BRATISLAVA, Slovakia, Nov. 06, 2025 (GLOBE NEWSWIRE) -- ESET Research has released its latest APT Activity Report, which highlights activities of select APT groups that were documented by ESET researchers from April through September 2025. During the monitored period, China-aligned APT groups continued to advance Beijing’s geopolitical objectives. ESET observed increasing use of the adversary-in-the-middle technique for both initial access and lateral movement in what appears to be a response to the Trump administration’s strategic interest in Latin America and possibly influenced by the ongoing US-China power struggle. The FamousSparrow group embarked on an attack on Latin America, targeting multiple governmental entities in the region. Across Europe, governmental entities remained a primary focus of cyberespionage by Russia-aligned APT groups as they intensified their operations against Ukraine and several European Union member states.
Notably, even non-Ukrainian targets of Russia-aligned groups exhibited strategic or operational links to Ukraine, reinforcing the notion that the country remains central to Russia’s intelligence efforts. RomCom exploited a zero-day vulnerability in WinRAR to deploy malicious DLLs and deliver a variety of backdoors, mainly focused on the financial, manufacturing, defense, and logistics sectors in the EU and Canada. As zero-day exploits are costly, both the Gamaredon and Sandworm groups used the much less expensive spearphishing technique as their primary method of compromise. Gamaredon remained the most active APT group targeting Ukraine, with a noticeable increase in the intensity and frequency of its operations. Similarly, Sandworm focused on Ukraine — albeit with destruction as its motive rather than Gamaredon’s cyberespionage — largely concentrating on the governmental, energy, logistics, and grain sectors, the likely objective being the weakening of the Ukrainian economy.
The Belarus-aligned group FrostyNeighbor exploited an XSS vulnerability in Roundcube. Polish and Lithuanian companies were targeted by spearphishing emails that impersonated Polish businesses. The emails contained a distinctive use and combination of bullet points and emojis, a structure reminiscent of AI-generated content, suggesting possible use of AI in the campaign. Delivered payloads included a credential stealer and an email message stealer.
“Interestingly, one Russia-aligned threat actor, InedibleOchotense, conducted a spearphishing campaign impersonating ESET. This campaign involved emails and Signal messages delivering a trojanized ESET installer that leads to the download of a legitimate ESET product along with the Kalambur backdoor,” says Jean-Ian Boutin, Director of Threat Research at ESET.
In Asia, APT groups continued targeting governmental entities as well as both the technology and the engineering and manufacturing sectors, a pattern consistent with the previous reporting period. North Korea-aligned threat actors remained highly active in operations directed at South Korea and its technology sector, particularly cryptocurrency, which is a key source of revenue for the regime.
“China-aligned groups remain very active, with campaigns spanning Asia, Europe, Latin America, and the US being observed recently by ESET researchers. This global embrace illustrates that China-aligned threat actors continue to be mobilized to help serve a wide array of Beijing’s current geopolitical priorities,” adds Boutin.
Between June and September, ESET also observed FamousSparrow conducting several operations throughout Latin America, mostly against governmental entities. These represent the bulk of activities that ESET has attributed to the group during this period, suggesting that this region was the group’s main operational focus in recent months. These activities might be partly linked with the current US-China power struggle in the region, resulting from the Trump administration’s renewed interest in Latin America. Overall, the observed victimology of FamousSparrow’s “Latin American tour” includes multiple governmental entities in Argentina, a governmental entity in Ecuador, a governmental entity in Guatemala, multiple governmental entities in Honduras, and a governmental entity in Panama.
ESET products protect our customers’ systems from the malicious activities described in this report. Intelligence shared here is based mostly on proprietary ESET telemetry data and has been verified by ESET researchers, who prepare in-depth technical reports and frequent activity updates detailing activities of specific APT groups. These threat intelligence analyses, known as ESET APT Reports, assist organizations tasked with protecting citizens, critical national infrastructure, and high-value assets from criminal and nation-state-directed cyberattacks. More information about ESET APT Reports and its delivery of high-quality, actionable tactical and strategic cybersecurity threat intelligence is available at the ESET Threat Intelligence page.
For more details about the mentioned and other APT groups’ activities, read the full APT Activity Report “Russia-aligned APTs ramp up attacks against Ukraine and its strategic partners” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news.
About ESET
ESET® provides cutting-edge cybersecurity to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of emerging global cyberthreats, both known and unknown, securing businesses, critical infrastructure, and individuals. Whether it’s endpoint, cloud, or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. The ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit www.eset.com or follow our social media, podcasts and blogs.
Figure: Targeted countries and sectors. A photo accompanying this announcement is available at: https://www.globenewswire.com/NewsRoom/AttachmentNg/e60a5453-69b6-46d8-a3f3-00b9ad2d35e5
CONTACT: Media contact: Jessica Beffa jessica.beffa@eset.com 720-413-4938