ESET Research
@esetresearch.bsky.social
Security research and breaking news straight from ESET Research Labs.
welivesecurity.com/research/
IoCs
Android/Spy.NGate.BD
223D7AA925549C9C657C017F06CF7C19595C2CEE
5a341dc1-98f9-4264-859a-e8bc6d236024-00-1vfeomyys26m9.janeway.replit[.]dev
googleplay-santander.pages[.]dev
googleplay-bb.pages[.]dev
googleplay-itau.pages[.]dev
googleplay-mercadolivre.pages[.]dev
googleplay-bradesco.pages[.]dev 4/4
November 6, 2025 at 2:00 PM
#NGate captures NFC card data and relays it to an attacker-controlled device, which uses the data for ATM withdrawals or POS payments—all without physical access to the victim’s card. We described #NGate in detail in our blog post in 2024
www.welivesecurity.com/en/eset-rese... 3/4
November 6, 2025 at 2:00 PM
It shares the same package name (com.billy.cardemv) as some #NGate / #PhantomCard variants targeting Brazil, suggesting it could be a new version still focused on Brazil. 2/4
November 6, 2025 at 2:00 PM
IoCs available on our GitHub: github.com/eset/malware... 9/9
malware-ioc/nukesped_lazarus at master · eset/malware-ioc
Indicators of Compromises (IOC) of our various investigations - eset/malware-ioc
github.com
October 23, 2025 at 4:10 AM
These precedents, along with this campaign’s targeting and observed technical artifacts, strongly suggest that Lazarus intended to collect sensitive information on UAV-related technology, likely for reverse engineering. 8/9
October 23, 2025 at 4:10 AM
In recent years, multiple campaigns affecting the aerospace sector have been attributed to North Korea-aligned threat actors (including by ESET). This suggests cyberespionage might be one of the tools leveraged by the regime to modernize its UAV arsenal. www.welivesecurity.com/2020/06/17/o... 7/9
Operation In(ter)ception: Aerospace and military companies in the crosshairs of cyberspies
ESET research uncovers attacks against several high-profile aerospace and military companies in Europe and the Middle East, with several hints suggesting a possible link to the Lazarus group.
www.welivesecurity.com
October 23, 2025 at 4:10 AM
This campaign comes as North Korea is reportedly scaling up its drone program, with strong indications that reverse engineering and intellectual property theft are playing a major role in designing its new UAVs. 6/9
October 23, 2025 at 4:10 AM
The companies targeted in this Operation DreamJob campaign are all active in the defense sector, and at least two of them are also somewhat involved in the drone industry, producing either UAV components or drone-related software. 5/9
October 23, 2025 at 4:10 AM
Lazarus again used the DLL proxying technique, analogous to that seen in its 2023 attack against a Spanish aerospace company. 4/9
October 23, 2025 at 4:10 AM
The targeted sectors include defense, metal engineering, and the UAV sector. The attackers left the keyword “drone” in their payloads, directly suggesting one of their goals. 3/9
October 23, 2025 at 4:10 AM
Targets are attracted to a lucrative job offer and lured to execute trojanized PDF readers or VNC tools. This social engineering technique seems to have been working well for several years, suggesting many employees still have insufficient awareness of this tactic. 2/9
October 23, 2025 at 4:10 AM
Speakers include: Viera Grigová, Slovak Ambassador to Canada; Sophie Chen, Director at Invest Ottawa and Roman Kováč, Chief Research Officer at ESET’s global threat research, working with agencies like CISA, ENISA & Europol to counter advanced threats. Expect insights into global cyber defense. 3/3
October 14, 2025 at 1:01 PM
#ESET, the EU’s largest cybersecurity vendor, will showcase its Threat Intelligence capabilities for governments, critical infrastructure, and private sector organizations seeking robust cybersecurity solutions. 2/3
October 14, 2025 at 1:01 PM
IoCs available in our GitHub repo: github.com/eset/malware... 6/6
malware-ioc/prospytospy at master · eset/malware-ioc
Indicators of Compromises (IOC) of our various investigations - eset/malware-ioc
github.com
October 2, 2025 at 9:24 AM
Despite similar objectives and techniques, ESET tracks the two campaigns separately due to differences in infrastructure and delivery. Users should avoid downloading apps or plugins from unofficial sources, especially those claiming to enhance trusted services. 5/6
October 2, 2025 at 9:24 AM
After compromising their targets, both ProSpy and ToSpy exfiltrate data in the background, including documents, media, files, and contacts. ToSpy in particular also targets .ttkmbackup files, suggesting a focus on chat history and app data. 4/6
October 2, 2025 at 9:24 AM
Android #ToSpy, the spyware used in the other campaign, masquerades solely as the ToTok app. It is distributed through phishing websites impersonating app distribution platforms, such as the Samsung Galaxy Store. 3/6
October 2, 2025 at 9:24 AM
The first campaign deployed Android #ProSpy camouflaged as upgrades or plugins for Signal and ToTok apps, named Signal Encryption Plugin or ToTok Pro. 2/6
October 2, 2025 at 9:24 AM
CDB0F9C6FC4120EFB911F5BB4E801300992BD560
CA0151D9AEE5408F3080CA108FA4EEB2C6785628
4626615651A9CC8CE0FD078DF281CA275D6D28C4
3EA2987D67A16450313E5DCC80C15C956F758486
0FC8B3117692C21A1750473771BCFB5D60CE306A
🌐documents-pdf.serveftp[.]com
document-ua.serveftp[.]com
pdf-download.serveftp[.]com
6/6
September 26, 2025 at 1:13 PM