ESET Report Reveals Global Cyber Threats from APT Groups


BRATISLAVA, Slovakia, Nov. 06, 2025 — ESET Research has released its newest APT Activity Report, covering the activities of selected Advanced Persistent Threat (APT) groups from April to September 2025. The report highlights the growth of cyber operations aligned with China's geopolitical strategy and intensified Russian cyberespionage, particularly against Ukraine.

During this period, ESET researchers observed an increased use of adversary-in-the-middle (AitM) techniques for initial access and lateral movement. They also noted a shift in China-aligned targeting toward Latin America, which appears to be a response to U.S. policies, particularly the Trump administration's renewed focus on the region amid the ongoing U.S.-China power struggle.

The report outlines significant attacks by the FamousSparrow group against governmental entities across Latin America. Taken together, these attacks represent a concentrated effort in the region, which ESET links to strategic interests shaped by current global political dynamics.

In Europe, Russia-aligned APT groups have intensified their cyberespionage operations against governmental entities, driven by the ongoing war in Ukraine. Notably, even the non-Ukrainian entities targeted by these groups had connections to Ukraine, underscoring the country's importance in Russia's intelligence agenda.

RomCom exploited a previously unknown (zero-day) vulnerability in the WinRAR archiver to deliver several backdoors, targeting the finance, defense, and logistics sectors in the EU and Canada. In contrast, the Gamaredon and Sandworm groups relied predominantly on spearphishing, which is far cheaper than acquiring and burning zero-day exploits.

Gamaredon remained particularly active against Ukraine, while Sandworm's operations were destructive rather than espionage-oriented, focusing on crippling sectors such as energy and grain production. This aligns with the broader objective of weakening Ukraine's economy during the ongoing hostilities.

The Belarus-aligned group FrostyNeighbor exploited a cross-site scripting (XSS) vulnerability in the Roundcube webmail client, delivered through spearphishing emails sent to Polish and Lithuanian businesses; the wording of those emails showed hallmarks of AI-generated text.

“Interestingly, one Russia-aligned threat actor, InedibleOchotense, impersonated ESET in a spearphishing campaign,” said Jean-Ian Boutin, Director of Threat Research at ESET. “The campaign involved emails delivering a trojanized version of ESET’s installer that included the Kalambur backdoor.”

In Asia, APT groups maintained focus on governmental bodies, as well as technology and manufacturing sectors, with North Korea-aligned actors particularly targeting cryptocurrency markets in South Korea.

Boutin noted further, “China-aligned groups continue to operate extensively across Asia, Europe, Latin America, and the U.S., aligning with Beijing’s geopolitical priorities.” FamousSparrow's sustained activity across Latin America reflects this concentrated operational focus, with significant attacks on governmental entities in countries including Argentina, Ecuador, Guatemala, Honduras, and Panama.

ESET’s findings are based on its proprietary telemetry data and are intended to help organizations protect critical infrastructure from state-directed cyber threats. The full report, with in-depth analyses and updates on APT group activities, is available on WeLiveSecurity.com.