
ESET Threat Report H1 2024

In the first half of 2024, ESET researchers and threat detection experts provided an insightful view of the evolving threat landscape. The focus was on the surge of Android financial threats, particularly malware targeting mobile banking funds. Among the emerging threats was GoldPickaxe, a new mobile malware capable of stealing facial recognition data to create deepfake videos for fraudulent financial transactions. This malware, with both Android and iOS versions, targeted victims in Southeast Asia through localized malicious apps. Additionally, an older variant called GoldDiggerPlus made its way to Latin America and South Africa.

In a reflection of the ever-changing tactics of cybercriminals, infostealing malware took on a new disguise by impersonating generative AI tools. For instance, Rilide Stealer was observed misusing the names of AI assistants like OpenAI’s Sora and Google’s Gemini to deceive victims. Similarly, the Vidar infostealer posed as a Windows desktop app for the AI image generator Midjourney, even though the legitimate model is only accessible via Discord. This trend of exploiting AI themes for malicious purposes has been on the rise since 2023.

Gaming enthusiasts were not spared from the threat landscape, as cracked video games and cheating tools used in online multiplayer games were found to harbor infostealer malware like Lumma Stealer and RedLine Stealer. The latter saw spikes in detection in H1 2024, driven by campaigns in Spain, Japan, and Germany. Despite facing disruptions in 2023, RedLine Stealer continued to pose a significant threat in the first half of 2024, surpassing detections from the previous period.

The notorious Balada Injector gang, known for exploiting WordPress plugin vulnerabilities, continued its malicious activities, compromising over 20,000 websites in the first half of 2024. Meanwhile, the ransomware landscape witnessed a shift with the decline of LockBit, once a prominent player, following Operation Chronos, a global law enforcement operation in February 2024. Although there were still LockBit campaigns recorded in H1 2024, they were attributed to non-LockBit groups utilizing the leaked builder.

The long-standing Ebury botnet, initially explored in ESET’s 2014 white paper “Operation Windigo,” remained a persistent threat, compromising nearly 400,000 servers since 2009. Recent investigations revealed expanded functionalities of the botnet, focusing on cryptocurrency and credit card theft for financial gain.

As the threat landscape continues to evolve, organizations are urged to stay vigilant and leverage threat intelligence to enhance their cybersecurity posture. Follow ESET research on Twitter for updates on key trends and threats, and visit the ESET Threat Intelligence page to learn more about the benefits of threat intelligence for organizations. The insights provided by ESET researchers shed light on the complexities of the modern cybersecurity landscape and the importance of proactive defense mechanisms against emerging threats.