ESET THREAT RESEARCH


Recognized cybersecurity research & discoveries serving global clients

800+
Cybersecurity researchers and technology experts
11
Research & Development centers worldwide
300k+
Unique, new malware samples detected every day
1 billion+
Individuals and clients protected worldwide

Research has always been central to ESET and its technology since the company's inception. The journey began with a significant discovery in 1987, when ESET co-founders Miroslav Trnka and Peter Paško identified one of the world's first computer viruses, known as Vienna.

Over the years, ESET and its researchers have been recognized for numerous discoveries and have received accolades for their work. In 2018, ESET made a notable discovery with LoJax, the first UEFI rootkit detected in the wild, used by the infamous Sednit APT group.
Our researchers frequently present at prestigious industry conferences, including RSA, Black Hat, Virus Bulletin, and CARO, among others. They are also committed to educating future researchers and security experts by teaching at universities.

Most notable ESET Threat Research

October 2019

Winnti Group arsenal

As part of their extensive tracking of the Winnti Group, ESET researchers revealed updates to the group’s malware arsenal and campaigns.

October 2019

Attor espionage platform

ESET researchers discovered a previously unreported cyberespionage platform used in targeted attacks against diplomatic missions and governmental institutions, and privacy-concerned users.

November 2018

3ve disruption

ESET Research contributed to international law enforcement operation against 3ve, a major online ad fraud operation.

October 2024

GoldenJackal air-gapped tools

ESET researchers discovered a series of attacks that took place in Europe from May 2022 to March 2024 against a governmental organization of an EU country, in which the attackers used a toolset capable of targeting air-gapped systems. ESET attributes the campaign to GoldenJackal, a cyberespionage APT group that targets government and diplomatic entities.

September 2024

Gamaredon

ESET Research examined the operations of Gamaredon, a Russia-aligned APT group that has been active since at least 2013 and is currently the most engaged APT group in Ukraine.

August 2024

NGate

ESET researchers uncovered a crimeware campaign that targeted clients of three Czech banks. The malware used, which we have named NGate, has the unique ability to relay data from victims’ payment cards, via a malicious app installed on their Android devices, to the attacker’s rooted Android phone.

July 2024

EvilVideo

ESET researchers discovered a zero-day exploit targeting the Telegram app for Android that appeared for sale, for an unspecified price, in an underground forum post from June 2024. Attackers used the exploit to abuse a vulnerability that ESET named “EvilVideo”.

April 2024

Ebury investigation

ESET Research released its deep-dive investigation into one of the most advanced server-side malware campaigns, which is still growing – the Ebury group with their malware and botnet. Over the years, Ebury has been deployed as a backdoor to compromise almost 400,000 Linux, FreeBSD, and OpenBSD servers.

February 2024

Operation Texonto

A Russian-aligned threat actor spread war-related disinformation and PSYOPs to Ukrainian readers via spam emails. The spearphishing campaign targeted a Ukrainian defense company and an EU agency.

January 2024

Grandoreiro disruption

ESET worked alongside the Federal Police of Brazil in an attempt to disrupt the Grandoreiro botnet. ESET contributed to the project by providing technical analysis, statistical information, and known command and control server domain names and IP addresses.

December 2023

SpyLoan

ESET researchers observed alarming growth in deceptive Android loan apps, which present themselves as legitimate personal loan services, promising quick and easy access to funds. ESET products recognize these apps using the detection name SpyLoan.

November 2023

Mozi kill switch

ESET researchers observed the sudden demise of one of the most prolific IoT botnets: Mozi has been responsible for the exploitation of hundreds of thousands of devices a year since 2019. ESET discovered a kill switch that disabled the malware and stripped the Mozi bots of their functionality.

September 2023

Lazarus in Spain

ESET researchers uncovered a Lazarus attack against an aerospace company in Spain, in which the group deployed several tools. Operators of the North Korea-linked Lazarus group obtained initial access to the company’s network last year after a successful spearphishing campaign, masquerading as a recruiter for Meta.

2023-2024

Telekopye

ESET researchers discovered and analyzed Telekopye, a toolkit that helps less technical people pull off online scams more easily. ESET estimates that Telekopye has been in use since at least 2015. Telekopye capabilities include creating phishing websites, sending phishing SMS and emails, and creating fake screenshots.

August 2023

MoustachedBouncer

ESET Research discovered a new cyberespionage group, MoustachedBouncer, which is aligned with the interests of the Belarus government. Active since at least 2014, the group targets only foreign embassies, including European ones, in Belarus.

May 2023

iRecorder

ESET researchers discovered a trojanized Android app named iRecorder - Screen Recorder. It was available on Google Play as a legitimate app in September 2021, with malicious functionality most likely added in August 2022. During its existence, the app was installed on more than 50,000 devices. The malicious code was added to the clean version of iRecorder.

March 2023

BlackLotus

ESET researchers published an analysis of a UEFI bootkit that is capable of bypassing an essential platform security feature – UEFI Secure Boot. The functionality of the bootkit and its individual features make ESET Research believe that it is a threat known as BlackLotus, a UEFI bootkit that has been sold on hacking forums.

February-December 2022

Wiper attacks in Ukraine

Ukraine has been hit by cyberattacks that involved data-wiping malware: HermeticWiper, IsaacWiper, CaddyWiper, and others. The first wave of attacks started with the Russian invasion of Ukraine.

April 2022

Industroyer2

Sandworm attackers made an unsuccessful attempt to deploy the Industroyer2 malware against high-voltage electrical substations in Ukraine. ESET researchers worked closely with CERT-UA on this discovery.

April 2022

Zloader disruption

ESET has collaborated with Microsoft and others in an attempt to disrupt known Zloader botnets. Zloader started as a banking trojan, but later evolved to become a distributor of several types of malware, especially ransomware.

April 2022

UEFI vulnerabilities

ESET researchers have discovered and analyzed three vulnerabilities affecting various Lenovo consumer laptop models.

July 2022

CloudMensis spyware

ESET researchers discovered the macOS backdoor CloudMensis that spies on users of compromised Macs and exclusively uses public cloud storage services to communicate with its operators.

September 2022

Lazarus operations

ESET researchers uncovered and analyzed a set of malicious tools that were used by the infamous Lazarus APT group in attacks during 2021. One was designed to disable various Windows monitoring features.

October 2022

Polonium

ESET researchers analyzed previously undocumented custom backdoors and cyberespionage tools deployed in Israel by the POLONIUM APT group.

December 2022

MirrorFace

ESET researchers discovered a spearphishing campaign targeting Japanese political entities a few weeks before the House of Councillors elections and uncovered a MirrorFace credential stealer.

December 2021

Jumping the air-gap

ESET researchers analyzed all malicious frameworks known to date that have been used to attack air-gapped networks. Air-gapping is used to protect the most sensitive networks.

August 2019 - December 2021

Latin American banking trojans

ESET Research published a series of blogposts dedicated to demystifying Latin American banking trojans, an evolving threat mainly targeting Brazil, Spain and Mexico.

November 2021

Candiru spyware

Discovery of strategic web compromise attacks against high-profile websites in the Middle East with a strong focus on Yemen. The attacks were linked to spyware-producing company Candiru.

October 2021

UEFI bootkit ESPecter

Discovery of a real-world UEFI bootkit that persists on the EFI System Partition (ESP). The bootkit can bypass Windows Driver Signature Enforcement to load its own unsigned driver for espionage.

August 2021

IIS threat research

ESET Research discovered 10 previously undocumented malware families, implemented as malicious extensions for Internet Information Services (IIS) web server software.

May 2021

Android stalkerware

ESET Research conducted an in-depth analysis of stalkerware and discovered 158 serious security and privacy issues across 58 different applications.

March 2021

ProxyLogon

ESET Research discovered that at least ten different APT groups were exploiting the Microsoft Exchange ProxyLogon vulnerabilities to compromise email servers before and shortly after the vulnerability chain was patched.

February 2021

Kobalos

Discovery of Kobalos, complex Linux malware targeting supercomputers. ESET worked with CERN in mitigating these attacks.

June 2020

InvisiMole

Investigating a new campaign by the InvisiMole group, ESET researchers uncovered the group’s updated toolset as well as previously unknown details about its stealthy mode of operation.

February 2020

The KrØØk vulnerability

ESET researchers uncovered a previously unknown security flaw allowing an adversary to decrypt some wireless network packets transmitted by vulnerable devices.

June 2020

Operation In(ter)ception

ESET researchers uncovered targeted attacks against high-profile aerospace and military companies in Europe and the Middle East.

October 2020

TrickBot disruption

ESET has collaborated in a Microsoft-led effort to disrupt the TrickBot botnet, providing technical analysis, statistical information, and known command and control server domain names and IPs.

October 2018

GreyEnergy

Following long-term tracking of the infamous BlackEnergy group targeting critical infrastructure, ESET Research discovered its successor: the GreyEnergy group.

October 2019

Operation Ghost

ESET researchers uncovered new activity of the infamous espionage group, the Dukes, including three new malware families.

Software vulnerabilities

While ESET Research primarily focuses on malware, some investigations lead to discovering software vulnerabilities.

While respecting legitimate business interests of vendors of hardware, software, and services, our aim is to protect the broad community of users of internet/IT-related products and/or services.

If we believe we have discovered a vulnerability in a third-party product or service, we adhere to the principles of responsible disclosure and do our best to reach out to the vendor to inform them about our findings. However, we reserve the option of disclosing the discovery to a trusted third party, such as a national CSIRT.

Research & development centers

  • Bratislava, Košice and Žilina, Slovakia
  • Prague, Brno and Jablonec nad Nisou, Czech Republic
  • Krakow, Poland
  • Montreal, Canada
  • San Diego, United States
  • Singapore
  • Iasi, Romania
  • Taunton, United Kingdom