ESET Research: Android malware Kamran spying via news app on residents of the disputed Kashmir region

  • ESET Research has discovered Android spyware, which ESET researchers named Kamran, that has been distributed via a possible watering-hole attack on the Hunza News website.
  • The malware targets residents using Urdu language in Gilgit-Baltistan, part of the disputed Kashmir region that is administered by Pakistan.
  • The malicious app prompts the user to grant it permissions to access various information. If accepted, it gathers data about contacts, calendar events, call logs, location information, device files, SMS messages, and images.

BRATISLAVA, KOŠICE — November 09, 2023 — ESET researchers have identified what appears to be a watering-hole attack on a regional news website that delivers news about Gilgit-Baltistan, a region administered by Pakistan. Gilgit-Baltistan consists of the northern region of the greater Kashmir territory, embroiled in longstanding disputes involving India and Pakistan (since 1947) as well as between India and China (since 1959). Watering-hole attacks are a type of threat where a commonly visited website is compromised to serve malware. When opened on a mobile device, the Urdu version of the Hunza News website offers readers the possibility to download the Hunza News Android app directly from the website; however, the app has malicious espionage capabilities. Urdu is the official and main language of communication used for inter-ethnic communication within this disputed region. ESET has named this previously unknown spyware Kamran.

The word Kamran was used by ESET to name this spyware due to its package name “com.kamran.hunzanews.” Kamran is a common given name in Pakistan and other Urdu-speaking regions; in Farsi, which is spoken by some minorities in Gilgit-Baltistan, it means fortunate or lucky.

The Hunza News website has both English and Urdu versions; English is the second official language spoken in the region. Only the Urdu version of the site, when viewed on a mobile device, offers the Android spyware for download; the English mobile version offers no app at all. The English and Urdu desktop versions also offer the Android spyware, but it is not compatible with desktop operating systems. ESET Research reached out to Hunza News regarding Kamran, but the website had not responded prior to the publication of this research.

The Kamran spyware displays the content of the Hunza News website but also contains custom malicious code. Upon launching, the malicious app prompts the user to grant it permissions to access various information. If the requested permissions are granted, Kamran automatically gathers data about contacts, calendar events, call logs, location information, device files, SMS messages, images, etc., and uploads this sensitive user data to a hardcoded command and control (C&C) server. The C&C server was reported to Google, as the platform misused by the spyware is provided by them. However, the malware lacks remote control capabilities.

This malicious app has never been offered through the Google Play Store; it is instead downloaded from a source that Google refers to as Unknown. To install it, the user is requested to enable the option to install apps from unknown sources. ESET was able to identify at least 22 compromised smartphones, five of them located in Pakistan.
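As an added, defender-side illustration (not ESET's code and not taken from the Kamran sample): a static-triage script that parses a decoded AndroidManifest.xml and flags an app whose requested permissions cover the data categories listed above (contacts, calendar, call logs, location, files, SMS) together with network access, or whose package name matches the one quoted in this release. The sample manifest is constructed; only the package name comes from the page, and the permission-to-category mapping is an assumption made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Data categories named in the press release, mapped to the Android runtime
# permissions that grant access to them (mapping is an assumption for triage).
CATEGORY_PERMISSIONS = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "calendar": {"android.permission.READ_CALENDAR"},
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "files": {"android.permission.READ_EXTERNAL_STORAGE",
              "android.permission.MANAGE_EXTERNAL_STORAGE"},
    "sms": {"android.permission.READ_SMS"},
    "images": {"android.permission.READ_MEDIA_IMAGES"},
}

# Package name quoted in the press release.
KNOWN_PACKAGE = "com.kamran.hunzanews"

# Constructed sample manifest (a decoded AndroidManifest.xml as produced by
# tools such as apktool); the permission set is an assumption for illustration.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.kamran.hunzanews">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALENDAR"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:label="Hunza News"/>
</manifest>
"""


def parse_manifest(xml_text):
    """Return (package_name, set of requested permission names)."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    perms = set()
    for node in root.iter("uses-permission"):
        name = node.get(f"{{{ANDROID_NS}}}name")
        if name:
            perms.add(name)
    return package, perms


def triage(xml_text, threshold=4):
    """Score a manifest against the collect-and-upload profile described above.

    An app is flagged when it asks for at least `threshold` sensitive data
    categories plus INTERNET (needed to upload them), or when its package
    name matches the known sample.
    """
    package, perms = parse_manifest(xml_text)
    matched = sorted(
        cat for cat, needed in CATEGORY_PERMISSIONS.items() if perms & needed
    )
    reasons = []
    if package == KNOWN_PACKAGE:
        reasons.append("package name matches known Kamran sample")
    if len(matched) >= threshold and "android.permission.INTERNET" in perms:
        reasons.append(
            f"{len(matched)} sensitive data categories plus INTERNET "
            "(collection + upload profile)"
        )
    return {
        "package": package,
        "matched_categories": matched,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST)
    print(result["package"], "suspicious" if result["suspicious"] else "clean")
    for reason in result["reasons"]:
        print(" -", reason)
```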

The malicious app appeared on the website sometime between January 7, 2023, and March 21, 2023; the developer certificate of the malicious app was issued on January 10, 2023. During that time, protests were being held in Gilgit-Baltistan for various reasons encompassing land rights, taxation concerns, prolonged power outages, and a decline in subsidized wheat provisions.

“With a high degree of confidence, we can affirm that the malicious app specifically targeted Urdu-speaking users, who accessed the website via Android devices. However, since Kamran demonstrates a unique codebase, distinct from other Android spyware, this prevents its attribution to any known advanced persistent threat – APT – group,” says ESET researcher Lukáš Štefanko, who discovered the Kamran spyware. “This spyware shows once again that it is important to reiterate the importance of downloading apps exclusively from trusted and official sources,” he adds.

Hunza News, likely named after the Hunza District or the Hunza Valley, is an online newspaper delivering news related to the Gilgit-Baltistan region. Internet archive data shows that the site has been delivering news since 2013. In 2015, Hunza News started to provide a legitimate Android application that was available on the Google Play Store. Based on available data, ESET Research believes two versions of this app were released on Google Play, with neither containing any malicious functionality.

For more technical information about Kamran spyware, check out the blog post “Unlucky Kamran: Android malware spying on Urdu-speaking residents of Gilgit-Baltistan.” Make sure to follow ESET Research on Twitter (today known as X) for the latest news from ESET Research.

About ESET
ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET pioneered and continues to lead the industry in proactive threat detection. ESET NOD32 Antivirus, its flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product that builds out the ESET product line to include ESET Smart Security. ESET Smart Security is an integrated antivirus, antispyware, antispam and personal firewall solution that combines accuracy, speed and an extremely small system footprint to create the most effective security solution in the industry. Both products have an extremely efficient code base that eliminates the unnecessary large size found in some solutions. This means faster scanning that doesn’t slow down computers or networks. Sold in more than 160 countries, ESET has worldwide production headquarters in Bratislava, SK and worldwide distribution headquarters in San Diego, U.S. ESET also has offices in Bristol, U.K.; Buenos Aires, AR; Prague, CZ; and is globally represented by an extensive partner network. For more information, visit our local office at https://eset.version-2.sg.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities. For more information, please visit https://www.version-2.com.sg/ or call (65) 6296-4268.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

ESET recognized as a “Strong Performer” in prestigious Endpoint Security report

  • ESET has been cited as a “Strong Performer” in the renowned “Endpoint Security, Q4 2023” report.
  • ESET’s business endpoint solutions excel in endpoint malware and exploit prevention, offering robust mobile device security, device management, and vulnerability and patch management for all supported endpoints. 

BRATISLAVA — November 08, 2023 — ESET, a global cybersecurity leader, has been acknowledged as a “Strong Performer,” according to The Forrester Wave™: Endpoint Security, Q4 2023 report. Forrester, a respected analyst firm, meticulously researched and analyzed 13 top endpoint security vendors in its 25-criterion evaluation to guide security and risk professionals in selecting the right solution for their needs.

The report underscores the critical role of endpoint security solutions, acting as the first and last line of defense for business users, safeguarding their devices from malware, detecting and responding to malicious actions, and resolving incidents swiftly and efficiently. The report states that “ESET’s differentiator is that it’s able to support organizations that need to maintain an air-gapped infrastructure,” which, in our opinion, highlights the company’s commitment to meeting diverse security needs.

The report also noted that ESET has dominant prevention engines when it comes to malware and exploits targeting endpoints — its mobile device security provides mobile device management, and the solution includes vulnerability and patch management for all supported endpoints.

Jakub Debski, Chief Product Officer at ESET, stated, “Safeguarding our users and their businesses against the most sophisticated advanced threats is at the core of our business mission at ESET. In today’s rapidly evolving digital landscape, it is essential for businesses to have access to robust and state-of-the-art detection and response tools. We are confident that security and risk professionals can make informed decisions for their organizations by choosing ESET’s innovative solutions — allowing the companies to focus on their operations, simplifying their security through ESET’s unified XDR platform.”

ESET believes Forrester’s recognition positions ESET as a competitive player in the endpoint security market, reinforcing the company’s reputation for delivering advanced and reliable security solutions. ESET remains steadfast in its mission to empower businesses with cutting-edge digital security tools, ensuring robust protection against evolving cyber threats. For more information about ESET and its endpoint security solutions, please read here. The full report can be downloaded here by Forrester clients or through purchase.

Simple antivirus is not enough anymore. ESET is introducing all-in-one protection for consumers

BRATISLAVA — November 15, 2023 — ESET, a global leader in cybersecurity, today announced the launch of its new innovative and streamlined offering for consumers. With more than 30 years on the market, ESET has moved to unify its broadly deployed consumer product portfolio. Specifically, ESET is introducing three brand new customer-centric subscription tiers, providing both broad and reliable digital life protection via new features, such as a Virtual Private Network (VPN) and a Browser Privacy & Security extension.

Responding to the increasing demand for an all-in-one solution that offers intuitive use of these new features, ESET is introducing an improved ESET HOME—a comprehensive security management platform. It is available across all major operating systems—Windows, macOS, Android, and iOS—and includes visibility into home networks and connected smart devices.

“At ESET, we’re thrilled to unveil our cutting-edge consumer solutions. It’s more than just security – it’s a comprehensive portfolio designed to keep our customers safe in today’s digital landscape. We’re dedicated to advancing technology without compromising their safety. Our team has poured their expertise into creating a powerful blend of AI, human insight, and cloud protection, delivering a state-of-the-art defense against a multitude of cyber threats. The new ESET HOME Security subscription tiers offer multilayered security, protect privacy, and keep the devices and homes of our customers safe. With ESET, they’re not just protected; they’re empowered to explore, connect, and thrive securely,” said Mária Trnková, Chief Marketing Officer at ESET.

Complete security management platform

Research among ESET customers shows that the vast majority of ESET HOME users define themselves as home admins, those who take care of their household’s digital security. They are tech savvy but don’t want to spend much time managing ESET products. To meet customers’ needs, ESET has made improvements to ESET HOME. Now, as a complete security management platform, it is a seamless part of the user experience. In this version, users can manage devices, make online purchases, activate and renew subscriptions, download or upgrade security solutions, and enable powerful functionalities like VPN security, Password Manager, and more.

To enhance user experience and simplify the platform’s management, ESET has made several interface changes, including the introduction of Overall Protection Status, so users can see the level of protection for their households in one view. This combines both the validity status of a user’s subscriptions and the security status of devices connected to the account in three categories: Protected, Attention Required, and Security Alert.

These changes aim to provide customers with cutting-edge protection, while minimal interaction is needed to set up the product. At the same time, this new ecosystem provides meaningful options and functionality for proactive users who want to control and customize it. ESET HOME is an easy-to-use web portal and mobile app available for both iOS and Android.

Explore new subscription tiers and their features

Also introduced with this launch are three subscription tiers for this new ecosystem—ESET HOME Security Essential, ESET HOME Security Premium, and ESET HOME Security Ultimate. Subscription tiers provide all-in-one protection, from the entry-level of protection up to the ultimate level, covering the complex needs of individuals and their households for digital life privacy and security. ESET HOME Security subscriptions are available on all major operating systems—Windows, macOS, Android, and iOS.

ESET HOME Security Essential is an entry-level subscription tier with protection features, including improved modern endpoint security and multilayered real-time protection, as well as additional tools that further enhance the user’s ability to protect against various threats. Included are the Safe Banking and Safe Browsing features, designed to protect users’ sensitive data, and Network Inspector, a diagnostic tool providing information on the security of the user’s router and display of devices connected to the network. Newly developed browser extensions provide enhancement of the Browser Privacy & Security feature. This includes cleanup tools, such as Browser Cleanup, which cleans cookies, history, and much more from the browser, regularly or on demand.

The middle tier, ESET HOME Security Premium, extends the feature set further by adding other security functionalities, such as a Password Manager, which protects and stores users’ passwords and personal data. This includes an automatic and accurate form-filling feature, saving users time when filling out web forms. Secure Data functionality boosts their privacy and security with powerful encryption of files and removable media, preventing data theft in the event of USB or laptop loss and ensuring secure collaboration and data sharing. ESET HOME Security Premium offers the ESET LiveGuard tool, cloud-based protection specifically designed to mitigate never-before-seen threats.

ESET HOME Security Ultimate is the most advanced subscription tier; it seamlessly provides complex all-in-one protection and introduces a brand-new ESET feature: VPN. This feature is also complemented by the browser extension functionality (Browser Privacy & Security), to ensure that the user’s browsing is protected. Additionally, Metadata Cleanup removes metadata from uploaded pictures to the browsers on Windows. Website Settings Review allows users to easily review and change permissions granted to websites.

Enhancing online security: Introducing VPN feature

ESET’s new VPN feature offers users a confidential internet experience by establishing a private network connection that protects them while using public Wi-Fi and enforces a strict no-logs policy, making users more difficult to track. It encrypts users’ online activities and enables unlimited bandwidth access to geo-restricted content, including unrestricted and private access to websites in more than 60 countries worldwide. Thanks to this feature, users can securely access their home countries’ TV shows and movies while traveling or enjoy their favorite streaming services from different parts of the world. Even more features are available on the VPN service running on desktop, including DNS leak protection, MAC spoofing, proxy gateway for other devices, firewall, and split tunneling. By adding a VPN on iOS, ESET is strengthening its presence on this platform, where Password Manager and ESET HOME are already established.

Device-tailored security solutions

ESET HOME Security takes device protection to a new level by seamlessly integrating a suite of standalone device protection solutions tailored to meet customers’ security needs. This includes ESET NOD32 Antivirus, ESET Mobile Security for Android, Parental Control for Android, and ESET Smart TV Security.

More information about the new consumer offering and subscription tiers can be found here.

ESET Research: Infamous IoT botnet Mozi taken down via a kill switch

  • ESET researchers have observed the sudden demise of one of the most prolific Internet of Things (IoT) botnets: Mozi has been responsible for the exploitation of hundreds of thousands of devices a year since 2019.
  • ESET observed a drop in Mozi’s activity in India and China in August, later discovering a kill switch that disabled the malware and stripped the Mozi bots of their functionality.
  • There are two potential instigators for this takedown: the original Mozi botnet creator or Chinese law enforcement, perhaps enlisting or forcing the cooperation of the original actor or actors. The sequential targeting of India and then China suggests that the takedown was carried out deliberately, with one country targeted first and the other a week later.

BRATISLAVA — November 1, 2023 — ESET Research recently observed the sudden demise of one of the most prolific Internet of Things (IoT) botnets, named Mozi, infamous for exploiting vulnerabilities in hundreds of thousands of IoT devices each year. ESET observed an unanticipated drop in activity that began in India and was seen in China a week later. The change was caused by an update to Mozi bots that stripped them of their functionality. A few weeks after these events, ESET researchers were able to identify and analyze the kill switch that caused Mozi’s demise.

“The demise of one of the most prolific IoT botnets is a fascinating case of cyber forensics, providing us with intriguing technical information on how such botnets in the wild are created, operated, and dismantled,” says ESET researcher Ivan Bešina, who investigated the disappearance of Mozi.

On September 27, 2023, ESET researchers spotted a control payload (configuration file) inside a UDP message that lacked the typical content; it was in fact the kill switch responsible for Mozi’s takedown. The kill switch stopped the parent process – the original Mozi malware – disabled certain system services, replaced the original Mozi file with itself, executed certain router/device configuration commands, and disabled access to various ports.

Despite the drastic reduction in functionality, the Mozi bots have maintained persistence, indicating a deliberate and calculated takedown. ESET analysis of the kill switch showed a strong connection between the botnet’s original source code and recently used control payloads that were signed by the correct private keys.

“There are two potential instigators for this takedown: the original Mozi botnet creator or Chinese law enforcement, perhaps enlisting or forcing the cooperation of the original actor or actors. The sequential targeting of India and then China suggests that the takedown was carried out deliberately, with one country targeted first and the other a week later,” explains Bešina.

For more technical information about the demise of the Mozi botnet, check out the blog post “Who killed Mozi? Finally putting the IoT zombie botnet in its grave.” Make sure to follow ESET Research on Twitter (now known as X) for the latest news from ESET Research.

ESET Research: Winter Vivern attacks Roundcube webmail servers of governments in Europe through zero-day vulnerability

  • ESET researchers discovered that the Winter Vivern group has been exploiting a zero-day XSS vulnerability in Roundcube Webmail.
  • According to ESET telemetry, the campaign targeted Roundcube Webmail servers belonging to governmental entities and a think tank in Europe.
  • Roundcube is an open-source webmail server used by many different organizations.
  • Roundcube patched the vulnerability and released security updates very quickly after being notified by ESET.
  • No manual interaction other than viewing the malicious email message in a web browser is required. The final JavaScript payload can exfiltrate email messages to the command and control server of the group. 

BRATISLAVA, MONTREAL — October 25, 2023 — ESET researchers, during their regular monitoring of the cyberespionage operations of Winter Vivern, discovered that the group recently began exploiting a zero-day XSS vulnerability in the Roundcube Webmail server. In an XSS attack, malicious scripts are injected into otherwise trusted websites. According to ESET telemetry data, the campaign targeted Roundcube Webmail servers belonging to governmental entities and a think tank, all in Europe. ESET Research recommends updating Roundcube Webmail to the latest available version as soon as possible.

ESET discovered the vulnerability on October 12 and immediately reported it to the Roundcube team, who patched the vulnerability and released security updates soon after, on October 14. “We would like to thank the Roundcube developers for their quick reply and for patching the vulnerability in such a short time frame,” says ESET researcher Matthieu Faou, who discovered the vulnerability and Winter Vivern attacks.

“Winter Vivern is a threat to governments in Europe because of its persistence, its very consistent running of phishing campaigns, and because a significant number of internet-facing applications are not regularly updated despite being known to contain vulnerabilities,” explains Faou.

Exploitation of the XSS vulnerability CVE-2023-5631 can be done remotely by sending a specially crafted email message. “At first sight, the email doesn’t seem malicious – but if we examine the HTML source code, we can see a tag for SVG graphics at the end that contains an encoded malicious payload,” says Faou. By sending a specially crafted email message, attackers are able to load arbitrary JavaScript code in the context of the Roundcube user’s browser window. No manual interaction other than viewing the message in a web browser is required. The final JavaScript payload can exfiltrate email messages to the command and control server of the group.
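As an added, defender-side illustration (not ESET's or Roundcube's code, and not the exploit itself): a mail-gateway style scanner that parses an HTML email, reports any SVG element carrying event-handler attributes or a nested script, and decodes base64-looking blobs found there so an analyst can review what the encoded content is. The sample message is constructed, and the encoded blob decodes to a harmless marker string rather than a payload.

```python
import base64
import email
import re
from email import policy
from html.parser import HTMLParser

# Constructed sample: an innocuous-looking HTML message with an SVG element at
# the end of the body, mirroring the description above. The base64 blob is
# built here from a harmless marker string; it is not a real payload.
MARKER_B64 = base64.b64encode(b"constructed-sample-marker").decode()
SAMPLE_EML = (
    "From: newsletter@example.invalid\r\n"
    "To: user@example.invalid\r\n"
    "Subject: Weekly update\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><body><p>Dear colleague, please find the weekly update below.</p>"
    '<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1" '
    f"onload=\"eval(atob('{MARKER_B64}'))\"></svg>"
    "</body></html>\r\n"
)

# Long runs of base64 alphabet, optionally padded.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


class SvgFinder(HTMLParser):
    """Collect every <svg> element, its on* event-handler attributes, and the
    text of any <script> nested inside it."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._depth = 0          # > 0 while inside an <svg>
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self._depth += 1
            self.findings.append({"handlers": {}, "scripts": []})
        if self._depth:
            for name, value in attrs:
                if name.startswith("on") and value is not None:
                    self.findings[-1]["handlers"][name] = value
            if tag == "script":
                self._in_script = True

    def handle_endtag(self, tag):
        if tag == "svg" and self._depth:
            self._depth -= 1
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._depth and self._in_script and data.strip():
            self.findings[-1]["scripts"].append(data.strip())


def decode_blobs(text):
    """Best-effort decode of base64-looking runs, for analyst review."""
    decoded = []
    for match in B64_RE.finditer(text):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except ValueError:
            continue
        decoded.append(raw.decode("utf-8", "replace"))
    return decoded


def scan_message(raw_message):
    """Return one report entry per <svg> element found in any text/html part."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    report = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        finder = SvgFinder()
        finder.feed(part.get_content())
        for finding in finder.findings:
            blobs = []
            for snippet in list(finding["handlers"].values()) + finding["scripts"]:
                blobs.extend(decode_blobs(snippet))
            report.append({
                "handlers": sorted(finding["handlers"]),
                "script_count": len(finding["scripts"]),
                "decoded": blobs,
            })
    return report


def is_suspicious(report):
    """An SVG with an event handler or embedded script warrants quarantine."""
    return any(entry["handlers"] or entry["script_count"] for entry in report)


if __name__ == "__main__":
    findings = scan_message(SAMPLE_EML)
    print("suspicious" if is_suspicious(findings) else "clean", findings)
```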

Winter Vivern is a cyberespionage group that is thought to have been active since at least 2020 and targets governments in Europe and Central Asia. To compromise its targets, the group uses malicious documents, phishing websites, and a custom PowerShell backdoor. ESET believes with low confidence that Winter Vivern is linked to MoustachedBouncer, a sophisticated Belarus-aligned group that we first published about in August 2023. Winter Vivern has been targeting Zimbra and Roundcube email servers belonging to governmental entities since at least 2022.

For more technical information about Winter Vivern, its latest attack, and the Roundcube vulnerability, check out the blog post “Winter Vivern exploits zero-day vulnerability in Roundcube Webmail servers” on WeLiveSecurity. Make sure to follow ESET Research on Twitter (now known as X) for the latest news from ESET Research.

ESET APT Activity Report: China-aligned groups campaign against EU targets; prime target of Russia-aligned groups remains Ukraine

  • The latest APT Activity Report contains activities of selected APT groups from April 2023 to September 2023.
  • It highlights China-aligned groups’ persistent campaigns in the EU and the evolution of Russia’s cyberwar in Ukraine from sabotage to espionage.
  • Various groups exploited vulnerabilities in WinRAR, Microsoft Exchange servers, and IIS servers.
  • The prime target of Russia-aligned groups remained Ukraine; Telegram users were targeted for data collection.
  • Among the newly discovered China-aligned groups, DigitalRecyclers repeatedly compromised a governmental organization in the EU, TheWizards conducted adversary-in-the-middle attacks, and PerplexedGoblin targeted another governmental organization in the EU.

BRATISLAVA — October 26, 2023 — ESET released its latest report about the activities of selected advanced persistent threat (APT) groups that were observed, investigated, and analyzed by ESET researchers from April 2023 until the end of September 2023. Notably, ESET Research observed various APT groups exploiting known vulnerabilities to exfiltrate data from governmental entities or related organizations. Handpicked findings were presented exclusively to selected journalists during a press event. The presentation and the report explore China-aligned groups’ persistent campaigns in the European Union and the evolution of Russia’s cyberwar in Ukraine from sabotage to espionage.

Russia-aligned Sednit and Sandworm, North Korea-aligned Konni, and geographically unattributed Winter Vivern and SturgeonPhisher seized the opportunity to exploit vulnerabilities in WinRAR (Sednit, SturgeonPhisher, and Konni), Roundcube (Sednit and Winter Vivern), Zimbra (Winter Vivern), and Outlook for Windows (Sednit) to target various governmental organizations, not only in Ukraine but also in Europe and Central Asia. Regarding China-aligned threat actors, GALLIUM probably exploited weaknesses in Microsoft Exchange servers or IIS servers, extending its targeting from telecommunications operators to governmental organizations around the world; MirrorFace probably exploited vulnerabilities in the Proself online storage service; and TA410 probably exploited flaws in the Adobe ColdFusion application server.

Iran- and Middle East-aligned groups continued to operate at high volume, primarily focusing on espionage and data theft from organizations in Israel. Notably, Iran-aligned MuddyWater also targeted an unidentified entity in Saudi Arabia, deploying a payload that suggests the possibility of this threat actor serving as an access development team for a more advanced group.

The prime target of Russia-aligned groups remained Ukraine, where we discovered new versions of the known wipers RoarBat and NikoWiper and a new wiper we named SharpNikoWiper, all deployed by Sandworm. Interestingly, while other groups – such as Gamaredon, GREF, and SturgeonPhisher – target Telegram users to try to exfiltrate information, or at least some Telegram-related metadata, Sandworm actively uses this service for active measure purposes, advertising its cybersabotage operations. However, the most active group in Ukraine continued to be Gamaredon, which significantly enhanced its data-collecting capabilities by redeveloping existing tools and deploying new ones.

North Korea-aligned groups continued to focus on Japan, South Korea, and South Korea-focused entities, employing carefully crafted spear phishing emails. The most active Lazarus scheme observed was Operation DreamJob, luring targets with fake job offers for lucrative positions. This group consistently demonstrated its capability to create malware for all major desktop platforms.

Finally, our researchers uncovered the operations of three previously unidentified China-aligned groups: DigitalRecyclers, repeatedly compromising a governmental organization in the EU; TheWizards, conducting adversary-in-the-middle attacks; and PerplexedGoblin, targeting another governmental organization in the EU.

ESET APT Activity Reports contain only a fraction of the cybersecurity intelligence data provided to customers of ESET’s private APT reports. ESET researchers prepare in-depth technical reports and frequent activity updates detailing activities of specific APT groups, in the form of ESET APT Reports PREMIUM, to help organizations tasked with protecting citizens, critical national infrastructure, and high-value assets from criminal and nation-state-directed cyberattacks. Comprehensive descriptions of activities described in this document were therefore previously provided exclusively to our premium customers. More information about ESET APT Reports PREMIUM, which delivers high-quality, strategic, actionable, and tactical cybersecurity threat intelligence, is available on the ESET Threat Intelligence website.

For more technical information, check the full ESET APT Activity Report on WeLiveSecurity. Make sure to follow ESET Research on Twitter (now known as X) for the latest news from ESET Research.

ESET named Strategic Leader in AV-Comparatives 2023 Endpoint Prevention and Response (EPR) Test

Our strong performance in the AV-Comparatives EPR Test further confirms the ROI of ESET XDR-enabling products and services. Can the test also contextualize ESET’s performance in round five of the MITRE Engenuity ATT&CK® Evaluations: Enterprise?

Introduction

In the recently published Endpoint Prevention and Response (EPR) Comparative Report 2023 by AV-Comparatives, ESET PROTECT Enterprise version 10.1 scored highly in the EPR CyberRisk Quadrant™. Deemed a Strategic Leader along with only three other vendors, ESET sits at the top of the prevention and response capability ranking with the highest detection rate. 

For some ESET partners, and even our sales leads, this result in the AV-Comparatives EPR Test stands in apparent contrast to the substep visibility coverage we provided in the 2023 round of the MITRE Engenuity ATT&CK® Evaluations: Enterprise. Some might argue that the statistical results for the detection and protection scenarios of the evaluation look quite different. Do testers, vendors, and end users all live in separate universes where math isn’t a universal language?

In our view, the APT-minded testers at MITRE Engenuity haven’t created a performance ranking (nor a competitive test) in their examination of protection and detection across the cyberattack chain, at least not one that can be easily compared to other tests. Readers transitioning their consideration from the ATT&CK Evaluations to the AV-Comparatives EPR Test will require a shift in attention. This shift must include a focus on the effectiveness of simulating real-world conditions and, importantly, consideration of the different audiences of the tests — in the case of the EPR Test, both end users and participating vendors.

Comparing audiences

The two tests discussed here have unique audiences in mind. AV-Comparatives has built its EPR Test to evaluate vendors’ product expectations and, critically, to give buyers transparent access to standard and agreed-on outcomes via a methodology that best mimics real-world performance. As part of the service to buyers, third-party testers typically provide their own analysis of the raw data, which is what AV-Comparatives offers in its EPR Report.

In contrast, MITRE Engenuity does not provide comparative analyses of vendor performance in the ATT&CK Evaluations. Indeed, MITRE Engenuity states:

These evaluations are not a competitive analysis. We show the detections we observed without providing a “winner.” Because there is no singular way for analyzing, ranking, or rating the solutions, we instead show how each vendor approaches threat defense within the context of ATT&CK.

This statement makes it abundantly clear that the ATT&CK Evaluations are not a ranking but a resource, first, for vendors, and second, for the security staff at organizations, who can engage thoroughly with the raw data provided.

We can put this another way: third-party tests are both a product and a service that provide their users – both vendors and end-user businesses – with input to make educated decisions concerning product R&D or business cost and real-world performance, respectively.

Participating in the ATT&CK Evaluations and the EPR Test

Another key point is who participates in these tests. The 2023 round of the MITRE Engenuity ATT&CK® Evaluations: Enterprise tested 29 vendors[1] against two attack scenarios built from techniques used by the Turla threat group. Ultimately, this test assists vendors in working on validating their approach to optimized detection and protection – this includes the reasoning behind detecting or not detecting specific substeps in the evaluation.

Conversely, the 2023 AV-Comparatives EPR Test evaluated 12 vendors with a highly comprehensive approach that deployed 50 targeted attack scenarios using a diversity of techniques mapped to the ATT&CK knowledge base. These scenarios were not communicated ahead of the test, a fact that further contrasts the AV-Comparatives approach with that of MITRE Engenuity. The resultant EPR CyberRisk Quadrant factors in product efficacy in breach prevention, the calculated savings, and the product’s purchase, operational accuracy, and workflow delay costs.

Despite the high value of AV-Comparatives’ approach, historically, several participating vendors have opted not to reveal their names. Furthermore, a slew of other vendors who participated in the ATT&CK Evaluations have decided not to participate in the EPR Test. Potential end users of XDR products can rightly question the costs of these untested products and whether those costs potentially degrade the apparent detection capability shown in the ATT&CK Evaluations.

In developing our own capabilities and reviewing our performance in past Engenuity Evaluations, we opine that the usual “price” for a claim of 100% detection or protection in an evaluation is likely paid in false positives. However, our product, ESET PROTECT Enterprise, completed the AV-Comparatives test without producing any false positives – a bit of an ESET obsession, actually. The fact is, false positives drive real-world costs – costs that could even exceed those of a real compromise – due to IT staff potentially having to spend many hours to handle them.

Our participation in the AV-Comparatives EPR Test is important to help ESET communicate our value to IT security decision-makers. These decision-makers love quadrants such as the EPR CyberRisk Quadrant because they simplify understanding the capability of different products. We can imagine a CISO thinking: “Give me the product with the best detection and protection capability. Oh wait, the CFO reminded me to factor in cost!”

AV-Comparatives’ EPR CyberRisk Quadrant is a great resource for organizations to start evaluating and shortlisting XDR solutions on prevention and TCO metrics, before necessarily diving into the depths of technology and implementation.

[1] The MITRE Engenuity ATT&CK Evaluations: Enterprise began with 30 vendors. MITRE Engenuity communicates 29 having completed the evaluation.

Comparing methodologies

While AV-Comparatives uses a real-world methodology and provides analysis, MITRE Engenuity provides the emulation plan and results as raw data. If, as an organization, you have the resources and skilled IT staff, you could even rerun an ATT&CK Evaluation in your network, or substeps of it, to obtain highly relevant, real-world feedback on the actual effectiveness and cost of various solutions.

However, without such a personalized rerun, our assessment is that the ATT&CK Evaluations are unsuitable as the primary basis for a purchase decision. Instead, the goal of the evaluations is to provide trained eyes a resource to understand the specific levels of substep visibility that a product offers. Whether the provided level of visibility is suitable for an end user is hotly debated, but our main response is that you don’t need 100% visibility, nor do you need technique detections for every substep. What is necessary, however, is seeing enough relevant substeps – as not every substep is equally important to determine whether an attack is happening – then mitigate and/or stop it.

The DIY analysis required to really extract value from the ATT&CK Evaluations means you must be prepared to dive independently into the emulation plan and carefully consider each substep and what it means for your organization. Critically, the more you understand adversarial techniques, the challenges of reconstructing attack chains, and the commonality of events in your environment, the better your analysis and takeaways will be. Thus, the expertise required to interpret and assess the evaluations immediately puts decision-makers, who typically prefer digestible executive summaries, at arm’s length.

The measures taken by AV-Comparatives to offer the best approximation of a real-world environment, complete with commercially available and open-source attack tools, as well as tactics, techniques, and procedures (TTPs) assembled from MITRE’s ATT&CK knowledge base, underline that the test is designed to serve businesses and institutions that rely on endpoint protection, detection, and response capabilities against real-world attacks.

The thoughtful approach taken by AV-Comparatives to quantify product performance beyond protection and detection across the attack chain pays big dividends in avoiding problems due to false positives.

A standout example taken from the results of the Turla ATT&CK Evaluation is the number of alerts allowed to be generated without penalty. One vendor had over one million alerts per attack chain. Another vendor’s dashboard showed almost 6.7 million suspicious events. In contrast, ESET Inspect displayed around 6,000 detections (including both endpoint and rule-based detections) on Day One of the evaluation and around 2,000 on Day Two. Keep in mind that the test environments had four or five machines, and MITRE Engenuity did not test products “with a battery of clean scenarios” as AV-Comparatives did!

Betting on both horses

As a vendor, we have clear motivations to maintain our participation in both the MITRE Engenuity ATT&CK Evaluations and the AV-Comparatives EPR Test, which were executed very professionally. Both the EPR Test, with its dual technical and business audience, and the ATT&CK Evaluations, with its (ideally) technical audience, promote advanced security practice.

Betting on multiple horses is nothing new. The high level of engagement by ESET malware researchers and security analysts with the ATT&CK knowledge base has helped drive product R&D around improvements to our EPP, EDR, and threat intelligence products for many years. ESET began contributing to MITRE ATT&CK very early on and now stands among the top 10 out of more than 350 contributors to the ATT&CK knowledge base. Thus, participating in the ATT&CK Evaluations continues the critical dialogue between several teams to balance visibility into and usability of ATT&CK techniques and procedures.

With the internal dialogue established and sustained via our engagement with MITRE Engenuity, our parallel participation in AV-Comparatives’ EPR Test provides the necessary balance to factor in user-centric real-world needs. The result is composite use of both tests because both tests have significant merit and are (different) horses for courses.

Conclusion

With an aim to not only lead in prevention and response, but also to deliver a competitive total cost of ownership score, ESET sees decision-makers as the key readers of the AV-Comparatives EPR Report.

The stimulating dialogue instigated by the MITRE Engenuity ATT&CK Evaluations is a whole other animal. For enterprises, institutions, and other select businesses with SOC teams or skilled security staff in-house, we encourage you to continue leveraging the ATT&CK knowledge base and looking more deeply at the ATT&CK Evaluations. However, we see the true value there as a trigger for innovation, experimentation, and constant improvement.

ESET PROTECT Enterprise Earns Strategic Leader Recognition in AV-Comparatives EPR Test 2023

ESET PROTECT Enterprise scored highly in the EPR CyberRisk Quadrant™

  • ESET has been named a Strategic Leader in the AV-Comparatives Endpoint Prevention and Response (EPR) Comparative Report 2023.
  • ESET PROTECT Enterprise stands out with its high detection rates, minimal false positives, and intuitive design.

BRATISLAVA — October 23, 2023 — ESET, a global cybersecurity leader, is pleased to announce that ESET PROTECT Enterprise has been rigorously tested and named a Strategic Leader in the 2023 AV-Comparatives Endpoint Prevention and Response (EPR) Comparative Report. In this assessment, conducted by the esteemed independent testing organization AV-Comparatives, ESET PROTECT Enterprise outperformed 11 other vendors in 50 real-world scenarios testing prevention and response. The resultant EPR CyberRisk Quadrant factors in product efficacy in breach prevention, the calculated savings, and the product’s purchase, operational accuracy, and workflow delay costs.

ESET PROTECT Enterprise version 10.1, which includes ESET PROTECT and ESET INSPECT, has proven its effectiveness in providing robust enterprise prevention and response capabilities against threats of high concern for enterprises. During the test, it effectively countered threats targeted at business users, particularly by halting threats before they could breach organizational networks.

The product displayed a set of safeguards, effectively protecting enterprise systems and networks against the tested scenarios, and achieving the highest detection rate among all products tested. Overall, ESET PROTECT Enterprise showed a 100% Active Response rate and a 100% Passive Response rate across all scenarios, demonstrating its ability to automatically stop attacks and report them accurately. Its alignment with MITRE ATT&CK® tactics, techniques, and procedures (TTPs) greatly assists even entry-level SOC analysts in conducting detailed investigations and escalating incidents when necessary.

As described in the report, ESET PROTECT Enterprise stands out with its high detection rates, minimal false positives, and intuitive design. Enterprises that transitioned to ESET may not only experience enhanced security but also reduce IT costs significantly in comparison to other vendor solutions.

Roman Kováč, Chief Research Officer at ESET, noted: “Being named a Strategic Leader in the 2023 EPR Comparative Report makes us immensely proud. This recognition demonstrates our commitment to providing top-tier cybersecurity solutions for businesses globally. At ESET, we are dedicated to empowering enterprises with cutting-edge technology that not only enhances their security posture but also reduces operational costs. The test results of the EPR Comparative report reinforce our mission to create a safer digital world for all and underscore the effectiveness of our prevention and response capabilities.”

“ESET has consistently proven its strength in endpoint security and EDR, achieving certification in the EPR Test for four consecutive years since its introduction. Notably, ESET’s exceptional performance is also recognized in the leading Business security benchmarks, setting it apart in the industry,” stated Andreas Clementi, CEO & Founder of AV-Comparatives.

ESET was one of only four vendors to receive the highest certification in the EPR CyberRisk Quadrant. These outstanding results reaffirm ESET’s position as a Strategic Leader, as recognized by AV-Comparatives. ESET continues to excel in the cybersecurity landscape, offering innovative solutions that effectively protect enterprises.

For more information about ESET’s results in the AV-Comparatives EPR Test 2023, click here.

The ESET Science Award 2023 has announced the laureates of its fifth year

An international jury headed by Nobel Prize laureate, Michel Mayor, has selected this year’s ESET Science Award laureates based on a comprehensive scientometric evaluation process. The laureate in the category of Outstanding Scientist in Slovakia is Igor Lacík, the laureate in the category of Outstanding Scientist in Slovakia under the age of 35 is Matej Baláž and the laureate in the category of Outstanding Academic in Slovakia is Daniela Ostatníková.

BRATISLAVA, 20.10.2023 – On Thursday, 12 October, the ESET Science Award was presented for the fifth time to outstanding personalities of science and education in Slovakia. The ESET Science Award pays tribute to scientists based in Slovakia and highlights their efforts and scientific activities that have an impact on all areas of life. The laureate of the Outstanding Scientist in Slovakia category is Igor Lacík, who works at the Institute of Polymers of the Slovak Academy of Sciences, where he and his team have been successful in finding applications for polymer materials in the treatment of diabetes. The laureate in the category of Outstanding Scientist in Slovakia under 35 years of age is Matej Baláž, who works in the Institute of Geotechnics of the Slovak Academy of Sciences in Košice on solvent-free chemistry, so-called mechanochemistry. Daniela Ostatníková, Head of the Institute of Physiology and Vice-Dean for International Relations at the Faculty of Medicine of the Comenius University in Bratislava, who is researching the causes of autism, is the laureate of the Outstanding Academic in Slovakia category.

The international jury selected the laureates from among the finalists in the categories for Outstanding Scientist in Slovakia and Outstanding Scientist in Slovakia under the age of 35. This year, the international jury was chaired by astrophysicist and Nobel Prize laureate Michel Mayor. The other members of the international jury were Anne Leriche, a researcher and professor, Maria Grazia Valsecchi, an oncologist based in Italy, Dominique Bonvin, a professor based in Switzerland, and Jan Konvalinka, a Czech biochemist.

The chair of the international jury, Michel Mayor, who presented the award in the main category at the gala, praised the science in Slovakia: “Congratulations to our ESET Science Award laureates, as well as to all the finalists who have shown us that Slovakia is home to immense scientific talent. Today, we celebrate not only their work but also the hope and possibilities that science brings to all of us. They remind us that science is an endless journey, and its potential knows no bounds. Their passion, hard work, and dedication are an inspiration to us all.”

The laureate in the category of Outstanding Academic in Slovakia was selected by a committee composed of representatives of Slovak universities. Laureates of all three categories are selected on the basis of demanding criteria, including current scientific research results and publications, measurable scientometric data, involvement in international scientific projects, as well as communication and popularization of scientific knowledge, cooperation with other scientific disciplines, and feedback from close colleagues or students.

“The ESET Science Award is our way of recognizing outstanding scientists. This year’s theme, “Science without Borders”, highlights the need for international collaborations, knowledge sharing and open access to scientific discoveries regardless of geographical or interdisciplinary boundaries. This year’s laureates show us through their work that scientific research is a universal language that transcends borders. Their contribution is a testament to the importance of science to society and the ways in which it can fulfill the lives of us all,” said Richard Marko, CEO of ESET, whose philanthropic arm – the ESET Foundation – is the organizer of the ESET Science Award.

Read more about the ESET Science Award and its laureates here.

ESET Research announces comprehensive report on Latin America’s threat landscape titled ‘Looking into TUT’s tomb: The universe of threats in LATAM’

  • ESET researchers announced their latest report on Operation King TUT (The Universe of Threats) in Latin America, where they analyzed more than a dozen operations and cybercriminal campaigns between 2019 and 2023.
  • The campaigns exhibit a high level of sophistication, specifically tailoring their approach to enterprise users and governments. 
  • The primary method used to target potential victims is via phishing emails; both the precision and specificity observed in these attacks point to a high level of targeting.

BRATISLAVA, BUENOS AIRES — October 17, 2023 — ESET Research announced today the release of the report “Looking into TUT’s tomb: The universe of threats in LATAM,” which analyzes more than a dozen operations and various cybercriminal campaigns in Latin America. With evolving targeting strategies and techniques, these campaigns exhibit a high level of sophistication, specifically tailoring their approaches to exploit enterprise users, including government sectors. The predominant method of compromising victims is through phishing emails that deliver multiple malicious components.

“Much like the life and mysterious demise of the ancient Egyptian pharaoh Tutankhamun, also known as King Tut, the threat landscape in Latin America remains shrouded in mystery. This is primarily due to limited global attention on evolving malicious campaigns within the region,” says ESET researcher Camilo Gutierrez, based in Buenos Aires, Argentina, who investigated the malicious campaigns. “With parallels to how archaeological excavations of King Tut’s tomb shed light on ancient Egyptian life, we embarked on a journey to delve into less-publicized cyberthreats affecting Latin American countries. Our initiative, named Operation King TUT (The Universe of Threats), sought to explore this significant threat landscape.”

In the paper, ESET Research looks back at various publicly documented campaigns targeting the LATAM region between 2019 and 2023; the vast majority of the detections surrounding these cybercriminal activities are in Latin America and are not associated with global crimeware. Since each of these operations has its own unique traits, and they don’t appear to be linked to a single threat actor, it’s highly likely that multiple actors are at play.

ESET analysis revealed a notable shift from simplistic, opportunistic crimeware to more complex threats. Notably, researchers have observed a transition in targeting, moving from a focus on the general public to high-profile users, including businesses and governmental entities. These threat actors continually update their tools, introducing different evasion techniques to increase the success of their campaigns. Furthermore, while the LATAM region contains the vast majority of victims, in some cases we have seen an expansion of these campaigns targeting countries outside the region, with the actors taking their crimeware business beyond Latin America and mirroring the pattern seen in banking trojans born in Brazil.

“Our comparison also shows that the majority of malicious campaigns seen in the region are directed at enterprise users, including government sectors, by primarily employing spearphishing emails to reach potential victims. Attackers often masquerade as recognized organizations within specific countries in the region, particularly government or tax entities,” says Gutierrez.

The precision and specificity observed in these attacks point to a high level of targeting, indicating that the threat actors have detailed knowledge about their intended victims. In these campaigns, attackers utilize malicious components like downloaders and droppers, mostly created in PowerShell and VBS. Regarding the tools used in these malicious operations in Latin America, ESET observations indicate a preference for remote access trojans.

For more technical information about “Operation King TUT: The universe of threats in LATAM,” read the blog post on WeLiveSecurity. Make sure to follow ESET Research on Twitter (today known as X) for the latest news from ESET Research.

Figure: Described cybercriminal activities were detected exclusively in LATAM countries


About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, points of sale, resellers, and partner companies, Version 2 Limited offers quality products and services that are highly acclaimed in the market. Its customers cover a wide spectrum that includes Global 1000 enterprises, regional listed companies, public utilities, government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.
