Full Report
An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q4 2025 and Q1 2026
Analysis Summary
Based on the ESET APT Activity Report for Q4 2025–Q1 2026, here is the structured summary of the featured threat actors.
***
# Threat Actor: Lazarus Group (and sub-groups)
## Attribution & Identity
- **Actor Identity:** North Korea-aligned (DPRK).
- **Associated Groups:** Andariel (tracked by ESET as a Lazarus sub-group); DeceptiveDevelopment (tracked as a related but distinct North Korea-aligned cluster). Other North Korea-aligned groups covered in the report that are not part of Lazarus: Kimsuky, Konni, ScarCruft.
## Activity Summary
- **Operation DreamJob:** Targeting European drone manufacturers for espionage and intellectual property theft.
- **Operation DangerousPassword:** A major supply-chain attack involving the compromise of the **axios** JavaScript library.
- **Financial/Crypto Targeting:** Continued social engineering schemes targeting developers and the cryptocurrency ecosystem.
## Tactics, Techniques & Procedures
- **Supply Chain Compromise:** Gained access to the npm registry with the lead maintainer's compromised credentials and used that legitimate account to publish malicious versions of the library.
- **Trojan Injection:** Injected trojanized code into the `axios` library (MITRE ATT&CK T1195.001, Compromise Software Dependencies and Development Tools).
- **Social Engineering:** Long-term relationship building with high-value targets via social platforms (MITRE ATT&CK T1566.003, Spearphishing via Service).
- **Ransomware Deployment:** Attempted deployment of Rook ransomware via the Andariel sub-group.
## Targeting
- **Sectors:** Aerospace/Drones, Finance/Cryptocurrency, Defense, Engineering, Nuclear, Liquid Hydrogen, Gaming platforms.
- **Geography:** Europe, South Korea, China (Yanbian region).
- **Victims:** A European drone manufacturer; an engineering company in South Korea; users of the `axios` npm library (global).
## Tools & Infrastructure
- **Malware:** TigerRAT, Rook ransomware.
- **Infected Assets:** `axios` JavaScript library (npm).
## Implications
Lazarus continues to invest in high-impact supply-chain attacks. Compromising a library with roughly 100 million weekly downloads indicates an intent to achieve massive, indiscriminate reach across web and mobile applications globally. Because the malicious versions were published through the legitimate maintainer's account, publisher identity alone does not distinguish them from genuine releases; any consumer depending on a floating version range pulls them in automatically.
## Mitigations
- Enforce Multi-Factor Authentication (MFA) for all software maintainers and developers with registry access (npm, GitHub), since a stolen password alone was enough to publish under a trusted name.
- Implement a Software Bill of Materials (SBOM) and automated dependency scanning to detect unauthorized changes in third-party libraries. Pin exact versions in lockfiles and review any new transitive dependency or install-time script introduced by an upgrade before it reaches a build.
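The following is an added example of the kind of automated check the mitigation above describes; it is not code from the ESET report or from the axios project. It compares the manifest of a trusted baseline version of an npm package with a newly published version and flags the signals most often associated with a hijacked maintainer account: a new dependency, a new or changed install-time script, a changed entry point, or a publisher who is not among the baseline's maintainers. The two manifests are constructed for a hypothetical package `example-http`; the `maintainers` and `_npmUser` fields mirror what the npm registry returns in per-version metadata.

```python
"""Flag review-worthy changes between two published versions of an npm package.

Added example, not part of the ESET report. The manifests below are constructed
for a hypothetical package and do not describe any real release.
"""
import json

# Lifecycle hooks that execute code automatically when the package is installed.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Fields that decide which file runs when the package is required/imported.
ENTRY_FIELDS = ("main", "module", "browser", "exports")


def diff_manifests(baseline: dict, candidate: dict) -> list[str]:
    """Return findings that should block the candidate until a human reviews it."""
    findings: list[str] = []

    # 1. New or re-ranged dependencies: a hijacked release often pulls its
    #    payload in through a freshly added package rather than editing source.
    base_deps = baseline.get("dependencies", {})
    cand_deps = candidate.get("dependencies", {})
    for name, spec in sorted(cand_deps.items()):
        if name not in base_deps:
            findings.append(f"new dependency: {name}@{spec}")
        elif base_deps[name] != spec:
            findings.append(f"dependency range changed: {name} {base_deps[name]} -> {spec}")

    # 2. Install-time scripts run with the installing user's privileges on
    #    every `npm install`, so any addition or change is worth a look.
    base_scripts = baseline.get("scripts", {})
    cand_scripts = candidate.get("scripts", {})
    for hook in INSTALL_HOOKS:
        if cand_scripts.get(hook) and cand_scripts.get(hook) != base_scripts.get(hook):
            findings.append(f"install-time script {hook!r} added or changed: {cand_scripts[hook]}")

    # 3. A swapped entry point redirects every importer to attacker-chosen code.
    for field in ENTRY_FIELDS:
        if baseline.get(field) != candidate.get(field):
            findings.append(
                f"entry point {field!r} changed: {baseline.get(field)!r} -> {candidate.get(field)!r}"
            )

    # 4. Publisher not among the baseline's maintainers. Note the limit of this
    #    check: when the attacker holds the real maintainer's credentials, the
    #    publisher looks legitimate and only checks 1-3 can catch the release.
    known = {m.get("name") for m in baseline.get("maintainers", [])}
    publisher = candidate.get("_npmUser", {}).get("name")
    if publisher and publisher not in known:
        findings.append(f"published by {publisher!r}, not a maintainer of the baseline version")

    return findings


# Constructed baseline: the last version the team reviewed and pinned.
BASELINE = json.loads("""{
  "name": "example-http", "version": "1.0.0", "main": "index.js",
  "dependencies": {"follow-redirects": "^1.15.6", "form-data": "^4.0.0"},
  "scripts": {"test": "mocha"},
  "maintainers": [{"name": "lead-maintainer"}],
  "_npmUser": {"name": "lead-maintainer"}
}""")

# Constructed candidate: published from the same (compromised) account, adds a
# new dependency and a postinstall hook while leaving the entry point untouched.
CANDIDATE = json.loads("""{
  "name": "example-http", "version": "1.0.1", "main": "index.js",
  "dependencies": {"follow-redirects": "^1.15.6", "form-data": "^4.0.0",
                   "util-helpers-js": "^1.0.3"},
  "scripts": {"test": "mocha", "postinstall": "node lib/setup.js"},
  "maintainers": [{"name": "lead-maintainer"}],
  "_npmUser": {"name": "lead-maintainer"}
}""")

if __name__ == "__main__":
    for line in diff_manifests(BASELINE, CANDIDATE):
        print("REVIEW:", line)
```

In a pipeline this runs against the registry's version metadata for each bump that a lockfile update would introduce; the baseline is the version already in the lockfile. The constructed case deliberately passes the publisher check, illustrating why stolen maintainer credentials defeat identity-based checks and why the content-level signals, together with MFA on the account, carry the weight.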
***
# Threat Actor: Sandworm
## Attribution & Identity
- **Actor Identity:** Russia-aligned.
- **Known Associations:** Attributed to Russia's military intelligence service (GRU).
## Activity Summary
- Intensified destructive operations in Ukraine during the winter months.
- Conducted a rare destructive attack against critical infrastructure in a NATO member state (Poland) in December 2025.
## Tactics, Techniques & Procedures
- **Data Destruction:** Deployment of multiple new wiper variants (MITRE ATT&CK T1485).
- **Critical Infrastructure Disruption:** Targeting energy grids to strain power supplies.
## Targeting
- **Sectors:** Energy, Government, Private Sector.
- **Geography:** Ukraine, Poland (NATO).
- **Victims:** A Polish energy company.
## Tools & Infrastructure
- **Malware:** Several new (unnamed) wiper families.
## Implications
The attack on a Polish energy company marks a significant escalation in the willingness of Russia-aligned actors to conduct destructive operations against targets within NATO borders.
***
# Threat Actor: China-Aligned Groups (FamousSparrow, SteppeDriver, NegativeGlimmer, UNC5221)
## Attribution & Identity
- **FamousSparrow:** China-aligned.
- **SteppeDriver:** China-aligned.
- **NegativeGlimmer:** China-aligned.
- **UNC5221:** China-aligned cluster associated with the SPAWN toolset.
## Activity Summary
- **FamousSparrow:** Targeted Venezuelan maritime/oil interests following US intervention.
- **SteppeDriver:** Compromised Syrian governmental networks.
- **NegativeGlimmer:** Targeted strategic technology (AI/Robotics) and governmental entities.
## Tactics, Techniques & Procedures
- **Exploitation of Edge Devices:** Exploiting vulnerabilities in internet-facing Ivanti VPN appliances for initial access (MITRE ATT&CK T1190, Exploit Public-Facing Application).
- **Custom Implants:** Deployment of the SPAWN toolset and PhiliKit.
## Targeting
- **Sectors:** Government, Maritime, Energy, AI & Robotics, Oil/Gas.
- **Geography:** Venezuela, Syria, Cambodia, Panama, South Korea.
## Tools & Infrastructure
- **Malware:** PhiliKit (implant), SPAWN toolset.
- **Vulnerabilities:** Ivanti VPN appliance vulnerabilities.
***
# Threat Actor: Unattributed / Emerging Groups
## MoKhargosh & Rusty Boots
- **Activity:** Unusual spike in attacks against Israel.
- **Capabilities:** Espionage, with destructive potential demonstrated by the deployment of a bootkit-style wiper.
## MOØN Badr
- **Activity:** Targeted espionage against Israel.
## Asin (Spyware)
- **Activity:** Targets Arabic-speaking users via malicious Android apps claiming to be "conflict-trackers."