Latest news with #ESET
Zawya
4 days ago
- Business
- Zawya
ESET participates in operation to disrupt the infrastructure of Danabot infostealer
While primarily developed as an infostealer, Danabot also has been used to distribute additional malware, including ransomware. Danabot's authors promote their toolset through underground forums and offer various rental options to potential affiliates. This ESET Research analysis covers the features used in the latest versions of the malware, the authors' business model, and an overview of the toolset offered to affiliates. Poland, Italy, Spain and Turkey are historically one of the most targeted countries by Danabot. Dubai, UAE: ESET has participated in a major infrastructure disruption of the notorious infostealer, Danabot, by the US Department of Justice, the FBI, and US Department of Defense's Defense Criminal Investigative Service. U.S. agencies were working closely with Germany's Bundeskriminalamt, the Netherlands' National Police, and the Australian Federal Police . ESET took part in the effort alongside Amazon, CrowdStrike, Flashpoint, Google, Intel471, PayPal, Proofpoint, Team Cymru and Zscaler. ESET Research, which has been tracking Danabot since 2018, contributed assistance that included providing technical analysis of the malware and its backend infrastructure, as well as identifying Danabot's C&C servers. During that period, ESET analyzed various Danabot campaigns all over the world, with Poland, Italy, Spain and Turkey historically being one of the most targeted countries. The joint takedown effort also led to the identification of individuals responsible for Danabot development, sales, administration, and more. These law enforcement operations were conducted under Operation Endgame — an ongoing global initiative aimed at identifying, dismantling, and prosecuting cybercriminal networks. Coordinated by Europol and Eurojust, the operation successfully took down critical infrastructure used to deploy ransomware through malicious software. 'Since Danabot has been largely disrupted, we are using this opportunity to share our insights into the workings of this malware-as-a-service operation, covering the features used in the latest versions of the malware, the authors' business model, and an overview of the toolset offered to affiliates. Apart from exfiltrating sensitive data, we have observed that Danabot is also used to deliver further malware, which can include ransomware, to an already compromised system,' says ESET researcher Tomáš Procházka, who investigated Danabot. The authors of Danabot operate as a single group, offering their tool for rental to potential affiliates, who subsequently employ it for their malicious purposes by establishing and managing their own botnets. Danabot's authors have developed a vast variety of features to assist customers with their malevolent motives. The most prominent features offered by Danabot include: the ability to steal various data from browsers, mail clients, FTP clients, and other popular software; keylogging and screen recording; real-time remote control of the victims' systems; file grabbing (commonly used for stealing cryptocurrency wallets); support for Zeus-like webinjects and form grabbing; and arbitrary payload upload and execution. Besides utilizing its stealing capabilities, ESET Research has observed a variety of payloads being distributed via Danabot over the years. Furthermore, ESET has encountered instances of Danabot being used to download ransomware onto already compromised systems. In addition to typical cybercrime, Danabot has also been used in less conventional activities such as utilizing compromised machines for launching DDoS attacks... for example, a DDoS attack against Ukraine's Ministry of Defense soon after the Russian invasion of Ukraine. Throughout its existence, according to ESET monitoring, Danabot has been a tool of choice for many cybercriminals and each of them has used different means of distribution. Danabot's developers even partnered with the authors of several malware cryptors and loaders, and offered special pricing for a distribution bundle to their customers, helping them with the process. Recently, out of all distribution mechanisms ESET observed, the misuse of Google Ads to display seemingly relevant, but actually malicious, websites among the sponsored links in Google search results stands out as one of the most prominent methods to lure victims into downloading Danabot. The most popular ploy is packing the malware with legitimate software and offering such a package through bogus software sites or websites falsely promising users to help them find unclaimed funds. The latest addition to these social engineering techniques are deceptive websites offering solutions for fabricated computer issues, whose only purpose is to lure victims into execution of a malicious command secretly inserted into the user's clipboard. The typical toolset provided by Danabot's authors to their affiliates includes an administration panel application, a backconnect tool for real-time control of bots, and a proxy server application that relays the communications between the bots and the actual C&C server. Affiliates can choose from various options to generate new Danabot builds, and it's their responsibility to distribute these builds through their own campaigns. 'It remains to be seen whether Danabot can recover from the takedown. The blow will, however, surely be felt, since law enforcement managed to unmask several individuals involved in the malware's operations,' concludes Procházka. For technical overview of Danabot and insight into its operation, check out ESET Research blogpost: 'Danabot: Analyzing a fallen empire' on Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research. About ESET ESET® provides cutting-edge digital security to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of emerging global cyberthreats, both known and unknown— securing businesses, critical infrastructure, and individuals. Whether it's endpoint, cloud or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. The ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit or follow our social media, podcasts and blogs. Media Contact Sanjeev Vistar Communications PO Box 127631 Dubai, UAE Email: sanjeev@
Channel Post MEA
4 days ago
- Business
- Channel Post MEA
ESET Plays Key Role in a Major International Operation to Disrupt Danabot
ESET has played a key role in a major international operation to disrupt Danabot, a notorious malware-as-a-service (MaaS) platform used to steal sensitive data and deliver ransomware. The coordinated takedown was led by the U.S. Department of Justice, the FBI, and the Defense Criminal Investigative Service, in partnership with Europol and global law enforcement agencies from Germany, the Netherlands, and Australia. ESET joined the effort alongside technology giants including Amazon, Google, CrowdStrike, Flashpoint, Intel471, PayPal, Proofpoint, Team Cymru, and Zscaler. ESET Research, which has tracked Danabot since 2018, provided in-depth technical analysis and helped identify the malware's command-and-control (C&C) servers and backend infrastructure. Danabot, historically active in countries such as Poland, Italy, Spain, and Turkey, operates as a single developer group offering its toolkit to affiliates. These affiliates deploy their own botnets to exfiltrate data, deliver further malware, and even launch DDoS attacks. ESET's Tomáš Procházka noted the malware's extensive features, including keylogging, browser and software credential theft, screen recording, remote system control, and payload delivery—often ransomware. The takedown is part of Operation Endgame, an ongoing initiative to dismantle cybercriminal infrastructure. Authorities also identified individuals involved in Danabot's development, sales, and operation, dealing a significant blow to its network. ESET reports that Danabot's authors had commercialized their toolkit by bundling it with malware loaders and cryptors, offering discounted distribution packages. One of the malware's most prominent infection tactics was the abuse of Google Ads to promote fake software sites, luring victims into downloading malware disguised as legitimate software. 'The scale of disruption to Danabot remains to be seen, but unmasking those behind it is a substantial victory for the cybersecurity community,' said Procházka. This operation marks a critical step in the global fight against organized cybercrime, with ESET reaffirming its commitment to collaboration and threat intelligence sharing. 0 0
Mid East Info
4 days ago
- Business
- Mid East Info
ESET participates in operation to disrupt the infrastructure of Danabot infostealer - Middle East Business News and Information
ESET Research has been tracking Danabot's activity since 2018 as part of a global effort that resulted in a major disruption of the malware's infrastructure. While primarily developed as an infostealer, Danabot also has been used to distribute additional malware, including ransomware. Danabot's authors promote their toolset through underground forums and offer various rental options to potential affiliates. This ESET Research analysis covers the features used in the latest versions of the malware, the authors' business model, and an overview of the toolset offered to affiliates. Poland, Italy, Spain and Turkey are historically one of the most targeted countries by Danabot. ESET has participated in a major infrastructure disruption of the notorious infostealer, Danabot, by the US Department of Justice, the FBI, and US Department of Defense's Defense Criminal Investigative Service. U.S. agencies were working closely with Germany's Bundeskriminalamt, the Netherlands' National Police, and the Australian Federal Police . ESET took part in the effort alongside Amazon, CrowdStrike, Flashpoint, Google, Intel471, PayPal, Proofpoint, Team Cymru and Zscaler. ESET Research, which has been tracking Danabot since 2018, contributed assistance that included providing technical analysis of the malware and its backend infrastructure, as well as identifying Danabot's C&C servers. During that period, ESET analyzed various Danabot campaigns all over the world, with Poland, Italy, Spain and Turkey historically being one of the most targeted countries. The joint takedown effort also led to the identification of individuals responsible for Danabot development, sales, administration, and more. These law enforcement operations were conducted under Operation Endgame — an ongoing global initiative aimed at identifying, dismantling, and prosecuting cybercriminal networks. Coordinated by Europol and Eurojust, the operation successfully took down critical infrastructure used to deploy ransomware through malicious software. 'Since Danabot has been largely disrupted, we are using this opportunity to share our insights into the workings of this malware-as-a-service operation, covering the features used in the latest versions of the malware, the authors' business model, and an overview of the toolset offered to affiliates. Apart from exfiltrating sensitive data, we have observed that Danabot is also used to deliver further malware, which can include ransomware, to an already compromised system,' says ESET researcher Tomáš Procházka, who investigated Danabot. The authors of Danabot operate as a single group, offering their tool for rental to potential affiliates, who subsequently employ it for their malicious purposes by establishing and managing their own botnets. Danabot's authors have developed a vast variety of features to assist customers with their malevolent motives. The most prominent features offered by Danabot include: the ability to steal various data from browsers, mail clients, FTP clients, and other popular software; keylogging and screen recording; real-time remote control of the victims' systems; file grabbing (commonly used for stealing cryptocurrency wallets); support for Zeus-like webinjects and form grabbing; and arbitrary payload upload and execution. Besides utilizing its stealing capabilities, ESET Research has observed a variety of payloads being distributed via Danabot over the years. Furthermore, ESET has encountered instances of Danabot being used to download ransomware onto already compromised systems. In addition to typical cybercrime, Danabot has also been used in less conventional activities such as utilizing compromised machines for launching DDoS attacks… for example, a DDoS attack against Ukraine's Ministry of Defense soon after the Russian invasion of Ukraine. Throughout its existence, according to ESET monitoring, Danabot has been a tool of choice for many cybercriminals and each of them has used different means of distribution. Danabot's developers even partnered with the authors of several malware cryptors and loaders, and offered special pricing for a distribution bundle to their customers, helping them with the process. Recently, out of all distribution mechanisms ESET observed, the misuse of Google Ads to display seemingly relevant, but actually malicious, websites among the sponsored links in Google search results stands out as one of the most prominent methods to lure victims into downloading Danabot. The most popular ploy is packing the malware with legitimate software and offering such a package through bogus software sites or websites falsely promising users to help them find unclaimed funds. The latest addition to these social engineering techniques are deceptive websites offering solutions for fabricated computer issues, whose only purpose is to lure victims into execution of a malicious command secretly inserted into the user's clipboard. The typical toolset provided by Danabot's authors to their affiliates includes an administration panel application, a backconnect tool for real-time control of bots, and a proxy server application that relays the communications between the bots and the actual C&C server. Affiliates can choose from various options to generate new Danabot builds, and it's their responsibility to distribute these builds through their own campaigns. 'It remains to be seen whether Danabot can recover from the takedown. The blow will, however, surely be felt, since law enforcement managed to unmask several individuals involved in the malware's operations,' concludes Procházka. For technical overview of Danabot and insight into its operation, check out ESET Research blogpost: 'Danabot: Analyzing a fallen empire' on Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research. About ESET ESET® provides cutting-edge digital security to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of emerging global cyberthreats, both known and unknown— securing businesses, critical infrastructure, and individuals. Whether it's endpoint, cloud or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. The ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit or follow our social media, podcasts and blogs.
Business Upturn
22-05-2025
- Business
- Business Upturn
ESET participates in operation to disrupt the infrastructure of Danabot infostealer
ESET Research has been tracking Danabot's activity since 2018 as part of a global effort that resulted in a major disruption of the malware's infrastructure. While primarily developed as an infostealer, Danabot also has been used to distribute additional malware, including ransomware. Danabot's authors promote their toolset through underground forums and offer various rental options to potential affiliates. This ESET Research analysis covers the features used in the latest versions of the malware, the authors' business model, and an overview of the toolset offered to affiliates. Poland, Italy, Spain and Turkey are historically one of the most targeted countries by Danabot. PRAGUE and BRATISLAVA, Czech Republic, May 22, 2025 (GLOBE NEWSWIRE) — ESET has participated in a major infrastructure disruption of the notorious infostealer, Danabot, by the US Department of Justice, the FBI, and US Department of Defense's Defense Criminal Investigative Service. U.S. agencies were working closely with Germany's Bundeskriminalamt, the Netherlands' National Police, and the Australian Federal Police. ESET took part in the effort alongside Amazon, CrowdStrike, Flashpoint, Google, Intel471, PayPal, Proofpoint, Team Cymru and Zscaler. ESET Research, which has been tracking Danabot since 2018, contributed assistance that included providing technical analysis of the malware and its backend infrastructure, as well as identifying Danabot's C&C servers. During that period, ESET analyzed various Danabot campaigns all over the world, with Poland, Italy, Spain and Turkey historically being one of the most targeted countries. The joint takedown effort also led to the identification of individuals responsible for Danabot development, sales, administration, and more. 'Since Danabot has been largely disrupted, we are using this opportunity to share our insights into the workings of this malware-as-a-service operation, covering the features used in the latest versions of the malware, the authors' business model, and an overview of the toolset offered to affiliates. Apart from exfiltrating sensitive data, we have observed that Danabot is also used to deliver further malware, which can include ransomware, to an already compromised system,' says ESET researcher Tomáš Procházka, who investigated Danabot. The authors of Danabot operate as a single group, offering their tool for rental to potential affiliates, who subsequently employ it for their malicious purposes by establishing and managing their own botnets. Danabot's authors have developed a vast variety of features to assist customers with their malevolent motives. The most prominent features offered by Danabot include: the ability to steal various data from browsers, mail clients, FTP clients, and other popular software; keylogging and screen recording; real-time remote control of the victims' systems; file grabbing; support for Zeus-like webinjects and form grabbing; and arbitrary payload upload and execution. Besides utilizing its stealing capabilities, ESET Research has observed a variety of payloads being distributed via Danabot over the years. Furthermore, ESET has encountered instances of Danabot being used to download ransomware onto already compromised systems. In addition to typical cybercrime, Danabot has also been used in less conventional activities such as utilizing compromised machines for launching DDoS attacks… for example, a DDoS attack against Ukraine's Ministry of Defense soon after the Russian invasion of Ukraine. Throughout its existence, according to ESET monitoring, Danabot has been a tool of choice for many cybercriminals and each of them has used different means of distribution. Danabot's developers even partnered with the authors of several malware cryptors and loaders, and offered special pricing for a distribution bundle to their customers, helping them with the process. Recently, out of all distribution mechanisms ESET observed, the misuse of Google Ads to display seemingly relevant, but actually malicious, websites among the sponsored links in Google search results stands out as one of the most prominent methods to lure victims into downloading Danabot. The most popular ploy is packing the malware with legitimate software and offering such a package through bogus software sites or websites falsely promising users to help them find unclaimed funds. The latest addition to these social engineering techniques are deceptive websites offering solutions for fabricated computer issues, whose only purpose is to lure victims into execution of a malicious command secretly inserted into the user's clipboard. The typical toolset provided by Danabot's authors to their affiliates includes an administration panel application, a backconnect tool for real-time control of bots, and a proxy server application that relays the communications between the bots and the actual C&C server. Affiliates can choose from various options to generate new Danabot builds, and it's their responsibility to distribute these builds through their own campaigns. 'It remains to be seen whether Danabot can recover from the takedown. The blow will, however, surely be felt, since law enforcement managed to unmask several individuals involved in the malware's operations,' concludes Procházka. For technical overview of Danabot and insight into its operation, check out ESET Research blogpost: 'Danabot: Analyzing a fallen empire' on Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research. Worldwide Danabot detections as seen in ESET telemetry since 2018 About ESET ESET® provides cutting-edge digital security to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of emerging global cyberthreats, both known and unknown— securing businesses, critical infrastructure, and individuals. Whether it's endpoint, cloud, or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. The ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit or follow our social media, podcasts and blogs. A photo accompanying this announcement is available at Disclaimer: The above press release comes to you under an arrangement with GlobeNewswire. Business Upturn takes no editorial responsibility for the same.
Mid East Info
22-05-2025
- Business
- Mid East Info
ESET Research APT Report: Russian cyberattacks in Ukraine intensify; Sandworm unleashes new destructive wiper
ESET has released its latest advanced persistent threat (APT) report. Russian APT groups intensified attacks against Ukraine and the EU, exploiting zero-day vulnerabilities and deploying wipers. China-aligned groups like Mustang Panda and DigitalRecyclers continued their espionage campaigns targeting the EU government and maritime sectors. North Korea-aligned groups expanded their financially motivated campaigns using fake job listings and social engineering. ESET Research has released its latest APT Activity Report, which highlights activities of select APT groups that were documented by ESET researchers from October 2024 through March 2025. During the monitored period, Russia-aligned threat actors, notably Sednit and Gamaredon, maintained aggressive campaigns primarily targeting Ukraine and EU countries. Ukraine was subjected to the greatest intensity of cyberattacks against the country's critical infrastructure and governmental institutions. The Russia-aligned Sandworm group intensified destructive operations against Ukrainian energy companies, deploying a new wiper named ZEROLOT. China-aligned threat actors continued engaging in persistent espionage campaigns with a focus on European organizations. Gamaredon remained the most prolific actor targeting Ukraine, enhancing malware obfuscation and introducing PteroBox, a file stealer leveraging Dropbox. 'The infamous Sandworm group concentrated heavily on compromising Ukrainian energy infrastructure. In recent cases, it deployed the ZEROLOT wiper in Ukraine. For this, the attackers abused Active Directory Group Policy in the affected organizations,' says ESET Director of Threat Research Jean-Ian Boutin. Sednit refined its exploitation of cross-site scripting vulnerabilities in webmail services, expanding Operation RoundPress from Roundcube to include Horde, MDaemon, and Zimbra. ESET discovered that the group successfully leveraged a zero-day vulnerability in MDaemon Email Server (CVE-2024-11182) against Ukrainian companies. Several Sednit attacks against defense companies located in Bulgaria and Ukraine used spearphishing email campaigns as a lure. Another Russia-aligned group, RomCom, demonstrated advanced capabilities by deploying zero-day exploits against Mozilla Firefox (CVE 2024 9680) and Microsoft Windows (CVE 2024 49039). In Asia, China-aligned APT groups continued their campaigns against governmental and academic institutions. At the same time, North Korea-aligned threat actors significantly increased their operations directed at South Korea, placing particular emphasis on individuals, private companies, embassies, and diplomatic personnel. Mustang Panda remained the most active, targeting governmental institutions and maritime transportation companies via Korplug loaders and malicious USB drives. DigitalRecyclers continued targeting EU governmental entities, employing the KMA VPN anonymization network and deploying the RClient, HydroRShell, and GiftBox backdoors. PerplexedGoblin used its new espionage backdoor, which ESET named NanoSlate, against a Central European government entity, while Webworm targeted a Serbian government organization using SoftEther VPN, emphasizing the continued popularity of this tool among China-aligned groups. Elsewhere in Asia, North Korea-aligned threat actors were particularly active in financially motivated campaigns. DeceptiveDevelopment significantly broadened its targeting, using fake job listings primarily within the cryptocurrency, blockchain, and finance sectors. The group employed innovative social engineering techniques to distribute the multiplatform WeaselStore malware. The Bybit cryptocurrency theft, attributed by the FBI to TraderTraitor APT group, involved a supply-chain compromise of Safe{Wallet} that caused losses of approximately USD 1.5 billion. Meanwhile, other North Korea-aligned groups saw fluctuations in their operational tempo: In early 2025, Kimsuky and Konni returned to their usual activity levels after a noticeable decline at the end of 2024, shifting their targeting away from English-speaking think tanks, NGOs, and North Korea experts to focus primarily on South Korean entities and diplomatic personnel; and Andariel resurfaced, after a year of inactivity, with a sophisticated attack against a South Korean industrial software company. Iran-aligned APT groups maintained their primary focus on the Middle East region, predominantly targeting governmental organizations and entities within the manufacturing and engineering sectors in Israel. Additionally, ESET observed a significant global uptick in cyberattacks against technology companies, largely attributed to increased activity by North Korea-aligned DeceptiveDevelopment. 'The highlighted operations are representative of the broader threat landscape that we investigated during this period. They illustrate the key trends and developments, and contain only a small fraction of the cybersecurity intelligence data provided to customers of ESET APT reports,' adds Boutin. Intelligence shared in the private reports is primarily based on proprietary ESET telemetry data and has been verified by ESET researchers, who prepare in-depth technical reports and frequent activity updates detailing activities of specific APT groups. These threat intelligence analyses, known as ESET APT Reports PREMIUM, assist organizations tasked with protecting citizens, critical national infrastructure, and high-value assets from criminal and nation-state-directed cyberattacks. More information about ESET APT Reports PREMIUM and its delivery of high-quality, actionable tactical and strategic cybersecurity threat intelligence is available at the ESET Threat Intelligence page. Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research. About ESET ESET® provides cutting-edge digital security to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of emerging global cyberthreats, both known and unknown— securing businesses, critical infrastructure, and individuals. Whether it's endpoint, cloud or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. The ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit or follow our social media, podcasts and blogs.
