ESET Cyber Threat Report: AI Useful for Information Thieves and Banking Malware

● ESET releases its latest Cyber Threat Trends Report, based on data from December 2023 to May 2024.

● Information-stealing malware disguises itself as generative AI tools such as Midjourney, Sora, and Gemini.

● New mobile malware GoldPickaxe is capable of stealing facial recognition data to create deepfake videos.

● RedLine Stealer experienced several detection peaks in the first half of 2024, particularly in Spain, Japan and Germany.

● Balada Injector, a gang exploiting WordPress plugin vulnerabilities, compromised over 20,000 websites and generated over 400,000 visits in ESET telemetry in the first half of 2024.

Facial recognition data theft

“GoldPickaxe has both Android and iOS versions, and targets victims in Southeast Asia through localized malicious apps. While investigating this malware family, ESET researchers discovered that an older Android version of GoldPickaxe, named GoldDiggerPlus, has also spread to Latin America and South Africa,” explains Jean-Ian Boutin, Director of Cyber Threat Intelligence at ESET.

Resurgence of information-stealing malware

In recent months, infostealer malware has started masquerading as generative AI tools. In 2024, Rilide Stealer misused the names of AI assistants such as OpenAI’s Sora and Google’s Gemini to lure victims. In another malicious campaign, the Vidar infostealer posed as a desktop application for the AI image generator Midjourney, even though Midjourney’s AI model was only accessible through Discord. Since 2023, ESET Research has observed an increase in cybercriminals exploiting the AI theme, a trend that is expected to continue.

Gamers who ventured outside official app stores were also targeted by infostealers. Pirated games and cheat tools for online multiplayer games were found to carry malware such as Lumma Stealer and RedLine Stealer. RedLine Stealer saw several detection spikes in the first half of 2024, particularly in Spain, Japan, and Germany, with detections a third higher than in the second half of 2023.

Massive exploitation of WordPress vulnerabilities

Balada Injector, a gang exploiting WordPress plugin vulnerabilities, compromised over 20,000 websites and generated over 400,000 visits according to ESET telemetry in the first half of 2024.

Lockbit Ransomware Group Activity

On the ransomware scene, LockBit was brought down by Operation Chronos, a law enforcement operation that took place in February 2024. The two notable campaigns attributed to LockBit in the first half of 2024 were actually carried out by other gangs using its arsenal.

Linux servers targeted

ESET’s report explores a complex server-targeting malware campaign led by the Ebury group. The group used Ebury as a backdoor to compromise approximately 400,000 Linux, FreeBSD, and OpenBSD servers over the years. As of late 2023, over 100,000 servers remained compromised.
