
China-Linked APT Groups Target Venezuela, Gulf, and AI Firms; ESET Report Flags Global Cyber Espionage Surge


Cybersecurity firm ESET has released its latest APT Activity Report (October 2025–March 2026), highlighting a sharp rise in state-sponsored cyber espionage campaigns, with China-aligned threat actors leading operations across geopolitical hotspots including Venezuela, Syria, and the Gulf region.

According to ESET Research, Chinese advanced persistent threat (APT) groups intensified surveillance efforts targeting maritime operations, energy infrastructure, and government systems, particularly in regions tied to Beijing’s economic and strategic interests. A Venezuelan government entity linked to maritime affairs was targeted, likely to monitor oil shipment stability following recent U.S. military activity.

“In Asia, the campaigns primarily focused on governmental organizations, strategic industries, and advanced technology sectors. In the Middle East, Israel remained the principal focus of Iran-aligned and Iran-linked activities.”

Jean-Ian Boutin, Director of Threat Research at ESET.

The report also identified cyber intrusions into an AI and robotics company in South Korea, underscoring China’s continued focus on emerging technologies aligned with its Made in China 2025 strategy. Additional campaigns were observed in Cambodia, Panama, and Syria, reflecting both economic and security motivations.

In the Middle East, ESET uncovered a security breach involving a UAE-based defense company, alongside Android spyware campaigns targeting Arabic-speaking users, potentially journalists or open-source intelligence (OSINT) professionals.

Meanwhile, the North Korea-linked Andariel group resurfaced with attacks on a South Korean engineering firm associated with nuclear and hydrogen technologies, deploying malware such as TigerRAT and attempting ransomware propagation.

The report notes that Russia-aligned threat actors remained heavily focused on Ukraine, with groups like Sednit targeting military personnel, drone developers, and logistics providers. Sandworm, another Russia-linked unit, escalated destructive operations, including a data-wiping attack on a Polish energy company in December 2025.

ESET also observed evolving activity from Iran-linked actors amid the February 2026 conflict, with reduced direct operations but increased involvement of proxy and hacktivist groups targeting Israel and its allies.

ESET emphasized that its intelligence is based on verified telemetry and ongoing research, helping organizations safeguard critical infrastructure, enterprises, and national assets from increasingly sophisticated nation-state cyber threats.
