activity Report (Apr–Sep 2025): China-aligned groups targeted Latin America amid US-China tensions. Russia-aligned groups intensified ops against Ukraine & EU states. Full report: web-assets.esetstatic.com/wls/en/paper...
#ESETresearch discovered a new wave of the well-known North Korea-aligned Lazarus campaign Operation DreamJob, now targeting the drone industry.
welivesecurity.com/en/eset-rese... 1/9
welivesecurity.com/en/eset-rese... 1/9
October 23, 2025 at 4:10 AM
#ESETresearch discovered a new wave of the well-known North Korea-aligned Lazarus campaign Operation DreamJob, now targeting the drone industry.
welivesecurity.com/en/eset-rese... 1/9
welivesecurity.com/en/eset-rese... 1/9
Join @Invest_Ottawa & the Embassy of the Slovak Republic in Canada for a Cybersecurity Roundtable with Chief #ESETresearch Officer Roman Kováč: Oct 20, 2025, 3–4:30 PM, 7 Bayview Station Rd, Ottawa. RSVP by Oct 15: bit.ly/46X9eV9 1/3
October 14, 2025 at 1:01 PM
Join @Invest_Ottawa & the Embassy of the Slovak Republic in Canada for a Cybersecurity Roundtable with Chief #ESETresearch Officer Roman Kováč: Oct 20, 2025, 3–4:30 PM, 7 Bayview Station Rd, Ottawa. RSVP by Oct 15: bit.ly/46X9eV9 1/3
#ESETresearch has identified two campaigns targeting Android users in the 🇦🇪. The campaigns, which are still ongoing, distribute previously undocumented spyware impersonating #Signal and #ToTok via deceptive websites. www.welivesecurity.com/en/eset-rese... 1/6
New spyware campaigns target privacy-conscious Android users in the UAE
ESET researchers have discovered campaigns distributing spyware disguised as Android Signal and ToTok apps, targeting users in the United Arab Emirates.
www.welivesecurity.com
October 2, 2025 at 9:24 AM
#ESETresearch has identified two campaigns targeting Android users in the 🇦🇪. The campaigns, which are still ongoing, distribute previously undocumented spyware impersonating #Signal and #ToTok via deceptive websites. www.welivesecurity.com/en/eset-rese... 1/6
#ESETresearch has observed #Gamaredon exploiting CVE-2025-8088 (#WinRAR path traversal) in an ongoing spearphishing campaign. This vulnerability allows arbitrary file write via crafted RAR archives. 1/6
September 26, 2025 at 1:13 PM
#ESETresearch has observed #Gamaredon exploiting CVE-2025-8088 (#WinRAR path traversal) in an ongoing spearphishing campaign. This vulnerability allows arbitrary file write via crafted RAR archives. 1/6
#ESETresearch has uncovered the North Korea-aligned threat actor, DeceptiveDevelopment, targeting freelance developers with trojanized coding challenges and fake job interviews.
www.welivesecurity.com/en/eset-rese... 1/6
www.welivesecurity.com/en/eset-rese... 1/6
www.welivesecurity.com
September 25, 2025 at 9:24 AM
#ESETresearch has uncovered the North Korea-aligned threat actor, DeceptiveDevelopment, targeting freelance developers with trojanized coding challenges and fake job interviews.
www.welivesecurity.com/en/eset-rese... 1/6
www.welivesecurity.com/en/eset-rese... 1/6
Two exciting panels featuring #ESETresearch’s Righard Zwienenberg at #VB2025 in Berlin @virusbtn - from stories of the past to debates about the future of vulnerability handling. Here's what to expect 👇1/3
September 22, 2025 at 12:25 PM
Two exciting panels featuring #ESETresearch’s Righard Zwienenberg at #VB2025 in Berlin @virusbtn - from stories of the past to debates about the future of vulnerability handling. Here's what to expect 👇1/3
#ESETresearch has discovered the first known cases of collaboration between Gamaredon and Turla, in Ukraine. Both groups are affiliated with the FSB, Russia’s main domestic intelligence and security agency. www.welivesecurity.com/en/eset-rese...
1/3
1/3
Gamaredon X Turla collab
ESET researchers reveal how the notorious APT group Turla collaborates with fellow FSB-associated group known as Gamaredon to compromise high‑profile targets in Ukraine.
www.welivesecurity.com
September 19, 2025 at 9:27 AM
#ESETresearch has discovered the first known cases of collaboration between Gamaredon and Turla, in Ukraine. Both groups are affiliated with the FSB, Russia’s main domestic intelligence and security agency. www.welivesecurity.com/en/eset-rese...
1/3
1/3
#ESETresearch’s Robert Lipovský will present at Labscon 2025: “ The Curse of Salt Typhoon: FamousSparrow goes after the US financial sector“. Join him in Scottsdale, AZ, September 19 at 12:00 PM MST 1/5
September 18, 2025 at 5:36 AM
#ESETresearch’s Robert Lipovský will present at Labscon 2025: “ The Curse of Salt Typhoon: FamousSparrow goes after the US financial sector“. Join him in Scottsdale, AZ, September 19 at 12:00 PM MST 1/5
#ESETresearch’s Matthieu Faou and Zoltán Rusnák will present at Labscon 2025 @labscon_io: “Gamaredon x Turla: Unveiling a 2025 Espionage Alliance Targeting Ukraine”. Join them in Scottsdale, September 19 at 11:00 AM MST. 1/3
September 16, 2025 at 6:47 AM
#ESETresearch’s Matthieu Faou and Zoltán Rusnák will present at Labscon 2025 @labscon_io: “Gamaredon x Turla: Unveiling a 2025 Espionage Alliance Targeting Ukraine”. Join them in Scottsdale, September 19 at 11:00 AM MST. 1/3
#ESETresearch has discovered #HybridPetya ransomware on VirusTotal: a UEFI-compatible copycat of the infamous Petya/NotPetya malware. HybridPetya is capable of bypassing UEFI Secure Boot on outdated systems. www.welivesecurity.com/en/eset-rese... 1/8
www.welivesecurity.com
September 12, 2025 at 9:02 AM
#ESETresearch has discovered #HybridPetya ransomware on VirusTotal: a UEFI-compatible copycat of the infamous Petya/NotPetya malware. HybridPetya is capable of bypassing UEFI Secure Boot on outdated systems. www.welivesecurity.com/en/eset-rese... 1/8
#ESETresearch uncovers GhostRedirector, a threat actor compromising Windows servers with a C++ Backdoor named Rungan and Gamshen, a native IIS malware www.welivesecurity.com/en/eset-rese... 1/6
GhostRedirector poisons Windows servers: Backdoors with a side of Potatoes
ESET researchers have identified a new threat actor targeting Windows servers with a passive C++ backdoor and a malicious IIS module that manipulates Google search results.
www.welivesecurity.com
September 4, 2025 at 10:06 AM
#ESETresearch uncovers GhostRedirector, a threat actor compromising Windows servers with a C++ Backdoor named Rungan and Gamshen, a native IIS malware www.welivesecurity.com/en/eset-rese... 1/6
#ESETResearch has discovered the first known AI-powered ransomware, which we named #PromptLock. The PromptLock malware uses the gpt-oss:20b model from OpenAI locally via the Ollama API to generate malicious Lua scripts on the fly, which it then executes 1/7
August 26, 2025 at 3:38 PM
#ESETResearch has discovered the first known AI-powered ransomware, which we named #PromptLock. The PromptLock malware uses the gpt-oss:20b model from OpenAI locally via the Ollama API to generate malicious Lua scripts on the fly, which it then executes 1/7
#ESETresearch’s very own Peter Kálnai along with Matěj Havránek will present at #VB2025 @virusbtn.bsky.social: “DeceptiveDevelopment and 🇰🇵 North Korean IT workers: from primitive crypto theft to sophisticated AI-based deception.” Join them in Berlin, September 25 at 14:30 CEST. 1/3
August 21, 2025 at 9:33 AM
#ESETresearch’s very own Peter Kálnai along with Matěj Havránek will present at #VB2025 @virusbtn.bsky.social: “DeceptiveDevelopment and 🇰🇵 North Korean IT workers: from primitive crypto theft to sophisticated AI-based deception.” Join them in Berlin, September 25 at 14:30 CEST. 1/3
#ESETresearch has discovered a zero-day vulnerability in WinRAR, exploited in the wild by Russia-aligned #RomCom @dmnsch @cherepanov74 www.welivesecurity.com/en/eset-rese...
1/7
1/7
August 11, 2025 at 9:09 AM
#ESETresearch has discovered a zero-day vulnerability in WinRAR, exploited in the wild by Russia-aligned #RomCom @dmnsch @cherepanov74 www.welivesecurity.com/en/eset-rese...
1/7
1/7
#ESETresearch joins Europol’s Cyber Intelligence Extension Programme (CIEP) 🤝 We are proud to announce ESET’s participation in the pilot phase of CIEP, a new initiative launched by Europol 's European Cybercrime Centre (EC3). 1/5
August 7, 2025 at 1:38 PM
#ESETresearch joins Europol’s Cyber Intelligence Extension Programme (CIEP) 🤝 We are proud to announce ESET’s participation in the pilot phase of CIEP, a new initiative launched by Europol 's European Cybercrime Centre (EC3). 1/5
#BREAKING #ESETresearch can confirm the news of #Lumma Stealer's revival. ESET telemetry and botnet tracking show that operators are rebuilding their infrastructure, with their renewed activity reaching similar levels to those before the #disruption in May 2025. 1/6
July 25, 2025 at 10:18 AM
#BREAKING #ESETresearch can confirm the news of #Lumma Stealer's revival. ESET telemetry and botnet tracking show that operators are rebuilding their infrastructure, with their renewed activity reaching similar levels to those before the #disruption in May 2025. 1/6
In H1 2025, #ESETResearch telemetry recorded a 160% surge in #Android adware & clicker detections. Leading this spike is a colorfully branded threat #Kaleidoscope, responsible for 28% of all Android #adware detections in H1. 1/6
July 25, 2025 at 6:09 AM
In H1 2025, #ESETResearch telemetry recorded a 160% surge in #Android adware & clicker detections. Leading this spike is a colorfully branded threat #Kaleidoscope, responsible for 28% of all Android #adware detections in H1. 1/6
#BREAKING #ESETResearch has been monitoring the recently discovered #ToolShell zero-day vulnerabilities in #SharePoint Server: CVE-2025-53770 and CVE-2025-53771. SharePoint Online in Microsoft 365 is not impacted. www.welivesecurity.com/en/eset-rese... 1/5
https://welivesecurity.com/en/eset-resear…
July 24, 2025 at 9:11 AM
#BREAKING #ESETResearch has been monitoring the recently discovered #ToolShell zero-day vulnerabilities in #SharePoint Server: CVE-2025-53770 and CVE-2025-53771. SharePoint Online in Microsoft 365 is not impacted. www.welivesecurity.com/en/eset-rese... 1/5
#ClickFix went from virtually non-existent to the second most common attack vector blocked by #ESET, surpassed only by #phishing. This novel social engineering technique accounted for nearly 8% of all detections in H1 2025. #ESETresearch 1/7
July 18, 2025 at 12:06 PM
#ClickFix went from virtually non-existent to the second most common attack vector blocked by #ESET, surpassed only by #phishing. This novel social engineering technique accounted for nearly 8% of all detections in H1 2025. #ESETresearch 1/7
#ESETresearch has mapped the labyrinth of #AsyncRAT forks, identifying the most prevalent versions of this open-source malware. While some variants are mere curiosities, others pose a more tenacious threat. www.welivesecurity.com/en/eset-rese... 1/7
Unmasking AsyncRAT: Navigating the labyrinth of forks
ESET researchers map out the labyrinthine relationships among the vast hierarchy of AsyncRAT variants.
www.welivesecurity.com
July 15, 2025 at 12:10 PM
#ESETresearch has mapped the labyrinth of #AsyncRAT forks, identifying the most prevalent versions of this open-source malware. While some variants are mere curiosities, others pose a more tenacious threat. www.welivesecurity.com/en/eset-rese... 1/7
In May 2025, #ESET participated in operations that largely disrupted the infrastructure of two notorious infostealers: #LummaStealer and #Danabot. 1/6
July 11, 2025 at 12:27 PM
In May 2025, #ESET participated in operations that largely disrupted the infrastructure of two notorious infostealers: #LummaStealer and #Danabot. 1/6
After years of dominance in #ESET’s top #infostealer statistics, the era of #AgentTesla has come to an end. It finished H1 2025 in fourth place, its numbers having decreased by 57%. The reason? It is no longer under active development. 1/4
July 9, 2025 at 12:12 PM
After years of dominance in #ESET’s top #infostealer statistics, the era of #AgentTesla has come to an end. It finished H1 2025 in fourth place, its numbers having decreased by 57%. The reason? It is no longer under active development. 1/4