LIVE NEWSROOM · --:-- · May 30, 2026

ESET APT Report: China Spies on Gulf Oil, North Korea Hits axios npm


The ESET APT Activity Report Q4 2025–Q1 2026, authored by Jean-Ian Boutin, Director of Threat Research at ESET, documents six months of nation-state intrusion activity from October 2025 through March 2026 — and its central finding is unambiguous: China-aligned threat actors generated the largest share of recorded attacks across the entire period. The outbreak of war in Iran in late February 2026 became the defining geopolitical event of the window, reshaping not only Iranian cyber operations but creating intelligence vacuums in the Gulf energy sector that Beijing's operators moved quickly to fill.

// 01 ESET APT Report: China-Aligned Groups Dominate Q1 2026 Espionage Activity

APT (Advanced Persistent Threat) is an industry term for well-resourced, state-linked hacking groups that conduct long-running intrusion campaigns against strategic targets — as opposed to opportunistic cybercriminals chasing quick profit. The latest ESET APT report catalogues activity across four nation-state clusters: China, North Korea, Russia, and Iran.

China-aligned groups claimed the largest volume of recorded attacks between October 2025 and March 2026. Their targeting follows the logic of Beijing's economic and geopolitical priorities: maritime and energy intelligence, reconstruction opportunity mapping, and the systematic collection of intellectual property tied to the Made in China 2025 industrial policy — the state programme directing China to dominate high-technology sectors including AI, robotics, and advanced manufacturing by 2025 and beyond.

Four distinct China-aligned groups figure prominently in the report:

  • FamousSparrow targeted a Venezuelan government body overseeing maritime affairs in January 2026. China purchases approximately 50% of Venezuela's oil exports; ESET assesses the intrusion was designed to monitor the resilience of Venezuelan oil shipments following US military intervention in Venezuela — an operation in direct service of Beijing's energy supply-chain visibility.
  • SteppeDriver reached Syrian governmental networks in February 2026, a move ESET links to Chinese commercial interest in Syria's post-conflict reconstruction and concern over Uyghur fighters operating in the region.
  • UNC5221 exploited Ivanti VPN (Virtual Private Network) appliances — network edge devices used by enterprises and governments to provide remote access — using a toolkit called SPAWN to gain persistent access to governmental entities in Cambodia and Panama. The SPAWN toolset is a modular implant framework that UNC5221 has deployed specifically against internet-facing Ivanti products, enabling long-term, low-noise access to compromised networks.
  • NegativeGlimmer compromised governmental entities in Cambodia and Panama — overlapping geographically with UNC5221 — and separately breached an AI and robotics company in South Korea. The South Korean target is a direct signal of Made in China 2025 IP (intellectual property) collection priorities; advanced robotics and AI research represent exactly the technology domains Beijing's industrial policy seeks to absorb.

China-aligned operators were also active across Gulf states during the period, collecting intelligence on maritime logistics and energy industries — activity that accelerated after the Iranian war began disrupting regional supply chains.

ESET APT Q4 2025–Q1 2026 — Four nation-state clusters, key targets, and techniques

// 02 FamousSparrow and the Maritime Intelligence Playbook

The FamousSparrow intrusion into Venezuela's maritime oversight authority is among the most geopolitically direct examples of intelligence collection in the entire report. Venezuela supplies China with oil under long-term agreements; China represents roughly half of Venezuela's crude export market. When US military forces intervened in Venezuela, Beijing needed immediate visibility into whether those oil flows would be disrupted. Rather than wait for diplomatic channels, FamousSparrow operators moved against the government body responsible for monitoring Venezuelan shipping.

This pattern — using cyber operations to answer specific strategic questions about commodity supply chains — is what ESET researchers describe as "conflict-informed espionage." The timing of each intrusion is not random; it maps to real-world events creating intelligence gaps that Beijing's operators are tasked to fill.

In the Gulf states, China-aligned groups ran parallel operations against maritime and energy sector targets, again following the logic of oil market disruption and supply-chain uncertainty caused by the Iran war. ESET's report links the Gulf activity explicitly to the instability generated by the Iranian conflict — as Iran-aligned cyber operators went partially offline, China-aligned groups moved into the resulting intelligence vacuum.

For defenders in the maritime and energy sectors, this means the threat model is not opportunistic. The TTPs (Tactics, Techniques, and Procedures — the methods attackers use, catalogued in the MITRE ATT&CK framework) deployed by FamousSparrow and NegativeGlimmer are targeted, patient, and shaped by specific questions Beijing needs answered about physical commodity flows.

// 03 North Korea Targets Supply Chains and Drone Manufacturers

North Korea's cyber programme ran three distinct operational tracks during the period, each with a different financial or intelligence objective.

The most technically significant development was the compromise of the axios JavaScript library on npm by the DeceptiveDevelopment cluster (also tracked as Operation DangerousPassword). The npm (Node Package Manager) supply chain refers to the open-source JavaScript package ecosystem that millions of developers pull as dependencies into their applications. Axios is one of the most widely used HTTP client libraries in the world, with approximately 100 million weekly downloads. DeceptiveDevelopment operators used social engineering — specifically targeting developers with trojanized job offers and fake code-review tasks, a TTP documented across multiple DPRK campaigns — to introduce a backdoored update into the axios package. Any project that updated to the poisoned version would silently pull in North Korean malware alongside legitimate code.

This follows a pattern ESET has documented in prior periods and mirrors earlier DPRK npm attacks reported by BleepingComputer across 2024 and 2025.

Andariel, a North Korean sub-group specialising in espionage and revenue generation, deployed TigerRAT — a remote access trojan providing persistent command-and-control over infected hosts — combined with Rook ransomware against a South Korean engineering firm manufacturing liquid hydrogen and nuclear power equipment. The dual-tool approach is characteristic of Andariel: espionage access (TigerRAT) runs in parallel with financial extraction (Rook ransomware), either as simultaneous goals or as a fail-safe revenue stream if the espionage objective is disrupted.

Operation DreamJob — Lazarus Group's long-running campaign offering fake employment opportunities to targeted professionals — pivoted to European drone manufacturers during this period. Targets receive job offers relevant to their field; the lure documents or interview assignments carry malicious payloads. Drone manufacturing expertise is a direct strategic target given the prominence of unmanned aerial systems in the Ukraine conflict.

ScarCruft used a different approach: compromising the Yanbian gaming platform to target North Korean refugees and defectors — a domestic-facing intelligence operation aimed at surveilling diaspora communities rather than collecting foreign IP.

// 04 Russia's Destructive Campaign Expands Beyond Ukraine

Russia's operational picture is defined by Sandworm, the hacking unit of Russia's GRU military intelligence directorate. Sandworm intensified destructive operations against Ukrainian critical infrastructure across the period, deploying three distinct wiper malware families: ZeroRays, NAUGHTYWIPE, and DynoWiper. Wiper malware is specifically designed to destroy data and render systems inoperable — unlike ransomware, which encrypts data for a ransom payment, wipers have no recovery mechanism. Their deployment signals pure destructive intent.

The expansion beyond Ukraine is the critical escalation: in December 2025, Sandworm hit a Polish energy company. Poland is a NATO member. ESET attributes this intrusion with medium confidence to Sandworm — meaning the technical evidence points to Sandworm TTPs and tooling, but without the corroborating human-intelligence confirmation that would raise attribution to high confidence. An attack on NATO energy infrastructure, even at medium-confidence attribution, is a material escalation in Russia's cyber posture.

Sednit (also known as APT28 and Fancy Bear, operated by a separate GRU unit) focused on Ukrainian military targets, drone manufacturers, R&D organisations, and logistics networks — deploying Covenant (an open-source adversary-simulation framework repurposed for real intrusions) and BeardShell, a custom implant providing persistent access. Our earlier coverage of APT28's targeting of Western logistics networks supporting Ukraine documents the sustained operational tempo of this cluster.

// 05 Iran-Linked Actors Hobbled by Regime's Own Internet Restrictions

The outbreak of war in Iran in late February 2026 produced a paradox: Iran-aligned APT groups — which typically maintain sustained intrusion campaigns against Israeli, US, and Gulf targets — saw a drop in recorded activity during and after the conflict's onset. The Iranian regime imposed internet restrictions during the conflict, disrupting the operational infrastructure that Iran-aligned threat actors depend on for command-and-control communications, staging, and coordination.

The operational gap was partially filled by pro-Iranian hacktivist and proxy groups, which escalated attacks on Israeli and US targets — lower-sophistication but higher-volume disruption operations that do not require the same infrastructure as a state APT campaign.

This is a documented intelligence phenomenon: when a nation-state's own internet controls impair its offensive cyber units, proxy groups compensate with noisier, less targeted activity. For defenders, the practical effect is a shift from targeted spearphishing and persistent implants toward DDoS (Distributed Denial-of-Service) attacks, defacement, and disruptive but less technically sophisticated intrusions.

// 06 What Security Teams Should Do Right Now

The ESET APT report for Q4 2025–Q1 2026 translates into concrete defensive actions across several control domains:

  • Audit Ivanti VPN appliances immediately. UNC5221's SPAWN toolset has been deployed specifically against Ivanti edge devices. Verify all Ivanti Connect Secure and Policy Secure instances are patched to current versions, review authentication logs for anomalous access patterns, and consider network segmentation to limit lateral movement from the VPN termination point.
  • Audit npm dependencies for axios and related packages. Run npm audit across all JavaScript projects and verify the installed axios version against the official npm registry. Implement a software bill of materials (SBOM) — a machine-readable inventory of all dependencies — and integrate integrity checks into CI/CD pipelines so trojaned package updates trigger alerts before deployment.
  • Hunt for Sandworm wiper indicators on OT and energy infrastructure. Organisations in the energy sector — especially those with any operational technology (OT) or industrial control system (ICS) exposure — should hunt for ZeroRays, NAUGHTYWIPE, and DynoWiper indicators. ESET's published threat intelligence and MITRE ATT&CK entries for Sandworm (G0034) provide starting points for detection rules.
  • Treat drone manufacturing and aerospace R&D as high-priority targets for phishing defence. Operation DreamJob is active against European drone manufacturers. Sednit is targeting drone and R&D organisations with Covenant and BeardShell. Security awareness training for engineers in these sectors should specifically address fake job-offer lures delivered via LinkedIn and email.
  • Apply geopolitical context to threat modelling. The ESET APT report demonstrates that intrusion timing correlates directly with geopolitical events — oil supply disruptions, military interventions, post-conflict reconstruction windows. Threat intelligence teams at energy, maritime, and governmental organisations should map their threat model to current geopolitical flashpoints, not just the previous quarter's CVE list.
  • Monitor for Andariel dual-track indicators. The TigerRAT plus Rook ransomware combination means defenders at engineering and industrial firms in South Korea and allied nations should look for both espionage-grade implant behaviour (low-and-slow C2 beacon traffic) and ransomware staging (volume shadow copy deletion, rapid encryption of file shares) simultaneously — the two goals may be running in parallel on the same network.
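One way to put the npm recommendation into a pipeline, as an added example that is not code from the ESET report or the Ciphers Security team: it compares what is installed in node_modules with what package-lock.json pins and flags version drift, missing integrity hashes, and tarballs resolved from somewhere other than the official registry. The lockfile and installed-version data below are constructed stand-ins with placeholder versions and hashes; a real run would load both from disk.

```javascript
// Added example (not code from the ESET report or Ciphers Security): a CI gate comparing
// node_modules with package-lock.json. Inputs are constructed inline; a real pipeline reads them with fs.
const OFFICIAL_REGISTRY = "https://registry.npmjs.org/";
// Constructed stand-in for the "packages" map of a lockfileVersion 3 package-lock.json (placeholder versions/hashes).
const SAMPLE_LOCK = {
  "node_modules/axios": {
    version: "1.7.9",
    resolved: "https://registry.npmjs.org/axios/-/axios-1.7.9.tgz",
    integrity: "sha512-PLACEHOLDER_AXIOS_HASH",
  },
  "node_modules/left-pad": {
    version: "1.3.0",
    resolved: "https://mirror.example.invalid/left-pad-1.3.0.tgz", // not the official registry
    integrity: "sha512-PLACEHOLDER_LEFTPAD_HASH",
  },
  "node_modules/lodash": {
    version: "4.17.21",
    resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
    // no integrity field: npm cannot verify the tarball hash on install
  },
};
// Constructed stand-in for the "version" field of each installed package's package.json.
const SAMPLE_INSTALLED = {
  "node_modules/axios": "1.7.10", // newer than the lockfile pin: drift
  "node_modules/left-pad": "1.3.0",
  "node_modules/lodash": "4.17.21",
};

// Returns a list of findings; an empty list means the installed tree matches the lockfile.
function checkLockfile(lockPackages, installed) {
  const findings = [];
  for (const [key, entry] of Object.entries(lockPackages)) {
    if (key === "") continue; // the root project entry has no tarball to verify
    const name = key.replace(/^.*node_modules\//, ""); // also handles nested node_modules paths
    if (!entry.integrity) findings.push({ name, issue: "no-integrity" });
    if (entry.resolved && !entry.resolved.startsWith(OFFICIAL_REGISTRY))
      findings.push({ name, issue: "non-official-registry", detail: entry.resolved });
    const have = installed[key];
    if (have === undefined) findings.push({ name, issue: "not-installed" });
    else if (have !== entry.version)
      findings.push({ name, issue: "version-drift", detail: `installed ${have}, lock ${entry.version}` });
  }
  return findings;
}

// Pipeline entry point: prints each finding and returns false so the job can fail before deploy.
function ciGate(lockPackages, installed) {
  const findings = checkLockfile(lockPackages, installed);
  findings.forEach((f) => console.error(`[lockfile-check] ${f.name}: ${f.issue}`, f.detail || ""));
  return findings.length === 0; // false: fail the job before deploy
}
```

In a CI job, set process.exitCode to 1 when ciGate returns false so the step blocks the build; pair it with npm ci, which refuses to install when package.json and the lockfile disagree.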

// 07 Background: Understanding Conflict-Informed APT Targeting

The ESET APT report introduces a useful analytical frame — "conflict-informed espionage" — that deserves brief unpacking for teams building threat models. Traditional threat intelligence tends to categorise APT activity by sector (targeting energy, targeting defence) or by technique (phishing, supply chain, VPN exploitation). Conflict-informed espionage adds a third dimension: timing.

The FamousSparrow Venezuela intrusion did not happen because Venezuelan maritime authorities became suddenly interesting to China-aligned threat actors. It happened because a specific geopolitical event — US military intervention in Venezuela — created a specific intelligence question Beijing needed answered about oil shipment resilience. The cyber operation is the answer to that question.

This pattern applies across all four clusters in the report: Sandworm's Polish energy attack followed NATO military support decisions; Andariel's targeting of hydrogen and nuclear equipment producers follows North Korea's own energy and weapons priorities; DeceptiveDevelopment's npm supply chain attack follows the DPRK's documented need to generate hard currency through cryptocurrency theft enabled by developer-targeting campaigns. See also our coverage of China-nexus covert network operations and DPRK npm malware dependency attacks for additional context on these operational patterns.

For defenders, the implication is that headline geopolitical events — wars, sanctions, military interventions, major technology-policy announcements — should trigger a review of whether your organisation falls in the new target set those events create. If your company sits in the Gulf energy sector, or manufactures drone components, or handles liquid hydrogen supply chains, the Q4 2025–Q1 2026 period was specifically dangerous for you whether or not you knew it at the time.

// 08 Conclusion

The ESET APT report covering October 2025 through March 2026 documents a period in which China-aligned groups dominated recorded espionage activity, North Korea demonstrated the reach and impact of npm supply-chain attacks, Russia escalated destructive wiper operations into NATO territory, and Iran's own internet restrictions paradoxically degraded its cyber capabilities. Security teams should prioritise Ivanti VPN patching, axios dependency verification, Sandworm wiper hunting, and — most importantly — updating their threat models to reflect the geopolitical events of the past six months.

The full report is available at WeLiveSecurity.


See our related coverage: Shadow Earth 053: China Espionage Across Asia and NATO and APT28 GRU Western Logistics Ukraine Espionage.

For any query contact us at contact@cipherssecurity.com

    Team Ciphers Security

    The Ciphers Security editorial team — practitioners covering daily threat intel, CVE deep-dives, and hands-on cybersecurity research.
