Skip to content

ESET Research analyzed a critical flaw in Windows Imaging Component, which abuses JPG files

ESET researchers have concluded an in-depth examination of CVE-2025-50165, a Windows Imaging Component vulnerability. Although classified as critical, ESET’s root cause analysis suggests the complexity of exploitation makes large-scale attacks highly improbable.
Technical Distinction: The flaw exists in the encoding and compression stage of a JPG image, not the decoding (rendering) stage. Simply viewing a malicious image will not trigger the vulnerability.

Root Cause: WindowsCodecs.dll

The vulnerability occurs when WindowsCodecs.dll attempts to encode a JPG image using 12-bit or 16-bit data precision. The specific function involved, jpeg_finish_compress, is triggered during specific actions such as saving an image or generating system thumbnails.

Expert Analysis

“Our analysis indicates that exploitation is harder than it appears,” says ESET researcher Romain Dumont. “A host application is only vulnerable if it allows JPG images to be re-encoded, and even then, an attacker would need precise control over heap manipulation and address leaks to achieve remote code execution.”

Key Takeaways

  • Open Source Roots: The component utilizes libjpeg-turbo, which saw similar vulnerabilities patched in late 2024.
  • Reproduction: ESET has successfully reproduced the system crash using a 12-bit/16-bit JPG test method.
  • Status: Microsoft released a patch for this vulnerability in August; users are encouraged to verify their systems are up to date.
For the full technical report, visit WeLiveSecurity.com and search for “Revisiting CVE-2025-50165.”

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

ESET Threat Report: AI-driven attacks on the rise; NFC threats increase and evolve in sophistication

ESET Research has released its H2 2025 Threat Report with statistics from June through November 2025.
NFC threats have continued to evolve in scale and sophistication, with several notable upgrades and new malicious campaigns seen in H2 2025.
ESET observed several improvements in scams including higher-quality deepfakes, signs of AI-generated phishing sites, and short-lived ad campaigns to avoid detection.
Even though Lumma Stealer managed to come back after the May 2025 disruption, its detections declined by 86% in H2 2025.

BRATISLAVA — December 16, 2025 — ESET Research has released its latest Threat Report, which summarizes threat landscape trends seen in ESET telemetry and from the perspective of both ESET threat detection and research experts, from June through November 2025.  AI-powered malware moved from theory to reality in H2 2025, as ESET discovered PromptLock – the first known AI-driven ransomware, capable of generating malicious scripts on the fly. While AI is still mainly used for crafting convincing phishing and scam content, PromptLock – and the handful of other AI-driven threats identified to this day – signal a new era of threats.

“Fraudsters behind the Nomani investment scams have also refined their techniques – we have observed higher-quality deepfakes, signs of AI-generated phishing sites, and increasingly short-lived ad campaigns to avoid detection,” says Jiří Kropáč, Director of ESET Threat Prevention Labs. In ESET telemetry, detections of Nomani scams grew 62% year-over-year, with the trend declining slightly in H2 2025. Nomani scams have recently been expanding from Meta to other platforms, including YouTube.

On the ransomware scene, victim numbers surpassed 2024 totals well before year’s end, with ESET Research projections pointing to a 40% year-over-year increase. Akira and Qilin now dominate the ransomware-as-a-service market, while low-profile newcomer Warlock introduced innovative evasion techniques. EDR killers continued to proliferate, highlighting that endpoint detection and response tools remain a significant obstacle for ransomware operators.

On the mobile platform, NFC threats continued to grow in scale and sophistication, with an 87% increase in ESET telemetry and several notable upgrades and campaigns observed in H2 2025. NGate  – a pioneer among NFC threats, first discovered by ESET– received an upgrade in the form of contact stealing, likely laying the groundwork for future attacks. RatOn, entirely new malware on the NFC fraud scene, brought a rare fusion of remote access trojan (RAT) capabilities and NFC relay attacks, showing cybercriminals’ determination to pursue new attack avenues. RatOn was distributed through fake Google Play pages and ads mimicking an adult version of TikTok, and a digital bank ID service.  PhantomCard – new NGate-based malware adapted to the Brazilian market – was seen in multiple campaigns in Brazil in H2 2025.

Furthermore, after its global disruption in May, the Lumma Stealer infostealer managed to briefly resurface – twice – but its glory days are most likely over. Detections plummeted by 86% in H2 2025 compared to the first half of the year, and a significant distribution vector of Lumma Stealer – the HTML/FakeCaptcha trojan, used in ClickFix attacks – nearly vanished from ESET telemetry.

Meanwhile, CloudEyE, also known as GuLoader, surged into prominence, skyrocketing almost thirtyfold according to ESET telemetry. Distributed via malicious email campaigns, this malware-as-a-service downloader and cryptor is used to deploy other malware, including ransomware, as well as infostealer juggernauts such as Rescoms, Formbook, and Agent Tesla. Poland was most affected by this threat, with 32% of CloudEyE attack attempts in H2 2025 detected here.

For more information, check out the ESET Threat Report H2 2025 on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research.

 

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

Iran’s MuddyWater targets critical infrastructure in Israel and Egypt, masquerades as Snake game – ESET Research discovers

  • ESET researchers have identified new MuddyWater (Iran-aligned cyberespionage group) activity primarily targeting critical infrastructure organizations in Israel, with one confirmed target in Egypt.
  • The group used more advanced techniques to deploy MuddyViper, a new backdoor, by using a loader (Fooder) that reflectively loads it into memory and executes it.
  • ESET provides technical analyses of the tools used in this campaign.

MONTREAL, BRATISLAVADecember 2, 2025 — ESET researchers have identified new MuddyWater activity primarily targeting organizations in Israel, with one confirmed target in Egypt. The victims in Israel were in the technology, engineering, manufacturing, local government, and educational sectors. MuddyWater, also referred to as Mango Sandstorm or TA450, is an Iran-aligned cyberespionage group known for its persistent targeting of government and critical infrastructure sectors, often leveraging custom malware and publicly available tools, and has links to the Ministry of Intelligence and National Security of Iran. In this campaign, the attackers deployed a set of previously undocumented, custom tools with the objective of improving defense evasion and persistence. New backdoor MuddyViper enables the attackers to collect system information, execute files and shell commands, transfer files, and exfiltrate Windows login credentials and browser data. The campaign leverages additional credential stealers. Among these tools is Fooder, a custom loader that masquerades as the classic Snake game.

In this campaign, initial access is typically achieved through spearphishing emails, often containing PDF attachments that link to installers for remote monitoring and management (RMM) software hosted on free file-sharing platforms such as OneHub, Egnyte, or Mega. These links lead to the download of tools including Atera, Level, PDQ, and SimpleHelp. Among the tools deployed by MuddyWater operators is also the VAX One backdoor, named after the legitimate software which it impersonates: Veeam, AnyDesk, Xerox, and the OneDrive updater service.

The group’s continued reliance on this familiar playbook makes its activity relatively easy to detect and block. However, in this case, the group also used more advanced techniques to deploy MuddyViper, a new backdoor, by using a loader (Fooder) that reflectively loads MuddyViper into memory and executes it. Several versions of Fooder masquerade as the classic Snake game, hence the designation, MuddyViper. Another notable characteristic of Fooder is its frequent use of a custom delay function that implements the core logic of the Snake game, combined with “Sleep” API calls. These features are intended to delay execution in an attempt to hide malicious behavior from automated analysis systems. Additionally, MuddyWater developers adopted CNG, the next-generation Windows cryptographic API, which is unique for Iran-aligned groups and somewhat atypical across the broader threat landscape. During this campaign, the operators deliberately avoided hands-on-keyboard interactive sessions, which is a historically noisy technique often characterized by mistyped commands. Thus, while some components remain noisy and easily detected, as is typical for MuddyWater, overall this campaign shows signs of technical evolution – increased precision, strategic targeting, and a more advanced toolset.

The post-compromise toolset also includes multiple credential stealers: CE-Notes, which targets Chromium-based browsers; LP-Notes, which stages and verifies stolen credentials; and Blub, which steals login data from Chrome, Edge, Firefox, and Opera browsers.

MuddyWater was first introduced to the public in 2017 by Unit 42, whose description of the group’s activity is consistent with ESET’s profiling – a focus on cyberespionage, the use of malicious documents as attachments designed to prompt users to enable macros and bypass security controls, and primarily targeting entities located in the Middle East.

Notable past activities include Operation Quicksand (2020), a cyberespionage campaign targeting Israeli government entities and telecommunications organizations, which exemplifies the group’s evolution from basic phishing tactics to more advanced, multistage operations; and a campaign targeting political groups and organizations in Türkiye, demonstrating the group’s geopolitical focus, its ability to adapt social engineering tactics to local contexts, and reliance on modular malware and flexible C&C infrastructure.

ESET has documented multiple campaigns attributed to MuddyWater that highlight the group’s evolving toolset and shifting operational focus. In March and April 2023, MuddyWater targeted an unidentified victim in Saudi Arabia, and the group conducted a campaign in January and February 2025 that was notable for its operational overlap with Lyceum (an OilRig subgroup). This cooperation suggests that MuddyWater may be acting as an initial access broker for other Iran-aligned groups.

For a more detailed analysis of the latest MuddyWater campaign, check out the latest ESET Research blogpost “MuddyWater: Snakes by the riverbank” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research.

Overview of Fooder loading MuddyViper or other supported payloads


About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

【資安快訊】65台Exchange Server遭駭客入侵並植入鍵盤側錄程式,企圖竊取使用者帳號與密碼資訊

資安公司 Positive Technologies 發現,駭客針對全球至少 65 台 Microsoft Exchange Server 展開攻擊,並成功在 Outlook Web Access(OWA)登入頁植入鍵盤側錄工具(Keylogger),試圖竊取使用者帳號密碼。此次攻擊已持續超過一年,受害範圍涵蓋 26 個國家,其中以越南、俄羅斯與台灣最為嚴重,受害單位包括政府機關、IT 公司、工業與物流業者。
攻擊者透過將惡意 JavaScript 程式碼注入至 OWA 頁面,例如登入按鈕元件,偽裝成正常操作邏輯,誘使使用者在登入時不自覺將帳密資料送出。被側錄的資料會儲存在 Exchange 主機本地特定路徑,或傳送至駭客控制的遠端伺服器。這類攻擊多利用已知但未修補的 Exchange Server 漏洞,包括 CVE-2021-34473、CVE-2021-31207 等,顯示許多組織未定期維護更新系統。
為降低風險,資安專家建議立即修補 Exchange 系統已知漏洞、啟用 MFA 強化登入驗證,並透過網站內容安全政策(CSP)等方式防範惡意程式碼注入。同時,應定期稽核登入頁面完整性,監控可疑的外部請求與異常登入行為,避免帳密資料在未察覺下遭到竊取。此次事件再次凸顯即便是內部應用入口,如 OWA,也可能成為駭客入侵與竊資的破口,企業應全面審視並強化資安防線。
強化漏洞管理與修補機制,避免成為攻擊跳板。 

資安建議:
1. 立即修補漏洞:儘速安裝所有已知 Exchange Server 安全更新(特別是 CVE-2021-34473、CVE-2021-31207 等關鍵漏洞)。
Atera/IT服務管理解決方案 】 提供的遠端管理平台包括漏洞管理與修補功能,可以自動化修補過程以及進行漏洞掃描,對於中小型企業來說是個便捷的選擇。
2. 導入 WAF 或反惡意行為代理
Penta Security WAPPLES/WAAP安全解決方案】企業級 Web 應用程式防火牆(WAF),透過行為分析與規則比對技術,辨識並阻擋各種 Web 層攻擊,確保網站與 API 的安全性與合規性。
3. 偵測並阻擋可疑注入或鍵盤側錄活動的 HTTP 流量。
ESET /企業資安解決方案】ESET Mail Security 是 ESET 專為 Microsoft Exchange Server、IBM Domino 及 Linux 郵件伺服器 所設計的 電子郵件防護解決方案。ESET Endpoint Security 啟用瀏覽器防護、加密的記憶體防護、鍵盤防護。

原文出處:【iThome新聞】65臺Exchange Server遭鎖定,駭客埋入鍵盤側錄工具,企圖挖掘用戶帳密資料

【資安快訊】SharePoint漏洞造成美國國家機構資安危機

零日攻擊蔓延,資安防線備受考驗
隨著全球企業與政府組織高度仰賴數位協作平台,像是 Microsoft SharePoint 等企業核心應用已成為現代辦公生態的基石。然而,這類系統一旦出現「零日漏洞」(Zero-Day Vulnerability),其所引發的連鎖風險可能遠超預期。

【事件背景】 
2025 年 7 月,微軟(Microsoft)爆出重大資安事件,旗下 SharePoint Server 被揭露存在兩個零日漏洞(CVE-2025-53770 與 CVE-2025-53771),並已遭具有中國背景的駭客組織利用,成功入侵美國國家機構等等關鍵機構。
根據報導,他們運用一種名為「ToolShell」的惡意工具鏈攻擊 SharePoint Server 並取得內部系統的長期存取權限。駭客可藉此取得敏感文件、部署後門程式,甚至建立C2通道進行橫向滲透。

【實際影響與已知攻擊】
本次事件最具爭議的是攻擊波及美國國家核子安全局(NNSA)與能源部等關鍵基礎設施機構。報導指出,駭客成功竊取部分機密檔案,部分尚未判定是否與核能或武器計畫相關。
根據微軟後續調查與 Microsoft Threat Intelligence 的說明,該攻擊並非大規模入侵,而是經由極具針對性的攻擊所造成。攻擊者極可能先入侵某個合作廠商帳號,再借此進入內部網路。
事件揭露後,美國政府要求所有 SharePoint 使用單位緊急評估環境風險,並在 72 小時內完成修補作業。微軟亦已於 7 月 19 日發布修補更新,並建議未能及時修補的用戶應立刻停用對外連接埠。

【資安啟示與因應建議】
1. 零信任不再是選項,而是基本生存機制
此次事件再度證明傳統網路邊界概念已經失效。即便是政府單位與企業資安團隊,也必須全面導入零信任架構(Zero Trust Architecture, ZTA),透過持續驗證、動態資源存取控管,以及使用者行為分析來降低橫向移動的可能性。

2. 第三方服務與帳號監控是防線破口
若攻擊是從外部供應鏈起始,則加強合作廠商、承包商與跨部門帳號存取權限的控管就更為重要。建議導入整合型 IAM(Identity and Access Management)與供應鏈資安風險評估流程。

3. 提早導入威脅情報與自動化修補
企業可以透過訂閱 CVE Feed等資訊與建置資安情資(開源/商業)平台,並強化漏洞評估與改進企業內部通報機制,經由完整SOP讓資安團隊能有更快的應變。

本次 SharePoint 零日攻擊事件,從國家級駭客組織精準的入侵路徑、微軟產品安全機制的缺失,再到政府單位應變節奏,每一個環節都透露出我們在面對深度複雜威脅時的脆弱。做為資安從業人員,這不僅是一場攻防演練的案例,更是一份對未來網路戰爭(Cyberwarfare)的警訊。

原文出處:
1. Segura® 官方網站 https://segura.security/segura-v4
2. US agency overseeing nuclear weapons breached in Microsoft SharePoint attack https://www.windowscentral.com/microsoft/us-agency-overseeing-nuclear-weapons-breached-in-microsoft-sharepoint-attack?utm_source=chatgpt.com

×

Hello!

Click one of our contacts below to chat on WhatsApp

Social Chat is free, download and try it now here!

×