VYPR
Research · Published May 28, 2026 · Updated May 29, 2026 · 1 source

ESET Q4 2025–Q1 2026 APT Report: Lazarus Axios Attack, New Wipers, and Geopolitical Shifts

ESET's latest APT Activity Report reveals Lazarus compromised the axios npm library, Sandworm deployed new wipers against a Polish energy firm, and China-aligned groups shifted targets amid geopolitical upheaval.

ESET Research has released its APT Activity Report covering Q4 2025 and Q1 2026, detailing investigations into advanced persistent threat groups across a period marked by major geopolitical events. The report highlights a significant supply chain attack on the widely used JavaScript library axios, the emergence of destructive wipers targeting critical infrastructure in a NATO member state, and the mobilization of China-aligned groups in response to the US military operation in Venezuela and instability in the Gulf region.

One of the most striking findings is the compromise of the axios library, which has over 100 million weekly downloads on the npm registry and is critical to web and mobile applications worldwide. ESET attributes the attack to the Lazarus Group, which used the lead maintainer's compromised credentials to publish malicious versions of the library that injected trojanized code into affected systems. The malicious packages were detected and removed, but the incident underscores the persistent risk of supply chain attacks targeting widely used open-source dependencies.

Russia-aligned threat actors continued to focus overwhelmingly on Ukraine and entities connected to the country's defense efforts. Sednit deployed its Covenant and BeardShell implants against Ukrainian military personnel, drone manufacturers, and organizations involved in drone research and development, while also targeting logistics and transportation companies outside Ukraine. Sandworm intensified destructive activity over the winter, deploying several new wipers in Ukraine against governmental and private sector targets. Particularly notable was a December 2025 data destruction incident affecting a Polish energy company, which ESET attributes to Sandworm with medium confidence. Although destructive attacks by Russia-aligned actors outside Ukraine remain rare, this case stands out because it affected critical infrastructure in a NATO member state. Given Poland's role in helping stabilize Ukraine's electricity supply, it is possible that the operation was intended to strain Ukraine's power grid during the winter.

China-aligned threat actors remained highly active worldwide, conducting espionage campaigns shaped by geopolitical developments affecting Beijing's economic and security interests. Following the US military operation in Venezuela and amid continuing instability in the Gulf region, ESET spotted signs that China-aligned groups were being mobilized to improve Beijing's visibility into maritime, energy, and political developments abroad. In one notable case, FamousSparrow targeted a Venezuelan governmental entity connected to maritime affairs, likely to monitor the resilience of oil shipments after the US intervention. SteppeDriver targeted a Syrian governmental network, activity that may reflect both Chinese commercial interest in Syria's reconstruction projects and security concerns surrounding Uyghur fighters present in that country. On VirusTotal, ESET found PhiliKit, a new implant assessed to be part of UNC5221's SPAWN toolset targeting Ivanti VPN appliances, while tracking of NegativeGlimmer revealed the group compromising governmental entities in Cambodia and Panama, as well as an AI and robotics company in South Korea.

The war in Iran that began in late February 2026 was the defining event for Iran-aligned activity during this period. Paradoxically, the conflict coincided with a decline in activity from established Iran-aligned APT groups in ESET's telemetry, most likely because internet restrictions imposed by the Iranian regime hindered their ability to operate effectively. At the same time, this environment appears to have favored the mobilization of proxy and hacktivist actors targeting Israel, the United States, and other states seen as hostile to Tehran. ESET also documented an unusual spike in activity against Israeli targets that could not be confidently linked to previously known groups. Two unattributed activity clusters, Rusty Boots and MoKhargosh, demonstrated both espionage capabilities and destructive potential – including deployment of a bootkit-style wiper and retaining destructive tooling for later use – whereas a third, MOØN Badr, appears to have been limited to targeted espionage.

North Korea-aligned threat actors remained active on several fronts. Multiple groups continued targeting developers and the cryptocurrency ecosystem with social engineering schemes that can yield both direct financial gain and opportunities for software supply-chain compromise. Lazarus and DeceptiveDevelopment continued to invest in long-term relationship building with high-value targets, while Kimsuky and Konni favored quicker, more opportunistic attacks. ESET also uncovered the reemergence of Andariel in South Korea, where the group deployed TigerRAT and attempted to spread Rook ransomware within an engineering company that appears to manufacture equipment relevant to liquid hydrogen handling and the nuclear industry – technologies of clear interest to Pyongyang's ballistic and nuclear ambitions.

The report also tracked several noteworthy campaigns from lesser-known and unattributed clusters, including a browser-in-the-browser phishing attack against a Japanese think tank and Android spyware named Asin. The full report provides a comprehensive view of the evolving APT landscape, illustrating how geopolitical events continue to shape the targeting and tactics of state-sponsored threat actors.

Synthesized by Vypr AI