
Posts by ESET Research

malware-ioc/ngate at master · eset/malware-ioc Indicators of Compromise (IoC) of our various investigations - eset/malware-ioc

IoCs are available in our GitHub repo: github.com/eset/malware... 6/6

12 hours ago

The code inside the maliciously patched HandyPay appears to have been developed with the assistance of #AI, as the logs contain emoji that are typical of AI-generated text, although definitive proof remains elusive. 5/6

12 hours ago

We found two NGate samples being used in the campaign: one distributed via a website impersonating a 🇧🇷 lottery, the other via a fake Google Play page for a supposed card protection app. The trojanized HandyPay has never been available on the official Google Play store. 4/6

12 hours ago

Since HandyPay is significantly cheaper compared to paying for established #MaaS offerings with similar NFC relay functionality, the threat actors most probably decided on trojanizing the app as a cost-cutting measure. 3/6

12 hours ago

HandyPay is an Android app that enables relaying #NFC data from one device to another. Using the trojanized version, attackers can transfer a victim’s payment card data to their own device and use it for unauthorized payments. The code can also capture payment card PINs. 2/6

12 hours ago

#ESETresearch discovered a new #NGate malware variant that abuses the legitimate #HandyPay app, which has been patched with possibly AI-generated malicious code. The campaign is ongoing and targets Android users in Brazil. www.welivesecurity.com/en/eset-rese... 1/6

12 hours ago

5D3CF785A440133A899412B800742716287D0B06 (msimg32.dll)

A3BDB419703A70157F2B7BD1DC2E4C9227DD9FE8 (0th3r_av5.exe) 6/6

1 week ago

Additional IoCs: 127B50C8185986A52AE66BF6E7E67A6FD787C4FC (version.dll)

22640D48F2E2A56C7A0708356B2B6990676B58B3 (version.dll)

3030DF03F36EC4C96B36B2E328FE3D7D9082811A (0th3r_av5.exe)

52D0358FF84295D231BC180CEDFDAF96631D67B4 (rtworkq.dll) 5/6

1 week ago
Qilin EDR killer infection chain This blog provides an in-depth analysis of the malicious “msimg32.dll” used in Qilin ransomware attacks, which is a multi-stage infection chain targeting EDR systems.

Beyond msimg32.dll mentioned in the Talos‘ blog, VX Crypt also names the payloads rtworkq.dll and version.dll, all abusing DLL side-loading for evasion. We’ve also observed an EXE variant in the wild, named 0th3r_av5.exe blog.talosintelligence.com/qilin-edr-ki... 4/6

1 week ago
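To make the CardSpaceKiller indicators in this thread actionable, here is an added Python example (not ESET's or Talos' code) that hashes files under a directory, matches them against the SHA-1 values from the two IoC posts (5/6 and 6/6), and separately flags copies of msimg32.dll, version.dll or rtworkq.dll that sit outside the Windows system directories, which is the DLL side-loading pattern the 4/6 post describes. The directory layout built by `demo()`, the placeholder file contents and the list of legitimate system directories are assumptions for the demo. A DLL with one of these names next to some other executable is a lead for triage, not a verdict; only the hash match is a confirmed indicator.

```python
"""Added example: SHA-1 IoC sweep plus a side-loading location check.
Not ESET's or Talos' code; the IoC list is copied from the thread."""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-1 hashes exactly as published in the thread, with the filename ESET gave.
IOC_SHA1 = {
    "5D3CF785A440133A899412B800742716287D0B06": "msimg32.dll",
    "A3BDB419703A70157F2B7BD1DC2E4C9227DD9FE8": "0th3r_av5.exe",
    "127B50C8185986A52AE66BF6E7E67A6FD787C4FC": "version.dll",
    "22640D48F2E2A56C7A0708356B2B6990676B58B3": "version.dll",
    "3030DF03F36EC4C96B36B2E328FE3D7D9082811A": "0th3r_av5.exe",
    "52D0358FF84295D231BC180CEDFDAF96631D67B4": "rtworkq.dll",
}

# DLL names the thread says are side-loaded. Their legitimate copies live in the
# Windows system directories; a copy beside a third-party EXE deserves a look.
SIDELOAD_DLLS = {"msimg32.dll", "version.dll", "rtworkq.dll"}
SYSTEM_DIRS = (  # assumption: the usual homes of the genuine DLLs
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)


def sha1_of(path: Path) -> str:
    """Uppercase SHA-1 hex digest of a file, streamed in 64 KiB chunks."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def is_sideload_location(path_str: str) -> bool:
    """True when a known side-loaded DLL name sits outside the system dirs.
    Works on the path string (case-insensitive, either slash style), so it can
    also be run over file listings collected from a Windows host."""
    p = path_str.replace("/", "\\").lower()
    name = p.rsplit("\\", 1)[-1]
    return name in SIDELOAD_DLLS and not p.startswith(SYSTEM_DIRS)


def scan(root: Path):
    """Walk `root`; return (hash_hits, sideload_hits).
    hash_hits: (path, sha1, ioc_name) for files whose digest is a listed IoC.
    sideload_hits: paths of suspiciously placed DLLs, regardless of hash."""
    hash_hits, sideload_hits = [], []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            fp = Path(dirpath) / fn
            digest = sha1_of(fp)
            if digest in IOC_SHA1:
                hash_hits.append((str(fp), digest, IOC_SHA1[digest]))
            if is_sideload_location(str(fp)):
                sideload_hits.append(str(fp))
    return hash_hits, sideload_hits


def demo():
    """Build a constructed directory tree in a temp dir and scan it.
    The file contents are placeholders, not the real payloads, so no hash hit
    is expected; the misplaced version.dll is expected to be flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Vendor").mkdir()
        (root / "Vendor" / "app.exe").write_bytes(b"MZ placeholder")
        (root / "Vendor" / "version.dll").write_bytes(b"")  # constructed
        (root / "Vendor" / "readme.txt").write_bytes(b"nothing to see")
        return scan(root)


if __name__ == "__main__":
    hashes, sideloads = demo()
    print("hash hits:", hashes)
    print("possible side-loading:", sideloads)
```

Run it against a real collection root instead of `demo()` and treat the two result lists differently: a hash hit is a confirmed sample, while a side-load hit only tells you where to look next (check the EXE beside the DLL, its signer, and the DLL's imports).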
Inside Shanya, a packer-as-a-service fueling modern attacks The ransomware scene gains another would-be EDR killer

The packer (identified as VX Crypt by Sophos) is not unique to this killer; it’s a PaaS used with other malware like #BumbleBee. But it is the single choice for the killer’s developer; unprotected samples were used only in 2025-02 www.sophos.com/en-us/blog/i... 3/6

1 week ago

While we didn’t obtain direct evidence, we strongly believe that CardSpaceKiller is offered as a product on the darknet for reasons covered in the blog. We’ve detected it used by #Akira, #Medusa, and #MedusaLocker affiliates too. 2/6

1 week ago
EDR killers explained: Beyond the drivers ESET researchers dive deeper into the EDR killer ecosystem, disclosing how attackers abuse vulnerable drivers.

Cisco Talos recently published an analysis of an EDR killer used by the #Qilin #ransomware gang. #ESETresearch tracks this threat as #CardSpaceKiller and we recently provided additional insights in our blog www.welivesecurity.com/en/eset-rese... 1/6

1 week ago

We recovered 5K+ C2 messages (activity since 2023‑11), mapped tools (LaxGopher, RatGopher, BoxOfFriends, JabGopher, FriendDelivery, CompactGopher, SSLORDoor), and saw exfil via file.io; the presentation will provide defender tips. Full research will be released later on WeLiveSecurity.com 3/3

1 week ago

New China‑aligned APT GopherWhisper: first seen in 2025 deploying backdoor LaxGopher inside a Mongolian government institution. The group’s backdoors abuse legit services for C2 (Slack, Discord, Microsoft Graph). Hardcoded tokens let us peek into ops and post‑compromise activity. 2/3

1 week ago

#ESETresearch's Eric Howard will be presenting at Botconf. Join him in Reims, France to hear about “GopherWhisper, Uncovering an APT’s secrets through its own words” on Apr 15 at 17.15 CEST. For more information, check out www.botconf.eu/botconf-2026... 1/3

1 week ago

IoCs: 9B484760D563B3768EAA93802AFD4EA9C3F92780 (win.exe)
akirad2pbdhjlczfbunj4jbbv7ox4ixdti3xq35mqxsl3yzjqhg3lmqd[.]onion 5/5

2 weeks ago

Aside from the encryptor, the threat actor utilized Mimikatz and exfiltrated sensitive data using rclone. Copycat attempts like this one are rare, but not unheard of. Victims should never trust threat actors based solely on their claims. 4/5

2 weeks ago

The ransom note also references the official Akira leak sites (Dedicated Leak Sites - DLSs), but plants a custom Tor link for the ransom payment negotiation. The link is currently not working. Notably, Akira itself warns about potential copycats on their DLS. 3/5

2 weeks ago

The ransom note is almost identical to Akira’s with some parts omitted. The crucial difference is the planted Tor link that is not under Akira’s control. The ransom note is also named ___________akira_readme.txt (the leading underscores are another difference from real Akira). 2/5

2 weeks ago

#ESETresearch has identified an Akira lookalike ransomware campaign targeting South America. The threat actor is using a Babuk-based encryptor that appends the .akira extension and drops a ransom note that mimics Akira both in Tor URLs and the overall content. 1/5

2 weeks ago

Note that even though ESET observes the most activity in Japan, Silver Fox also currently operates in Taiwan, India, Indonesia, Australia, the United Kingdom, and Brazil. IoCs available in our GitHub repo: github.com/eset/malware... 8/8

3 weeks ago

Opening the malicious files drops ValleyRAT, a remote access trojan that Silver Fox has used across multiple campaigns. Once deployed, it enables the actor to take remote control of the machine and harvest sensitive information. ESET products detect this malware as Win64/Valley. 7/8

3 weeks ago

The following are examples of observed emails and lures ⬇️ 6/8

3 weeks ago

The emails typically contain either a malicious attachment or a link leading to a malicious file. The files are named to resemble common HR, financial, or tax-related documents, such as ⬇️ 5/8

3 weeks ago

The sender fields often impersonate employees at the targeted companies. This indicates Silver Fox performs reconnaissance before attacking. Using names that the targets are likely to recognize makes it more difficult to distinguish the messages from real internal notifications. 4/8

3 weeks ago

Examples of subjects observed in this campaign include ⬇️ 3/8

3 weeks ago

In this operation, Silver Fox sends tailored spearphishing emails crafted to look like one such communication. To make the emails appear authentic, the attackers often include the name of the targeted company directly in the subject line. 2/8

3 weeks ago
A cunning predator: How Silver Fox preys on Japanese firms this tax season Silver Fox is back in Japan, spoofing tax and HR emails timed to the one season when many people don’t think twice about opening them

#ESETresearch has identified a Silver Fox campaign that actively takes advantage of the current annual tax filing and organizational change season in Japan, a period when companies generate a high volume of legitimate financial and HR-related comms. www.welivesecurity.com/en/business-... 1/8

3 weeks ago

... survey-tennessee-blind-corners.trycloudflare[.]com
dvd-diagnostic-oakland-signals.trycloudflare[.]com
practitioners-ons-boom-utc.trycloudflare[.]com
donnellykilbakk[.]cc
PowerShell SystemBC C&C:
91.99.97[.]247
ConnectWise C&C:
partyglacierhip[.]top 8/8

4 weeks ago

IoCs:
Interlock RAT
CEB69DFDD768AA08B86F1D5628BD3A38C1FE8C1F
Interlock RAT C&Cs:
172.86.68[.]64
23.227.203[.]123
77.42.75[.]119
NodeSnake C&Cs:
deserve-coordinated-fairy-tier.trycloudflare[.]com ... 7/8

4 weeks ago
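The network indicators in posts 7/8 and 8/8 are published defanged (`[.]`), which is right for a public feed but means they have to be normalized before they can be matched against telemetry. The following is an added Python example (not ESET's code) that refangs the listed Interlock RAT, NodeSnake, SystemBC and ConnectWise indicators, sorts them into IPs and domains, and sweeps constructed DNS and proxy log lines for them. The log lines, the benign hostnames in them and the log format are assumptions for the demo. The domain match deliberately accepts subdomains of a listed domain but never the bare parent zone, so `cdn.trycloudflare.com` is not a hit even though four of the NodeSnake C&Cs are `trycloudflare.com` quick-tunnel hosts: the parent is a legitimate Cloudflare service, and only the specific hostnames in the thread are indicators.

```python
"""Added example: refang defanged IoCs and sweep log lines for them.
Not ESET's code; the indicator list is copied from the thread."""
import ipaddress
import re

# Indicators exactly as published in posts 7/8 and 8/8, still defanged.
DEFANGED_IOCS = [
    "172.86.68[.]64", "23.227.203[.]123", "77.42.75[.]119",  # Interlock RAT C&Cs
    "deserve-coordinated-fairy-tier.trycloudflare[.]com",    # NodeSnake C&Cs
    "survey-tennessee-blind-corners.trycloudflare[.]com",
    "dvd-diagnostic-oakland-signals.trycloudflare[.]com",
    "practitioners-ons-boom-utc.trycloudflare[.]com",
    "donnellykilbakk[.]cc",
    "91.99.97[.]247",                                        # PowerShell SystemBC C&C
    "partyglacierhip[.]top",                                 # ConnectWise C&C
]


def refang(indicator: str) -> str:
    """Undo common defanging: 91.99.97[.]247 -> 91.99.97.247, hxxp:// -> http://."""
    s = indicator.strip().lower()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    s = re.sub(r"^hxxp", "http", s)
    return s


def split_iocs(defanged):
    """Refang every indicator and return (set_of_ips, set_of_domains)."""
    ips, domains = set(), set()
    for raw in defanged:
        ioc = refang(raw)
        try:
            ips.add(str(ipaddress.ip_address(ioc)))
        except ValueError:
            domains.add(ioc)
    return ips, domains


IOC_IPS, IOC_DOMAINS = split_iocs(DEFANGED_IOCS)

# Candidate IPv4 addresses or dotted hostnames inside free-form log text.
TOKEN_RE = re.compile(
    r"\b(?:\d{1,3}(?:\.\d{1,3}){3}"
    r"|[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+)\b",
    re.IGNORECASE,
)


def domain_matches(host: str, domain: str) -> bool:
    """Exact indicator or a subdomain of it; never the bare parent zone
    (trycloudflare.com itself is not an indicator, the listed hosts are)."""
    return host == domain or host.endswith("." + domain)


def sweep(log_lines):
    """Return (line_no, token, label) for every indicator seen in the lines."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for tok in TOKEN_RE.findall(line):
            t = tok.lower()
            if t in IOC_IPS:
                hits.append((n, t, "ioc-ip"))
            elif any(domain_matches(t, d) for d in IOC_DOMAINS):
                hits.append((n, t, "ioc-domain"))
    return hits


# Constructed log lines for the demo; the hosts ws-* and files.internal.example
# are made up, the indicators are the refanged ones from the thread.
SAMPLE_LOGS = [
    "2026-03-10T09:14:02Z ws-17 dns query=partyglacierhip.top type=A",
    "2026-03-10T09:14:05Z ws-17 proxy CONNECT 91.99.97.247:443 user=jdoe",
    "2026-03-10T09:15:11Z ws-22 dns query=deserve-coordinated-fairy-tier.trycloudflare.com type=A",
    "2026-03-10T09:15:40Z ws-22 dns query=files.internal.example type=A",
    "2026-03-10T09:16:03Z ws-31 proxy GET https://cdn.trycloudflare.com/ status=200",
    "2026-03-10T09:16:30Z ws-09 dns query=www.donnellykilbakk.cc type=A",
]

if __name__ == "__main__":
    for line_no, token, label in sweep(SAMPLE_LOGS):
        print(f"line {line_no}: {label} {token}")
```

Feed it your own DNS or proxy export in place of `SAMPLE_LOGS`; the 8/8 post's list is truncated on this page, so extend `DEFANGED_IOCS` from ESET's GitHub repo rather than from the excerpt.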