Full Report
An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q2 2025 and Q3 2025
Analysis Summary
This summarization extracts information for all mentioned threat actors based on the provided context. Note that for actors only mentioned in passing, the "Historical Activities and Campaigns" section draws upon the context provided for the reporting period (Q2-Q3 2025) rather than extensive historical archives.
---
# Threat Actor: PlushDaemon
## Attribution & Identity
China-aligned APT group.
Aliases: N/A
Associated Groups: Mentioned alongside SinisterEye, Evasive Panda, and TheWizards in the context of using Adversary-in-the-Middle (AiTM).
## Activity Summary
Observed increasing use of the adversary-in-the-middle (AiTM) technique for initial access and lateral movement during Q2-Q3 2025.
## Tactics, Techniques & Procedures
- Adversary-in-the-middle (AiTM) technique for initial access and lateral movement.
- [TBD - Specific MITRE ATT&CK IDs not provided in the context]
## Targeting
- Sectors: [Not specifically detailed for this actor alone]
- Geography: [Not specifically detailed for this actor alone]
- Victims: [Not specifically detailed for this actor alone]
## Tools & Infrastructure
- [Not specified in the context]
## Implications
Part of a broader trend among China-aligned groups advancing geopolitical objectives through advanced network infiltration techniques.
## Mitigations
- Implement robust defenses against Adversary-in-the-Middle attack vectors.
---
# Threat Actor: SinisterEye
## Attribution & Identity
China-aligned APT group.
Aliases: N/A
Associated Groups: Mentioned alongside PlushDaemon, Evasive Panda, and TheWizards in the context of using AiTM.
## Activity Summary
Observed increasing use of the adversary-in-the-middle (AiTM) technique for initial access and lateral movement during Q2-Q3 2025.
## Tactics, Techniques & Procedures
- Adversary-in-the-middle (AiTM) technique for initial access and lateral movement.
- [TBD - Specific MITRE ATT&CK IDs not provided in the context]
## Targeting
- Sectors: [Not specifically detailed for this actor alone]
- Geography: [Not specifically detailed for this actor alone]
- Victims: [Not specifically detailed for this actor alone]
## Tools & Infrastructure
- [Not specified in the context]
## Implications
Part of a broader trend among China-aligned groups advancing geopolitical objectives through advanced network infiltration techniques.
## Mitigations
- Implement robust defenses against Adversary-in-the-Middle attack vectors.
---
# Threat Actor: Evasive Panda
## Attribution & Identity
China-aligned APT group.
Aliases: N/A
Associated Groups: Mentioned alongside PlushDaemon, SinisterEye, and TheWizards in the context of using AiTM.
## Activity Summary
Observed increasing use of the adversary-in-the-middle (AiTM) technique for initial access and lateral movement during Q2-Q3 2025.
## Tactics, Techniques & Procedures
- Adversary-in-the-middle (AiTM) technique for initial access and lateral movement.
- [TBD - Specific MITRE ATT&CK IDs not provided in the context]
## Targeting
- Sectors: [Not specifically detailed for this actor alone]
- Geography: [Not specifically detailed for this actor alone]
- Victims: [Not specifically detailed for this actor alone]
## Tools & Infrastructure
- [Not specified in the context]
## Implications
Part of a broader trend among China-aligned groups advancing geopolitical objectives through advanced network infiltration techniques.
## Mitigations
- Implement robust defenses against Adversary-in-the-Middle attack vectors.
---
# Threat Actor: TheWizards
## Attribution & Identity
China-aligned APT group.
Aliases: N/A
Associated Groups: Mentioned alongside PlushDaemon, SinisterEye, and Evasive Panda in the context of using AiTM.
## Activity Summary
Observed increasing use of the adversary-in-the-middle (AiTM) technique for initial access and lateral movement during Q2-Q3 2025.
## Tactics, Techniques & Procedures
- Adversary-in-the-middle (AiTM) technique for initial access and lateral movement.
- [TBD - Specific MITRE ATT&CK IDs not provided in the context]
## Targeting
- Sectors: [Not specifically detailed for this actor alone]
- Geography: [Not specifically detailed for this actor alone]
- Victims: [Not specifically detailed for this actor alone]
## Tools & Infrastructure
- [Not specified in the context]
## Implications
Part of a broader trend among China-aligned groups advancing geopolitical objectives through advanced network infiltration techniques.
## Mitigations
- Implement robust defenses against Adversary-in-the-Middle attack vectors.
---
# Threat Actor: FamousSparrow
## Attribution & Identity
China-aligned APT group.
Aliases: N/A
Associated Groups: N/A
## Activity Summary
Embarked on a tour of Latin America during Q2-Q3 2025, targeting multiple governmental entities in the region. This activity appears to be a response to the Trump administration’s strategic interest in Latin America and possibly influenced by the US-China power struggle.
## Tactics, Techniques & Procedures
- [Not explicitly detailed beyond targeted nature of operations]
- [TBD - Specific MITRE ATT&CK IDs not provided in the context]
## Targeting
- Sectors: Governmental entities
- Geography: Latin America (multiple countries)
- Victims: [Not specifically detailed]
## Tools & Infrastructure
- [Not specified in the context]
## Implications
Directly involved in executing geopolitical objectives within the Latin American sphere of influence, suggesting increasing focus on nations within that region.
## Mitigations
- Organizations in Latin American governmental sectors should enhance security posture against state-sponsored intrusions.
---
# Threat Actor: Mustang Panda
## Attribution & Identity
China-aligned APT group.
Aliases: N/A
Associated Groups: N/A
## Activity Summary
Remained highly active in Southeast Asia, the United States, and Europe during the reporting period (Q2-Q3 2025).
## Tactics, Techniques & Procedures
- [Not explicitly detailed beyond geographic activity focus]
- [TBD - Specific MITRE ATT&CK IDs not provided in the context]
## Targeting
- Sectors: Governmental, engineering, and maritime transport sectors.
- Geography: Southeast Asia, United States, and Europe.
- Victims: [Not specifically detailed]
## Tools & Infrastructure
- [Not specified in the context]
## Implications
Maintains persistent focus on critical infrastructure (maritime transport) and governmental entities across multiple continents.
## Mitigations
- Focus on defense-in-depth strategies for engineering and maritime transport supply chains.
---
# Threat Actor: Flax Typhoon
## Attribution & Identity
China-aligned APT group.
Aliases: N/A
Associated Groups: N/A
## Activity Summary
Specifically targeted the healthcare sector in Taiwan by exploiting public-facing servers and deploying webshells for initial compromise during Q2-Q3 2025.
## Tactics, Techniques & Procedures
- Exploiting public-facing web servers.
- Deploying webshells.
- Frequently maintains SoftEther VPN infrastructure.
- Started using the open-source proxy BUUT.
- [TBD - Specific MITRE ATT&CK IDs not provided in the context]
## Targeting
- Sectors: Healthcare
- Geography: Taiwan
- Victims: Entities within the healthcare sector.
## Tools & Infrastructure
- Webshells
- SoftEther VPN infrastructure
- BUUT (Open-source proxy)
## Implications
Continues to prioritize critical civilian infrastructure (healthcare) in Taiwan using active exploitation of internet-facing services.
## Mitigations
- Immediately patch and secure all publicly facing web servers. Deploy robust defenses against webshell activity.
---
# Threat Actor: Speccom
## Attribution & Identity
China-aligned APT group.
Aliases: N/A
Associated Groups: N/A
## Activity Summary
Targeted the energy sector in Central Asia during Q2-Q3 2025. The presumed aim is to gain greater visibility into Chinese-funded operations and potentially reduce China's dependency on maritime imports.
## Tactics, Techniques & Procedures
- Utilization of the BLOODALCHEMY backdoor, which appears favored by several China-aligned threat actors.
- [TBD - Specific MITRE ATT&CK IDs not provided in the context]
## Targeting
- Sectors: Energy sector
- Geography: Central Asia
- Victims: Entities within the energy sector, likely those involved in or related to Chinese investment/operations.
## Tools & Infrastructure
- BLOODALCHEMY (Backdoor)
## Implications
Operations suggest intelligence gathering focused on monitoring or disrupting economic activities tied to Chinese state interests in Central Asia.
## Mitigations
- Implement advanced endpoint detection for known backdoors such as BLOODALCHEMY. Increase scrutiny of third-party access to energy sector assets in Central Asia.
---
# Threat Actor: MuddyWater
## Attribution & Identity
Iran-aligned APT group.
Aliases: N/A
Associated Groups: N/A
## Activity Summary
Continued to increase its spearphishing activity during Q2-Q3 2025. Adopted internal spearphishing, sending the emails from compromised inboxes inside the target organization, which achieved a notably high success rate.
## Tactics, Techniques & Procedures
- Spearphishing.
- Internal spearphishing (sending attacks from already compromised internal accounts).
- [TBD - Specific MITRE ATT&CK IDs not provided in the context]
## Targeting
- Sectors: [Not specified, but traditionally broad targets]
- Geography: [Not specified]
- Victims: [Not specified]
## Tools & Infrastructure
- [Not specified in the context]
## Implications
The refinement of spearphishing by using internal compromised mailboxes significantly increases the credibility and success rate of initial access attempts.
## Mitigations
- Extend email gateway filtering to internal mail, so that suspicious content or attachments in messages between internal accounts still trigger alerts. Enforce strict DMARC/SPF/DKIM policies.
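The internal-spearphishing pattern described above can be detected from mail-gateway telemetry rather than only from message content. The following Python is an added example, not ESET's code: it runs two checks over a constructed JSON-lines gateway log (field names, domain and thresholds are assumptions), flagging an authenticated mailbox that sends under another internal identity and a burst of attachment-bearing mail to recipients the mailbox has never written to.

```python
"""Detect internal spearphishing sent from a compromised mailbox.

Added example, not ESET's code. The input is a constructed mail-gateway log in
a hypothetical JSON-lines format; field names and thresholds are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example.org"      # assumed: the organisation's own domain
BURST_WINDOW = timedelta(hours=1)    # how close together messages must be
NEW_RECIPIENT_THRESHOLD = 5          # distinct never-before-mailed recipients

# Constructed log: alice's mailbox is compromised on 20 June and suddenly sends
# attachments to colleagues she has never written to, then spoofs the CEO.
SAMPLE_LOG = """\
{"ts": "2025-06-01T09:00:00", "auth_user": "alice@example.org", "from": "alice@example.org", "rcpts": ["bob@example.org"], "attachment": false}
{"ts": "2025-06-02T10:15:00", "auth_user": "alice@example.org", "from": "alice@example.org", "rcpts": ["bob@example.org", "carol@example.org"], "attachment": true}
{"ts": "2025-06-20T14:05:00", "auth_user": "alice@example.org", "from": "alice@example.org", "rcpts": ["dan@example.org", "eve@example.org", "fay@example.org"], "attachment": true}
{"ts": "2025-06-20T14:07:00", "auth_user": "alice@example.org", "from": "alice@example.org", "rcpts": ["gus@example.org", "hal@example.org", "ivy@example.org"], "attachment": true}
{"ts": "2025-06-20T14:09:00", "auth_user": "alice@example.org", "from": "ceo@example.org", "rcpts": ["finance@example.org"], "attachment": true}
{"ts": "2025-06-20T15:00:00", "auth_user": "bob@example.org", "from": "bob@example.org", "rcpts": ["alice@example.org"], "attachment": false}
"""


def parse_log(text):
    """Parse JSON lines into events sorted by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def detect_internal_spearphishing(events):
    """Return alerts as (rule, authenticated_mailbox, timestamp, detail)."""
    alerts = []
    known_rcpts = defaultdict(set)   # mailbox -> every recipient seen so far
    recent = defaultdict(list)       # mailbox -> (ts, new recipients) in window
    for e in events:
        user = e["auth_user"]
        # Rule 1: the authenticated mailbox sends under another internal
        # identity, which is what spoofing from a hijacked account looks like.
        if e["from"].endswith("@" + INTERNAL_DOMAIN) and e["from"] != user:
            alerts.append(("from_header_mismatch", user, e["ts"], e["from"]))
        # Rule 2: a burst of attachment-bearing mail to recipients this
        # mailbox has never written to before (fan-out from a hijacked inbox).
        new = set(e["rcpts"]) - known_rcpts[user]
        if e["attachment"] and new:
            recent[user].append((e["ts"], new))
            recent[user] = [(t, r) for t, r in recent[user]
                            if e["ts"] - t <= BURST_WINDOW]
            burst = set().union(*(r for _, r in recent[user]))
            if len(burst) >= NEW_RECIPIENT_THRESHOLD:
                alerts.append(("new_recipient_burst", user, e["ts"], sorted(burst)))
                recent[user].clear()   # one alert per burst
        known_rcpts[user].update(e["rcpts"])
    return alerts


if __name__ == "__main__":
    for alert in detect_internal_spearphishing(parse_log(SAMPLE_LOG)):
        print(*alert)
```

On the constructed log this yields one burst alert for alice's mailbox followed by one header-mismatch alert; bob's ordinary reply produces nothing.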
---
# Threat Actor: BladedFeline
## Attribution & Identity
Iran-aligned APT group.
Aliases: N/A
Associated Groups: Related to MuddyWater and GalaxyGato (all Iran-aligned).
## Activity Summary
Active during Q2-Q3 2025, adopting new infrastructure for its operations.
## Tactics, Techniques & Procedures
- Use of new infrastructure.
- [TBD - Specific MITRE ATT&CK IDs not provided in the context]
## Targeting
- Sectors: [Not specified]
- Geography: [Not specified]
- Victims: [Not specified]
## Tools & Infrastructure
- New infrastructure (details unspecified).
## Mitigations
- Monitor for connections to newly registered or suspicious domains/IPs associated with known Iran-aligned actors.
---
# Threat Actor: GalaxyGato
## Attribution & Identity
Iran-aligned APT group.
Aliases: N/A
Associated Groups: Related to MuddyWater and BladedFeline (all Iran-aligned).
## Activity Summary
Deployed an improved C5 backdoor. Introduced an interesting twist to its campaign by leveraging DLL-search-order hijacking to steal credentials during Q2-Q3 2025.
## Tactics, Techniques & Procedures
- Deployment of improved C5 backdoor.
- Credential theft via DLL-search-order hijacking.
- [TBD - Specific MITRE ATT&CK IDs not provided in the context]
## Targeting
- Sectors: [Not specified]
- Geography: [Not specified]
- Victims: [Not specified]
## Tools & Infrastructure
- C5 (Improved Backdoor)
## Implications
The deployment of novel lateral movement and persistence techniques (DLL hijacking) demonstrates continued capability development.
## Mitigations
- Harden executables against DLL search-order hijacking, particularly for legacy or custom applications.
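As an added example (not ESET's code and not tied to GalaxyGato's own implant), the following Python shows how DLL search-order hijacking can be caught in endpoint telemetry: it classifies constructed image-load records with Sysmon Event ID 7 field names, flagging a DLL that should resolve from a system directory but was loaded from elsewhere, and an unsigned DLL loaded from a user-writable path by a process that lives outside user-writable space. The baseline of system DLL names and the path heuristics are assumptions.

```python
"""Flag DLL loads that look like search-order hijacking.

Added example, not ESET's code and not tied to any specific implant. Input is
a constructed list of image-load records with Sysmon Event ID 7 field names;
the baseline of system DLL names and the path heuristics are assumptions.
"""
import ntpath

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
USER_WRITABLE_HINTS = ("\\users\\", "\\programdata\\", "\\temp\\")
# Assumed baseline: DLLs that should only ever resolve from a system directory.
SYSTEM_DLL_BASELINE = {"version.dll", "cryptbase.dll", "dbghelp.dll", "wininet.dll"}

# Constructed events (field names follow Sysmon Event ID 7, "Image loaded").
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\version.dll", "Signed": "false"},
    {"Image": r"C:\Users\j.doe\AppData\Local\Tool\tool.exe",
     "ImageLoaded": r"C:\Users\j.doe\AppData\Local\Tool\helper.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\ProgramData\Vendor\plugin.dll", "Signed": "false"},
]


def _norm(path):
    """Lower-case and use backslashes so comparisons are case-insensitive."""
    return path.replace("/", "\\").lower()


def _in_system_dir(path):
    return any(_norm(path).startswith(d + "\\") for d in SYSTEM_DIRS)


def _user_writable(path):
    return any(h in _norm(path) for h in USER_WRITABLE_HINTS)


def classify_load(event):
    """Return a finding label for one image-load record, or None."""
    dll = _norm(event["ImageLoaded"])
    name = ntpath.basename(dll)
    unsigned = str(event.get("Signed", "")).lower() != "true"
    if name in SYSTEM_DLL_BASELINE and not _in_system_dir(dll):
        # A DLL that should resolve from System32 was satisfied from the
        # application directory or another planted location first.
        return "system_dll_outside_system_dir"
    if unsigned and _user_writable(dll) and not _user_writable(event["Image"]):
        # A process installed outside user-writable space loads an unsigned
        # DLL from a directory any user could have written to.
        return "unsigned_dll_from_user_writable_path"
    return None


def find_hijack_candidates(events):
    """Run classify_load over all events; return (label, process, dll)."""
    findings = []
    for e in events:
        label = classify_load(e)
        if label:
            findings.append((label, ntpath.basename(_norm(e["Image"])), e["ImageLoaded"]))
    return findings


if __name__ == "__main__":
    for finding in find_hijack_candidates(SAMPLE_EVENTS):
        print(*finding)
```

A per-user tool loading its own unsigned helper from the same per-user directory (the third record) is deliberately not flagged, to keep the check from drowning in noise from legitimately user-installed software.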
---
# Threat Actor: Lazarus Group (and associated NK actors: DeceptiveDevelopment, Kimsuky, Konni)
## Attribution & Identity
North Korea-aligned threat actors (including Lazarus, DeceptiveDevelopment, Kimsuky, and Konni).
Aliases: N/A
Associated Groups: N/A
## Activity Summary
Targeted the cryptocurrency sector and expanded operations to Uzbekistan in recent months. Activities focused on espionage, advancing Pyongyang’s geopolitical priorities, and generating revenue for the regime.
- **Kimsuky:** Experimented with the ClickFix technique targeting diplomatic entities, South Korean think tanks, and academia.
- **Konni:** Used social engineering with an unusual focus on macOS systems.
- **Lazarus/DeceptiveDevelopment:** Conducted campaigns for espionage/revenue generation.
## Tactics, Techniques & Procedures
- Targeting cryptocurrency sector.
- **Kimsuky:** ClickFix technique (T1105 - Ingress Tool Transfer, potentially leveraging T1204 - User Execution).
- **Konni:** Social engineering specifically tailored toward macOS systems.
- [TBD - Specific MITRE ATT&CK IDs not provided in the context]
## Targeting
- Sectors: Cryptocurrency sector, diplomatic entities, South Korean think tanks, and academia.
- Geography: Expanded its observed scope to include Uzbekistan; generally targets organizations aligned against Pyongyang’s interests.
- Victims: Specific crypto exchanges/platforms (implied) and diplomatic offices.
## Tools & Infrastructure
- [Not specified, other than the techniques mentioned above]
## Implications
The expansion into Uzbekistan signals a geographic broadening of influence/targeting, while the focus on crypto remains a primary revenue stream. The focus on macOS by Konni suggests diversification away from Windows predominance.
## Mitigations
- Implement dedicated security monitoring for macOS endpoints targeted by social engineering. Increase telemetry coverage around cryptocurrency transfer systems.
---
# Threat Actor: RomCom
## Attribution & Identity
Russia-aligned APT group.
Aliases: N/A
Associated Groups: N/A
## Activity Summary
Exploited a zero-day vulnerability in WinRAR to deploy malicious DLLs and deliver backdoors. Activity focused predominantly on the financial, manufacturing, defense, and logistics sectors in the EU and Canada just prior to the vulnerability being reported and patched.
## Tactics, Techniques & Procedures
- Exploitation of a zero-day vulnerability in WinRAR (CVE identifier not provided in the context) to deploy malicious DLLs for backdoor delivery.
- Spearphishing remained a primary compromise method for Russia-aligned groups generally.
- [TBD - Specific MITRE ATT&CK IDs not provided in the context]
## Targeting
- Sectors: Financial, manufacturing, defense, and logistics.
- Geography: EU and Canada.
- Victims: Entities within specified critical sectors across the targeted geography.
## Tools & Infrastructure
- Various backdoors (payloads after initial exploitation).
- [Specific DLLs/Backdoors not named besides the resulting payload]
## Implications
Demonstrated capability to leverage potent zero-day vulnerabilities against widely used software (WinRAR) for high-value targeting in NATO-aligned economies.
## Mitigations
- Immediate application of vendor patches for software vulnerabilities is paramount. Focus on application hardening to limit DLL loading exploitation vectors.
---
# Threat Actor: Gamaredon
## Attribution & Identity
Russia-aligned APT group.
Aliases: N/A
Associated Groups: Evidenced cooperation with Turla.
## Activity Summary
Remained the most active APT group targeting Ukraine, showing a noticeable increase in the intensity and frequency of operations concurrent with a wider surge in Russia-aligned activity. Showed a rare instance of cooperation by selectively deploying one of Turla’s backdoors.
## Tactics, Techniques & Procedures
- Continual evolution of toolset, incorporating new file stealers and tunneling services.
- Selective use of Turla's backdoor.
- Spearphishing was the primary compromise method shared across Russia-aligned groups.
- [TBD - Specific MITRE ATT&CK IDs not provided in the context]
## Targeting
- Sectors: [Implied broad targeting within Ukraine]
- Geography: Ukraine (Primary focus).
- Victims: Broad targeting within Ukraine.
## Tools & Infrastructure
- New file stealers.
- Tunneling services.
- Backdoors sourced from Turla.
## Implications
The surge in activity and demonstrated cooperation with Turla suggest a coordinated, intensified Russian cyber campaign against Ukraine, possibly leveraging shared toolsets for efficiency.
## Mitigations
- Enhanced monitoring for known Turla backdoors and tunneling protocols. Increased volume monitoring for spearphishing lures.
---
# Threat Actor: Turla
## Attribution & Identity
Russia-aligned APT group.
Aliases: N/A
Associated Groups: Cooperated with Gamaredon.
## Activity Summary
A backdoor from Turla’s toolset was selectively deployed by Gamaredon during the reporting period, indicating active collaboration or sharing of tools/techniques within the Russia-aligned ecosystem.
## Tactics, Techniques & Procedures
- Toolset sharing/collaboration evidenced via Gamaredon deployment.
- [TBD - Specific MITRE ATT&CK IDs not provided in the context]
## Targeting
- Sectors: [Not specified for Turla directly in this context]
- Geography: [Not specified for Turla directly in this context]
- Victims: [Not specified for Turla directly in this context]
## Tools & Infrastructure
- Backdoors subsequently used by Gamaredon.
## Implications
Indicates a potential pooling of resources or increased interoperability among high-profile Russia-aligned actors.
## Mitigations
- Maintain up-to-date signatures for known Turla backdoors.
---
# Threat Actor: Sandworm
## Attribution & Identity
Russia-aligned APT group.
Aliases: N/A
Associated Groups: N/A
## Activity Summary
Focused on Ukraine during Q2-Q3 2025, but unlike others, its motives were focused on destruction rather than cyberespionage. Deployed data wipers targeting Ukrainian governmental entities, energy companies, logistics firms, and—notably—the grain sector, likely intending to weaken the Ukrainian economy.
## Tactics, Techniques & Procedures
- Deployment of data wipers (ZEROLOT, Sting).
- Spearphishing remained the primary compromise method shared across Russia-aligned groups.
- [TBD - Specific MITRE ATT&CK IDs not provided in the context]
## Targeting
- Sectors: Governmental entities, energy, logistics, and the grain sector.
- Geography: Ukraine.
- Victims: Entities whose disruption would cause economic damage.
## Tools & Infrastructure
- ZEROLOT (Data wiper)
- Sting (Data wiper)
## Implications
Shift in observable objectives from simple espionage toward deliberate destruction of economic capabilities, specifically impacting vital sectors like agriculture.
## Mitigations
- Prioritize immutable backups and robust offline recovery capabilities, especially for critical infrastructure and agricultural data.
---
# Threat Actor: InedibleOchotense
## Attribution & Identity
Russia-aligned APT group.
Aliases: N/A
Associated Groups: N/A
## Activity Summary
Conducted a spearphishing campaign impersonating ESET. The campaign used emails and Signal messages to deliver a trojanized ESET installer, which subsequently downloaded a legitimate ESET product alongside the Kalambur backdoor.
## Tactics, Techniques & Procedures
- Spearphishing campaign utilizing high-trust impersonation (ESET).
- Multi-channel delivery (Email and Signal messages).
- Delivery chain: Trojanized installer → Legitimate ESET product + Backdoor.
- [TBD - Specific MITRE ATT&CK IDs not provided in the context]
## Targeting
- Sectors: [Not specified]
- Geography: [Not specified]
- Victims: Targets that would recognize and trust an ESET installer prompt.
## Tools & Infrastructure
- Kalambur (Backdoor)
- Trojanized ESET installer.
- Signal messaging for delivery.
## Implications
This demonstrates the use of sophisticated social engineering tactics, leveraging trusted third-party brand names (ESET) and modern communication platforms (Signal) to bypass security controls.
## Mitigations
- Implement application control to restrict the execution of unsigned or unauthorized installers. Train users to verify vendor communications across multiple channels (e.g., comparing details in email/Signal against official communication channels).
---
# Threat Actor: FrostyNeighbor
## Attribution & Identity
Lesser-known group.
Aliases: N/A
Associated Groups: N/A
## Activity Summary
Conducted operations during Q2-Q3 2025 by exploiting an XSS vulnerability in Roundcube. Targeted Polish and Lithuanian companies using spearphishing emails impersonating Polish businesses. The structure of the emails (combination of bullet points and emojis) suggests possible use of AI in campaign generation.
## Tactics, Techniques & Procedures
- Exploiting XSS vulnerability in Roundcube webmail.
- Spearphishing emails impersonating Polish businesses.
- Distinctive use of bullet points and emojis, possibly AI-generated.
- Payload delivery included a credential stealer and an email message stealer.
- [TBD - Specific MITRE ATT&CK IDs not provided in the context]
## Targeting
- Sectors: Unspecified commercial entities.
- Geography: Poland and Lithuania.
- Victims: Polish and Lithuanian companies.
## Tools & Infrastructure
- Credential Stealer.
- Email Message Stealer.
## Implications
Indicates targeted, sector-specific cyberespionage operations using novel, potentially AI-assisted social engineering lures, coupled with exploiting common web application vulnerabilities.
## Mitigations
- Immediately patch Roundcube installations against known XSS vulnerabilities. Review user awareness training to flag spearphishing emails exhibiting anomalous stylistic elements (like specific emoji/bullet point combinations).
---
# Threat Actor: Wibag (Previously Unknown)
## Attribution & Identity
Previously unknown threat actor operating in Iraq.
Aliases: N/A
Associated Groups: Unknown, but the login page displays the logo of the Iraqi National Security Service (potentially impersonation or indicator of government compromise/use).
## Activity Summary
A new Android spyware family was identified targeting users in Iraq. It masquerades as the legitimate YouTube application.
## Tactics, Techniques & Procedures
- Masquerading as the YouTube application on Android.
- Capabilities include: keylogging, exfiltration of SMS messages, call logs, contacts, location data, screen recordings, and recordings of WhatsApp calls/regular phone calls.
- Admin login page displays the Iraqi National Security Service logo.
- [TBD - Specific MITRE ATT&CK IDs not provided in the context]
## Targeting
- Sectors: Mobile users.
- Geography: Iraq.
- Victims: End-users utilizing messaging and social media platforms.
## Tools & Infrastructure
- Wibag (Android Spyware).
- Targeted applications (data collection): Telegram, WhatsApp, Instagram, Facebook, Snapchat.
## Implications
A significant finding of sophisticated mobile surveillance capabilities in Iraq, potentially linked to state interests given the visual branding of the administrative panel.
## Mitigations
- Strictly enforce installing applications only from verified, official app stores. Deploy mobile security solutions capable of deep packet inspection and of detecting keylogging and location exfiltration by non-standard applications.