    ESET APT Activity Report Q4 2025–Q1 2026

    By Admin, May 29, 2026
    ESET Research

    Threat Reports

    An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q4 2025 and Q1 2026

    Jean-Ian Boutin, 28 May 2026, 4 min. read


    ESET APT Activity Report Q4 2025–Q1 2026 summarizes notable activities of selected advanced persistent threat (APT) groups documented by ESET researchers from October 2025 through March 2026. The operations highlighted here are representative of the broader threat landscape we investigated during this period, illustrating key trends and developments, and contain only a fraction of the cybersecurity intelligence data provided to customers of ESET Threat Intelligence APT Reports.

    During the monitored time frame, China-aligned threat actors remained highly active worldwide, conducting espionage campaigns shaped in part by geopolitical developments affecting Beijing’s economic and security interests. Following the US military operation in Venezuela and amid continuing instability in the Gulf region, we spotted signs that China-aligned groups were being mobilized to improve Beijing’s visibility into maritime, energy, and political developments abroad. In one notable case, FamousSparrow targeted a Venezuelan governmental entity connected to maritime affairs, likely to monitor the resilience of oil shipments after the US intervention. We also noticed SteppeDriver targeting a Syrian governmental network, activity that may reflect both Chinese commercial interest in Syria’s reconstruction projects and security concerns surrounding Uyghur fighters present in that country. On VirusTotal we found PhiliKit, a new implant that we assess to be part of UNC5221’s SPAWN toolset targeting Ivanti VPN appliances, while our tracking of NegativeGlimmer revealed the group compromising governmental entities in Cambodia and Panama, as well as an AI and robotics company in South Korea. The latter targeting in South Korea aligns with Beijing’s enduring interest in strategic technologies prioritized under the Made in China 2025 industrial development policy.

    The war in Iran that began in late February 2026 was the defining event for Iran-aligned activity during this period. Paradoxically, the conflict coincided with a decline in activity from established Iran-aligned APT groups in our telemetry, most likely because internet restrictions imposed by the Iranian regime hindered their ability to operate effectively. At the same time, this environment appears to have favored the mobilization of proxy and hacktivist actors targeting Israel, the United States, and other states seen as hostile to Tehran. We also documented an unusual spike in activity against Israeli targets that we could not confidently link to previously known groups. Two unattributed activity clusters, Rusty Boots and MoKhargosh, demonstrated both espionage capabilities and destructive potential – including deployment of a bootkit-style wiper and retaining destructive tooling for later use – whereas a third, MOØN Badr, appears to have been limited to targeted espionage.

    North Korea-aligned threat actors remained active on several fronts. Multiple groups continued targeting developers and the cryptocurrency ecosystem with social engineering schemes that can yield both direct financial gain and opportunities for software supply-chain compromise. Lazarus and DeceptiveDevelopment continued to invest in long-term relationship building with high-value targets, while Kimsuky and Konni favored quicker, more opportunistic attacks. We also uncovered the reemergence of Andariel in South Korea, where the group deployed TigerRAT and attempted to spread Rook ransomware within an engineering company that appears to manufacture equipment relevant to liquid hydrogen handling and the nuclear industry – technologies that are obviously of interest to Pyongyang’s ballistic and nuclear ambitions.

    We also tracked the continuing evolution of Lazarus campaigns, including Operation DreamJob and Operation DangerousPassword. The former targeted European drone manufacturers; the latter led to the compromise of the widely used JavaScript library axios, which has over 100 million weekly downloads on the npm registry and is critical to web and mobile applications worldwide. Attackers exploited the lead maintainer’s compromised credentials to publish malicious versions of the library that injected trojanized code into affected systems, before being detected and removed. In parallel, ScarCruft compromised a gaming platform serving the Yanbian region in China, likely to collect intelligence on individuals of interest to the North Korean regime, including refugees and defectors.

    Russia-aligned threat actors continued to focus overwhelmingly on Ukraine and entities connected to the country’s defense efforts. Sednit deployed its Covenant and BeardShell implants against Ukrainian military personnel, drone manufacturers, and organizations involved in drone research and development, while also targeting logistics and transportation companies outside Ukraine. Sandworm intensified destructive activity over the winter, deploying several new wipers in Ukraine against governmental and private sector targets. Particularly notable was a December 2025 data destruction incident affecting a Polish energy company, which we attribute to Sandworm with medium confidence. Although destructive attacks by Russia-aligned actors outside Ukraine remain rare, this case stands out because it affected critical infrastructure in a NATO member state. Given Poland’s role in helping stabilize Ukraine’s electricity supply, it is possible that the operation was intended to strain Ukraine’s power grid during the winter.

    We also tracked several noteworthy campaigns from lesser-known and unattributed clusters. These include a browser-in-the-browser phishing attack against a Japanese think tank, Android spyware we named Asin that targets Arabic-speaking users via apps claiming to offer conflict-tracking features, and the compromise of a defense company in the United Arab Emirates through a SmartOffice CRM server, followed by the deployment of custom post-exploitation and reverse proxy tools.

    ESET products protect our customers’ systems from the malicious activities described in this report. Intelligence shared here is based mostly on proprietary ESET telemetry data and has been verified by ESET researchers.

    Figure 1: Targeted countries and sectors
    Figure 2: Attack sources

    ESET APT Activity Reports contain only a fraction of the cybersecurity intelligence data provided in ESET Threat Intelligence APT Reports. For more information, visit the ESET Threat Intelligence website.
