“Many years ago, there used to be quite a clear distinction: the APTs were the sophisticated and advanced ones, and the cybercriminals were going after the low-hanging fruit. But today, that’s no longer the case. The financially motivated groups have learned from the more sophisticated APTs, and in many cases even surpass them.
“What that means for the targets of these attacks is that the defenses have to step up.”
In an exclusive interview with Expert Insights at ESET World 2025 in Las Vegas, Robert Lipovsky and Jakub Souček discuss the latest threat research and intelligence from ESET, what it tells us about the adversaries that organizations are currently facing, and how security teams can use that information to prevent breaches.
Note: This interview has been edited for clarity.
You can also listen to this conversation over on the Expert Insights Podcast.
Q. ESET’s latest threat research provides a unique window into adversary tactics. What are some of the most concerning trends you’re seeing in cyber threats today?
Lipovsky: For a long time, we’ve had the nation-state sponsored APT groups doing cyber espionage, sometimes cyber sabotage, and then on the other end of the spectrum we have cyber criminals that are financially motivated. There are other motivations as well, but I would say these are probably the main ones.
Many years ago, there used to be quite a clear distinction: the APTs were the sophisticated and advanced ones, and the cybercriminals were mass spreading, going after the low-hanging fruit. But today, that’s no longer the case. So that’s the trend, in my opinion; the financially motivated groups have learned from the more sophisticated APTs, and in many cases even surpass them.
What that means for the targets of these attacks is that the defenses have to step up. Another thing is that, in the past, the financially motivated threats worried everyone because they were indiscriminate, going anywhere where the money was. And the big APTs were going after critical infrastructure, the largest of enterprises and government organizations. But with these boundaries between those motivations diminishing and overlapping, a lot of these attackers are going after smaller companies. So, SMBs are not “safe” from those groups that maybe a decade or two ago didn’t really go after them.
Q. The research that ESET has released this week really exemplifies those points, particularly around the Ransomware-as-a-Service gang RansomHub, and the FamousSparrow Group. I’d like to focus on RansomHub first—Jakub, could you tell us a little bit about your findings that linked multiple ransomware gangs, and what that tells us about the current ransomware ecosystem?
Souček: RansomHub were, unfortunately, very successful in attracting a lot of “affiliates”, as we call them in the Ransomware-as-a-Service ecosystem, to work with them and to form a sort of alliance. This happened very quickly since they emerged in February. They’ve also targeted a significant number of victims since then, at a constantly rising rate.
More established gangs, like the ones that we were able to find the links to, such as BianLian or Play, actually saw an opportunity to… I don’t really want to say work with, but kind of utilize the tooling that RansomHub offers their affiliates in their own attacks.
The reason why I don’t want to say work with is because organizations like BianLian and Play operate under what we refer to as a “closed” Ransomware-as-a-Service model. The difference between this and the typical Ransomware-as-a-Service model is that the closed groups don’t look to expand. So, they don’t have these public forum advertisements where they offer a percentage to new affiliates to lure them and expand the operation. Instead, they are basing the relations that they have within the group on long-term trust. And these closed groups are not really expected to be working with the open ones.
The fact that affiliates work for multiple open Ransomware-as-a-Service groups is very common knowledge, that is nothing new. So, the fact that we found connections to these closed groups is interesting.
In the case of BianLian, they were utilizing an EDR killer, which is malware designed to somehow disrupt the security solution. We saw this being deployed very shortly before an encryption. The weird thing is that BianLian focuses on extortion-only attacks, so they don’t really encrypt; they only steal the data.
In terms of Play, they are a long-known gang and they go as far as to publicly state on their site that they are not working as Ransomware-as-a-Service and never were. But our discovery draws some shadows over that and sheds some interesting light on some of their connections.
Q. ESET’s research team also discovered that the FamousSparrow APT group has been conducting cyberespionage attacks on the US financial sector. These attacks constituted considerable progress over previous iterations. What does this tell us about threat actors’ tools and techniques?
Lipovsky: I’m sure you’ve heard about the Salt Typhoon telco hacks that have been all over the news, especially here in the US, since the news broke in September. In one of those early articles, it was claimed that ESET tracks Salt Typhoon as FamousSparrow, and that this group is also what Kaspersky tracks as GhostEmperor. But the problem is that no indicators or clues were published to prove those links. Based on the data that we have, we track GhostEmperor and FamousSparrow separately, but there may be some loose links between these. So, we’re not saying that FamousSparrow is Salt Typhoon, but it appears that there is some connection.
The group is conducting cyber espionage and they carefully choose their targets. When we saw the first activity by FamousSparrow in 2019, they had a quite diverse target group, both geographically and in terms of industry verticals. It seemed like they were going after organizations with sensitive data, for example about their customers. In that sense, Salt Typhoon targeting the telcos aligns nicely, because of the metadata, call records, and other sensitive data they could access. The technical indicators to prove those connections just haven’t been made public, so we can’t confirm or deny them.
Over the years, FamousSparrow significantly improved their arsenal. When we compare their tooling, we’re clustering the activity around their main signature backdoor, which we’re calling “SparrowDoor.” The versions that we’ve seen in this latest incident are clearly based on those earlier versions, but they have been improved in various different ways. There are actually two different versions being developed simultaneously! One is geared more towards efficiency; the other one is geared more towards stealth.
A lot of this research is investigative, like detective work. That’s why I keep talking about those missing technical indicators, because that’s what we go on when we make these attribution claims. We look at the activity clusters and we attribute them to the APT groups that we’re tracking.
Q. Threat intelligence such as this is a crucial component of cybersecurity strategy, but many teams struggle when it comes to actually applying it. How can organizations effectively translate threat intelligence into actionable defenses?
Lipovsky: That’s a really good question. It really depends on the organization, how large they are, which types of threats are relevant to them, and whether they have the ability to ingest and then take action on those indicators that we push in.
So, what we try to do is tailor the solution to the needs of the organization.
It doesn’t make sense for a small SMB to ingest these types of things if they’re not able to turn it into something useful. And not every small company can run their own SOC. For those organizations, we offer MDR services.
Q. Another challenge that security teams struggle with is information overload. With so many threats and alerts to track, how can teams prioritize the most critical risks?
Lipovsky: When specifically focusing on EDR, information overload can manifest itself in being flooded with a bunch of alerts and leading to “alert fatigue”. We have something that we call “incident creator” that’s augmented by AI, which clusters the intrusions and just gives you one incident notification to address. Then, if you want to go into more granular detail, you can.
But when it comes to the threat intelligence that we’re sharing, we really try hard to separate the wheat from the chaff. We make sure that the indicators are active, and we focus more on the quality of the data rather than the quantity.
Souček: In the reports themselves, even in the wording, we focus on making it very easy to quickly understand what the main point of that specific report is, and why we think it’s dangerous. We also try to offer very brief and straightforward advice. This means the ones who are interested in more detail can access that, but the ones who either are not that interested in the details or simply don’t have the time to go through all that, still get the key, relevant information.
Q. Looking ahead, and based on what we’ve been discussing today, what key security trends do you predict will define the cybersecurity landscape in the next 2 years?
Lipovsky: Going back to what I said at the beginning about the boundaries blurring and organizations of all sizes being targeted by various threats, even threats that they have not been targeted by in the past, I expect that to continue.
We are definitely going to see improvements in the ways that various threats and malware are spreading.
And, this is nothing new, phishing, spear phishing, and social engineering attacks will continue to be much more prevalent than sophisticated software vulnerability exploits. And those are going to be much more improved by AI, by large language models. In the last two years, phishing has evolved to be on a whole other level than it was five years ago. And moving forward, it’s going to continue improving, particularly with deepfakes.
These are going to be the main challenges for the near future.
Q. Finally, what proactive strategies do you recommend for security teams that want to stay ahead of emerging threats?
Lipovsky: It sounds like a cliche, but education is key. And that applies universally to individuals, consumers, organizations, and employees. And of course, the standard stuff always applies, implementing 2FA and backups, and so on. I’m really not inventing the wheel here, but just follow the advice that we’ve been repeating all along.
Souček: Building on top of that, I think that sometimes when companies try to design their defenses, they think, “Okay, so it’s all zero days, it’s all highly sophisticated attacks,” but this is not the reality. The vast majority of the cyber threat field, as Robert mentioned in the beginning, is not super highly skilled threat actors; they are the mediocre ones, and they may even go for vulnerabilities that were patched several years ago. So, just having the proper patch management in place may save you against a huge portion of those threats.
It’s not nothing or everything; anything that you do helps! Don’t be the low-hanging fruit.
Thank you to Robert Lipovsky and Jakub Souček for taking part in this interview. You can find out more about ESET’s threat intelligence services via their website.
Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions with confidence.