ESET APT Activity Report: China-aligned groups campaign against EU targets; prime target of Russia-aligned groups remains Ukraine

Next story
  • The latest APT Activity Report contains activities of selected APT groups from April 2023 to September 2023.
  • It highlights China-aligned groups’ persistent campaigns in the EU and the evolution of Russia’s cyberwar in Ukraine from sabotage to espionage.
  • Various groups exploited vulnerabilities in WinRAR, Microsoft Exchange servers, and IIS servers.
  • The prime target of Russia-aligned groups remained Ukraine; Telegram users were targeted for data collection.
  • Among the newly discovered China-aligned groups, DigitalRecyclers repeatedly compromised a governmental organization in the EU, TheWizards conducted adversary-in-the-middle attacks, and PerplexedGoblin targeted another governmental organization in the EU.

BRATISLAVA — October 26, 2023 — ESET released its latest report about the activities of selected advanced persistent threat (APT) groups that were observed, investigated, and analyzed by ESET researchers from April 2023 until the end of September 2023. Notably, ESET Research observed various APT groups exploiting known vulnerabilities to exfiltrate data from governmental entities or related organizations. Handpicked findings were presented exclusively to selected journalists during a press event. The presentation and the report explore China-aligned groups’ persistent campaigns in the European Union and the evolution of Russia’s cyberwar in Ukraine from sabotage to espionage.

Russia-aligned Sednit and Sandworm, North Korea-aligned Konni, and geographically unattributed Winter Vivern and SturgeonPhisher seized the opportunity to exploit vulnerabilities in WinRAR (Sednit, SturgeonPhisher, and Konni), Roundcube (Sednit and Winter Vivern), Zimbra (Winter Vivern), and Outlook for Windows (Sednit) to target various governmental organizations, not only in Ukraine but also in Europe and Central Asia. Regarding China-aligned threat actors, GALLIUM probably exploited weaknesses in Microsoft Exchange servers or IIS servers, extending its targeting from telecommunications operators to governmental organizations around the world; MirrorFace probably exploited vulnerabilities in the Proself online storage service; and TA410 probably exploited flaws in the Adobe ColdFusion application server.

Iran- and Middle East-aligned groups continued to operate at high volume, primarily focusing on espionage and data theft from organizations in Israel. Notably, Iran-aligned MuddyWater also targeted an unidentified entity in Saudi Arabia, deploying a payload that suggests the possibility of this threat actor serving as an access development team for a more advanced group.

The prime target of Russia-aligned groups remained Ukraine, where we discovered new versions of the known wipers RoarBat and NikoWiper and a new wiper we named SharpNikoWiper, all deployed by Sandworm. Interestingly, while other groups – such as Gamaredon, GREF, and SturgeonPhisher – target Telegram users to try to exfiltrate information, or at least some Telegram-related metadata, Sandworm actively uses this service for active measure purposes, advertising its cybersabotage operations. However, the most active group in Ukraine continued to be Gamaredon, which significantly enhanced its data-collecting capabilities by redeveloping existing tools and deploying new ones.

North Korea-aligned groups continued to focus on Japan, South Korea, and South Korea-focused entities, employing carefully crafted spear phishing emails. The most active Lazarus scheme observed was Operation DreamJob, luring targets with fake job offers for lucrative positions. This group consistently demonstrated its capability to create malware for all major desktop platforms.

Finally, our researchers uncovered the operations of three previously unidentified China-aligned groups: DigitalRecyclers, repeatedly compromising a governmental organization in the EU; TheWizards, conducting adversary-in-the-middle attacks; and PerplexedGoblin, targeting another governmental organization in the EU.

ESET APT Activity Reports contain only a fraction of the cybersecurity intelligence data provided to customers of ESET’s private APT reports. ESET researchers prepare in-depth technical reports and frequent activity updates detailing activities of specific APT groups, in the form of ESET APT Reports PREMIUM, to help organizations tasked with protecting citizens, critical national infrastructure, and high-value assets from criminal and nation-state-directed cyberattacks. Comprehensive descriptions of activities described in this document were therefore previously provided exclusively to our premium customers. More information about ESET APT Reports PREMIUM, which delivers high-quality, strategic, actionable, and tactical cybersecurity threat intelligence, is available on the ESET Threat Intelligence website.

For more technical information, check the full ESET APT Activity Report on WeLiveSecurity. Make sure to follow ESET Research on Twitter (now known as X) for the latest news from ESET Research.

About ESET

For more than 30 years, ESET® has been developing industry-leading IT security software and services to protect businesses, critical infrastructure and consumers worldwide from increasingly sophisticated digital threats. From endpoint and mobile security to endpoint detection and response, as well as encryption and multifactor authentication, ESET’s high-performing, easy-to-use solutions unobtrusively protect and monitor 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company that enables the safe use of technology. This is backed by ESET’s R&D centers worldwide, working in support of our shared future. For more information, visit or follow us on LinkedIn, Facebook, and X (Twitter).