International Espionage Tracks Shifting Geopolitics

Research from the leading EU cybersecurity company, ESET, examines the latest APT activity covering the eventful period October 2025 to March 2026. The findings show that China-aligned threat actors remained highly active, with operations shaped by events such as the US military action in Venezuela and ongoing instability in the Gulf region.[1]

Notable events and participants over the 6-month period include:

  • FamousSparrow targeted a Venezuelan government entity linked to maritime affairs, apparently to assess the resilience of oil shipments after the intervention.
  • SteppeDriver struck a Syrian governmental network, an action that appears connected to Chinese commercial opportunities in reconstruction and worries over Uyghur fighters in the area.
  • NegativeGlimmer, another China-aligned group, compromised an AI and robotics company in South Korea, matching Beijing’s focus on strategic technologies under the Made in China 2025 policy. The same cluster also hit governmental bodies in Cambodia and Panama.

  • Iran Proxies Deploy Destructive Tools on Israel - The war in Iran that started in late February 2026 marked a turning point for Iran-aligned operations. Internet limits inside the country reduced activity from established groups, yet proxy and hacktivist efforts rose against Israel and other perceived opponents. Two unattributed clusters, Rusty Boots and MoKhargosh, showed both spying skills and destructive power. They deployed a bootkit-style wiper against Israeli targets while keeping additional destructive tools ready.

Jean-Ian Boutin, Director of Threat Research at ESET, noted: “In Asia, the campaigns primarily focused on governmental organizations, strategic industries, and advanced technology sectors. In the Middle East, Israel remained the principal focus of Iran-aligned and Iran-linked activities, with targets ranging from organizations affected by espionage intrusions to device manufacturers hit by destructive tooling.”

  • North Korea & Russia Maintain Pressure - North Korea-aligned Andariel reappeared in South Korea, using TigerRAT and trying to push Rook ransomware into an engineering firm involved in liquid hydrogen equipment and nuclear-related work, technologies tied to Pyongyang’s ambitions. Russia-aligned actors kept their main effort on Ukraine. Sednit planted Covenant and BeardShell implants in military staff, drone makers, and research bodies. Sandworm increased its use of wipers over the winter and carried out a data destruction attack on a Polish energy firm in December 2025, attributed with medium confidence.

ESET's report underscores how nation-state groups adapt quickly to global events, with objectives ranging from energy monitoring to technology theft and wartime disruption. Companies in the maritime, energy, defense, and technology sectors face particular attention. ESET advises ongoing vigilance and prompt patching, especially for remote-access tools and supply chains.

The firm has entered a strategic partnership with NATO to improve cyber resilience. Its researchers continue to monitor these threats and share findings to help organizations prepare. With hybrid threats blending espionage, ransomware, and destruction, the six-month window captured in the document offers a clear view of current priorities among state-linked actors. Businesses and governments are urged to review exposures in line with these patterns.

This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information (CTI) via a notification/Tier I analysis service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/7855487668891299929

[1] https://www.cybersecurityintelligence.com/blog/international-espionage-tracks-shifting-geopolitics-9425.html