- ESET Research has released its latest APT Activity Report covering October 2025 – March 2026.
- China-aligned threat actors remained highly active, including in geopolitical hotspots like Venezuela, Syria, and the Gulf states, spying on maritime, energy industries, an AI robotics company in South Korea, and governmental targets.
- A defense company in the United Arab Emirates was compromised; possibly aimed at journalists, Arabic-speaking users being targeted with Android spyware. North Korea-aligned Andariel attacked a company that appears to be involved in nuclear industry.
- Russia-aligned threat actors continued to focus overwhelmingly on Ukraine. Sednit deployed implants against Ukrainian military personnel, drone manufacturers, and organizations involved in drone research and development.
BRATISLAVA, MONTREAL — May 28, 2026 — ESET Research has released its latest APT Activity Report, which highlights activities of select APT groups that were documented by ESET researchers from October 2025 through March 2026. During the monitored time frame, China-aligned threat actors remained highly active worldwide, conducting espionage campaigns shaped in part by geopolitical developments affecting Beijing’s economic and security interests. Following the US military operation in Venezuela and amid continuing instability in the Gulf region, ESET spotted signs that China-aligned groups were being mobilized to improve Beijing’s visibility into maritime, energy, and political developments abroad. North Korea-aligned Andariel attacked a company that appears to be involved in the nuclear power industry.
China-aligned FamousSparrow targeted a Venezuelan governmental entity connected to maritime affairs, likely to monitor the resilience of oil shipments after the US intervention. There, ESET also noticed SteppeDriver, another China-aligned APT group targeting a Syrian governmental network, activity that may reflect both Chinese commercial interest in Syria’s reconstruction projects and security concerns surrounding Uyghur fighters present in that country. China-aligned UNC5221’s SPAWN malware family targeted governmental entities in Cambodia and Panama, as well as an AI and robotics company in South Korea. The latter targeting South Korea aligns with Beijing’s enduring interest in strategic technologies prioritized under the Made in China 2025 industrial development policy.
“In Asia, the campaigns primarily focused on governmental organizations, strategic industries, and advanced technology sectors. In the Middle East, Israel remained the principal focus of Iran-aligned and Iran-linked activities, with targets ranging from organizations affected by espionage intrusions to device manufacturers hit by destructive tooling,” says Jean-Ian Boutin, Director of Threat Research at ESET.
The war in Iran that began in late February 2026 was the defining event for Iran-aligned activity during this period. Paradoxically, the conflict coincided with a decline in activity from established Iran-aligned APT groups in ESET telemetry, most likely because internet restrictions imposed by the Iranian regime hindered their ability to operate effectively. At the same time, this environment appears to have favored the mobilization of proxy and hacktivist actors targeting Israel, the United States, and other states seen as hostile to Tehran. ESET Research also documented an unusual spike in activity against Israeli targets that it could not confidently link to previously known groups. Two unattributed activity clusters, Rusty Boots and MoKhargosh, demonstrated both espionage capabilities and destructive potential against Israel – including deployment of a bootkit-style wiper while retaining destructive tooling for later use.
ESET Research also found a defense company in the United Arab Emirates being compromised, and Arabic-speaking users being targeted with Android spyware. It was possibly aimed at journalists or open-source intelligence practitioners since the name of attacker’s Telegram channel was likely inspired by Live Universal Awareness Map (Liveuamap), a legitimate, well-known OSINT platform dedicated to mapping military incidents worldwide.
North Korea-aligned threat actors remained active on several fronts. Multiple groups continued targeting developers and the cryptocurrency ecosystem with social engineering schemes that can yield both direct financial gain and opportunities for software supply-chain compromise. ESET also uncovered the reemergence of the Andariel group in attacks against South Korea, where the group deployed TigerRAT and attempted to spread Rook ransomware within an engineering company that appears to manufacture equipment relevant to liquid hydrogen handling and the nuclear power industry – technologies that are obviously of interest to Pyongyang’s ballistic and nuclear ambitions.
Russia-aligned threat actors continued to focus overwhelmingly on Ukraine and entities connected to that country’s defense efforts. Sednit deployed its Covenant and BeardShell implants against Ukrainian military personnel, drone manufacturers, and organizations involved in drone research and development, while also targeting logistics and transportation companies outside Ukraine. Sandworm intensified destructive activity over the winter, deploying several new wipers in Ukraine against governmental and private sector targets. Particularly notable was a December 2025 data destruction incident affecting a Polish energy company, which ESET attributed to Sandworm with medium confidence.
ESET products protect our customers’ systems from the malicious activities described in this released report. Intelligence shared here is based mostly on proprietary ESET telemetry data and has been verified by ESET researchers, who prepare in-depth technical reports and frequent activity updates detailing activities of specific APT groups. These threat intelligence analyses, known as ESET APT Reports, assist organizations tasked with protecting citizens, critical national infrastructure, and high-value assets from criminal and nation-state-directed cyberattacks.
More information about ESET APT Reports, which deliver high-quality, strategic, actionable, and tactical cybersecurity threat intelligence, is available on the ESET Threat Intelligence page.
For more details about the mentioned and other APT groups’ activities, read the full APT Activity Report, “Conflict-informed espionage: Monitoring oil shipments, targeting drone makers,” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research.
About ESET
ESET® provides cutting-edge cybersecurity to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of emerging global cyberthreats, both known and unknown—securing businesses, critical infrastructure, and individuals. Whether it’s endpoint, cloud, or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. The ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit www.eset.com or follow our social media, podcasts, and blogs.