Showing posts with label ESET Research.

Sandworm-Associated DynoWiper Malware Targets Polish Power Infrastructure


A cyber intrusion targeting Poland's energy infrastructure in late 2025 has been described by security experts as one of the largest cyberattacks the country has faced in years. It underscores the growing exposure of critical national systems at a time of rising geopolitical tension.

ESET, a Slovak cybersecurity company, has published findings indicating that the operation was carried out by Sandworm, a Russia-aligned advanced persistent threat group that has been linked to disruptive attacks on energy and industrial networks for more than a decade.

ESET researchers found that the malware used in the incident shows operational patterns and code similarities consistent with Sandworm's past campaigns, indicating that the attack follows the group's established playbook for destructive cyber activity.

According to the researchers, the attackers attempted to deploy a malware strain named DynoWiper, designed to irreversibly destroy files and render affected systems unusable, which could have caused widespread disruption across Poland's electricity sector had it succeeded.

At the time of publication, the Russian Embassy in Washington had not responded to requests for comment. Sandworm, also tracked as UAC-0113, APT44 and Seashell Blizzard, has been active for more than a decade and is widely assessed to be a state-sponsored group operating on behalf of Russian military intelligence.

Security researchers and several Western governments have tied the group to Unit 74455 of Russia's Main Intelligence Directorate (GRU) and have repeatedly accused it of high-impact cyber operations intended to disrupt and degrade critical infrastructure.

Sandworm has been credited with some of the most significant cyber incidents against energy networks, most notably the December 2015 attack on Ukraine's power grid, which combined intrusion into grid control systems with data-wiping malware and left around 230,000 customers without power for several hours.

That episode remains the prototypical example of the group's capabilities and intentions, and it continues to shape assessments of the group's role in more recent attempts to undermine energy systems beyond Ukraine's borders.

ESET's report concluded that the operation bore the hallmarks of Sandworm, a threat actor widely linked to Russia's military intelligence apparatus, based on the tooling and tradecraft observed.

Investigators identified a previously undocumented data-wiping malware, dubbed DynoWiper and detected by ESET as Win32/KillFiles.NMO. The wiper campaign resembled earlier Sandworm wiper campaigns in both technical and operational respects, particularly those observed after Russia's full-scale invasion of Ukraine in February 2022.

In a statement published on December 29, 2025, ESET said the malware had been detected during an attempt to disrupt Poland's energy sector, but that there were no indications the attackers had succeeded in causing outages or permanently damaging the sector.

In an email sent on December 29, Polish authorities confirmed that activity had been observed at two combined heat and power plants and in a system used to manage electricity generation from renewable sources such as wind and solar.

In a public statement, Prime Minister Donald Tusk said the attacks were directed by groups "directly linked to Russian services," and pointed to government plans to strengthen national defenses through additional safeguards and cybersecurity legislation imposing stricter requirements on risk management, IT and operational technology (OT) security, and incident preparedness. Tusk said the legislation is expected to take effect soon.

The timing of the incident also drew analysts' attention, as it coincided with the tenth anniversary of Sandworm's 2015 attack on Ukraine's power grid. That attack, which used the BlackEnergy and KillDisk malware, caused hours-long blackouts for roughly 230,000 customers and is cited as part of a years-long pattern of disruption campaigns against critical infrastructure.

ESET itself noted that the attempted intrusion coincided with the tenth anniversary of the 2015 attack on Ukraine's grid, though it provided limited technical detail beyond identifying the malware involved.

Researchers point out that the use of a custom-built wiper aligns with a broader pattern in Russian cyber operations, in which data-destroying malware has served as a strategic tool. The use of wipers in attacks linked to Moscow has increased significantly since 2022.

Examples include AcidRain, which reportedly disabled roughly 270,000 satellite modems in an effort to disrupt communications in Ukraine, and a number of campaigns against universities, critical infrastructure and other targets attributed to Sandworm. The same is true of the 2017 NotPetya outbreak, a destructive worm that initially targeted Ukrainian organizations but quickly spread worldwide, causing an estimated $10 billion in damage and becoming one of the costliest cyberattacks on record.

It is not yet clear why DynoWiper failed to trigger power outages in Poland; investigators have left open the possibility that the operation was deliberately calibrated to avoid escalation, or that defenses within the country's energy grid stopped it.

In the aftermath, governments and critical infrastructure operators across Europe have been reminded once again that energy systems remain an attractive target for state-backed cyber operations, even when those attacks do not cause immediate disruption.

Security analysts note that the attempt to deploy DynoWiper reflects a continued reliance on destructive malware as a strategic tool, and emphasize the importance of investing in cyber resilience, real-time monitoring, and coordinated incident response across both IT and OT environments.

Although Polish officials are using the episode as a springboard to strengthen their defenses, experts point out that similar threats are unlikely to respect borders, and that geopolitical tensions show little sign of easing.

The failure of the attack may offer some reassurance for now, but it also underscores a larger reality: adversaries continue to probe energy networks for weaknesses, and preparedness and cooperation will be crucial to detecting and neutralizing malware before it causes serious disruption.

PromptLock: the new AI-powered ransomware and what to do about it




Security researchers recently identified a piece of malware named PromptLock that uses a locally hosted large language model to generate and run malicious code on infected machines. The finding comes from ESET researchers and has been reported by multiple security outlets; investigators say PromptLock can enumerate the filesystem, exfiltrate selected data, and encrypt user files, and that code for destructive deletion is present but not active in the analysed samples.


What does “AI-powered” mean here?

Instead of a human writing every malicious script in advance, PromptLock embeds fixed text prompts and feeds them to a language model reached through the Ollama API. The model generates small Lua scripts, which the malware executes immediately. Researchers report the samples target the open-weight gpt-oss:20b model. When the model runs on the infected computer itself, no traffic to a cloud AI provider is generated, which removes one common detection signal. Note, however, that the Ollama API is an ordinary HTTP service (port 11434 by default), so the model could equally sit on another host reachable from the victim network; in that case the API traffic itself becomes something defenders can watch for.


How the malware works

According to the technical analysis, PromptLock is written in Go, produces cross-platform Lua scripts that work on Windows, macOS and Linux, and uses the SPECK 128-bit block cipher to encrypt files in the analysed samples. The prompts include a Bitcoin address that investigators linked to one associated with the pseudonymous Bitcoin creator Satoshi Nakamoto. Early variants have been uploaded to public analysis sites, and ESET treats the discovery as a proof of concept rather than evidence of widespread live attacks.


Why this matters

Two features make this approach worrying for defenders. First, generated scripts vary from run to run, which reduces the effectiveness of static signatures that rely on consistent code; behavioural detection of what the scripts do (mass file reads, renames and encryption) is less affected, since the observable actions stay the same however the script was written. Second, a locally hosted model produces no network traces to cloud providers, so defenders lose one common source of detection and takedown. Together, these traits could make automated malware harder to detect and classify.

Practical, plain steps to protect yourself:

1. Do not run files or installers you do not trust.

2. Keep current, tested backups offline or on immutable storage.

3. Maintain up-to-date operating system and antivirus software.

4. Avoid running untrusted local AI models or services on critical machines, and restrict access to local model APIs.

These steps will reduce the risk from this specific technique and from ransomware in general. 
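The following is an added example, not code from ESET or from the PromptLock samples, showing how step 4 and the behavioural point above can be turned into a detection rule: it correlates constructed endpoint telemetry per process and flags any process outside an allowlist that talks to the Ollama API port (11434, Ollama's default) while also spawning a Lua interpreter or renaming files in bulk. The telemetry format, the allowlist and the rename threshold are assumptions for illustration.

```python
"""Correlate endpoint telemetry to flag a PromptLock-style pattern:
a non-allowlisted process calling an Ollama API (default port 11434)
while also executing Lua scripts or renaming files in bulk.
Added example; the JSON telemetry format, the allowlist and the
thresholds are constructed assumptions, not ESET's detection rules."""
import json
from collections import defaultdict

OLLAMA_PORT = 11434                          # Ollama's default listening port
ALLOWED_CLIENTS = {"ollama", "open-webui"}   # hypothetical: processes allowed to call the API
LUA_INTERPRETERS = {"lua", "lua5.4", "luajit"}
RENAME_THRESHOLD = 2                         # low for the demo; real rules use a rate window

# Constructed sample telemetry (JSON lines), not real data.
SAMPLE_TELEMETRY = """
{"type":"network","pid":4100,"proc":"open-webui","dst_ip":"127.0.0.1","dst_port":11434}
{"type":"network","pid":7331,"proc":"updater","dst_ip":"127.0.0.1","dst_port":11434}
{"type":"process","pid":7331,"proc":"updater","child":"luajit","cmdline":"luajit /tmp/s1.lua"}
{"type":"file","pid":7331,"proc":"updater","op":"rename","path":"/home/bob/Documents/q1.xlsx.locked"}
{"type":"file","pid":7331,"proc":"updater","op":"rename","path":"/home/bob/Documents/q2.docx.locked"}
{"type":"network","pid":5120,"proc":"curl","dst_ip":"10.0.0.9","dst_port":11434}
{"type":"process","pid":6001,"proc":"bash","child":"lua5.4","cmdline":"lua5.4 build.lua"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def correlate(events):
    """Return {pid: {"proc", "severity", "reasons"}} for suspicious processes.

    A process is reported only if it contacted the Ollama port and is not an
    allowed client. Severity is "high" when it also ran Lua or renamed files,
    which is the combination a PromptLock-style loop would produce; a bare
    API call (possibly to a remote model host) is reported as "low".
    """
    state = defaultdict(lambda: {"proc": None, "ollama": False,
                                 "lua": False, "renames": 0})
    for ev in events:
        s = state[ev["pid"]]
        s["proc"] = ev["proc"]
        if ev["type"] == "network" and ev.get("dst_port") == OLLAMA_PORT:
            s["ollama"] = True
        elif ev["type"] == "process" and ev.get("child") in LUA_INTERPRETERS:
            s["lua"] = True
        elif ev["type"] == "file" and ev.get("op") == "rename":
            s["renames"] += 1

    alerts = {}
    for pid, s in state.items():
        if not s["ollama"] or s["proc"] in ALLOWED_CLIENTS:
            continue
        reasons = ["unexpected client of Ollama API"]
        if s["lua"]:
            reasons.append("spawned Lua interpreter")
        if s["renames"] >= RENAME_THRESHOLD:
            reasons.append(f"{s['renames']} file renames")
        severity = "high" if len(reasons) > 1 else "low"
        alerts[pid] = {"proc": s["proc"], "severity": severity, "reasons": reasons}
    return alerts


if __name__ == "__main__":
    for pid, a in correlate(parse_events(SAMPLE_TELEMETRY)).items():
        print(f"pid {pid} ({a['proc']}): {a['severity']} - {'; '.join(a['reasons'])}")
```

Run against the constructed telemetry, the rule reports pid 7331 as high severity (API call plus Lua execution plus renames), pid 5120 as low severity (an ad-hoc client reaching a model on another host), and ignores the allowlisted open-webui process and the developer running lua5.4 without any model access. The point of correlating across event types is that none of the three signals is suspicious on its own.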


Bottom line

PromptLock is a clear signal that attackers are experimenting with local AI to automate malicious tasks. At present it appears to be a work in progress and not an active campaign, but the researchers stress vigilance and standard defensive practices while security teams continue monitoring developments. 



CosmicBeetle Exploits Vulnerabilities in Small Businesses Globally


CosmicBeetle is a cybercriminal group exploiting vulnerabilities in software commonly used by small and medium-sized businesses (SMBs) across Turkey, Spain, India, and South Africa. Their main tool, a custom ransomware called ScRansom, is still under development, leading to various issues in the encryption process. This sometimes leaves victims unable to recover their data, making the ransomware not only dangerous but also unpredictable. 

Based on analysis by Slovak cybersecurity firm ESET, CosmicBeetle's skills as malware developers are relatively immature. This inexperience has led to chaotic encryption schemes, with one victim's machines being encrypted multiple times. Such issues complicate the decryption process, making it unreliable for victims to restore their data even if they comply with ransom demands. Unlike well-established ransomware groups that make decryption smooth to encourage payment, CosmicBeetle's flawed approach undermines its own leverage and leaves victims in a state of uncertainty.

Interestingly, the group has attempted to boost its reputation by implying ties to the infamous LockBit group, a well-known and more sophisticated ransomware operation. However, these claims seem to be a tactic to appear more credible to their victims. CosmicBeetle has also joined the RansomHub affiliate program, which allows them to distribute third-party ransomware, likely as an attempt to strengthen their attack strategies. The group primarily targets outdated and unpatched software, especially in SMBs with limited cybersecurity infrastructure. They exploit known vulnerabilities in Veeam Backup & Replication and Microsoft Active Directory. 

While CosmicBeetle doesn’t specifically focus on SMBs, their choice of software vulnerabilities makes smaller organizations, which often lack robust patch management, easy targets. According to ESET, businesses in sectors such as manufacturing, pharmaceuticals, education, healthcare, and legal industries are particularly vulnerable. CosmicBeetle’s attacks are opportunistic, scanning for weak spots in various sectors where companies might not have stringent security measures in place. Turkey, in particular, has seen a high concentration of CosmicBeetle’s attacks, suggesting that the group may be operating from within the region. 

However, organizations in Spain, India, and South Africa have also been affected, illustrating the group’s global reach. CosmicBeetle’s focus on exploiting older vulnerabilities demonstrates the need for businesses to prioritize patching and updating their systems regularly. One key issue with CosmicBeetle’s operations is the immaturity of their ransomware development. Unlike more experienced cybercriminals, CosmicBeetle’s encryption tool is in a constant state of flux, making it unreliable for victims. While ESET has been able to verify that the decryption tool technically works, its rapid and frequent updates leave victims uncertain whether they can fully recover their data. To reduce the risk of falling victim to such attacks, SMBs must prioritize several cybersecurity measures. 

First and foremost, regular software updates and patch management are essential. Vulnerabilities in widely used platforms like Veeam Backup and Microsoft Active Directory must be addressed promptly. Businesses should also invest in employee cybersecurity training, emphasizing the importance of recognizing phishing attacks and suspicious links. In addition to these basic cybersecurity practices, companies should back up their data regularly and have robust incident response plans. Having a reliable backup strategy can mitigate the damage in the event of a ransomware attack, ensuring that data can be restored without paying the ransom. Companies should also invest in cybersecurity solutions that monitor for unusual network activity, providing early warning signs of potential breaches.

EvilVideo Exploit: Telegram Zero-Day Vulnerability Allows Disguised APK Attacks


A recent zero-day vulnerability in Telegram for Android, dubbed ‘EvilVideo,’ has been exploited by attackers to send malicious Android APK payloads disguised as video files. This significant security flaw was first brought to light when a threat actor named ‘Ancryno’ started selling the exploit on June 6, 2024, on the Russian-speaking XSS hacking forum. 

The vulnerability affected Telegram versions 10.14.4 and older. ESET researchers discovered the flaw after a proof-of-concept demonstration was shared on a public Telegram channel, allowing them to analyze the malicious payload. They confirmed that the exploit worked on Telegram v10.14.4 and older, naming it ‘EvilVideo.’ The vulnerability was responsibly disclosed to Telegram by ESET researcher Lukas Stefanko on June 26 and again on July 4, 2024. Telegram responded on July 4, indicating that they were investigating the report. 

Subsequently, they patched the vulnerability in version 10.14.5, released on July 11, 2024. This timeline suggests that threat actors had at least five weeks to exploit the zero-day vulnerability before it was patched. While it remains unclear if the flaw was actively exploited in attacks, ESET shared a command and control server (C2) used by the payloads at ‘infinityhackscharan.ddns[.]net.’ BleepingComputer identified two malicious APK files using that C2 on VirusTotal that masqueraded as Avast Antivirus and an ‘xHamster Premium Mod.’ 

The EvilVideo zero-day exploit specifically targeted Telegram for Android. It allowed attackers to craft APK files that, when sent to other users on Telegram, appeared as embedded videos. ESET believes the exploit used the Telegram API to programmatically create a message showing a 30-second video preview. With Telegram's default media auto-download setting, channel participants received the payload on their devices as soon as they opened the conversation.

For users who had disabled the auto-download feature, a single tap on the video preview was enough to initiate the file download. When users attempted to play the fake video, Telegram suggested using an external player, which could lead recipients to tap the “Open” button, executing the payload. Despite the threat actor’s claim that the exploit was “one-click,” the multiple clicks, steps, and specific settings required for a successful attack significantly reduced the risk. ESET tested the exploit on Telegram’s web client and Telegram Desktop and found that it didn’t work on these platforms, as the payload was treated as an MP4 video file. 

Telegram’s fix in version 10.14.5 now correctly displays the APK file in the preview, preventing recipients from being deceived by files masquerading as videos. Users who recently received video files requesting an external app to play via Telegram are advised to perform a filesystem scan using a mobile security suite to locate and remove any malicious payloads.
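The lesson of EvilVideo is that a file name and a chat preview say nothing about what a file actually is. As an added example, not code from ESET or Telegram, the following Python inspects the bytes of an attachment instead: an MP4 carries an "ftyp" box at offset 4, while an APK is a ZIP archive (local header PK\x03\x04) containing Android-specific members such as AndroidManifest.xml and classes.dex. The two sample files are constructed in memory for the demonstration.

```python
"""Sniff whether a 'video' attachment is really an Android package.
Added example (not ESET's or Telegram's code): classify by content,
never by extension or preview. Sample inputs are constructed inline."""
import io
import zipfile


def sniff(data: bytes) -> str:
    """Classify bytes as 'mp4', 'apk', 'zip' or 'unknown' from structure alone."""
    # ISO BMFF (MP4/MOV/M4V) files start with a box whose type 'ftyp' sits at offset 4.
    if len(data) >= 8 and data[4:8] == b"ftyp":
        return "mp4"
    # ZIP local file header. An APK is just a ZIP with Android-specific members,
    # so open it and look for those members before deciding.
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "unknown"   # truncated or malformed archive
        if "AndroidManifest.xml" in names or "classes.dex" in names:
            return "apk"
        return "zip"
    return "unknown"


def is_disguised_apk(filename: str, data: bytes) -> bool:
    """True when the name claims a video but the content is an Android package."""
    claims_video = filename.lower().endswith((".mp4", ".mov", ".m4v"))
    return claims_video and sniff(data) == "apk"


def build_fake_apk() -> bytes:
    """Constructed sample: a minimal ZIP with the two members every real APK has."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


def build_fake_mp4() -> bytes:
    """Constructed sample: an 'ftyp' box header, which is all the sniffer needs."""
    return b"\x00\x00\x00\x18ftypisom" + b"\x00" * 16


if __name__ == "__main__":
    for name, blob in [("holiday.mp4", build_fake_apk()), ("holiday.mp4", build_fake_mp4())]:
        print(name, "->", sniff(blob), "disguised APK" if is_disguised_apk(name, blob) else "ok")
```

A messaging client or a mobile security suite scanning downloads should apply this kind of content check before offering to open a file with an external app; in the constructed samples, the "video" built from a ZIP with AndroidManifest.xml is flagged, the real ftyp header is not, and a file honestly named .apk is not a disguise at all.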

GravityRAT: ESET Researchers Discover New Android Malware Campaign


ESET researchers have recently discovered a new Android malware campaign infecting devices with an updated version of GravityRAT, distributed via the messaging apps BingeChat and Chatico. The campaign has been active since August 2022.

According to ESET researcher Lukas Stefanko, who examined a sample after a tip from MalwareHunterTeam, one of the noteworthy new features of the latest GravityRAT version is the ability to collect WhatsApp backup files.

GravityRAT

GravityRAT is a remote access tool that has been used in targeted attacks against India since at least 2015. Versions exist for Windows, Android and macOS, as previously reported by Cisco Talos, Kaspersky and Cyble. The actor behind GravityRAT remains unidentified; ESET tracks the group internally as SpaceCobra.

Although GravityRAT has been active since at least 2015, it only began targeting Android in 2020, and SpaceCobra uses the malware only in narrowly targeted operations.

Current Android Campaign

According to ESET, the app is delivered via bingechat[.]net and possibly other domains or distribution channels; downloading it requires an invite, valid login credentials, or creating a new account.

Registrations are currently closed. The invite-only model lets the threat actors push the malware only to chosen targets, and it also makes it harder for researchers to obtain a sample for analysis.

Once installed on the target's phone, the BingeChat app requests access to contacts, location, phone, SMS, storage, call logs, camera and microphone.

Because legitimate messaging apps commonly ask for the same permissions, the malicious app attracts little suspicion.

Even before the user registers on BingeChat, the app sends call logs, contact lists, SMS messages, device location and basic device information to the threat actor's command and control (C2) server.

It also exfiltrates files with the following extensions: jpg, jpeg, log, png, PNG, JPG, JPEG, txt, pdf, xml, doc, xls, xlsx, ppt, pptx, docx, opus, crypt14, crypt12, crypt13, crypt18 and crypt32. The crypt extensions correspond to WhatsApp's encrypted message database backups (msgstore.db.cryptNN), which is how the WhatsApp backup collection mentioned above is implemented.

While SpaceCobra's campaign mainly targets India, all Android users are advised not to install APKs from anywhere other than Google Play and to scrutinize permission requests carefully when installing any app.