SECURITY NEWS
Russian cyberattacks in Ukraine intensify; Sandworm unleashes new destructive wiper
ESET Research has released its latest
APT Activity Report, which highlights activities of select APT groups that were documented by ESET researchers from October 2024 through March 2025. During the monitored period, Russia-aligned threat actors, notably Sednit and Gamaredon, maintained aggressive campaigns primarily targeting Ukraine and EU countries.
Ukraine was subjected to the greatest intensity of cyberattacks against the country’ s critical infrastructure and governmental institutions. The Russiaaligned Sandworm group intensified destructive operations against Ukrainian energy companies, deploying a new wiper named ZEROLOT. China-aligned threat actors continued engaging in persistent espionage campaigns with a focus on European organisations.
Gamaredon remained the most prolific actor targeting Ukraine, enhancing malware obfuscation and introducing PteroBox, a file stealer leveraging Dropbox. The infamous Sandworm group concentrated heavily on compromising Ukrainian energy
Ukraine was subjected to the greatest intensity of cyberattacks against the country’ s critical infrastructure.
infrastructure. In recent cases, it deployed the ZEROLOT wiper in Ukraine. For this, the attackers abused Active Directory Group Policy in the affected organisations, says ESET Director of Threat Research Jean-Ian Boutin.
Several Sednit attacks against defence companies located in Bulgaria and Ukraine used spear phishing email campaigns as a lure. Another Russia-aligned group, RomCom, demonstrated advanced capabilities by deploying zero-day exploits against Mozilla Firefox, CVE 2024 9680 and Microsoft Windows, CVE 2024 49039.
In Asia, China-aligned APT groups continued their campaigns against governmental and academic institutions. At the same time, North Korea-aligned threat actors significantly increased their operations directed at South Korea, placing particular emphasis on individuals, private companies, embassies, and diplomatic personnel. Mustang Panda remained the most active, targeting governmental institutions and maritime transportation companies via Korplug loaders and malicious USB drives.
Elsewhere in Asia, North Koreaaligned threat actors were particularly active in financially motivated campaigns. DeceptiveDevelopment significantly broadened its targeting, using fake job listings primarily within the cryptocurrency, blockchain, and finance sectors. The group employed innovative social engineering techniques to distribute the multiplatform WeaselStore malware.
The Bybit cryptocurrency theft, attributed by the FBI to TraderTraitor APT group, involved a supply-chain compromise of Safe { Wallet } that caused losses of approximately USD 1.5 billion. Meanwhile, other North Korea-aligned groups saw fluctuations in their operational tempo:
In early 2025, Kimsuky and Konni returned to their usual activity levels after a noticeable decline at the end of 2024, shifting their targeting away from English-speaking think tanks, NGOs, and North Korea experts to focus primarily on South Korean entities and diplomatic personnel; and Andariel resurfaced, after a year of inactivity, with a sophisticated attack against a South Korean industrial software company.
Iran-aligned APT groups maintained their primary focus on the Middle East region, predominantly targeting governmental organisations and entities within the manufacturing and engineering sectors in Israel. Additionally, ESET observed a significant global uptick in cyberattacks against technology companies, largely attributed to increased activity by North Korea-aligned DeceptiveDevelopment. •
INTELLIGENT TECH CHANNELS 13