ESET experts discuss Sandworm’s new data wiper, UnsolicitedBooker’s relentless campaigns, attribution challenges amid tool-sharing, and other key findings from the latest APT Activity Report
Analysis Summary
# Threat Actor: Various APT Groups (Summary based on ESET APT Activity Report Q4 2024–Q1 2025)
## Attribution & Identity
The article summarizes findings related to several distinct threat actors:
* **UnsolicitedBooker:** China-aligned APT group.
* **Worok:** China-aligned APT group, noted for employing tool-sharing tactics.
* **LuckyMouse & TA428:** Groups associated with Worok through overlapping/shared toolsets.
* **Sednit:** Russia-aligned group.
* **Gamaredon:** Russia-aligned group.
* **Sandworm:** Russia-aligned group.
* **DeceptiveDevelopment:** Mentioned in the discussion topics.
* **MuddyWater & Lyceum:** Mentioned in the discussion topics regarding attribution challenges.
## Activity Summary
The report detailed activities spanning Q4 2024 to Q1 2025, highlighting:
* **UnsolicitedBooker:** Demonstrated high persistence, targeting the same organization repeatedly over several years to deploy its signature backdoor, MarsSnake.
* **Worok:** Engaging in tool-sharing activities, complicating attribution efforts by overlapping toolsets with groups like LuckyMouse and TA428.
* **Sednit (Operation RoundPress):** Expanded its focus from the Roundcube webmail service to include Horde, MDaemon, and Zimbra. It uses targeted emails and exploits vulnerabilities in these services, including cross-site scripting flaws.
* **Gamaredon:** Remained highly active in Ukraine, continuously refining its obfuscation methods.
* **Sandworm:** Intensified the deployment of data-wiping malware, recently using a new wiper named ZEROLOT multiple times. This wiper operates surgically, erasing specific files and directories rather than immediately destroying the entire system, which gives it time to complete its mission before the damage is noticed.
* General trend noted: Increasing malware sharing among China-aligned actors.
## Tactics, Techniques & Procedures
- Persistent targeting (UnsolicitedBooker).
- Using signature backdoors (MarsSnake by UnsolicitedBooker).
- Overlapping/shared toolsets to obfuscate attribution (Worok).
- Exploiting vulnerabilities in webmail services (Horde, MDaemon, Zimbra, Roundcube) by Sednit.
- Utilizing cross-site scripting (Sednit).
- Sophisticated obfuscation techniques (Gamaredon).
- Deploying surgical data-wiping malware (ZEROLOT by Sandworm).
- *Note: Specific MITRE ATT&CK IDs were not provided in the excerpt.*
## Targeting
* **Sectors:** Defense companies were explicitly targeted by Sednit. General targeting includes organizations using popular webmail platforms (Roundcube, Horde, MDaemon, Zimbra).
* **Geography:** Bulgaria and Ukraine were specifically mentioned as locations hosting targets of Sednit.
* **Victims:** The same organization targeted three times by UnsolicitedBooker; defense companies in Bulgaria and Ukraine targeted by Sednit.
## Tools & Infrastructure
- **Malware families used:**
* MarsSnake (Backdoor, associated with UnsolicitedBooker).
* ZEROLOT (Data-wiper, associated with Sandworm).
* WeaselStore, ClickFix (Associated with DeceptiveDevelopment).
- **Infrastructure (C2, domains, IPs):** No specific domains or IP addresses were provided in the article excerpt.
## Implications
The activities highlight the continued influence of geopolitical conflict on cyberspace, exemplified by groups like Sandworm deploying destructive wipers (ZEROLOT). Furthermore, the growing trend of tool-sharing, particularly among China-aligned actors (Worok), is significantly complicating threat attribution, as the operations of different groups become intertwined. Persistence remains a hallmark of certain actors (UnsolicitedBooker).
## Mitigations
- Monitor and secure webmail services (Roundcube, Horde, MDaemon, Zimbra) against exploitation, including XSS attempts (relevant for Sednit).
- Implement robust backup and recovery strategies to counter data-wiping attacks, ensuring backups are isolated from the primary network so a wiper cannot reach them (relevant for Sandworm/ZEROLOT).
- Organizations should be aware of the long-term and persistent targeting attempts by actors like UnsolicitedBooker.
- Organizations should be cautious of shared toolsets, as activity might be misattributed due to tool overlap between known groups (Worok, LuckyMouse, TA428).