Latest news with #NorthKorea-aligned
Mid East Info
22-05-2025
- Business
- Mid East Info
ESET Research APT Report: Russian cyberattacks in Ukraine intensify; Sandworm unleashes new destructive wiper
ESET has released its latest advanced persistent threat (APT) report. Russian APT groups intensified attacks against Ukraine and the EU, exploiting zero-day vulnerabilities and deploying wipers. China-aligned groups like Mustang Panda and DigitalRecyclers continued their espionage campaigns targeting the EU government and maritime sectors. North Korea-aligned groups expanded their financially motivated campaigns using fake job listings and social engineering. ESET Research has released its latest APT Activity Report, which highlights activities of select APT groups that were documented by ESET researchers from October 2024 through March 2025. During the monitored period, Russia-aligned threat actors, notably Sednit and Gamaredon, maintained aggressive campaigns primarily targeting Ukraine and EU countries. Ukraine was subjected to the greatest intensity of cyberattacks against the country's critical infrastructure and governmental institutions. The Russia-aligned Sandworm group intensified destructive operations against Ukrainian energy companies, deploying a new wiper named ZEROLOT. China-aligned threat actors continued engaging in persistent espionage campaigns with a focus on European organizations. Gamaredon remained the most prolific actor targeting Ukraine, enhancing malware obfuscation and introducing PteroBox, a file stealer leveraging Dropbox. 'The infamous Sandworm group concentrated heavily on compromising Ukrainian energy infrastructure. In recent cases, it deployed the ZEROLOT wiper in Ukraine. For this, the attackers abused Active Directory Group Policy in the affected organizations,' says ESET Director of Threat Research Jean-Ian Boutin. Sednit refined its exploitation of cross-site scripting vulnerabilities in webmail services, expanding Operation RoundPress from Roundcube to include Horde, MDaemon, and Zimbra. ESET discovered that the group successfully leveraged a zero-day vulnerability in MDaemon Email Server (CVE-2024-11182) against Ukrainian companies. Several Sednit attacks against defense companies located in Bulgaria and Ukraine used spearphishing email campaigns as a lure. Another Russia-aligned group, RomCom, demonstrated advanced capabilities by deploying zero-day exploits against Mozilla Firefox (CVE 2024 9680) and Microsoft Windows (CVE 2024 49039). In Asia, China-aligned APT groups continued their campaigns against governmental and academic institutions. At the same time, North Korea-aligned threat actors significantly increased their operations directed at South Korea, placing particular emphasis on individuals, private companies, embassies, and diplomatic personnel. Mustang Panda remained the most active, targeting governmental institutions and maritime transportation companies via Korplug loaders and malicious USB drives. DigitalRecyclers continued targeting EU governmental entities, employing the KMA VPN anonymization network and deploying the RClient, HydroRShell, and GiftBox backdoors. PerplexedGoblin used its new espionage backdoor, which ESET named NanoSlate, against a Central European government entity, while Webworm targeted a Serbian government organization using SoftEther VPN, emphasizing the continued popularity of this tool among China-aligned groups. Elsewhere in Asia, North Korea-aligned threat actors were particularly active in financially motivated campaigns. DeceptiveDevelopment significantly broadened its targeting, using fake job listings primarily within the cryptocurrency, blockchain, and finance sectors. The group employed innovative social engineering techniques to distribute the multiplatform WeaselStore malware. The Bybit cryptocurrency theft, attributed by the FBI to TraderTraitor APT group, involved a supply-chain compromise of Safe{Wallet} that caused losses of approximately USD 1.5 billion. Meanwhile, other North Korea-aligned groups saw fluctuations in their operational tempo: In early 2025, Kimsuky and Konni returned to their usual activity levels after a noticeable decline at the end of 2024, shifting their targeting away from English-speaking think tanks, NGOs, and North Korea experts to focus primarily on South Korean entities and diplomatic personnel; and Andariel resurfaced, after a year of inactivity, with a sophisticated attack against a South Korean industrial software company. Iran-aligned APT groups maintained their primary focus on the Middle East region, predominantly targeting governmental organizations and entities within the manufacturing and engineering sectors in Israel. Additionally, ESET observed a significant global uptick in cyberattacks against technology companies, largely attributed to increased activity by North Korea-aligned DeceptiveDevelopment. 'The highlighted operations are representative of the broader threat landscape that we investigated during this period. They illustrate the key trends and developments, and contain only a small fraction of the cybersecurity intelligence data provided to customers of ESET APT reports,' adds Boutin. Intelligence shared in the private reports is primarily based on proprietary ESET telemetry data and has been verified by ESET researchers, who prepare in-depth technical reports and frequent activity updates detailing activities of specific APT groups. These threat intelligence analyses, known as ESET APT Reports PREMIUM, assist organizations tasked with protecting citizens, critical national infrastructure, and high-value assets from criminal and nation-state-directed cyberattacks. More information about ESET APT Reports PREMIUM and its delivery of high-quality, actionable tactical and strategic cybersecurity threat intelligence is available at the ESET Threat Intelligence page. Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research. About ESET ESET® provides cutting-edge digital security to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of emerging global cyberthreats, both known and unknown— securing businesses, critical infrastructure, and individuals. Whether it's endpoint, cloud or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. The ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit or follow our social media, podcasts and blogs.
Channel Post MEA
21-05-2025
- Channel Post MEA
ESET APT Report Unveils Intensified Russian Cyberattacks on Ukraine
ESET Research has released its latest APT Activity Report, which highlights activities of select APT groups that were documented by ESET researchers from October 2024 through March 2025. During the monitored period, Russia-aligned threat actors, notably Sednit and Gamaredon, maintained aggressive campaigns primarily targeting Ukraine and EU countries. Ukraine was subjected to the greatest intensity of cyberattacks against the country's critical infrastructure and governmental institutions. The Russia-aligned Sandworm group intensified destructive operations against Ukrainian energy companies, deploying a new wiper named ZEROLOT. China-aligned threat actors continued engaging in persistent espionage campaigns with a focus on European organizations. Gamaredon remained the most prolific actor targeting Ukraine, enhancing malware obfuscation and introducing PteroBox, a file stealer leveraging Dropbox. 'The infamous Sandworm group concentrated heavily on compromising Ukrainian energy infrastructure. In recent cases, it deployed the ZEROLOT wiper in Ukraine. For this, the attackers abused Active Directory Group Policy in the affected organizations,' says ESET Director of Threat Research Jean-Ian Boutin. Sednit refined its exploitation of cross-site scripting vulnerabilities in webmail services, expanding Operation RoundPress from Roundcube to include Horde, MDaemon, and Zimbra. ESET discovered that the group successfully leveraged a zero-day vulnerability in MDaemon Email Server (CVE-2024-11182) against Ukrainian companies. Several Sednit attacks against defense companies located in Bulgaria and Ukraine used spearphishing email campaigns as a lure. Another Russia-aligned group, RomCom, demonstrated advanced capabilities by deploying zero-day exploits against Mozilla Firefox (CVE 2024 9680) and Microsoft Windows (CVE 2024 49039). In Asia, China-aligned APT groups continued their campaigns against governmental and academic institutions. At the same time, North Korea-aligned threat actors significantly increased their operations directed at South Korea, placing particular emphasis on individuals, private companies, embassies, and diplomatic personnel. Mustang Panda remained the most active, targeting governmental institutions and maritime transportation companies via Korplug loaders and malicious USB drives. DigitalRecyclers continued targeting EU governmental entities, employing the KMA VPN anonymization network and deploying the RClient, HydroRShell, and GiftBox backdoors. PerplexedGoblin used its new espionage backdoor, which ESET named NanoSlate, against a Central European government entity, while Webworm targeted a Serbian government organization using SoftEther VPN, emphasizing the continued popularity of this tool among China-aligned groups. Elsewhere in Asia, North Korea-aligned threat actors were particularly active in financially motivated campaigns. DeceptiveDevelopment significantly broadened its targeting, using fake job listings primarily within the cryptocurrency, blockchain, and finance sectors. The group employed innovative social engineering techniques to distribute the multiplatform WeaselStore malware. The Bybit cryptocurrency theft, attributed by the FBI to TraderTraitor APT group, involved a supply-chain compromise of Safe{Wallet} that caused losses of approximately USD 1.5 billion. Meanwhile, other North Korea-aligned groups saw fluctuations in their operational tempo: In early 2025, Kimsuky and Konni returned to their usual activity levels after a noticeable decline at the end of 2024, shifting their targeting away from English-speaking think tanks, NGOs, and North Korea experts to focus primarily on South Korean entities and diplomatic personnel; and Andariel resurfaced, after a year of inactivity, with a sophisticated attack against a South Korean industrial software company. Iran-aligned APT groups maintained their primary focus on the Middle East region, predominantly targeting governmental organizations and entities within the manufacturing and engineering sectors in Israel. Additionally, ESET observed a significant global uptick in cyberattacks against technology companies, largely attributed to increased activity by North Korea-aligned DeceptiveDevelopment. 'The highlighted operations are representative of the broader threat landscape that we investigated during this period. They illustrate the key trends and developments, and contain only a small fraction of the cybersecurity intelligence data provided to customers of ESET APT reports,' adds Boutin. Intelligence shared in the private reports is primarily based on proprietary ESET telemetry data and has been verified by ESET researchers, who prepare in-depth technical reports and frequent activity updates detailing activities of specific APT groups. These threat intelligence analyses, known as ESET APT Reports PREMIUM, assist organizations tasked with protecting citizens, critical national infrastructure, and high-value assets from criminal and nation-state-directed cyberattacks. More information about ESET APT Reports PREMIUM and its delivery of high-quality, actionable tactical and strategic cybersecurity threat intelligence is available at the ESET Threat Intelligence page. 0 0
Yahoo
20-05-2025
- Yahoo
ESET Research APT Report: Russian cyberattacks in Ukraine intensify; Sandworm unleashes new destructive wiper
ESET APT Report ESET has released its latest advanced persistent threat (APT) report. Russian APT groups intensified attacks against Ukraine and the EU, exploiting zero-day vulnerabilities and deploying wipers. China-aligned groups like Mustang Panda and DigitalRecyclers continued their espionage campaigns targeting the EU government and maritime sectors. North Korea-aligned groups expanded their financially motivated campaigns using fake job listings and social engineering. BRATISLAVA, Slovakia, May 20, 2025 (GLOBE NEWSWIRE) -- ESET Research has released its latest APT Activity Report, which highlights activities of select APT groups that were documented by ESET researchers from October 2024 through March 2025. During the monitored period, Russia-aligned threat actors, notably Sednit and Gamaredon, maintained aggressive campaigns primarily targeting Ukraine and EU countries. Ukraine was subjected to the greatest intensity of cyberattacks against the country's critical infrastructure and governmental institutions. The Russia-aligned Sandworm group intensified destructive operations against Ukrainian energy companies, deploying a new wiper named ZEROLOT. China-aligned threat actors continued engaging in persistent espionage campaigns with a focus on European organizations. Gamaredon remained the most prolific actor targeting Ukraine, enhancing malware obfuscation and introducing PteroBox, a file stealer leveraging Dropbox. 'The infamous Sandworm group concentrated heavily on compromising Ukrainian energy infrastructure. In recent cases, it deployed the ZEROLOT wiper in Ukraine. For this, the attackers abused Active Directory Group Policy in the affected organizations,' says ESET Director of Threat Research Jean-Ian Boutin. Sednit refined its exploitation of cross-site scripting vulnerabilities in webmail services, expanding Operation RoundPress from Roundcube to include Horde, MDaemon, and Zimbra. ESET discovered that the group successfully leveraged a zero-day vulnerability in MDaemon Email Server (CVE-2024-11182) against Ukrainian companies. Several Sednit attacks against defense companies located in Bulgaria and Ukraine used spearphishing email campaigns as a lure. Another Russia-aligned group, RomCom, demonstrated advanced capabilities by deploying zero-day exploits against Mozilla Firefox (CVE 2024 9680) and Microsoft Windows (CVE 2024 49039). In Asia, China-aligned APT groups continued their campaigns against governmental and academic institutions. At the same time, North Korea-aligned threat actors significantly increased their operations directed at South Korea, placing particular emphasis on individuals, private companies, embassies, and diplomatic personnel. Mustang Panda remained the most active, targeting governmental institutions and maritime transportation companies via Korplug loaders and malicious USB drives. DigitalRecyclers continued targeting EU governmental entities, employing the KMA VPN anonymization network and deploying the RClient, HydroRShell, and GiftBox backdoors. PerplexedGoblin used its new espionage backdoor, which ESET named NanoSlate, against a Central European government entity, while Webworm targeted a Serbian government organization using SoftEther VPN, emphasizing the continued popularity of this tool among China-aligned groups. Elsewhere in Asia, North Korea-aligned threat actors were particularly active in financially motivated campaigns. DeceptiveDevelopment significantly broadened its targeting, using fake job listings primarily within the cryptocurrency, blockchain, and finance sectors. The group employed innovative social engineering techniques to distribute the multiplatform WeaselStore malware. The Bybit cryptocurrency theft, attributed by the FBI to TraderTraitor APT group, involved a supply-chain compromise of Safe{Wallet} that caused losses of approximately USD 1.5 billion. Meanwhile, other North Korea-aligned groups saw fluctuations in their operational tempo: In early 2025, Kimsuky and Konni returned to their usual activity levels after a noticeable decline at the end of 2024, shifting their targeting away from English-speaking think tanks, NGOs, and North Korea experts to focus primarily on South Korean entities and diplomatic personnel; and Andariel resurfaced, after a year of inactivity, with a sophisticated attack against a South Korean industrial software company. Iran-aligned APT groups maintained their primary focus on the Middle East region, predominantly targeting governmental organizations and entities within the manufacturing and engineering sectors in Israel. Additionally, ESET observed a significant global uptick in cyberattacks against technology companies, largely attributed to increased activity by North Korea-aligned DeceptiveDevelopment. 'The highlighted operations are representative of the broader threat landscape that we investigated during this period. They illustrate the key trends and developments, and contain only a small fraction of the cybersecurity intelligence data provided to customers of ESET APT reports,' adds Boutin. Intelligence shared in the private reports is primarily based on proprietary ESET telemetry data and has been verified by ESET researchers, who prepare in-depth technical reports and frequent activity updates detailing activities of specific APT groups. These threat intelligence analyses, known as ESET APT Reports PREMIUM, assist organizations tasked with protecting citizens, critical national infrastructure, and high-value assets from criminal and nation-state-directed cyberattacks. More information about ESET APT Reports PREMIUM and its delivery of high-quality, actionable tactical and strategic cybersecurity threat intelligence is available at the ESET Threat Intelligence page. Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research. About ESET ESET® provides cutting-edge digital security to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of emerging global cyberthreats, both known and unknown — securing businesses, critical infrastructure, and individuals. Whether it's endpoint, cloud, or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. The ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit or follow our social media, podcasts and blogs. A photo accompanying this announcement is available at: CONTACT: Media contact: Jessica Beffa 720-413-4938Sign in to access your portfolio
Mid East Info
27-02-2025
- Mid East Info
North Korea-aligned DeceptiveDevelopment targets freelance developers with infostealers, ESET Research discovers
Since 2024, ESET researchers have observed a series of malicious North Korea-aligned activities, where the operators, posing as software development recruiters, entice the victims with fake employment offers. Subsequently, they try to serve their targets with software projects that conceal infostealing malware. ESET Research calls this activity cluster DeceptiveDevelopment. This North Korea-aligned activity is currently not attributed by ESET to any known threat actor. It targets freelance software developers through spearphishing on job-hunting and freelancing sites, aiming to steal cryptocurrency wallets and login information from browsers and password managers. 'As part of a fake job interview process, the DeceptiveDevelopment operators ask their targets to take a coding test, such as adding a feature to an existing project, with the files necessary for the task usually hosted on private repositories on GitHub or other similar platforms. Unfortunately for the eager work candidate, these files are trojanized: Once they download and execute the project, the victim's computer gets compromised,' explains ESET researcher Matěj Havránek, who made the discovery and analyzed DeceptiveDevelopment. DeceptiveDevelopment's tactics, techniques, and procedures are similar to several other known North Korea-aligned operations. Operators behind DeceptiveDevelopment target software developers on Windows, Linux, and macOS. They steal cryptocurrency primarily for financial gain, with a possible secondary objective of cyberespionage. To approach their targets, these operators use fake recruiter profiles on social media. The attackers don't distinguish based on geographical location, instead aiming to compromise as many victims as possible to increase the likelihood of successfully extracting funds and information. DeceptiveDevelopment primarily uses two malware families as part of its activities, delivered in two stages. In the first stage, BeaverTail (infostealer, downloader) acts as a simple login stealer, extracting browser databases containing saved logins, and as a downloader for the second stage, InvisibleFerret (infostealer, RAT), which includes spyware and backdoor components, and is also capable of downloading the legitimate AnyDesk remote management and monitoring software for post-compromise activities. In order to pose as recruiters, the attackers copy profiles of existing people or even construct new personas. They then either directly approach their potential victims on job-hunting and freelancing platforms, or post fake job listings there. While some of these profiles are set up by the attackers themselves, others are potentially compromised profiles of real people on the platform, modified by the attackers. Some of the platforms where these interactions occur are generic job-hunting ones, while others focus primarily on cryptocurrency and blockchain projects and are thus more in line with the attackers' goals. The platforms include LinkedIn, Upwork, We Work Remotely, Moonlight, and Crypto Jobs List. Victims receive the project files either directly via file transfer on the site, or through a link to a repository like GitHub, GitLab, or Bitbucket. They are asked to download the files, add features or fix bugs, and report back to the recruiter. Additionally, they are instructed to build and execute the project in order to test it, which is where the initial compromise happens. The attackers often use a clever trick to hide their malicious code: They place it in an otherwise benign component of the project, usually within backend code unrelated to the task given to the developer, where they append it as a single line behind a long comment. This way, it is moved off-screen and stays mostly hidden. 'The DeceptiveDevelopment cluster is an addition to an already large collection of money-making schemes employed by North Korea-aligned actors and conforms to an ongoing trend of shifting focus from traditional money to cryptocurrencies,' concludes Havránek. For a more detailed analysis and technical breakdown of DeceptiveDevelopment, check out the latest ESET Research blogpost, 'DeceptiveDevelopment targets freelance developers,' on Make sure to follow ESET Research on Twitter (today known as X) for the latest news from ESET Research.
Channel Post MEA
27-02-2025
- Channel Post MEA
North Korea-aligned DeceptiveDevelopment Targets Freelance Developers with Infostealers
ESET researchers have observed a series of malicious North Korea-aligned activities. The operators, posing as software development recruiters, entice the victims with fake employment offers. Subsequently, they try to serve their targets with software projects that conceal info-stealing malware. ESET Research calls this activity cluster DeceptiveDevelopment. This North Korea-aligned activity is currently not attributed by ESET to any known threat actor. It targets freelance software developers through spearphishing on job-hunting and freelancing sites, aiming to steal cryptocurrency wallets and login information from browsers and password managers. 'As part of a fake job interview process, the DeceptiveDevelopment operators ask their targets to take a coding test, such as adding a feature to an existing project, with the files necessary for the task usually hosted on private repositories on GitHub or other similar platforms. Unfortunately for the eager work candidate, these files are trojanized: Once they download and execute the project, the victim's computer gets compromised,' explains ESET researcher Matěj Havránek, who made the discovery and analyzed DeceptiveDevelopment. DeceptiveDevelopment's tactics, techniques, and procedures are similar to several other known North Korea-aligned operations. Operators behind DeceptiveDevelopment target software developers on Windows, Linux, and macOS. They steal cryptocurrency primarily for financial gain, with a possible secondary objective of cyberespionage. To approach their targets, these operators use fake recruiter profiles on social media. The attackers don't distinguish based on geographical location, instead aiming to compromise as many victims as possible to increase the likelihood of successfully extracting funds and information. DeceptiveDevelopment primarily uses two malware families as part of its activities, delivered in two stages. In the first stage, BeaverTail (infostealer, downloader) acts as a simple login stealer, extracting browser databases containing saved logins, and as a downloader for the second stage, InvisibleFerret (infostealer, RAT), which includes spyware and backdoor components, and is also capable of downloading the legitimate AnyDesk remote management and monitoring software for post-compromise activities. In order to pose as recruiters, the attackers copy profiles of existing people or even construct new personas. They then either directly approach their potential victims on job-hunting and freelancing platforms, or post fake job listings there. While some of these profiles are set up by the attackers themselves, others are potentially compromised profiles of real people on the platform, modified by the attackers. Some of the platforms where these interactions occur are generic job-hunting ones, while others focus primarily on cryptocurrency and blockchain projects and are thus more in line with the attackers' goals. The platforms include LinkedIn, Upwork, We Work Remotely, Moonlight, and Crypto Jobs List. Victims receive the project files either directly via file transfer on the site, or through a link to a repository like GitHub, GitLab, or Bitbucket. They are asked to download the files, add features or fix bugs, and report back to the recruiter. Additionally, they are instructed to build and execute the project in order to test it, which is where the initial compromise happens. The attackers often use a clever trick to hide their malicious code: They place it in an otherwise benign component of the project, usually within backend code unrelated to the task given to the developer, where they append it as a single line behind a long comment. This way, it is moved off-screen and stays mostly hidden. 'The DeceptiveDevelopment cluster is an addition to an already large collection of money-making schemes employed by North Korea-aligned actors and conforms to an ongoing trend of shifting focus from traditional money to cryptocurrencies,' concludes Havránek. 0 0
