ESET has released its semi-annual APT Activity Report covering Q4 2022 and Q1 2023, which summarizes the activities of selected advanced persistent threat (APT) groups that were observed, investigated, and analyzed by ESET researchers from October 2022 until the end of March 2023.

Key highlights of the APT Activity Report include:

    1. China-aligned threat actors Ke3chang and Mustang Panda focused on European organisations.
    2. North Korea-aligned groups continued to focus on South Korean and South Korea-related entities.
    3. Lazarus targeted employees of a defence contractor in Poland with a fake Boeing-themed job offer and also shifted its focus from its usual target verticals to a data management company in India.
    4. Similarities with the newly discovered Linux malware by Lazarus corroborate the theory that the infamous North Korea-aligned group is behind the 3CX supply-chain attack.
    5. Russia-aligned APT groups were especially active in Ukraine and EU countries.
    6. Sandworm deployed wipers (including a new one we call SwiftSlicer).
    7. Intelligence shared in the report is based mostly on proprietary ESET telemetry data and has been verified by ESET researchers.

During this period, several China-aligned threat actors such as Ke3chang and Mustang Panda focused on European organisations. In Israel, Iran-aligned group OilRig deployed a new custom backdoor. North Korea-aligned groups continued to focus on South Korean and South Korea-related entities. Russia-aligned APT groups were especially active in Ukraine and EU countries, with Sandworm deploying wipers.

Malicious activities described in the ESET APT Activity Report are detected by ESET technology. “ESET products protect our customers’ systems from the malicious activities described in this report. The intelligence shared here is based mostly on proprietary ESET telemetry data and has been verified by ESET researchers,” says Director of ESET Threat Research Jean-Ian Boutin.

China-aligned Ke3chang employed tactics such as the deployment of a new Ketrican variant, and Mustang Panda used two new backdoors. MirrorFace targeted Japan and implemented new malware delivery approaches, while Operation ChattyGoblin compromised a gambling company in the Philippines by targeting its support agents. India-aligned groups SideWinder and Donot Team continued to target governmental institutions in South Asia: SideWinder also targeted the education sector in China, while Donot Team continued to develop its infamous yty framework but also deployed the commercially available Remcos RAT. Also in South Asia, ESET Research detected a high number of Zimbra webmail phishing attempts.

In addition to targeting the employees of a defence contractor in Poland with a fake Boeing-themed job offer, North Korea-aligned group Lazarus also shifted its focus from its usual target verticals to a data management company in India, utilising an Accenture-themed lure. ESET also identified a piece of Linux malware being leveraged in one of its campaigns. Similarities with this newly discovered malware corroborate the theory that the infamous North Korea-aligned group is behind the 3CX supply-chain attack.

Russia-aligned APT groups were especially active in Ukraine and EU countries, with Sandworm deploying wipers (including a new one ESET calls SwiftSlicer), and Gamaredon, Sednit, and the Dukes utilising spearphishing emails that, in the case of the Dukes, led to the execution of a red team implant known as Brute Ratel. Finally, ESET detected that the previously mentioned Zimbra email platform was also exploited by Winter Vivern, a group particularly active in Europe. Researchers also noted a significant drop in the activity of SturgeonPhisher, a group targeting government staff of Central Asian countries with spearphishing emails, leading to our belief that the group is currently retooling.