Even searching for protection can be dangerous. Stay informed about new risks with ESET Threat Intelligence

Threat Intelligence can save money, and it doesn’t need to be hard to understand.

Even people living thousands of years ago understood that “knowledge is power”, and amidst the digital era’s rapid developments in technology, including both cyber threats and cyber defense, this ancient wisdom applies more than ever.

A poignant example is recent ESET research on the newly discovered China-aligned APT group PlushDaemon, presented by ESET Malware Researcher Facundo Muñoz at the JSAC 2025 conference. This research shows how users seeking protection in the form of a legitimate South Korean VPN service in fact installed trojanized VPN software that delivered spyware.

ESET endpoint protection stopped the malware, but for those who additionally deploy ESET Threat Intelligence and its diverse feeds, an even more powerful tool lies at their disposal – knowledge. Knowledge about the new threat, the compromised but legitimate URL, and indicators of compromise (IoCs). Using this knowledge, they could readily avoid the threat and check their defenses against the documented PlushDaemon tools.

PlushDaemon

In May 2024, ESET researchers noticed detections of malicious code in an NSIS installer for Windows that users from South Korea had downloaded from the website of a legitimate South Korean VPN company. This installer deployed both the legitimate software and the malicious implant that ESET researchers named SlowStepper.

Another attack vector for PlushDaemon is to intercept network traffic, hijack update protocols, redirect traffic to attacker-controlled servers, and deliver its SlowStepper implant.

At its core, SlowStepper is a backdoor that attempts to establish communication with a C&C server to receive further instructions. Once communication is established, SlowStepper can process multiple commands, such as:

  • Collecting information from the compromised machine, such as the computer name, the list of running processes, the list of installed applications, whether cameras or microphones are connected, and more.
  • Executing a Python module from its toolkit; the output and any files created by the module are sent to the server.
  • Deleting a specified file.
  • Processing various file-related commands, such as creating a complete report about a specified file or deleting a specified file, directory, or all files in a directory.
  • Uninstalling SlowStepper by removing its persistence mechanism and its files.

Dangers of data breaches

Going through the list of SlowStepper’s capabilities, it becomes clear that supply-chain attacks pose significant risks to businesses including financial losses due to system downtime, lost revenue, remediation costs, and reputational damage.

These attacks can also lead to data breaches and consequences can be ruinous. The average cost of a data breach jumped to USD 4.88 million from USD 4.45 million in 2023, according to IBM’s Cost of a Data Breach Report 2024. In fact, third-party breaches including supply chain breaches are among the top 3 factors that amplified breach costs.

On top of that, supply-chain attacks are not rare. Verizon’s 2024 Data Breach Investigations Report (DBIR) saw a 68% year-over-year growth in supply-chain attacks.

Yet these attacks are only a fraction of the cyber threats out there. Here is the list of the most frequent attack vectors, according to IBM’s report:

  • Stolen or compromised credentials – 16%
  • Phishing – 15%
  • Cloud misconfiguration – 12%
  • Unknown zero-day vulnerability – 11%
  • Business Email Compromise – 10%
  • Malicious insider – 7%

Threat intelligence – knowledge that saves money

Seeing these increasingly sophisticated attacks and how concerned businesses are growing about their cybersecurity, it is no surprise that the global threat intelligence market is projected to grow from USD 5.80 billion in 2024 to USD 24.05 billion by 2032.

IBM’s report calculated that a threat intelligence solution decreases average data breach cost by more than USD 240,000.

At the ESET WORLD 2024 conference, Tope Olufon, senior analyst at Forrester, a leading global market research company, stressed the importance of threat intelligence claiming that organizations need to understand the threat landscape and be prepared for upcoming threats.

However, organizations should also be smart about how they use the provided information – threat intelligence is not about counting detected samples but putting them into context and identifying the right stakeholders, according to Mr. Olufon.

What is ESET Threat Intelligence?

Thanks to ESET LiveGrid technology, more than 110 million endpoints act as sensors detecting malware. Combine this data with the knowledge of ESET’s award-winning researchers, and you get a powerful tool that keeps users informed about the current threat landscape, adversaries, malicious programs and their properties, the servers used to propagate them, and even the URLs and domains that spread them.

A threat intelligence feed is an ongoing stream of data related to potential or current threats to an organization’s security that can be easily integrated into SIEM and TIP platforms. Instead of delivering a large amount of non-curated data, ESET shares a curated feed that features top-notch categorization and is pre-filtered so customers can use it according to their preferences. Filtering is done by ESET researchers, who understand the internal data intimately.

Such filtering has multiple advantages for users. ESET feeds may be smaller in quantity, but all of the data are relevant and come with a very low rate of false positives. They also come with a significant amount of additional contextual data.

APT Reports provide contextual information about various adversaries, the latest APTs, technical analysis of threats, and activity summaries of the threat landscape. If a new threat is spreading quickly, ESET sends activity alert reports. Users can secure access to both human-readable reports and machine-readable Indicators of Compromise (IoCs).

If you are interested in ESET research blogs like PlushDaemon, or publicly available ESET APT Activity Reports and Threat Reports, bear in mind that these are just the tip of the iceberg of what you can see in documents received from ESET Threat Intelligence.

Now ESET has updated its Threat Intelligence service which consists of 15 feeds and has restructured the ESET APT reports into 3 tiers. Thus, businesses can choose what’s right for them. For example, while a large enterprise can get all the feeds and the highest tier APT report, some other businesses may opt just for a few feeds that are essential to secure their operations.

Users of the ESET Threat Intelligence APT Reports’ Advanced and Ultimate tiers can reduce complexity further with ESET AI Advisor, a specialized AI chatbot designed to provide information about APTs.

Here is the list of feeds:

  1. Malicious files feed
  2. Domain feed
  3. URL feed
  4. IP feed
  5. Botnet feed with two subfeeds:
    a) Botnet – C&C feed
    b) Botnet – Targets feed
  6. APT IoC feed
  7. Android infostealer feed
  8. Android threats feed
  9. Cryptoscam feed
  10. Malicious email attachments feed
  11. Phishing URL feed
  12. Ransomware feed
  13. Scam URL feed
  14. Smishing feed
  15. SMS scam feed

Feed your knowledge

As the world of cybercrime evolves rapidly and new threats become more sophisticated and agile, having access to intelligence about the threat landscape becomes a necessity. ESET Threat Intelligence and its data feeds can set businesses’ minds at ease, knowing that they regularly receive the latest information about specific dangers.

What’s more, ESET works tirelessly to make this service as simple-to-use as possible. With APT reports enhanced by AI, curated intelligence feeds, filtering, and seamless integration, businesses can have the current threat landscape for breakfast.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

Visual traps exposed: countering deceptive digital attacks with the enhanced ESET Cloud Office Security

New features in ESET Cloud Office Security effectively detect email spoofing and homoglyph attacks.

People are regarded as the weakest link in cybersecurity and are especially prone to falling into the trap of phishing attacks. Companies usually address this with security awareness training, which, while quite useful, can hardly cover every threat employees face in the digital world.

For example, tips for identifying phishing emails usually advise users to check that the sender name is correct. But what if the attacker uses visual tricks so that the forged sender address looks legitimate? Or what if the sender email address is spoofed, so that even careful scrutiny cannot tell real from fake?

To protect companies and their employees from email spoofing and homoglyph attacks, ESET has equipped ESET Cloud Office Security with Anti-Spoofing and Homoglyph Protection features. These features identify subtle differences in malicious emails that the human eye can hardly perceive.

The new version of ESET Cloud Office Security also integrates an Email Clawback feature, which simplifies quarantine management. It also provides an improved dashboard that gives companies a quick overview of the overall security posture of their Microsoft 365 or Google Workspace.

Staggering losses

According to Verizon’s 2024 Data Breach Investigations Report, as many as 68% of breaches involved a non-malicious human element. Most of these attacks were email-based phishing (tricking users into providing sensitive information or downloading malicious content) or pretexting (using a fabricated story or pretext to gain the victim’s trust).

These attacks can cause significant financial losses. IBM’s Cost of a Data Breach Report 2024, conducted by the Ponemon Institute, states that surveyed companies suffered an average business loss of USD 4.88 million from phishing attacks.

ESET research has repeatedly shown that cybercriminals keep refining their phishing techniques in many ways, including attacks that use visual deception to avoid the typical warning signs. In these cases, employees usually face homoglyph attacks, or spoofed emails combined with carefully written body text. Thanks to the availability of today’s high-quality automatic translators and AI chatbots, the latter is not hard to achieve.

Here are some common visually deceptive cyber threats to watch out for:

Email Sender Spoofing – a phishing technique in which the attacker alters the “From” address of an email so that it appears to come from a trusted source. Cybercriminals also commonly set the “Reply-To” field to look like a legitimate address, while replies are actually delivered to the attacker.

Homoglyph Attack – this type of attack exploits the fact that many characters look very similar. To understand the technique, examine the domain name “℮s℮t.com”. At first glance it looks flawless, right? But it is not the real ESET domain name, because it uses the look-alike symbol “℮” instead of the real letter “e”.

Typosquatting – similar to a homoglyph attack, this technique also uses visual trickery to make a phishing link look legitimate. Instead of substituting characters, it relies on small spelling errors, for example using “eseet.com” instead of “eset.com”.

Raising vigilance: technical protection is indispensable

Looking at these real cases, it is clear that typical security awareness courses alone are not enough; they must be complemented by security technology that can detect threats beyond what the human eye can see.

The latest version of ESET Cloud Office Security addresses the above challenges with two new features, Anti-Spoofing and Homoglyph Protection, while also simplifying its email management system.

All these changes reflect ESET’s prevention-first strategy, aimed at reducing the risk associated with advanced threats and greatly shortening the time security teams spend on incident response and remediation.

Key improvements in ESET Cloud Office Security:

Anti-Spoofing – identifies and blocks attackers impersonating trusted sources. Companies can set validation rules for incoming mail based on industry-standard authentication tools (DKIM, SPF, DMARC): DomainKeys Identified Mail (DKIM) checks the email signature, Sender Policy Framework (SPF) checks the sending server, and Domain-based Message Authentication, Reporting & Conformance (DMARC) lets the sender’s domain tell the recipient how to handle mail that fails the two preceding checks.

For example, if an incoming email looks legitimate but lacks a valid digital signature from the legitimate domain (DKIM check failed), it is moved to quarantine. Even if an attacker hijacks a legitimate email account and uses it to send malicious mail, ESET Cloud Office Security can identify the threat, because the IP address of the sending mail server does not match those listed in the domain’s SPF record (SPF check failed).
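
The decision sketched in the two paragraphs above, as an added Python model that is not ESET’s code: SPF is evaluated against a constructed DNS record, the DKIM result is taken as given (the `dkim_domain` field stands for the d= domain of a signature that already verified cryptographically), and the DMARC policy decides what happens when both aligned checks fail. The `require_dkim` flag is an assumed site rule that reproduces the page’s first example, in which a missing signature alone leads to quarantine.

```python
"""Toy model of the SPF / DKIM / DMARC decision for inbound mail.

Added illustration, not ESET's code. SAMPLE_DNS stands in for DNS lookups
and `dkim_domain` stands in for the d= domain of a signature that already
verified cryptographically; both are constructed sample data.
"""
import ipaddress

# Constructed DNS records for one sending domain (RFC 7208 SPF, RFC 7489 DMARC).
SAMPLE_DNS = {
    "example.com": {
        "spf": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
        "dmarc": "v=DMARC1; p=quarantine; adkim=r; aspf=r",
    },
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Return ([(qualifier, network), ...], default qualifier) from an SPF record.
    Only ip4/ip6/all mechanisms are modelled; include/a/mx would need lookups."""
    nets, default = [], "?"
    for term in record.split()[1:]:  # skip the 'v=spf1' version tag
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        if term == "all":
            default = qual
        elif term.startswith(("ip4:", "ip6:")):
            nets.append((qual, ipaddress.ip_network(term.split(":", 1)[1], strict=False)))
    return nets, default


def spf_check(sender_ip, mail_from_domain):
    """SPF result for the connecting IP against the MAIL FROM domain's record."""
    record = SAMPLE_DNS.get(mail_from_domain, {}).get("spf")
    if record is None:
        return "none"
    nets, default = parse_spf(record)
    ip = ipaddress.ip_address(sender_ip)
    for qual, net in nets:
        if ip.version == net.version and ip in net:
            return QUALIFIER[qual]
    return QUALIFIER[default]


def dmarc_policy(header_from_domain):
    """The p= tag of the domain's DMARC record ('none' when absent)."""
    record = SAMPLE_DNS.get(header_from_domain, {}).get("dmarc")
    if record is None:
        return "none"
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags.get("p", "none")


def aligned(auth_domain, header_from_domain):
    """Relaxed DMARC alignment: identical, or one is a subdomain of the other."""
    a, h = auth_domain.lower(), header_from_domain.lower()
    return a == h or a.endswith("." + h) or h.endswith("." + a)


def disposition(msg, require_dkim=False):
    """Decide deliver / quarantine / reject for one message.

    msg keys: sender_ip, mail_from, header_from, dkim_domain (None if no
    signature verified). require_dkim models a stricter site rule in which a
    missing or unaligned DKIM signature alone sends the mail to quarantine.
    """
    header_from = msg["header_from"].rsplit("@", 1)[1]
    mail_from = msg["mail_from"].rsplit("@", 1)[1]
    spf = spf_check(msg["sender_ip"], mail_from)
    spf_ok = spf == "pass" and aligned(mail_from, header_from)
    dkim_ok = msg["dkim_domain"] is not None and aligned(msg["dkim_domain"], header_from)
    if require_dkim and not dkim_ok:
        return "quarantine", f"dkim=fail (required by site rule) spf={spf}"
    if spf_ok or dkim_ok:  # DMARC passes when either aligned check passes
        return "deliver", f"dmarc=pass spf={spf} dkim={'pass' if dkim_ok else 'fail'}"
    policy = dmarc_policy(header_from)
    action = {"reject": "reject", "quarantine": "quarantine"}.get(policy, "deliver")
    return action, f"dmarc=fail spf={spf} dkim=fail p={policy}"


# Constructed messages: genuine mail; mail from a hijacked account relayed via
# an attacker-controlled server (wrong IP, no signature); genuine but unsigned.
LEGIT = {"sender_ip": "203.0.113.10", "mail_from": "news@example.com",
         "header_from": "news@example.com", "dkim_domain": "example.com"}
HIJACKED = {"sender_ip": "198.51.100.7", "mail_from": "news@example.com",
            "header_from": "news@example.com", "dkim_domain": None}
UNSIGNED = {"sender_ip": "2001:db8::1", "mail_from": "news@example.com",
            "header_from": "news@example.com", "dkim_domain": None}

if __name__ == "__main__":
    for name, m in [("legit", LEGIT), ("hijacked", HIJACKED), ("unsigned", UNSIGNED)]:
        print(name, disposition(m), disposition(m, require_dkim=True))
```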

Homoglyph Protection – identifies malicious email domains that imitate legitimate domains by substituting letters (using look-alike characters or characters from other alphabets). Companies protected by ESET Cloud Office Security can set rules that only allow email from correctly spelled domain names. This feature identifies the spoofed domain name “℮s℮t.com” because the Unicode code point of the look-alike symbol “℮” differs from that of the letter “e”.
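
The homoglyph and typosquatting cases above (℮s℮t.com, eseet.com), as an added Python example that is not ESET’s implementation: a domain is reduced to its visual skeleton by folding a constructed subset of Unicode confusables, then compared with a constructed allowlist. It goes a little beyond the page’s example by also decoding Punycode labels and covering Cyrillic look-alikes; `CONFUSABLES`, `ALLOWLIST` and the 0.85 similarity threshold are assumptions.

```python
"""Homoglyph and typosquatting detection for sender domains.

Added example, not ESET's implementation. CONFUSABLES is a small constructed
subset of Unicode's confusables table, and ALLOWLIST is constructed sample
data standing in for the 'correctly spelled domains' rule described above.
"""
import unicodedata
from difflib import SequenceMatcher

# Look-alike code points folded to the ASCII letter they imitate. Includes the
# '℮' (U+212E) from the page's example plus a few Cyrillic/Greek letters.
CONFUSABLES = {
    "\u212e": "e",  # ℮ ESTIMATED SYMBOL
    "\u0435": "e",  # Cyrillic small ie
    "\u0430": "a",  # Cyrillic small a
    "\u043e": "o",  # Cyrillic small o
    "\u03bf": "o",  # Greek small omicron
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0455": "s",  # Cyrillic small dze
    "\u0456": "i",  # Cyrillic small Byelorussian-Ukrainian i
    "\u0131": "i",  # Latin small dotless i
    "\u0142": "l",  # Latin small l with stroke
    "\u2113": "l",  # script small l
    "0": "o",       # digit zero vs letter o
    "1": "l",       # digit one vs letter l
}

ALLOWLIST = {"eset.com", "example.com"}  # constructed: domains the site trusts
TYPO_THRESHOLD = 0.85  # similarity above which a non-identical name is suspicious


def skeleton(domain):
    """Visual skeleton of a domain: Punycode decoded, NFKC-normalized (folds
    full-width letters etc.), lower-cased, confusables replaced."""
    try:
        domain = domain.encode("ascii").decode("idna")  # xn-- labels -> Unicode
    except UnicodeError:
        pass  # already contains non-ASCII characters, nothing to decode
    text = unicodedata.normalize("NFKC", domain).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def classify(domain):
    """Return (verdict, matched_allowlisted_domain).

    'allowed'    exact, correctly spelled allowlisted domain
    'homoglyph'  same skeleton as an allowlisted domain but different code points
    'typosquat'  name within TYPO_THRESHOLD of an allowlisted domain
    'unknown'    no resemblance to anything on the allowlist
    """
    plain = domain.lower()
    if plain in ALLOWLIST:
        return "allowed", plain
    skel = skeleton(domain)
    for good in sorted(ALLOWLIST):
        if skel == skeleton(good):
            return "homoglyph", good
    best = max(sorted(ALLOWLIST), key=lambda g: SequenceMatcher(None, skel, g).ratio())
    if SequenceMatcher(None, skel, best).ratio() >= TYPO_THRESHOLD:
        return "typosquat", best
    return "unknown", None


def explain(domain):
    """List each substituted character as 'U+XXXX -> letter' for an analyst,
    i.e. the code-point difference the text says the human eye cannot see."""
    return [f"U+{ord(ch):04X} -> {CONFUSABLES[ch]}" for ch in domain if ch in CONFUSABLES]


if __name__ == "__main__":
    for d in ["eset.com", "\u212es\u212et.com", "eseet.com", "unrelated.org"]:
        print(d, classify(d), explain(d))
```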

Email Clawback – simplifies the management of quarantined emails. Users can easily quarantine any suspicious email that has already been delivered and, if it turns out to be a false positive, restore it with a single click.

Improved Dashboard – the ESET Cloud Office Security dashboard provides an overview of key information, including the total number of protected users, license usage, the users receiving the most spam, malicious and phishing emails, and the highest-risk OneDrive, Google Drive, SharePoint and Teams accounts or groups/sites. Administrators can also view detection details for Exchange Online, Gmail, OneDrive, Google Drive, SharePoint and Teams, covering spam, malware and phishing.

The improved dashboard offers fully customizable tabs and components to meet the specific needs of administrators and of companies of different sizes, including SMBs, managed service providers (MSPs) and large enterprises.

Looking at long-term protection

As threat actors keep refining their phishing tricks, the chance that employees successfully identify malicious emails, despite security awareness training, keeps falling. To mitigate these threats effectively, companies urgently need advanced security tools that can detect and intercept emails that are hard to tell from genuine ones. ESET Cloud Office Security excels in this area, effectively blocking email spoofing and homoglyph attacks before they reach the user. In this way it helps companies guard against potential financial losses, reputational damage and operational disruption. With ESET Cloud Office Security, stay one step ahead of cybercriminals and protect your company’s future.

About ESET
Founded in 1992, ESET is a global provider of computer security software for businesses and individual users. Its award-winning product, the NOD32 antivirus system, provides real-time protection of computer systems against known and unknown viruses, spyware, rootkits and other malware. ESET NOD32 uses the fewest system resources, detects fastest, provides the most effective protection, and has won more Virus Bulletin 100 awards than any other antivirus product. ESET has been named a Deloitte Technology Fast 500 company for five consecutive years, has an extensive partner network including internationally renowned companies such as Canon, Dell and Microsoft, has offices in Bratislava (Slovakia), Bristol (UK), Buenos Aires (Argentina), Prague (Czech Republic) and San Diego (USA), and its agencies cover more than 100 countries worldwide.

About Version 2 Digital
Version 2 Digital is a value-added distributor and IT developer based in Asia. The company distributes and develops a wide range of IT products across areas including cyber security, cloud, data protection, endpoints, infrastructure, system monitoring, storage, network management, business productivity and communication products. Through its extensive network, channels, points of sale, distributors and partners, Version 2 offers products and services that are highly acclaimed in the market. Version 2’s sales network covers Taiwan, Hong Kong, Macau, mainland China, Singapore, Malaysia and other Asia-Pacific regions, and its customers come from all industries, including Global 1000 multinationals, listed companies, public utilities, healthcare, finance, educational institutions, government departments, countless successful SMEs and consumers in Asian cities.

ESET Launches Ransomware Remediation and AI Advisor Updates at ESET World 2025

  • ESET adds Ransomware Remediation to the ESET PROTECT Platform – offering next-gen ransomware rollback enhanced with remediation features. Working in tandem with ESET’s proprietary Ransomware Shield, Ransomware Remediation enables comprehensive rollback through automated file restoration from secure backups, limiting threat actor attempts to raise remediation costs.
  • ESET Cloud Office Security module updated with anti-spoofing and homoglyph protection, profoundly improving email security.
  • ESET has also expanded the availability of AI Advisor to its EDR/XDR customers, including those with ESET PROTECT Enterprise, ESET PROTECT Elite, and ESET PROTECT MDR subscriptions – while making performance updates.

LAS VEGAS, Nev., March 25, 2025 — ESET, a global leader in cybersecurity solutions, today released new updates for the ESET PROTECT Platform, including Ransomware Remediation, a new way to prevent ransomware encryption from causing long-term business disruption, as well as new functionalities for ESET Cloud Office Security and the ESET AI Advisor. These new cybersecurity features were launched at ESET World 2025, taking place in Las Vegas from March 24 to 26, 2025, at the ARIA Resort & Casino.

As ransomware attacks increase in sophistication, threat actors seek to undermine nearly all areas of business security and stability. One well-known and widely used attack is encryption, which prevents you from accessing your device and the data stored on it. To cause costly process disruption and ultimately force firms to pay to decrypt their systems, threat actors often target system backups, such as Volume Shadow Copy, by immediately deleting or corrupting them. This makes recovery nearly impossible and drives up remediation costs.

Building on ESET LiveSense, ESET’s next-gen Ransomware Remediation feature works in concert with Ransomware Shield to immediately create backups until the system confirms whether the suspicious activity is malicious or benign. If malicious, Ransomware Shield will kill the process and roll back the files from the newly created secure backups. If benign, the backups created can be discarded. Unlike other solutions, Ransomware Remediation has its own protected storage section on the drive, where files cannot be modified, corrupted, or deleted by the attacker. This differentiator actively solves one of the most common failings of regular backups during a ransomware attack. As a free addition for customers signed up for the ESET PROTECT Advanced tier and above, Ransomware Remediation is available for Windows-based systems.

“ESET has a history of innovation in mitigating ransomware, both in the context of our endpoint security platform, our service offerings such as ESET MDR, and our part in the ‘No More Ransom’ initiative, which partners with law enforcement and IT Security companies to disrupt cybercriminal businesses with ransomware connections,” said Michal Jankech, Vice President, Enterprise & SMB/MSP at ESET. “ESET’s Ransomware Remediation delivers comprehensive Ransomware defense, from encryption, theft and data holding. Easy to use, ESET’s Ransomware Remediation offers businesses peace of mind as we help them in the fight against ransomware.”

Email Security and AI Advisor Updates

ESET has added anti-spoofing and homoglyph protection to its ESET Cloud Office Security module, preventing attackers from pretending to be trusted sources while also identifying their efforts to disguise malicious domains or URLs through letter substitution from other alphabets. Moreover, ESET Cloud Office Security now also has an email clawback feature, enabling swift recall and quarantine of any delivered emails deemed suspicious. New dashboards are visually enhanced and include fully customizable tabs and components that fit a user’s specific needs.

ESET has also expanded the availability of AI Advisor to its EDR/XDR customers, including those with ESET PROTECT Enterprise, ESET PROTECT Elite, and ESET PROTECT MDR subscriptions – while making performance updates. By investing in AI, businesses are able to access SOC-level advisory, enabling enhanced security analyst workflows. Unlike other vendor offerings and typical generative AI assistants that focus on soft features like administration or device management, ESET AI Advisor seamlessly integrates into the day-to-day operations of security analysts. This is a gamechanger for companies with limited IT resources that want to utilize the advantages of advanced XDR solutions and threat intelligence feeds.

For more information about the ESET LiveSense technologies used by the ESET PROTECT Platform, please visit here.

For more information about the ESET PROTECT Platform, please visit our dedicated webpage.

For more information about ESET Cloud Office Security and the ESET AI Advisor, please visit our webpage and our AI blog.

To discover how ESET has been handling ransomware, please read ESET MDR success stories and ESET Inspect’s preventive power.

How to turn back time on ransomware

Security solutions including ransomware remediation bolster resiliency and business continuity.

Ransomware is a critical threat that can instantly encrypt and lock users out of business computers, halting essential work processes. According to IBM’s Cost of a Data Breach Report 2024, the average cost of a ransomware attack is a staggering $4.91 million, with expenses escalating if law enforcement is involved. Recovery can span days, months, or even years, depending on the threat actor’s persistence and the security team’s preparedness. For companies that face double extortion ransomware – where cybercriminals encrypt sensitive user data and also threaten to publish it on the dark web, sell it to the highest bidder, or restrict access if the ransom is unpaid – the timeline for recovery can be even longer.

This makes recovery and related expenditures not just problematic, but potentially devastating, often leaving businesses at the mercy of cybercriminals even after paying the initial ransom.

A critical landscape for businesses of all sizes

The rapidly evolving nature of ransomware, including the involvement of nation-state actors, has created an increasingly hostile threat landscape for small and medium-sized businesses (SMBs), enterprises, and state infrastructure. Ransomware now accounts for 23% of all breaches, with SMBs particularly vulnerable due to limited cybersecurity budgets. In the Asia-Pacific region, 1 in 4 attacks against SMBs were ransomware-related, according to ESET. The urgency to bolster defenses has never been greater, as the frequency and sophistication of these attacks continue to rise.

What is ESET Ransomware Remediation?

Minimizing business impact in the event of a ransomware attack is paramount. Thus, ESET Ransomware Remediation (RR) combines prevention and remediation into one, providing a comprehensive multistage approach to combating encryption.

It all starts with the ESET Ransomware Shield (RS), which is triggered by suspicious actions. Like other behavioral detection systems, such as the ESET Host-based Intrusion Prevention System, it works in concert with ESET LiveSense technologies, dissecting and analyzing malware to its core. If ransomware is likely, RS flags it and initiates remediation.

ESET RR then starts creating file backups for any file operation impacted by the flagged process (before it can make any modifications). It will continue to do so until RS decides the process is OK, at which point the backup is discarded. Otherwise, RS decides the process is malicious, kills it, and rolls back files from the backup.

Ransomware Remediation is highly configurable. Adding or removing file types that need to be backed up can make a large difference.

This backup process is much more robust, as unlike Windows Volume Shadow Copy-based solutions, it is not a local service that can be abused by the attackers. RR has its own protected storage section on the drive where files cannot be modified or corrupted, nor can the backup be deleted by the attacker. This solves and actively blocks one of the most common failings of regular backups following a ransomware attack.

Days of future past

The role of the admin in the RR process is to understand the capabilities and add file types to the filter that RR applies when creating backups. The only limit to the backups is disk size (and a max size of 30MB per file).
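
The snapshot-then-decide flow described in the paragraphs above, as an added Python model that is not ESET’s code: a hook copies each protected file before a flagged process writes to it, and the copies are either discarded (benign verdict) or restored (malicious verdict). The file-type filter and the 30 MB per-file cap come from the text; `RemediationSession`, the simulated encryptor and the temporary-directory store are assumptions, and the store is an ordinary directory rather than the protected area the text describes.

```python
"""Model of the snapshot-then-decide flow of a ransomware rollback feature.

Added illustration, not ESET's implementation: the file-type filter and the
30 MB per-file cap mirror the configuration points mentioned in the text,
while the verdict on the flagged process is simulated instead of coming from
a behavioral engine. Everything runs in a throwaway temporary directory.
"""
import os
import shutil
import tempfile
from pathlib import Path

MAX_BACKUP_BYTES = 30 * 1024 * 1024  # per-file cap stated in the text


class RemediationSession:
    """One flagged process: keeps a pre-modification copy of every protected
    file it touches until the process is judged benign or malicious.

    Note: a plain directory is NOT tamper-proof; the text describes a protected
    storage area that the attacker cannot modify or delete, which this toy
    cannot provide.
    """

    def __init__(self, store_dir, protected_suffixes):
        self.store = Path(store_dir)
        self.store.mkdir(parents=True, exist_ok=True)
        self.suffixes = {s.lower() for s in protected_suffixes}
        self.backups = {}   # original Path -> snapshot Path
        self.skipped = []   # files passed over by the filter or the size cap

    def before_write(self, path):
        """Hook invoked before the flagged process modifies `path`.
        Snapshots the file once; later writes to the same file reuse it."""
        path = Path(path)
        if path in self.backups or not path.is_file():
            return False
        if path.suffix.lower() not in self.suffixes or path.stat().st_size > MAX_BACKUP_BYTES:
            self.skipped.append(path)
            return False
        dest = self.store / f"{len(self.backups):06d}{path.suffix}"
        shutil.copy2(path, dest)
        self.backups[path] = dest
        return True

    def verdict_benign(self):
        """Process judged clean: snapshots are discarded. Returns count dropped."""
        count = len(self.backups)
        self.backups.clear()
        shutil.rmtree(self.store, ignore_errors=True)
        return count

    def verdict_malicious(self):
        """Process judged malicious: every snapshot is copied back over the
        (now encrypted) original. Returns the list of restored paths."""
        restored = []
        for original, snapshot in self.backups.items():
            shutil.copy2(snapshot, original)
            restored.append(original)
        self.backups.clear()
        shutil.rmtree(self.store, ignore_errors=True)
        return restored


def simulate_encryptor(session, files):
    """Stand-in for the flagged process: overwrites each file with junk, going
    through the before_write hook first (constructed scenario, no real crypto)."""
    for f in files:
        session.before_write(f)
        Path(f).write_bytes(b"\x00ENCRYPTED\x00" + os.urandom(16))


def demo(verdict="malicious"):
    """Run the flow in a temp dir; report which files are intact afterwards."""
    root = Path(tempfile.mkdtemp(prefix="rr_demo_"))
    docs = {
        root / "report.docx": b"quarterly numbers",  # protected type
        root / "notes.txt": b"todo list",            # protected type
        root / "cache.tmp": b"scratch",              # not in filter -> not backed up
    }
    for p, data in docs.items():
        p.write_bytes(data)
    session = RemediationSession(root / "_rr_store", [".docx", ".xlsx", ".txt"])
    simulate_encryptor(session, list(docs))
    if verdict == "malicious":
        session.verdict_malicious()
    else:
        session.verdict_benign()
    intact = {p.name: p.read_bytes() == data for p, data in docs.items()}
    shutil.rmtree(root, ignore_errors=True)
    return intact


if __name__ == "__main__":
    print("malicious:", demo("malicious"))  # protected files restored, cache.tmp lost
    print("benign:   ", demo("benign"))     # snapshots discarded, nothing restored
```

The `cache.tmp` outcome is the point of the admin's filter: only file types on the list are snapshotted, so anything left off it is not rolled back.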

While ESET Ransomware Remediation is very powerful, having other backups as described by the 3-2-1 rule is still a best practice. Always remember to have at least three different copies of data (including the original), two different media types (disk, tape), and one off-site copy (cloud).

All in all, ransomware can be quite sophisticated and troublesome, but it can still be combated. And thanks to secure backups, time travel is not so sci-fi anymore.

For more information on how ESET Ransomware Remediation works, please visit our webpage.

ESET Research investigates RansomHub, dives into EDR killers, uncovers ties among rival gangs

  • ESET Research releases its analysis of the current ransomware ecosystem with focus on ransomware-as-a-service gang RansomHub.
  • ESET discovered links between the RansomHub, Play, Medusa, and BianLian ransomware gangs by following the trail of tooling that RansomHub offers its affiliates.
  • ESET analysis documents findings about EDRKillShifter and offers insights into the emerging threat of EDR killers.

PRAGUE, BRATISLAVA, March 26, 2025 — ESET researchers have released a deep-dive analysis of significant changes in the ransomware ecosystem, with a focus on the newly emerged and currently dominant ransomware-as-a-service gang RansomHub. The report shares previously unpublished insights into RansomHub’s affiliate structure and uncovers clear connections between this newly emerged giant and the well-established gangs Play, Medusa, and BianLian. Furthermore, ESET highlights the emerging threat of Endpoint Detection and Response (EDR) killers, unmasking EDRKillShifter, a custom EDR killer developed and maintained by RansomHub. ESET has observed an increase in ransomware affiliates using EDR killer code derived from publicly available proofs of concept, while the set of drivers being abused is largely unchanged.

“The fight against ransomware reached two milestones in 2024: LockBit and BlackCat, formerly the top two gangs, dropped out of the picture. And for the first time since 2022, recorded ransomware payments dropped significantly by a stunning 35%. On the other hand, the recorded number of victims announced (to be outed publicly) on dedicated leak sites increased by roughly 15%. A big part of this increase is due to RansomHub, a new ransomware-as-a-service (RaaS) gang that emerged around the time of law-enforcement Operation Cronos, which disrupted LockBit activities,” says ESET researcher Jakub Souček, who investigated RansomHub.

Like any emerging RaaS gang, RansomHub needed to attract affiliates — who rent ransomware services from operators — and since there is strength in numbers, the operators weren’t very picky. The initial advertisement was posted on the Russian-speaking RAMP forum in early February 2024, eight days before the first victims were posted. RansomHub prohibits attacking nations from the post-Soviet Commonwealth of Independent States, Cuba, North Korea, or China. Interestingly, it lures affiliates in with the promise that they will receive the whole ransom payment to their wallet, and the operators trust the affiliates to share 10% with them, something quite unique.

In May, RansomHub operators made a significant update: They introduced their own EDR killer — a special type of malware designed to terminate, blind, or crash the security product installed on a victim’s system — typically by abusing a vulnerable driver.

RansomHub’s EDR killer, named EDRKillShifter, is a custom tool developed and maintained by the gang. EDRKillShifter is offered to RansomHub affiliates. Functionality-wise, it is a typical EDR killer targeting a large variety of security solutions that the RansomHub operators expect to find protecting the networks they aim to breach.

“The decision to implement a killer and offer it to affiliates as part of the RaaS program is rare. Affiliates are typically on their own to find ways to evade security products — some reuse existing tools, while more technically oriented ones modify existing proofs of concept or utilize EDR killers available as a service on the dark web. ESET researchers saw a steep increase in the use of EDRKillShifter, and not exclusively in RansomHub cases,” explains Souček.

Advanced EDR killers consist of two parts — a user mode component responsible for orchestration (the killer code) and a legitimate, but vulnerable, driver. The execution is typically very straightforward — the killer code installs the vulnerable driver, typically embedded in its data or resources, iterates over a list of process names of security software, and issues a command to the vulnerable driver, resulting in triggering the vulnerability and killing the process from kernel mode. “Defending against EDR killers is challenging. Threat actors need admin privileges to deploy an EDR killer, so ideally, their presence should be detected and mitigated before they reach that point,” adds Souček.

ESET discovered that RansomHub’s affiliates are working for three rival gangs — Play, Medusa, and BianLian. Discovering a link between RansomHub and Medusa is not that surprising, as it is common knowledge that ransomware affiliates often work for multiple operators simultaneously. On the other hand, one way to explain Play and BianLian having access to EDRKillShifter is that they hired the same RansomHub affiliate, which is unlikely given the closed nature of both gangs. Another, more plausible explanation is that trusted members of Play and BianLian are collaborating with rivals, even newly emerged ones like RansomHub, and then repurposing the tooling they receive from those rivals in their own attacks. Play has been linked to the North Korea-aligned group Andariel.

For a more detailed analysis of RansomHub and EDRKillShifter, check out the latest ESET Research blogpost “Shifting the sands of RansomHub’s EDRKillShifter” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research.

Schematic overview of the links between Medusa, RansomHub, BianLian, and Play
