Nation-state APTs ramp up attacks on Ukraine and the EU

Russian APT groups intensified attacks against Ukraine and the EU, exploiting zero-day vulnerabilities and deploying wipers, according to ESET.

Ukraine faces rising cyber threats

The Russia-aligned Sandworm group intensified destructive operations against Ukrainian energy companies, deploying a new wiper named ZEROLOT.

Gamaredon remained the most prolific actor targeting Ukraine, enhancing malware obfuscation and introducing PteroBox, a file stealer leveraging Dropbox.

“The infamous Sandworm group concentrated heavily on compromising Ukrainian energy infrastructure. In recent cases, it deployed the ZEROLOT wiper in Ukraine. For this, the attackers abused Active Directory Group Policy in the affected organizations,” says ESET Director of Threat Research Jean-Ian Boutin.

Sednit refined its exploitation of cross-site scripting vulnerabilities in webmail services, expanding Operation RoundPress from Roundcube to include Horde, MDaemon, and Zimbra. ESET discovered that the group successfully leveraged a zero-day vulnerability in MDaemon Email Server (CVE-2024-11182) against Ukrainian companies.

Several Sednit attacks against defense companies located in Bulgaria and Ukraine used spearphishing email campaigns as a lure. Another Russia-aligned group, RomCom, demonstrated advanced capabilities by deploying zero-day exploits against Mozilla Firefox (CVE-2024-9680) and Microsoft Windows (CVE-2024-49039).

China and North Korea expand attack campaigns

In Asia, China-aligned APT groups continued their campaigns against governmental and academic institutions. Mustang Panda remained the most active, targeting governmental institutions and maritime transportation companies via Korplug loaders and malicious USB drives.

DigitalRecyclers continued targeting EU governmental entities, employing the KMA VPN anonymization network and deploying the RClient, HydroRShell, and GiftBox backdoors. PerplexedGoblin used its new espionage backdoor, which ESET named NanoSlate, against a Central European government entity, while Webworm targeted a Serbian government organization using SoftEther VPN, emphasizing the continued popularity of this tool among China-aligned groups.

Elsewhere in Asia, North Korea-aligned threat actors were particularly active in financially motivated campaigns. DeceptiveDevelopment significantly broadened its targeting, using fake job listings primarily within the cryptocurrency, blockchain, and finance sectors. The group employed innovative social engineering techniques to distribute the multiplatform WeaselStore malware.

The Bybit cryptocurrency theft, attributed by the FBI to TraderTraitor APT group, involved a supply-chain compromise of Safe{Wallet} that caused losses of approximately USD 1.5 billion.

Meanwhile, other North Korea-aligned groups saw fluctuations in their operational tempo: In early 2025, Kimsuky and Konni returned to their usual activity levels after a noticeable decline at the end of 2024, shifting their targeting away from English-speaking think tanks, NGOs, and North Korea experts to focus primarily on South Korean entities and diplomatic personnel; and Andariel resurfaced, after a year of inactivity, with a sophisticated attack against a South Korean industrial software company.