Threat Reports

25 reports

ESET APT Activity Report Q4 2025–Q1 2026

This issue of the ESET APT Activity Report covers October 2025 through March 2026, a period in which state-aligned cyberespionage operations partly tracked geopolitical developments. After the US military operation in Venezuela, and amid continuing instability in the Gulf region, China-nexus groups were mobilized to improve Beijing's visibility into maritime, energy, and political developments abroad. Meanwhile, the war in Iran coincided with a drop in activity from established Iran-aligned groups, while proxy and hacktivist actors stepped up operations against Israeli and US targets. North Korea-aligned actors kept much of their focus on the cryptocurrency ecosystem and software supply chains, while Russia-aligned activity remained centered on Ukraine and its defense efforts.


ESET Threat Report H2 2025

This issue of the ESET Threat Report breaks down global attack trends and activity from June to November 2025, showing that AI-driven ransomware is now a reality, that new malware-as-a-service juggernauts continue to surface, and that NFC threats on Android almost doubled. In addition to these and other standout trends shaping the threat environment in the second half of 2025, the report also looks ahead to 2026, offering a clear view of the threats most likely to define the year ahead.


ESET APT Activity Report Q2 2025–Q3 2025

The period spanning April to September 2025 saw relentless offensive activity by the world's most notorious APT groups. Russia-aligned APT collectives continued to zero in on Ukraine and countries with strategic ties to Ukraine, while also expanding their operations to European entities. Campaigns by China-aligned APT groups increasingly used the adversary-in-the-middle (AiTM) technique when targeting various sectors in Asia, Europe, Latin America, and the United States. North Korea-aligned threat actors took aim at the cryptocurrency sector and, notably, expanded their operations to Uzbekistan, while Iran's most active group, MuddyWater, ramped up its spearphishing campaigns targeting Israel. The operations highlighted in the report are representative of the broader landscape of threats observed by ESET researchers in Q2 and Q3 2025.


ESET Threat Report H1 2025

From novel social engineering techniques to sophisticated mobile threats and yet more chaos on the ransomware scene, the first half of 2025 saw no shortage of interesting developments in various building blocks of the threat landscape. The H1 2025 issue of the ESET Threat Report offers a breakdown of the latest global attack trends and statistics, providing a comprehensive and up-to-date understanding of the threat environment and helping cyber-defenders stay one step ahead of adversaries.


ESET APT Activity Report Q4 2024–Q1 2025

APT groups maintained a high operational tempo against a wide range of targets throughout the period spanning October 2024 to March 2025. China-aligned threat actors continued to focus on European organizations, with Mustang Panda remaining particularly active and hitting mainly governmental institutions and maritime transportation companies. MuddyWater led the pack among Iran-aligned threat actors, frequently leveraging remote monitoring and management (RMM) software in spearphishing attacks, while Russia-aligned threat actors continued to target primarily Ukraine and EU countries. North Korea-aligned actors, for their part, focused on financially motivated campaigns.


ESET Threat Report H2 2024

Threat actors continued their relentless pursuit of victims in the second half of 2024, exploiting the path of least resistance to achieve their goals. Among other things, the rise in cryptocurrency valuations drove attackers to go full tilt on targeting cryptocurrencies, while Lumma Stealer became a particularly hot commodity for cybercriminals eyeing anything from credit card data to crypto assets. The ransomware landscape was reshaped following the takedown of LockBit, social media became flooded with scam ads promoting fraudulent investment opportunities, and a novel attack vector added a new layer of complexity to the mobile threat landscape.


ESET APT Activity Report Q2 2024–Q3 2024

The period from April through September 2024 saw a number of interesting developments relating to APT groups, as documented by ESET researchers. These include an expansion in targeting by China-aligned MirrorFace, which now also targets diplomatic organizations in the EU, and indications that Iran-aligned groups might be leveraging their cyber-capabilities to support diplomatic espionage and, possibly, kinetic operations. Meanwhile, North Korea-aligned actors persisted in their attacks on defense and aerospace companies in Europe and the US, as well as on think tanks, NGOs, and cryptocurrency developers.


ESET Threat Report H1 2024

In the H1 2024 Threat Report, the ESET research team reviews the main trends and developments shaping the threatscape from December 2023 to May 2024. Infostealers, for example, increasingly impersonated generative AI tools while cracked video games and cheating tools were often laden with RedLine Stealer and Lumma Stealer. The period under review also painted a dynamic landscape of Android financial threats and saw a number of interesting developments on the ransomware scene and in other corners of the threat landscape.


ESET APT Activity Report Q4 2023–Q1 2024

This report looks at notable operations of selected APT groups from October 2023 to March 2024, which are representative of the broader trends and developments on the threat landscape as investigated by ESET researchers in Q4 2023 and Q1 2024. This period saw a significant increase in activity from Iran-aligned threat groups, while several China-aligned actors exploited vulnerabilities in public-facing appliances and Russia-aligned groups focused on espionage within the European Union and attacks on Ukraine.