According to a new report from cybersecurity firm ESET, hacking groups aligned with the Chinese state are exploiting geopolitical tensions in the Middle East to launch targeted cyber-espionage campaigns. The report details how Advanced Persistent Threat (APT) groups are focusing on the maritime, energy, and government sectors in the Gulf region and beyond to gather intelligence that aligns with Beijing's strategic interests. The research, covering October 2025 to March 2026, highlights specific campaigns by China-aligned groups such as FamousSparrow and SteppeDriver. Their activities, which include targeting governmental and commercial entities in regions like the Middle East, South America, and Asia, appear directly linked to China's geopolitical goals and economic policies, such as the 'Made in China 2025' initiative.
The report highlights several specific campaigns that illustrate the broader strategy:
T1003 - OS Credential Dumping).While specific TTPs were not detailed in the summary, these campaigns typically involve sophisticated phishing attacks (T1566 - Phishing) for initial access, deployment of custom backdoors for persistence (T1053 - Scheduled Task/Job), and living-off-the-land techniques to move laterally and exfiltrate data (T1048 - Exfiltration Over Alternative Protocol).
The impact of these state-sponsored espionage campaigns is strategic and long-term.
No specific technical Indicators of Compromise (IOCs) such as IP addresses, domains, or file hashes were provided in the source articles.
Organizations in the targeted sectors should hunt for signs of APT activity:
powershell -enclsass.exelsass.exe process memory, a common technique for credential dumping.M1017 - User Training).M1030 - Network Segmentation).M1032 - Multi-factor Authentication).CrowdStrike reports China-nexus APTs, including MURKY PANDA and MUSTANG PANDA, are intensifying AI espionage against the tech sector, stealing IP for China's AI dominance.
A new CrowdStrike report reveals China-nexus APTs, such as MURKY PANDA and MUSTANG PANDA, are responsible for over 58% of state-sponsored attacks on the technology sector. These groups are aggressively targeting AI capabilities and intellectual property to support China's goal of global AI supremacy. New TTPs include widespread password spraying. The report also highlights North Korean adversaries using fraudulent IT worker schemes and eCrime actors leveraging AI for attacks, indicating a broader, escalating threat landscape.
Start of the period covered by the ESET APT Activity Report.
End of the period covered by the ESET APT Activity Report.
ESET publishes its report on APT activity.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
CyberNetSec.io uses automation to assist source monitoring, deduplication, observable extraction, and structured intelligence generation. Published analysis follows human-defined editorial standards and adds defensive context including MITRE ATT&CK, D3FEND, STIX, and Sigma where applicable. Read our editorial policy.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.