Latest news with #ESETResearch
Mid East Info
27-05-2025
- Business
- Mid East Info
ESET participates in operation to disrupt the infrastructure of Danabot infostealer - Middle East Business News and Information
ESET Research has been tracking Danabot's activity since 2018 as part of a global effort that resulted in a major disruption of the malware's infrastructure. While primarily developed as an infostealer, Danabot also has been used to distribute additional malware, including ransomware. Danabot's authors promote their toolset through underground forums and offer various rental options to potential affiliates. This ESET Research analysis covers the features used in the latest versions of the malware, the authors' business model, and an overview of the toolset offered to affiliates. Poland, Italy, Spain and Turkey are historically one of the most targeted countries by Danabot. ESET has participated in a major infrastructure disruption of the notorious infostealer, Danabot, by the US Department of Justice, the FBI, and US Department of Defense's Defense Criminal Investigative Service. U.S. agencies were working closely with Germany's Bundeskriminalamt, the Netherlands' National Police, and the Australian Federal Police . ESET took part in the effort alongside Amazon, CrowdStrike, Flashpoint, Google, Intel471, PayPal, Proofpoint, Team Cymru and Zscaler. ESET Research, which has been tracking Danabot since 2018, contributed assistance that included providing technical analysis of the malware and its backend infrastructure, as well as identifying Danabot's C&C servers. During that period, ESET analyzed various Danabot campaigns all over the world, with Poland, Italy, Spain and Turkey historically being one of the most targeted countries. The joint takedown effort also led to the identification of individuals responsible for Danabot development, sales, administration, and more. These law enforcement operations were conducted under Operation Endgame — an ongoing global initiative aimed at identifying, dismantling, and prosecuting cybercriminal networks. Coordinated by Europol and Eurojust, the operation successfully took down critical infrastructure used to deploy ransomware through malicious software. 'Since Danabot has been largely disrupted, we are using this opportunity to share our insights into the workings of this malware-as-a-service operation, covering the features used in the latest versions of the malware, the authors' business model, and an overview of the toolset offered to affiliates. Apart from exfiltrating sensitive data, we have observed that Danabot is also used to deliver further malware, which can include ransomware, to an already compromised system,' says ESET researcher Tomáš Procházka, who investigated Danabot. The authors of Danabot operate as a single group, offering their tool for rental to potential affiliates, who subsequently employ it for their malicious purposes by establishing and managing their own botnets. Danabot's authors have developed a vast variety of features to assist customers with their malevolent motives. The most prominent features offered by Danabot include: the ability to steal various data from browsers, mail clients, FTP clients, and other popular software; keylogging and screen recording; real-time remote control of the victims' systems; file grabbing (commonly used for stealing cryptocurrency wallets); support for Zeus-like webinjects and form grabbing; and arbitrary payload upload and execution. Besides utilizing its stealing capabilities, ESET Research has observed a variety of payloads being distributed via Danabot over the years. Furthermore, ESET has encountered instances of Danabot being used to download ransomware onto already compromised systems. In addition to typical cybercrime, Danabot has also been used in less conventional activities such as utilizing compromised machines for launching DDoS attacks… for example, a DDoS attack against Ukraine's Ministry of Defense soon after the Russian invasion of Ukraine. Throughout its existence, according to ESET monitoring, Danabot has been a tool of choice for many cybercriminals and each of them has used different means of distribution. Danabot's developers even partnered with the authors of several malware cryptors and loaders, and offered special pricing for a distribution bundle to their customers, helping them with the process. Recently, out of all distribution mechanisms ESET observed, the misuse of Google Ads to display seemingly relevant, but actually malicious, websites among the sponsored links in Google search results stands out as one of the most prominent methods to lure victims into downloading Danabot. The most popular ploy is packing the malware with legitimate software and offering such a package through bogus software sites or websites falsely promising users to help them find unclaimed funds. The latest addition to these social engineering techniques are deceptive websites offering solutions for fabricated computer issues, whose only purpose is to lure victims into execution of a malicious command secretly inserted into the user's clipboard. The typical toolset provided by Danabot's authors to their affiliates includes an administration panel application, a backconnect tool for real-time control of bots, and a proxy server application that relays the communications between the bots and the actual C&C server. Affiliates can choose from various options to generate new Danabot builds, and it's their responsibility to distribute these builds through their own campaigns. 'It remains to be seen whether Danabot can recover from the takedown. The blow will, however, surely be felt, since law enforcement managed to unmask several individuals involved in the malware's operations,' concludes Procházka. For technical overview of Danabot and insight into its operation, check out ESET Research blogpost: 'Danabot: Analyzing a fallen empire' on Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research. About ESET ESET® provides cutting-edge digital security to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of emerging global cyberthreats, both known and unknown— securing businesses, critical infrastructure, and individuals. Whether it's endpoint, cloud or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. The ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit or follow our social media, podcasts and blogs.
Business Upturn
22-05-2025
- Business
- Business Upturn
ESET participates in operation to disrupt the infrastructure of Danabot infostealer
ESET Research has been tracking Danabot's activity since 2018 as part of a global effort that resulted in a major disruption of the malware's infrastructure. While primarily developed as an infostealer, Danabot also has been used to distribute additional malware, including ransomware. Danabot's authors promote their toolset through underground forums and offer various rental options to potential affiliates. This ESET Research analysis covers the features used in the latest versions of the malware, the authors' business model, and an overview of the toolset offered to affiliates. Poland, Italy, Spain and Turkey are historically one of the most targeted countries by Danabot. PRAGUE and BRATISLAVA, Czech Republic, May 22, 2025 (GLOBE NEWSWIRE) — ESET has participated in a major infrastructure disruption of the notorious infostealer, Danabot, by the US Department of Justice, the FBI, and US Department of Defense's Defense Criminal Investigative Service. U.S. agencies were working closely with Germany's Bundeskriminalamt, the Netherlands' National Police, and the Australian Federal Police. ESET took part in the effort alongside Amazon, CrowdStrike, Flashpoint, Google, Intel471, PayPal, Proofpoint, Team Cymru and Zscaler. ESET Research, which has been tracking Danabot since 2018, contributed assistance that included providing technical analysis of the malware and its backend infrastructure, as well as identifying Danabot's C&C servers. During that period, ESET analyzed various Danabot campaigns all over the world, with Poland, Italy, Spain and Turkey historically being one of the most targeted countries. The joint takedown effort also led to the identification of individuals responsible for Danabot development, sales, administration, and more. 'Since Danabot has been largely disrupted, we are using this opportunity to share our insights into the workings of this malware-as-a-service operation, covering the features used in the latest versions of the malware, the authors' business model, and an overview of the toolset offered to affiliates. Apart from exfiltrating sensitive data, we have observed that Danabot is also used to deliver further malware, which can include ransomware, to an already compromised system,' says ESET researcher Tomáš Procházka, who investigated Danabot. The authors of Danabot operate as a single group, offering their tool for rental to potential affiliates, who subsequently employ it for their malicious purposes by establishing and managing their own botnets. Danabot's authors have developed a vast variety of features to assist customers with their malevolent motives. The most prominent features offered by Danabot include: the ability to steal various data from browsers, mail clients, FTP clients, and other popular software; keylogging and screen recording; real-time remote control of the victims' systems; file grabbing; support for Zeus-like webinjects and form grabbing; and arbitrary payload upload and execution. Besides utilizing its stealing capabilities, ESET Research has observed a variety of payloads being distributed via Danabot over the years. Furthermore, ESET has encountered instances of Danabot being used to download ransomware onto already compromised systems. In addition to typical cybercrime, Danabot has also been used in less conventional activities such as utilizing compromised machines for launching DDoS attacks… for example, a DDoS attack against Ukraine's Ministry of Defense soon after the Russian invasion of Ukraine. Throughout its existence, according to ESET monitoring, Danabot has been a tool of choice for many cybercriminals and each of them has used different means of distribution. Danabot's developers even partnered with the authors of several malware cryptors and loaders, and offered special pricing for a distribution bundle to their customers, helping them with the process. Recently, out of all distribution mechanisms ESET observed, the misuse of Google Ads to display seemingly relevant, but actually malicious, websites among the sponsored links in Google search results stands out as one of the most prominent methods to lure victims into downloading Danabot. The most popular ploy is packing the malware with legitimate software and offering such a package through bogus software sites or websites falsely promising users to help them find unclaimed funds. The latest addition to these social engineering techniques are deceptive websites offering solutions for fabricated computer issues, whose only purpose is to lure victims into execution of a malicious command secretly inserted into the user's clipboard. The typical toolset provided by Danabot's authors to their affiliates includes an administration panel application, a backconnect tool for real-time control of bots, and a proxy server application that relays the communications between the bots and the actual C&C server. Affiliates can choose from various options to generate new Danabot builds, and it's their responsibility to distribute these builds through their own campaigns. 'It remains to be seen whether Danabot can recover from the takedown. The blow will, however, surely be felt, since law enforcement managed to unmask several individuals involved in the malware's operations,' concludes Procházka. For technical overview of Danabot and insight into its operation, check out ESET Research blogpost: 'Danabot: Analyzing a fallen empire' on Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research. Worldwide Danabot detections as seen in ESET telemetry since 2018 About ESET ESET® provides cutting-edge digital security to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of emerging global cyberthreats, both known and unknown— securing businesses, critical infrastructure, and individuals. Whether it's endpoint, cloud, or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. The ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit or follow our social media, podcasts and blogs. A photo accompanying this announcement is available at Disclaimer: The above press release comes to you under an arrangement with GlobeNewswire. Business Upturn takes no editorial responsibility for the same.
Yahoo
22-05-2025
- Business
- Yahoo
ESET participates in operation to disrupt the infrastructure of Danabot infostealer
ESET Research has been tracking Danabot's activity since 2018 as part of a global effort that resulted in a major disruption of the malware's infrastructure. While primarily developed as an infostealer, Danabot also has been used to distribute additional malware, including ransomware. Danabot's authors promote their toolset through underground forums and offer various rental options to potential affiliates. This ESET Research analysis covers the features used in the latest versions of the malware, the authors' business model, and an overview of the toolset offered to affiliates. Poland, Italy, Spain and Turkey are historically one of the most targeted countries by Danabot. PRAGUE and BRATISLAVA, Czech Republic, May 22, 2025 (GLOBE NEWSWIRE) -- ESET has participated in a major infrastructure disruption of the notorious infostealer, Danabot, by the US Department of Justice, the FBI, and US Department of Defense's Defense Criminal Investigative Service. U.S. agencies were working closely with Germany's Bundeskriminalamt, the Netherlands' National Police, and the Australian Federal Police. ESET took part in the effort alongside Amazon, CrowdStrike, Flashpoint, Google, Intel471, PayPal, Proofpoint, Team Cymru and Zscaler. ESET Research, which has been tracking Danabot since 2018, contributed assistance that included providing technical analysis of the malware and its backend infrastructure, as well as identifying Danabot's C&C servers. During that period, ESET analyzed various Danabot campaigns all over the world, with Poland, Italy, Spain and Turkey historically being one of the most targeted countries. The joint takedown effort also led to the identification of individuals responsible for Danabot development, sales, administration, and more. 'Since Danabot has been largely disrupted, we are using this opportunity to share our insights into the workings of this malware-as-a-service operation, covering the features used in the latest versions of the malware, the authors' business model, and an overview of the toolset offered to affiliates. Apart from exfiltrating sensitive data, we have observed that Danabot is also used to deliver further malware, which can include ransomware, to an already compromised system,' says ESET researcher Tomáš Procházka, who investigated Danabot. The authors of Danabot operate as a single group, offering their tool for rental to potential affiliates, who subsequently employ it for their malicious purposes by establishing and managing their own botnets. Danabot's authors have developed a vast variety of features to assist customers with their malevolent motives. The most prominent features offered by Danabot include: the ability to steal various data from browsers, mail clients, FTP clients, and other popular software; keylogging and screen recording; real-time remote control of the victims' systems; file grabbing; support for Zeus-like webinjects and form grabbing; and arbitrary payload upload and execution. Besides utilizing its stealing capabilities, ESET Research has observed a variety of payloads being distributed via Danabot over the years. Furthermore, ESET has encountered instances of Danabot being used to download ransomware onto already compromised systems. In addition to typical cybercrime, Danabot has also been used in less conventional activities such as utilizing compromised machines for launching DDoS attacks... for example, a DDoS attack against Ukraine's Ministry of Defense soon after the Russian invasion of Ukraine. Throughout its existence, according to ESET monitoring, Danabot has been a tool of choice for many cybercriminals and each of them has used different means of distribution. Danabot's developers even partnered with the authors of several malware cryptors and loaders, and offered special pricing for a distribution bundle to their customers, helping them with the process. Recently, out of all distribution mechanisms ESET observed, the misuse of Google Ads to display seemingly relevant, but actually malicious, websites among the sponsored links in Google search results stands out as one of the most prominent methods to lure victims into downloading Danabot. The most popular ploy is packing the malware with legitimate software and offering such a package through bogus software sites or websites falsely promising users to help them find unclaimed funds. The latest addition to these social engineering techniques are deceptive websites offering solutions for fabricated computer issues, whose only purpose is to lure victims into execution of a malicious command secretly inserted into the user's clipboard. The typical toolset provided by Danabot's authors to their affiliates includes an administration panel application, a backconnect tool for real-time control of bots, and a proxy server application that relays the communications between the bots and the actual C&C server. Affiliates can choose from various options to generate new Danabot builds, and it's their responsibility to distribute these builds through their own campaigns. 'It remains to be seen whether Danabot can recover from the takedown. The blow will, however, surely be felt, since law enforcement managed to unmask several individuals involved in the malware's operations,' concludes Procházka. For technical overview of Danabot and insight into its operation, check out ESET Research blogpost: 'Danabot: Analyzing a fallen empire' on Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research. About ESET ESET® provides cutting-edge digital security to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of emerging global cyberthreats, both known and unknown— securing businesses, critical infrastructure, and individuals. Whether it's endpoint, cloud, or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. The ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit or follow our social media, podcasts and blogs. A photo accompanying this announcement is available at CONTACT: Media contact: Jessica Beffa 720-413-4938
Associated Press
30-04-2025
- Associated Press
ESET Research analyzes tools from the China-aligned TheWizards group, with targets across Asia and the Middle East
SAN DIEGO, April 30, 2025 (GLOBE NEWSWIRE) -- ESET researchers have analyzed Spellbinder, a lateral movement tool used to perform adversary-in-the-middle attacks by the China-aligned threat actor TheWizards. Spellbinder enables adversary-in-the-middle attacks through IPv6 stateless address autoconfiguration spoofing, which allows the attackers to redirect the update protocols of legitimate Chinese software to malicious servers. Then the legitimate software is tricked into downloading and executing the malicious components that launch the backdoor WizardNet. TheWizards has been constantly active since at least 2022 until the present and, according to ESET telemetry, targets individuals, gambling companies, and unknown entities in the Philippines, Cambodia, the United Arab Emirates, mainland China, and Hong Kong. 'We initially discovered and analyzed this tool in 2022, and observed a new version with a few changes that was deployed to compromised machines in 2023 and 2024,' says ESET researcher Facundo Muñoz, who analyzed Spellbinder and WizardNet. 'Our research led us to discover a tool used by the attackers that is designed to perform adversary-in-the-middle attacks using IPv6 SLAAC spoofing to intercept and reply to packets in a network, allowing the attackers to redirect traffic and serve malicious updates to legitimate Chinese software,' explains Muñoz. The final payload in the attack is a backdoor that we named WizardNet – a modular implant that connects to a remote controller to receive and execute .NET modules on the compromised machine. ESET researchers have focused on one of the latest cases, in 2024, in which the update of Tencent QQ software was hijacked. The malicious server that issues the update instructions is still active. This variant of WizardNet supports five commands, three of which allow it to execute .NET modules in memory, thus extending its functionality on the compromised system. TheWizards and the Chinese company Dianke Network Security Technology (also known as UPSEC) – supplier of the DarkNights backdoor (also known as DarkNimbus), appear to be linked. According to NCSC UK, this malicious backdoor also has Tibetan and Uyghur communities among its primary targets. While TheWizards uses a different backdoor – the WizardNet, the hijacking server is configured to serve DarkNights to updating applications running on Android devices. For a more detailed analysis and technical breakdown of TheWizards' tools, check out the latest ESET Research blogpost ' TheWizards APT group uses SLAAC spoofing to perform adversary-in-the-middle attacks ' on Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research. About ESET ESET® provides cutting-edge digital security to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of emerging global cyberthreats, both known and unknown — securing businesses, critical infrastructure and individuals. Whether it's endpoint, cloud or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. The ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit or follow our social media, podcasts and blogs. A photo accompanying this announcement is available at Media contact: Jessica Beffa [email protected] 720-413-4938
Zawya
24-03-2025
- Zawya
ESET research reveals Operation FishMedley
Verticals targeted during Operation FishMedley include governments, NGOs, and think tanks across Asia, Europe, and the United States. Operators used implants, such as ShadowPad, SodaMaster, and Spyder, that are common or exclusive to China-aligned threat actors. ESET assesses with high confidence that Operation FishMedley was conducted by the FishMonger APT group. Independent of the Department of Justice (DOJ) indictment, ESET Research confirms that FishMonger is operated by I-SOON. Dubai, UAE: The US Department of Justice (DOJ) recently unsealed an indictment against employees of the Chinese contractor I SOON for their involvement in multiple global espionage operations. Those include attacks that ESET Research previously documented in its Threat Intelligence reports and attributed to the FishMonger group — I-SOON's operational arm — including one involving seven organizations ESET identified as being targeted in a 2022 campaign that ESET named Operation FishMedley. Alongside the indictment, the FBI (which refers to FishMonger as Aquatic Panda) added those named to its Most Wanted list. The indictment describes several attacks that are strongly related to what we published in a private APT intelligence report in early 2023. Today, ESET Research shares technical knowledge about this global campaign that targeted governments, nongovernmental organizations (NGOs), and think tanks across Asia, Europe, and the United States. 'During 2022, ESET investigated several compromises where implants such as ShadowPad and SodaMaster, which are commonly employed by China-aligned threat actors, were used. We were able to cluster seven independent incidents for Operation FishMedley,' says ESET researcher Matthieu Faou, who investigated FishMonger's operation. 'During our research, we were able to independently confirm that FishMonger is an espionage team operated by I SOON, a Chinese contractor based in Chengdu that suffered an infamous document leak in 2024.' adds Faou. During 2022, in Operation FishMedley, FishMonger attacked governmental organizations in Taiwan and Thailand, Catholic charities in Hungary and the United States, an NGO in the United States, a geopolitical think tank in France, and an unknown organization in Turkey. These verticals and countries are diverse, but most are of obvious interest to the Chinese government. In most cases, the attackers seemed to have privileged access inside the local network, such as domain administrator credentials. Operators used implants, such as ShadowPad, SodaMaster, and Spyder, that are common or exclusive to China-aligned threat actors. Among other tools used by FishMonger in FishMedley are a custom password exfiltrating passwords; a tool used to interact with Dropbox, likely used to exfiltrate data from the victim's network; the fscan network scanner; and a NetBIOS scanner. FishMonger — a group operated by the Chinese contractor I SOON — falls under the Winnti Group umbrella and is most likely operating out of China, from the city of Chengdu, where I-SOON's office remains likely to be located. FishMonger is also known as Earth Lusca, TAG 22, Aquatic Panda, or Red Dev 10. ESET published an analysis of this group in early 2020 when it heavily targeted universities in Hong Kong during the civic protests that started in June 2019. The group is known to operate watering-hole attacks. FishMonger's toolset includes ShadowPad, Spyder, Cobalt Strike, FunnySwitch, SprySOCKS, and the BIOPASS RAT. For a more detailed analysis and technical breakdown of FishMonger's operation, FishMedley, check out the latest ESET Research blog post, 'Operation FishMedley,' on Make sure to follow ESET Research on Twitter (today known as X) for the latest news from ESET Research. About ESET ESET® provides cutting-edge digital security to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of known and emerging cyberthreats — securing businesses, critical infrastructure, and individuals. Whether it's endpoint, cloud or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. An ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit or follow us on LinkedIn, Facebook, and X. Media Contact Sanjeev Vistar Communications PO Box 127631 Dubai, UAE Email: sanjeev@
