State-Backed Hacking Escalates: Russia Targets Ukraine, China Eyes Latin America

ESET Report: Russia- and China-Aligned APTs Intensify Cyber Operations Globally

HIGH
November 7, 2025
6m read
Threat Intelligence, Threat Actor, Cyberattack

Related Entities

Threat Actors

Sandworm, InedibleOchotense, FamousSparrow

Organizations

Products & Tech

Tor

Other

Kalambur, Russia, China, Iran, North Korea

Full Report

Executive Summary

The latest APT Activity Report from ESET, covering the period of April to September 2025, paints a picture of escalating global cyber conflict driven by geopolitical tensions. The report details a marked intensification of operations by state-sponsored groups aligned with Russia and China. Russia-aligned actors, particularly the infamous Sandworm group, have ramped up destructive attacks against Ukraine, deploying data-wiping malware against critical sectors like energy, logistics, and agriculture. In parallel, China-aligned groups such as FamousSparrow have expanded their espionage campaigns, with a new strategic focus on government targets in Latin America. The report underscores a trend where cyber operations are becoming a primary tool for projecting national power and achieving geopolitical objectives.

Threat Overview: Russia-Aligned Activity

Russian state-sponsored groups continue to use Ukraine as a primary theater of operations, with a secondary focus on its European Union allies. The activity is characterized by disruptive and destructive attacks.

  • Sandworm's Destructive Campaign: This group, a unit of Russia's GRU, accelerated its use of wiper malware in mid-2025. The targets were strategic and aimed at disrupting Ukraine's economy and infrastructure, including government bodies, energy providers, logistics companies, and the grain sector.
  • InedibleOchotense's Stealth Campaign: Another Russia-aligned group conducted a spearphishing campaign distributing a C# backdoor named Kalambur. The malware was cleverly disguised within fake ESET installer packages and used the Tor network for anonymous command and control (C2) communications.

Threat Overview: China-Aligned Activity

China-aligned APT groups have been active in advancing Beijing's interests, with a notable strategic pivot towards Latin America.

  • FamousSparrow Targets Governments: This group launched attacks against multiple government entities in Latin America. ESET analysts speculate this may be a reaction to increased strategic interest in the region from the United States.
  • Advanced Techniques: These groups are increasingly using Adversary-in-the-Middle (AiTM) techniques. By hijacking sessions and stealing credentials in real time, they can achieve initial access and move laterally with greater stealth, bypassing MFA methods that are not phishing-resistant.

Other State-Sponsored Activity

  • Iran-backed groups expanded their spearphishing operations, continuing their focus on espionage and intelligence gathering.
  • North Korean operators, known for their financially motivated campaigns, broadened their cryptocurrency theft activities into new territories, including Central Asia.

Technical Analysis (Illustrative TTPs)

Sandworm (Wiper Attacks)

InedibleOchotense (Kalambur Backdoor)

FamousSparrow (AiTM)

Impact Assessment

The impact varies by campaign. For Ukraine, the attacks are directly destructive, aimed at crippling critical infrastructure and government functions, with tangible effects on the nation's ability to operate. For targets in Latin America, the primary impact is espionage: the theft of sensitive government data, diplomatic communications, and strategic plans, which can undermine national security and give China a significant geopolitical advantage. The expansion of North Korean crypto-theft operations poses a direct financial threat to the global financial ecosystem and individuals in Central Asia.

Detection & Response

  • Detecting Wipers: Monitor for large-scale file deletion or modification activity and the execution of suspicious disk-level commands. Have offline backups and a tested recovery plan. D3FEND Technique: D3-PA: Process Analysis.
  • Detecting AiTM: Monitor for suspicious login patterns, such as logins from anomalous geographic locations or impossible travel scenarios. Deploy MFA controls that are resistant to phishing, such as FIDO2 hardware keys. D3FEND Technique: D3-UGLPA: User Geolocation Logon Pattern Analysis.
  • Detecting Kalambur: Monitor for outbound network traffic to Tor entry nodes from endpoints that should not be using Tor. Use EDR to detect the loading of the malicious C# backdoor. D3FEND Technique: D3-OTF: Outbound Traffic Filtering.
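The wiper detection bullet above (large-scale deletion plus suspicious disk-level writes) can be expressed as a sliding-window rule over endpoint file telemetry. The block below is an added example written for this article, not code from ESET or from the report; the event shape, process names and file paths are constructed, and the thresholds (50 destructive events in 10 seconds, raw-device prefixes) are assumptions to tune against your own EDR or Sysmon/auditd data.

```python
"""Sliding-window detector for wiper-style mass file destruction.

Added example, not from the ESET report or this article. It consumes
endpoint file-activity events (the shape below is constructed; real
events come from EDR or Sysmon/auditd telemetry) and raises an alert
when one process deletes or overwrites `threshold` files inside a
`window`-second span, or writes directly to a raw disk device.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

DESTRUCTIVE_ACTIONS = {"delete", "overwrite"}
# Writes to raw devices bypass the filesystem (boot sector / partition wiping).
RAW_DEVICE_PREFIXES = ("\\\\.\\PhysicalDrive", "/dev/sd", "/dev/nvme")


@dataclass(frozen=True)
class FileEvent:
    ts: float        # epoch seconds
    host: str
    pid: int
    process: str
    action: str      # create | modify | write | delete | overwrite
    path: str


def detect_mass_destruction(events, threshold=50, window=10.0):
    """Return a list of alert dicts, ordered by the time they fired.

    One 'mass_destruction' alert per (host, pid) the first time its
    destructive-event count in the trailing window reaches `threshold`,
    and one 'raw_device_write' alert per raw-device write.
    """
    alerts = []
    recent = defaultdict(deque)      # (host, pid) -> timestamps inside the window
    already_flagged = set()
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.host, ev.pid)
        if ev.action in ("write", "overwrite") and ev.path.startswith(RAW_DEVICE_PREFIXES):
            alerts.append({"type": "raw_device_write", "host": ev.host, "pid": ev.pid,
                           "process": ev.process, "path": ev.path, "ts": ev.ts})
        if ev.action not in DESTRUCTIVE_ACTIONS:
            continue
        q = recent[key]
        q.append(ev.ts)
        while q and ev.ts - q[0] > window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in already_flagged:
            already_flagged.add(key)
            alerts.append({"type": "mass_destruction", "host": ev.host, "pid": ev.pid,
                           "process": ev.process, "count": len(q),
                           "span_seconds": round(ev.ts - q[0], 2), "ts": ev.ts})
    return alerts


def sample_events():
    """Constructed telemetry: a slow benign cleanup job and a fast destructive burst."""
    events = []
    # Benign: a cleanup tool removes 20 temp files, one every 3 seconds (4 per 10 s window).
    for i in range(20):
        events.append(FileEvent(1000.0 + 3 * i, "srv01", 4021, "cleanup.exe",
                                "delete", f"C:\\Temp\\old{i}.log"))
    # Destructive (constructed process name, not a real IoC): 60 deletes in 3 seconds
    # across user documents, followed by a direct write to the physical disk.
    for i in range(60):
        events.append(FileEvent(2000.0 + 0.05 * i, "srv01", 7713, "sample_wiper.exe",
                                "delete", f"C:\\Users\\ops\\Documents\\doc{i}.docx"))
    events.append(FileEvent(2003.5, "srv01", 7713, "sample_wiper.exe",
                            "write", "\\\\.\\PhysicalDrive0"))
    return events


if __name__ == "__main__":
    for alert in detect_mass_destruction(sample_events()):
        print(alert)
```

The benign cleanup job never exceeds four deletions per window and stays silent, while the burst trips the rate rule at the fiftieth deletion and the raw-device write fires a second, independent alert. Keying on (host, pid) rather than process name keeps the rule working when the binary is renamed, and the rate threshold is what separates a wiper from a legitimate but busy backup or cleanup tool.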

Mitigation and Recommendations

  1. Defense-in-Depth: Organizations in targeted sectors (government, energy, logistics) must adopt a defense-in-depth strategy, assuming they are a target. This includes robust endpoint protection, network segmentation, and regular security audits. D3FEND Technique: D3-NI: Network Isolation.
  2. Phishing-Resistant MFA: To counter the rise of AiTM, organizations should prioritize the adoption of phishing-resistant MFA methods like FIDO2/WebAuthn. D3FEND Technique: D3-MFA: Multi-factor Authentication.
  3. Backup and Recovery: For threats like Sandworm's wipers, having immutable, offline backups is critical. Regularly test disaster recovery and incident response plans to ensure a swift recovery from a destructive attack. D3FEND Technique: D3-FR: File Restoration.
  4. Threat Intelligence Integration: Consume and integrate threat intelligence from sources like ESET to understand the TTPs of relevant threat actors and proactively hunt for their activity in your environment.

Timeline of Events

  1. April 1, 2025: Start of the period covered by the ESET APT Activity Report.
  2. September 1, 2025: End of the period covered by the ESET APT Activity Report.
  3. November 7, 2025: This article was published.

MITRE ATT&CK Mitigations

  • Implement phishing-resistant MFA (like FIDO2) to mitigate AiTM attacks.
  • Audit (M1047, enterprise): Collect and analyze logs to detect suspicious login patterns and command execution.
  • Segment networks to contain breaches and prevent lateral movement from less critical to critical systems.
  • Train users to identify and report sophisticated spearphishing attempts.

D3FEND Defensive Countermeasures

To counter destructive wiper attacks from groups like Sandworm, organizations in Ukraine and allied nations must maintain a robust and tested backup strategy. This involves the 3-2-1 rule: three copies of data, on two different media types, with one copy stored offline and immutable. Immutability is key, as it prevents backups from being deleted or encrypted by the attacker. Regularly test the restoration process to ensure data integrity and to meet recovery time objectives (RTOs). This is not a preventative measure but a critical resilience capability to ensure the organization can recover and resume operations after a destructive attack.

To combat the AiTM techniques used by China-aligned groups like FamousSparrow, security teams should implement user behavior analytics that focus on login patterns. Specifically, monitor for 'impossible travel' scenarios, where a user logs in from one location and then a geographically distant location in a short time. Also, baseline normal login locations for users and alert on deviations. When an AiTM attack occurs, the final login to the cloud service (e.g., Microsoft 365) will originate from the attacker's infrastructure, not the user's. Detecting this geographic anomaly is a high-fidelity indicator of a compromised session.
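The login-pattern analytics described above, and in the "Detecting AiTM" bullet earlier, come down to two checks per successful sign-in: is the country outside the user's baseline, and does the distance from the previous login imply an impossible speed. The block below is an added example for this article, not ESET's code; the sign-in events are constructed (RFC 5737 documentation addresses, already enriched with coordinates, which in practice come from the identity provider's logs or a GeoIP lookup), and the 900 km/h ceiling is an assumed airliner-speed cut-off.

```python
"""Login-pattern analytics for AiTM session hijacks: impossible travel and new-country logins.

Added example, not from the ESET report or this article. Events are
constructed in the shape of cloud sign-in logs already enriched with
geolocation (real deployments take the IP-to-location step from the
identity provider's logs or a GeoIP database).
"""
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    d_phi = p2 - p1
    d_lambda = math.radians(lon2 - lon1)
    a = math.sin(d_phi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(d_lambda / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def detect_anomalous_logins(events, baselines, max_speed_kmh=900.0):
    """Return alerts for successful logins that deviate from the user's baseline
    countries or imply faster-than-airliner travel since the previous login."""
    alerts = []
    last_login = {}                      # user -> previous successful login event
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        if ev["result"] != "success":    # failed attempts never move the "last location"
            continue
        user, ts = ev["user"], datetime.fromisoformat(ev["ts"])
        if ev["country"] not in baselines.get(user, set()):
            alerts.append({"user": user, "reason": "new_country", "country": ev["country"],
                           "src_ip": ev["src_ip"], "ts": ev["ts"]})
        prev = last_login.get(user)
        if prev is not None:
            hours = (ts - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            dist_km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            if hours > 0:
                speed_kmh = dist_km / hours
            else:                        # same timestamp: any distance at all is impossible
                speed_kmh = math.inf if dist_km > 0 else 0.0
            if speed_kmh > max_speed_kmh:
                alerts.append({"user": user, "reason": "impossible_travel",
                               "from": prev["country"], "to": ev["country"],
                               "distance_km": round(dist_km),
                               "speed_kmh": round(speed_kmh) if math.isfinite(speed_kmh) else "instantaneous",
                               "src_ip": ev["src_ip"], "ts": ev["ts"]})
        last_login[user] = ev
    return alerts


# Constructed sample: RFC 5737 documentation addresses, not real infrastructure.
SAMPLE_EVENTS = [
    {"ts": "2025-06-10T09:00:00+00:00", "user": "alice", "result": "success",
     "src_ip": "192.0.2.10", "country": "UA", "lat": 50.45, "lon": 30.52},    # Kyiv, corporate egress
    {"ts": "2025-06-10T09:30:00+00:00", "user": "alice", "result": "success",
     "src_ip": "198.51.100.44", "country": "CO", "lat": 4.71, "lon": -74.07},  # 30 min later, Bogotá
    {"ts": "2025-06-10T08:00:00+00:00", "user": "bob", "result": "success",
     "src_ip": "203.0.113.5", "country": "ES", "lat": 40.42, "lon": -3.70},    # Madrid
    {"ts": "2025-06-10T11:00:00+00:00", "user": "bob", "result": "success",
     "src_ip": "203.0.113.77", "country": "PT", "lat": 38.72, "lon": -9.14},   # Lisbon, 3 h later
    {"ts": "2025-06-10T11:05:00+00:00", "user": "bob", "result": "failure",
     "src_ip": "198.51.100.9", "country": "CO", "lat": 4.71, "lon": -74.07},   # failed attempt, ignored
]
SAMPLE_BASELINES = {"alice": {"UA"}, "bob": {"ES", "PT"}}


if __name__ == "__main__":
    for alert in detect_anomalous_logins(SAMPLE_EVENTS, SAMPLE_BASELINES):
        print(alert)
```

On the sample, alice's second login is roughly 10,600 km away half an hour after the first and from a country outside her baseline, so it raises both alerts; bob's Madrid-to-Lisbon pair three hours apart is well under the speed ceiling and his baseline covers both countries. In an AiTM hijack the second login is the one replayed from the attacker's infrastructure, which is why the analytic keys on the location of each successful session rather than on the credentials used.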

To detect backdoors like Kalambur that use Tor for C2, organizations should implement strict outbound traffic filtering. By default, deny all outbound traffic and only allow connections to known-good IPs and domains on required ports (e.g., TCP 80/443). Specifically, create a deny list for all known Tor entry node IP addresses. Since the list of Tor nodes is public, it can be regularly updated. Any host attempting to connect to a Tor node is a strong signal of malicious or unauthorized activity and should trigger an immediate incident response investigation.
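The outbound filtering policy described above, and the "Detecting Kalambur" bullet earlier, can be checked offline by replaying firewall logs through the rule set: default deny, an allow list of destinations and ports, and a deny list of Tor relay addresses with a short exemption list for hosts that are approved to use Tor. The block below is an added example for this article, not ESET's code; the log format, the allow list and the relay addresses are constructed (RFC 5737 ranges), and a real deployment replaces the relay placeholder with the Tor Project's published relay list, refreshed on a schedule.

```python
"""Default-deny outbound policy check with a Tor-relay deny list.

Added example, not from the ESET report or this article. It replays
firewall log lines (constructed below, using RFC 5737 documentation
addresses) through a policy in which outbound connections are allowed
only to approved destinations on approved ports, and any contact with a
known Tor relay from a host not approved for Tor is raised as an alert.
The relay set here is a placeholder; a real deployment loads the
Tor Project's published relay list on a schedule.
"""
import ipaddress
import re
from dataclasses import dataclass

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)

# Approved egress destinations and ports (constructed allow list).
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
ALLOWED_PORTS = {80, 443}
# Placeholder Tor relay addresses; replace with the published relay list.
TOR_RELAYS = {ipaddress.ip_address(a) for a in ("198.51.100.7", "198.51.100.9")}
# Hosts with a documented business need for Tor (e.g. a threat-research box).
TOR_EXEMPT_HOSTS = {ipaddress.ip_address("10.20.9.3")}


@dataclass(frozen=True)
class Decision:
    ts: str
    src: str
    dst: str
    dport: int
    verdict: str     # allow | deny | alert
    reason: str


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def evaluate(fields):
    """Apply the policy to one parsed connection record."""
    src = ipaddress.ip_address(fields["src"])
    dst = ipaddress.ip_address(fields["dst"])
    dport = int(fields["dport"])
    base = (fields["ts"], str(src), str(dst), dport)
    if dst in TOR_RELAYS:
        if src in TOR_EXEMPT_HOSTS:
            return Decision(*base, "allow", "tor_exempt_host")
        # Tor contact from a normal endpoint: block and open an investigation.
        return Decision(*base, "alert", "tor_relay_contact")
    if dport in ALLOWED_PORTS and any(dst in net for net in ALLOWED_NETWORKS):
        return Decision(*base, "allow", "allowlisted_destination")
    return Decision(*base, "deny", "default_deny")


def evaluate_log(lines):
    """Evaluate every well-formed line; malformed lines are skipped."""
    decisions = []
    for line in lines:
        fields = parse_line(line)
        if fields is not None:
            decisions.append(evaluate(fields))
    return decisions


def hosts_to_investigate(decisions):
    """Source hosts with at least one Tor alert, most alerts first."""
    counts = {}
    for d in decisions:
        if d.verdict == "alert":
            counts[d.src] = counts.get(d.src, 0) + 1
    return sorted(counts, key=lambda h: (-counts[h], h))


SAMPLE_LOG = [
    "2025-06-12T10:01:05Z fw01 src=10.20.4.15 dst=203.0.113.20 dport=443 proto=tcp",   # SaaS, allowed
    "2025-06-12T10:01:09Z fw01 src=10.20.4.15 dst=198.51.100.7 dport=9001 proto=tcp",  # Tor relay from a workstation
    "2025-06-12T10:01:12Z fw01 src=10.20.4.22 dst=192.0.2.55 dport=8080 proto=tcp",    # unapproved destination
    "this line is not a firewall record",                                             # skipped
    "2025-06-12T10:02:00Z fw01 src=10.20.9.3 dst=198.51.100.9 dport=443 proto=tcp",    # exempt research host
    "2025-06-12T10:02:30Z fw01 src=10.20.4.15 dst=198.51.100.9 dport=443 proto=tcp",   # second Tor contact, same host
]


if __name__ == "__main__":
    decisions = evaluate_log(SAMPLE_LOG)
    for d in decisions:
        print(d)
    print("investigate:", hosts_to_investigate(decisions))
```

The Tor check runs before the allow list on purpose: a relay that happens to listen on TCP 443 would otherwise slip through a port-based rule, which matters because Tor clients can be configured to use 443 precisely to blend in with web traffic. The exemption list keeps the rule usable where a few hosts legitimately need Tor, without weakening the default-deny posture for everything else.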

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

APT, Threat Intelligence, Sandworm, Wiper, Espionage, Geopolitics
