VYPR
Published Nov 6, 2025 · Updated May 18, 2026 · 1 source

ESET Q2–Q3 2025 APT Report: China Groups Target Latin America, Iran Ups Internal Spearphishing, North Korea Expands to Uzbekistan

ESET's latest APT activity report reveals China-aligned groups increasingly using adversary-in-the-middle techniques and targeting Latin America, while Iran's MuddyWater boosts internal spearphishing and North Korea expands operations to Uzbekistan.

ESET Research has released its APT Activity Report covering Q2 and Q3 of 2025, detailing the operations of advanced persistent threat groups aligned with China, Iran, North Korea, and Russia. The report, published on November 6, 2025, highlights a significant shift in tactics and targets, with China-aligned groups increasingly employing adversary-in-the-middle (AitM) techniques for both initial access and lateral movement. Groups such as PlushDaemon, SinisterEye, Evasive Panda, and TheWizards have adopted this approach, reflecting a broader trend in state-sponsored cyber espionage.

A notable development is the expansion of China-aligned operations into Latin America, likely a response to the Trump administration's renewed strategic interest in the region and the wider US-China power struggle. FamousSparrow targeted several governmental entities across Latin America, while Mustang Panda remained highly active in Southeast Asia, the United States, and Europe, focusing on the government, engineering, and maritime transport sectors. Flax Typhoon targeted the healthcare sector in Taiwan, exploiting public-facing web servers and deploying webshells; it continued to rely on its SoftEther VPN infrastructure and adopted the open-source proxy BUUT. Speccom targeted the energy sector in Central Asia, apparently to gain visibility into Chinese-funded operations in the region that are intended to reduce China's dependency on maritime imports. The BLOODALCHEMY backdoor, used by Speccom, appears to be favored by several China-aligned threat actors.

Iran-aligned groups have also evolved their tactics. MuddyWater increased its spearphishing activity, notably sending emails from compromised inboxes inside target organizations, which lends the messages the credibility of a trusted internal sender and achieved a high success rate. Other Iran-aligned groups, including BladedFeline and GalaxyGato, deployed new infrastructure and backdoors. GalaxyGato introduced an improved version of its C5 backdoor and, in a new twist, used DLL search-order hijacking to steal credentials.

North Korea-aligned threat actors expanded their operations to Uzbekistan, a country not previously seen among their targets. DeceptiveDevelopment, Lazarus, Kimsuky, and Konni all launched new campaigns, both against the cryptocurrency sector for revenue generation and for espionage. Kimsuky experimented with the ClickFix technique against diplomatic entities and South Korean think tanks, while Konni relied on social engineering with an unusual focus on macOS systems.

Russia-aligned groups maintained their focus on Ukraine and countries with strategic ties to it, while also expanding to European entities. RomCom exploited a zero-day vulnerability in WinRAR to deploy malicious DLLs and backdoors, targeting the financial, manufacturing, defense, and logistics sectors in the EU and Canada; ESET reported the vulnerability to WinRAR, which promptly patched it. Gamaredon remained the most active APT group targeting Ukraine, with increased intensity and a rare instance of cooperation with Turla, deploying one of Turla's backdoors. Sandworm focused on destructive operations in Ukraine, deploying the data wipers ZEROLOT and Sting against governmental entities and the grain sector to weaken the Ukrainian economy. Another Russia-aligned actor, InedibleOchotense, ran a spearphishing campaign impersonating ESET, delivering a trojanized installer that downloads a legitimate ESET product alongside the Kalambur backdoor.

The report also highlights lesser-known groups, including FrostyNeighbor, which exploited an XSS vulnerability in Roundcube to target Polish and Lithuanian companies; the phishing emails appear to have been AI-generated, judging by their distinctive bullet points and emojis, and delivered credential and email stealers. Additionally, ESET identified a previously unknown Android spyware family, named Wibag, in Iraq; it masquerades as a YouTube app and targets messaging platforms such as Telegram and WhatsApp. Wibag's capabilities include keylogging and exfiltration of SMS messages, call logs, location data, and recordings of WhatsApp calls. The login page of the spyware's admin panel displays the logo of the Iraqi National Security Service, suggesting state involvement.

Synthesized by Vypr AI