Oil shipments, drone makers, and a poisoned code library targeted in recent APT campaigns

Geopolitical pressure drove much of the state-sponsored cyber activity recorded between October 2025 and March 2026, according to ESET’s latest APT Activity Report. Espionage groups aligned with China, North Korea, Russia, and Iran adjusted their targets to match the economic and security concerns of their governments.

Attack sources (Source: ESET)

“In Asia, the campaigns primarily focused on governmental organizations, strategic industries, and advanced technology sectors. In the Middle East, Israel remained the principal focus of Iran-aligned and Iran-linked activities, with targets ranging from organizations affected by espionage intrusions to device manufacturers hit by destructive tooling,” Jean-Ian Boutin, Director of Threat Research at ESET, explained.

China watches oil and strategic technology

China-aligned groups accounted for the largest portion of recorded attack sources during the period. In January 2026, FamousSparrow targeted a Venezuelan government entity responsible for maritime affairs. China buys about half of Venezuela’s oil exports, and ESET assesses the operation aimed to monitor the resilience of Venezuelan oil shipments following the U.S. military intervention there.

SteppeDriver, a group ESET discovered in December 2024, reached a Syrian government network in February 2026. The activity reflects Chinese commercial interest in Syria’s reconstruction and concerns about Uyghur fighters integrating into Syria’s army. A separate group, NegativeGlimmer, compromised government entities in Cambodia and Panama and an AI and robotics company in South Korea. AI and robotics are priority sectors under the Made in China 2025 industrial policy, and ESET assesses the South Korean intrusion sought intellectual property.

North Korea poisons a widely used code library

By the end of March 2026, attackers tied to North Korea’s Lazarus umbrella compromised the axios package on the npm registry, a JavaScript HTTP client with around 100 million weekly downloads. The attackers built a fake Slack workspace and impersonated a company founder to gain the trust of the lead maintainer. During a Microsoft Teams call, they convinced the maintainer to install a trojanized file disguised as a software update, then harvested an npm token and published malicious versions of the library. The packages stayed online for roughly three hours before removal. Researchers Giuseppe Massaro and Google’s GTIG attributed the incident to BlueNoroff.
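The axios incident illustrates why a release cool-down is a cheap defensive control against registry poisoning: the malicious versions were live for roughly three hours, so a build that refuses to adopt any version younger than a few days would not have picked them up. The script below is an added example, not code from ESET or the axios project, and it does not touch the network: it reads a constructed packument excerpt in the shape of the npm registry's `time` field (version -> publish timestamp), lists the versions that are still inside the quarantine window, and picks the newest version that is old enough to install. The package name, versions and timestamps are placeholders; the version ordering assumes plain numeric x.y.z releases.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed packument excerpt. The npm registry's "time" object maps each
# version to its publish timestamp and also carries a few non-version keys.
# Package name and versions are placeholders, not real axios releases.
SAMPLE_PACKUMENT = json.loads("""
{
  "name": "example-http-client",
  "dist-tags": {"latest": "1.13.2"},
  "time": {
    "created": "2020-01-01T00:00:00.000Z",
    "modified": "2026-03-31T12:00:00.000Z",
    "1.13.0": "2026-01-15T09:00:00.000Z",
    "1.13.1": "2026-03-31T10:00:00.000Z",
    "1.13.2": "2026-03-31T11:30:00.000Z"
  }
}
""")

# Keys under "time" that are not version numbers and must be skipped.
NON_VERSION_KEYS = {"created", "modified", "unpublished"}


def parse_registry_time(ts: str) -> datetime:
    """Parse a registry timestamp such as 2026-03-31T11:30:00.000Z as UTC."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def version_key(version: str) -> tuple:
    """Sort key for plain numeric x.y.z versions (assumption: no pre-release tags)."""
    return tuple(int(part) for part in version.split("."))


def publish_times(packument: dict) -> dict:
    """Return {version: publish datetime}, dropping the non-version keys."""
    return {
        version: parse_registry_time(ts)
        for version, ts in packument["time"].items()
        if version not in NON_VERSION_KEYS
    }


def quarantined_versions(packument: dict, now_iso: str, min_age_days: int) -> list:
    """Versions published less than min_age_days before now_iso, oldest first.
    These are the releases a cool-down policy would refuse to install yet."""
    cutoff = parse_registry_time(now_iso) - timedelta(days=min_age_days)
    fresh = [v for v, t in publish_times(packument).items() if t > cutoff]
    return sorted(fresh, key=version_key)


def choose_version(packument: dict, now_iso: str, min_age_days: int):
    """Newest version that has been public for at least min_age_days,
    or None when every published version is still inside the window."""
    cutoff = parse_registry_time(now_iso) - timedelta(days=min_age_days)
    eligible = [v for v, t in publish_times(packument).items() if t <= cutoff]
    if not eligible:
        return None
    return max(eligible, key=version_key)


if __name__ == "__main__":
    # Constructed "now": 90 minutes after the newest placeholder release.
    now = "2026-03-31T13:00:00.000Z"
    print("latest tag:", SAMPLE_PACKUMENT["dist-tags"]["latest"])
    print("held back (7-day window):", quarantined_versions(SAMPLE_PACKUMENT, now, 7))
    print("version to install:", choose_version(SAMPLE_PACKUMENT, now, 7))
```

With a seven-day window the two same-day releases are held back and the build resolves to the January release; with a zero-day window the script behaves like a plain `latest` install, which is the behaviour that exposed downstream projects during the three-hour window described above. The trade-off is that a genuine security fix is also delayed by the window, so the quarantine list is worth surfacing rather than silently dropping.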

Andariel resurfaced in South Korea in March 2026, deploying TigerRAT and Rook ransomware at an engineering company that makes equipment for liquid hydrogen handling and the nuclear industry, technologies relevant to Pyongyang’s ballistic and nuclear programs. Operation DreamJob targeted South Korean newspaper and pharmaceutical organizations after earlier hitting European drone makers. ScarCruft compromised sqgame, a gaming platform serving the Yanbian region of China, to collect information on North Korean refugees and defectors.

Russia keeps wiping data in Ukraine and beyond

Ukraine remained the primary focus of Russia-aligned operations. Sednit deployed its Covenant and BeardShell implants against Ukrainian military personnel and drone manufacturers. Sandworm increased destructive activity over the winter, deploying new wiper families including ZeroRays, written in Rust, and NAUGHTYWIPE, which displays a fake Windows update message during the wipe.

A December 2025 data destruction incident hit a Polish energy company. ESET attributes the attack, which used a wiper it named DynoWiper, to Sandworm with medium confidence. The case stands out because it affected critical infrastructure in a NATO member state. Poland helps stabilize Ukraine’s electricity supply, and ESET assesses the operation may have aimed to strain Ukraine’s power grid during winter.

Iran activity shifts to proxies and unattributed groups

A war in Iran that began in late February 2026 coincided with a drop in activity from established Iran-aligned APT groups in ESET telemetry. Internet restrictions imposed by the Iranian regime limited their operations. Pro-Iranian proxy and hacktivist groups stepped up attacks on Israel and the United States.

ESET documented three unattributed clusters with Iranian characteristics. Rusty Boots used a bootkit-style wiper against Israeli device manufacturers. MoKhargosh compromised more than 130 systems with a backdoor called GoKhargosh, retaining destructive options for possible later use. MOØN Badr ran a small espionage campaign against three Israeli victims.

Other tracked activity included a browser-in-the-browser phishing attack against a Japanese think tank, Android spyware named Asin aimed at Arabic-speaking users, and the compromise of a UAE defense company through a SmartOffice CRM server.
