ESET report: APT trends and attacks in Q2–Q3 2025
From April to September 2025, ESET researchers tracked notable advanced persistent threat (APT) operations worldwide. This Q2–Q3 2025 snapshot highlights the most impactful trends, tools, and targets observed across major threat clusters.
Headline trends
- Wider use of adversary-in-the-middle (AITM) for initial access and lateral movement by China-aligned actors
- Spearphishing intensity rising, including internal-from-compromised-account tactics
- Exploitation of zero-days and delivery of destructive wipers alongside evolving backdoors
- Expansion into new regions and sectors, plus increased cross-group tool reuse
- Mobile spyware emergence and likely AI-assisted phishing content
China-aligned activity
- AITM at scale: PlushDaemon, SinisterEye, Evasive Panda, and TheWizards leaned on AITM for both entry and movement.
- Latin America focus: FamousSparrow targeted multiple government entities, likely reflecting shifting geopolitical dynamics in the region.
- Persistent Mustang Panda: Active across Southeast Asia, the United States, and Europe, with interest in government, engineering, and maritime transport.
- Flax Typhoon: Targeted Taiwan's healthcare sector by exploiting public-facing servers and deploying webshells; maintained SoftEther VPN infrastructure and adopted the open-source BUUT proxy.
- Speccom: Targeted Central Asia’s energy sector, likely to gain visibility into Chinese-funded operations; BLOODALCHEMY backdoor seen favored by several China-aligned actors.
Iran-aligned activity
- MuddyWater: Marked uptick in spearphishing, often sent internally from compromised inboxes, boosting success rates.
- BladedFeline: Migrated to new infrastructure.
- GalaxyGato: Rolled out an improved C5 backdoor and used DLL search-order hijacking to steal credentials.
North Korea-aligned activity
- New ground and revenue ops: Targeted cryptocurrency and expanded into Uzbekistan.
- Multiple clusters in play: DeceptiveDevelopment, Lazarus, Kimsuky, and Konni ran fresh espionage and monetization campaigns.
- Kimsuky: Experimented with ClickFix against diplomatic targets, South Korean think tanks, and academia.
- Konni: Unusually strong focus on macOS via social engineering.
Russia-aligned activity
- Ongoing pressure on Ukraine and European entities: Spearphishing remained the top entry vector.
- RomCom: Weaponized a WinRAR zero-day to deploy malicious DLLs and multiple backdoors; the vulnerability was patched after disclosure. Primary focus on finance, manufacturing, defense, and logistics in the EU and Canada.
- Gamaredon: Most active against Ukraine; operations increased in tempo and sophistication, including selective deployment of a Turla backdoor and new file stealers/tunneling services.
- Sandworm: Destructive operations in Ukraine using the ZEROLOT and Sting wipers against government, energy, logistics, and the grain sector, likely intended to weaken the economy.
- InedibleOchotense: Impersonated ESET via emails and Signal, delivering a trojanized installer that fetched a legitimate ESET product alongside the Kalambur backdoor.
Other notable activity
- FrostyNeighbor: Exploited a Roundcube XSS; spearphished Polish and Lithuanian firms using messages with bullet points and emojis suggestive of AI-generated content. Payloads included a credential stealer and an email stealer.
- Wibag Android spyware (Iraq): Disguised as YouTube, targeting Telegram, WhatsApp, Instagram, Facebook, and Snapchat. Features keylogging and exfiltration of SMS, call logs, location, contacts, screen recordings, and WhatsApp/phone call recordings. The admin login page displays the Iraqi National Security Service logo.
Methodology and scope
- All described activity was detected by ESET products and validated via proprietary telemetry and researcher analysis.
- This public report captures only a fraction of the intelligence included in ESET Threat Intelligence APT Reports. The original publication also outlines targeted countries/sectors and attack sources.
Source: WeLiveSecurity