Jiri Kropac
@jiriatvirlab.bsky.social
Director of Threat Prevention Labs at @ESET
Reposted by Jiri Kropac
#ESETresearch discovered a unique toolset, QuietEnvelope, targeting the MailGates email protection system of Taiwanese company OpenFind. The toolset was uploaded in an archive, named spam_log.7z, to VirusTotal from Taiwan. It contains Perl scripts, 3 stealthy backdoors, an argument runner, and misc files. 1/8
November 24, 2025 at 5:57 PM
Reposted by Jiri Kropac
#SlowStepper is a feature-rich backdoor with a toolkit of more than 30 components. We analyzed and documented it in a previous blogpost about the compromise of a South Korean VPN service provider. www.welivesecurity.com/en/eset-rese... 4/5
PlushDaemon compromises supply chain of Korean VPN service
ESET researchers uncover a supply-chain attack against a VPN provider in South Korea by a new China-aligned APT group we have named PlushDaemon.
www.welivesecurity.com
November 19, 2025 at 10:12 AM
Reposted by Jiri Kropac
When a network device (e.g., a router) is compromised, EdgeStepper begins to redirect all DNS queries to a malicious DNS node that replies with the IP address of the node that performs update hijacking of popular Chinese software such as Sogou Pinyin Method. 2/5
November 19, 2025 at 10:12 AM
Reposted by Jiri Kropac
A Canadian couple has lost CAD$1 million (USD$710,000) to online scammers.

The couple, in their 70s, fell victim to a tech support scam that showed error messages on their laptop; they then got daily calls from the scammers until they ran out of money.

www.ctvnews.ca/toronto/cons...
‘We’re devastated’: Ontario seniors give away more than $1 million to scammers
Fraud and cybercrime cost Canadians more than $630 million last year, with many of the victims being seniors.
www.ctvnews.ca
November 2, 2025 at 5:54 PM
Reposted by Jiri Kropac
We are deeply saddened by the passing of David Harley, a brilliant cybersecurity expert, former ESET Senior Research Fellow, author and long-time Virus Bulletin contributor.

David's legacy spans decades of research, writing, and public speaking.

Rest in peace, David. You will be missed. 💙
November 7, 2025 at 3:33 PM
Reposted by Jiri Kropac
Meta’s own researchers concluded that a third of the scams in the U.S. happen over its platforms and that fraudulent ads and those for banned products might contribute a tenth of its revenue. www.reuters.com/investigatio...
Meta is earning a fortune on a deluge of fraudulent ads, documents show
Meta projected 10% of its 2024 revenue would come from ads for scams and banned goods, and it internally estimates that its platforms show users 15 billion scam ads a day, company documents show.
www.reuters.com
November 6, 2025 at 3:44 PM
Reposted by Jiri Kropac
#ESETresearch identified an active campaign distributing #NGate – Android NFC relay malware used for contactless payment fraud – targeting Brazilian users.
It is available for download via fake Google Play sites mimicking 4 major banks and 1 e-commerce app. 1/4
November 6, 2025 at 2:00 PM
Reposted by Jiri Kropac
#ESETresearch has released its latest APT Activity Report (Apr–Sep 2025): China-aligned groups targeted Latin America amid US-China tensions. Russia-aligned groups intensified ops against Ukraine & EU states. Full report: web-assets.esetstatic.com/wls/en/paper...
November 6, 2025 at 11:58 AM
Reposted by Jiri Kropac
The targeted sectors include defense, metal engineering, and the UAV sector. The attackers left the keyword “drone” in their payloads, directly suggesting one of their goals. 3/9
October 23, 2025 at 4:10 AM
Reposted by Jiri Kropac
#ESETresearch discovered a new wave of the well-known North Korea-aligned Lazarus campaign Operation DreamJob, now targeting the drone industry.
welivesecurity.com/en/eset-rese... 1/9
October 23, 2025 at 4:10 AM
Reposted by Jiri Kropac
The dates of #botconf2026 - The Botnet and Malware Ecosystems Fighting Conference - have been confirmed for our
13th edition: workshops (14th) & conference (15th-17th) April 2026 in Reims, France

The CFP is online and ends on January 2nd, 2026

https://www.botconf.eu/call-for-proposals/
Call for proposals – Botconf 2026
www.botconf.eu
October 15, 2025 at 2:26 PM
Reposted by Jiri Kropac
Android #ToSpy, the spyware used in the other campaign, masquerades solely as the ToTok app. It is distributed through phishing websites impersonating app distribution platforms, such as the Samsung Galaxy Store. 3/6
October 2, 2025 at 9:24 AM
Reposted by Jiri Kropac
#ESETresearch has identified two campaigns targeting Android users in the 🇦🇪. The campaigns, which are still ongoing, distribute previously undocumented spyware impersonating #Signal and #ToTok via deceptive websites. www.welivesecurity.com/en/eset-rese... 1/6
New spyware campaigns target privacy-conscious Android users in the UAE
ESET researchers have discovered campaigns distributing spyware disguised as Android Signal and ToTok apps, targeting users in the United Arab Emirates.
www.welivesecurity.com
October 2, 2025 at 9:24 AM
Reposted by Jiri Kropac
The same CVE was recently seen exploited in the wild by other groups (e.g., RomCom), and described by ESET Research in a blogpost - www.welivesecurity.com/en/eset-rese... 2/6
Update WinRAR tools now: RomCom and others exploiting zero-day vulnerability
ESET Research discovers a zero-day vulnerability in WinRAR being exploited in the wild in the guise of job application documents.
www.welivesecurity.com
September 26, 2025 at 1:13 PM
Reposted by Jiri Kropac
#ESETresearch has observed #Gamaredon exploiting CVE-2025-8088 (#WinRAR path traversal) in an ongoing spearphishing campaign. This vulnerability allows arbitrary file write via crafted RAR archives. 1/6
September 26, 2025 at 1:13 PM
Reposted by Jiri Kropac
NEW: The U.K.'s National Crime Agency announced an arrest linked to the ransomware attack against Collins Aerospace, which caused disruptions at several European airports over the weekend.

The man is out on bail, and the agency said the investigation is “in its early stages and remains ongoing.”
UK police arrest man linked to ransomware attack that caused airport disruptions in Europe | TechCrunch
The U.K.'s National Crime Agency said the investigation into the ransomware attack against Collins Aerospace is “in its early stages and remains ongoing.”
techcrunch.com
September 24, 2025 at 1:15 PM
Reposted by Jiri Kropac
#ESETresearch has discovered the first known cases of collaboration between Gamaredon and Turla, in Ukraine. Both groups are affiliated with the FSB, Russia’s main domestic intelligence and security agency. www.welivesecurity.com/en/eset-rese...
1/3
Gamaredon X Turla collab
ESET researchers reveal how the notorious APT group Turla collaborates with fellow FSB-associated group known as Gamaredon to compromise high‑profile targets in Ukraine.
www.welivesecurity.com
September 19, 2025 at 9:27 AM
Reposted by Jiri Kropac
HybridPetya installs a malicious EFI application to the EFI System Partition, which then encrypts the Master File Table file, an essential metadata file with information about all files on the NTFS-formatted partition. 2/8
September 12, 2025 at 9:02 AM
Reposted by Jiri Kropac
#ESETresearch uncovers GhostRedirector, a threat actor compromising Windows servers with a C++ backdoor named Rungan and Gamshen, a native IIS malware. www.welivesecurity.com/en/eset-rese... 1/6
GhostRedirector poisons Windows servers: Backdoors with a side of Potatoes
ESET researchers have identified a new threat actor targeting Windows servers with a passive C++ backdoor and a malicious IIS module that manipulates Google search results.
www.welivesecurity.com
September 4, 2025 at 10:06 AM
Reposted by Jiri Kropac
We performed an internet-wide scan to complement ESET telemetry and identify additional servers affected by this threat: at least 65 servers have been affected by late June 2025, mostly in Brazil, Thailand, and Vietnam. 2/6
September 4, 2025 at 10:06 AM
Reposted by Jiri Kropac
Rungan is a passive C++ backdoor capable of executing commands on the compromised server. 4/6
September 4, 2025 at 10:06 AM
Reposted by Jiri Kropac
#ESETResearch has discovered the first known AI-powered ransomware, which we named #PromptLock. The PromptLock malware uses the gpt-oss:20b model from OpenAI locally via the Ollama API to generate malicious Lua scripts on the fly, which it then executes. 1/7
August 26, 2025 at 3:38 PM
Reposted by Jiri Kropac
This vulnerability was also exploited by another threat actor, independently discovered by the Russian cybersecurity company BI.ZONE, who claim Paper Werewolf began using CVE-2025-8088 on July 22, just a few days after RomCom did. 6/7
bi.zone/expertise/bl...
Paper Werewolf attacks Russia using a zero-day vulnerability in WinRAR
The Paper Werewolf cluster continues to attack Russian organizations, this time using vulnerabilities in WinRAR
bi.zone
August 11, 2025 at 9:09 AM
Reposted by Jiri Kropac
On July 24, we alerted the WinRAR team, which released version 7.13 just six days later. We advise all users to install the latest version as soon as possible. We would also like to thank the WinRAR team for its cooperation and quick response. 3/7 x.com/WinRAR_RARLA...
WinRAR on X: "📢In case you haven't noticed, we've released a new version! ⏫Update today!🚀 https://t.co/Rj4h5hnODw" / X
x.com
August 11, 2025 at 9:09 AM
Reposted by Jiri Kropac
#ESETresearch has discovered a zero-day vulnerability in WinRAR, exploited in the wild by Russia-aligned #RomCom @dmnsch @cherepanov74 www.welivesecurity.com/en/eset-rese...
1/7
August 11, 2025 at 9:09 AM