Market Research
North Korea-Linked Group Launches Dolphin Backdoor: ESET Research

ESET researchers analyzed a previously unreported sophisticated backdoor used by the ScarCruft APT group. The backdoor, which ESET named Dolphin, has a wide range of spying capabilities, including monitoring drives and portable devices, exfiltrating files of interest, keylogging, taking screenshots, and stealing credentials from browsers. Its functionality is reserved for selected targets, to which the backdoor is deployed after the initial compromise using less advanced malware. Dolphin abuses cloud storage services — specifically Google Drive — for Command and Control communication.
ScarCruft, also known as APT37 or Reaper, is an espionage group that has been operating since at least 2012. It primarily focuses on South Korea, but other Asian countries have also been targeted. ScarCruft seems to be interested mainly in government and military organizations, and companies in various industries linked to the interests of North Korea.
“After being deployed on selected targets, it searches the drives of compromised systems for interesting files and exfiltrates them to Google Drive. One unusual capability found in prior versions of the backdoor is the ability to modify the settings of victims’ Google and Gmail accounts to lower their security, presumably to maintain Gmail account access for the threat actors,” says ESET researcher Filip Jurčacko, who analyzed the Dolphin backdoor.
In 2021, ScarCruft conducted a watering-hole attack on a South Korean online newspaper focused on North Korea. The attack consisted of multiple components, including an Internet Explorer exploit and shellcode leading to a backdoor named BLUELIGHT.
“In the previous reports, the BLUELIGHT backdoor was described as the attack’s final payload. However, when analyzing the attack, we discovered through ESET telemetry a second, more sophisticated backdoor deployed on selected victims via this first backdoor. We named this backdoor Dolphin based on a PDB path found in the executable,” explains Jurčacko.
Since the initial discovery of Dolphin in April 2021, ESET researchers have observed multiple versions of the backdoor, in which the threat actors improved the backdoor’s capabilities and made attempts to evade detection.
While the BLUELIGHT backdoor performs basic reconnaissance and evaluation of the compromised machine after exploitation, Dolphin is more sophisticated and manually deployed only against selected victims. Both backdoors are capable of exfiltrating files from a path specified in a command, but Dolphin also actively searches drives and automatically exfiltrates files with interesting extensions.
The backdoor collects basic information about the targeted machine, including the operating system version, malware version, list of installed security products, username, and computer name. By default, Dolphin searches all fixed (HDD) and non-fixed drives (USBs), creates directory listings, and exfiltrates files by extension. Dolphin also searches portable devices, such as smartphones, via the Windows Portable Device API. The backdoor also steals credentials from browsers, and is capable of keylogging and taking screenshots. Finally, it stages this data in encrypted ZIP archives before uploading it to Google Drive.
Cyber Security
ESET Research Uncovers Iran-Aligned BladedFeline Spying on Iraqi, Kurdish Officials

The Iran-aligned threat group BladedFeline has targeted Kurdish and Iraqi government officials in a recent cyber-espionage campaign, according to ESET researchers. The group deployed a range of malicious tools discovered within the compromised systems, indicating a continued effort to maintain and expand access to high-ranking officials and government organizations in Iraq and the Kurdish region. The latest campaign highlights BladedFeline’s evolving capabilities, featuring two tunneling tools (Laret and Pinar), various supplementary tools, and, most notably, a custom backdoor Whisper and a malicious Internet Information Services (IIS) module PrimeCache, both identified and named by ESET.
Whisper logs into a compromised webmail account on a Microsoft Exchange server and uses it to communicate with the attackers via email attachments. PrimeCache, a malicious IIS module, also serves as a backdoor, and it bears similarities to the RDAT backdoor used by the OilRig Advanced Persistent Threat (APT) group.
Based on these code similarities, as well as on further evidence presented in this blogpost, ESET assesses that BladedFeline is a very likely subgroup of OilRig, an Iran-aligned APT group going after governments and businesses in the Middle East. The initial implants in the latest campaign can be traced back to OilRig. These tools reflect the group’s strategic focus on persistence and stealth within targeted networks.
BladedFeline has consistently worked to maintain illicit access to Kurdish diplomatic officials, while simultaneously exploiting a regional telecommunications provider in Uzbekistan, and developing and maintaining access to officials in the government of Iraq.
ESET Research assesses that BladedFeline is targeting the Kurdish and Iraqi governments for cyberespionage purposes, with an eye toward maintaining strategic access to the computers of high-ranking officials in both governmental entities. The Kurdish diplomatic relationship with Western nations, coupled with the oil reserves in the Kurdistan region, makes it an enticing target for Iran-aligned threat actors to spy on and potentially manipulate. In Iraq, these threat actors are most probably trying to counter the influence of Western governments following the US invasion and occupation of the country.
In 2023, ESET Research discovered that BladedFeline targeted Kurdish diplomatic officials with the Shahmaran backdoor, and previously reported on its activities in ESET APT Activity reports. The group has been active since at least 2017, when it compromised officials within the Kurdistan Regional Government, but is not the only subgroup of OilRig that ESET Research is monitoring. ESET has been tracking Lyceum, also known as HEXANE or Storm-0133, as another OilRig subgroup. Lyceum focuses on targeting various Israeli organizations, including governmental and local governmental entities and organizations in healthcare.
ESET expects that BladedFeline will persist with implant development in order to maintain and expand access within its compromised victim set for cyberespionage.
Artificial Intelligence
Cloud Security Trade-Offs Rise: 91% of Leaders Face AI Threats

Gigamon has released its 2025 Hybrid Cloud Security Survey, revealing that hybrid cloud infrastructure is under mounting strain from the growing influence of artificial intelligence (AI). The annual study, now in its third year, surveyed over 1,000 Security and IT leaders across the globe. As cyberthreats increase in both scale and sophistication, breach rates have surged to 55 percent during the past year, representing a 17 percent year-on-year (YoY) rise, with AI-generated attacks emerging as a key driver of this growth.
Security and IT teams are being pushed to a breaking point, with the economic cost of cybercrime now estimated at $3 trillion worldwide according to the World Economic Forum. As AI-enabled adversaries grow more agile, organizations are challenged with ineffective and inefficient tools, fragmented cloud environments, and limited intelligence.
Key findings highlight how AI is reshaping hybrid cloud security priorities:
- AI’s role in escalating network complexity and accelerating risk is evident. The study reveals that 46 percent of Security and IT leaders say managing AI-generated threats is now their top security priority. One in three organizations report that network data volumes have more than doubled in the past two years due to AI workloads, while nearly half of all respondents (47 percent) are seeing a rise in attacks targeting their organization’s large language model (LLM) deployments. More than half (58 percent) say they’ve seen a surge in AI-powered ransomware, up from 41 percent in 2024, underscoring how adversaries are exploiting AI to outpace and outflank existing defenses.
- Compromises highlight continued trade-offs in foundational areas of hybrid cloud security. Nine out of ten (91 percent) Security and IT leaders concede to making compromises in securing and managing their hybrid cloud infrastructure. The key challenges that create these compromises include the lack of clean, high-quality data to support secure AI workload deployment (46 percent) and lack of comprehensive insight and visibility across their environments, including lateral movement in East-West traffic (47 percent).
- Public cloud risks prompt industry recalibration. Once considered an acceptable risk in the rush to scale post-COVID operations, the public cloud is now coming under increasingly intense scrutiny. Many organizations are rethinking their cloud strategies in the face of their growing exposure, with 70 percent of Security and IT leaders now viewing the public cloud as a greater risk than any other environment. As a result, 70 percent report their organization is actively considering repatriating data from public to private cloud due to security concerns and 54 percent are reluctant to use AI in public cloud environments, citing fears around intellectual property protection.
- Visibility is top of mind for security leaders. As cyberattacks become more sophisticated, the limitations of existing security tools are coming sharply into focus. Organizations are shifting their priorities toward gaining complete visibility into their environments, a capability now seen as crucial for effective threat detection and response. More than half (55 percent) of respondents lack confidence in their current tools’ ability to detect breaches, citing limited visibility as the core issue. As a result, 64 percent say their number one focus for the next 12 months is achieving real-time threat monitoring delivered through having complete visibility into all data in motion.
With AI driving unprecedented traffic volumes, risk, and complexity, nearly nine in 10 (89 percent) Security and IT leaders cite deep observability as fundamental to securing and managing hybrid cloud infrastructure. Executive leadership is taking notice, as boards increasingly prioritize complete visibility into all data in motion, with 83 percent confirming that deep observability is now being discussed at the board level to better protect hybrid cloud environments.
“Security teams are struggling to keep pace with the speed of AI adoption and the growing complexity and vulnerability of public cloud environments,” said Mark Jow, technical evangelist, EMEA, at Gigamon. “Deep observability addresses this challenge by combining MELT data with network-derived telemetry such as packets, flows, and metadata, delivering increased visibility and a more informed view of risk. It enables teams to eliminate visibility gaps, regain control, and act proactively with increased confidence. With 88 percent of Security and IT leaders agreeing it is critical to securing AI deployments, deep observability is fast becoming a strategic imperative.”
“With nearly half of organizations saying attackers are already targeting their large language models, AI security can’t be an afterthought, it needs to be a top priority,” said Mark Walmsley, CISO at Freshfields. “The key to staying ahead? Visibility. When we can clearly see what’s happening across AI systems and data flows, we can cut through the noise and manage risk more effectively. Deep observability helps us spot vulnerabilities early and put the right protections in place before issues arise.”
Cyber Security
Axis Communications Sheds Light on Video Surveillance Industry Perspectives on AI

Axis Communications has published a new report that explores the state of AI in the global video surveillance industry. Titled The State of AI in Video Surveillance, the report examines the key opportunities, challenges and future trends, as well as the responsible practices that are becoming critical for organisations in their use of AI. The report draws insights from qualitative research as well as quantitative data sources, including in-depth interviews with carefully selected experts from the Axis global partner network.
A leading insight featured in the report is the unanimous view among interviewees that interest in the technology has surged over the past few years, with more and more business customers becoming curious and increasingly knowledgeable about its potential applications.

“AI is a technology that has the potential to touch every corner and every function of the modern enterprise. That said, any implementations or integrations that aim to drive value come with serious financial and ethical considerations. These considerations should prompt organisations to scrutinise any initiative or investment. Axis’s new report not only shows how AI is transforming the video surveillance landscape, but also how that transformation should ideally be approached,” said Mats Thulin, Director AI & Analytics Solutions at Axis Communications.
According to the Axis report, the move by businesses from on-premise security server systems to hybrid cloud architectures continues at pace, driven by the need for faster processing, improved bandwidth usage and greater scalability. At the same time, cloud-based technology is being combined with edge AI solutions, which play a crucial role by enabling faster, local analytics with minimal latency, a prerequisite for real-time responsiveness in security-related situations.
By moving AI processing closer to the source using edge devices such as cameras, businesses can reduce bandwidth consumption and better support real-time applications like security monitoring. As a result, the hybrid approach is expected to continue to shape the role of AI in security and unlock new business intelligence and operational efficiencies.
A trend that is emerging among businesses is the integration of diverse data for a more comprehensive analysis, transforming safety and security. Experts predict that integrating additional sensory data, such as audio and contextual environmental factors caught on camera, can lead to enhanced situational awareness and greater actionable insights, offering a more comprehensive understanding of events.
Combining multiple data streams can ultimately lead to improved detection and prediction of potential threats or incidents. For example, in emergency scenarios, pairing visual data with audio analysis can enable security teams to respond more quickly and precisely. This context-aware approach can potentially elevate safety, security and operational efficiency, and reflects how system operators can leverage and process multiple data inputs to make better-informed decisions.
According to the Axis report, interviewees emphasised that responsible AI and ethical considerations are critical priorities in the development and deployment of new systems, raising concerns about decisions potentially based on biased or unreliable AI. Other risks highlighted include those related to privacy violations and how facial and behavioural recognition could have ethical and legal repercussions.
As a result, a recurring theme among interviewees was the importance of embedding responsible AI practices early in the development process. Interviewees also pointed to regulatory frameworks, such as the EU AI Act, as pivotal in shaping responsible use of technology, particularly in high-risk areas. While regulation was broadly acknowledged as necessary to build trust and accountability, several interviewees also stressed the need for balance to safeguard innovation and address privacy and data security concerns.
“The findings of this report reflect how enterprises are viewing the trend of AI holistically, working to have a firm grasp of both how to use the technology effectively and understand the macro implications of its usage. Conversations surrounding privacy and responsibility will continue but so will the pace of innovation and the adoption of technologies that advance the video surveillance industry and lead to new and exciting possibilities,” Thulin added.