The report highlights the intensification of espionage and sabotage activities by groups linked to Russia, China and North Korea, with attacks targeting critical infrastructure and institutions in Ukraine, the EU and Asia. Techniques include zero-day exploits, spearphishing and social engineering.
ESET, a global European leader in the cybersecurity market, has published the latest APT Activity Report, which analyzes the activities of some APT groups documented by ESET researchers between October 2024 and March 2025. Over the period observed, groups linked to Russia – in particular Sednit and Gamaredon – conducted aggressive campaigns, mainly targeting Ukraine and European Union countries.
Ukraine has suffered the greatest number of cyber attacks, with particular intensity targeting critical infrastructure and state institutions. The Russia-affiliated Sandworm group has stepped up destructive operations against Ukrainian energy companies, deploying a new wiper called ZEROLOT. Meanwhile, groups linked to China continued their espionage campaigns targeting European organisations.
Gamaredon confirmed itself as the most active group against Ukraine, improving malware obfuscation techniques and introducing PteroBox, a file stealer that exploits Dropbox.
"The infamous Sandworm group has focused heavily on compromising Ukrainian energy infrastructure. In some recent cases they deployed the ZEROLOT wiper, exploiting Active Directory Group Policies within affected organizations," explains Jean-Ian Boutin, Director of Threat Research at ESET.
Sednit has perfected the exploitation of cross-site scripting vulnerabilities in webmail services, extending the RoundPress operation from Roundcube to Horde, MDaemon and Zimbra. ESET discovered that the group successfully used a zero-day vulnerability in MDaemon Email Server (CVE-2024-11182) against Ukrainian companies. Several attacks conducted by Sednit against defense companies in Bulgaria and Ukraine were based on spearphishing campaigns.
Another Russian-affiliated group, RomCom, demonstrated a high technical level by exploiting zero-day vulnerabilities in Mozilla Firefox (CVE-2024-9680) and Microsoft Windows (CVE-2024-49039).
In Asia, China-affiliated APT groups continued to target government and academic institutions. At the same time, North Korea-linked groups have stepped up operations against South Korea, targeting individuals, private companies, embassies and diplomatic personnel.
Mustang Panda remained the most active group, targeting government bodies and companies in the shipping sector through Korplug loaders and infected USB sticks. DigitalRecyclers continued attacks against European government entities, using the KMA VPN anonymization network and deploying the RClient, HydroRShell, and GiftBox backdoors.
PerplexedGoblin used the new NanoSlate spy backdoor against a Central European government agency, while Webworm targeted a Serbian government organization using SoftEther VPN, a tool that remains popular among pro-China groups.
In Asia, North Korean groups have stood out for their financial campaigns. DeceptiveDevelopment has significantly expanded its reach, using fake job offers specifically targeting the cryptocurrency, blockchain and finance sectors. The group employed advanced social engineering techniques to distribute the cross-platform WeaselStore malware. The cryptocurrency theft from the Bybit platform, attributed by the FBI to the TraderTraitor group, involved an attack on the supply chain via Safe{Wallet}, with an estimated damage of approximately $1.5 billion.
Meanwhile, other North Korean groups have seen changes in activity levels: in early 2025, Kimsuky and Konni returned to usual levels after a decline in activity in late 2024, shifting focus from English-speaking think tanks, NGOs and North Korea experts towards South Korean entities and diplomatic personnel. Andariel, which had been dormant for a year, resurfaced with a sophisticated attack against a South Korean company specializing in industrial software.
Iran-affiliated groups have maintained their primary focus on the Middle East, primarily targeting government entities and companies in the manufacturing and engineering sectors in Israel.
Additionally, ESET has detected a significant global increase in cyberattacks against technology companies, largely due to increased DeceptiveDevelopment activity.
"The highlighted operations represent a summary of the threat landscape analyzed during the period under review. They reflect key trends and developments and constitute only a small part of the intelligence data provided to ESET APT reporting customers," concludes Boutin.
The information contained in the confidential reports is mainly based on proprietary data collected through ESET telemetry and is verified by the company's researchers, who prepare in-depth technical analyses and regular updates on the activities of individual APT groups.
These analyses, available as ESET APT Reports PREMIUM, support organizations in protecting citizens, critical infrastructure and high-value assets from cyberattacks initiated by cybercriminals or state actors.