An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q2 2025 and Q3 2025
06 Nov 2025
•
,
4 min. read
ESET APT Activity Report Q2 2025–Q3 2025 summarizes notable activities of selected advanced persistent threat (APT) groups that were documented by ESET researchers from April through September 2025. The highlighted operations are representative of the broader landscape of threats we investigated during this period. They illustrate the key trends and developments and contain only a small fraction of the cybersecurity intelligence data provided to customers of ESET APT reports.
During the monitored period, China-aligned APT groups continued to advance Beijing’s geopolitical objectives. We observed an increasing use of the adversary-in-the-middle technique for both initial access and lateral movement, employed by groups such as PlushDaemon, SinisterEye, Evasive Panda, and TheWizards. In what appears to be a response to the Trump administration’s strategic interest in Latin America, and possibly also influenced by the ongoing US‑China power struggle, FamousSparrow embarked on a tour of Latin America, targeting multiple governmental entities in the region. Mustang Panda remained highly active in Southeast Asia, the United States, and Europe, focusing on the governmental, engineering, and maritime transport sectors. Flax Typhoon targeted the healthcare sector in Taiwan by exploiting public-facing web servers and deploying webshells to compromise its victims. The group frequently maintains its SoftEther VPN infrastructure, and it also started using an open-source proxy, BUUT. Meanwhile, Speccom targeted the energy sector in Central Asia with the presumed aim of gaining greater visibility into Chinese-funded operations and reducing China’s dependency on maritime imports. One of the backdoors in the group’s toolset, BLOODALCHEMY, appears to be favored by several China-aligned threat actors.
We observed a continued increase in spearphishing activities of the Iran-aligned MuddyWater. The group adopted the technique of sending spearphishing emails internally – from compromised inboxes within the target organization – with a notably high success rate. Other Iran-aligned groups remained active: BladedFeline adopted new infrastructure, while GalaxyGato deployed an improved C5 backdoor. GalaxyGato also introduced an interesting twist to its campaign by leveraging DLL-search-order hijacking to steal credentials.
North Korea-aligned threat actors targeted the cryptocurrency sector and, notably, expanded their operations to Uzbekistan – a country not previously observed in their scope. In recent months, we have documented several new campaigns conducted by DeceptiveDevelopment, Lazarus, Kimsuky, and Konni, with the aim of espionage, advancing Pyongyang’s geopolitical priorities, and generating revenue for the regime. Kimsuky experimented with the ClickFix technique to target diplomatic entities, and South Korean think tanks and academia, while Konni used social engineering with an unusual focus on macOS systems.
Russia-aligned groups maintained their focus on Ukraine and countries with strategic ties to Ukraine, while also expanding their operations to European entities. Spearphishing remained their primary method of compromise. Notably, RomCom exploited a zero-day vulnerability in WinRAR to deploy malicious DLLs and deliver a variety of backdoors. We reported this vulnerability to WinRAR, which promptly patched it. The group’s activity was mostly focused on the financial, manufacturing, defense, and logistics sectors in the EU and Canada. Gamaredon remained the most active APT group targeting Ukraine, with a noticeable increase in intensity and frequency of its operations. This surge in activity coincided with a rare instance of cooperation between Russia-aligned APT groups, as Gamaredon selectively deployed one of Turla’s backdoors. Gamaredon’s toolset, possibly also spurred by the collaboration, continued to evolve, for example, through the incorporation of new file stealers or tunneling services.
Sandworm, similar to Gamaredon, focused on Ukraine – albeit with motives of destruction rather than cyberespionage. The group deployed data wipers (ZEROLOT, Sting) against governmental entities, companies in the energy and logistics sectors, and, more notably, against the grain sector – the likely objective being the weakening of the Ukrainian economy. Another Russia-aligned threat actor, InedibleOchotense, conducted a spearphishing campaign impersonating ESET. This campaign involved emails and Signal messages delivering a trojanized ESET installer that leads to the download of a legitimate ESET product along with the Kalambur backdoor.
Finally, notable activities by lesser-known groups included FrostyNeighbor exploiting an XSS vulnerability in Roundcube. Polish and Lithuanian companies were targeted by spearphishing emails that impersonated Polish businesses. The emails contained a distinctive use and combination of bullet points and emojis, a structure reminiscent of AI-generated content, suggesting possible use of AI in the campaign. Delivered payloads included a credential stealer and an email message stealer. We also identified a previously unknown Android spyware family in Iraq, which we named Wibag. Masquerading as the YouTube app, Wibag targets messaging platforms such as Telegram and WhatsApp, as well as Instagram, Facebook, and Snapchat. Its capabilities include keylogging and the exfiltration of SMS messages, call logs, location data, contacts, screen recordings, and recordings of WhatsApp calls and regular phone calls. Interestingly, the login page for the spyware’s admin panel displays the logo of the Iraqi National Security Service.
Malicious activities described in ESET APT Activity Report Q2 2025–Q3 2025 are detected by ESET products; shared intelligence is based mostly on proprietary ESET telemetry data and has been verified by ESET researchers.
ESET APT Activity Reports contain only a fraction of the cybersecurity intelligence data provided in ESET Threat Intelligence APT Reports. For more information, visit the ESET Threat Intelligence website.
