ESET’s latest APT report reveals a sharp rise in state-sponsored attacks from Russia, China, and North Korea — with critical infrastructure in the crosshairs.
ESET Research has uncovered a troubling escalation in cyber warfare tactics, with Russia-aligned threat actors intensifying attacks on Ukraine and European nations. In its latest APT Activity Report (October 2024–March 2025), ESET details how the notorious Sandworm group has deployed a new destructive malware, ZEROLOT, targeting Ukrainian energy infrastructure.
The report paints a broader picture of coordinated campaigns by Russian APTs — including Gamaredon, Sednit, and RomCom — using advanced exploits, phishing lures, and cloud-based data stealers. Sednit, for instance, was found exploiting a zero-day in MDaemon Email Server (CVE-2024-11182), expanding its Operation RoundPress campaign. Gamaredon introduced a Dropbox-based file stealer dubbed PteroBox, while RomCom exploited zero-day vulnerabilities in Firefox and Windows to launch targeted attacks.

“These actors are combining destructive malware with sophisticated delivery mechanisms to target critical infrastructure.” — Jean-Ian Boutin, Director of Threat Research, ESET
“The deployment of ZEROLOT signals a renewed and aggressive push to disrupt Ukraine’s critical infrastructure,” added Boutin.
Beyond Russia, China-aligned groups like Mustang Panda and DigitalRecyclers continued their long-running espionage operations against European governments and maritime firms. Meanwhile, North Korean actors such as DeceptiveDevelopment expanded financially motivated campaigns, using fake job offers to spread the WeaselStore malware — with one incident linked to a $1.5 billion cryptocurrency theft.
ESET warns that this period marks not just persistence but evolution in global APT tactics. The report underscores the growing need for governments and enterprises to proactively defend against both traditional espionage and destructive cyber sabotage.