At GISEC, ESET will spotlight its latest innovations across threat intelligence, endpoint protection, extended detection and response (XDR), and cloud-native security. At GISEC 2025, ESET’s experts will demonstrate how its AI-driven, multi-layered security architecture empowers organizations to defend against advanced threats in real time, while also building long-term cyber resilience.

ESET’s participation highlights its dedication to supporting digital transformation across the GCC and broader Middle East region. As governments and enterprises continue to adopt cloud, mobile, and hybrid IT infrastructures, ESET’s solutions are enabling secure growth by providing deep visibility, adaptive threat protection, and operational flexibility. The company is also committed to enabling its regional partners through training, local support, and access to advanced tools designed for modern cybersecurity challenges.

Commenting on their involvement, ESET executives emphasized the strategic importance of GISEC in building stronger cybersecurity alliances. “As cyber threats become more sophisticated, collaboration and knowledge-sharing are key,” they said. “GISEC is a valuable platform for us to connect with regional leaders, share our award-winning technologies, and shape a more secure digital ecosystem.”

To this end, ESET is continuing its integration journey with IBM QRadar SIEM. The integration between the ESET PROTECT Platform and IBM QRadar SIEM leverages ESET’s AI-native cybersecurity platform with QRadar’s security information and event management (SIEM) capabilities. This enables threat data from ESET to be ingested by QRadar SIEM, providing visibility, and actionable insights to enhance enterprise security. In one stroke, this addresses challenges in monitoring endpoint activities and identifying threats across multiple parameters in an organization.

ESET understands that such integrations can reduce complexity, while promoting better cyber hygiene, thus, significantly increasing the level of an organization’s security, and upgrading its threat-hunting and incident-response capabilities. This should help security analysts make fast but satisfactory, security decisions, raising the quality and efficiency of their processes. To that end, ESET is also integrating with Microsoft Sentinel, enabling organizations to ingest ESET threat detection data into MS Sentinel for advanced monitoring, analytics, and incident response.

The data connector, developed by ESET, uses REST API to automate the retrieval of detection logs, providing continuous security insights in a centralized platform. This integration reduces manual intervention by automating data transfer, correlating endpoint data with cloud security, and streamlining incident management, which can often be quite complicated. “As customers consolidate their cybersecurity stacks, and demand seamless integrations, ESET delivers exactly what they need. Our AI-native ESET PROTECT Platform, with its powerful detection engine, seamlessly integrates with major SIEM players, Microsoft Sentinel, and IBM QRadar SIEM, to provide extensive visibility into their environments. These integrations offer actionable rapid detection, shifting the focus from slow remediation and complexity to early prevention and enhanced security efficiency. Ultimately, this ensures our customers achieve a more streamlined, effective, and proactive cybersecurity posture,” said Pavol Balaj, Chief Business Officer at ESET.

At the heart of ESET’s offering is ESET PROTECT Enterprise, a cutting-edge solution that has recently been recognized as a Strategic Leader in the AV-Comparatives Endpoint Prevention and Response (EPR) Comparative Report 2024. This marks the fourth consecutive year that ESET has secured this prestigious ranking, underscoring the company’s continuous innovation and leadership in endpoint protection.

ESET PROTECT Enterprise is equipped with ESET Inspect, an extended detection and response (XDR) solution that delivers comprehensive enterprise-grade security with advanced threat-hunting capabilities, detailed network visibility, and rapid incident response. This powerful combination provides businesses with the tools needed to defend against today’s most sophisticated cyber threats, including ransomware, zero-day attacks, and more. Supporting a wide range of platforms – from Windows and macOS to Linux and mobile (Android and iOS) – the solution offers complete cross-platform coverage for a seamless security experience.

As ESET continues to expand its footprint in the Middle East, Saudi Arabia is increasingly central to its strategic growth in the region. The Kingdom’s growing digital transformation, paired with its ambitious Vision 2030 objectives, creates a pressing need for advanced cybersecurity measures to safeguard businesses and government entities alike.

“Saudi Arabia is an incredibly important market for ESET as we continue to expand our presence in the Middle East,” said Demes Strouthos, General Manager at ESET for the Middle East. “With its rapid digitalization and focus on becoming a global hub for innovation and technology, Saudi Arabia represents both a significant opportunity and responsibility. We’re excited to be here at Black Hat MEA 2024 to highlight our latest solutions and showcase how our advanced security technologies are enabling businesses across the region to stay ahead of evolving cyber threats.”

ESET’s participation at Black Hat MEA 2024 reflects the company’s commitment to providing world-class cybersecurity solutions tailored to the needs of enterprises and government organizations in the Middle East. Senior management from ESET will be available at H1-T118 to engage with industry leaders, security experts, and customers during the event to drive greater awareness around the importance of proactive threat detection and response.

Authentication mechanisms are a vital aspect of cybersecurity deserving adequate protection, but increasing complexity makes them an easier target. Since American computer scientist Fernando José Corbató created the first password-based authentication in the 1960s, passwords have been an integral part of IT security all over the world.

But while the principle of using a string of characters unknown to others remains the same, the world of computing has become exponentially more complex, where an average person now has 168 passwords out of which 87 are business-related. This causes headaches not only for average users but also for IT admins who handle the secure authentication needs of hundreds if not thousands of employees within their companies who work with a number of applications and devices.

Beloved targets
Credentials are among cybercriminals’ most beloved attack vectors. According to the Verizon 2024 Data Breach Investigations Report, 77% of basic web Application Attacks involved stolen credentials, 21% of them were the result of brute force (usually easily guessable passwords), and 13% of those attacks exploited vulnerabilities.

The authors of this report also highlighted the fact that over the past 10 years, stolen credentials have appeared in almost one-third (31%) of all analyzed breaches, making credentials a core component of compromising organizations.

Globally, over 80% of respondents experienced a cyber breach due to authentication vulnerabilities in 2023, and the consequences could be detrimental. In 2023, the FBI received 7,333 complaints about personal data breaches involving a leak or the abuse of personal data. The cumulative loss of these breaches reached over $109,000,000.

There is no surprise that the importance of password security is widely recognized and can be seen, for example, among polled small and medium-sized businesses (SMEs) in the U.S., U.K., and France in JumpCloud’s 2023 Flexibility and Ingenuity Survey. The survey shows that 64% of SMEs use an organization-wide password management tool or software, and 10% plan to implement one this year. For those who don’t use password management, cost is the biggest factor.

When a security practice becomes an attack vector
But there’s also another aspect to password security. Having a robust cybersecurity solution including multi-factor authentication (MFA) is great, but at the same time, it creates new challenges for both users and IT admins. The problem among users is that they can become so irritated by repeating MFA authentication requests that they lose their vigilance. And there are already cases of MFA fatigue attacks proving that.

At the beginning of an MFA fatigue attack or an MFA bombing, attackers need to obtain targets’ credentials via phishing, brute force, password spraying, etc. Once the targets’ credentials are stolen, attackers start to bombard them with 2FA push notifications in the hope that they will click on “accept,” and thus authorize the attackers’ login attempts, at least once.

On the other hand, IT admins, already struggling with portal and alert fatigue, have gained new responsibilities related to MFA system administration, such as update or alert management. That is why, for example, the Canadian Centre for Cyber Security advises balancing overall user experience and security protection to maximise security and minimise disruptions.

Here are some other pieces of advice on improving user experience and reducing the burden on IT resources:

1. Run both an awareness campaign and training to educate users.
2. Allow users the flexibility to use different types of factors, where possible, such as security keys, biometrics, or PIN.
3. Give users the possibility to provide feedback on their MFA experience.
4. Implement MFA with a single sign-on (SSO) application to automatically log authorised users into their connected accounts.
5. Provide users with a backup MFA factor and set up an easy way to reset them on their own in case their primary factor is lost, unavailable, or compromised.
6. Monitor MFA events and check authentication reports to detect anomalous login activities.
7. Allow users the ability to disassociate a lost or stolen device/security key from their account.

Less maintenance, more protection
Secure authentication is a vital aspect of cybersecurity but can also easily get on one’s nerves. Repeated authentication, changing passwords, and doing it on several applications can lead to users’ MFA fatigue and simultaneously drain the IT staff administrating it. And it’s not only about keeping users and IT admins happy but also securing businesses that can be endangered by MFA fatigue. With the right authentication service, businesses can increase automation and reduce maintenance duties for IT admins, thus increasing their resilience against credential-based attacks.

This was achieved by relaying near field communication (NFC) data from the victims’ physical payment cards, via their compromised Android smartphones, by using the NGate Android malware, to the attacker’s device. The attacker then used this data to perform ATM transactions. If this method failed, the attacker had a fallback plan to transfer funds from the victims’ accounts to other bank accounts.

“We haven’t seen this novel NFC relay technique in any previously discovered Android malware. The technique is based on a tool called NFCGate, designed by students at the Technical University of Darmstadt, Germany, to capture, analyze, or alter NFC traffic; therefore, we named this new malware family NGate,” says Lukáš Štefanko, who discovered the novel threat and technique.

Victims downloaded and installed the malware after being deceived into thinking they were communicating with their bank and that their device was compromised. In reality, the victims had unknowingly compromised their own Android devices by previously downloading and installing an app from a link in a deceptive SMS message about a potential tax return. It’s important to note that NGate was never available on the official Google Play store.

NGate Android malware is related to the phishing activities of a threat actor that has operated in Czechia since November 2023. However, ESET believes these activities were put on hold following the arrest of a suspect in March 2024. ESET Research first noticed the threat actor targeting clients of prominent Czech banks starting at the end of November 2023. The malware was delivered via short-lived domains impersonating legitimate banking websites or official mobile banking apps available on the Google Play store. These fraudulent domains were identified through the ESET Brand Intelligence Service, which provides monitoring of threats targeting a client’s brand. During the same month, ESET reported the findings to its clients.

The attackers leveraged the potential of progressive web apps (PWAs), as ESET reported in a previous publication, only to later refine their strategies by employing a more sophisticated version of PWAs known as WebAPKs. Eventually, the operation culminated in the deployment of NGate malware. In March 2024, ESET Research discovered that NGate Android malware became available on the same distribution domains that were previously used to facilitate phishing campaigns delivering malicious PWAs and WebAPKs. After being installed and opened, NGate displays a fake website that asks for the user’s banking information, which is then sent to the attacker’s server.

In addition to its phishing capabilities, NGate malware also comes with a tool called NFCGate, which is misused to relay NFC data between two devices – the device of a victim and the device of the perpetrator. Some of these features only work on rooted devices; however, in this case, relaying NFC traffic is possible from non-rooted devices as well. NGate also prompts its victims to enter sensitive information like their banking client ID, date of birth, and the PIN code for their banking card. It also asks them to turn on the NFC feature on their smartphones. Then, victims are instructed to place their payment card at the back of their smartphone until the malicious app recognizes the card.

In addition to the technique used by the NGate malware, an attacker with physical access to payment cards can potentially copy and emulate them. This technique could be employed by an attacker attempting to read cards through unattended purses, wallets, backpacks, or smartphone cases that hold cards, particularly in public and crowded places. This scenario, however, is generally limited to making small contactless payments at terminal points.

“Ensuring protection from such complex attacks requires the use of certain proactive steps against tactics like phishing, social engineering, and Android malware. This means checking URLs of websites, downloading apps from official stores, keeping PIN codes secret, using security apps on smartphones, turning off the NFC function when it is not needed, using protective cases, or using virtual cards protected by authentication,” advises Štefanko.

The phishing websites targeting iOS instruct victims to add a Progressive Web Application (PWA) to their home screens, while on Android, the PWA is installed after confirming custom pop-ups in the browser. At this point, on both operating systems, these phishing apps are largely indistinguishable from the real banking apps that they mimic. PWAs are essentially websites bundled into what feels like a stand-alone application, with this feeling being enhanced by the use of native system prompts. PWAs, just like websites, are cross-platform, which explains how these PWA phishing campaigns can target both iOS and Android users. The novel technique was observed in Czechia by ESET analysts working on the ESET Brand Intelligence Service, which provides monitoring of threats targeting a client’s brand.

“For iPhone users, such an action might break any ‘walled garden’ assumptions about security,” says ESET researcher Jakub Osmani, who analyzed the threat. ESET analysts’ discovery of a series of phishing campaigns, targeting mobile users, used three different URL delivery mechanisms. These mechanisms include automated voice calls, SMS messages, and social media malvertising. The voice call delivery is done via an automated call that warns the user about an out-of-date banking app and asks the user to select an option on the numerical keyboard.

After the correct button is pressed, a phishing URL is sent via SMS, as was reported in a tweet. Initial delivery by SMS was performed by sending messages indiscriminately to Czech phone numbers. The message sent included a phishing link and text to socially engineer victims into visiting the link. The malicious campaign was spread via registered advertisements on Meta platforms like Instagram and Facebook. These ads included a call to action, like a limited offer for users who “download an update below.”

After opening the URL delivered in the first stage, Android victims are presented with two distinct campaigns, either a high-quality phishing page imitating the official Google Play store page for the targeted banking application, or a copycat website for that application. From here, victims are asked to install a “new version” of the banking app.

The phishing campaign and method are possible only because of the technology of progressive web applications. In short, PWAs are applications built using traditional web application technologies that can run on multiple platforms and devices. WebAPKs could be considered an upgraded version of progressive web apps, as the Chrome browser generates a native Android application from a PWA: in other words, an APK. These WebAPKs look like regular native apps. Furthermore, installing a WebAPK does not produce any of the “installation from an untrusted source” warnings. The app will even be installed if installation from third-party sources is not allowed.

One group used a Telegram bot to log all entered information into a Telegram group chat via the official Telegram API, while another used a traditional Command & Control (C&C) server with an administrative panel. “Based on the fact that the campaigns used two distinct C&C infrastructures, we have determined that two separate groups were operating the PWA/WebAPK phishing campaigns against several banks,” concludes Osmani. Most of the known cases have taken place in Czechia, with only two phishing applications appearing outside of the country (specifically in Hungary and Georgia).

The malware introduces more vulnerabilities and leaves the system open to even more dangerous threats. An attacker with a non-privileged account could leverage the vulnerable driver to obtain SYSTEM privileges or inject libraries into remote processes to cause further damage, all while using a legitimate and signed driver. At the end of 2023, ESET researchers stumbled upon an installer named “HotPage.exe” that deploys a driver capable of injecting code into remote processes, and two libraries capable of intercepting and tampering with browsers’ network traffic. The installer was detected by most security products as an adware component.

What stood out to ESET researchers was the embedded driver signed by Microsoft. According to its signature, it was developed by a Chinese company named Hubei Dunwang Network Technology Co., Ltd. “The lack of information about the company was intriguing. The distribution method is still unclear, but according to our research, this software was advertised as an internet café security solution aimed at Chinese-speaking individuals. It purports to improve the web browsing experience by blocking ads and malicious websites, but the reality is quite different — it leverages its browser traffic interception and filtering capabilities to display game-related ads. It also sends some information about the computer to the company’s server, most likely to gather installation statistics,” explains ESET researcher Romain Dumont, who discovered the threat.

According to available information, the business scope of the company includes technology-related activities such as development, services, and consulting – but also advertising activities. The principal shareholder is currently Wuhan Yishun Baishun Culture Media Co., Ltd., a very small company that specialises in advertising and marketing. Due to the level of privileges needed to install the driver, the malware might have been bundled with other software packages or advertised as a security product.

Using Windows’ notification callbacks, the driver component monitors new browsers or tabs being opened. Under certain conditions, the adware will use various techniques to inject shellcode into browser processes to load its network-tampering libraries. Using Microsoft’s Detours hooking library, the injected code filters HTTP(S) requests and responses. The malware can replace the content of the current page, redirect the user, or simply open a new tab to a website full of gaming ads. On top of its obvious mischievous behaviour, this kernel component leaves the door open for other threats to run code at the highest privilege level available in the Windows operating system: the SYSTEM account.

Due to improper access restrictions to this kernel component, any process can communicate with it and leverage its code injection capability to target any non-protected processes. “The HotPage driver reminds us that abusing Extended Verification certificates is still a thing. As a lot of security models are at some point based on trust, threat actors are inclined to play along the line between legitimate and shady. Whether such software is advertised as a security solution or simply bundled with other software, the capabilities granted thanks to this trust expose users to security risks,” adds Romain.

ESET reported this driver to Microsoft in March 2024 and followed their coordinated vulnerability disclosure process. ESET technologies detect this threat — which Microsoft removed from the Windows Server Catalog on May 1, 2024 — as Win{32|64}/HotPage.A and Win{32|64}/HotPage.B.

One particularly worrying trend involves infostealing malware masquerading as popular generative AI tools. ESET researchers observed malware like Rilide Stealer exploiting names like OpenAI’s Sora and Google’s Gemini to lure unsuspecting victims. Another campaign used a fake Windows desktop app for the AI image generator Midjourney to hide the Vidar infostealer. ESET predicts this tactic of leveraging the AI theme will continue. Infostealing malware can now be found impersonating generative AI tools, and new mobile malware GoldPickaxe is capable of stealing facial recognition data to create deepfake videos used by the malware’s operators to authenticate fraudulent financial transactions.

“GoldPickaxe has both Android and iOS versions and has been targeting victims in Southeast Asia through localized malicious apps. As ESET researchers investigated this malware family, they discovered that an older Android sibling of GoldPickaxe, called GoldDiggerPlus, has also tunnelled its way to Latin America and South Africa by actively targeting victims in these regions,” explains Jiří Kropáč, Director of ESET Threat Detection.

The report also raises the alarm for gamers venturing outside official channels. Cracked video games and cheating tools for online multiplayer games were found to distribute info stealers like Lumma Stealer and RedLine Stealer. RedLine Stealer saw a significant surge in detections during the first half of 2024, surpassing the previous six months by a third.

The report acknowledges the disruption of the LockBit ransomware gang by law enforcement in February 2024. However, ESET telemetry indicates that two recent LockBit campaigns were carried out by separate groups using the leaked LockBit builder.

Finally, the report delves into ESET’s ongoing investigation of the Ebury group, a sophisticated server-side malware campaign targeting Linux, FreeBSD, and OpenBSD servers. As of late 2023, over 100,000 servers remained compromised by Ebury malware, highlighting the long-term threat posed by such campaigns.

Unlike other vendor offerings and typical generative AI assistants that focus on soft features like administration or device management, ESET AI Advisor seamlessly integrates into the day-to-day operations of security analysts, conducting in-depth analysis. Building on over two decades of ESET’s expertise in AI-driven endpoint protection, the offering provides detailed incident data and SOC team-level advisory. This is a game-changer for companies with limited IT resources who want to utilize the advantages of advanced Extended Detection and Response (XDR) solutions and threat intelligence feeds.

“As cybersecurity threats become increasingly sophisticated, ESET remains committed to providing cutting-edge solutions that address these challenges. The ESET AI Advisor module represents a significant leap forward in our mission to close the cybersecurity skills gap and empower organizations to safeguard their digital assets effectively,” said Juraj Malcho, Chief Technology Officer at ESET.

One of the primary benefits of this new solution is closing the cybersecurity skills gap. Security analysts of all skill levels can use ESET AI Advisor to conduct interactive risk identification, analysis, and response capabilities, which are provided in an easily understandable format. The user-friendly interface makes sophisticated threat data actionable even for less experienced IT and security professionals.

The ESET AI Advisor also excels in facilitating faster decision-making for critical incidents. Security analysts can simply consult the ESET AI Advisor to understand the specific threats their environment faces. Leveraging extensive XDR collected data, the ESET AI Advisor identifies and analyzes potential malware threats, providing intuitive insights into their behaviour and impact. It assists in recognizing phishing attempts and advising users on how to avoid falling victim to fraudulent emails or websites. By monitoring network traffic, the ESET AI Advisor can flag unusual or suspicious behaviour, helping security teams take appropriate action. Its ability to automate repetitive tasks is an additional advantage. Managing routine processes such as data collection, extraction, and basic threat detection, allows security teams to focus on more strategic initiatives.

In ESET Threat Intelligence, the new module will help researchers analyze vast quantities of unique APT reports and understand latest developments in world of cyber threats. With its conversational prompts and interactive dialogue, ESET AI Advisor empowers organizations to analyze and mitigate threats effortlessly and fortify their cybersecurity posture.

Back in 2014, LEGO fans started noticing that some new reddish-brown bricks were brittle and more susceptible to breaking. The issue, known as “brittle brown,” was quite clear — even one faulty brick could spoil the whole impression of a finished build. Being known for maintaining top-quality standards globally, the LEGO Group announced that they fixed the issue a few years later.

In the Managed Service Providers (MSP) market, just like with a building set, every brick matters. It’s not only about IT, cybersecurity, human resources, supply chain, or marketing; all these things need to be put in place to create a successful MSP business.

Being a global leader in cybersecurity, ESET understands that MSPs are like a complicated building structure in which all bricks support one another. That is why the ESET MSP program is designed to be flexible while covering various MSP business needs to maintain a long, fruitful partnership.

A lesson on success from LEGO: Persistence
Some key aspects of LEGO’s success is their persistence in delivering high-quality products to a market that was heavily affected by the rise of computer games and increasingly sophisticated toys, along with LEGO’s partnerships with other recognizable brands.

With ongoing cloudification, outsourcing, compliance issues, and evolution of the cyber-threat landscape, it is no surprise that the Managed Services market is growing. For example, the Datto Global State of the MSP Report: Trends and Forecasts for 2024 found that 68% of MSPs in North America experienced a revenue increase in 2023.

According to Kaseya’s 2024 MSP Benchmark Report, 73% of MSP respondents stated that cybersecurity is a top revenue driver for their businesses, and at the same time, 78% of respondents consider cybersecurity a top IT challenge for their customers.
This MSP business success and the dynamic market growth require being on top of the latest threats, increased competition, or hiring complications. Further, MSPs deal with the question of how to make their growing and increasingly complicated businesses easier to operate.

Sticking together
Keeping all these aspects of the MSP business in mind, ESET created an MSP program and ecosystem that minimizes daily operations and enables users to provide trusted, top-rated security to their customers.

“What we see with ESET is a really low volume of tickets that require human involvement. The ESET solution is super lightweight. I like to think ESET was born and built by gamers who didn’t want pop-ups to interrupt their games many years ago. As the solutions evolved over the years, additional layers of security have all been built on top, but the actual product installed on the device is still incredibly lightweight,” said Andrew Owens, Head of Sales, Risc IT Solutions.

The main pillars of the ESET MSP program:
Leading cybersecurity technology –ESET Protect offers multilayered security technology combining machine learning, AI, a cloud reputation system, and human expertise. With ESET PROTECT, MSPs can offer flexible subscription solutions, providing security for all major platforms.

• Flexibility – With daily billing and monthly invoicing, customers pay for what they really use: no flat rates, with no long-term commitment. Flexible management allows users to upgrade subscriptions and adjust seat counts on their own.
• Unified ecosystem – With ESET’s cloud-first ESET PROTECT platform, users have a complete overview of all their clients from a single pane of glass, allowing them to see and manage clients in one place.
• Automation – ESET PROTECT Platform automation features, such as Dynamic Groups, were designed to save IT admins time and help them avoid portal fatigue.
• Integrations – ESET actively cooperates with the major Remote Monitoring and Management (RMM) and Professional Services Automation (PSA)players to create best-of-breed, in-depth integrations.

Grow with ESET
It is always a pleasure seeing a LEGO set grow in front of the builder’s eyes. The same is true for ESET seeing its partners progress and succeed. ESET sees MSPs as a whole, tailoring its solutions to meet market needs and making sure that every aspect of this business is covered. As a partner, ESET can make sure that all your bricks are supporting one another.