China-aligned APT Groups Target Global Maritime and Tech Sectors Amid Geopolitical Tensions

Severity: High (Score: 75.5)

Sources: Markets.Businessinsider, www.globenewswire.com, Feeds2.Feedburner, Welivesecurity

Published: 2026-05-28 · Updated: 2026-05-28

Keywords: eset, activity, report, groups, october, march, shipments

Severity indicators: apt

Summary

ESET's latest APT Activity Report reveals that from October 2025 to March 2026, China-aligned threat actors engaged in extensive espionage campaigns, particularly in Venezuela and the Gulf region. Following U.S. military operations, groups like FamousSparrow targeted Venezuelan maritime entities to monitor oil shipment resilience. Additionally, UNC5221's SPAWN malware was noted targeting governmental systems in Cambodia and Panama, as well as an AI and robotics firm in South Korea, aligning with China's strategic technology interests. Concurrently, North Korea-aligned groups like Andariel attacked the nuclear power sector, while Iran-aligned activities fluctuated due to internet restrictions amid ongoing conflict. ESET documented new clusters of activity against Israeli targets, indicating a rise in espionage and destructive capabilities. The report emphasizes the evolving nature of state-sponsored cyber threats in response to geopolitical developments. Key Points: • China-aligned APT groups targeted maritime and tech sectors in response to geopolitical events. • FamousSparrow and UNC5221 were involved in espionage campaigns against Venezuela and South Korea. • Iran-aligned activities decreased due to internet restrictions amid the ongoing war in Iran.

Detailed Analysis

**Impact** China-aligned APT groups targeted governmental entities and strategic industries across Venezuela, Syria, Cambodia, Panama, South Korea, and the Gulf region, focusing on maritime affairs, energy, AI, robotics, and political developments. North Korea-aligned actors attacked nuclear power and liquid hydrogen-related engineering firms in South Korea. Iran-aligned groups and proxies concentrated on Israel and the US, with destructive attacks including bootkit-style wipers. The affected sectors include maritime logistics, advanced technology manufacturing, energy infrastructure, and government networks across Asia, the Middle East, and Latin America. **Technical Details** Attack vectors include espionage malware families such as SPAWN (UNC5221), TigerRAT, Rook ransomware, and bootkit-style wipers. UNC5221’s SPAWN toolset targeted Ivanti VPN appliances, and the NegativeGlimmer subgroup compromised AI and robotics firms. Andariel deployed TigerRAT and ransomware against nuclear-related engineering companies. Lazarus campaigns exploited the widely used JavaScript library axios. Kill chain stages observed include initial access via social engineering and supply chain compromise, lateral movement, and data exfiltration. Specific CVEs were not detailed in the sources. **Recommended Response** Prioritize patching Ivanti VPN appliances and monitoring for SPAWN malware indicators. Deploy detections for TigerRAT, Rook ransomware, and bootkit-style wipers, focusing on lateral movement and persistence behaviors. Harden defenses around AI, robotics, maritime, and energy sector assets, including enhanced network segmentation and anomaly detection. Monitor for suspicious activity linked to known China-aligned and North Korea-aligned APT infrastructure. No additional specific CVE mitigations were provided.

Source articles (4)

Oil shipments, drone makers, and a poisoned code library targeted in recent APT campaigns — Feeds2.Feedburner · 2026-05-28
Geopolitical pressure drove much of the state- cyber activity recorded between October 2025 and March 2026, according to ESET’s latest APT Activity Report. Espionage groups aligned with China, North K…
ESET APT Activity Report Q4 2025–Q1 2026 — Welivesecurity · 2026-05-28
ESET APT Activity Report Q4 2025–Q1 2026 summarizes notable activities of selected advanced persistent threat (APT) groups documented by ESET researchers from October 2025 through March 2026. The oper…
ESET Research APT Report: China-aligned groups spy in Venezuela and the Gulf, target AI ... — Markets.Businessinsider · 2026-05-28
BRATISLAVA, Montreal, May 28, 2026 (GLOBE NEWSWIRE) -- ESET Research has released its latest APT Activity Report, which highlights activities of select APT groups that were documented by ESET research…
ESET APT Reports — www.globenewswire.com · 2026-05-28
Anticipate and outsmart global threats using ESET Threat Intelligence, built on curated data, deep APT research and hands-on expert insight. Visibility into global and emerging threats ESET’s unique t…

Timeline

2025-10-01 — Monitoring period begins: ESET researchers began tracking APT activities, focusing on geopolitical influences on cyber operations.
2026-02-28 — War in Iran begins: The conflict initiated significant changes in cyber activity from Iran-aligned groups due to internet restrictions.
2026-03-01 — FamousSparrow targets Venezuelan entity: FamousSparrow conducted espionage against a Venezuelan governmental entity related to maritime affairs.
2026-03-15 — UNC5221 targets South Korean tech: UNC5221's SPAWN malware targeted an AI and robotics company in South Korea, reflecting strategic interests.
2026-05-28 — ESET APT Activity Report published: ESET released findings on APT activities from late 2025 to early 2026, highlighting geopolitical impacts on cyber threats.
2026-05-28 — Increased activity against Israel: ESET documented a spike in cyber activity against Israeli targets, including new, unattributed threat clusters.

Related entities

Andariel (Apt Group)
Apt28 (Apt Group)
Apt29 (Apt Group)
Apt36 (Apt Group)
Blue Callisto (Apt Group)
BlueCharlie (Apt Group)
Callisto (Apt Group)
ColdRiver (Apt Group)
Cozy Bear (Apt Group)
DeceptiveDevelopment (Apt Group)
EmberBear (Apt Group)
FamousSparrow (Apt Group)
Fancy Bear (Apt Group)
Forest Blizzard (Apt Group)
GRU (Apt Group)
InvisiMole (Apt Group)
Kimsuky (Apt Group)
Konni (Apt Group)
Lazarus (Apt Group)
Lorec53 (Apt Group)
LorecBear (Apt Group)
MoKhargosh (Apt Group)
MOØN Badr (Apt Group)
NegativeGlimmer (Apt Group)
Nobelium (Apt Group)
Rusty Boots (Apt Group)
Sandworm (Apt Group)
ScarCruft (Apt Group)
Seaborgium (Apt Group)
Sednit (Apt Group)
Sofacy (Apt Group)
Star Blizzard (Apt Group)
SteppeDriver (Apt Group)
Storm-0978 (Apt Group)
Ta471 (Apt Group)
Tropical Scorpius (Apt Group)
Turla (Apt Group)
Unc2589 (Apt Group)
Unc2596 (Apt Group)
Unc5221 (Apt Group)
Zebrocy (Apt Group)
Snake (Malware)
Asin (Malware)
BeardShell (Malware)
Industroyer (Malware)
Olympic Destroyer (Malware)
Spawn (Malware)
TigerRAT (Malware)
Whispergate (Malware)
Cobalt Strike (Malware)
Lonepage (Malware)
Malware (Attack Type)
Phishing (Attack Type)
Ransomware (Attack Type)
Supply Chain Attack (Attack Type)
Operation DangerousPassword (Campaign)
Operation DreamJob (Campaign)
Operation Texonto (Campaign)
Democratic National Committee (Company)
TV5Monde (Company)
World Anti-Doping Agency (Company)
Armenia (Country)
Belarus (Country)
Cambodia (Country)
China (Country)
Georgia (Country)
Greece (Country)
Iran (Country)
Israel (Country)
Japan (Country)
Lithuania (Country)
North Korea (Country)
Panama (Country)
Poland (Country)
Russia (Country)
Serbia (Country)
Slovakia (Country)
South Korea (Country)
Syria (Country)
Türkiye (Country)
Ukraine (Country)
United Arab Emirates (Country)
United States (Country)
Venezuela (Country)
Vietnam (Country)
Cuba (Country)
CWE-287 - Improper Authentication (Cwe)
Cwe-79 - Cross-site Scripting (xss) (Cwe)
welivesecurity.com (Domain)
Energy (Industry)
Financial (Industry)
Government (Industry)
Technology (Industry)
Transportation (Industry)
Covenant (Tool)
Reverse Proxy Tools (Tool)
Spawn Toolset (Tool)
T1059.001 - PowerShell (Mitre Attack)
T1078 - Valid Accounts (Mitre Attack)
T1566 - Phishing (Mitre Attack)
Android (Platform)
Axios (Platform)
Ivanti VPN Appliances (Platform)
Npm Registry (Platform)
Windows (Platform)
Tor (Platform)
Rook (Ransomware Group)