Why It Matters
The report highlights how geopolitical flashpoints are directly translating into cyber‑espionage and sabotage, raising the risk profile for critical infrastructure and supply‑chain ecosystems worldwide.
Key Takeaways
- China-aligned actors targeted Venezuelan maritime agency post‑US operation
- North Korean groups exploited npm’s axios library, injecting malicious code
- Russian Sandworm wipers hit Polish energy firm, threatening NATO infrastructure
- Iranian proxy clusters launched bootkit wipers against Israeli targets
- Lazarus continued supply‑chain attacks on European drone manufacturers
Pulse Analysis
The latest ESET APT Activity Report underscores a clear pattern: geopolitical events are driving state‑backed cyber campaigns. After the U.S. military action in Venezuela, China‑aligned groups such as FamousSparrow moved to monitor oil‑shipment resilience, while SteppeDriver focused on Syrian reconstruction interests. These operations illustrate how traditional foreign‑policy objectives are now pursued through digital espionage, expanding the attack surface for governments and multinational corporations alike.
The software supply chain emerged as a critical weak point, most notably when North Korean actors compromised the npm package axios, a library with over 100 million weekly downloads. By hijacking the maintainer’s credentials, they injected trojanized code that could infiltrate countless web and mobile applications. Similarly, Lazarus’s Operation DreamJob targeted European drone manufacturers, signaling a strategic push to undermine emerging aerospace technologies. These incidents reinforce the need for rigorous code‑signing, dependency monitoring, and rapid incident response capabilities.
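Dependency monitoring of the kind this paragraph calls for can start with a lockfile drift check: compare what a project's package-lock.json now resolves to against a previously approved baseline, and flag any package whose version, content hash or download origin changed. The script below is an added example, not code from ESET or the report; the lockfile, package names, versions and hashes are constructed placeholders.

```javascript
// Added example: lockfile drift check against an approved baseline.
// Works on the npm lockfileVersion 2/3 "packages" layout. A changed
// integrity hash for an unchanged version string, or a tarball resolved
// from outside the approved registry, is what a hijacked release looks
// like from the consuming project's side. All values are constructed.
const APPROVED_REGISTRY = "https://registry.npmjs.org/";

function checkLockfileDrift(lockfile, baseline) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = path.replace(/^.*node_modules\//, ""); // handles nesting
    const known = baseline[name];
    if (!known) {
      findings.push({ name, reason: "not in baseline" });
      continue;
    }
    if (entry.resolved && !entry.resolved.startsWith(APPROVED_REGISTRY)) {
      findings.push({ name, reason: "resolved outside approved registry", value: entry.resolved });
    }
    if (entry.version !== known.version) {
      findings.push({ name, reason: "version changed", value: `${known.version} -> ${entry.version}` });
    } else if (entry.integrity !== known.integrity) {
      // Same version, different content hash: the strongest drift signal.
      findings.push({ name, reason: "integrity changed for same version", value: entry.integrity });
    }
  }
  return findings;
}

// Constructed sample: baseline approved earlier, and a lockfile in which
// axios kept its version string but its tarball hash changed.
const baseline = {
  axios: { version: "0.0.0-placeholder", integrity: "sha512-BASELINEPLACEHOLDER" },
  "follow-redirects": { version: "0.0.0-placeholder", integrity: "sha512-OKPLACEHOLDER" },
};
const lockfile = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app" },
    "node_modules/axios": { version: "0.0.0-placeholder",
      resolved: "https://registry.npmjs.org/axios/-/axios-0.0.0.tgz",
      integrity: "sha512-DIFFERENTPLACEHOLDER" },
    "node_modules/follow-redirects": { version: "0.0.0-placeholder",
      resolved: "https://registry.npmjs.org/follow-redirects/-/f.tgz",
      integrity: "sha512-OKPLACEHOLDER" },
  },
};
console.log(checkLockfileDrift(lockfile, baseline));
```

In practice the baseline is the lockfile state reviewed at the last release, and any finding blocks the build until a human confirms the new tarball.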
Destructive capabilities are no longer confined to traditional ransomware. Russian Sandworm’s deployment of new wipers against a Polish energy firm demonstrates a willingness to strike NATO allies beyond the Ukrainian theater, potentially destabilizing regional power grids. Meanwhile, Iranian‑aligned proxy clusters like Rusty Boots and MoKhargosh introduced bootkit‑style wipers against Israeli targets, blurring the line between espionage and sabotage. Organizations must therefore adopt a layered defense posture, integrating threat‑intel feeds, endpoint detection, and continuous network segmentation to mitigate the evolving threat landscape.
ESET APT Activity Report Q4 2025–Q1 2026
