Inside ESET’s APT Report: Tool Sharing, Wipers, Exploits

July 1, 2025 at 12:00 AM

ESET’s latest APT Activity Report for Q4 2024 to Q1 2025—discussed by Distinguished Researcher Aryeh Goretsky and Security Awareness Specialist Rene Holt on the ESET Research Podcast—spotlights rising tool sharing, targeted webmail exploits, and increasingly precise data-wiping campaigns.

China-aligned activity

  • UnsolicitedBooker’s persistence: targeted the same organization three times over several years to deploy its MarsSnake backdoor—an object lesson in long-haul APT operations.
  • Attribution headwinds from tool sharing: groups such as Worok lean on shared “digital quartermaster” toolsets, blurring lines with activity tied to LuckyMouse and TA428.

Russia-aligned activity

  • Sednit’s Operation RoundPress expands beyond Roundcube to Horde, MDaemon, and Zimbra, using targeted emails, exploited flaws, and cross-site scripting to strike defense companies in Bulgaria and Ukraine.
  • Gamaredon remains one of the most active APTs in Ukraine, constantly revising obfuscation to dodge detection.
  • Sandworm deploys ZEROLOT, a surgical wiper used multiple times in the past six months to erase specific files and directories while keeping systems up long enough to finish its mission.

North Korea- and Iran-aligned activity

  • The report and podcast also cover additional campaigns from these actors, with insights into evolving tradecraft, targeting, and objectives.

Why this matters

  • Shared toolchains complicate attribution and accelerate capability reuse.
  • Webmail platforms remain high-value entry points for targeted intrusions.
  • Modern wipers emphasize precision and persistence to maximize damage.

For deeper details, listen to the ESET Research Podcast episode or download the full report.

Source: WeLiveSecurity
