Unmask advanced threats with detailed APT reports

Gain deep visibility into attacker techniques, infrastructure and attribution
to stay ahead of stealthy campaigns. Access ESET’s AI Advisor, trained on
decades of research, and consult our experts for hands-on guidance to
strengthen your defenses.

Why APT reports matter to your resilience

Blind spots in global threat coverage

Most intelligence skews toward US-centric data, leaving gaps in regions where your operations matter most. How do you uncover threats targeting Europe, APAC and high-risk sectors before they strike?

Attribution can be extremely tricky

Sophisticated campaigns blur their origins. Without deep research and context, linking attacks to specific actors or geopolitical motives is guesswork. Can your team confidently attribute advanced threats?

Delayed or generic APT reporting

By the time reports reach you, attackers have moved on. Generic summaries lack actionable detail. How do you get timely, technical insights that actually improve your security posture?

Limited understanding of adversary tactics

Knowing an attack occurred isn’t enough. Without clarity on attacker methods and infrastructure, defenses stay reactive. Do you have the depth to anticipate and disrupt their next move?

Turn APT intelligence into foresight

SEE WHAT OTHERS MISS

Understand the motivations, targets and tactics of APT groups that are relevant to your organization.

STRENGTHEN DEFENSES BEFORE ATTACKS HIT

Use curated, actionable intelligence to update detection rules, reduce risk to critical assets and refine incident response playbooks.

GAIN VISIBILITY OTHERS MISS

Access non-public insights from ESET’s proprietary research and telemetry, including deep coverage of threat activity linked to China, North Korea, Russia and Iran.

TALK TO THE EXPERTS BEHIND THE RESEARCH

Get direct access to ESET analysts for in-depth discussions, tailored guidance and help resolving critical questions each month.

What you'll get

Benefit from expert guidance on demand

With Analyst Access, you can consult ESET experts for up to four hours a month for tailored guidance and interpretation, maximizing the value of your APT intelligence.

Keep an edge with timely updates

Bi-weekly Activity Summary keeps security teams up to date on APT activity, with clear insight into campaigns, targets and IoCs. It helps them better protect their networks and understand APT groups’ latest tactics, techniques and procedures (TTPs).

Unpack sophisticated campaigns faster

Technical Analysis reveals attacker tooling, techniques and campaign workflows, with practical protection and remediation guidance. Essential for defenders, researchers and responders seeking timely, practical intel against evolving threats.

Keep leadership aligned on risk

The Monthly Overview gives an executive snapshot of the APT threat landscape each month, helping CISOs and decision-makers align priorities and support confident decisions.

Get instant clarity on complex threats

ESET AI Advisor provides AI-driven summaries and insights from APT reports, helping teams interpret data quickly and support fast, informed decisions.

Choose the level of APT insight your team needs

APT Reports

  • Bi-weekly Activity Summary: Covers APT campaigns, targets, IoCs and TTPs to help security teams stay ahead of sophisticated threats.
  • Threat Analysis Report: Detailed analysis of attacker tools, techniques and workflows with actionable guidance for protection and remediation.
  • Monthly Overview: Monthly snapshot of the APT threat landscape to help CISOs and leaders align priorities and make informed decisions.
  • Monthly Digest: A streamlined summary of all APT reports and key events, so busy teams and leaders can stay informed without overload.
  • Pre-access to WeLiveSecurity: Selected reports and expert articles before public release – giving your team an early edge.
  • APT IoC feed: Actionable indicators integrated via STIX/TAXII, accelerating detection and response and making intel immediately usable.
  • Access to MISP server
  • Analyst access
  • ESET AI Advisor

APT Reports Advanced

  • Bi-weekly Activity Summary: Covers APT campaigns, targets, IoCs and TTPs to help security teams stay ahead of sophisticated threats.
  • Threat Analysis Report: Detailed analysis of attacker tools, techniques and workflows with actionable guidance for protection and remediation.
  • Monthly Overview: Monthly snapshot of the APT threat landscape to help CISOs and leaders align priorities and make informed decisions.
  • Monthly Digest: A streamlined summary of all APT reports and key events, so busy teams and leaders can stay informed without overload.
  • Pre-access to WeLiveSecurity: Selected reports and expert articles before public release – giving your team an early edge.
  • APT IoC feed: Actionable indicators integrated via STIX/TAXII, accelerating detection and response and making intel immediately usable.
  • Access to MISP server: Automates ingestion of curated threat intelligence, simplifying workflows and turning raw data into real protection.
  • Analyst access
  • ESET AI Advisor

APT Reports Ultimate

  • Bi-weekly Activity Summary: Covers APT campaigns, targets, IoCs and TTPs to help security teams stay ahead of sophisticated threats.
  • Threat Analysis Report: Detailed analysis of attacker tools, techniques and workflows with actionable guidance for protection and remediation.
  • Monthly Overview: Monthly snapshot of the APT threat landscape to help CISOs and leaders align priorities and make informed decisions.
  • Monthly Digest: A streamlined summary of all APT reports and key events, so busy teams and leaders can stay informed without overload.
  • Pre-access to WeLiveSecurity: Selected reports and expert articles before public release – giving your team an early edge.
  • APT IoC feed: Actionable indicators integrated via STIX/TAXII, accelerating detection and response and making intel immediately usable.
  • Access to MISP server: Automates ingestion of curated threat intelligence, simplifying workflows and turning raw data into real protection.
  • Analyst access: Consult ESET experts for up to four hours a month for tailored guidance and interpretation, maximizing the value of your APT intelligence.
  • ESET AI Advisor: AI-driven summaries and APT report insights, helping teams interpret data and make informed decisions quickly.

Extend your resilience

eCrime Reports

Clear, actionable intelligence on financially motivated cybercrime operations and malware ecosystems.

Feeds

Real-time, curated data streams built for automation and integration.

Know the threat. Outsmart the actor.

ESET’s research and telemetry uncover the infrastructure, tactics and campaigns behind global APT activity – from state-sponsored espionage to region-specific operations.

GOLDENJACKAL

Active since at least 2019. The group’s known toolset is used for espionage. It targets government and diplomatic entities in Europe, the Middle East, and South Asia. The group is little known and has only been publicly described by Kaspersky in 2023.

ATTOR

A Russia-aligned threat actor, discovered by ESET researchers. Active since at least 2008. Known for its eponymous cyber espionage platform. The platform is notable for its complex plugin architecture and elaborate network communication, using Tor. The group has compromised users in Lithuania, Russia, Slovakia, Türkiye, the United Arab Emirates, Vietnam, and Ukraine. It specifically targets two types of users: Russian-speaking privacy-concerned users and high-profile organizations in Europe, including diplomatic missions and governmental institutions.

BUHTRAP

Well known for targeting financial institutions and businesses in Russia. Since late 2015, it has transitioned from a purely criminal group, perpetrating cybercrime for financial gain, to an actor conducting cyber espionage in Eastern Europe and Central Asia. It is believed the group is Russia-aligned because it deployed a zero-day exploit for Windows against a target in Ukraine.

CALLISTO

Also known as COLDRIVER, SEABORGIUM, Star Blizzard, Blue Callisto, or BlueCharlie. Cyber espionage group, active since at least 2015. Known to target European and North American government officials, think tanks, and military personnel. It focuses on spearphishing and webmail-credential stealing. In early 2022, the group tried to steal webmail credentials from Ukrainian government officials and people working in Ukrainian state-owned companies. The credentials were likely used by the attackers to read confidential email messages or steal documents from cloud storage services. These actions were most probably part of a cyber espionage operation relating to the current Russia-Ukraine war. In 2023, the UK government sanctioned two members of Callisto and linked the group to the FSB’s 18th Centre for Information Security.

GAMAREDON

Active since at least 2013. Responsible for many attacks, mostly against Ukrainian governmental institutions, as evidenced in several reports from CERT-UA and other official Ukrainian bodies. The Security Service of Ukraine (SBU) has tied the group to the FSB’s 18th Center of Information Security operating out of occupied Crimea. ESET believes this group collaborates with InvisiMole. We have also documented its collaboration with Turla since early 2025.

GREENCUBE

Russia-aligned cyber espionage group, operating since at least 2022. Specializes in credential-stealing spearphishing campaigns and stealing email messages via XSS vulnerabilities in Roundcube. Usual targets include governmental and defense-related organizations in Greece, Poland, Serbia, and Ukraine.

INVISIMOLE

Russia-aligned threat group, active since at least 2013. Known for highly targeted cyber espionage attacks against governmental institutions, military entities, and diplomatic missions. Mostly focused on targets in Ukraine, with increased activity since 2021. Has also targeted entities in Armenia, Belarus, Greece, and Russia. ESET believes the group collaborates with the FSB-linked Gamaredon group.

OPERATION TEXONTO

Disinformation/PSYOPS campaign targeting Ukrainians and dissidents in Russia. Additionally, ESET detected spearphishing campaigns targeting a Ukrainian defense company and an EU agency in 2023, with the goal of stealing credentials for Microsoft Office 365 accounts. Operation Texonto is currently not attributed to a specific threat actor. However, given the TTPs, targeting, and the spread of messages, there is a high probability that the campaign was conducted by a group aligned with Russia’s interests.

ROMCOM

Also known as Storm-0978, Tropical Scorpius, or UNC2596. A Russia-aligned group that conducts both opportunistic cybercrime operations against selected business verticals and targeted espionage operations, collecting intelligence. Linked with the deployment of so-called ‘Cuba’ ransomware since at least 2022. More recently, has been engaged in targeting the Ukrainian government and defense sector, NATO allies, and multiple governmental organizations in Europe.

SAINTBEAR

Also known as UAC-0056, UNC2589, EmberBear, LorecBear, Lorec53, or TA471. Cyber espionage group that targets Ukraine and Georgia. Active since at least 2021. Believed to be Russia-aligned. Particularly interested in high-profile targets, mainly in the Ukrainian government vertical. Deploys infostealers and backdoors on compromised machines. Observed deploying Cobalt Strike in 2022. Assessed with high confidence as being responsible for the WhisperGate attack in 2022.

SANDWORM

Russia-aligned threat group that performs various destructive attacks. Is commonly attributed to Unit 74455 of the Russian Main Intelligence Directorate (GRU). Mostly known for attacks against the Ukrainian energy sector in 2015 and 2016, which resulted in power outages. ESET tracks the group’s activities under various subgroups: the TeleBots subgroup, mostly interested in attacking financial entities in Ukraine; GreyEnergy, known for heavy usage of its eponymous malware against critical infrastructure targets, detected at energy companies in Poland, Ukraine, and Georgia. In 2018, the group launched the Olympic Destroyer data-wiping attack against organizers of the Winter Olympics in PyeongChang. It uses such advanced malware as Industroyer, which is able to communicate with equipment at energy companies via industrial control protocols. In 2020, the US Department of Justice published an indictment against six Russian computer hackers, alleging that they prepared and conducted various attacks by the group.

SEDNIT

Also known as APT28, Fancy Bear, Forest Blizzard, or Sofacy. Operating since at least 2004. The US Department of Justice named the group as one of those responsible for the Democratic National Committee (DNC) hack just before the 2016 US elections and linked the group to the GRU. Also presumed to be behind the hacking of global television network TV5Monde, the World Anti-Doping Agency (WADA) email leak, and many other incidents. The group has a diversified set of malware tools in its arsenal, but nowadays primarily runs targeted phishing campaigns. Nevertheless, it has still been observed deploying custom advanced implants.

THE DUKES

Also known as APT29, Cozy Bear, or Nobelium. An infamous cyber espionage group, active since at least 2008. According to the NCSC-UK, associated with SVR (Foreign Intelligence Service of the Russian Federation). Known as one of the groups that hacked the US Democratic National Committee in the run-up to the 2016 election. In 2019, ESET exposed its large-scale espionage operation targeting multiple European ministries of foreign affairs. Known for the 2020 supply-chain attack piggybacking on SolarWinds, leading to the compromise of major organizations, including many parts of the US government. Responsible for several spearphishing campaigns in 2021, aimed at diplomats in Europe.

TURLA

Also known as Snake. A cyber espionage group active since at least 2004, possibly extending back into the late 1990s. It is thought to be part of the FSB. It mainly focuses on high-profile targets, such as governments and diplomatic entities, in Europe, Central Asia, and the Middle East. The group is known for having breached major organizations such as the US Department of Defense in 2008 and the Swiss defense company RUAG in 2014.

UAC-0099

Cyber espionage group targeting governmental organizations, financial institutions, and media in Ukraine. Active since at least 2022. Based on its targeting, it is believed with medium confidence that the group is aligned with Russian interests. It typically deploys LONEPAGE, a PowerShell downloader named after the presence of the word page in the C&C (command and control) links.

VERMIN

Also known as UAC-0020. Russia-aligned threat group known for cyber espionage attacks on government and military targets in Ukraine. Active since at least 2015. The group is believed to be associated with the so-called Luhansk People’s Republic.

ZEBROCY

Also known as UAC-0063 or TAG-110. Russia-aligned threat group known for cyber espionage attacks on government, military, and foreign-affairs-related targets in Central Asia and Ukraine. Active since at least 2015. The Zebrocy malware toolkit serves for targeted attack campaigns and contains all the necessary capabilities for espionage, such as keylogging, screenshotting, reconnaissance, file listing and exfiltration, and more. It has been developed in a modular manner, allowing for updates and the execution of new modules delivered by the operators.

TRANSPARENT TRIBE

Also known as Operation C-Major, Mythic Leopard, ProjectM, APT36, or Earth Karkaddan. Cyber espionage group targeting the Indian Army and related assets in India, as well as activists and civil society in Pakistan. Weak attributions to a Pakistani connection have been made by Trend Micro and others. The group uses social engineering and phishing to deploy malware. Historically, it has deployed backdoors, especially CrimsonRAT, against victims running Windows, with occasional use of the Android backdoor AndroRAT.

ARID VIPER

Also known as APT-C-23, Desert Falcons, or Two-tailed Scorpion. Cyber espionage group known for targeting countries in the Middle East. Active since at least 2013. Mostly targets Palestinian and Israeli victims, including law enforcement, military, and government, but also activists and students. Deploys a vast malware arsenal for Android, iOS, and Windows platforms, including several custom backdoors. The group is believed to be affiliated with Hamas and operating from the Gaza Strip.

BAHAMUT

APT group that specializes in cyber espionage. It is believed that its goal is to steal sensitive information. Also referred to as a mercenary group offering hack-for-hire services to a wide range of clients. Typically targets entities and individuals in the Middle East and South Asia with spearphishing messages and fake applications as the initial attack vector.

BIBIGUN

Hamas-backed hacktivist group. First appeared during the Israel-Hamas War of 2023. The group is known for deploying wipers to Israeli targets, using both Windows and Linux binaries. The group’s initial wiper was discovered by Security Joes in 2023, and another was discovered by ESET and reported the same year.

BLADEHAWK

A Middle Eastern cyber espionage threat group, discovered in 2020. Historically targeted the Kurdish ethnic group of northern Iraq. The group has used both Windows and Android malware to target its victims. In 2021, ESET described an espionage campaign by the group, distributed via pro-Kurdish content on Facebook, that targeted mobile users with Android backdoors.

POLONIUM

Cyber espionage group, first documented in 2022. The group is believed to be based in Lebanon and mostly targets Israeli organizations. Its toolset consists of seven custom backdoors, including one that abuses the OneDrive and Dropbox cloud services for C&C (command and control), and others that utilize the Dropbox and Mega file storage services. The group has also used several custom modules to spy on its targets.

STEALTH FALCON

A threat group associated with the United Arab Emirates. Active since 2012. Known to target political activists, journalists, and dissidents in the Middle East. First discovered and described by Citizen Lab in its spyware attacks analysis published in 2016. In 2019, Amnesty International concluded that Stealth Falcon and Project Raven, an initiative allegedly employing former NSA operatives, are the same group.

STRONGPITY

Aka PROMETHIUM or APT-C-41. Cyber espionage group, active since at least 2012. Primarily targets entities located in Turkey, but has operated worldwide. Historically, it has targeted the Windows platform with its eponymous malware. However, in late 2022, two campaigns distributing Trojanized Android apps were also attributed to the group.

ASYLUM AMBUSCADE

A cybercrime group that has been performing cyber espionage operations on the side. First publicly outed in March 2022 after the group targeted European government staff involved in helping Ukrainian refugees, just a few weeks after the start of the Russia-Ukraine war.

CLOUD ATLAS

Also known as Inception Framework. Cyber espionage group, active since at least 2014. Also believed to be a spin-off from Red October, an older cyber espionage group that was possibly a dual-country collaboration, according to the Chronicle security blog (now part of Google Security Operations). The group mainly targets governments and companies in strategic sectors such as defense in Russia, Europe, and the Caucasus.

FROSTY NEIGHBOR

Also known as UNC1151, DEV-0257, PUSHCHA, Storm-0257, or TA445. Active since at least 2016. Allegedly operating from Belarus. The majority of the group’s operations have targeted countries neighboring Belarus; a small minority have been observed in other European countries. It conducts influence and disinformation campaigns, but has also compromised a variety of governmental and private sector entities, with a focus on Ukraine, Poland, and Lithuania.

MOUSTACHED BOUNCER

Cyber espionage group first revealed by ESET. Active since at least 2014. Primarily targets foreign embassies in Belarus. Since 2020, the group has most likely been able to perform adversary-in-the-middle attacks at the ISP level, within Belarus, in order to compromise its targets.

WINTER VIVERN

Cyber espionage group, first discovered in 2021. Thought to have been active since at least 2020. It targets governments in Europe and Central Asia. The group uses malicious documents, phishing websites, and a custom PowerShell backdoor to compromise its targets. Since 2022, it has also specifically targeted Zimbra and Roundcube email servers. In 2023, ESET observed the group exploiting old XSS vulnerabilities in Roundcube.

XDSPY

Cyber espionage group, active since at least 2011. Known to target government entities such as militaries, ministries of foreign affairs, and state-owned companies in Eastern Europe (including in Russia) and the Balkans. The group uses spearphishing emails to compromise its targets. In 2020, it exploited a vulnerability in Internet Explorer when no proof-of-concept and very little information about it were publicly available. It is likely the group bought this exploit from a broker.

APT-C-60

Also known as False Hunter or APT-Q-12. South Korea-aligned cyber espionage group, active since at least 2018. It mainly focuses on high-profile targets such as governments, trade industries, and think tanks. The group uses potentially interesting events, or its operators pose as students asking for opinions on relevant research topics, to lure its targets. It operates custom downloaders and a modular backdoor delivered via spearphishing emails. Its operations are characterized by the deployment of multiple downloader stages and a custom backdoor capable of loading plugins.

ANDARIEL

Considered a subgroup of Lazarus (linked to North Korea). Its activities go back to 2009. The group primarily focuses its operations on South Korean targets, including both governmental and military entities, as well as businesses such as banks, cryptocurrency exchanges, and online brokers. Its goals are centered on either cyber espionage or financial gain. Among the group’s publicly disclosed incidents are the attacks against the Seoul International Aerospace & Defense Exhibition (ADEX) in 2015 and India’s Kudankulam Nuclear Power Plant (KKNPP) in 2019.

DECEPTIVE DEVELOPMENT

A North Korea-aligned group, first documented in 2023. Its operators are focused primarily on financial gain, targeting software developers on Windows, Linux, and macOS to steal cryptocurrency, with a possible secondary objective of conducting cyber espionage. The group uses fake recruiter profiles on social media. It reaches out to software developers, often those involved in cryptocurrency projects, providing potential victims with Trojanized codebases that deploy backdoors as part of a faux job interview process.

KIMSUCKY

Cyber espionage group linked to North Korea. Active since at least 2013. The group initially targeted entities related to South Korea; however, over the last few years, it has expanded its activities more broadly, to include the United States and European countries. It targets government entities, research institutes, cryptocurrency companies, and private companies, with the main goal being cyber espionage and intelligence gathering.

KONNI

A North Korea-aligned threat actor group. First reported on by analysts in 2017. Targets primarily Russian and South Korean political institutions. Often uses spearphishing attacks to gain initial access and relies on the custom Remote Administration Tool (RAT) for persistence and continued access to a victim’s machine. While some security researchers place the group under the ScarCruft (APT37), Lazarus, or Kimsuky umbrella, ESET is unable to corroborate those assertions.

LAZARUS

Also known as HIDDEN COBRA. APT group linked to North Korea. Active since at least 2009. Responsible for high-profile incidents such as the Sony Pictures Entertainment hack and cyber heists costing tens of millions of dollars in 2016, the WannaCryptor (aka WannaCry) outbreak in 2017, and a long history of disruptive attacks against South Korean public and critical infrastructure since at least 2011. The diversity, number, and eccentricity in the implementation of campaigns define this group, as well as its engagement in all three pillars of cybercriminal activities: cyber espionage, cyber sabotage, and pursuit of financial gain.

OPERATION IN(TER)CEPTION

ESET’s name for a series of attacks attributed to the Lazarus group. These attacks have been ongoing since at least 2019, targeting aerospace, military, and defense companies. The operation is notable for using LinkedIn-based spearphishing and employing effective tricks to stay under the radar. As the name In(ter)ception suggests, its main goal appears to be corporate espionage.

SCARCRUFT

Also known as APT37 or Reaper. Suspected of being a North Korean espionage group. Has been operating since at least 2012. It primarily focuses on South Korea, but also targets other Asian countries. The group seems to be interested mainly in government and military organizations, and in companies in various industries linked to North Korean interests. Its toolset contains a broad range of downloaders, exfiltration tools, and backdoors used for espionage.

AGRIUS

Cyber sabotage group with a suspected affiliation to Iran. Active since 2020. Has been targeting victims in Israel and the United Arab Emirates. The group initially deployed a wiper disguised as ransomware, but later modified it into full-fledged ransomware. It exploits known vulnerabilities in internet-facing applications to install webshells, then conducts internal reconnaissance before moving laterally.

BALLISTIC BOBCAT

Previously tracked as APT35 and APT42 (aka Charming Kitten, TA453, or PHOSPHORUS). A suspected Iranian nation-state actor targeting education, government, and healthcare organizations, as well as human rights activists and journalists. Most active in Israel, the Middle East, and the United States. During the pandemic, it targeted COVID-19-related organizations, including the World Health Organization and Gilead Pharmaceuticals, as well as medical research personnel.

BLADEDFELINE

Iran-aligned cyber espionage group. Active since at least 2017. First discovered in 2023, targeting Kurdish diplomatic officials with its backdoor. In 2024, it continued targeting those Kurdish officials, along with Iraqi government officials, and a regional telecommunications provider in Uzbekistan. Assessed with high confidence that the group is a subgroup of OilRig – also known as APT34 or Hazel Sandstorm (formerly EUROPIUM) – which shares attributes with BladeHawk and FreshFeline.

CYBERTOUFAN

A threat actor group known for its cyberattacks targeting Israeli organizations. The group is believed to be based in Türkiye but carries out attacks that align with the Iranian government’s goals. There is a connection between the group and Frankenstein, a group that has historically worked to support the interests of the Palestinian Territories and is also aligned with Iran’s interests. The group has been involved in hack-and-leak operations, data breaches, and data destruction.

DOMESTIC KITTEN

A campaign conducted by the APT-C-50 group. In the campaign, the group has been conducting mobile surveillance operations against Iranian citizens since 2016, as reported by Check Point in 2018. In 2019, Trend Micro identified a malicious campaign, possibly connected to Domestic Kitten, targeting the Middle East, naming the campaign Bouncing Golf. Shortly after, in the same year, Qianxin reported a Domestic Kitten campaign targeting Iran again. In 2020, 360 Core Security disclosed surveillance activities by Domestic Kitten targeting anti-government groups in the Middle East. The last publicly available report is from 2021, by Check Point.

FRESHFELINE

Aka MosesStaff. An Iranian cyber espionage group that targets a variety of verticals in Israel, Italy, India, Germany, Chile, Turkey, the UAE, and the US. Active since at least 2021, when it deployed a previously unknown backdoor targeting two companies in Israel. In 2021, it deployed ransomware to victims in Israel. The group targets internet-exposed Microsoft Exchange servers with unpatched, known vulnerabilities as a primary means of entry, followed by lateral movement and deployment of its own custom backdoor.

GALAXY GATO

Also known as C5, Smoke Sandstorm, TA455, or UNC1549. Cyber espionage group aligned with the Iranian government’s interests. Active since at least 2022. The group targets organizations in the Middle East (including, but not limited to, Israel, Oman, and Saudi Arabia) and in the United States in the aerospace, aviation, and defense verticals. Its methods overlap with Tortoiseshell, a group linked to Iran’s Islamic Revolutionary Guard Corps (IRGC) Electronic Warfare and Cyber Defense (EWCD) organization, and APT33, which is also linked to the IRGC-EWCD. Typical methods by the group include spearphishing using typosquatting domains, password spraying, and developing and deploying custom backdoors.

LYCEUM

Also known as HEXANE or Storm-0133. A subgroup of OilRig, active since at least 2017. The group has been targeting organizations in the Middle East, with special focus on Israeli organizations, including national and local governmental entities and organizations in healthcare. Major tools attributed to the group include various backdoors and a range of downloaders that utilize legitimate cloud services for C&C (command and control) communication.

MUDDYWATER

Cyber espionage group linked to Iran’s Ministry of Intelligence and Security (MOIS). Active since at least 2017. The group targets victims in the Middle East and North America, with a focus on telecommunications, governmental organizations, and the oil and energy industries. Its operators frequently use script-based backdoors like PowerShell. Their preferred method of initial access is spearphishing emails with attachments – often PDFs with links pointing to file storage repositories such as Egnyte and OneHub.

OILRIG

Also known as APT34 or Hazel Sandstorm (formerly EUROPIUM). Cyber espionage group commonly believed to be based in Iran. Active since at least 2014. The group targets Middle Eastern governments and various business sectors, including the chemical, energy, financial, and telecommunications industries. Its notable campaigns include the 2018 and 2019 DNSpionage campaign, targeting victims in Lebanon and the United Arab Emirates; the 2019–2020 HardPass campaign, using LinkedIn to target Middle Eastern victims in the energy and government sectors; the 2020 attack against a telecommunications organization in the Middle East; and the 2023 attacks targeting organizations in the Middle East. Besides these incidents, ESET tracks other OilRig-related activities under separate subgroups: Lyceum, ShroudedSnooper, and BladedFeline.

SHROUDED SNOOPER

Also known as Scarred Manticore or Storm-0861. A subgroup of OilRig active since at least 2019. First identified by Microsoft in the 2021-2022 destructive attacks on the Albanian government, having provided initial access to the network for other OilRig subgroups by exploiting public-facing applications. In 2023, the group carried out attacks against governmental and military organizations, and telecommunications companies, in the Middle East.

TORTOISESHELL

Also known as Crimson Sandstorm, Imperial Kitten, TA456, or Yellow Liderc. Cyber espionage group, active since at least 2019. The group uses social engineering and phishing emails for initial access and relies heavily on Microsoft Office macros and early-stage implants, which are used for system and network reconnaissance. Targets typically include maritime, shipping, and logistics verticals in the US, Europe, and the Middle East.

WILDPRESSURE

Cyber espionage group targeting victims in the Middle East in the oil, gas, and engineering sectors. Active since at least 2019, when its first backdoor was discovered. In 2021, the group was observed deploying additional tools.

DONOT TEAM

Also known as APT-C-35 or SectorE02. An India-aligned threat actor operating since at least 2016. A 2021 report by Amnesty International linked the group’s malware to an Indian cybersecurity company that may be selling the spyware or offering a hackers-for-hire service to governments in the region. The group targets organizations in South Asia by using Windows and Android malware, with the majority of victims located in Pakistan, Bangladesh, Sri Lanka, Nepal, and China. Its campaigns focus on espionage, using its signature malware framework, whose main purpose is to collect and exfiltrate data.

BACKDOOR DIPLOMACY

The name ESET uses for an APT15 subgroup primarily targeting governmental organizations and telecommunications companies in Africa and the Middle East. Active since at least 2017. In 2022, Bitdefender documented the group’s activities against the telecom industry in the Middle East. In 2023, Unit 42 shared its analysis of the group’s compromise of governmental networks in Iran. In 2021, ESET demonstrated links between the group and what Kaspersky tracks as CloudComputating, a group active since at least 2012. ESET has also observed multiple links with other APT15 subgroups, such as Mirage, Ke3chang, and DigitalRecyclers.

BLACKWOOD

A China-aligned APT group engaging in cyber espionage operations against Chinese and Japanese individuals and companies. Active since at least 2018. In 2020, ESET researchers discovered the group after detecting suspicious files on a system in China. The group’s operators have the capability to conduct adversary-in-the-middle attacks, allowing them to deliver their implant through updates to legitimate software and to hide the location of their C&C (command and control) servers by intercepting traffic generated by the implant.

BRONZE SILHOUETTE

Also known as Volt Typhoon or Vanguard Panda. China-aligned cyber espionage group, active since at least 2022. Mainly targets the defense industry and critical organizations in the USA. First publicized in 2023, after it was caught attacking critical infrastructure in Guam, a US island territory in the Western Pacific that hosts several US military bases.

CERANA KEEPER

China-aligned cyber espionage group, active since at least the beginning of 2022. Targets mainly governmental entities in Southeast Asia. The group is known for its documented components TONEINS, TONESHELL, and PUBLOAD, its use of publicly available tools, and its exfiltration techniques, which rely on cloud and file-sharing services. Some of its activities have been attributed to Mustang Panda (also known as Earth Preta or Stately Taurus); however, ESET attributes these activities to a separate group.

CLOUDSORCERER

A threat actor first publicly reported in 2024; however, ESET telemetry data contains traces of the group’s activity from early 2022. The group conducts cyber espionage operations against governmental organizations and the technology sector in Russia, and think tanks in the United States. Its operations are characterized by spearphishing emails with an archive attached. The group uses the trident side-loading technique to deliver its main backdoor, which then abuses cloud services such as Yandex, OneDrive, or Dropbox to receive commands.

DIGITAL RECYCLERS

A threat actor discovered by ESET. Active since at least 2018. The group regularly conducts espionage operations against governmental organizations in Europe. It is believed with low confidence that the group is linked to Ke3chang and BackdoorDiplomacy.

EVASIVE PANDA

Also known as BRONZE HIGHLAND, Daggerfly, and StormBamboo. China-aligned APT group, operating since at least 2012. Its objective is cyber espionage against countries and organizations opposing China’s interests through independence movements such as those in the Tibetan diaspora, religious and academic institutions in Taiwan and in Hong Kong, and supporters of democracy in China. ESET has at times observed its operations extending to countries such as Vietnam, Myanmar, and South Korea. The group has accumulated an impressive list of attack methods, such as supply-chain and watering-hole attacks, and DNS hijacking. It also demonstrates a strong capability for malware development, as showcased in its extensive collection of multi-platform backdoors for Windows, macOS, and Android.

FAMOUSSPARROW

China-aligned cyber espionage group. Believed to have been active since at least 2019. The group was initially known for targeting hotels around the world but has also targeted governments, international organizations, trade groups, engineering companies, and law firms. It is the only known user of the SparrowDoor backdoor. The group is linked to the Earth Estries group, but the exact nature of the link is not fully known. It has also been publicly linked to Salt Typhoon, but, due to the absence of any technical indicators, ESET tracks them as separate entities.

FISHMONGER

Also known as Earth Lusca, TAG-22, Aquatic Panda, or Red Dev 10. Cyber espionage group believed to be operated by the Chinese contractor I-SOON and falling under the Winnti Group umbrella. ESET published an analysis of the group in early 2020, when it heavily targeted universities in Hong Kong during the civic protests there. We described a global campaign targeting governments, NGOs, and think tanks across Asia, Europe, and the United States. The group is also known to operate watering-hole attacks.

FLAX TYPHOON

Also known as ETHEREAL PANDA. China-aligned APT group, active since at least 2021. Mostly targets Taiwanese organizations. The group utilizes the China Chopper webshell, the Juicy Potato privilege escalation tool and its multiple variations, as well as Mimikatz. It extensively utilizes living-off-the-land binaries (LOLBins) to evade detection.

FONTGOBIN

China-aligned APT group. ESET researchers chose this name due to the group’s long-running usage (since at least 2022) of fake font files in the C:\Windows\Fonts directory as covert payloads for a specific set of loaders. Predominantly targets government entities in Kyrgyzstan, Uzbekistan, Kazakhstan, and Pakistan.

FOURFUNKYGORILLAS

China-aligned APT group that targets various sectors in Eastern Europe and Central Asia. The group utilizes the Zmm backdoor and the Trochilus RAT. The Zmm backdoor is being developed by the StartupNation group, which also develops the Mikroceen RAT used by the SixLittleMonkeys APT group.

GALLIUM

Also known as Soft Cell, Alloy Taurus, Red Moros, or Othorene. China-aligned APT group targeting telecommunications providers and government organizations worldwide. Also known for having targeted the academic sector. Its toolset includes a custom C++ backdoor, an IIS webshell based on China Chopper, various credential stealers based on Mimikatz, and various off-the-shelf tools.

GELSEMIUM

China-aligned cyber espionage group. Active since at least 2014. That year, G DATA published a white paper about Operation TooHash, a campaign whose victims seemed to be located in East Asia based on the documents used in the campaign. The operators used spearphishing with attachments exploiting a then-old vulnerability in Microsoft Office, as well as three components, two of which were signed with a stolen certificate. In 2016, Verint Systems presented at HITCON, where they talked about a new activity of the TooHash operation mentioned two years earlier, still using the same exploit against Microsoft Office.

GOPHERWHISPER

Active since at least 2023. China-aligned cyber espionage group that focuses on the creation of backdoors and uses legitimate services such as Discord, Slack, and file.io for C&C communications and exfiltration. As of 2025, ESET telemetry shows that the group has been targeting governmental institutions in Mongolia.

GREF

China-aligned cyber espionage group, active since at least 2009. Named for the abundant use of Google references in its code and notable for using drive-by compromises. The group’s arsenal includes malware for Windows, OS X, and Android users. First documented in 2014, when it used an OS X backdoor to target electronics and engineering companies worldwide, as well as NGOs with interests in Asia. In 2020, Lookout discovered four Android backdoors used to target Uyghurs, Tibetans, and Muslim populations around the world, which they attributed to the group based on overlapping network infrastructure. While several sources claim that the group is associated with APT15, ESET researchers do not have sufficient evidence to support this connection and thus continue to track it as a separate group.

KE3CHANG

Ke3chang (pronounced ke-tri-chang) is the name ESET uses for an APT15 subgroup primarily targeting governmental organizations and diplomatic missions in Europe and Latin America. The name is based on a 2013 Mandiant report on Operation Ke3chang, and we use it for subsequent APT15 activities reported by various organizations between 2016 and 2021. The group’s operations are characterized by the deployment only of simple, first-stage backdoors with limited capabilities, and subsequent reliance on human operators to execute further commands manually, leveraging built-in and publicly available utilities for reconnaissance.

KMA-VPN

Also known as SuperJumper. Operational relay box (ORB) network running on virtual private servers (VPSes) all around the world. Active since at least 2023. Multiple China-aligned threat actors, including DigitalRecyclers and BackdoorDiplomacy, use this covert network to anonymize their network traffic and hide their true origin.

LONGNOSEDGOBLIN

China-aligned APT group discovered by ESET in 2024. It targets governmental entities in Malaysia with the goal of conducting cyber espionage. The group deploys unique custom malware to gather victims’ browser histories and decide where to deploy a backdoor that leverages the Microsoft OneDrive cloud service. Additionally, it utilizes the Group Policy of Active Directory to deploy its malware and perform lateral movement. There is a small overlap with the ToddyCat APT group, based on file paths and the use of SoftEther VPN. However, the overall toolsets are different.

LOTUS BLOSSOM

Also known as Lotus Panda and Billbug. China-aligned APT group targeting governmental and maritime organizations in Southeast Asia. First uncovered in 2015. It employs the Elsentric backdoor and various additional tools, such as Impacket and the Venom proxy.

LUCKYMOUSE

Also known as APT27 or Emissary Panda. Cyber espionage group mainly targeting governments, telecommunications companies, and international organizations. Active in Central Asia, the Middle East, Mongolia, Hong Kong, and North America. One of the group’s distinctive techniques is to use DLL side-loading to load its backdoors.

MIRRORFACE

Also known as Earth Kasha. Active since at least 2019. A China-aligned threat actor that primarily targets companies and organizations in Japan, as well as entities elsewhere with ties to Japan. ESET considers it to be a subgroup under the APT10 umbrella. The group has been reported to target media, defense-related companies, think tanks, diplomatic organizations, financial institutions, academic institutions, and manufacturers. It focuses on espionage and the exfiltration of files of interest.

MUSTANG PANDA

Also known as TA416, RedDelta, PKPLUG, Earth Preta, or Stately Taurus. A cyber espionage group, believed to be based in China. Mainly targets governmental entities and NGOs. Although known for its 2020 campaign targeting the Vatican, its victims are mostly located in East and Southeast Asia, with a focus on Mongolia. In its campaigns, the group frequently uses custom loaders for shared malware.

PERPLEXED GOBLIN

Also known as APT31. A China-aligned cyber espionage group that mainly targets governmental entities in Europe. It uses a custom implant that can be deployed in various ways, including a DLL side-loading chain and a bring-your-own-vulnerable-software (BYOVS) chain. It is worth noting that the group has a broader arsenal of custom tools, some of which we haven’t yet seen in the wild.

PLUSHDAEMON

China-aligned threat actor active since at least 2018. The group engages in espionage operations against individuals and entities in China, Taiwan, Hong Kong, South Korea, the United States, and New Zealand. It uses a custom backdoor, and its main initial access technique is to hijack legitimate updates by redirecting traffic to attacker-controlled servers through a network implant. Additionally, the group gains access via vulnerabilities in web servers, and it performed a supply-chain attack in 2023.

RED FOXTROT

APT group active since at least 2014. It targets government, defense, and telecommunications sectors in Central Asia, India, and Pakistan. It is believed to be part of the People’s Liberation Army (PLA) Unit 69010. It is one of the groups with access to the ShadowPad backdoor.

SINISTEREYE

China-aligned APT group, active since at least 2008. Conducts cyber espionage and surveillance operations in China targeting national and foreign individuals, companies, educational institutions, and government entities. The group’s activities are a subset of operations attributed to the LuoYu APT (also known as CASCADE PANDA). It uses adversary-in-the-middle, through access to the Chinese internet backbone, to hijack software updates and deliver its implants for Windows and Android.

SNEAKY DRAGON

An APT group that targets entities in East and Southeast Asia. Active since at least 2020. ESET believes it is based in China. The group’s signature tool is a modular malware designed with an emphasis on providing stealthy remote access.

SPARKLING GOBLIN

An APT group whose tactics, techniques, and procedures (TTP) partially overlap with APT41 (aka BARIUM). While the group primarily operates in East and Southeast Asia, it also targets organizations across a wide range of sectors worldwide, with a particular focus on academia. It is also one of the groups with access to the ShadowPad backdoor.

SPECCOM

Also known as IndigoZebra or SMAC. Active since at least 2013. According to reports, this China-aligned APT group is responsible for attacks on political entities in some Central Asian countries, specifically Afghanistan, Uzbekistan, and Kyrgyzstan. ESET researchers have also observed its attacks in Equatorial Guinea, Russia, Tajikistan, and Israel.

STARTUP NATION

A group responsible for developing and maintaining malware for several China-aligned APT groups. Active since at least 2016. ESET believes that the group provides its software to the China-aligned APT groups we track as SixLittleMonkeys, FourFunkyGorillas, Webworm, Worok, TA428, and TA410. It has developed the HDMan toolset, the Mikroceen RAT (also known as BYEBY), the Zmm backdoor, and the BeRAT backdoor.

STEPPE DRIVER

China-aligned espionage group operating from the Inner Mongolia Autonomous Region of the People’s Republic of China. ESET discovered the group in 2024 when it targeted a car dealership in France. It has also targeted governmental entities in Mongolia and a law firm in South America. It uses a wide range of tools, most of which are shared across China-aligned groups. The group is also a customer of StartupNation.

TA410

A cyber espionage umbrella group known mostly for targeting US-based organizations in the utilities sector and diplomatic organizations in the Middle East and Africa. Active since at least 2018. First publicly revealed in 2019. It is composed of three subgroups ESET has named JollyFrog, LookingFrog, and FlowingFrog. In 2020, the newly discovered and very complex malware family FlowCloud was also attributed to TA410.

TA428

Also known as ThunderCats. APT group, active since at least 2014. Targets governments in East Asia, with a particular focus on Mongolia and Russia. ESET believes it operates from Beijing in the People’s Republic of China. The group uses custom backdoors and shared tools. It is one of the groups with access to the ShadowPad backdoor.

THE WIZARDS

China-aligned APT group, active since at least 2021. It engages in cyber espionage operations against individuals, gambling companies, and unknown entities in the Philippines, the United Arab Emirates, and China. ESET researchers discovered this threat actor when a malicious update was downloaded by a popular Chinese application known as Sogou Pinyin. The group has capabilities to conduct adversary-in-the-middle attacks, which enables it to redirect traffic and deliver its custom malware via updates.

TICK

Also known as BRONZE BUTLER or REDBALDKNIGHT. APT group suspected of being active since at least 2006. Targets mainly countries in the APAC region. This group is of interest for its cyber espionage operations, which focus on the theft of classified information and intellectual property.

TRAPPED GOBLIN

A China-aligned group that uses custom modular malware, which ESET named GrapHop

UNSOLICITED BOOKER

China-aligned threat actor operating since at least 2023. The group conducts cyber espionage oper Middle East. The group overlaps with Space Pirates and the threat actor that uses the Zardoor backdoor. It has access to various implants and is also a customer of StartupNation.

WEBSIIC

Also known as ToddyCat. Discovered by ESET researchers in 2021 during an investigation of attacks against Microsoft Exchange servers that abused the ProxyLogon vulnerability. Based on that, it is most likely a China-aligned APT group. According to Kaspersky, the group has been active since at least 2020. Its previous targets include organizations in Nepal, Vietnam, Japan, Bangladesh, and Ukraine. The group’s attacks typically combine the use of distinct proprietary malware and publicly available hacking tools.

WEBWORM

Cyber espionage group first reported by Symantec in 2022. It is linked to other China-aligned APT groups such as SixLittleMonkeys and FishMonger. The group utilizes well-known malware families. It is also a customer of StartupNation.

WINNTI GROUP

Active since at least 2012. Known to be based in the Chinese city of Chengdu, Sichuan province. Responsible for high-profile supply-chain attacks against the video game and software industries, leading to the distribution of multiple trojanized software packages that were then used to compromise more victims. The group is also known for having compromised various targets in other sectors, such as healthcare and education.

WOROK

China-aligned cyber espionage group, active since at least 2020. ESET believes it operates from Beijing. The group mostly focuses on targets in Mongolia, but has also targeted entities in Kyrgyzstan, Vietnam, Türkiye, Indonesia, and Namibia. It targets governmental and other organizations in the public sector, as well as private companies. The group uses its own custom tools as well as publicly available tools. It shares additional tools and characteristics with other China-aligned groups, in particular TA428. Notably, it has access to the ShadowPad backdoor and is a customer of the StartupNation software provider group.

STURGEONPHISHER

Also known as YoroTrooper. Cyber espionage group, active since at least 2021. The group focuses on spearphishing and webmail-credential stealing. It targets government officials, think tanks, and employees of state-owned companies in countries bordering the Caspian Sea, with the Russian Federation being the most heavily targeted country. Given the narrow targeting, the group is likely to operate from a Central Asian country. Based on the victimology and other technical indicators, ESET assesses the group with low confidence as being aligned with the interests of Kazakhstan.

Stay informed. Stay ahead

ESET THREAT REPORT H2 2025

An in-depth look at global threat trends, regional APT activity and malware developments observed through ESET telemetry.

APT Activity Summary

Latest insights into active APT campaigns across the globe.

WeLiveSecurity: Top stories and research

Expert analysis and commentary from ESET researchers on the latest cyber threats, discoveries and security trends.

ESET Research Podcast: Exploring the global threat landscape

Join our analysts as they discuss attribution, tooling and global activity shifts.

ESET Threat Intelligence APT Reports datasheet

Discover our APT-focused intelligence capabilities.
