Executive Summary
Between October 2025 and March 2026, ESET researchers observed significant activities from various Advanced Persistent Threat (APT) groups. China-aligned actors conducted espionage campaigns targeting maritime, energy, and political sectors, notably in Venezuela and Syria. Iran-aligned groups experienced a decline in activity due to domestic internet restrictions, while proxy and hacktivist actors increased attacks on Israel and the United States. North Korea-aligned groups focused on developers and the cryptocurrency ecosystem, employing social engineering tactics for financial gain and potential supply-chain compromises. Russia-aligned actors intensified operations against Ukraine, deploying new wipers and targeting critical infrastructure, with notable incidents extending to NATO member states like Poland. Lesser-known clusters also emerged, including browser-in-the-browser phishing attacks and Android spyware targeting Arabic-speaking users. This period underscores the evolving tactics of APT groups and the necessity for robust cybersecurity measures to counteract these sophisticated threats.
Why This Matters Now
The observed activities highlight the dynamic nature of cyber threats, with state-aligned actors adapting their strategies in response to geopolitical developments. Organizations must remain vigilant and proactive in implementing comprehensive security measures to mitigate the risks posed by these evolving threats.
Attack Path Analysis
The attack began with the exploitation of vulnerabilities in Ivanti VPN appliances, leading to unauthorized access. The attackers then escalated privileges by deploying the PhiliKit implant, enabling deeper system control. Subsequently, they moved laterally within the network to compromise additional systems. Establishing command and control channels allowed them to maintain persistent access. Sensitive data was exfiltrated to external servers. Finally, the attackers deployed a bootkit-style wiper to destroy critical data and disrupt operations.
Kill Chain Progression
Initial Compromise
Description
Exploitation of vulnerabilities in Ivanti VPN appliances to gain unauthorized access.
MITRE ATT&CK® Techniques
- Valid Accounts (T1078)
- Phishing (T1566)
- Exploit Public-Facing Application (T1190)
- Command and Scripting Interpreter (T1059)
- Application Layer Protocol (T1071)
- Impair Defenses (T1562)
- Data Destruction (T1485)
- Exfiltration Over Web Service (T1567)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
State-sponsored APT groups targeting governmental entities in Venezuela, Syria, Cambodia, and Panama for maritime affairs, political intelligence, and strategic espionage operations.
Oil/Energy/Solar/Greentech
China-aligned FamousSparrow targeting Venezuelan maritime-connected entities to monitor oil shipment resilience, plus destructive attacks against Polish energy infrastructure affecting critical systems.
Defense/Space
Multiple APT groups targeting defense companies, drone manufacturers, military personnel, and nuclear-relevant engineering firms for strategic technology acquisition and operational intelligence gathering.
Information Technology/IT
Sophisticated supply-chain attacks compromising widely-used JavaScript libraries, VPN appliances, and cloud infrastructure requiring enhanced zero-trust segmentation and egress security controls.
Sources
- ESET APT Activity Report Q4 2025–Q1 2026: https://www.welivesecurity.com/en/eset-research/eset-apt-activity-report-q4-2025-q1-2026/
- ESET APT Activity Report Q4 2025–Q1 2026 (PDF): https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-apt-activity-report-q4-2025-q1-2026.pdf
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it would likely limit the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix CNSF may not prevent initial unauthorized access, it would likely limit the attacker's ability to exploit further vulnerabilities within the network.
Control: Zero Trust Segmentation
Mitigation: Zero Trust Segmentation would likely limit the attacker's ability to escalate privileges by restricting access to sensitive systems.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security would likely limit the attacker's ability to move laterally by enforcing strict communication policies between workloads.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control would likely limit the attacker's ability to establish command and control channels by monitoring and controlling outbound communications.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement would likely limit the attacker's ability to exfiltrate data by enforcing strict outbound data transfer policies.
While Aviatrix CNSF may not prevent the deployment of destructive tools, it would likely limit the blast radius by containing the attacker's access to segmented workloads.
Impact at a Glance
Affected Business Functions
- Government Operations
- Maritime Logistics
- Energy Sector Management
- Technology Development
Estimated downtime: 7 days
Estimated loss: $500,000
Data at risk: Sensitive governmental communications, maritime shipment schedules, energy infrastructure details, proprietary technology designs.
Recommended Actions
Key Takeaways & Next Steps
- Implement East-West Traffic Security to monitor and control lateral movement within the network.
- Deploy Zero Trust Segmentation to enforce least privilege access and limit the spread of attacks.
- Utilize Multicloud Visibility & Control to detect and respond to command and control activities.
- Enforce Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.
- Apply Inline IPS (Suricata) to detect and block exploitation attempts targeting known vulnerabilities.
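The egress control described in the CNSF mitigations and in the action list above comes down to a default-deny allowlist evaluated per workload segment. The following is an added illustration of that idea, not Aviatrix product code and not anything from the ESET report: the segment addressing, the allowlist entries and the sample flow records are all constructed, and the field names on the Flow record are assumptions. It evaluates each outbound flow against the policy of the segment it came from, treats east-west traffic as out of scope for the egress decision, and reports the denied flows with the largest transfers first, which is where an exfiltration attempt or an unlisted command-and-control destination would surface.

```python
"""Default-deny egress policy check over constructed flow records.

Added illustration only: models "strict outbound data transfer policies" as a
per-segment allowlist and flags flows that leave the environment to any
destination the policy does not permit. All addresses, segments and records
below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed workload segments (hypothetical RFC 1918 addressing).
SEGMENTS = {
    "web-dmz": ip_network("10.10.0.0/24"),
    "app-tier": ip_network("10.20.0.0/24"),
    "db-tier": ip_network("10.30.0.0/24"),
}

# Constructed allowlist: per segment, the (destination network, port) pairs
# permitted to leave the environment. An empty list, or no entry at all,
# means the segment has no internet egress (default deny).
EGRESS_POLICY = {
    "web-dmz": [(ip_network("203.0.113.0/24"), 443)],     # approved SaaS range
    "app-tier": [(ip_network("198.51.100.10/32"), 443)],  # approved update mirror
    "db-tier": [],                                         # never egresses
}

RFC1918 = (
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
)


@dataclass(frozen=True)
class Flow:
    """One outbound flow record; field names are assumptions for the example."""
    src: str
    dst: str
    dport: int
    bytes_out: int


def segment_of(ip: str):
    """Name of the segment containing ip, or None if it is unknown."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_internal(ip: str) -> bool:
    """True when the address is inside the private ranges (east-west traffic)."""
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


def evaluate(flow: Flow):
    """Return (verdict, reason); verdict is 'allow', 'deny' or 'internal'."""
    if is_internal(flow.dst):
        return "internal", "east-west traffic; not an egress decision"
    seg = segment_of(flow.src)
    if seg is None:
        # An unknown source gets no egress rather than a permissive default.
        return "deny", f"source {flow.src} is in no known segment"
    dst = ip_address(flow.dst)
    for net, port in EGRESS_POLICY.get(seg, []):
        if dst in net and flow.dport == port:
            return "allow", f"{seg} -> {net}:{port} is allowlisted"
    return "deny", f"{seg} has no allowlist entry for {flow.dst}:{flow.dport}"


def audit(flows):
    """Return the denied flows with their reasons, largest transfers first."""
    denied = []
    for f in flows:
        verdict, reason = evaluate(f)
        if verdict == "deny":
            denied.append((f, reason))
    denied.sort(key=lambda item: item[0].bytes_out, reverse=True)
    return denied


# Constructed sample flows: two approved, one east-west, two that should be denied.
SAMPLE_FLOWS = [
    Flow("10.10.0.5", "203.0.113.7", 443, 2_000),        # web tier to approved SaaS
    Flow("10.20.0.8", "198.51.100.10", 443, 40_000),     # app tier fetching updates
    Flow("10.10.0.5", "10.20.0.8", 5432, 1_200),         # east-west, out of scope here
    Flow("10.30.0.4", "192.0.2.50", 443, 52_000_000),    # db tier pushing 52 MB outbound
    Flow("10.20.0.8", "192.0.2.99", 8443, 3_500),        # app tier to an unlisted host
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst}:{flow.dport} ({flow.bytes_out} B): {reason}")
```

The ordering matters in practice: the db-tier flow is denied because its segment has no egress at all, independent of destination, while the app-tier flow is denied only because the destination and port are not on that segment's list. Both verdicts are produced without any knowledge of the attacker's infrastructure, which is the point of an allowlist over a blocklist.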