White Papers
GopherWhisper: A burrow full of malware
ESET researchers have discovered a previously undocumented China-aligned APT group that we have named GopherWhisper. The group wields a wide array of tools mostly written in Go, using injectors and loaders to deploy and execute various backdoors in its arsenal. In the observed campaign, the threat actors mainly targeted a government entity in Mongolia. During our analysis, we identified multiple Slack and Discord API tokens and were able to use them to extract C&C messages from those services, which gave us invaluable insights into the group's inner workings.
Gamaredon in 2024: Cranking out spearphishing campaigns against Ukraine with an evolved toolset
ESET researchers provide a comprehensive technical analysis of the new tools introduced into Gamaredon’s arsenal, as well as a detailed description of numerous significant updates made to its existing tools throughout 2024. Furthermore, the paper documents various methods employed by Gamaredon operators in their ongoing attempts to evade network-based blocking and detection.
Marketplace scams: Neanderthals hunting Mammoths with Telekopye
This paper looks under the hood of scams that leverage Telekopye, a toolkit that ESET Research discovered in 2023 and that can turn online marketplace scams into an organized illicit business. Dozens of groups with up to thousands of members each use Telekopye every day to steal millions from their victims. The paper also includes findings about the latest scam scenarios and how Telekopye groups have expanded their targeting to popular accommodation booking platforms, such as Booking.com and Airbnb.
CeranaKeeper: A relentless, shape-shifting group targeting Thailand
In 2023, ESET researchers observed several campaigns that targeted governmental institutions in Thailand and were carried out by a China-aligned cyberespionage group that ESET calls CeranaKeeper. This paper describes the different methods that CeranaKeeper uses to gain access and move laterally to further compromise the entire network of a target. Also, it discusses the single-use tools CeranaKeeper has delivered to backdoored systems and used to exfiltrate gigabytes of data. Finally, with the knowledge gathered, we provide our take on attributing this series of attacks.
Cyberespionage the Gamaredon way: Analysis of toolset used to spy on Ukraine in 2022 and 2023
This white paper provides a technical analysis of the toolset used by the Gamaredon APT group to conduct its cyberespionage activities in 2022 and 2023, that is, since the war in Ukraine escalated in February 2022. This Russia-aligned group has been active since at least 2013 and is currently the most active threat actor in Ukraine, focusing mainly on the country’s governmental institutions, as evidenced over time by ESET telemetry and by several reports from CERT-UA and other official Ukrainian bodies.
Ebury is alive but unseen
ESET Research publishes a deep-dive investigation into one of the most advanced server-side malware campaigns, which is still growing and has seen hundreds of thousands of compromised servers in its at least 15-year-long operation. Among the activities of the infamous Ebury group and botnet over the years has been the spread of spam, web traffic redirections, and credential stealing. In recent years it has diversified to credit card and cryptocurrency theft. Additionally, Ebury has been deployed as a backdoor to compromise almost 400,000 Linux, FreeBSD, and OpenBSD servers; more than 100,000 were still compromised as of late 2023.
How I (could) have stolen your corporate secrets for $100
ESET researchers have found that core routers, the kind that are likely to be found in corporate networks, are often not wiped clean before they are decommissioned and offered for resale. This leaves critical and sensitive configuration data from the original owner or operator accessible to the purchaser and open to abuse.
Remote Desktop Protocol: Configuring remote access for a secure workforce
In the past few years, ESET has seen a rising number of incidents in which attackers connected to Windows servers over the internet using RDP and logged on as administrators. This paper looks at how attacks misusing Remote Desktop Protocol (RDP) progressed throughout 2020 and 2021 and how organizations can defend themselves against RDP-borne attacks.
Under the hood of Wslink’s multilayered virtual machine
ESET researchers recently described Wslink, a unique and previously undocumented malicious loader that runs as a server and that features a virtual-machine-based obfuscator. In this white paper we describe the structure of the virtual machine used in samples of Wslink and suggest a possible approach to see through the obfuscation techniques used in the analyzed samples. We demonstrate our approach on chunks of code of the protected sample. We were not motivated to fully deobfuscate the code, because we discovered a non-obfuscated sample.
