Geopolitical Tensions Spill Over into the Digital World

ESET has released its APT report for April to September 2025, highlighting intensified cyber activity linked to global geopolitical agendas. The report notes that China-linked groups targeted government entities in Latin America, while Russia-linked actors expanded operations against Ukraine and several EU countries, including an ESET-impersonation spearphishing campaign by InedibleOchotense.

ESET APT Activity Report Published (April to September 2025)

ESET Research has released its latest APT Activity Report, highlighting the operations of selected APT groups documented by ESET researchers between April and September 2025. During the monitored period, China-linked APT groups continued to advance Beijing’s geopolitical objectives. ESET observed that the FamousSparrow group increasingly used an adversary-in-the-middle technique for both initial access and lateral movement. Likely in response to the Trump administration’s renewed strategic interest in Latin America, and influenced by the ongoing US-China power struggle, FamousSparrow launched an offensive in Latin America and targeted multiple government institutions across the region. Across Europe, government entities remained the main focus of cyber espionage as Russia-linked APT groups intensified operations against Ukraine and several EU member states.

Russia-Linked APT Groups: Operations Intensify in Ukraine and Europe

Notably, even targets outside Ukraine displayed strategic or operational links to Ukraine, reinforcing the view that the country remains at the center of Russia’s intelligence efforts. RomCom exploited a zero-day vulnerability in WinRAR to deliver malicious DLLs and deployed various backdoors targeting the finance, manufacturing, defense, and logistics sectors in the EU and Canada. Because zero-day exploits are costly, both Gamaredon and Sandworm used the much cheaper spearphishing technique as their primary attack method. Gamaredon remained the most active APT group targeting Ukraine, with a notable increase in both the intensity and frequency of its operations. Sandworm also focused on Ukraine, but unlike Gamaredon’s cyber espionage activity, its operations were destructive in nature. It largely targeted the government, energy, logistics, and grain sectors, with the likely aim of weakening Ukraine’s economy.

Belarus-Linked FrostyNeighbor: XSS Exploit and Suspected AI-Assisted Spearphishing

The Belarus-linked FrostyNeighbor group exploited an XSS vulnerability in Roundcube. Companies in Poland and Lithuania were targeted with spearphishing emails impersonating Polish companies. The emails featured a structure that resembled AI-generated content, with a distinctive combination of bullet points and emojis, which suggests that AI may have been used in the campaign. The delivered payloads included a credential stealer and an email message stealer.

ESET-Impersonation Attack: InedibleOchotense and the Kalambur Backdoor

ESET Director of Threat Research Jean-Ian Boutin stated: “Interestingly, InedibleOchotense, a Russia-linked threat actor, ran a spearphishing campaign impersonating ESET. The campaign included emails and Signal messages containing a trojanized ESET installer which led to the download of a legitimate ESET product along with the Kalambur backdoor. China-linked groups remain highly active, with campaigns recently observed by ESET researchers in Asia, Europe, Latin America, and the United States. This global reach shows that China-linked threat actors continue to be mobilized to support Beijing’s current geopolitical priorities.”

Targets in Asia: Government Institutions, Technology, and Cryptocurrency-Focused Operations

In Asia, APT groups continued to target government institutions, as well as the technology, engineering, and manufacturing sectors, as in the previous reporting period. North Korea-linked threat actors remained highly active in operations targeting South Korea and the technology sector, particularly cryptocurrency, which is a key revenue source for the regime.

FamousSparrow’s “Latin America Tour”: Government Institutions in Focus

ESET also observed that between June and September, FamousSparrow conducted multiple operations in Latin America, primarily targeting government institutions. These activities represent a significant portion of the operations ESET attributed to the group during this period and indicate that the region has been the group’s main operational focus in recent months. They may be partly linked to the renewed interest of the Trump administration in Latin America and the ongoing US-China power struggle in the region. Overall, victims observed during FamousSparrow’s “Latin America tour” included multiple government institutions in Argentina, a government institution in Ecuador, a government institution in Guatemala, multiple government institutions in Honduras, and a government institution in Panama.

ESET Threat Intelligence and the Purpose of the Reports

ESET products protect customers’ systems from the malicious activity described in this report. The intelligence shared here is primarily based on ESET’s proprietary telemetry data. It has also been validated by ESET researchers who produce in-depth technical reports detailing the operations of specific APT groups, as well as frequent activity updates. These threat intelligence analyses, known as ESET APT Reports, help organizations tasked with protecting citizens, critical national infrastructure, and high-value assets from cyberattacks conducted by criminals and state actors.

Further Information

For more information about ESET APT Reports and ESET’s high-quality, actionable tactical and strategic cybersecurity threat intelligence, please visit the ESET Threat Intelligence page.
https://antivirus.com.tr/eset-apt-faaliyet-raporu-2025-2-ve-3-ceyrek/