ESET Denies Breach After Wiper Malware Campaign Leveraged its Infrastructure
ESET has denied claims of a breach of its systems after security researcher Kevin Beaumont reported a wiper campaign that appeared to leverage ESET's infrastructure.
According to Beaumont's blog post, an employee of an Israeli company was infected after opening a link in an email purportedly sent by ESET's Advanced Threat Defense team in Israel. The email passed both DKIM and SPF validation for ESET's domain, meaning it was sent through infrastructure authorized by the domain owner rather than spoofed, yet Google Workspace still flagged it as dangerous.
The attack, recorded on October 8, targeted cybersecurity professionals in Israel. The lure email warned recipients that they were being targeted by a "state-sponsored" actor, and the malicious file was served from ESET's own servers. Recipients were also invited to join the "ESET Unleashed" program, a name that appears in the company's branding but does not exist as a separate initiative.
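The detail that the lure passed SPF and DKIM is the security-relevant point: a pass tells you the message travelled through a path the domain owner authorized, not that its content is safe. The following Python example, added here and not taken from the article or from ESET or Beaumont, parses an RFC 8601 Authentication-Results header and checks whether SPF or DKIM passed in alignment with the visible From domain. The sample messages, the domains in them, and the simplified two-label organizational-domain rule are all constructed assumptions (real DMARC alignment uses the Public Suffix List).

```python
import email
import email.utils
from email import policy

# Constructed sample messages for the example; not the real lure from the incident.
# Case 1: authenticated mail sent through infrastructure authorized for example.com.
AUTHENTICATED_MSG = """\
Authentication-Results: mx.receiver.test;
 dkim=pass header.d=example.com header.i=@example.com;
 spf=pass smtp.mailfrom=bounces.example.com;
 dmarc=pass header.from=example.com
From: "Advanced Threat Defense" <atd@example.com>
To: analyst@receiver.test
Subject: You are being targeted
Content-Type: text/plain

body
"""

# Case 2: a plain spoof of the same display name with no valid authentication.
SPOOFED_MSG = """\
Authentication-Results: mx.receiver.test;
 dkim=none;
 spf=fail smtp.mailfrom=attacker.test;
 dmarc=fail header.from=example.com
From: "Advanced Threat Defense" <atd@example.com>
To: analyst@receiver.test
Subject: You are being targeted
Content-Type: text/plain

body
"""


def parse_auth_results(value):
    """Parse an Authentication-Results value into {method: (result, {prop: val})}."""
    parts = [p.strip() for p in value.split(";")]
    authserv_id = parts[0]            # the receiving MTA that produced the results
    results = {}
    for part in parts[1:]:
        if not part:
            continue
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = {}
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            props[key] = val
        results[method.lower()] = (result.lower(), props)
    return authserv_id, results


def org_domain(domain):
    """Simplified organizational domain: the last two labels (assumption; DMARC uses the PSL)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def assess(raw_message):
    """Return whether SPF/DKIM passed in alignment with the From: domain."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_addr = email.utils.parseaddr(str(msg["From"]))[1]
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    _, results = parse_auth_results(str(msg["Authentication-Results"]))

    spf_result, spf_props = results.get("spf", ("none", {}))
    dkim_result, dkim_props = results.get("dkim", ("none", {}))

    # Alignment: the authenticated identifier must share the From domain's org domain.
    spf_aligned = (spf_result == "pass"
                   and org_domain(spf_props.get("smtp.mailfrom", "")) == org_domain(from_domain))
    dkim_aligned = (dkim_result == "pass"
                    and org_domain(dkim_props.get("header.d", "")) == org_domain(from_domain))

    return {
        "from_domain": from_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        # True means the sending path was authorized by the domain owner; it says
        # nothing about whether the linked payload is malicious.
        "authorized_sender": spf_aligned or dkim_aligned,
    }


if __name__ == "__main__":
    for label, raw in (("authenticated", AUTHENTICATED_MSG), ("spoofed", SPOOFED_MSG)):
        print(label, assess(raw))
```

In the first case the verdict is "authorized sender", which is exactly the situation the article describes: the only defenses left are content and URL inspection, sandboxing of the downloaded archive, and suspicion of any "you are under attack, download this tool" lure regardless of who appears to have sent it.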
Inside the downloaded archive Beaumont found several legitimate ESET DLLs alongside a malicious setup.exe. He described the program as fake ransomware mimicking the well-known Yanluowang family: it presents itself as ransomware, but files on affected devices were unrecoverable, so the payload is in fact a wiper.
During execution, the malicious code referenced an organization associated with Iron Swords War Day, which commemorates the victims of the October 7, 2023, attack. That reference points toward possible hacktivist involvement.
ESET has denied Beaumont's claim that its Israeli office was breached. The company says the incident affected a partner organization in Israel, that the malicious campaign was blocked within 10 minutes, and that the threat was neutralized with no risk to its customers. ESET added that it is working closely with the partner to investigate and continues to monitor the situation.
The actor behind the activity has not been identified, but the tactics resemble those of the pro-Palestinian group Handala. Trellix researchers previously reported that Handala has been actively deploying wipers against Israeli organizations, with hundreds of incidents recorded in July alone.