- This ESET APT Activity Report summarizes notable activities of cyberthreat groups that were documented by ESET researchers from October 2023 until the end of March 2024.
- Iran-aligned groups increased their activity against Israel after the Hamas-led attack on Israel in October 2023 and throughout the ongoing war in Gaza.
- Russia-aligned groups focused on espionage within the European Union and continued attacks against Ukraine.
- China-aligned threat actors exploited vulnerabilities in public-facing appliances, such as VPNs and firewalls, and software.
- The main targets of most of the campaigns were government organizations.
ESET has released its latest APT Activity Report, which summarizes notable activities of selected advanced persistent threat (APT) groups that were documented by ESET researchers from October 2023 until the end of March 2024. The highlighted operations are representative of the broader landscape of threats ESET Research has investigated during this period, illustrating key trends and developments. After the Hamas-led attack on Israel in October 2023, and throughout the ongoing war in Gaza, ESET has detected a significant increase in activity from Iran-aligned threat groups. Russia-aligned groups have focused their activities on espionage within the European Union and attacks against Ukraine. On the other hand, several China-aligned threat actors exploited vulnerabilities in public-facing appliances, such as VPNs and firewalls, and software, such as Confluence and Microsoft Exchange Server, for initial access to targets in multiple verticals. North Korea-aligned groups continued to target aerospace and defense companies and the cryptocurrency industry.
“The targets of most of the campaigns were government organizations and certain verticals: for example, those targeted in continued and relentless attacks on Ukrainian infrastructure. Europe experienced a more diverse range of attacks from various threat actors. Russia-aligned groups strengthened their focus on espionage in the European Union, where China-aligned threat actors also maintain a consistent presence, indicating a continued interest in European affairs by both Russia- and China-aligned groups,” says Jean-Ian Boutin, Director of Threat Research at ESET.
Based on the data leak from Chinese security services company I-SOON (Anxun), ESET Research can confirm that this Chinese contractor is indeed engaged in cyberespionage. ESET tracks a part of the company’s activities under the FishMonger group. In this latest report, ESET also introduces a new China-aligned APT group, CeranaKeeper, distinguished by unique traits yet possibly connected by the digital footprint with the Mustang Panda group.
In the case of Iran-aligned threat groups, MuddyWater and Agrius transitioned from their previous focus on cyberespionage and ransomware, respectively, to more aggressive strategies involving access brokering and impact attacks. Meanwhile, OilRig and Ballistic Bobcat activities saw a downturn, suggesting a strategic shift toward more noticeable, “louder” operations aimed at Israel.
Regarding Russia-aligned activity, the Operation Texonto campaign, a disinformation and psychological operation (PSYOP) uncovered by ESET researchers, has been spreading false information about Russian election-related protests and the situation in the eastern Ukrainian metropolis Kharkiv, fostering uncertainty among Ukrainians domestically and abroad.
The report also describes the exploitation of a zero-day vulnerability in Roundcube by Winter Vivern, a group ESET assesses to be aligned with the interests of Belarus. Additionally, ESET spotlights a campaign in the Middle East carried out by SturgeonPhisher, a group ESET researchers believe to be aligned with the interests of Kazakhstan.
ESET products protect our customers’ systems from the malicious activities described in this report. Intelligence shared here is primarily based on proprietary ESET telemetry data and has been verified by ESET researchers, who prepare in-depth technical reports and frequent activity updates detailing activities of specific APT groups. These threat intelligence analyses, known as ESET APT Reports PREMIUM, assist organizations tasked with protecting citizens, critical national infrastructure, and high-value assets from criminal and nation-state-directed cyberattacks. This report contains only a fraction of the cybersecurity intelligence data provided to customers of ESET’s private APT reports.
You can read the full ESET APT Activity Report on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X) for the latest news from ESET Research.
About ESET
ESET provides cutting-edge digital security to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of known and emerging cyber threats — securing businesses, critical infrastructure, and individuals. Whether it’s endpoint, cloud or mobile protection, its AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multi-factor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. An ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit www.eset.com or follow us on LinkedIn, Facebook, and Twitter.