ESET APT Activity Report Highlights Geopolitical Espionage and Cyber Threats
TL;DR
ESET Research’s report on APT groups from Q4 2025 and Q1 2026 reveals heightened espionage activities by China-aligned and North Korea-aligned actors amid geopolitical tensions. Concurrently, Iran-aligned groups faced operational challenges due to internet restrictions, yet new proxy threats emerged targeting adversaries.
Main Analysis
ESET Research documented significant activity by advanced persistent threat groups during a time characterized by geopolitical shifts. China-aligned actors demonstrated heightened engagement in international espionage, which corresponds to Beijing’s geopolitical interests. Notably, the group known as FamousSparrow targeted a Venezuelan governmental entity, likely aiming to assess the impact of U.S. military actions on maritime oil shipments. Other noteworthy operations included SteppeDriver targeting Syrian governmental networks, aligning with economic interests in reconstruction projects and concerns regarding Uyghur fighters.
In contrast, Iran-aligned groups exhibited reduced activity as Iranian internet restrictions hampered their operations during the ongoing conflict in Iran. However, proxy groups emerged, executing hacking campaigns targeting Israel and the U.S. Notably, two unidentified groups, Rusty Boots and MoKhargosh, exhibited both espionage and destructive capabilities, including using a wiper tool in their attacks.
North Korea-aligned actors continued their multi-faceted approach, particularly in the cryptocurrency domain. Groups such as Lazarus and DeceptiveDevelopment relied on social engineering to compromise high-value targets or to enable supply-chain attacks. Andariel also resurfaced, deploying TigerRAT and attempting to introduce ransomware into critical infrastructure sectors.
Russia-aligned actors maintained their aggressive posture towards Ukraine, with Sednit targeting military and logistics sectors through advanced malware. Sandworm escalated its destructive operations, as demonstrated by a data destruction incident affecting a Polish energy company. Such actions are particularly concerning as they target critical infrastructure, potentially aiming to destabilize support for Ukraine during the winter months.
Defensive Context
Defenders in the energy, defense, and critical infrastructure sectors should remain alert to increased espionage and persistent cyber threats, particularly from state-aligned actors. The geopolitical drivers behind these campaigns warrant attention from organizations operating within or associated with the affected regions. Entities connected to maritime oil operations or involved in high-tech manufacturing remain especially relevant targets.
Why This Matters
The analysis underscores the interconnectedness of geopolitical events and cyber activities, revealing how international conflicts can catalyze cyber espionage campaigns. Organizations in sectors likely to concern state actors should understand their elevated risk exposure.
Indicators of Compromise
Specific IOCs were not detailed in the report; organizations should therefore track developments related to the described APT activities and adapt their defenses as further intelligence becomes available.