Tag ESET

RTM Locker: A Rising Cybercrime Collective Targeting Enterprises with Ransomware

April 13, 2023
Ransomware / Cyber Attack

Cybersecurity experts have revealed insights into the tactics of a burgeoning cybercriminal organization known as “Read The Manual” (RTM) Locker. This group operates as a private ransomware-as-a-service (RaaS) provider, executing opportunistic attacks to illicitly generate profits. According to a report from cybersecurity firm Trellix shared with The Hacker News, “The RTM Locker gang employs affiliates to extort victims, all of whom must adhere to the gang’s stringent rules.” The structured nature of the group, where affiliates are expected to remain active or inform the gang of their departure, highlights its organizational maturity, akin to that seen in other sophisticated groups like Conti. Originally documented by ESET in February 2017, RTM began in 2015 as a banking malware targeting businesses in Russia through methods such as drive-by downloads, spam, and phishing emails. The group’s attack strategies have since evolved to include ransomware deployment.

RTM Locker: A Rising Cybercriminal Threat Targeting Businesses with Ransomware April 13, 2023 Recent insights from cybersecurity researchers have illuminated the operations of an emerging cybercrime group known as “Read The Manual” (RTM) Locker. This gang functions as a ransomware-as-a-service (RaaS) provider, engaging in opportunistic attacks aimed at businesses to…

Read More

RTM Locker: A Rising Cybercrime Collective Targeting Enterprises with Ransomware

April 13, 2023
Ransomware / Cyber Attack

Cybersecurity experts have revealed insights into the tactics of a burgeoning cybercriminal organization known as “Read The Manual” (RTM) Locker. This group operates as a private ransomware-as-a-service (RaaS) provider, executing opportunistic attacks to illicitly generate profits. According to a report from cybersecurity firm Trellix shared with The Hacker News, “The RTM Locker gang employs affiliates to extort victims, all of whom must adhere to the gang’s stringent rules.” The structured nature of the group, where affiliates are expected to remain active or inform the gang of their departure, highlights its organizational maturity, akin to that seen in other sophisticated groups like Conti. Originally documented by ESET in February 2017, RTM began in 2015 as a banking malware targeting businesses in Russia through methods such as drive-by downloads, spam, and phishing emails. The group’s attack strategies have since evolved to include ransomware deployment.

MirrorFace Targets Japan and Taiwan with ROAMINGMOUSE and Enhanced ANEL Malware

May 08, 2025
Malware / Cyber Espionage

The nation-state threat group MirrorFace has been detected deploying malware named ROAMINGMOUSE in a cyber espionage operation aimed at government agencies and public institutions in Japan and Taiwan. This activity, identified by Trend Micro in March 2025, involved the use of spear-phishing tactics to deliver an upgraded version of a backdoor known as ANEL. “The ANEL file from the 2025 campaign introduced a new command for executing BOF (Beacon Object File) in memory,” noted security researcher Hara Hiroaki. “Additionally, this campaign may have utilized SharpHide to initiate the second-stage backdoor, NOOPDOOR.” MirrorFace, also identified as Earth Kasha, is believed to be a subgroup of APT10. In March 2025, ESET detailed a campaign named Operation AkaiRyū, which targeted a diplomatic organization within the European Union in August 2024 using the ANEL malware (also referred to as UPPERCUT).

MirrorFace Cyber Espionage Campaign Targets Government Entities in Japan and Taiwan May 8, 2025 – In a concerning trend in cyber warfare, the nation-state threat actor known as MirrorFace has been detected deploying a sophisticated malware variant named ROAMINGMOUSE. This campaign appears to be primarily focused on government bodies and…

Read More

MirrorFace Targets Japan and Taiwan with ROAMINGMOUSE and Enhanced ANEL Malware

May 08, 2025
Malware / Cyber Espionage

The nation-state threat group MirrorFace has been detected deploying malware named ROAMINGMOUSE in a cyber espionage operation aimed at government agencies and public institutions in Japan and Taiwan. This activity, identified by Trend Micro in March 2025, involved the use of spear-phishing tactics to deliver an upgraded version of a backdoor known as ANEL. “The ANEL file from the 2025 campaign introduced a new command for executing BOF (Beacon Object File) in memory,” noted security researcher Hara Hiroaki. “Additionally, this campaign may have utilized SharpHide to initiate the second-stage backdoor, NOOPDOOR.” MirrorFace, also identified as Earth Kasha, is believed to be a subgroup of APT10. In March 2025, ESET detailed a campaign named Operation AkaiRyū, which targeted a diplomatic organization within the European Union in August 2024 using the ANEL malware (also referred to as UPPERCUT).

THN Cybersecurity Weekly Recap: Key Threats, Tools, and Trends (October 7 – October 13)

Posted on October 14, 2024
Category: Cybersecurity Recap

Get ready for your weekly update on the latest in cybersecurity! This week, we’re diving into everything from zero-day vulnerabilities and rogue AI to the FBI stepping into the crypto game—you won’t want to miss this! Let’s get started so we can beat the FOMO! ⚡

🔒 Threat Spotlight: GoldenJackal’s Air-Gapped Infiltration
Introducing GoldenJackal, the hacking group that’s been flying under your radar. They’ve developed a method to breach highly secure, air-gapped systems using stealthy worms distributed via infected USB drives (yes, you read that right!). ESET researchers have identified their operations targeting notable victims, including a South Asian embassy in Belarus and a European Union government entity.

🔔 Top Headlines
Mozilla has released a patch for a critical Firefox zero-day vulnerability…

THN Cybersecurity Recap: Key Threats and Developments (October 7 – October 13) October 14, 2024 As we delve into this week’s cybersecurity landscape, numerous developments highlight the urgency and complexity of the current threats. Among them is the emergence of GoldenJackal, a previously obscure hacking group that has made headlines…

Read More

THN Cybersecurity Weekly Recap: Key Threats, Tools, and Trends (October 7 – October 13)

Posted on October 14, 2024
Category: Cybersecurity Recap

Get ready for your weekly update on the latest in cybersecurity! This week, we’re diving into everything from zero-day vulnerabilities and rogue AI to the FBI stepping into the crypto game—you won’t want to miss this! Let’s get started so we can beat the FOMO! ⚡

🔒 Threat Spotlight: GoldenJackal’s Air-Gapped Infiltration
Introducing GoldenJackal, the hacking group that’s been flying under your radar. They’ve developed a method to breach highly secure, air-gapped systems using stealthy worms distributed via infected USB drives (yes, you read that right!). ESET researchers have identified their operations targeting notable victims, including a South Asian embassy in Belarus and a European Union government entity.

🔔 Top Headlines
Mozilla has released a patch for a critical Firefox zero-day vulnerability…

Russian Hackers Take Advantage of WinRAR Zero-Day Vulnerability

Cyberwarfare / Nation-State Attacks, Fraud Management & Cybercrime RomCom Group Deploys SnipBot, RustyClaw, and Mythic Agent Variants Akshaya Asokan (@asokan_akshaya) • August 12, 2025 Image: WinRAR/Shutterstock/ISMG A Russian-speaking hacking collective has been observed exploiting a zero-day vulnerability in WinRAR, signaling a notable transition from traditional cybercrime to more sophisticated cyberespionage…

Read MoreRussian Hackers Take Advantage of WinRAR Zero-Day Vulnerability

Critical WinRAR 0-Day Vulnerability Exploited for Weeks by Two Groups

In recent reports, cybersecurity firm BI.ZONE disclosed that the threat actor known as Paper Werewolf has launched a series of attacks leveraging exploits delivered via email attachments. These emails masqueraded as communications from employees at the All-Russian Research Institute, with the malicious aim of installing malware to gain unauthorized access…

Read MoreCritical WinRAR 0-Day Vulnerability Exploited for Weeks by Two Groups

China-Aligned MirrorFace Hackers Lure EU Diplomats with World Expo 2025 Scheme

Date: Nov 07, 2024
Category: Threat Intelligence / Cyber Espionage

The China-aligned hacking group MirrorFace has recently targeted a diplomatic organization within the European Union for the first time. According to ESET’s APT Activity Report for April to September 2024, the attackers exploited the upcoming World Expo 2025 in Osaka, Japan, as bait. This incident illustrates that while their geographic focus is shifting, MirrorFace continues to emphasize connections to Japan and related events. Also known as Earth Kasha, MirrorFace is part of a broader group, APT10, which includes other clusters like Earth Tengshe and Bronze Starlight. The group has been actively cyber-spying on Japanese organizations since at least 2019, with a recent expansion in 2023 that included targets in Taiwan and India. Over time, their malware tools have significantly advanced, showcasing their persistent threat landscape.

China-Aligned MirrorFace Hackers Target EU Diplomats with World Expo 2025 Bait On November 7, 2024, cybersecurity experts from ESET reported a significant development in cyber espionage, revealing that the China-aligned hacking group known as MirrorFace has set its sights on a diplomatic organization within the European Union. This marks a…

Read More

China-Aligned MirrorFace Hackers Lure EU Diplomats with World Expo 2025 Scheme

Date: Nov 07, 2024
Category: Threat Intelligence / Cyber Espionage

The China-aligned hacking group MirrorFace has recently targeted a diplomatic organization within the European Union for the first time. According to ESET’s APT Activity Report for April to September 2024, the attackers exploited the upcoming World Expo 2025 in Osaka, Japan, as bait. This incident illustrates that while their geographic focus is shifting, MirrorFace continues to emphasize connections to Japan and related events. Also known as Earth Kasha, MirrorFace is part of a broader group, APT10, which includes other clusters like Earth Tengshe and Bronze Starlight. The group has been actively cyber-spying on Japanese organizations since at least 2019, with a recent expansion in 2023 that included targets in Taiwan and India. Over time, their malware tools have significantly advanced, showcasing their persistent threat landscape.

New Variants of SparrowDoor Backdoor Discovered in Cyberattacks on U.S. and Mexican Organizations

March 26, 2025
Malware / Vulnerability

The Chinese threat actor known as FamousSparrow has been implicated in a cyberattack targeting a U.S. trade group and a research institute in Mexico, leveraging its primary backdoor, SparrowDoor, along with ShadowPad. This activity, observed in July 2024, marks the first deployment of ShadowPad by the group, a malware commonly associated with Chinese state-sponsored attackers. ESET reported that “FamousSparrow introduced two new, undocumented versions of the SparrowDoor backdoor, one of which is modular.” These iterations show significant advancements, including the ability to execute commands in parallel. FamousSparrow was first identified by the Slovak cybersecurity firm in September 2021 during a series of attacks against hotels, governments, engineering firms, and law practices, utilizing the exclusive SparrowDoor implant. Subsequent reports have highlighted the adversarial group’s expanding footprint…

New Variants of SparrowDoor Backdoor Discovered in Cyberattacks on U.S. and Mexican Entities March 26, 2025 A notable cyber incident has linked the Chinese threat actor known as FamousSparrow to an attack on a U.S.-based trade organization and a research institute in Mexico. The attack, which occurred in July 2024,…

Read More

New Variants of SparrowDoor Backdoor Discovered in Cyberattacks on U.S. and Mexican Organizations

March 26, 2025
Malware / Vulnerability

The Chinese threat actor known as FamousSparrow has been implicated in a cyberattack targeting a U.S. trade group and a research institute in Mexico, leveraging its primary backdoor, SparrowDoor, along with ShadowPad. This activity, observed in July 2024, marks the first deployment of ShadowPad by the group, a malware commonly associated with Chinese state-sponsored attackers. ESET reported that “FamousSparrow introduced two new, undocumented versions of the SparrowDoor backdoor, one of which is modular.” These iterations show significant advancements, including the ability to execute commands in parallel. FamousSparrow was first identified by the Slovak cybersecurity firm in September 2021 during a series of attacks against hotels, governments, engineering firms, and law practices, utilizing the exclusive SparrowDoor implant. Subsequent reports have highlighted the adversarial group’s expanding footprint…

Honor Among Thieves: The M&S Hacking Group Sparks Turf War

Cybercriminal Landscape Shifting as DragonForce Targets RansomHub Affiliates Recent developments in the cybercrime realm have emerged, with the hacking group DragonForce reportedly targeting affiliates of RansomHub in a move that raises concerns over the stability within the ransomware ecosystem. Genevieve Stark, head of cybercrime analysis at Google Threat Intelligence Group,…

Read MoreHonor Among Thieves: The M&S Hacking Group Sparks Turf War