Big shifts in the infostealer scene, novel attack vector against iOS and Android, and a massive surge in investment scams on social media
# Incident Report: H2 2024 Threat Landscape Shifts (Infostealers, Mobile Vectors, Nomani Scams)
## Executive Summary
The second half of 2024 saw significant turbulence in the cyber threat landscape, highlighted by a change at the top of the infostealer rankings (Formbook displacing Agent Tesla as the most-detected family) and by the law enforcement takedown of Redline Stealer and Meta Stealer (Operation Magnus, October 2024). A novel attack vector emerged against both iOS and Android: phishing sites that get a look-alike app installed directly from the mobile browser, with no app store listing or review. At the same time, the investment scams ESET tracks under the detection name HTML/Nomani surged across social media platforms.
## Incident Details
- **Discovery Date:** Based on H2 2024 telemetry (Report published Feb 28, 2025)
- **Incident Date:** Primarily H2 2024
- **Affected Organization:** Not specified (General threat landscape report)
- **Sector:** All sectors; High impact on individuals and businesses due to infostealers and financial fraud.
- **Geography:** Global (Based on telemetry data)
## Timeline of Events
### Initial Access
- **Date/Time:** H2 2024
- **Vector:** A newly observed mobile vector in which a website reached from a phishing message or malicious ad prompts the user to install the page as an app straight from the mobile browser, on both iOS and Android, bypassing the app stores. Established infostealers continue to arrive through the usual channels (phishing attachments, malicious downloads).
- **Details:** The technique abuses a legitimate browser capability (installing a web app to the home screen) rather than an OS vulnerability. The resulting "app" is a browser-hosted wrapper around the attacker's site; it carries whatever name and icon the site's manifest declares, and once launched it hides the address bar, so the victim no longer sees the real domain.
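The browser-install vector described above is driven by the site's web app manifest: the manifest supplies the name, icon and `display` mode the installed "app" will have. The following triage script, an added example rather than code from the ESET report, scores a manifest fetched from a suspicious mobile landing page for the signs that a brand impersonator would leave behind. The brand list, page URLs and manifests are constructed placeholders, and the weights and threshold are the author's own choice.

```python
"""Triage a web app manifest served by a suspicious mobile landing page.

Added example, not from the ESET report.  Sample brand list, page URLs and
manifests below are constructed; weights and the verdict threshold are the
example's own assumptions.
"""
from urllib.parse import urljoin, urlsplit

# Constructed placeholder: brands the analyst protects and the origins they own.
PROTECTED_BRANDS = {
    "example bank": {"https://www.example-bank.test"},
}


def origin(url: str) -> str:
    """Return scheme://host[:port] of a URL, lower-cased, for origin comparison."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def triage_manifest(page_url: str, manifest: dict) -> dict:
    """Score a manifest for browser-install impersonation indicators."""
    reasons = []
    score = 0
    page_origin = origin(page_url)
    label = f"{manifest.get('name', '')} {manifest.get('short_name', '')}".lower()

    # 1. A chrome-less presentation hides the address bar once the "app" is
    #    launched, so the victim never sees the real domain again.
    display = manifest.get("display", "browser")
    if display in ("standalone", "fullscreen", "minimal-ui"):
        reasons.append(f"display={display} hides the URL bar after install")
        score += 1

    # 2. Brand impersonation: a protected brand name in the manifest while the
    #    page is served from an origin that brand does not own.
    for brand, owned in PROTECTED_BRANDS.items():
        if brand in label and page_origin not in {origin(o) for o in owned}:
            reasons.append(f"name {manifest.get('name')!r} used on {page_origin}, "
                           f"which does not belong to {brand}")
            score += 5

    # 3. start_url resolved against the page normally stays on the same origin.
    start = urljoin(page_url, manifest.get("start_url", "/"))
    if origin(start) != page_origin:
        reasons.append(f"start_url resolves off-origin to {origin(start)}")
        score += 3

    # 4. Icons hot-linked from another site are typical when a legitimate
    #    manifest was copied wholesale from the real brand.
    for icon in manifest.get("icons", []):
        src = urljoin(page_url, icon.get("src", ""))
        if origin(src) != page_origin:
            reasons.append(f"icon {icon.get('src')} loaded from {origin(src)}")
            score += 2

    verdict = "suspicious" if score >= 5 else "benign"
    return {"score": score, "verdict": verdict, "reasons": reasons}


# Constructed sample: a look-alike domain reusing the real brand's name and icon.
PHISHING_PAGE = "https://secure-login-examplebank.test/app/"
PHISHING_MANIFEST = {
    "name": "Example Bank",
    "short_name": "ExBank",
    "start_url": "/app/login.html",
    "display": "standalone",
    "icons": [{"src": "https://www.example-bank.test/static/icon-192.png",
               "sizes": "192x192", "type": "image/png"}],
}

# Constructed sample: the brand's own installable web app for comparison.
LEGIT_PAGE = "https://www.example-bank.test/"
LEGIT_MANIFEST = {
    "name": "Example Bank",
    "short_name": "ExBank",
    "start_url": "/",
    "display": "standalone",
    "icons": [{"src": "/static/icon-192.png", "sizes": "192x192"}],
}

if __name__ == "__main__":
    for page, manifest in ((PHISHING_PAGE, PHISHING_MANIFEST), (LEGIT_PAGE, LEGIT_MANIFEST)):
        result = triage_manifest(page, manifest)
        print(page, result["verdict"], result["score"])
        for reason in result["reasons"]:
            print("   -", reason)
```

A standalone display mode on its own is not evidence of anything (the legitimate manifest scores 1 for exactly that), which is why the verdict hinges on the brand-versus-origin mismatch and copied assets rather than on install capability itself. To use this against real traffic, fetch the manifest referenced by the landing page's `<link rel="manifest">` and pass the page URL that served it.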
### Lateral Movement
- **Details:** Not covered by the report. Commodity infostealers such as Formbook and Lumma Stealer harvest and exfiltrate from the host they land on; they do not move laterally.
### Data Exfiltration/Impact
- **Details:** Theft of credentials and financial data by Formbook and Lumma Stealer, and direct financial losses to victims of Nomani investment scams. Separately, law enforcement disrupted the Redline Stealer and Meta Stealer operations that had previously dominated the category.
### Detection & Response
- **How it was discovered:** ESET telemetry data collection throughout H2 2024.
- **Response actions taken:** Operation Magnus (October 2024) took down the Redline Stealer and Meta Stealer infrastructure.
## Attack Methodology
| Category | Method |
| :--- | :--- |
| **Initial Access** | Browser-installed look-alike apps on iOS/Android; phishing attachments and malicious downloads for infostealers. |
| **Persistence** | Not detailed in the report. |
| **Privilege Escalation** | Not detailed; infostealers run in the user's context and do not need it. |
| **Defense Evasion** | Not detailed for specific families. |
| **Credential Access** | Core function of Formbook (which replaced Agent Tesla at the top of the rankings) and Lumma Stealer: browser-stored logins, cookies and form data. |
| **Discovery** | Not detailed; infostealers typically fingerprint the host (OS, installed browsers, wallets) before harvesting. |
| **Lateral Movement** | Not applicable; infostealers act on the infected host only. |
| **Collection** | Browser credential and cookie stores, form data, crypto wallet files. |
| **Exfiltration** | Not detailed; commodity stealers post harvested data to their C2 over HTTP(S). |
| **Impact** | Financial fraud (Nomani scams); credential and data theft (infostealers). |
## Impact Assessment
- **Financial:** Significant financial losses expected due to the "booming numbers of investment scams on social media" (Nomani). Continued financial impact from credential and financial data theft via infostealers.
- **Data Breach:** Compromise of credentials and sensitive data due to the operational status of Formbook and Lumma Stealer.
- **Operational:** Disruption of criminal operations due to successful law enforcement takedowns of Redline and Meta Stealer.
- **Reputational:** Brands and public figures impersonated in Nomani lures, and the social platforms whose ads and posts carry them.
## Indicators of Compromise
*Note: The summary names malware families only; no hashes, domains or addresses are provided.*
- **Network indicators:** C2 traffic of Formbook and Lumma Stealer (consult ESET's full report or threat feeds for current infrastructure).
- **File indicators:** Formbook and Lumma Stealer binaries.
- **Behavioral indicators:** A web page prompting the user to install or "add to home screen" an app that carries a known brand's name and icon from a domain the brand does not own; on Android, a browser-installed app (WebAPK) whose origin is an unfamiliar domain. On endpoints, non-browser processes reading browser credential and cookie stores.
## Response Actions
- **Containment Measures:** Not detailed; for infostealer infections the standard steps apply: isolate the host, rotate every credential and session cookie the browser held, and revoke tokens for services the victim was logged into.
- **Eradication Steps:** Law enforcement took the Redline Stealer and Meta Stealer infrastructure out of operation.
- **Recovery Actions:** Nomani victims are individuals rather than organizations; recovery rests on awareness, prompt reporting to the bank and the platform that carried the lure, and attempts to recover transferred funds.
## Lessons Learned
- The infostealer landscape remains fluid, requiring continuous adaptation as market leaders are replaced (Agent Tesla declining, Formbook rising).
- The mobile vector is not an OS flaw but abuse of a legitimate feature: browsers on both platforms can install a website as a home-screen app, and that install path carries none of the review an app store applies, which makes it an attractive route for look-alike apps.
- Social engineering focused on financial opportunity (crypto/investment scams) continues to show massive growth and effectiveness (Nomani).
## Recommendations
- **Prevention Measures for Similar Incidents:**
  - Train users to treat a website's prompt to install or "add to home screen" an app, especially one bearing a bank's or brand's name, as a red flag, and to install financial apps only from the official stores.
  - Maintain endpoint protection that detects commodity infostealers such as Formbook and Lumma Stealer, and alert on non-browser processes reading browser credential and cookie stores.
  - Monitor for cryptocurrency and investment lures on social media that use the organization's brand or executives, and report them to the platforms; treat a customer's report of a "guaranteed returns" offer as a fraud signal.