ESET telemetry has discovered a new malware campaign targeting local governments and high-profile organizations in Asia, the Middle East, and Africa.

In the recently discovered targeted attacks, undocumented tools are being used by a lesser-known cyberespionage group identified as Worok discovered by ESET researcher Thibaut Passilly.

This group has been active since 2020, when it targeted governments and organizations in multiple countries, including a telecom firm in East Asia, a bank in Central Asia, and a Southeast Asian maritime sector firm.

Worok is primarily targeting organizations in banking, telecommunication, marine, military, energy, public sectors, and government in its current campaign. The group claims to be a cyberespionage collective that develops its own tools and uses existing tools to compromise the target. Its custom toolset in 2021 included:

  • CLRoad (a first-stage loader).
  • PNGLoad (a second-stage loader).
  • A full-featured PowHeartBeat backdoor written in PowerShell.

The backdoor can command and process execution and perform file manipulation. 

Campaign Details

According to ESET’s research, attackers sometimes exploited the infamous ProxyShell vulnerability (CVE-2021-34523) discovered in 2021 to gain initial access. Malware operators are looking to obtain sensitive information from their targets as their focus has been on “high-profile entities in Asia and Africa,” and they have targeted both public and private sector firms. Besides, they are also focusing on government entities.

After gaining initial access, the operators deploy numerous publicly available tools for further infiltration, including EarthWorm, Mimikatz, NBTscan, and ReGeorg. Then they deploy their custom implants, including a first-stage loader followed by a second-stage .NET loader. The researchers could not identify the final payloads, ESET’s Thibaut Passilly wrote in a blog post.

Worok Hackers Targeting Orgs, Govts in Asia, Middle East and Africa

After observing the Worok group’s activity in 2020, ESET noticed a break between May 2021 and January 2022, and then it resurfaced in February 2020, during which it targeted an energy firm in Central Asia and a public sector organization in Southeast Asia,

“While our visibility at this stage is limited, we hope that putting the spotlight on this group will encourage other researchers to share information about this group.”


  1. Nation-State Hackers Targeted Facebook – Meta
  2. Iranian hackers deface US government & African bank website
  3. Windows, Linux and macOS Hit by Chinese Iron Tiger APT Group
  4. US Warns Firms About North Korean Hackers Posing as IT Workers
  5. Indian APT exposes its Modus Operandi by infecting their own devices