Since the first known appearance of AceCryptor back in 2016, many malware authors have used the services of this cryptor, even the best-known crimeware like Emotet, back when it didn’t use its own cryptor.

Even when security practitioners commonly advise people to only download software from reputable sites, people still download files from distinctly non-reputable places and get compromised as a result.

ESET Research uncovered a campaign by the APT group known as Evasive Panda targeting an international NGO in China with malware delivered through updates of popular Chinese software.

Researchers were able to reconstruct the full chain, from the ZIP file that delivers a fake HSBC job offer as a decoy, up until the final payload: the SimplexTea Linux backdoor distributed through an OpenDrive cloud storage account.

In the wrong hands, the data gleaned from the devices – including customer data, router-to-router authentication keys, application lists, and much more – is enough to launch a cyberattack.

Threat actors are going after victims’ cryptocurrency funds using trojanized Telegram and WhatsApp applications for Android and Windows. The malware can switch cryptocurrency wallet addresses sent in chat messages with attackers' wallet addresses.

ESET researchers have identified an active Transparent Tribe campaign, targeting mostly Indian and Pakistani Android users – presumably with a military or political orientation.

This backdoor is part of an ongoing campaign that researchers can trace back to early January 2023. Unlike most of the group’s malware, MQsTTang doesn’t seem to be based on existing families or publicly available projects.

The WinorDLL64 payload serves as a backdoor that most notably acquires extensive system information, provides means for file manipulation, such as exfiltrating, overwriting, and removing files, and executes additional commands.

ESET researchers discovered a spearphishing campaign targeting Japanese political entities a few weeks before the House of Councillors elections, and in the process uncovered a previously undescribed MirrorFace credential stealer