New Insights into the DevilsTongue Spyware Impacting Journalists, Human Rights Defenders and Politicians


ESET has released its T2 2021 Threat Report, highlighting several concerning trends recorded by ESET telemetry, including increasingly aggressive ransomware tactics, intensifying brute-force attacks, and deceptive phishing campaigns targeting people working from home who have gotten used to performing many administrative tasks remotely.

Ransomware, showing three major detection spikes during T2, saw the largest ransom demands to date. The attack that shut down the operations of Colonial Pipeline, the largest pipeline company in the US, and the supply-chain attack leveraging a vulnerability in the Kaseya VSA IT management software sent shockwaves that were felt far beyond the cybersecurity industry.

Both cases appeared to pursue financial gain rather than cyberespionage, with the perpetrators of the Kaseya attack setting a USD 70 million ultimatum, the heftiest known ransom demand so far.

“Ransomware gangs may have overdone it this time: the involvement of law enforcement in these high-impact incidents forced several gangs to leave the field. The same can’t be said for TrickBot, which appears to have bounced back from last year’s disruption efforts, doubling in our detections and boasting new features,” explains Roman Kováč, chief research officer at ESET. On the other hand, the final shutdown of Emotet at the end of April 2021 saw downloader detections down by half compared to T1 2021 and a reshuffling of the whole threat landscape.

Password-guessing attacks, which often serve as a gateway for ransomware, saw further growth in T2. Between May and August 2021, ESET detected 55 billion new brute-force attacks (+104% compared to T1 2021) against public-facing Remote Desktop Protocol services. ESET telemetry also saw an impressive increase in the average number of daily attacks per unique client, which doubled from 1,392 attempts per machine per day in T1 2021 to 2,756 in T2 2021.

The report's findings also include the highly targeted DevilsTongue spyware (see pages 12 and 13 of the report), which is used to spy on human rights defenders, dissidents, journalists, activists, and politicians, and a new spear phishing campaign by the Dukes APT group, which remains a prime threat to Western diplomats, NGOs, and think tanks. A separate section describes new tools employed by the highly active Gamaredon threat group targeting governmental organizations in Ukraine.

You can read the full report here.