ESET APT Report: China-Aligned Groups Intensify Global Espionage Amid Geopolitical Tensions
ESET Research has unveiled its latest APT Activity Report, detailing the activities of various Advanced Persistent Threat (APT) groups from October 2025 to March 2026. This period has seen a marked increase in the global espionage efforts of China-aligned threat actors, driven by geopolitical developments that directly impact Beijing’s economic and security interests.
Escalation of Espionage Activities
The report indicates that following a U.S. military operation in Venezuela and ongoing instability in the Gulf region, China-aligned groups have been mobilized to enhance Beijing’s oversight of maritime, energy, and political developments abroad. Notably, the North Korea-aligned group Andariel targeted a company believed to be involved in the nuclear power sector, showcasing the interconnected nature of these geopolitical tensions.
FamousSparrow, another China-aligned group, specifically targeted a Venezuelan government entity responsible for maritime affairs. This action appears to be aimed at monitoring the resilience of oil shipments in the wake of U.S. intervention. Additionally, ESET identified activities by SteppeDriver, which targeted a Syrian governmental network, likely reflecting both commercial interests in Syria’s reconstruction and security concerns regarding Uyghur fighters in the region.
The UNC5221 group utilized its SPAWN malware family to target governmental entities in Cambodia and Panama, as well as an AI and robotics company in South Korea. This targeting aligns with Beijing’s strategic interests in advanced technologies, particularly those prioritized under the Made in China 2025 industrial policy.
Regional Focus and Implications
Jean-Ian Boutin, Director of Threat Research at ESET, noted that in Asia, the campaigns predominantly targeted governmental organizations, strategic industries, and advanced technology sectors. In the Middle East, Israel has remained the primary focus of Iran-aligned activities, with targets ranging from organizations affected by espionage to device manufacturers subjected to destructive tooling.
The conflict in Iran, which escalated in late February 2026, has been a defining factor for Iran-aligned activities during this timeframe. Interestingly, this conflict coincided with a decline in operations from established Iran-aligned APT groups, likely due to internet restrictions imposed by the Iranian regime that hindered their operational capabilities. Conversely, this environment has seemingly favored the rise of proxy and hacktivist actors targeting Israel, the United States, and other nations perceived as adversarial to Tehran.
ESET documented an unusual spike in activity against Israeli targets that could not be definitively linked to known groups. Two unidentified clusters, Rusty Boots and MoKhargosh, exhibited both espionage capabilities and destructive potential: one deployed a bootkit-style wiper, while destructive tools were also kept in reserve for future use.
Targeting of Defense and Intelligence Sectors
ESET Research also reported a breach involving a defense company in the United Arab Emirates, alongside targeted attacks against Arabic-speaking users through Android spyware. This spyware was likely aimed at journalists or open-source intelligence practitioners, as suggested by the name of the attacker’s Telegram channel, which appears to be inspired by the Live Universal Awareness Map (Liveuamap), a well-known OSINT platform that maps military incidents globally.
North Korea-aligned threat actors have maintained a robust presence across multiple fronts. Various groups have continued to target developers and the cryptocurrency ecosystem using social engineering tactics that can yield both direct financial gains and opportunities for software supply-chain compromise. The resurgence of the Andariel group has been particularly notable, with attacks against South Korea involving the deployment of TigerRAT and attempts to spread Rook ransomware within an engineering company linked to liquid hydrogen handling and the nuclear power industry—technologies critical to Pyongyang’s ballistic and nuclear ambitions.
Ongoing Threats from Russia-Aligned Actors
Russia-aligned threat actors have predominantly focused their efforts on Ukraine and entities associated with the country’s defense initiatives. The Sednit group deployed its Covenant and BeardShell implants against Ukrainian military personnel, drone manufacturers, and organizations involved in drone research and development, while also targeting logistics and transportation companies outside Ukraine.
Sandworm has intensified its destructive activities, particularly over the winter months, deploying several new wipers against both governmental and private sector targets in Ukraine. A significant incident occurred in December 2025, involving data destruction at a Polish energy company, which ESET attributed to Sandworm with medium confidence.
Conclusion
ESET’s findings underscore the evolving landscape of cyber threats, particularly from state-aligned actors. The intelligence shared in this report is primarily based on proprietary ESET telemetry data, verified by ESET researchers who produce in-depth technical reports and regular updates on specific APT group activities. These analyses, known as ESET APT Reports, are crucial for organizations tasked with safeguarding citizens, critical national infrastructure, and high-value assets from both criminal and nation-state-directed cyberattacks.
For further insights into the evolving cybersecurity landscape, refer to the original report. Source: securitymea.com.