Hackers Mimic as ESET to Deliver Wiper Malware

Hackers impersonated the cybersecurity firm ESET to distribute destructive wiper malware. The campaign, which began on October 8, 2024, utilized phishing emails that appeared to originate from ESET’s legitimate domain.

The malicious emails, purportedly from “ESET’s Advanced Threat Defense Team,” warned recipients that state-backed attackers were targeting their devices.

The emails offered a download link for a fictitious “ESET Unleashed” program to combat this alleged threat.

Upon clicking the link, victims were directed to a ZIP file hosted on ESET Israel’s legitimate domain. The archive contained several legitimate ESET DLL files and a malicious Setup.exe, identified as a wiper malware.

Join ANY.RUN's FREE webinar on How to Improve Threat Investigations on Oct 23 - Register Here 

According to the DoublePulsar report, Security researcher Kevin Beaumont, who analyzed the attack, noted that the malware required a physical PC to activate and exhibited evasion techniques.

The wiper was also connected to a legitimate Israeli news organization’s website, possibly to avoid detection.

ESET acknowledged the incident, stating it affected their partner company in Israel, Comsecure.

The company emphasized that their systems were not compromised and that the malicious email campaign was blocked within ten minutes.

The attack targeted cybersecurity personnel within Israeli organizations, suggesting a strategic attempt to disrupt the country’s digital defense.

While the perpetrators remain unidentified, the tactics employed bear similarities to those used by pro-Palestinian groups like Handala, which has been linked to sophisticated attacks against Israeli targets.

It underscores the importance of verifying the authenticity of security-related communications, even when they appear to come from trusted sources.

How to Choose an ultimate Managed SIEM solution for Your Security Team -> Download Free Guide (PDF)