Cybersecurity Cloud & Data

ESET Research uncovers new cyberespionage group Worok targeting companies, govts in Asia

ESET researchers recently discovered targeted attacks that used undocumented tools against various high-profile companies and local governments mostly in Asia, but also in the Middle East and Africa. These attacks were conducted by a previously unknown cyberespionage group that ESET has named Worok. According to ESET telemetry, Worok has been active since at least 2020 and continues to be active today. Among the targets were companies from the telecommunications, banking, maritime, energy, military, government, and public sectors. Worok used the infamous ProxyShell vulnerabilities to gain initial access in some cases.

We believe the malware operators are after information from their victims because they focus on high-profile entities in Asia and Africa, targeting various sectors, both private and public, but with a specific emphasis on government entities

“We believe the malware operators are after information from their victims because they focus on high-profile entities in Asia and Africa, targeting various sectors, both private and public, but with a specific emphasis on government entities,” says ESET researcher Thibaut Passilly who discovered Worok.

Back in late 2020, Worok was targeting governments and companies in multiple countries, specifically:

  • A telecommunications company in East Asia

  • A bank in Central Asia

  • A maritime industry company in Southeast Asia

  • A government entity in the Middle East

  • A private company in southern Africa

There was a significant break in observed operations from May 2021 to January 2022, but Worok activity returned in February 2022, targeting:

  • An energy company in Central Asia

  • A public sector entity in Southeast Asia

Worok is a cyberespionage group that develops its own tools and leverages existing tools to compromise its targets. The group’s custom toolset includes two loaders, CLRLoad and PNGLoad, and a backdoor, PowHeartBeat.

CLRLoad is a first-stage loader that was used in 2021, but in 2022 was replaced, in most cases, by PowHeartBeat. PNGLoad is a second-stage loader that uses steganography to reconstruct malicious payloads hidden in PNG images.


 Read more: The Rise of RaaS: With Conti attacking Costa Rica govt vulnerability is in the limelight


PowHeartBeat is a full-featured backdoor written in PowerShell, obfuscated using various techniques such as  compression, encoding, and encryption. This backdoor has various capabilities, including command/process execution and file manipulation. For example, it is capable of uploading files to and downloading files from compromised machines; returning file information such as the path, length, creation time, access times, and content to the command and control server; and deleting, renaming, and moving files.

“While our visibility at this stage is limited, we hope that putting the spotlight on this group will encourage other researchers to share information about this group,” adds Passilly.

More technical information about Worok is available in the blogpost Worok: the big picture on WeLiveSecurity.

Navanwita Bora Sachdev

Navanwita is the editor of The Tech Panda who also frequently publishes stories in news outlets such as The Indian Express, Entrepreneur India, and The Business Standard

Recent Posts

AI Launches: Cybersecurity, AI Agents, product specs, business operating system, automobile, consumer & MSME lending, cloud, data streaming

The Tech Panda takes a look at recent launches in the superfast field of Artificial…

9 hours ago

As India’s tech sector on track to surpass $300 billion, CEO of Ness shares insights into AI’s important role 

The tech sector in India has been going from strength to strength in recent years.…

13 hours ago

Unknown & uncontrolled machine identities within organizations leading to emergence of new identity security challenges

Experts are saying that organizations are inadvertently creating a new identity-centric attack surface through growing…

13 hours ago

Outbound & inbound: India attracts businesses from US & Singapore while expanding to UAE, Europe & Philippines

The Tech Panda takes a look at how India has been attracting foreign businesses from…

2 days ago

The death of paper records: Will AI-driven EHRs eliminate medical errors?

Patient records have long been a collection of handwritten notes, prescription slips, and test results,…

2 weeks ago

The future of contactless hospitality: Balancing convenience with personalization

The fast pace development of the hospitality industry will result in contactless technology adoption, where…

2 weeks ago