White Papers

This paper looks under the hood of scams that leverage Telekopye, a toolkit that ESET Research discovered in 2023 and that can turn online marketplace scams into an organized illicit business. Dozens of groups with up to thousands of members each use Telekopye every day to steal millions from their victims. The paper also includes findings about the latest scam scenarios and how Telekopye groups have expanded their targeting to popular accommodation booking platforms, such as Booking.com and Airbnb.

In 2023, ESET researchers observed several campaigns that targeted governmental institutions in Thailand and were carried out by a China-aligned cyberespionage group that ESET calls CeranaKeeper. This paper describes the different methods that CeranaKeeper uses to gain access and move laterally to further compromise the entire network of a target. Also, it discusses the single-use tools CeranaKeeper has delivered to backdoored systems and used to exfiltrate gigabytes of data. Finally, with the knowledge gathered, we provide our take on attributing this series of attacks.

This white paper provides a technical analysis of the toolset used by the Gamaredon APT group to conduct its cyberespionage activities in 2022 and 2023, or since the war in Ukraine escalated in February 2022. This Russia-aligned group has been active since at least 2013 and is currently the most active threat actor in Ukraine, focusing mainly on the country’s governmental institutions, as evidenced over time by ESET telemetry, in several reports from CERT-UA, and from other official Ukrainian bodies.

ESET Research publishes a deep-dive investigation into one of the most advanced server-side malware campaigns, which is still growing and has seen hundreds of thousands of compromised servers in its at least 15-year-long operation. Among the activities of the infamous Ebury group and botnet over the years has been the spread of spam, web traffic redirections, and credential stealing. In recent years it has diversified to credit card and cryptocurrency theft. Additionally, Ebury has been deployed as a backdoor to compromise almost 400,000 Linux, FreeBSD, and OpenBSD servers; more than 100,000 were still compromised as of late 2023.

ESET researchers have found that core routers, the kind that are likely to be found in corporate networks, are often not wiped clean before they are decommissioned and offered for resale. This leaves critical and sensitive configuration data from the original owner or operator accessible to the purchaser and open to abuse.

In the past few years, ESET has seen a rising number of incidents in which attackers connected to Windows servers over the internet using RDP and logged on as administrators. This paper looks at how attacks misusing Remote Desktop Protocol (RDP) progressed throughout 2020 and 2021 and how organizations can defend themselves against RDP-borne attacks.

ESET researchers recently described Wslink, a unique and previously undocumented malicious loader that runs as a server and that features a virtual-machine-based obfuscator. In this white paper we describe the structure of the virtual machine used in samples of Wslink and suggest a possible approach to see through the obfuscation techniques used in the analyzed samples. We demonstrate our approach on chunks of code of the protected sample. We were not motivated to fully deobfuscate the code, because we discovered a non-obfuscated sample.

This white paper describes how malware frameworks targeting air-gapped networks operate and provides a side-by-side comparison of their most important TTPs. ESET researchers also propose a series of detection and mitigation techniques to protect air-gapped networks from the main techniques used by all the malicious frameworks publicly known to date.

ESET researchers have uncovered a previously unknown malware family that uses custom and well-designed modules to target Linux. Modules used by this malware family, which we dubbed FontOnLake, are constantly under development and provide remote access to the operators, collect login credentials, and serve as a proxy server.