ESET APT Report

Q4 2025 – Q1 2026

A comprehensive overview of Global APT activity, uncovered through ESET telemetry and expert analysis from ESET’s leading threat researchers.

Key APT Activity

China-aligned groups spy in Venezuela and the Gulf, target AI robotics in South Korea

China-linked groups targeted Venezuela, Syria, Cambodia, Panama, Gulf states and South Korea, focusing on maritime monitoring, reconstruction interests, and strategic technologies - including AI and robotics - aligned with Beijing’s long-term economic and security priorities.

Iran-aligned activity shifts during 2026 conflict

Amid Iran’s 2026 war, Iran-aligned APT activity declined due to internet limits, while proxies surged. ESET saw attacks on Israel, including wipers. In the UAE, a defense company was compromised, and Android spyware targeted Arabic-speaking users.

North Korea-aligned APT targets nuclear industry

North Korea-aligned groups targeted developers and cryptocurrency through social engineering. ESET also saw an Andariel attack in South Korea, deploying TigerRAT and attempting to deploy ransomware against an engineering firm tied to hydrogen and nuclear sectors.

Russia-aligned activity centers on Ukraine

Russia-aligned actors focused on Ukraine again, with Sednit targeting military, drone, and logistics sectors, while Sandworm intensified destructive attacks, deploying new wipers and striking a Polish energy company. Activity also extended to regional support networks aiding Ukraine’s defense.


Frequently asked questions

What can I learn from the ESET APT Activity Report?

The ESET APT Activity Report provides an expert-led analysis of notable activities conducted by advanced persistent threat (APT) groups. It offers a snapshot of the global threat landscape, based on ESET telemetry and original research.

How often is the ESET APT Activity Report published?

The report is published biannually, providing insights into APT activity and trends across two distinct six-month periods each year.

What regions does the ESET APT Activity Report cover?

The report highlights APT campaigns and threat activity affecting regions around the globe, with a focus on key geopolitical hot spots. Coverage reflects where ESET researchers observed significant operations during the reporting period.

How does ESET collect the data represented in the reports?

The findings are based on proprietary ESET telemetry, expert analysis, and real-world investigations conducted by ESET’s global network of threat researchers. Other sources used in the reports’ analyses may include honeypots and external security feeds as well as data from other cybersecurity vendors. All intelligence shared is carefully verified before publication.

What is unique about ESET APT Activity Reports when compared with those of other cybersecurity providers?

ESET APT Activity Reports offer in-depth analyses of the global threat landscape, enriched with comments and recommendations by ESET’s diverse team of cybersecurity specialists – many of whom are frequent speakers at prestigious industry conferences, like RSA, Black Hat, and Virus Bulletin, and renowned for their expertise.

With ESET’s R&D centers spanning Europe, Asia, and North America, ESET’s analysts provide around-the-clock coverage, leveraging diverse time zones and locations to address the evolving threat landscape.

How does the ESET APT Activity Report differ from the ESET Threat Report?

ESET APT Activity Reports provide an overview of activities of selected advanced persistent threat (APT) groups investigated and analyzed by ESET Research within the reporting period. APT groups are typically highly sophisticated threat actors, often backed by nation states, engaging in targeted cyberattacks and espionage. In contrast, the threat reports focus on widespread cyberthreats – so-called crimeware – that typically aren’t targeted in nature, and thus, can affect anyone.

What kind of threat activity is included?

The report focuses on documented campaigns by threat actors in key geopolitical hot spots around the globe. It includes espionage campaigns, financially motivated attacks, destructive operations, and exploitation of zero-day vulnerabilities.

Who is this report intended for?

Cybersecurity professionals, threat analysts, decision-makers in IT and security, and anyone interested in understanding the evolving tactics, techniques, and procedures (TTPs) of global threat actors.