ESET Research APT Report: Russian cyberattacks in Ukraine intensify; Sandworm unleashes new destructive wiper


Mid East Info, 22-05-2025
ESET has released its latest advanced persistent threat (APT) report.
Russian APT groups intensified attacks against Ukraine and the EU, exploiting zero-day vulnerabilities and deploying wipers.
China-aligned groups like Mustang Panda and DigitalRecyclers continued their espionage campaigns targeting the EU government and maritime sectors.
North Korea-aligned groups expanded their financially motivated campaigns using fake job listings and social engineering.
ESET Research has released its latest APT Activity Report, which highlights activities of select APT groups that were documented by ESET researchers from October 2024 through March 2025. During the monitored period, Russia-aligned threat actors, notably Sednit and Gamaredon, maintained aggressive campaigns primarily targeting Ukraine and EU countries. Ukraine was subjected to the greatest intensity of cyberattacks against the country's critical infrastructure and governmental institutions. The Russia-aligned Sandworm group intensified destructive operations against Ukrainian energy companies, deploying a new wiper named ZEROLOT. China-aligned threat actors continued engaging in persistent espionage campaigns with a focus on European organizations.
Gamaredon remained the most prolific actor targeting Ukraine, enhancing malware obfuscation and introducing PteroBox, a file stealer leveraging Dropbox. 'The infamous Sandworm group concentrated heavily on compromising Ukrainian energy infrastructure. In recent cases, it deployed the ZEROLOT wiper in Ukraine. For this, the attackers abused Active Directory Group Policy in the affected organizations,' says ESET Director of Threat Research Jean-Ian Boutin.
Sednit refined its exploitation of cross-site scripting vulnerabilities in webmail services, expanding Operation RoundPress from Roundcube to include Horde, MDaemon, and Zimbra. ESET discovered that the group successfully leveraged a zero-day vulnerability in MDaemon Email Server (CVE-2024-11182) against Ukrainian companies. Several Sednit attacks against defense companies located in Bulgaria and Ukraine used spearphishing email campaigns as a lure. Another Russia-aligned group, RomCom, demonstrated advanced capabilities by deploying zero-day exploits against Mozilla Firefox (CVE-2024-9680) and Microsoft Windows (CVE-2024-49039).
In Asia, China-aligned APT groups continued their campaigns against governmental and academic institutions. At the same time, North Korea-aligned threat actors significantly increased their operations directed at South Korea, placing particular emphasis on individuals, private companies, embassies, and diplomatic personnel. Mustang Panda remained the most active, targeting governmental institutions and maritime transportation companies via Korplug loaders and malicious USB drives. DigitalRecyclers continued targeting EU governmental entities, employing the KMA VPN anonymization network and deploying the RClient, HydroRShell, and GiftBox backdoors. PerplexedGoblin used its new espionage backdoor, which ESET named NanoSlate, against a Central European government entity, while Webworm targeted a Serbian government organization using SoftEther VPN, emphasizing the continued popularity of this tool among China-aligned groups.
Elsewhere in Asia, North Korea-aligned threat actors were particularly active in financially motivated campaigns. DeceptiveDevelopment significantly broadened its targeting, using fake job listings primarily within the cryptocurrency, blockchain, and finance sectors. The group employed innovative social engineering techniques to distribute the multiplatform WeaselStore malware. The Bybit cryptocurrency theft, attributed by the FBI to TraderTraitor APT group, involved a supply-chain compromise of Safe{Wallet} that caused losses of approximately USD 1.5 billion. Meanwhile, other North Korea-aligned groups saw fluctuations in their operational tempo: In early 2025, Kimsuky and Konni returned to their usual activity levels after a noticeable decline at the end of 2024, shifting their targeting away from English-speaking think tanks, NGOs, and North Korea experts to focus primarily on South Korean entities and diplomatic personnel; and Andariel resurfaced, after a year of inactivity, with a sophisticated attack against a South Korean industrial software company.
Iran-aligned APT groups maintained their primary focus on the Middle East region, predominantly targeting governmental organizations and entities within the manufacturing and engineering sectors in Israel. Additionally, ESET observed a significant global uptick in cyberattacks against technology companies, largely attributed to increased activity by North Korea-aligned DeceptiveDevelopment.
'The highlighted operations are representative of the broader threat landscape that we investigated during this period. They illustrate the key trends and developments, and contain only a small fraction of the cybersecurity intelligence data provided to customers of ESET APT reports,' adds Boutin.
Intelligence shared in the private reports is primarily based on proprietary ESET telemetry data and has been verified by ESET researchers, who prepare in-depth technical reports and frequent activity updates detailing activities of specific APT groups. These threat intelligence analyses, known as ESET APT Reports PREMIUM, assist organizations tasked with protecting citizens, critical national infrastructure, and high-value assets from criminal and nation-state-directed cyberattacks. More information about ESET APT Reports PREMIUM and its delivery of high-quality, actionable tactical and strategic cybersecurity threat intelligence is available at the ESET Threat Intelligence page.
Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research.
About ESET
ESET® provides cutting-edge digital security to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of emerging global cyberthreats, both known and unknown— securing businesses, critical infrastructure, and individuals. Whether it's endpoint, cloud or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. The ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit www.eset.com or follow our social media, podcasts and blogs.
Related Articles

The hidden risks of browser extensions – and how to stay safe - Middle East Business News and Information
Mid East Info, 9 hours ago

Phil Muncaster, guest writer at ESET, explains that not all browser add-ons are handy helpers – some may contain far more than you have bargained for.

What would we do without the web browser? For most of us, it's our gateway to the digital world. But browsers are such a familiar tool today that we're in danger of giving them a free ride. In fact, there are plenty of rogue extensions masquerading as legitimate ad blockers, AI assistants, or even security tools that are designed to steal our data, send us to malicious sites and flood our screen with popups. For example, earlier this year, a malicious campaign was uncovered that may have impacted dozens of extensions and compromised nearly three million users. Next time you're thinking about downloading a web browser add-on, think through the following risks.

Why extensions matter

Browser extensions are an increasingly popular vehicle for threat actors. They give attackers access to a vast amount of sensitive information, and people often trust these add-ons, especially if they're downloaded from official sources. Extensions also provide multiple avenues for monetization and malicious activity, give attacks a better chance of success, and are a threat in corporate settings too, where they often stay under the radar of security teams and tools. By installing an extension and granting it permissions, you could unwittingly be enabling malicious actors to access your most sensitive data – everything from browsing history to saved logins and session cookies, which could be abused to hijack your accounts.

When browsers go bad

A 2023 risk assessment of 300,000 browser extensions and third-party OAuth applications used in corporate environments revealed that half (51%) of the former were high risk and could potentially have caused 'extensive damage.' So how could they end up on your machine?

Malware may be hidden in legitimate-looking browser extensions, like those purporting to be ad blockers, PDF converters or even security enhancements. They could be packaged up and placed on browser stores for unwitting users to download, bundled with other software, shared through deceptive links or uploaded to platforms outside your official web store, where hackers rely on users 'sideloading' in order to target them. Sideloading is particularly dangerous because third-party stores don't feature the kind of security reviews and other checks that official marketplaces have in place. That means they're more likely to feature harmful add-ons spoofed to appear legitimate. Alternatively, threat actors could hijack or acquire a legitimate extension and use it to send malicious updates to its entire user base. Sometimes, extensions can seem legitimate, but on activation will be programmed to install new payloads with malicious capabilities.

What can malicious extensions do?

The nefarious actions run the gamut and include:

• Stealing data, including usernames and passwords, browsing history, session cookies (which can be used to access your accounts without needing a password) and financial information. This may be sourced from your clipboard or browser, or obtained via keylogging as you type it in. The end goal is usually to either sell that data on the dark web, or use it directly to hijack accounts and commit identity fraud.
• Directing you to malicious or risky websites that may harbor malware, including infostealers and banking Trojans. Other sites may be spoofed to appear as if a legitimate brand, but are actually designed to harvest your personal and financial information and/or logins.
• Injecting unwanted ads and possibly malware into your browsing experience. Ads could be monetized by threat actors, while malware may be designed to steal credentials or harvest other lucrative personal data for identity fraud.
• Backdooring your browser so that they can access your machine at any time in the future.
• Mining for cryptocurrency without your knowledge, something that can slow down or even wear out your machine completely.

Staying safe

To mitigate these risks, caution is always advised when you're on the hunt for a new extension. First of all, stick to legitimate web stores and closely scrutinize any new add-on. That might include checking the developer's credentials, reading reviews of the product and searching separately for it to see if it has been connected to any suspicious or malicious behavior in the past. Look closely too at its permissions. If it requests any that seem to go beyond what is needed for the product, it should be a red flag. As is the case with, for example, mobile apps, not many extensions should need access to your passwords or browsing data. Additional tips to keep yourself safe include:

• Keep your browser updated so it's on the latest, more secure version at all times. This means it will be better protected against potential malware.
• Switch on multi-factor authentication on all your online accounts – that will go a long way toward keeping you safe even if a malicious browser extension does steal your passwords.
• To make your web browsing experience safer in general, consider using a secured browser mode that is offered together with other security-enhancing features by some security vendors. This mode comes in particularly handy when you perform financial and crypto transactions in your browser. Enhanced Safe Browsing in some common web browsers can also help you steer clear of malicious sites.
• Importantly, use security software from a reputable vendor, and perform periodic scans to check for anything suspicious running on your computer. It will go a long way towards preventing you from downloading malware from third-party sites, or being redirected to a phishing site.

Every piece of software we install, no matter how small, comes with an element of trust; indeed, this trust may be particularly significant with browser extensions, as they operate directly within your gateway to the internet. Think carefully about the value or convenience that an extension provides versus the potential risk. Ultimately, the goal is to make informed choices about the add-ons you allow into your digital space. Be sure to source your browser extensions and, indeed, all other software from reliable providers.
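The article's advice to look closely at an extension's permissions can be turned into a concrete pre-install check. The script below is an added example, not code from the article, from ESET or from any browser vendor: it reads an extension's manifest.json (the file every Chrome- and Firefox-style extension ships), collects the API permissions and host patterns it requests across both Manifest V2 and V3 layouts, and flags the ones that expose exactly the data the article names (browsing history, session cookies, page content, network traffic). The risk grouping and the three sample manifests are constructed for this example and are not a published standard.

```python
import json
from typing import Dict, List

# Risk labels below are this example's own (hypothetical) grouping, chosen to match the
# data the article names: browsing history, session cookies, saved logins, page content.
SENSITIVE_API_PERMISSIONS: Dict[str, str] = {
    "cookies": "reads and writes cookies, including session cookies that let an attacker hijack accounts",
    "history": "reads the full browsing history",
    "tabs": "sees the URL and title of every open tab",
    "webRequest": "observes every network request the browser makes",
    "webRequestBlocking": "can modify or block every network request",
    "declarativeNetRequest": "can rewrite requests and responses (ad or malware injection)",
    "scripting": "can inject scripts into web pages",
    "clipboardRead": "reads the clipboard",
    "nativeMessaging": "talks to native programs outside the browser sandbox",
    "debugger": "attaches the DevTools debugger to pages",
    "proxy": "can route all traffic through a proxy of its choosing",
    "management": "can enumerate, enable and disable other extensions",
}

# Permissions that on their own justify a 'high' rating (example's own choice).
SEVERE = {"cookies", "proxy", "nativeMessaging", "debugger", "webRequestBlocking"}

# Host patterns that cover every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def requested_hosts(manifest: dict) -> List[str]:
    """Collect every host pattern the manifest asks for.

    Manifest V2 mixes host patterns into 'permissions'; V3 moves them to
    'host_permissions'. Content scripts declare their own 'matches' list.
    """
    hosts: List[str] = []
    for key in ("permissions", "optional_permissions",
                "host_permissions", "optional_host_permissions"):
        for entry in manifest.get(key, []):
            if entry == "<all_urls>" or "://" in entry:
                hosts.append(entry)
    for script in manifest.get("content_scripts", []):
        hosts.extend(script.get("matches", []))
    return hosts


def audit_manifest(manifest: dict) -> dict:
    """Return the risky permissions found and an overall rating (low/medium/high)."""
    findings: List[str] = []
    api_perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))

    for perm in sorted(api_perms):
        if perm in SENSITIVE_API_PERMISSIONS:
            findings.append(f"permission '{perm}': {SENSITIVE_API_PERMISSIONS[perm]}")

    broad = sorted({h for h in requested_hosts(manifest) if h in BROAD_HOST_PATTERNS})
    for pattern in broad:
        findings.append(f"host pattern '{pattern}': can read and modify every site you visit")

    # Broad host access plus script injection means the extension can act on any page:
    # read forms, swap links, exfiltrate what you type.
    can_inject = "scripting" in api_perms or bool(manifest.get("content_scripts"))
    if broad and can_inject:
        findings.append("runs code on every site: broad host access combined with script injection")

    if broad or api_perms & SEVERE:
        risk = "high"
    elif findings:
        risk = "medium"
    else:
        risk = "low"

    return {"name": manifest.get("name", "?"),
            "manifest_version": manifest.get("manifest_version"),
            "findings": findings, "risk": risk}


def audit_manifest_json(text: str) -> dict:
    """Same as audit_manifest, but takes the raw manifest.json text."""
    return audit_manifest(json.loads(text))


# Constructed sample manifests for the example (not real extensions).
PDF_CONVERTER_MV2 = {
    "manifest_version": 2, "name": "Free PDF Converter",
    "permissions": ["<all_urls>", "cookies", "history", "tabs", "webRequest", "webRequestBlocking"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
}
NOTES_MV3 = {
    "manifest_version": 3, "name": "Quick Notes",
    "permissions": ["storage", "alarms"],
}
SITE_HELPER_MV3 = {
    "manifest_version": 3, "name": "Example.com Helper",
    "permissions": ["scripting", "activeTab"],
    "host_permissions": ["https://example.com/*"],
}

if __name__ == "__main__":
    for m in (PDF_CONVERTER_MV2, NOTES_MV3, SITE_HELPER_MV3):
        report = audit_manifest(m)
        print(f"{report['name']} (MV{report['manifest_version']}): {report['risk']}")
        for finding in report["findings"]:
            print("  -", finding)
```

The point of the combined check at the end is that a single permission rarely tells the whole story: a "PDF converter" that asks for all hosts and also injects a content script can read everything on every page, which is the data theft the article describes, whereas a helper scoped to one site with a scripting permission is a much smaller ask. Run it on the manifest.json inside an unpacked extension directory before deciding whether the permission set matches what the product claims to do.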

Sanctions or deal - World - Al-Ahram Weekly
Al-Ahram Weekly, 17 hours ago

The revival of nuclear negotiations between Iran and Europe is intended to avoid imposing sanctions on Tehran again in October, but there are doubts surrounding the outcome. Iran has returned to the negotiating table less than two months after the Israeli-American war targeting its nuclear facilities and other military and civilian sites. On Friday, Iranian officials met officials from Britain, France, Germany and the EU at the Iranian consulate in Istanbul, Turkey. The three European countries, known as the E3, along with Russia and China, are the parties that remain in the Joint Comprehensive Plan of Action (JCPOA) signed with Tehran in 2015. The other party to the deal, the US, withdrew unilaterally from the agreement in 2018. Under the JCPOA, Iran had agreed to curb its nuclear programme in exchange for global sanctions relief. Lifting the UN-imposed sanctions has a deadline of 18 October 2025, unless the E3 trigger what is called a 'snapback' a month before the deadline. In a bid to avoid triggering a snapback by 18 September, negotiations with Iran have been launched. Prior to the Istanbul meeting, the Iranians met with Russian and Chinese representatives in Tehran to discuss the same issue. Though no outcome for these meetings was announced, Moscow and Beijing are believed to side with Iran rather than the West. Before the 12-day war between Israel and Iran in mid-June, the US and Iran held five rounds of indirect talks brokered by the Sultanate of Oman. Negotiations collapsed when Israel started bombing Iran and Iran retaliated by bombing Israel. Later, towards the end of the war, America launched an air force attack on Iranian nuclear facilities. The European signatories of the JCPOA were sidelined during the American-Iranian negotiations. Despite this, the E3 want to help revive those negotiations to restore the 2015 deal with the Americans re-joining it, or to reach a new deal to stop Iran from enriching uranium to a weapons-grade level.

Iran is also keen to reach a deal to avoid suffocating sanctions. A Dubai-based commentator told Al-Ahram Weekly that, despite Iranian statements about its 'strong position', Iran's economy is in dire straits and Tehran cannot afford more sanctions. 'Even basic services are deteriorating. Look at the water shortage in the last few days and how high temperatures have forced the government to announce a public holiday to ration water,' he said. But militants in Iran, including hard-line members of parliament, feel that negotiations with the Americans and the West are futile. They do not consider Europeans to be so different from Americans, as they collectively support Israeli aggression against Iran. A European representative went to Istanbul ready to offer Iran a six-month extension of the deadline for the re-imposition of international sanctions if it agrees to conditions including resuming talks with Washington and cooperating with the UN nuclear inspectors, the International Atomic Energy Agency (IAEA). Iran is asking for guarantees that any negotiation should respect its sovereign right to continue nuclear activity for peaceful purposes, including uranium enrichment. It also wants negotiations to focus mainly on the nuclear issue and sanctions, not extending to its ballistic missile programme. Towards the end of the indirect talks, the Trump administration switched positions and called for a complete halt to uranium enrichment, rather than enrichment to the lower level used to produce fuel for power reactors. In response to America's withdrawal from the JCPOA seven years ago, Iran had increased its enrichment activity beyond what was agreed in the deal in 2015. The deal stipulated enriching uranium to 3.67 per cent, with a limit on the amount produced. The IAEA later said that Iranian enrichment reached 60 per cent. Israel has been claiming that this level is close to the 90 per cent purity needed to produce a nuclear bomb. Iran has always denied it is seeking to develop nuclear weapons.

Nothing concrete came out of the meeting with the E3, except for the agreement to continue talks. The Europeans set a deadline for the talks, the end of August, if they are not to trigger a snapback. After the meeting in Istanbul, Iranian Deputy Foreign Minister Kazem Gharibabadi posted on X that Iran and the E3 held 'serious, frank, and detailed' talks, exchanging specific proposals on sanctions relief, the nuclear file, and the controversial snapback mechanism. Gharibabadi led the Iranian delegation at the talks. The Europeans also demanded that Iran provide clarifications for 400 kilogrammes of enriched uranium, whose whereabouts have been unknown since last month's strikes by Israel and the US on Iran's nuclear sites. Iranian Foreign Ministry Spokesperson Esmaeil Baghaei told the official news agency IRNA that an IAEA delegation is expected in Tehran soon, but no nuclear site inspections are currently scheduled. Talks will focus on redefining the framework for interaction instead. That was confirmed by IAEA head Rafael Grossi, who said on Friday that Iran has indicated it will be ready to restart technical-level discussions on its nuclear programme. He told reporters in Singapore that the IAEA had proposed that Iran should start discussions of 'the modalities as to how to restart or begin [inspections] again. So this is what we are planning to do, perhaps starting on technical details and later moving onto high-level consultations. So this will not include inspections yet,' Grossi added. As Israel started bombing Iran, Tehran suspended cooperation with the IAEA. The level of damage to Iran's nuclear programme is not yet clear, even as Trump repeatedly said nuclear targets were destroyed by American bombing. It is not clear whether the Europeans will act as a catalyst for the resumption of Iranian-American talks or fail to do so, blaming it on Iranian non-cooperation. If the one-month deadline for Tehran to prove positive engagement is not met, escalation is expected.

Iran has threatened to withdraw from the Nuclear Non-Proliferation Treaty (NPT). That will be seen by the US and Israel as a clear sign of Tehran heading towards the production of a nuclear bomb.

* A version of this article appears in print in the 6 August, 2025 edition of Al-Ahram Weekly.

Egypt, Ukraine Deepen Agricultural Cooperation to Boost Grain, Oil Exports
See - Sada Elbalad, 18 hours ago

Nada Mustafa

On July 30, the Ambassador of Ukraine to the Arab Republic of Egypt, Mykola Nahornyi, held a meeting with the senior management of Egypt's National Agency for Strategic Procurement and Sustainable Development – Mostakbal Misr. During the substantive discussion, both sides reviewed the current state and future prospects of cooperation between the two countries, particularly in the context of increasing Ukrainian agricultural exports to Egypt, notably grain and sunflower oil. A set of specific steps was endorsed for implementation in the near future to achieve the shared ambitious goals. Egypt remains Ukraine's largest trading partner in the Middle East and North Africa (MENA) region. In the first half of 2025, bilateral trade reached USD 947.9 million, including USD 776.5 million in Ukrainian exports, primarily wheat (1.31 million tons), corn (1.06 million tons), and soybeans (0.36 million tons). Ukraine continues to play a vital role in ensuring global food security and reaffirms its commitment to supporting stable deliveries of high-quality agricultural products to the Egyptian market, both through private agribusinesses and in cooperation with governmental institutions, including Mostakbal Misr. The agreed measures aim not only to expand trade volumes, but also to ensure the efficiency, timeliness, and transparency of logistical processes.