Geopolitical Tension Reflected in Digital Space: ESET Reports Rise in APT Attacks

ESET’s latest APT report reveals China-linked groups intensified Latin America attacks, while Russia-linked groups targeted Ukraine and the EU, increasingly using organized crime tactics in hybrid warfare.

Nov 12, 2025 - 11:36

WISE NEWS PRESS / BRATISLAVA, SLOVAKIA — Nov. 12, 2025

ESET, a global leader in cybersecurity, has published its latest Advanced Persistent Threat (APT) report covering the period from April to September 2025. The report reveals that China-linked APT groups intensified their use of the "adversary-in-the-middle" technique to advance Beijing’s geopolitical objectives, specifically targeting governments in several Latin American countries.

Meanwhile, Russia-linked APT groups escalated and expanded their operations targeting Ukraine and several European Union member states, with one threat actor, InedibleOchotense, executing a spearphishing campaign impersonating ESET.

ESET Research highlighted the activities of elite APT groups documented by its researchers between April and September 2025. During the monitoring period, China-linked APT groups continued to advance Beijing's geopolitical goals. ESET observed that the FamousSparrow group increasingly used the "adversary-in-the-middle" technique for both initial access and lateral movement, potentially as a response to the Trump administration’s strategic interest in Latin America and the ongoing US-China power struggle.

FamousSparrow launched an attack in Latin America, targeting multiple government institutions across the region. Across Europe, government institutions remained a primary focus for cyber espionage, as Russia-linked APT groups intensified their operations against Ukraine and several European Union member states.

Russia’s Focus on Ukraine and Economic Sabotage

Notably, even the non-Ukrainian targets of Russia-linked groups exhibited strategic or operational connections to Ukraine, reinforcing the idea that the country remains central to Russia’s intelligence efforts.

  • RomCom exploited a zero-day vulnerability in WinRAR to distribute malicious DLLs that delivered various backdoors, targeting the finance, manufacturing, defense, and logistics sectors in the EU and Canada.

  • Both Gamaredon and Sandworm relied on spearphishing as their primary attack vector, a far cheaper technique than zero-day exploits, which are costly to obtain.

  • Gamaredon remained the most active APT group targeting Ukraine, showing a marked increase in the intensity and frequency of its operations.

  • Sandworm also focused on Ukraine—but unlike Gamaredon's cyber espionage activities, its goal was destruction. It largely focused on the government, energy, logistics, and grain sectors, likely aiming to undermine the Ukrainian economy.

AI-Generated Content in Cyber Attacks

The Belarus-linked FrostyNeighbor group exploited an XSS vulnerability in Roundcube. Companies in Poland and Lithuania were targeted by spearphishing emails impersonating Polish firms. The emails contained distinct bullet points and emojis, suggesting the use of Artificial Intelligence (AI) to craft the content. The payloads delivered included a credential stealer and an email message stealer.

Jean-Ian Boutin, ESET Director of Threat Research, stated: "Interestingly, a Russia-linked threat actor, InedibleOchotense, executed a spearphishing campaign impersonating ESET. This campaign involved emails and Signal messages containing a trojanized ESET installer, leading to the download of a legitimate ESET product along with the Kalambur backdoor."

China's Global Expansion and Geopolitical Priorities

China-linked groups remain highly active, with campaigns recently observed by ESET researchers across Asia, Europe, Latin America, and the US. This global spread indicates that China-linked threat actors continue to be mobilized to support Beijing’s current geopolitical priorities.

In Asia, APT groups continued to target government institutions, as well as the technology, engineering, and manufacturing sectors. North Korea-linked threat actors remained highly active in operations targeting South Korea and the technology sector, particularly in cryptocurrency, a key source of revenue for the regime.

ESET also observed that FamousSparrow conducted various operations in Latin America, mostly targeting government entities, between June and September. These activities constituted a large portion of the activity ESET attributed to the group during this period, indicating the region has become the group's main operational focus in recent months, partially linked to the ongoing US-China power struggle in the region following the renewed interest from the Trump administration.

Editor | Wise News Press — Delivering accurate, timely global news with integrity, insight, and editorial responsibility.