Jiri Kropac
@jiriatvirlab.bsky.social
Director of Threat Prevention Labs at @ESET
Reposted by Jiri Kropac
#SlowStepper is a feature-rich backdoor with a toolkit of more than 30 components. We analyzed and documented it in a previous blogpost about the compromise of a South Korean VPN service provider. www.welivesecurity.com/en/eset-rese... 4/5
PlushDaemon compromises supply chain of Korean VPN service
ESET researchers uncover a supply-chain attack against a VPN provider in South Korea by a new China-aligned APT group we have named PlushDaemon.
www.welivesecurity.com
November 19, 2025 at 10:12 AM
Reposted by Jiri Kropac
When a network device (e.g., a router) is compromised, EdgeStepper begins to redirect all DNS queries to a malicious DNS node that replies with the IP address of the node that performs update hijacking of popular Chinese software such as Sogou Pinyin Method. 2/5
November 19, 2025 at 10:12 AM
Reposted by Jiri Kropac
The targeted sectors include defense, metal engineering, and the UAV sector. The attackers left the keyword “drone” in their payloads, directly suggesting one of their goals. 3/9
October 23, 2025 at 4:10 AM
Reposted by Jiri Kropac
Android #ToSpy, the spyware used in the other campaign, masquerades solely as the ToTok app. It is distributed through phishing websites impersonating app distribution platforms, such as the Samsung Galaxy Store. 3/6
October 2, 2025 at 9:24 AM
Reposted by Jiri Kropac
The same CVE was recently seen exploited in the wild by other groups (e.g., RomCom), and described by ESET Research in a blogpost - www.welivesecurity.com/en/eset-rese... 2/6
Update WinRAR tools now: RomCom and others exploiting zero-day vulnerability
ESET Research discover a zero-day vulnerability in WinRAR being exploited in the wild in the guise of job application documents.
www.welivesecurity.com
September 26, 2025 at 1:13 PM
Reposted by Jiri Kropac
HybridPetya installs a malicious EFI application to the EFI System Partition, which then encrypts the Master File Table file, an essential metadata file with information about all files on the NTFS-formatted partition. 2/8
September 12, 2025 at 9:02 AM
Reposted by Jiri Kropac
We performed an internet-wide scan to complement ESET telemetry and identify additional servers affected by this threat: at least 65 servers have been affected by late June 2025, mostly in Brazil, Thailand, and Vietnam. 2/6
September 4, 2025 at 10:06 AM
Reposted by Jiri Kropac
Rungan is a passive C++ backdoor capable of executing commands on the compromised server. 4/6
September 4, 2025 at 10:06 AM
Reposted by Jiri Kropac
This vulnerability was also exploited by another threat actor, independently discovered by the Russian cybersecurity company BI.ZONE, who claim Paper Werewolf began using CVE-2025-8088 on July 22, just a few days after RomCom did. 6/7
bi.zone/expertise/bl...
Paper Werewolf attacks Russia using a zero-day vulnerability in WinRAR
The Paper Werewolf cluster continues to attack Russian organizations, this time exploiting vulnerabilities in WinRAR
bi.zone
August 11, 2025 at 9:09 AM
Reposted by Jiri Kropac
On July 24, we alerted the WinRAR team, which released version 7.13 just six days later. We advise all users to install the latest version as soon as possible. We would also like to thank the WinRAR team for its cooperation and quick response. 3/7 x.com/WinRAR_RARLA...
WinRAR on X: "📢In case you haven't noticed, we've released a new version! ⏫Update today!🚀 https://t.co/Rj4h5hnODw" / X
x.com
August 11, 2025 at 9:09 AM