• ESET has released its latest Threat Report, which summarizes threat landscape trends seen in ESET telemetry and from the perspective of ESET experts, from December 2023 through May 2024.
• Infostealers started to impersonate generative AI tools such as Midjourney, Sora, and Gemini. 
• New mobile malware GoldPickaxe is capable of stealing facial recognition data to create deepfake videos.
• RedLine Stealer saw several detection spikes in ESET H1 2024 telemetry, caused by campaigns in Spain, Japan and Germany.
• Balada Injector, a gang notorious for exploiting WordPress plugin vulnerabilities, continued to run rampant in the first half of 2024, compromising over 20,000 websites as ESET telemetry detected 400,000 hits.

BRATISLAVA — June 27, 2024 — ESET has released its latest Threat Report, which summarizes threat landscape trends seen in ESET telemetry and from the perspective of both ESET threat detection and research experts, from December 2023 through May 2024. These past six months painted a dynamic landscape of Android financial threats, malware going after victims’ mobile banking funds – be they in the form of “traditional” banking malware or, more recently, cryptostealers. Infostealing malware can now be found impersonating generative AI tools, and new mobile malware GoldPickaxe is capable of stealing facial recognition data to create deepfake videos used by the malware’s operators to authenticate fraudulent financial transactions. Video games and cheating tools used in online multiplayer games were recently found to contain infostealer malware such as the RedLine Stealer, which saw several detection spikes in H1 2024 in ESET telemetry.

“GoldPickaxe has both Android and iOS versions and has been targeting victims in Southeast Asia through localized malicious apps. As ESET researchers investigated this malware family, they discovered that an older Android sibling of GoldPickaxe, called GoldDiggerPlus, has also tunneled its way to Latin America and South Africa by actively targeting victims in these regions,” explains Jiří Kropáč, Director of ESET Threat Detection.

In recent months Infostealing malware also began to utilize the impersonation of generative AI tools. In H1 2024, Rilide Stealer was spotted misusing the names of generative AI assistants, such as OpenAI’s Sora and Google’s Gemini, to entice potential victims. In another malicious campaign, the Vidar infostealer was lurking behind a supposed Windows desktop app for AI image generator Midjourney – even though Midjourney’s AI model is only accessible via Discord. Since 2023, ESET Research has increasingly seen cybercriminals abusing the AI theme – a trend that is expected to continue.

Gaming enthusiasts who ventured out of the official gaming ecosystem were attacked by infostealers, as some cracked video games and cheating tools used in online multiplayer games were recently found to contain infostealer malware such as Lumma Stealer and RedLine Stealer. RedLine Stealer saw several detection spikes in H1 2024 in ESET telemetry, caused by campaigns in Spain, Japan, and Germany. Its recent waves were so significant that RedLine Stealer detections in H1 2024 surpassed those from H2 2023 by a third.

Balada Injector, a gang notorious for exploiting WordPress plug-in vulnerabilities, continued to run rampant in the first half of 2024, compromising over 20,000 websites and racking up over 400,000 hits in ESET telemetry for the variants used in the gang’s recent campaign. On the ransomware scene, former leading player LockBit was knocked off its pedestal by Operation Chronos, a global disruption conducted by law enforcement in February 2024. Although ESET telemetry recorded two notable LockBit campaigns in H1 2024, these were found to be the result of non-LockBit gangs using the leaked LockBit builder.

The ESET Threat Report features news about recently released deep-dive investigation into one of the most advanced server-side malware campaigns, which is still growing – Ebury group, with their malware and botnet. Over the years, Ebury has been deployed as a backdoor to compromise almost 400,000 Linux, FreeBSD, and OpenBSD servers; more than 100,000 were still compromised as of late 2023.

For more information, check out the ESET Threat Report H1 2024 on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X) for the latest news from ESET Research.

Is it strange that cybersecurity companies would be called to share their expertise in a military simulation of today’s digital battlespace? The answer seems to be a resounding no.

However, despite being civilian organizations that don’t drill cyber-military scenarios, full-stack cybersecurity companies consider every day to be the real thing, with malware researchers, threat monitoring analysts, and product R&D teams alternating in various combinations to help set up and test our clients’ IT security and monitor for and deter threats. To be successful, our teams must master an agile phalanx-like approach to protect the collective of online users.

The phalanx, an ancient box-like formation that enabled classical Greek heavy infantry – composed of citizen-soldiers – to rapidly form ranks into a tight defensive structure of overlapping shields, is a well-chosen muse for Locked Shields, the annual cyber-wargaming event organized by the NATO Cooperative Cyber Defense Centre of Excellence. Locked Shields, and the phalanx that inspired it, is the perfect bridge to connect today’s digital present to the analog past, demonstrating that Trojan horses and other ancient battle tactics are still relevant in today’s battlespace.

On April 24-25, more than 60 ESET system engineers, security monitoring analysts, malware researchers and analysts, and communications specialists formed ranks with defenders from the Slovak and Hungarian militaries and the private and academic sectors to defend our assigned battlespace, within a virtual nation named Berylia, against massive cyberattacks designed to cripple the country and create public unrest.

Underpinned by this year’s Locked Shields theme “Collaboration is our protection,” our citizen-soldiers used their skills, experience, and tool sets to achieve fourth place out of 18 teams. To give a further sense of scale, the simulation brought together over 4,000 participants from 39 countries to deliver the largest Locked Shields event yet.

Along with our on-loan cyber warriors and their significant professional experience, ESET brought several pieces of critical kit to the simulated battlespace:

• ESET PROTECT: Our comprehensive AI-native multilayered security platform. With ESET LiveGrid and LiveGuard (Advanced) layers enabled, PROTECT was deployed in its most potent configuration.
• ESET Inspect: The mature XDR-enabling detection and response module of the ESET PROTECT Platform.

Team Berylia was given a few windows of time to explore the virtual battlespace and calibrate tools before the hostilities began. This meant establishing the processes of:

• Deploying ESET endpoint security solutions, the ESET Inspect agent, and other security agents.
• Setting up and configuring the IT systems Team Berylia would use to manage the power grid, gas distribution, air defense, satellite, 5G, and situational awareness systems, to name a few.
• Calibrating ESET Inspect detections to Berylia’s network, thus reducing noise and giving our defenders the time to allocate threat monitoring and remediation capacity where the battle dictated.

Based on our experience with providing detection and response services to our customers, we also established other proven processes and tools, deployed across critical areas, that tremendously helped us during the execution phase.

The exercise included elements that strongly correlated with a security vendor’s business-as-usual operations. For example, ESET and others supplied communications experts who were tasked with preparing reports, such as the SITREP (situation report), used to help defenders keep track of the cyber situation and the status of all capabilities, and the Cyber Threat Intelligence report (CTIREP), which provides an evidence-based analysis of emerging threats.

In parallel, the legal team managed cooperation agreements between infrastructure operators in Berylia, and their cross-border allies, to share electricity and provided counsel to ensure defensive operations remained adherent to international law.

We successfully rebuffed the network attacks on the firewall and against the following systems: air defense, gas distribution, and power grid. In addition, the defenders quickly hunted down most of the pre-planted backdoors, both known and custom, severely limiting the usefulness of this attack vector for the Lock Shields’ (aggressor) red team. Unfortunately, a simulated thunderstorm took down our power grid.

But fortune smiles upon the prepared. Our communications and legal teams, and power grid operators, were able to mitigate the impact in a great demonstration of teamwork and coordinated operations between multiple (defender) blue teams. This was proof that a phalanx can still be deployed, even in the modern hybrid battlespace. Cooperation with the friendly neighboring teams happened in two key ways:

• First, quick communication, legal analysis, and agreements with neighboring power suppliers allowed electricity supply to be restored.
• Second, we provided these neighbors with threat intelligence derived from the attacks we had already experienced.

This collaborative defense approach was backed by the sharing of indicators of compromise (IoCs) via the Malware Information Sharing Platform (MISP) server, which provided mutually enriching data points for threat hunting by all blue teams.

In short, this cyber-battle simulation was an intensively immersive experience for all the technologists involved, be it threat analysts trying to understand tactics to anticipate the next stages of an attack or engineers configuring cyber defenses. Locked Shields is proof that our experts, well versed in operations on the digital front lines, could drop the normal constraints of cybersecurity for businesses and partner with both national and European defense structures when called upon.

With collaboration being the focus of the 15th annual exercise under the theme “Collaboratio tutela nostra est,” or ‘Collaboration is our protection’, ESET supplied the Slovak-Hungarian team with defensive capabilities that contributed to the team’s top three placings in:

• Cyber threat intelligence
• Client-side protection
• Forensics
• Strategic communications

Taking fourth place out of 18 participating teams, made up of similarly composed cross-country units, the Slovak-Hungarian team successfully achieved its strategic objectives, building not only on expertise and state-of-the-art security technologies but, most importantly, on communication and intensive cooperation between the participants.

Likely considered underdogs by many, we punched well above our weight and tested ourselves and our security technologies to the limit. ESET considers this fertile ground for new ideas and further collaboration experience and a great demonstration of the reasons why we’ve been successful at protecting progress for more than 30 years.