Back

Geopolitical APT Campaigns Target Key Industries Amid Rising Tensions

Severity: High (Score: 73.0)

Sources: Welivesecurity, www.eset.com, Feeds2.Feedburner

Published: 2026-05-28 · Updated: 2026-05-28

Keywords: eset, activity, report, groups, october, march, shipments

Severity indicators: apt

Summary

ESET's APT Activity Report for Q4 2025 to Q1 2026 reveals intensified espionage activities by state-aligned threat actors from China, North Korea, Iran, and Russia. Notable incidents include China's FamousSparrow targeting Venezuelan maritime entities and SteppeDriver compromising Syrian governmental networks. North Korean groups continued attacks on cryptocurrency sectors. The report highlights a decline in Iranian APT activity due to internet restrictions amid the ongoing war in Iran, while hacktivist groups increased targeting of Israel and the U.S. The report also mentions the emergence of new tools like PhiliKit, aimed at Ivanti VPN appliances. Overall, the geopolitical landscape significantly influenced the focus and methods of these cyber operations. Key Points: • China-aligned groups targeted Venezuelan and Syrian governmental entities. • Iran-aligned APT activity declined due to internet restrictions during the Iran war. • New malware PhiliKit identified targeting Ivanti VPN appliances.

Detailed Analysis

**Impact** Governmental entities in Venezuela, Syria, Cambodia, Panama, and Israel were targeted, along with strategic industries such as maritime, energy, advanced technology, and drone manufacturing sectors across Asia, the Middle East, and Europe. The cryptocurrency ecosystem and software supply chains were also affected, including the compromise of the widely used JavaScript library axios with over 100 million weekly downloads. Data at risk includes espionage-related intelligence, industrial secrets, and potentially destructive payloads capable of disrupting operations in oil shipments, nuclear-related engineering, and AI/robotics development. **Technical Details** Attack vectors included social engineering, exploitation of Ivanti VPN appliances via the PhiliKit implant, and supply chain compromise through the axios JavaScript library. Malware and tools observed include bootkit-style wipers, TigerRAT, Rook ransomware, and implants associated with groups such as FamousSparrow, SteppeDriver, UNC5221, Lazarus, and newly identified clusters Rusty Boots, MoKhargosh, and MOØN Badr. The campaigns involved espionage, destructive payload deployment, and long-term relationship building, with infrastructure spanning multiple countries and targeting both governmental and commercial networks. **Recommended Response** Apply patches to Ivanti VPN appliances and monitor for indicators related to PhiliKit and other known malware families such as TigerRAT and Rook ransomware. Deploy detections for unusual bootkit activity and monitor network traffic for signs of supply chain compromise, especially involving JavaScript libraries like axios. Harden configurations on critical infrastructure in maritime, energy, and advanced technology sectors, and increase monitoring of proxy and hacktivist activity targeting geopolitical hotspots. Further specific IOCs were not provided in the source material.

Source articles (3)

  • Oil shipments, drone makers, and a poisoned code library targeted in recent APT campaigns — Feeds2.Feedburner · 2026-05-28
    Geopolitical pressure drove much of the state- cyber activity recorded between October 2025 and March 2026, according to ESET’s latest APT Activity Report. Espionage groups aligned with China, North K…
  • ESET APT Activity Report Q4 2025–Q1 2026 — Welivesecurity · 2026-05-28
    ESET APT Activity Report Q4 2025–Q1 2026 summarizes notable activities of selected advanced persistent threat (APT) groups documented by ESET researchers from October 2025 through March 2026. The oper…
  • ESET Threat Intelligence — www.eset.com · 2026-05-28
    Anticipate and outsmart global threats using ESET Threat Intelligence, built on curated data, deep APT research and hands-on expert insight. Visibility into global and emerging threats ESET’s unique t…

Timeline

  • 2025-10-01 — ESET APT Activity Report period begins: ESET begins monitoring APT activities from October 2025, focusing on geopolitical influences.
  • 2026-02-28 — War in Iran begins: The conflict in Iran starts, impacting APT operations and internet access for Iranian groups.
  • 2026-05-28 — ESET APT Activity Report published: ESET releases findings on APT activities, highlighting significant geopolitical influences on cyber operations.

Related entities

  • Andariel (Apt Group)
  • Apt28 (Apt Group)
  • Apt29 (Apt Group)
  • Apt36 (Apt Group)
  • Blue Callisto (Apt Group)
  • BlueCharlie (Apt Group)
  • Callisto (Apt Group)
  • ColdRiver (Apt Group)
  • Cozy Bear (Apt Group)
  • DeceptiveDevelopment (Apt Group)
  • EmberBear (Apt Group)
  • FamousSparrow (Apt Group)
  • Fancy Bear (Apt Group)
  • Forest Blizzard (Apt Group)
  • GRU (Apt Group)
  • InvisiMole (Apt Group)
  • Kimsuky (Apt Group)
  • Konni (Apt Group)
  • Lazarus (Apt Group)
  • Lorec53 (Apt Group)
  • LorecBear (Apt Group)
  • MoKhargosh (Apt Group)
  • MOØN Badr (Apt Group)
  • NegativeGlimmer (Apt Group)
  • Nobelium (Apt Group)
  • Rusty Boots (Apt Group)
  • Sandworm (Apt Group)
  • ScarCruft (Apt Group)
  • Seaborgium (Apt Group)
  • Sednit (Apt Group)
  • Sofacy (Apt Group)
  • Star Blizzard (Apt Group)
  • SteppeDriver (Apt Group)
  • Storm-0978 (Apt Group)
  • Ta471 (Apt Group)
  • Tropical Scorpius (Apt Group)
  • Turla (Apt Group)
  • Unc2589 (Apt Group)
  • Unc2596 (Apt Group)
  • Unc5221 (Apt Group)
  • Zebrocy (Apt Group)
  • Snake (Malware)
  • Asin (Malware)
  • Industroyer (Malware)
  • Olympic Destroyer (Malware)
  • TigerRAT (Malware)
  • Whispergate (Malware)
  • BeardShell (Malware)
  • Cobalt Strike (Malware)
  • Lonepage (Malware)
  • Malware (Attack Type)
  • Phishing (Attack Type)
  • Ransomware (Attack Type)
  • Supply Chain Attack (Attack Type)
  • Operation DangerousPassword (Campaign)
  • Operation DreamJob (Campaign)
  • Operation Texonto (Campaign)
  • Democratic National Committee (Company)
  • TV5Monde (Company)
  • World Anti-Doping Agency (Company)
  • Armenia (Country)
  • Belarus (Country)
  • Cambodia (Country)
  • China (Country)
  • Georgia (Country)
  • Greece (Country)
  • Iran (Country)
  • Israel (Country)
  • Japan (Country)
  • Lithuania (Country)
  • North Korea (Country)
  • Panama (Country)
  • Poland (Country)
  • Russia (Country)
  • Serbia (Country)
  • Slovakia (Country)
  • South Korea (Country)
  • Syria (Country)
  • Türkiye (Country)
  • Ukraine (Country)
  • United Arab Emirates (Country)
  • United States (Country)
  • Venezuela (Country)
  • Vietnam (Country)
  • Cuba (Country)
  • CWE-287 - Improper Authentication (Cwe)
  • Cwe-79 - Cross-site Scripting (xss) (Cwe)
  • Financial (Industry)
  • Government (Industry)
  • Technology (Industry)
  • T1059.001 - PowerShell (Mitre Attack)
  • T1078 - Valid Accounts (Mitre Attack)
  • T1566 - Phishing (Mitre Attack)
  • Axios (Platform)
  • Ivanti VPN Appliances (Platform)
  • Npm Registry (Platform)
  • Windows (Platform)
  • Tor (Platform)
  • Rook (Ransomware Group)
  • Covenant (Tool)
  • Reverse Proxy Tools (Tool)
  • Spawn Toolset (Tool)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed