ESET Research
@esetresearch.bsky.social
Security research and breaking news straight from ESET Research Labs.
welivesecurity.com/research/
We are deeply saddened by the passing of David Harley, a brilliant cybersecurity expert, former ESET Senior Research Fellow, author and long-time Virus Bulletin contributor.

David's legacy spans decades of research, writing, and public speaking.

Rest in peace, David. You will be missed. 💙
November 7, 2025 at 3:33 PM
#NGate captures NFC card data and relays it to an attacker-controlled device, which uses the data for ATM withdrawals or POS payments—all without physical access to the victim’s card. We described #NGate in detail in our blog post in 2024
www.welivesecurity.com/en/eset-rese... 3/4
November 6, 2025 at 2:00 PM
#ESETresearch identified an active campaign distributing #NGate – Android NFC relay malware used for contactless payment fraud – targeting Brazilian users.
It is available for download via fake Google Play sites mimicking 4 major banks and 1 e-commerce app. 1/4
November 6, 2025 at 2:00 PM
#ESETresearch has released its latest APT Activity Report (Apr–Sep 2025): China-aligned groups targeted Latin America amid US-China tensions. Russia-aligned groups intensified ops against Ukraine & EU states. Full report: web-assets.esetstatic.com/wls/en/paper...
November 6, 2025 at 11:58 AM
This campaign comes as North Korea is reportedly scaling up its drone program, with strong indications that reverse engineering and intellectual property theft are playing a major role in designing its new UAVs. 6/9
October 23, 2025 at 4:10 AM
Lazarus again used the DLL proxying technique, analogous to that seen in its 2023 attack against a Spanish aerospace company. 4/9
October 23, 2025 at 4:10 AM
The targeted sectors include defense, metal engineering, and the UAV sector. The attackers left the keyword “drone” in their payloads, directly suggesting one of their goals. 3/9
October 23, 2025 at 4:10 AM
Join @Invest_Ottawa & the Embassy of the Slovak Republic in Canada for a Cybersecurity Roundtable with Chief #ESETresearch Officer Roman Kováč: Oct 20, 2025, 3–4:30 PM, 7 Bayview Station Rd, Ottawa. RSVP by Oct 15: bit.ly/46X9eV9 1/3
October 14, 2025 at 1:01 PM
Android #ToSpy, the spyware used in the other campaign, masquerades solely as the ToTok app. It is distributed through phishing websites impersonating app distribution platforms, such as the Samsung Galaxy Store. 3/6
October 2, 2025 at 9:24 AM
#ESETresearch has observed #Gamaredon exploiting CVE-2025-8088 (#WinRAR path traversal) in an ongoing spearphishing campaign. This vulnerability allows arbitrary file write via crafted RAR archives. 1/6
September 26, 2025 at 1:13 PM
Two exciting panels featuring #ESETresearch’s Righard Zwienenberg at #VB2025 in Berlin @virusbtn - from stories of the past to debates about the future of vulnerability handling. Here's what to expect 👇 1/3
September 22, 2025 at 12:25 PM
#ESETresearch’s Robert Lipovský will present at Labscon 2025: “The Curse of Salt Typhoon: FamousSparrow goes after the US financial sector”. Join him in Scottsdale, AZ, September 19 at 12:00 PM MST. 1/5
September 18, 2025 at 5:36 AM
#ESETresearch’s Matthieu Faou and Zoltán Rusnák will present at Labscon 2025 @labscon_io: “Gamaredon x Turla: Unveiling a 2025 Espionage Alliance Targeting Ukraine”. Join them in Scottsdale, September 19 at 11:00 AM MST. 1/3
September 16, 2025 at 6:47 AM
HybridPetya can bypass UEFI Secure Boot by exploiting CVE-2024-7344. We found an archive containing the whole EFI partition, likely from a system already encrypted by HybridPetya – the UEFI ransomware app is hidden in a specially crafted cloak.dat file related to this vuln. 4/8
September 12, 2025 at 9:02 AM
While the individual disk sectors are being encrypted with Salsa20, the infamous fake CHKDSK message is displayed, making the victim believe the disk is being checked for errors – a throwback to Petya. The ransom note design also draws from HybridPetya’s predecessors. 3/8
September 12, 2025 at 9:02 AM
HybridPetya installs a malicious EFI application to the EFI System Partition, which then encrypts the Master File Table file, an essential metadata file with information about all files on the NTFS-formatted partition. 2/8
September 12, 2025 at 9:02 AM
Gamshen is a malicious native IIS module participating in an SEO fraud-as-a-service scheme. By modifying responses to requests coming from search engine crawlers, it attempts to improve the search ranking of third-party gambling websites through shady SEO techniques. 5/6
September 4, 2025 at 10:06 AM
Rungan is a passive C++ backdoor capable of executing commands on the compromised server. 4/6
September 4, 2025 at 10:06 AM
Attackers execute various tools on their victims’ systems that are based on the EfsPotato and BadPotato exploits. They use this malware to create an unauthorized user in the administrators group. 3/6
September 4, 2025 at 10:06 AM
We performed an internet-wide scan to complement ESET telemetry and identify additional servers affected by this threat: at least 65 servers have been affected by late June 2025, mostly in Brazil, Thailand, and Vietnam. 2/6
September 4, 2025 at 10:06 AM
This supports our belief that it was a proof of concept rather than fully operational malware deployed in the wild. Nonetheless, our findings remain valid - the discovered samples represent the first known case of AI-powered ransomware. 2/2
September 3, 2025 at 12:00 PM
For its file encryption mechanism, the PromptLock ransomware utilizes the SPECK 128-bit encryption algorithm. 4/7
August 26, 2025 at 3:38 PM
Based on the detected user files, the malware may exfiltrate data, encrypt it, or potentially destroy it, although the destruction functionality appears to be not yet implemented. The #Bitcoin address used in the prompt appears to belong to Bitcoin creator en.wikipedia.org/wiki/Satoshi... 3/7
August 26, 2025 at 3:38 PM
PromptLock leverages Lua scripts generated from hard-coded prompts to enumerate the local filesystem, inspect target files, exfiltrate selected data, and perform encryption. These Lua scripts are cross-platform compatible, functioning on #Windows, #Linux, and #macOS. 2/7
August 26, 2025 at 3:38 PM
#ESETResearch has discovered the first known AI-powered ransomware, which we named #PromptLock. The PromptLock malware uses the gpt-oss:20b model from OpenAI locally via the Ollama API to generate malicious Lua scripts on the fly, which it then executes. 1/7
August 26, 2025 at 3:38 PM