Cyber Security
ESET Threat Report Highlights Rising Mobile Malware and Deepfake Scams

ESET’s latest Threat Report, covering December 2023 through May 2024, paints a concerning picture of evolving threats targeting mobile devices and financial information. The report details a surge in Android financial malware, encompassing both traditional banking trojans and newer cryptostealers designed to pilfer cryptocurrency holdings.
One particularly worrying trend involves infostealing malware masquerading as popular generative AI tools. ESET researchers observed malware like Rilide Stealer exploiting names like OpenAI’s Sora and Google’s Gemini to lure unsuspecting victims. Another campaign used a fake Windows desktop app for the AI image generator Midjourney to hide the Vidar infostealer. ESET predicts this tactic of leveraging the AI theme will continue. In addition, new mobile malware GoldPickaxe is capable of stealing facial recognition data to create deepfake videos, which the malware’s operators use to authenticate fraudulent financial transactions.
“GoldPickaxe has both Android and iOS versions and has been targeting victims in Southeast Asia through localized malicious apps. As ESET researchers investigated this malware family, they discovered that an older Android sibling of GoldPickaxe, called GoldDiggerPlus, has also tunnelled its way to Latin America and South Africa by actively targeting victims in these regions,” explains Jiří Kropáč, Director of ESET Threat Detection.
The report also raises the alarm for gamers venturing outside official channels. Cracked video games and cheating tools for online multiplayer games were found to distribute infostealers like Lumma Stealer and RedLine Stealer. RedLine Stealer saw a significant surge in detections during the first half of 2024, surpassing the previous six months by a third.
The report acknowledges the disruption of the LockBit ransomware gang by law enforcement in February 2024. However, ESET telemetry indicates that two recent LockBit campaigns were carried out by separate groups using the leaked LockBit builder.
Finally, the report delves into ESET’s ongoing investigation of the Ebury group, a sophisticated server-side malware campaign targeting Linux, FreeBSD, and OpenBSD servers. As of late 2023, over 100,000 servers remained compromised by Ebury malware, highlighting the long-term threat posed by such campaigns.