ESET Research podcast

In H1 2025, a new social engineering technique called ClickFix started reshaping the threat landscape, quickly becoming the latest craze among all kinds of threat actors and rising to #2 in ESET telemetry. In stark contrast to this surge, law enforcement disrupted two major infostealer-as-a-service operations: Lumma Stealer and Danabot. And of course, no threat report would be complete without ransomware—this time highlighted by dramatic, deathmatch-style infighting that brought down several players including the leading RansomHub. For more details, visit Welivesecurity.com and read the latest H1 2025 report – no paywall or registration required. Discussed: ClickFix and FakeCaptcha 1:05 Whack-a-hack, infostealer version 9:20 Ransomware deathmatch 18:40 Host: Aryeh Goretsky, ESET Distinguished Researcher Guest: Ondrej Kubovič, Security Awareness Specialist Read more @WeLiveSecurity.com and @ESETresearch on Twitter ESET Threat Report H1 2025

In the latest ESET Research Podcast, Aryeh Goretsky and Rene Holt dive into key findings from the APT Activity Report. UnsolicitedBooker, a China-aligned group, showcased relentless persistence by repeatedly attempting to compromise the same organization for several years with its MarsSnake backdoor. Meanwhile, tool-sharing among China-aligned actors like Worok continues to blur attribution, with overlapping activities involving groups such as LuckyMouse and TA428. On the Russia-aligned front, Sednit expanded Operation RoundPress to exploit multiple webmail platforms, Gamaredon kept up its relentless obfuscation efforts in Ukraine, and Sandworm unleashed its ZEROLOT wiper again, erasing critical files of its victims. Aryeh and Rene also discuss the financial schemes of North Korea-aligned groups and the noisy yet coordinated efforts of Iran-aligned actors. Listen to the full episode or download the report on WeLiveSecurity.com. Host: Aryeh Goretsky, ESET Distinguished Researcher Guest: René Holt, Security Awareness Specialist Read more at WeLiveSecurity.com and @ESETresearch on Twitter APT Activity Report Q1 2025

In H2 2024, the infostealer scene went through a shakeup leading to a reshaped top 10 with Formbook dethroning Agent Tesla, Lumma Stealer jumping the ranks by using a new tactic for its distribution, and both Redline Stealer and Meta Stealer losing ground after takedown. There’s also a novel attack vector that works for both Android and iOS devices, misusing technologies allowing mobile users to install apps directly from websites from mobile browsers. And let’s not forget the booming numbers of investment scams on social media, detected as HTML/Nomani. Of course, this podcast episode can only cover so much of the latest ESET Threat Report H2 2024. Visit WeLiveSecurity to read about other topics it covers. Host: Aryeh Goretsky, ESET Distinguished Researcher Guest: Ondrej Kubovič, Security Awareness Specialist Read more @WeLiveSecurity.com and @ESETresearch on Twitter ESET Threat Report H2 2024

Neanderthals hunting Mammoths are back. Of course, we’re not talking about some Jurassic-Park-like technology that resurrected them in a remote region. No, this episode of ESET Research Podcast returns to the malicious operation of dozens of cybercriminal groups (Neanderthals) targeting inexperienced users (Mammoths) on online marketplaces, using a malicious Telegram bot known as Telekopye. Discussing the topic, ESET Research Podcast host Aryeh Goretsky, and ESET malware researchers, Radek Jizba and Jakub Soucek, revisit and update the information ESET has gathered about the cybercriminal ecosystem, explain the most frequent scenarios used by the attackers and map out their expanded hunting grounds. For full info, read more in ESET’s recently published white paper on WeLiveSecurity.com. Host Aryeh Goretsky, ESET Distinguished Researcher Guests: Jakub Souček, ESET Senior Malware Researcher Radek Jizba, ESET Senior Malware Researcher Materials: Blogpost Telekopye transitions to targeting tourists via hotel booking scam Whitepaper Marketplace scams: Neanderthals hunting Mammoths with Telekopye

When describing state-backed threat actors, one would probably expect a super sophisticated, stealthy, group that can avoid all alarms and defenses with surgical precision. With Gamaredon, most of that goes out the window as this is one noisy, extremely active Russia-aligned group that does not care if defenders uncover its activities. However, it is also an actor that develops and improves its cyberespionage tools and techniques literally every day. If you want to know more about Gamaredon’s modus operandi, victimology, tooling, or estimated geolocation, then listen to the debate of ESET Researchers Robert Lipovský and Zoltán Rusnák. For full details, read more in ESET’s recently published white paper on WeLiveSecurity.com. Host Aryeh Goretsky, ESET Distinguished Researcher Guests: Robert Lipovský, ESET Principal Malware Researcher Zoltán Rusnák, ESET Senior Malware Researcher Materials: ESET blogpost on Gamaredon activity in 2022 and 2023 ESET white paper on Gamaredon activity in 2022 and 2023 SSU report on activities of Gamaredon

Some cybercriminals are sophisticated, cooperate with other attackers, and do everything to stay under the radar. Then there are threat actors like CosmicBeetle that lack the necessary skills set, yet still manage to compromise systems and even achieve “stealth” by using odd, impractical and overcomplicated techniques. If you want to know more about this crude and clumsy actor, listen to ESET senior malware researcher Jakub Souček talk about his research findings with our host Distinguished Researcher Aryeh Goretsky. For a detailed report on CosmicBeetle visit WeLiveSecurity.com. Host Aryeh Goretsky, ESET Distinguished Researcher Guest: Jakub Souček, ESET senior Malware Researcher Materials: CosmicBeetle steps up: Probation period at RansomHub

Telegram, with nearly a billion monthly users, is a juicy target for cybercriminals, especially if they can exploit a zero-day vulnerability. ESET malware researcher Lukáš Štefanko ran into such an exploit – which ESET named EvilVideo – being sold online. In the discussion with our podcast host ESET Distinguished Researcher Aryeh Goretsky, Štefanko describes the findings of his analysis, including which platforms were affected, what malware can be bundled with EvilVideo, and how Telegram developers reacted when ESET reached out to report the vulnerability. If you want to read more about EvilVideo or our other research findings, head to WeLiveSecurity.com. Host Aryeh Goretsky, ESET Distinguished Researcher Guest: Lukáš Štefanko, ESET Malware Researcher Materials: Cursed tapes: Exploiting the EvilVideo vulnerability on Telegram for Android PS: For those of our listeners who are attending the 2024 ESET Technology Conference and playing along with our game of capture the flag, the flag for the CTF challenge named “Radio Broadcast” is: podcasts_are_new_books.

In this episode, ESET Distinguished Researcher Aryeh Goretsky and his guest ESET Principal Threat Intelligence Researcher Robert Lipovsky detail recently discovered unusual adware called HotPage. This trojan caught attention of researchers by using a Microsoft-signed, yet vulnerable, kernel driver to inject and manipulate what victims see in their browsers. With its advanced technical means and targeting of Chinese internet cafes and gamers, it shows that even adware creators can invest extra time and effort to innovate their malicious products.   Host Aryeh Goretsky, ESET Distinguished Researcher Guest: Robert Lipovsky, ESET Principal Threat Intelligence Researcher Materials: HotPage: Story of a signed, vulnerable, ad-injecting driver

The I-SOON data leak has allowed us to identify FishMonger, a group notorious for the cyberattacks against Hong Kong universities back in 2019, as I-SOON. This contractor also developed a platform for tracking gambling activity, linking the group to Operation ChattyGoblin. MustangPanda conducted a series of attacks on cargo shipping companies in Norway, Greece, and the Netherlands, even compromising the ships’ systems. Since the Hamas-led attack on Israel in 2023, Iran-aligned groups have shifted focus to impact attacks. Visit WeLiveSecurity to read about other topics covered in the the latest ESET APT Activity Report. Host: Aryeh Goretsky, ESET Distinguished Researcher Guest: Robert Lipovský, ESET Principal Malware Researcher Read more @WeLiveSecurity.com and @ESETresearch on Twitter ESET Threat Reports and ESET APT Activity Reports

In 2023, ESET detected over 675,000 attempts to access malicious domains abusing the popularity of ChatGPT; some offer bring-your-own-key web apps that can steal OpenAI API keys. Apart from AI, in H2 the Cl0p ransomware gang exploited MOVEit software, causing a staggering $14 billion in damages. The IoT landscape faced the new Pandora botnet, compromising Android devices via malicious firmware updates or pirated content apps. Of course, this podcast episode can only cover so much of the latest ESET Threat Report H2 2023. Visit WeLiveSecurity to read about other topics it covers. Host: Aryeh Goretsky, ESET Distinguished Researcher Guest: René Holt, Security Awareness Specialist Read more @WeLiveSecurity.com and @ESETresearch on Twitter ESET Threat Reports and ESET APT Activity Reports

In this episode, ESET researchers Radek Jizba and Jakub Souček talk about the dynamics within and between various Neanderthal groups, the techniques that this horde of scammers uses to find the best Mammoths, and especially about Neanderthals teaching each other how to wield the cybercriminal tool Telekopye effectively. While this might seem like an odd topic for a podcast about cybersecurity, quite the contrary. Telekopye is the name of a highly automated malicious toolkit implemented as a Telegram bot, that cybercriminals use to deceive unsuspecting users on online marketplaces. If you want to read more before listening, head to the research articles published on WeLiveSecurity.com. Host Aryeh Goretsky, ESET Distinguished Researcher Guest: Radek Jizba, ESET Malware Researcher Jakub Souček, ESET Malware Researcher Materials: Telekopye: Hunting Mammoths using Telegram bot Telekopye: Chamber of Neanderthals’ secrets

In H1 2023, intrusion vectors were closing left and right. This forced many cybercriminals to search for alternative ways to compromise devices of their victims. While some of the attackers tried revisiting old routes such as brute-forcing MS SQL servers or distributing (AI-generated?) sextortion and text-based email messages, others kickstarted several Android apps running usury schemes. But there’s also good news. Emotet botnet went quiet after a month of dwindling and ineffective campaigning, and Redline stealer – a notorious malware-as-a-service – has been disrupted by ESET researchers and their friends at Flare systems. Of course, this podcast episode can only cover so much of the ESET Threat report. If you wish to learn about other topics it covers, visit WeLiveSecurity. Discussed: Sextortion and text-based threats 1:46, brute force attacks on MS SQL servers 7:10, usury Android apps 9:20, Emotet activity 13:25, RedLine Stealer disruption 16:45. Host: Aryeh Goretsky, ESET Distinguished Researcher Guest: Ondrej Kubovic, Security Awareness Specialist Read more @WeLiveSecurity.com and @ESETresearch on Twitter ESET Threat Reports and ESET APT Activity Reports

What do Disco, NightClub, backdoors, espionage, and internet service providers in Belarus all have in common? They all are tied to the same MoustachedBouncer. It sounds like a bad joke, but it sums up some of the key findings of ESET’s latest research focusing on a recently discovered APT group. Listen to ESET Director of Threat Research Jean-Ian Boutin explain the intricacies of this threat actor to our host Aryeh Goretsky - and if that doesn’t satisfy your hunger for further details - then read the full thing on WeLiveSecurity.com. Host: Aryeh Goretsky, ESET Distinguished Researcher Guest: Jean-Ian Boutin, ESET Director of Threat Research Materials: MoustachedBouncer: Espionage against foreign diplomats in Belarus

Towards the end of 2022, an unknown threat actor boasted online that they created a new and powerful UEFI bootkit called BlackLotus. Its most distinctive feature? It could mysteriously bypass UEFI Secure Boot, a feature built into all modern computers to prevent them from running unauthorized software. What at first sounded like a myth turned into reality a few months later when ESET researchers discovered a sample that perfectly matched all the mentioned attributes of a UEFI bootkit known as BlackLotus. Listen to the fascinating story of ESET Malware Researcher Martin Smolár describing his threat hunt to our host ESET Distinguished Researcher Aryeh Goretsky. For more info about this research, read the blogpost on WeLiveSecurity.com. Host: Aryeh Goretsky, ESET Distinguished Researcher Guest: Martin Smolár, ESET Malware Researcher Materials: BlackLotus UEFI bootkit: Myth confirmed

What do you need to break into a corporate network? ESET’s latest research suggests that interest in secondhand computer hardware, a bit of time, and $100 is more than enough. In this episode, ESET Specialized Security Researcher Cameron Camp explains to host Aryeh Goretsky what secrets he found on secondhand routers bought online, what types of companies he would be able to penetrate with that information, and how to securely wipe devices before selling them. Cameron presented the topic at this year’s RSA Conference in San Francisco and published on WeLiveSecurity.com. Host: Aryeh Goretsky, ESET Distinguished Researcher Guests: Cameron Camp, ESET Specialized Security Researcher Materials: Blogpost Discarded, not destroyed: Old routers reveal corporate secrets White paper How I (could’ve) stolen your corporate secrets for $100

Since the Russian invasion on February 24th, 2022, Ukrainians have had to defend their data against an unprecedented number of data-wiping malware variants. While Russian threat actors seem like the obvious culprits, attributing these attacks to specific groups based on evidence is a different beast. In this podcast episode, ESET researchers Anton Cherepanov and Robert Lipovský explain to the host Aryeh Goretsky what pointed them to the crucial samples, how they pinned some of the attacks on the Russian cybergroup probably most notorious for NotPetya and Industroyer. The guests of this episode also offer their recollection of the events of February 23rd, 2022; compare HermeticWiper to its successors; and reveal the range of operating systems that were targeted as well as the level of success achieved by the attacks. Host: Aryeh Goretsky, ESET Distinguished Researcher Guests: Anton Cherepanov, ESET Senior Researcher Robert Lipovský, ESET Principal Researcher Blogposts: A year of wiper attacks in Ukraine Episode from March 2022: Past and present cyberwar in Ukraine  

In the last four months of 2022, Russia-aligned APT groups unleashed several data-destroying malware variants on Ukraine. Android detections grew rapidly, while most of the crimeware scene continued on a downward spiral. In this ESET Research Podcast episode, Aryeh Goretsky and Ondrej Kubovic explore trends in several threat areas, including ransomware, exploits used for initial access, and more. For additional security research topics, visit WeLiveSecurity. Host: Aryeh Goretsky, ESET Distinguished Researcher Guest: Ondrej Kubovic, Security Awareness Specialist Read more @WeLiveSecurity.com and @ESETresearch on Twitter Reports: ESET Threat Report T3 2022 ESET APT Activity Report T3 2022

Let’s say your network access gets shut off from the rest of the world due to a catastrophic event. Whether it is a natural disaster, an armed conflict, a decision of an authoritarian regime or your connection is just squeezed to a trickle by overzealous network restriction and power grid issues; how secure will you be and for how long? In this episode of ESET Research Podcast, Aryeh Goretsky and Cameron Camp look at this scenario and its implications for the cybersecurity of one’s devices. Host: Aryeh Goretsky, ESET Distinguished Researcher Guests: Cameron Camp, ESET Specialized Security Engineer Read more @WeLiveSecurity.com and @ESETresearch Twitter Blogposts:  How long would your tech work in a digital vacuum?  

Looking at the ESET telemetry data from May through August 2022, it seems like the cybercriminal scene has taken taking its foot off the pedal in almost every possible area. But what is the reason for the drop? We expand on the brutal decline in RDP brute-force attacks; changes observed around ransomware messaging and targeting, but we also mention one malware category, where the decline did not apply. Host: Aryeh Goretsky, ESET Distinguished Researcher Guests: Ondrej Kubovic, Security Awareness Specialist Read more @WeLiveSecurity.com and @ESETresearch Twitter Blogposts: ESET Threat Report T2 2022

This is an ESET Research Podcast special, recorded at RSA Conference 2022, the world's largest conference devoted entirely to information security. It is also a double feature: first, ESET’s top machine-learning experts Juraj Jánošík and Filip Mazán discuss the use of artificial intelligence in the industry, and how it compares with the claims presented on the expo floor and in the talks they’ve seen; in the second section, ESET Specialized Researcher Cameron Camp offers his insights into the security of medical devices, another hot topic of this year’s RSAC. Host: Aryeh Goretsky, ESET Distinguished Researcher Guests: Juraj Jánošík, ESET Head of Automated Threat Detection; Filip Mazán, ESET Senior Machine Learning Engineer; Cameron Camp, ESET Specialized Security Engineer; Ondrej Kubovič, ESET Security Awareness Specialist Read more @WeLiveSecurity.com and @ESETresearch Twitter