ESET APT Report: China-Aligned Groups Accelerate Global Espionage Following Geopolitical Shifts
ESET Research has released its latest Advanced Persistent Threat (APT) Activity Report, covering the period from October 2025 to March 2026. This report highlights a significant escalation in global espionage activities by China-aligned threat actors, driven by geopolitical events that directly affect China’s economic and security interests.
Escalation of Espionage Activities
The report outlines that following a U.S. military operation in Venezuela and ongoing instability in the Gulf region, China-aligned groups have intensified their efforts to monitor maritime, energy, and political developments abroad. The North Korea-aligned group Andariel has notably targeted a company believed to be involved in the nuclear power sector, illustrating the interconnected nature of these geopolitical tensions.
Another group, FamousSparrow, specifically focused on a Venezuelan government entity responsible for maritime affairs, likely to assess the resilience of oil shipments in light of U.S. interventions. ESET also identified activities by SteppeDriver, which targeted a Syrian governmental network, reflecting both commercial interests in Syria’s reconstruction and security concerns regarding Uyghur fighters in the region.
The UNC5221 group employed its SPAWN malware family to target governmental entities in Cambodia and Panama, as well as an AI and robotics company in South Korea. This targeting aligns with Beijing’s strategic interests in advanced technologies, particularly those outlined in the Made in China 2025 industrial policy.
Regional Focus and Implications
Jean-Ian Boutin, Director of Threat Research at ESET, noted that in Asia, the campaigns primarily targeted governmental organizations, strategic industries, and advanced technology sectors. In the Middle East, Israel has remained the primary focus of Iran-aligned activities, with targets ranging from organizations affected by espionage to device manufacturers subjected to destructive tooling.
The conflict in Iran, which escalated in late February 2026, has significantly influenced Iran-aligned activities during this period. This conflict coincided with a decline in operations from established Iran-aligned APT groups, likely due to internet restrictions imposed by the Iranian regime that hindered their operational capabilities. Conversely, this environment has seemingly favored the rise of proxy and hacktivist actors targeting Israel, the United States, and other nations perceived as adversarial to Tehran.
ESET documented an unusual spike in activity against Israeli targets that could not be definitively linked to known groups. Two unidentified clusters, Rusty Boots and MoKhargosh, exhibited both espionage capabilities and destructive potential, including the deployment of a bootkit-style wiper while retaining destructive tools for future use.
Targeting of Defense and Intelligence Sectors
ESET Research also reported a breach involving a defense company in the United Arab Emirates, alongside targeted attacks against Arabic-speaking users through Android spyware. This spyware was likely aimed at journalists or open-source intelligence practitioners, as suggested by the name of the attacker’s Telegram channel, which appears to be inspired by the Live Universal Awareness Map (Liveuamap), a well-known OSINT platform that maps military incidents globally.
North Korea-aligned threat actors have maintained a robust presence across multiple fronts. Various groups have continued to target developers and the cryptocurrency ecosystem using social engineering tactics that can yield both direct financial gains and opportunities for software supply-chain compromise. The resurgence of the Andariel group has been particularly notable, with attacks against South Korea involving the deployment of TigerRAT and attempts to spread Rook ransomware within an engineering company linked to liquid hydrogen handling and the nuclear power industry—technologies critical to Pyongyang’s ballistic and nuclear ambitions.
Ongoing Threats from Russia-Aligned Actors
Russia-aligned threat actors have predominantly focused their efforts on Ukraine and entities associated with the country’s defense initiatives. The Sednit group deployed its Covenant and BeardShell implants against Ukrainian military personnel, drone manufacturers, and organizations involved in drone research and development, while also targeting logistics and transportation companies outside Ukraine.
Sandworm has intensified its destructive activities, particularly over the winter months, deploying several new wipers against both governmental and private sector targets in Ukraine. A significant incident occurred in December 2025, involving data destruction at a Polish energy company, which ESET attributed to Sandworm with medium confidence.
Published on 2026-06-01 22:36:00 • By the Editorial Desk