ESET Research has released its latest APT Activity Report, which highlights the activities of select APT groups documented by ESET researchers from October 2025 through March 2026. During the monitored time frame, China-aligned threat actors remained highly active worldwide, conducting espionage campaigns shaped in part by geopolitical developments affecting Beijing’s economic and security interests.
Following the US military operation in Venezuela and amid continuing instability in the Gulf region, ESET spotted signs that China-aligned groups were being mobilized to improve Beijing’s visibility into maritime, energy, and political developments abroad. North Korea-aligned Andariel attacked a company that appears to be involved in the nuclear power industry.
China-aligned FamousSparrow targeted a Venezuelan government entity involved in maritime affairs, likely to monitor the resilience of oil shipments following the US intervention. There, ESET also noticed activity by SteppeDriver, another China-aligned APT group targeting a Syrian governmental network, which may reflect both Chinese commercial interest in Syria’s reconstruction projects and security concerns surrounding Uyghur fighters present in that country. China-aligned UNC5221’s SPAWN malware family targeted governmental entities in Cambodia and Panama, as well as an AI and robotics company in South Korea. The latter targeting South Korea aligns with Beijing’s enduring interest in strategic technologies prioritized under the Made in China 2025 industrial development policy.
“In Asia, the campaigns primarily focused on governmental organizations, strategic industries, and advanced technology sectors. In the Middle East, Israel remained the principal focus of Iran-aligned and Iran-linked activities, with targets ranging from organizations affected by espionage intrusions to device manufacturers hit by destructive tooling,” says Jean-Ian Boutin, Director of Threat Research at ESET.
The war in Iran that began in late February 2026 was the defining event for Iran-aligned activity during this period. Paradoxically, the conflict coincided with a decline in activity from established Iran-aligned APT groups in ESET telemetry, most likely because internet restrictions imposed by the Iranian regime hindered their ability to operate effectively. At the same time, this environment appears to have favored the mobilization of proxy and hacktivist actors targeting Israel, the United States, and other states seen as hostile to Tehran. ESET Research also documented an unusual spike in activity against Israeli targets that it could not confidently link to previously known groups. Two unattributed activity clusters, Rusty Boots and MoKhargosh, demonstrated both espionage capabilities and destructive potential against Israel – including deployment of a bootkit-style wiper while retaining destructive tooling for later use.
ESET Research also found a defense company in the United Arab Emirates being compromised, and Arabic-speaking users being targeted with Android spyware. It was possibly aimed at journalists or open-source intelligence practitioners since the name of attacker’s Telegram channel was likely inspired by Live Universal Awareness Map (Liveuamap), a legitimate, well-known OSINT platform dedicated to mapping military incidents worldwide.
North Korea-aligned threat actors remained active on several fronts. Multiple groups continued targeting developers and the cryptocurrency ecosystem with social engineering schemes that can yield both direct financial gain and opportunities for software supply-chain compromise. ESET also uncovered the reemergence of the Andariel group in attacks against South Korea, where the group deployed TigerRAT and attempted to spread Rook ransomware within an engineering company that appears to manufacture equipment relevant to liquid hydrogen handling and the nuclear power industry – technologies that are obviously of interest to Pyongyang’s ballistic and nuclear ambitions.
Russia-aligned threat actors continued to focus overwhelmingly on Ukraine and entities connected to that country’s defense efforts. Sednit deployed its Covenant and BeardShell implants against Ukrainian military personnel, drone manufacturers, and organizations involved in drone research and development, while also targeting logistics and transportation companies outside Ukraine. Sandworm intensified destructive activity over the winter, deploying several new wipers in Ukraine against governmental and private sector targets. Particularly notable was a December 2025 data destruction incident affecting a Polish energy company, which ESET attributed to Sandworm with medium confidence.
ESET products protect our customers’ systems from the malicious activities described in this released report. Intelligence shared here is based mostly on proprietary ESET telemetry data and has been verified by ESET researchers, who prepare in-depth technical reports and frequent activity updates detailing activities of specific APT groups. These threat intelligence analyses, known as ESET APT Reports, assist organizations tasked with protecting citizens, critical national infrastructure, and high-value assets from criminal and nation-state-directed cyberattacks.
