<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel><description>Security research and breaking news straight from ESET Research Labs.&#xA;welivesecurity.com/research/</description><link>https://bsky.app/profile/esetresearch.bsky.social</link><title>@esetresearch.bsky.social - ESET Research</title><item><link>https://bsky.app/profile/esetresearch.bsky.social/post/3ml3vswuxhk2w</link><description>#ESETresearch uncovered a multiplatform supply-chain attack by the North Korean #ScarCruft APT group targeting the Yanbian region via backdoor-laced Windows and Android games. https://www.welivesecurity.com/en/eset-research/rigged-game-scarcruft-compromises-gaming-platform-supply-chain-attack/ 1/6</description><pubDate>05 May 2026 09:48 +0000</pubDate><guid isPermaLink="false">at://did:plc:u4jt77a2vcxw74anqy3jipb4/app.bsky.feed.post/3ml3vswuxhk2w</guid></item><item><link>https://bsky.app/profile/esetresearch.bsky.social/post/3mkaw3bxues2k</link><description>Approximately a month ago, F5 published advisory on malware deployed to BIG-IP systems vulnerable to CVE-2025-53521. #ESETresearch discovered two related malware components on VirusTotal and named the threat #PoisonedRefresh. 1/6&#xA;https://my.f5.com/manage/s/article/K000160486</description><pubDate>24 Apr 2026 16:10 +0000</pubDate><guid isPermaLink="false">at://did:plc:u4jt77a2vcxw74anqy3jipb4/app.bsky.feed.post/3mkaw3bxues2k</guid></item><item><link>https://bsky.app/profile/esetresearch.bsky.social/post/3mk5yro7gm22m</link><description>#BREAKING #ESETresearch uncovered an active NGate Android malware campaign targeting Spanish speaking users, combining fake app distribution, NFC relay abuse, PIN harvesting, and a shared Devil NFC MaaS backend. 
The operation is tied to the Devil NFC infrastructure used in Spain since Jan 2026 1/10</description><pubDate>23 Apr 2026 12:21 +0000</pubDate><guid isPermaLink="false">at://did:plc:u4jt77a2vcxw74anqy3jipb4/app.bsky.feed.post/3mk5yro7gm22m</guid></item><item><link>https://bsky.app/profile/esetresearch.bsky.social/post/3mk5nmurx5k2t</link><description>#ESETresearch discovered #GopherWhisper, a new China-aligned APT group that targeted a governmental entity in Mongolia. https://www.welivesecurity.com/en/eset-research/gopherwhisper-burrow-full-malware/ 1/7</description><pubDate>23 Apr 2026 09:01 +0000</pubDate><guid isPermaLink="false">at://did:plc:u4jt77a2vcxw74anqy3jipb4/app.bsky.feed.post/3mk5nmurx5k2t</guid></item><item><link>https://bsky.app/profile/esetresearch.bsky.social/post/3mjymqzngoc2q</link><description>#ESETresearch discovered a new #NGate malware variant that abuses the legitimate #HandyPay app, which has been patched with possibly AI-generated malicious code. The campaign is ongoing and targets Android users in Brazil. https://www.welivesecurity.com/en/eset-research/new-ngate-variant-hides-in-a-trojanized-nfc-payment-app/ 1/6</description><pubDate>21 Apr 2026 09:02 +0000</pubDate><guid isPermaLink="false">at://did:plc:u4jt77a2vcxw74anqy3jipb4/app.bsky.feed.post/3mjymqzngoc2q</guid></item><item><link>https://bsky.app/profile/esetresearch.bsky.social/post/3mj5had6yfs2e</link><description>Cisco Talos recently published an analysis of an EDR killer used by the #Qilin #ransomware gang. 
#ESETresearch tracks this threat as #CardSpaceKiller and we recently provided additional insights in our blog https://www.welivesecurity.com/en/eset-research/edr-killers-explained-beyond-the-drivers/ 1/6</description><pubDate>10 Apr 2026 13:42 +0000</pubDate><guid isPermaLink="false">at://did:plc:u4jt77a2vcxw74anqy3jipb4/app.bsky.feed.post/3mj5had6yfs2e</guid></item><item><link>https://bsky.app/profile/esetresearch.bsky.social/post/3miy252s6p22d</link><description>#ESETresearch&#39;s Eric Howard will be presenting at Botconf. Join him in Reims, France to hear about “GopherWhisper, Uncovering an APT’s secrets through its own words” on Apr 15 at 17.15 CEST. For more information, check out https://www.botconf.eu/botconf-2026/#id_schedule 1/3</description><pubDate>08 Apr 2026 10:04 +0000</pubDate><guid isPermaLink="false">at://did:plc:u4jt77a2vcxw74anqy3jipb4/app.bsky.feed.post/3miy252s6p22d</guid></item><item><link>https://bsky.app/profile/esetresearch.bsky.social/post/3miiouhsy322i</link><description>#ESETresearch has identified an Akira lookalike ransomware campaign targeting South America. The threat actor is using a Babuk-based encryptor that appends the .akira extension and drops a ransom note that mimics Akira both in Tor URLs and the overall content. 1/5</description><pubDate>02 Apr 2026 07:32 +0000</pubDate><guid isPermaLink="false">at://did:plc:u4jt77a2vcxw74anqy3jipb4/app.bsky.feed.post/3miiouhsy322i</guid></item><item><link>https://bsky.app/profile/esetresearch.bsky.social/post/3mhzkbqak322j</link><description>#ESETresearch has identified a Silver Fox campaign that actively takes advantage of the current annual tax filing and organizational change season in Japan, a period when companies generate a high volume of legitimate financial and HR-related comms. 
https://www.welivesecurity.com/en/business-security/cunning-predator-how-silver-fox-preys-japanese-firms-tax-season/ &#xA;1/8</description><pubDate>27 Mar 2026 07:00 +0000</pubDate><guid isPermaLink="false">at://did:plc:u4jt77a2vcxw74anqy3jipb4/app.bsky.feed.post/3mhzkbqak322j</guid></item><item><link>https://bsky.app/profile/esetresearch.bsky.social/post/3mhrzhpa6vs2f</link><description>#ESETresearch detected a recent intrusion at a University of Warsaw consistent with #Interlock ransomware gang. Thanks to early warning from our experts and the university&#39;s swift cooperation, the attack was disrupted before encryptors could be deployed.  https://www.eset.com/pl/about/newsroom/press-releases/news/to-analitycy-eset-zidentyfikowali-atak-na-uniwersytet-warszawski/ 1/8</description><pubDate>24 Mar 2026 07:11 +0000</pubDate><guid isPermaLink="false">at://did:plc:u4jt77a2vcxw74anqy3jipb4/app.bsky.feed.post/3mhrzhpa6vs2f</guid></item><item><link>https://bsky.app/profile/esetresearch.bsky.social/post/3mhpnk2day226</link><description>In cybersecurity, labels can distract from what really matters. At #RSAC2026, #ESETresearch’s Robert Lipovský will break down recent campaigns linked to state-sponsored actors and explore how hybrid threat tactics are evolving. The session focuses on practical defender takeaways.</description><pubDate>23 Mar 2026 08:32 +0000</pubDate><guid isPermaLink="false">at://did:plc:u4jt77a2vcxw74anqy3jipb4/app.bsky.feed.post/3mhpnk2day226</guid></item><item><link>https://bsky.app/profile/esetresearch.bsky.social/post/3mhi4b3ol6k2u</link><description>#ESETresearch is hiring! Passionate about geopolitics, cyberespionage and cyber threat intelligence? We have a new opening for a strategic threat intelligence analyst at our Montréal office. 
Come join the team!&#xA;https://eset.wd3.myworkdayjobs.com/ESET_External/job/Montreal/Analyste-du-renseignement-stratgique-sur-les-menaces---Cyberespionnage---Strategic-Threat-Intelligence-Analyst---Cyberespionage_JR-05715</description><pubDate>20 Mar 2026 08:34 +0000</pubDate><guid isPermaLink="false">at://did:plc:u4jt77a2vcxw74anqy3jipb4/app.bsky.feed.post/3mhi4b3ol6k2u</guid></item><item><link>https://bsky.app/profile/esetresearch.bsky.social/post/3mhfqoyxtes2r</link><description>#ESETresearch analyzed more than 80 EDR killers, seen across real-world intrusions, and used ESET telemetry to document how these tools operate, who uses them, and how they evolve beyond simple driver abuse. https://www.welivesecurity.com/en/eset-research/edr-killers-explained-beyond-the-drivers/ 1/6</description><pubDate>19 Mar 2026 10:02 +0000</pubDate><guid isPermaLink="false">at://did:plc:u4jt77a2vcxw74anqy3jipb4/app.bsky.feed.post/3mhfqoyxtes2r</guid></item><item><link>https://bsky.app/profile/esetresearch.bsky.social/post/3mgpldzzz3s23</link><description>#ESETresearch has analyzed the resurgence of Sednit – one of the most long‑running Russia‑aligned APT groups – now using a modern toolkit built around paired implants, BeardShell and Covenant, each using a different cloud provider for resilience. https://www.welivesecurity.com/en/eset-research/sednit-reloaded-back-trenches/ 1/5</description><pubDate>10 Mar 2026 14:28 +0000</pubDate><guid isPermaLink="false">at://did:plc:u4jt77a2vcxw74anqy3jipb4/app.bsky.feed.post/3mgpldzzz3s23</guid></item><item><link>https://bsky.app/profile/esetresearch.bsky.social/post/3mf7fmxmzwk26</link><description>#BREAKING #ESETresearch has discovered the first known Android malware to use generative AI in its execution flow; we have named it #PromptSpy. The malware abuses Google’s #Gemini to achieve persistence on the compromised device. 
https://www.welivesecurity.com/en/eset-research/promptspy-ushers-in-era-android-threats-using-genai/ 1/6</description><pubDate>19 Feb 2026 10:37 +0000</pubDate><guid isPermaLink="false">at://did:plc:u4jt77a2vcxw74anqy3jipb4/app.bsky.feed.post/3mf7fmxmzwk26</guid></item><item><link>https://bsky.app/profile/esetresearch.bsky.social/post/3mdn3t7h5v226</link><description>#BREAKING #ESETresearch provides technical details on #DynoWiper, a data‑wiping malware used in a data‑destruction incident on December 29, 2025, affecting a company in Poland’s energy sector.  https://www.welivesecurity.com/en/eset-research/dynowiper-update-technical-analysis-attribution/ 1/5</description><pubDate>30 Jan 2026 10:29 +0000</pubDate><guid isPermaLink="false">at://did:plc:u4jt77a2vcxw74anqy3jipb4/app.bsky.feed.post/3mdn3t7h5v226</guid></item><item><link>https://bsky.app/profile/esetresearch.bsky.social/post/3mdi425znnk2f</link><description>#ESETresearch has uncovered a new #Android spyware campaign using novel romance scam tactics to target individuals in 🇵🇰 Pakistan, with an added social engineering element previously unseen in similar schemes. https://www.welivesecurity.com/en/eset-research/love-actually-fake-dating-app-used-lure-targeted-spyware-campaign-pakistan/ 1/9&#xA;https://www.welivesecurity.com/en/eset-research/love-actually-fake-dating-app-used-lure-targeted-spyware-campaign-pakistan/#article-111/9</description><pubDate>28 Jan 2026 10:49 +0000</pubDate><guid isPermaLink="false">at://did:plc:u4jt77a2vcxw74anqy3jipb4/app.bsky.feed.post/3mdi425znnk2f</guid></item><item><link>https://bsky.app/profile/esetresearch.bsky.social/post/3md44r4veyc2e</link><description>#BREAKING #ESETresearch identified the wiper #DynoWiper used in an attempted disruptive cyberattack against the Polish energy sector on Dec 29, 2025. At this point, no successful disruption is known, but the malware’s design clearly indicates destructive intent. 
1/5</description><pubDate>23 Jan 2026 16:30 +0000</pubDate><guid isPermaLink="false">at://did:plc:u4jt77a2vcxw74anqy3jipb4/app.bsky.feed.post/3md44r4veyc2e</guid></item><item><link>https://bsky.app/profile/esetresearch.bsky.social/post/3mck4ha6wuc2g</link><description>#ESETresearch’s Lukas Stefanko will speak at Ransomware Resilience 2026 on Mon, Jan 19 in Kuala Lumpur at 4pm local time! Discover how Android NFC threats evolved to enable unauthorized ATM withdrawals. Learn about NGate - first Android malware to execute NFC relay attack for remote ATM cash-outs.</description><pubDate>16 Jan 2026 12:37 +0000</pubDate><guid isPermaLink="false">at://did:plc:u4jt77a2vcxw74anqy3jipb4/app.bsky.feed.post/3mck4ha6wuc2g</guid></item><item><link>https://bsky.app/profile/esetresearch.bsky.social/post/3mchcnldvc22p</link><description>According to ESET telemetry, threat actors keep finding new ways to exploit #NFC technology: detections surged by 78% compared to H1 2025; however, overall numbers remain low. 1/6</description><pubDate>15 Jan 2026 09:50 +0000</pubDate><guid isPermaLink="false">at://did:plc:u4jt77a2vcxw74anqy3jipb4/app.bsky.feed.post/3mchcnldvc22p</guid></item><item><link>https://bsky.app/profile/esetresearch.bsky.social/post/3mcc6se4nu22i</link><description>In 2025, #ESETresearch saw a 62% year-over-year increase in detections of fake investment and snake oil scams – tracked as HTML/Nomani – amounting to hundreds of thousands of detections and over 64,000 unique URLs blocked. 1/5</description><pubDate>13 Jan 2026 08:58 +0000</pubDate><guid isPermaLink="false">at://did:plc:u4jt77a2vcxw74anqy3jipb4/app.bsky.feed.post/3mcc6se4nu22i</guid></item><item><link>https://bsky.app/profile/esetresearch.bsky.social/post/3mbqp6vnpa22o</link><description>In H2 2025, #ESETresearch saw a thirtyfold increase in #CloudEyE detections, amounting to more than 100,000 hits over the course of six months. 
CloudEyE is a #MaaS downloader and cryptor used to conceal and deploy other malware, such as #Rescoms, #Formbook, and #Agent Tesla. 1/5</description><pubDate>06 Jan 2026 10:03 +0000</pubDate><guid isPermaLink="false">at://did:plc:u4jt77a2vcxw74anqy3jipb4/app.bsky.feed.post/3mbqp6vnpa22o</guid></item><item><link>https://bsky.app/profile/esetresearch.bsky.social/post/3mb4r7ers5s2j</link><description>In 2025, #ESETresearch analyzed hundreds of hands-on-keyboard ransomware attacks, mostly hitting manufacturing, construction, retail, technology, and healthcare. Most of these were seen in the US (17%), Spain (5%), and France, Italy, and Canada (4% each). 1/5</description><pubDate>29 Dec 2025 11:46 +0000</pubDate><guid isPermaLink="false">at://did:plc:u4jt77a2vcxw74anqy3jipb4/app.bsky.feed.post/3mb4r7ers5s2j</guid></item><item><link>https://bsky.app/profile/esetresearch.bsky.social/post/3manqs2ifbk2u</link><description>#ESETresearch has revisited CVE-2025-50165, a critical remote code execution vulnerability in the WindowsCodecs.dll library when processing JPG images, one of the most widely used image formats. https://www.welivesecurity.com/en/eset-research/revisiting-cve-2025-50165-critical-flaw-windows-imaging-component/ 1/6</description><pubDate>23 Dec 2025 12:28 +0000</pubDate><guid isPermaLink="false">at://did:plc:u4jt77a2vcxw74anqy3jipb4/app.bsky.feed.post/3manqs2ifbk2u</guid></item><item><link>https://bsky.app/profile/esetresearch.bsky.social/post/3madvo2osn22v</link><description>#ESETresearch has detected a new MSIL loader, named #BlackHawk, protected by three layers of obfuscation, all of which show strong signs of being AI-generated. 
1/9</description><pubDate>19 Dec 2025 14:29 +0000</pubDate><guid isPermaLink="false">at://did:plc:u4jt77a2vcxw74anqy3jipb4/app.bsky.feed.post/3madvo2osn22v</guid></item><item><link>https://bsky.app/profile/esetresearch.bsky.social/post/3mabaojcx5c2i</link><description>#ESETresearch has discovered a new 🇨🇳-aligned APT group, #LongNosedGoblin. This group focuses on cyberespionage and targets mainly governmental entities in Southeast Asia and Japan.  https://www.welivesecurity.com/en/eset-research/longnosedgoblin-tries-sniff-out-governmental-affairs-southeast-asia-japan/ 1/7</description><pubDate>18 Dec 2025 13:08 +0000</pubDate><guid isPermaLink="false">at://did:plc:u4jt77a2vcxw74anqy3jipb4/app.bsky.feed.post/3mabaojcx5c2i</guid></item><item><link>https://bsky.app/profile/esetresearch.bsky.social/post/3ma4eq4abek2p</link><description>ESET Threat Report H2 2025: NFC threats grow in scale and sophistication, ransomware victim numbers surge, and AI-powered malware becomes reality with PromptLock. The threat landscape is evolving fast – read the full report: https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-threat-report-h22025.pdf #ESETresearch</description><pubDate>16 Dec 2025 14:37 +0000</pubDate><guid isPermaLink="false">at://did:plc:u4jt77a2vcxw74anqy3jipb4/app.bsky.feed.post/3ma4eq4abek2p</guid></item><item><link>https://bsky.app/profile/esetresearch.bsky.social/post/3m7a45bm6h22v</link><description>#ESETresearch analyzed the #Gamaredon VBScript payload recently flagged by @ClearskySec. It wipes registry Run keys, scheduled tasks, and kills processes – however, our assessment is that this is likely to clean researchers’ machines, not a shift to destructive ops. 
https://x.com/ClearskySec/status/1995061537183011084 1/4</description><pubDate>05 Dec 2025 08:49 +0000</pubDate><guid isPermaLink="false">at://did:plc:u4jt77a2vcxw74anqy3jipb4/app.bsky.feed.post/3m7a45bm6h22v</guid></item><item><link>https://bsky.app/profile/esetresearch.bsky.social/post/3m6yuf64iwc2v</link><description>#ESETresearch discovered a new #MuddyWater campaign targeting critical infrastructure in 🇮🇱 Israel and 🇪🇬 Egypt, using a new backdoor – MuddyViper – and a variety of post-compromise tools https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank/ 1/7</description><pubDate>02 Dec 2025 11:42 +0000</pubDate><guid isPermaLink="false">at://did:plc:u4jt77a2vcxw74anqy3jipb4/app.bsky.feed.post/3m6yuf64iwc2v</guid></item><item><link>https://bsky.app/profile/esetresearch.bsky.social/post/3m6wkhilvhc23</link><description>#ESETresearch is heading to #AVAR2025? Dec 4, Thursday in Kuala Lumpur, 11:00–11:30 MYT.&#xA;ESET researchers Anton Cherepanov &amp; Peter Strýček present: &#34;Sniffing Around: Unmasking the LongNosedGoblin operation in Southeast Asia and Japan”. 1/3</description><pubDate>01 Dec 2025 13:39 +0000</pubDate><guid isPermaLink="false">at://did:plc:u4jt77a2vcxw74anqy3jipb4/app.bsky.feed.post/3m6wkhilvhc23</guid></item></channel></rss>