Stealth malware targets European companies


Share post

Hackers are attacking many companies across Europe with stealth malware. ESET researchers have noticed a dramatic increase in so-called AceCryptor attacks via remote access tool (RAT) Rescoms.

Between the first and second half of 2023, the number of detected attacks tripled: 42.000 ESET users worldwide were targeted by cyber criminals and were protected. Companies in Central Europe and Spain were particularly affected. What's new about these attacks: For the first time ever, hackers who used the Rescoms remote access tool (RAT) for attacks resorted to AceCryptor, a camouflage software for malicious programs. The campaigns targeted access data for email and browser accounts from companies in the respective countries, laying the foundation for future attacks.

Stealthy remote access tool attacks

“With this campaign, cybercriminals wanted to gain as much information as possible. To do this, they use 'classic' spam messages, which in many cases were extremely convincing and were even sent from hijacked email accounts,” says ESET researcher Jakub Kaloč, who discovered the latest attack campaign. “Opening attachments from such emails can have serious consequences for companies. We therefore advise you to be careful with emails with attachments and to use reliable security software.”

AceCryptor and Rescoms – Rats with cloaking technology

AceCryptor is a so-called Cryptor-as-a-Service (CaaS). This is software that is intended to protect its payload, usually various malware families, from being identified and combated by security solutions. Various techniques are used for this, e.g. B. Make debugging and analysis by antivirus software more difficult. Last year, ESET looked into AceCryptor and uncovered how the software works.

In the current case, hackers combined the two technologies and sent Rescoms software disguised by AceCryptor to a large number of users in multiple spam email campaigns. Victims who fell for the scam unknowingly installed the remote access software, which the hackers then used to obtain access data. It is unknown whether they collected this data for themselves or sold it to other cybercriminals. What is certain, however, is that a successful compromise opens the door to further attacks, especially ransomware attacks.

Spread via spam emails that look deceptively real

Spam campaigns targeting companies in Poland consisted of emails with very similar subject lines about B2B offers for the victim companies. In order to appear as credible as possible, the attackers researched existing Polish company names in advance as well as the names and contact information of employees and owners, which they provided in their emails. When victims searched for the sender's name online, they found legitimate websites and were more willing to open the malicious attachments.

In parallel to the campaigns in Poland, ESET registered ongoing campaigns in Slovakia, Bulgaria and Serbia. The spam emails here were also written in the local language. In addition, there has also been a wave of spam emails with Rescoms as a payload in Spain.

Hackers' target countries changed throughout 2023

In the first half of 2023, Peru, Mexico, Egypt and Turkey were most affected by malware disguised by AceCryptor. Peru recorded the most attacks with 4.700. The campaign in the second half of the year mainly affected European countries.

AceCryptor samples that ESET examined in the second half of 2023 often contained two malware families as payloads: Rescoms and SmokeLoader, a backdoor that allows cybercriminals to reload additional malware. SmokeLoader was frequently used in cyberattacks in Ukraine. However, in Poland, Slovakia, Bulgaria and Serbia, Rescom's most common payload was AceCryptor.

More at


About ESET

ESET is a European company with headquarters in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 that has already helped over 100 million users enjoy secure technology. The broad portfolio of security products covers all common platforms and offers companies and consumers worldwide the perfect balance between performance and proactive protection. The company has a global sales network in over 180 countries and branches in Jena, San Diego, Singapore and Buenos Aires. For more information, visit or follow us on LinkedIn, Facebook and Twitter.


Matching articles on the topic

Report: 40 percent more phishing worldwide

The current spam and phishing report from Kaspersky for 2023 speaks for itself: users in Germany are after ➡ Read more

BSI sets minimum standards for web browsers

The BSI has revised the minimum standard for web browsers for administration and published version 3.0. You can remember that ➡ Read more

Stealth malware targets European companies

Hackers are attacking many companies across Europe with stealth malware. ESET researchers have reported a dramatic increase in so-called AceCryptor attacks via ➡ Read more

IT security: Basis for LockBit 4.0 defused

Trend Micro, working with the UK's National Crime Agency (NCA), analyzed the unpublished version that was in development ➡ Read more

MDR and XDR via Google Workspace

Whether in a cafe, airport terminal or home office – employees work in many places. However, this development also brings challenges ➡ Read more

Test: Security software for endpoints and individual PCs

The latest test results from the AV-TEST laboratory show very good performance of 16 established protection solutions for Windows ➡ Read more

FBI: Internet Crime Report counts $12,5 billion in damage 

The FBI's Internet Crime Complaint Center (IC3) has released its 2023 Internet Crime Report, which includes information from over 880.000 ➡ Read more

HeadCrab 2.0 discovered

The HeadCrab campaign against Redis servers, which has been active since 2021, continues to successfully infect targets with the new version. The criminals' mini-blog ➡ Read more