This means the same T2Bot infection could be used to steal browser passwords on Tuesday and move laterally across a network to deploy ransomware on Wednesday, simply by pushing different modules.
The is a modular, multi-stage backdoor that ESET researchers first identified targeting organizations in Southeast Asia . Attributed to a suspected Chinese-speaking group, this malware is notable for its stealthy communication methods and its ability to exfiltrate sensitive data while remaining persistent on a system. Overview of T2Bot eset t2bot
Recent variants of ESET T2Bot have moved away from disk-based persistence. Instead, they embed their payload in the repository. Every 60-90 seconds, a WMI subscription triggers the payload to run from the registry, leaving no executable file for traditional scanners to find. This means the same T2Bot infection could be
If ESET detects T2Bot but cannot clean it, it means the rootkit component is active. Overview of T2Bot Recent variants of ESET T2Bot
As of 2024-2025, ESET’s LiveGrid telemetry shows that classic T2Bot campaigns have declined, but the code has been repurposed. New variants combine T2Bot’s web-injection engine with ransomware modules (dubbed T2Lock by researchers). The underlying techniques—fileless WMI, SOCKS proxying, and MitB injection—are now standard features in modern crimeware kits.