ESET APT Exercise Report This autumn 2024–Q1 2025 summarizes notable actions of chosen superior persistent menace (APT) teams that have been documented by ESET researchers from October 2024 till the top of March 2025. The highlighted operations are consultant of the broader panorama of threats we investigated throughout this era, illustrating the important thing traits and developments, and include solely a fraction of the cybersecurity intelligence information supplied to prospects of ESET’s non-public APT experiences.
In the course of the monitored interval, China-aligned menace actors continued participating in persistent espionage campaigns with a give attention to European organizations. Mustang Panda remained essentially the most energetic, concentrating on governmental establishments and maritime transportation firms by way of Korplug loaders and malicious USB drives. DigitalRecyclers continued concentrating on EU governmental entities, using the KMA VPN anonymization community and deploying the RClient, HydroRShell, and GiftBox backdoors. PerplexedGoblin used its new espionage backdoor, which we named NanoSlate, in opposition to a Central European authorities entity, whereas Webworm focused a Serbian authorities group utilizing SoftEther VPN, emphasizing the continued recognition of this software amongst China-aligned teams. Moreover, we consider {that a} ShadowPad cluster which will sporadically deploy ransomware for monetary acquire is primarily engaged in espionage. We additionally highlighted Worok’s frequent use of shared espionage toolsets resembling HDMan, PhantomNet, and Sonifake, addressing a number of inconsistent third-party attributions of campaigns involving these instruments to different teams.
Iran-aligned menace actors remained extremely energetic, led by MuddyWater, which ceaselessly leveraged distant monitoring and administration (RMM) software program in spearphishing assaults. Notably, MuddyWater collaborated intently with Lyceum, an OilRig subgroup, to focus on an Israeli manufacturing firm. BladedFeline revisited its earlier sufferer, a telecommunications firm in Uzbekistan, coinciding with Iran’s diplomatic outreach. CyberToufan carried out damaging operations, deploying a wiper assault in opposition to a number of organizations in Israel.
North Korea-aligned menace actors have been notably energetic in financially motivated campaigns. DeceptiveDevelopment considerably broadened its concentrating on, utilizing faux job listings primarily throughout the cryptocurrency, blockchain, and finance sectors. The group employed revolutionary social engineering strategies, resembling ClickFix assaults and bogus GitHub challenge posts, to distribute the multiplatform WeaselStore malware. The Bybit cryptocurrency theft, attributed by the FBI to TraderTraitor, concerned a supply-chain compromise of Protected{Pockets}, that brought about losses of roughly USD 1.5 billion. In the meantime, different North Korea-aligned teams noticed fluctuations of their operational tempo: In early 2025, Kimsuky and Konni returned to their common exercise ranges after a noticeable decline on the finish of 2024, shifting their concentrating on away from English-speaking assume tanks, NGOs, and North Korea consultants to focus totally on South Korean entities and diplomatic personnel; and Andariel resurfaced, after a yr of inactivity, with a classy assault in opposition to a South Korean industrial software program firm.
Russia-aligned menace actors, notably Sednit and Gamaredon, maintained aggressive campaigns primarily concentrating on Ukraine and EU international locations. Sednit refined its exploitation of cross-site scripting (XSS) vulnerabilities in webmail providers, increasing Operation RoundPress from Roundcube to incorporate Horde, MDaemon, and Zimbra. We found that the group efficiently leveraged a zero-day vulnerability in MDaemon E mail Server (CVE‑2024‑11182) in opposition to Ukrainian firms, whereas RomCom demonstrated superior capabilities by deploying zero-day exploits in opposition to Mozilla Firefox (CVE‑2024‑9680) and Microsoft Home windows (CVE‑2024‑49039). All of those vulnerabilities have been reported by ESET researchers to respective distributors. Gamaredon remained essentially the most prolific actor concentrating on Ukraine, enhancing malware obfuscation and introducing PteroBox, a file stealer leveraging Dropbox, whereas the notorious Sandworm group intensified damaging operations in opposition to Ukrainian vitality firms, deploying a brand new wiper named ZEROLOT by way of Energetic Listing Group Coverage and using RMM instruments in early compromise levels.
Lastly, notable actions by lesser-known teams included APT‑C‑60 specializing in people in Japan who’re probably linked to North Korea, and a extremely focused phishing marketing campaign, carried out by an as but unidentified menace actor, impersonating the World Financial Discussion board and election web sites, aiming to acquire delicate info from Ukrainian officers and diplomats. As well as, StealthFalcon carried out espionage centered operations in Türkiye and Pakistan.
Malicious actions described in ESET APT Exercise Report This autumn 2024–Q1 2025 are detected by ESET merchandise; shared intelligence is primarily based on proprietary ESET telemetry information and has been verified by ESET researchers.
