Tag: ESET

New Report Uncovers NikoWiper Malware Targeting Ukraine’s Energy Sector

In a significant development in cybersecurity, the Russian-affiliated group known as Sandworm has deployed a new variant of wiper malware called NikoWiper in an attack against a Ukrainian energy sector company in October 2022. This incident underscores the ongoing cyber threats linked to geopolitical tensions in the region. ESET, a…


Sextortion with a Twist: Spyware Captures Webcam Images of Users Viewing Pornography

Emerging Threat: New Infostealer Program Targets Vulnerable Users with Automated Sextortion Features

Recent investigations by cybersecurity firm Proofpoint have uncovered a burgeoning threat in the form of malicious software known as Stealerium. This program, which masquerades as a legitimate application, allows cybercriminals to access a wide range of personal…


Lazarus Group Likely Employing New WinorDLL64 Backdoor for Data Exfiltration

Recent developments in cybersecurity have illuminated a sophisticated backdoor associated with a malware downloader known as Wslink, believed to be utilized by the notorious Lazarus Group, an actor aligned with North Korean interests. The findings, reported by ESET, highlight a payload referred to as WinorDLL64, which acts as a comprehensive…


Chinese Hackers Launch New MQsTTang Backdoor to Target European Organizations

A recent analysis has unveiled a new custom backdoor, dubbed MQsTTang, employed by the China-aligned hacking group Mustang Panda in a social engineering campaign that began in January 2023. This malware marks a departure from the group’s previously observed tactics, as it appears not to have roots in existing malware…


New TCESB Malware Discovered in Active Attacks Targeting ESET Security Scanner

Published: April 9, 2025
Category: Windows Security / Vulnerability

A Chinese-affiliated threat actor known for cyber-attacks in Asia has been seen exploiting a vulnerability in ESET security software to deploy previously unknown malware dubbed TCESB. According to Kaspersky’s recent analysis, “Previously unseen in ToddyCat attacks, [TCESB] is engineered to stealthily execute payloads, bypassing installed protection and monitoring tools.” The ToddyCat threat activity cluster has targeted various entities across Asia, with operations traced back to at least December 2020. In the prior year, a Russian cybersecurity company detailed the group’s use of multiple tools to maintain persistent access and conduct large-scale data harvesting from organizations in the Asia-Pacific region. Kaspersky’s investigation into ToddyCat incidents in early 2024 revealed a suspicious DLL file…

Newly Discovered TCESB Malware Targets ESET Security Software

April 09, 2025

Recent cybersecurity developments have illuminated a new malware strain known as TCESB, which is being actively deployed in ongoing attacks. This malware, linked to a Chinese-affiliated threat actor, exploits vulnerabilities in ESET security software. Analysts at Kaspersky have highlighted…


Russia-Linked APT28 Exploits MDaemon Zero-Day to Target Government Webmail Servers

May 15, 2025
Vulnerability / Email Security

A cyber espionage operation associated with a Russian threat actor is reportedly compromising webmail servers, including Roundcube, Horde, MDaemon, and Zimbra, by exploiting cross-site scripting (XSS) vulnerabilities, notably a zero-day flaw in MDaemon. This activity, codenamed Operation RoundPress by ESET, began in 2023 and has been linked with moderate confidence to the state-sponsored hacking group APT28, also known by various names such as BlueDelta, Fancy Bear, and Sednit.

“The primary objective of this operation is to extract sensitive data from targeted email accounts,” stated ESET researcher Matthieu Faou in a report shared with The Hacker News. “While most victims are governmental and defense entities in Eastern Europe, we have also noted targets across Africa, Europe, and beyond.”

Russia-Linked APT28 Exploits MDaemon Zero-Day to Compromise Government Webmail Servers

On May 15, 2025, ESET released a report detailing a cyber espionage campaign attributed to a Russia-linked threat actor targeting webmail servers, including Roundcube, Horde, MDaemon, and Zimbra. This operation, dubbed Operation RoundPress, has been under investigation since it commenced…


The Age of AI-Driven Ransomware Is Here

Recent findings indicate a concerning shift in the ransomware landscape, signaling potential dangers for businesses. While the use of artificial intelligence (AI) in ransomware development has not yet become widespread, instances of this trend serve as a stark reminder of evolving cyber threats. Allan Liska, a ransomware analyst at Recorded…


RTM Locker: A Rising Cybercrime Collective Targeting Enterprises with Ransomware

April 13, 2023
Ransomware / Cyber Attack

Cybersecurity experts have revealed insights into the tactics of a burgeoning cybercriminal organization known as “Read The Manual” (RTM) Locker. This group operates as a private ransomware-as-a-service (RaaS) provider, executing opportunistic attacks to illicitly generate profits. According to a report from cybersecurity firm Trellix shared with The Hacker News, “The RTM Locker gang employs affiliates to extort victims, all of whom must adhere to the gang’s stringent rules.” The structured nature of the group, where affiliates are expected to remain active or inform the gang of their departure, highlights its organizational maturity, akin to that seen in other sophisticated groups like Conti. Originally documented by ESET in February 2017, RTM began in 2015 as a banking malware targeting businesses in Russia through methods such as drive-by downloads, spam, and phishing emails. The group’s attack strategies have since evolved to include ransomware deployment.

RTM Locker: A Rising Cybercriminal Threat Targeting Businesses with Ransomware

April 13, 2023

Recent insights from cybersecurity researchers have illuminated the operations of an emerging cybercrime group known as “Read The Manual” (RTM) Locker. This gang functions as a ransomware-as-a-service (RaaS) provider, engaging in opportunistic attacks aimed at businesses to…


MirrorFace Targets Japan and Taiwan with ROAMINGMOUSE and Enhanced ANEL Malware

May 08, 2025
Malware / Cyber Espionage

The nation-state threat group MirrorFace has been detected deploying malware named ROAMINGMOUSE in a cyber espionage operation aimed at government agencies and public institutions in Japan and Taiwan. This activity, identified by Trend Micro in March 2025, involved the use of spear-phishing tactics to deliver an upgraded version of a backdoor known as ANEL. “The ANEL file from the 2025 campaign introduced a new command for executing BOF (Beacon Object File) in memory,” noted security researcher Hara Hiroaki. “Additionally, this campaign may have utilized SharpHide to initiate the second-stage backdoor, NOOPDOOR.” MirrorFace, also identified as Earth Kasha, is believed to be a subgroup of APT10. In March 2025, ESET detailed a campaign named Operation AkaiRyū, which targeted a diplomatic organization within the European Union in August 2024 using the ANEL malware (also referred to as UPPERCUT).

MirrorFace Cyber Espionage Campaign Targets Government Entities in Japan and Taiwan

May 8, 2025

In a concerning trend in cyber warfare, the nation-state threat actor known as MirrorFace has been detected deploying a sophisticated malware variant named ROAMINGMOUSE. This campaign appears to be primarily focused on government bodies and…
