Detailed analysis of Sednit’s modern toolkits is available at www.welivesecurity.com/en/eset-rese... 5/5
Across 2025–2026, Sednit paired BeardShell with Covenant, the final block of its modern toolkit – a heavily reworked open-source implant built for long‑term espionage with a new protocol riding on another legitimate cloud provider. 4/5
Sednit also deployed BeardShell, an implant that executes PowerShell commands via a legitimate cloud service and uses a distinctive obfuscation technique also found in Xtunnel, Sednit’s network pivoting tool from the 2010s. 3/5
ESET researchers tied Sednit’s advanced implant team reboot to a 2024 case in Ukraine, where SlimAgent emerged – a keylogger built on the codebase of the infamous Xagent, Sednit’s flagship 2010-era backdoor. 2/5
#ESETresearch has analyzed the resurgence of Sednit – one of the most long‑running Russia‑aligned APT groups – now using a modern toolkit built around paired implants, BeardShell and Covenant, each using a different cloud provider for resilience. www.welivesecurity.com/en/eset-rese... 1/5
IoCs available in our GitHub repo: github.com/eset/malware... 6/6
The analyzed samples are available on VirusTotal and seem to be used in a real campaign targeting users in 🇦🇷, though we can’t rule out them being a part of a proof-of-concept. At the same time, the analyzed malware samples point toward PromptSpy being developed in a Chinese-speaking environment. 5/6
PromptSpy abuses Accessibility Services to deploy a #VNC module on victim devices, so attackers can see the screen and perform actions remotely, as well as block the victim from manually uninstalling the malicious app (which uses invisible overlays, here marked in red). 4/6
Since Android malware often relies on hardcoded UI navigation, employing generative AI enables the threat actors to adapt to more or less any device, layout, or OS version, which can greatly increase the number of potential victims. 3/6
Gemini is used to analyze the current screen and provide PromptSpy with step-by-step instructions to ensure that the malicious app remains pinned in the recent apps list, preventing it from being easily swiped away or killed by the system. 2/6
#BREAKING #ESETresearch has discovered the first known Android malware to use generative AI in its execution flow; we have named it #PromptSpy. The malware abuses Google’s #Gemini to achieve persistence on the compromised device. www.welivesecurity.com/en/eset-rese... 1/6
IoCs available in our GitHub repo: github.com/eset/malware... 5/5
ZOV is destructive malware that we detected being deployed against a financial institution in Ukraine in Nov 2025. When the ZOV wiper runs, it destroys files by overwriting them with the string ZOV and changes the desktop wallpaper. Z, O, and V are symbols used by the Russian military in Ukraine. 4/5
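A small triage helper for the overwrite behaviour described in the post above, added here as an example; it is not ESET's code and not taken from the ZOV sample. The post only says files are overwritten with the string ZOV, so the helper assumes the marker is written repeatedly to fill the original file length (a truncated final repetition is allowed, as is a file that holds the marker exactly once). The sample files in `demo()` are constructed for illustration.

```python
"""Triage helper for the ZOV wiper overwrite pattern (added example, not ESET's code).

Assumption (not stated on the page): the wiper fills each victim file with the
ASCII marker "ZOV" repeated end to end. A file whose bytes are nothing but
that repetition, possibly with a truncated last copy, is reported as wiped.
"""
from pathlib import Path
import tempfile

MARKER = b"ZOV"


def is_zov_filled(data: bytes) -> bool:
    """Return True if `data` is one or more copies of MARKER, optionally
    ending in a truncated copy (file length not a multiple of 3)."""
    if not data:
        return False
    full, rem = divmod(len(data), len(MARKER))
    return data == MARKER * full + MARKER[:rem]


def scan_tree(root: Path, max_bytes: int = 64 * 1024 * 1024) -> list[Path]:
    """Walk `root` and return the files whose entire content matches the
    marker pattern. Files above `max_bytes` are skipped rather than read."""
    hits: list[Path] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.stat().st_size > max_bytes:
            continue
        try:
            with path.open("rb") as fh:
                if is_zov_filled(fh.read()):
                    hits.append(path)
        except OSError:
            continue  # unreadable file: not a wiper hit, keep scanning
    return hits


def demo() -> list[str]:
    """Build a constructed sample tree and return the names flagged as wiped."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ledger.xlsx").write_bytes(MARKER * 1000)          # fully overwritten
        (root / "notes.txt").write_bytes(MARKER * 3 + MARKER[:2])  # truncated last copy
        (root / "ok.txt").write_bytes(b"quarterly figures\n")      # untouched
        (root / "empty.log").write_bytes(b"")                      # empty, not a hit
        (root / "near.bin").write_bytes(MARKER * 5 + b"ZOX")       # one byte off
        return [p.name for p in scan_tree(root)]


if __name__ == "__main__":
    print(demo())
```

`is_zov_filled` is the only part tied to the assumed pattern; if the sample turns out to write the marker differently (a single occurrence plus zeros, for example), adjust that predicate and the walker stays the same.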
#ESETresearch attributes the attack to the Russia‑aligned #Sandworm with medium confidence, based on strong overlaps in behavior & TTPs with multiple earlier Sandworm attacks. Specifically, DynoWiper operates in a broadly similar fashion to ZOV wiper attributed to Sandworm with high confidence. 3/5
@CERT_Polska_en did an excellent job investigating the incident and published a detailed analysis in a report:
cert.pl/en/posts/202... 2/5
#BREAKING #ESETresearch provides technical details on #DynoWiper, a data‑wiping malware used in a data‑destruction incident on December 29, 2025, affecting a company in Poland’s energy sector. www.welivesecurity.com/en/eset-rese... 1/5
IoCs available in our GitHub repo: github.com/eset/malware...
Read the full analysis on WeLiveSecurity: www.welivesecurity.com/en/eset-rese... 9/9
The operation blends mobile spyware, social engineering, and desktop exploitation, targeting users in 🇵🇰 Pakistan. Despite its specific targeting, there are insufficient similarities in TTPs to attribute this campaign to any known threat actor at this point. 8/9
The same domain (buildthenations[.]info), also used to impersonate the Ministry of Defence website, mimics Pakistan’s Emergency Response Team and delivers a payload via #ClickFix, targeting desktop devices. 7/9
The GhostChat campaign is part of a broader, multiplatform, spy operation. In related activity, victims are lured into scanning QR codes on websites impersonating Pakistan’s Ministry of Defence, thereby giving the threat actors access to private #WhatsApp communications. 6/9
Upon installation, GhostChat immediately requests permissions and begins exfiltrating data – even before login. It continuously monitors new images, scans for documents every five minutes, and exfiltrates sensitive information from the device. 5/9
This impression of personalization and exclusive access is rarely seen in mobile threat campaigns and suggests a highly targeted social engineering effort. Under its façade lies the true purpose of the app: data exfiltration. 4/9
The credentials and codes are not processed by any server and are hardcoded in the app, implying that they are probably distributed along with the app by the threat actor. 3/9
The spyware used in the campaign, which we named #GhostChat, uses the icon of a legitimate chat app. After installation from unknown sources, login credentials and unlock codes are required to access the app and individual chat profiles, respectively. 2/9
#ESETresearch has uncovered a new #Android spyware campaign using novel romance scam tactics to target individuals in 🇵🇰 Pakistan, with an added social engineering element previously unseen in similar schemes. www.welivesecurity.com/en/eset-rese... 1/9
We continue to investigate the incident and broader implications. As new evidence or links to additional Sandworm activity emerge, we will share further updates to help defenders protect critical sectors. 5/5
#ESET detects DynoWiper as Win32/KillFiles.NMO. Customers of our private ESET Threat Intelligence APT reports have already received additional technical details and IOCs to support rapid detection and response. IoC: 4EC3C90846AF6B79EE1A5188EEFA3FD21F6D4CF6 4/5
The attack struck during peak winter and the 10‑year anniversary of Sandworm’s 2015 attack on 🇺🇦 Ukraine’s power grid - the first malware-driven blackout, leaving ~230,000 people without electricity. 3/5
#ESETresearch attributes the attack to the Russia‑aligned #Sandworm APT group with medium confidence, based on strong overlaps in behavior and TTPs with multiple earlier Sandworm-linked wiper operations investigated by our team. 2/5
#BREAKING #ESETresearch identified the wiper #DynoWiper used in an attempted disruptive cyberattack against the Polish energy sector on Dec 29, 2025. At this point, no successful disruption is known, but the malware’s design clearly indicates destructive intent. 1/5