Skip to content

ESET Uncovers “PromptSpy” – The Era of AI-Driven Android Threats

ESET researchers have discovered PromptSpy, the first known Android threat to utilize generative AI (Google Gemini) within its execution flow. By prompting an AI model to interpret UI elements, the malware achieves a level of adaptability previously unseen in mobile threats.

Technical Breakthrough: PromptSpy uses Gemini to receive dynamic instructions on how to “lock” itself in the recent apps list, ensuring the malicious process remains active and cannot be easily closed by the user.
 

Key Capabilities

Remote VNC Access
Lockscreen Data Theft
Invisible UI Overlays
Screen Activity Recording
AES-Encrypted C&C
Anti-Uninstallation Logic
 

Distribution and Targeting

The malware currently targets users in Argentina by impersonating the Morgan Chase bank (using the name MorganArg). It is distributed through malicious third-party websites and is not present on the official Google Play Store.

Critical Removal Procedure

Because PromptSpy uses invisible overlays to block uninstallation, users must follow these steps:

  1. Reboot into Safe Mode: Typically by long-pressing the “Power Off” option in the power menu.
  2. Navigate to Settings: Go to Settings → Apps.
  3. Uninstall: Locate “MorganArg” and select Uninstall.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

ESET Finalist: Cybersecurity Community Awards 2026

ESET, a global leader in cybersecurity, has been recognized by the Expert Insights Cybersecurity Community Awards 2026 as a finalist in the prestigious “Best Security Company” category.

Industry Leadership: Finalists were selected based on nominations from global IT professionals and independent research, emphasizing real-world impact over “pay-to-play” marketing.
 

A Legacy of Advanced Protection

Driven by the same engineers who founded the company over 30 years ago, ESET protects millions of users through an AI-native security portfolio. Key offerings include:

  • XDR & MDR: Next-generation prevention and response.
  • APT Tracking: Specialized research teams monitoring sophisticated threat groups.
  • Global Footprint: Trusted by critical industries and governments in 178 territories.
“A single layer of defense is not enough in today’s evolving landscape. This recognition reflects the trust our customers place in us and our dedication to intelligence-driven security.”
— Ryan Grant, Country Manager, ESET U.S. and Canada
 

Cast Your Vote

Support the cybersecurity innovators making a global difference. Community voting remains open until February 20, 2026.

 

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

ESET Research analyzed a critical flaw in Windows Imaging Component, which abuses JPG files

ESET researchers have concluded an in-depth examination of CVE-2025-50165, a Windows Imaging Component vulnerability. Although classified as critical, ESET’s root cause analysis suggests the complexity of exploitation makes large-scale attacks highly improbable.
Technical Distinction: The flaw exists in the encoding and compression stage of a JPG image, not the decoding (rendering) stage. Simply viewing a malicious image will not trigger the vulnerability.

Root Cause: WindowsCodecs.dll

The vulnerability occurs when WindowsCodecs.dll attempts to encode a JPG image using 12-bit or 16-bit data precision. The specific function involved, jpeg_finish_compress, is triggered during specific actions such as saving an image or generating system thumbnails.

Expert Analysis

“Our analysis indicates that exploitation is harder than it appears,” says ESET researcher Romain Dumont. “A host application is only vulnerable if it allows JPG images to be re-encoded, and even then, an attacker would need precise control over heap manipulation and address leaks to achieve remote code execution.”

Key Takeaways

  • Open Source Roots: The component utilizes libjpeg-turbo, which saw similar vulnerabilities patched in late 2024.
  • Reproduction: ESET has successfully reproduced the system crash using a 12-bit/16-bit JPG test method.
  • Status: Microsoft released a patch for this vulnerability in August; users are encouraged to verify their systems are up to date.
For the full technical report, visit WeLiveSecurity.com and search for “Revisiting CVE-2025-50165.”

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

ESET Threat Report: AI-driven attacks on the rise; NFC threats increase and evolve in sophistication

ESET Research has released its H2 2025 Threat Report with statistics from June through November 2025.
NFC threats have continued to evolve in scale and sophistication, with several notable upgrades and new malicious campaigns seen in H2 2025.
ESET observed several improvements in scams including higher-quality deepfakes, signs of AI-generated phishing sites, and short-lived ad campaigns to avoid detection.
Even though Lumma Stealer managed to come back after the May 2025 disruption, its detections declined by 86% in H2 2025.

BRATISLAVA — December 16, 2025 — ESET Research has released its latest Threat Report, which summarizes threat landscape trends seen in ESET telemetry and from the perspective of both ESET threat detection and research experts, from June through November 2025.  AI-powered malware moved from theory to reality in H2 2025, as ESET discovered PromptLock – the first known AI-driven ransomware, capable of generating malicious scripts on the fly. While AI is still mainly used for crafting convincing phishing and scam content, PromptLock – and the handful of other AI-driven threats identified to this day – signal a new era of threats.

“Fraudsters behind the Nomani investment scams have also refined their techniques – we have observed higher-quality deepfakes, signs of AI-generated phishing sites, and increasingly short-lived ad campaigns to avoid detection,” says Jiří Kropáč, Director of ESET Threat Prevention Labs. In ESET telemetry, detections of Nomani scams grew 62% year-over-year, with the trend declining slightly in H2 2025. Nomani scams have recently been expanding from Meta to other platforms, including YouTube.

On the ransomware scene, victim numbers surpassed 2024 totals well before year’s end, with ESET Research projections pointing to a 40% year-over-year increase. Akira and Qilin now dominate the ransomware-as-a-service market, while low-profile newcomer Warlock introduced innovative evasion techniques. EDR killers continued to proliferate, highlighting that endpoint detection and response tools remain a significant obstacle for ransomware operators.

On the mobile platform, NFC threats continued to grow in scale and sophistication, with an 87% increase in ESET telemetry and several notable upgrades and campaigns observed in H2 2025. NGate  – a pioneer among NFC threats, first discovered by ESET– received an upgrade in the form of contact stealing, likely laying the groundwork for future attacks. RatOn, entirely new malware on the NFC fraud scene, brought a rare fusion of remote access trojan (RAT) capabilities and NFC relay attacks, showing cybercriminals’ determination to pursue new attack avenues. RatOn was distributed through fake Google Play pages and ads mimicking an adult version of TikTok, and a digital bank ID service.  PhantomCard – new NGate-based malware adapted to the Brazilian market – was seen in multiple campaigns in Brazil in H2 2025.

Furthermore, after its global disruption in May, the Lumma Stealer infostealer managed to briefly resurface – twice – but its glory days are most likely over. Detections plummeted by 86% in H2 2025 compared to the first half of the year, and a significant distribution vector of Lumma Stealer – the HTML/FakeCaptcha trojan, used in ClickFix attacks – nearly vanished from ESET telemetry.

Meanwhile, CloudEyE, also known as GuLoader, surged into prominence, skyrocketing almost thirtyfold according to ESET telemetry. Distributed via malicious email campaigns, this malware-as-a-service downloader and cryptor is used to deploy other malware, including ransomware, as well as infostealer juggernauts such as Rescoms, Formbook, and Agent Tesla. Poland was most affected by this threat, with 32% of CloudEyE attack attempts in H2 2025 detected here.

For more information, check out the ESET Threat Report H2 2025 on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research.

 

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

Iran’s MuddyWater targets critical infrastructure in Israel and Egypt, masquerades as Snake game – ESET Research discovers

  • ESET researchers have identified new MuddyWater (Iran-aligned cyberespionage group) activity primarily targeting critical infrastructure organizations in Israel, with one confirmed target in Egypt.
  • The group used more advanced techniques to deploy MuddyViper, a new backdoor, by using a loader (Fooder) that reflectively loads it into memory and executes it.
  • ESET provides technical analyses of the tools used in this campaign.

MONTREAL, BRATISLAVADecember 2, 2025 — ESET researchers have identified new MuddyWater activity primarily targeting organizations in Israel, with one confirmed target in Egypt. The victims in Israel were in the technology, engineering, manufacturing, local government, and educational sectors. MuddyWater, also referred to as Mango Sandstorm or TA450, is an Iran-aligned cyberespionage group known for its persistent targeting of government and critical infrastructure sectors, often leveraging custom malware and publicly available tools, and has links to the Ministry of Intelligence and National Security of Iran. In this campaign, the attackers deployed a set of previously undocumented, custom tools with the objective of improving defense evasion and persistence. New backdoor MuddyViper enables the attackers to collect system information, execute files and shell commands, transfer files, and exfiltrate Windows login credentials and browser data. The campaign leverages additional credential stealers. Among these tools is Fooder, a custom loader that masquerades as the classic Snake game.

In this campaign, initial access is typically achieved through spearphishing emails, often containing PDF attachments that link to installers for remote monitoring and management (RMM) software hosted on free file-sharing platforms such as OneHub, Egnyte, or Mega. These links lead to the download of tools including Atera, Level, PDQ, and SimpleHelp. Among the tools deployed by MuddyWater operators is also the VAX One backdoor, named after the legitimate software which it impersonates: Veeam, AnyDesk, Xerox, and the OneDrive updater service.

The group’s continued reliance on this familiar playbook makes its activity relatively easy to detect and block. However, in this case, the group also used more advanced techniques to deploy MuddyViper, a new backdoor, by using a loader (Fooder) that reflectively loads MuddyViper into memory and executes it. Several versions of Fooder masquerade as the classic Snake game, hence the designation, MuddyViper. Another notable characteristic of Fooder is its frequent use of a custom delay function that implements the core logic of the Snake game, combined with “Sleep” API calls. These features are intended to delay execution in an attempt to hide malicious behavior from automated analysis systems. Additionally, MuddyWater developers adopted CNG, the next-generation Windows cryptographic API, which is unique for Iran-aligned groups and somewhat atypical across the broader threat landscape. During this campaign, the operators deliberately avoided hands-on-keyboard interactive sessions, which is a historically noisy technique often characterized by mistyped commands. Thus, while some components remain noisy and easily detected, as is typical for MuddyWater, overall this campaign shows signs of technical evolution – increased precision, strategic targeting, and a more advanced toolset.

The post-compromise toolset also includes multiple credential stealers: CE-Notes, which targets Chromium-based browsers; LP-Notes, which stages and verifies stolen credentials; and Blub, which steals login data from Chrome, Edge, Firefox, and Opera browsers.

MuddyWater was first introduced to the public in 2017 by Unit 42, whose description of the group’s activity is consistent with ESET’s profiling – a focus on cyberespionage, the use of malicious documents as attachments designed to prompt users to enable macros and bypass security controls, and primarily targeting entities located in the Middle East.

Notable past activities include Operation Quicksand (2020), a cyberespionage campaign targeting Israeli government entities and telecommunications organizations, which exemplifies the group’s evolution from basic phishing tactics to more advanced, multistage operations; and a campaign targeting political groups and organizations in Türkiye, demonstrating the group’s geopolitical focus, its ability to adapt social engineering tactics to local contexts, and reliance on modular malware and flexible C&C infrastructure.

ESET has documented multiple campaigns attributed to MuddyWater that highlight the group’s evolving toolset and shifting operational focus. In March and April 2023, MuddyWater targeted an unidentified victim in Saudi Arabia, and the group conducted a campaign in January and February 2025 that was notable for its operational overlap with Lyceum (an OilRig subgroup). This cooperation suggests that MuddyWater may be acting as an initial access broker for other Iran-aligned groups.

For a more detailed analysis of the latest MuddyWater campaign, check out the latest ESET Research blogpost “MuddyWater: Snakes by the riverbank” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research.

Overview of Fooder loading MuddyViper or other supported payloads


About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

×

Hello!

Click one of our contacts below to chat on WhatsApp

Social Chat is free, download and try it now here!

×