Boztek

ESET Threat Report H1 2024

In the first half of 2024, ESET Research reported a rapidly evolving threat landscape particularly focused on mobile banking threats targeting Android users. This period witnessed an influx of malware that sought to compromise victims’ financial information, with new forms of malicious software emerging, such as cryptostealers. Among these, GoldPickaxe was identified as a notable new player capable of retrieving facial recognition data for the creation of deepfake videos, which are then employed by cybercriminals to authenticate fraudulent transactions. GoldPickaxe is operational on both Android and iOS platforms and has predominantly affected Southeast Asian users through localized malicious applications. Furthermore, an older variant named GoldDiggerPlus has gained traction in Latin America and South Africa, indicating the malware’s expanding geographical reach.

Infostealers have also morphed to leverage the zeitgeist of generative AI, with malware like Rilide Stealer mimicking AI assistants, borrowing names such as OpenAI’s Sora and Google’s Gemini, to deceive users. A separate malicious operation involved the Vidar infostealer masquerading as a legitimate Windows desktop app for the AI image generator Midjourney, which is notable because Midjourney’s AI capabilities are restricted to Discord. This surge in cybercriminals exploiting AI themes represents a troubling trend that has been escalating since 2023 and shows no signs of abating.

The gaming sector is similarly vulnerable, with infostealer threats infiltrating cracked video games and cheating tools. Recent findings showed that games obtained outside of official channels sometimes harbor malware like Lumma Stealer and RedLine Stealer. The latter saw a resurgence in detection spikes in early 2024 due to targeted campaigns in regions such as Spain, Japan, and Germany. Despite experiencing a decline in development the previous year, RedLine Stealer’s activity remains significant, with detection rates surpassing previous periods by substantial margins.

Another concerning development involves the Balada Injector group, which exploits vulnerabilities in WordPress plugins. In just the first half of 2024, this gang compromised over 20,000 websites, garnering more than 400,000 hits in ESET telemetry, thus continuing to pose a serious threat to web security.

In the realm of ransomware, the notorious LockBit group experienced a significant downturn due to Operation Cronos, a coordinated law enforcement initiative that took place in February 2024. Although two noteworthy attacks within this half-year initially appeared to be LockBit’s work, they were attributed instead to other, non-LockBit gangs utilizing leaked resources from LockBit’s builder, suggesting a shift within the underground ransomware ecosystem.

The Ebury botnet, previously highlighted in ESET’s 2014 study, continues to be a formidable threat after a decade of activity. New investigations revealed that Ebury has compromised nearly 400,000 servers since its inception in 2009. Even with its established toolkit, Ebury has expanded its functional capabilities to emphasize monetization strategies, primarily focusing on cryptocurrency and credit card theft.

Overall, the first half of 2024 in cybersecurity showcased an environment marked by emerging threats and evolving tactics among cybercriminals. With both mobile and desktop attacks diversifying and becoming more sophisticated, organizations need to remain vigilant and agile in enhancing their cybersecurity measures. ESET’s insights underscore the importance of continuous monitoring and awareness of the latest trends in threat intelligence to fortify defenses against a pervasive and dynamic threat landscape.