ESET Research
@esetresearch.bsky.social
Security research and breaking news straight from ESET Research Labs. welivesecurity.com/research/
esetresearch.bsky.social
Despite similar objectives and techniques, ESET tracks the two campaigns separately due to differences in infrastructure and delivery. Users should avoid downloading apps or plugins from unofficial sources, especially those claiming to enhance trusted services. 5/6
esetresearch.bsky.social
After compromising their targets, both ProSpy and ToSpy exfiltrate data in the background, including documents, media, files, and contacts. ToSpy in particular also targets .ttkmbackup files, suggesting a focus on chat history and app data. 4/6
esetresearch.bsky.social
Android #ToSpy, the spyware used in the other campaign, masquerades solely as the ToTok app. It is distributed through phishing websites impersonating app distribution platforms, such as the Samsung Galaxy Store. 3/6
esetresearch.bsky.social
The first campaign deployed Android #ProSpy camouflaged as upgrades or plugins for Signal and ToTok apps, named Signal Encryption Plugin or ToTok Pro. 2/6
esetresearch.bsky.social
#ESETresearch has identified two campaigns targeting Android users in the 🇦🇪. The campaigns, which are still ongoing, distribute previously undocumented spyware impersonating #Signal and #ToTok via deceptive websites. www.welivesecurity.com/en/eset-rese... 1/6
New spyware campaigns target privacy-conscious Android users in the UAE
ESET researchers have discovered campaigns distributing spyware disguised as Android Signal and ToTok apps, targeting users in the United Arab Emirates.
www.welivesecurity.com
esetresearch.bsky.social
CDB0F9C6FC4120EFB911F5BB4E801300992BD560
CA0151D9AEE5408F3080CA108FA4EEB2C6785628
4626615651A9CC8CE0FD078DF281CA275D6D28C4
3EA2987D67A16450313E5DCC80C15C956F758486
0FC8B3117692C21A1750473771BCFB5D60CE306A
🌐documents-pdf.serveftp[.]com
document-ua.serveftp[.]com
pdf-download.serveftp[.]com
6/6
esetresearch.bsky.social
IoCs:
🚨 VBS/Pterodo.CFC trojan
📄 6DF9312CD3EA11D94A01C4663C07907F6DFC59CB
D23B477B0103AFA8691E9AE9CE50912A2EA50D3B
AC6F459A218532F183004798936BB1A239349C20
0CDC5544413E80F78212E418E7936308A285E8DC
67A99D1D57116CD10B7082814B8CF25EB1FB9007
C8138F1CDD65FB4A3C93A7F7514C0133781FB89B 5/6
esetresearch.bsky.social
CVE-2025-8088 abuses a flaw in WinRAR’s handling of file paths in RAR archives. By crafting a file with ..\..\ sequences in its ADS, attackers can write files outside the extraction directory, which allows dropping files into the Startup folder. 4/6
esetresearch.bsky.social
Now, Gamaredon is abusing it to drop malicious payloads via spearphishing lures, targeting 🇺🇦 Ukrainian governmental entities. 3/6
esetresearch.bsky.social
#ESETresearch has observed #Gamaredon exploiting CVE-2025-8088 (#WinRAR path traversal) in an ongoing spearphishing campaign. This vulnerability allows arbitrary file write via crafted RAR archives. 1/6
esetresearch.bsky.social
While DeceptiveDevelopment focuses on malware, OSINT shows ties to North Korean IT workers who use fake identities to secure remote jobs, thus surreptitiously funding North Korean state operations. 5/6
esetresearch.bsky.social
Some components, like Tropidoor and AkdoorTea, show code similarities with Lazarus-linked malware, suggesting shared tooling across these North Korea-aligned groups. 4/6
esetresearch.bsky.social
DeceptiveDevelopment’s toolset spans multiple platforms and languages: #BeaverTail (infostealer), #InvisibleFerret (modular RAT), #WeaselStore (Go/Python RAT), and #TsunamiKit (.NET spyware). 3/6
esetresearch.bsky.social
Victims are lured with fake job offers and asked to complete trojanized coding challenges hosted on private GitHub/GitLab repos. These projects contain obfuscated malware, often hidden in long comments outside the IDE view. The group also utilizes the ClickFix technique. 2/6
esetresearch.bsky.social
#ESETresearch has uncovered the North Korea-aligned threat actor, DeceptiveDevelopment, targeting freelance developers with trojanized coding challenges and fake job interviews.
www.welivesecurity.com/en/eset-rese... 1/6
esetresearch.bsky.social
Righard joins Jan Hruska, Pavel Baudis & Tjark Auerbach to reflect on the rich history of our field. Got a legendary story you've heard? Ask them to uncover the truth in the panel debate: Tales from the Old West; Sept 24, 17:00–17:30 CEST www.virusbulletin.com/conference/v... 2/3
Virus Bulletin :: Panel: Tales from the Old West
VB2025 presentation: Panel: Tales from the Old West, Righard Zwienenberg, Jan Hruska, Pavel Baudis & Tjark Auerbach
www.virusbulletin.com
esetresearch.bsky.social
Two exciting panels featuring #ESETresearch’s Righard Zwienenberg at #VB2025 in Berlin @virusbtn - from stories of the past to debates about the future of vulnerability handling. Here's what to expect 👇 1/3
esetresearch.bsky.social
In February 2025, we noticed Gamaredon’s PteroGraphin restarting Turla’s Kazuar v3 backdoor. In April and June we detected that Kazuar v2 was deployed via Gamaredon’s PteroOdd and PteroPaste. We now believe with high confidence that Gamaredon provides initial access to Turla. 2/3
esetresearch.bsky.social
#ESETresearch has discovered the first known cases of collaboration between Gamaredon and Turla, in Ukraine. Both groups are affiliated with the FSB, Russia’s main domestic intelligence and security agency. www.welivesecurity.com/en/eset-rese... 1/3
Gamaredon X Turla collab
ESET researchers reveal how the notorious APT group Turla collaborates with fellow FSB-associated group known as Gamaredon to compromise high‑profile targets in Ukraine.
www.welivesecurity.com
esetresearch.bsky.social
FamousSparrow remained active throughout 2025, and this presentation will highlight its most recent operations. 5/5