Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities
Executive Summary
Throughout the autumn of 2018 we analyzed a long-standing (and still active at that time) cyber-espionage campaign that was primarily targeting foreign diplomatic...
Razy in search of cryptocurrency
Last year, we discovered malware that installs a malicious browser extension on its victim’s computer or infects an already installed extension. To do so,...
GreyEnergy’s overlap with Zebrocy
In October 2018, ESET published a report describing a set of activity they called GreyEnergy, which is believed to be a successor to BlackEnergy...
A Zebrocy Go Downloader
Last year at SAS2018 in Cancun, Mexico, “Masha and these Bears” included discussion of a subset of Sofacy activity and malware that we call...
The world’s southernmost security conference
When asked about his best race, Ayrton Senna replied that it was when he raced karting cars. For him it was the best because...
Remotely controlled EV home chargers – the threats and vulnerabilities
We are now seeing signs of a possible shift in the field of personal transport. Recent events such as the ‘dieselgate’ scandal undermine customer...
Zero-day in Windows Kernel Transaction Manager (CVE-2018-8611)
Executive summary
In October 2018, our AEP (Automatic Exploit Prevention) systems detected an attempt to exploit a vulnerability in the Microsoft Windows operating system. Further...
DarkVishnya: Banks attacked through direct connection to local network
While novice attackers, imitating the protagonists of the U.S. drama Mr. Robot, leave USB flash drives lying around parking lots in the hope that...
APT review of the year
What were the most interesting developments in terms of APT activity throughout the year and what can we learn from them?
Not an easy question...
KoffeyMaker: notebook vs. ATM
Despite CCTV and the risk of being caught by security staff, attacks on ATMs using a direct connection — so-called black box attacks —...