Press Center

Malware and antivirus software

News

ESET APT Activity Report: Attacks by China-, North Korea-, and Iran-aligned threat actors; Russia eyes Ukraine and the EU

Created: 2023-05-15 03:52:33

  • ESET has released its APT Activity Report covering Q4 2022 and Q1 2023, which summarizes the activities of selected advanced persistent threat (APT) groups.
  • China-aligned threat actors Ke3chang and Mustang Panda focused on European organizations.
  • North Korea-aligned groups continued to focus on South Korean and South Korea-related entities.
  • Lazarus targeted employees of a defense contractor in Poland with a fake Boeing-themed job offer and also shifted its focus from its usual target verticals to a data management company in India.
  • Similarities with the newly discovered Linux malware by Lazarus corroborate the theory that the infamous North Korea–aligned group is behind the 3CX supply-chain attack.
  • Russia-aligned APT groups were especially active in Ukraine and EU countries.
  • Sandworm deployed wipers (including a new one we call SwiftSlicer).
  • Intelligence shared in the report is based mostly on proprietary ESET telemetry data and has been verified by ESET researchers.

BRATISLAVA — May 9, 2023 — ESET has released its APT Activity Report, which summarizes the activities of selected advanced persistent threat (APT) groups that were observed, investigated, and analyzed by ESET researchers from October 2022 until the end of March 2023. The report is being published on a semi-annual basis. During this period, several China-aligned threat actors such as Ke3chang and Mustang Panda focused on European organizations. In Israel, Iran-aligned group OilRig deployed a new custom backdoor. North Korea-aligned groups continued to focus on South Korean and South Korea-related entities. Russia-aligned APT groups were especially active in Ukraine and EU countries, with Sandworm deploying wipers.

Malicious activities described in the ESET APT Activity Report are detected by ESET technology. “ESET products protect our customers’ systems from the malicious activities described in this report. The intelligence shared here is based mostly on proprietary ESET telemetry data and has been verified by ESET researchers,” says Director of ESET Threat Research Jean-Ian Boutin.

China-aligned Ke3chang employed tactics such as the deployment of a new Ketrican variant, and Mustang Panda used two new backdoors. MirrorFace targeted Japan and implemented new malware delivery approaches, while Operation ChattyGoblin compromised a gambling company in the Philippines by targeting its support agents. India-aligned groups SideWinder and Donot Team continued to target governmental institutions in South Asia with the former targeting the education sector in China, and the latter continuing to develop its infamous yty framework, but also deploying the commercially available Remcos RAT. Also in South Asia, ESET Research detected a high number of Zimbra webmail phishing attempts.

In addition to targeting the employees of a defense contractor in Poland with a fake Boeing-themed job offer, North Korea-aligned group Lazarus also shifted its focus from its usual target verticals to a data management company in India, utilizing an Accenture-themed lure. ESET also identified a piece of Linux malware being leveraged in one of their campaigns. Similarities with this newly discovered malware corroborate the theory that the infamous North Korea–aligned group is behind the 3CX supply-chain attack.

Russia-aligned APT groups were especially active in Ukraine and EU countries, with Sandworm deploying wipers (including a new one ESET calls SwiftSlicer), and Gamaredon, Sednit, and the Dukes utilizing spearphishing emails that, in the case of the Dukes, led to the execution of a red team implant known as Brute Ratel. Finally, ESET detected that the previously mentioned Zimbra email platform was also exploited by Winter Vivern, a group particularly active in Europe, and researchers noted a significant drop in the activity of SturgeonPhisher, a group targeting government staff of Central Asian countries with spearphishing emails, leading to our belief that the group is currently retooling.

For more technical information, check the full “ESET APT Activity Report” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

ESET APT Activity Reports contain only a fraction of the cybersecurity intelligence data provided to customers of ESET’s private APT reports. ESET researchers prepare in-depth technical reports and frequent activity updates detailing activities of specific APT groups in the form of ESET APT Reports PREMIUM to help organizations tasked with protecting citizens, critical national infrastructure, and high-value assets from criminal and nation-state-directed cyberattacks. Comprehensive descriptions of activities described in this document were therefore previously provided exclusively to our premium customers. More information about ESET APT Reports PREMIUM that deliver high-quality strategic, actionable, and tactical cybersecurity threat intelligence is available at the ESET Threat Intelligence page.




About ESET
ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET pioneered and continues to lead the industry in proactive threat detection. ESET NOD32 Antivirus, its flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product that builds out the ESET product line to include ESET Smart Security. ESET Smart Security is an integrated antivirus, antispyware, antispam and personal firewall solution that combines accuracy, speed and an extremely small system footprint to create the most effective security solution in the industry. Both products have an extremely efficient code base that eliminates the unnecessary large size found in some solutions. This means faster scanning that doesn’t slow down computers or networks. Sold in more than 160 countries, ESET has worldwide production headquarters in Bratislava, SK and worldwide distribution headquarters in San Diego, U.S. ESET also has offices in Bristol, U.K.; Buenos Aires, AR; Prague, CZ; and is globally represented by an extensive partner network. For more information, visit our local office at https://eset.version-2.sg.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities. For more information, please visit https://www.version-2.com.sg/ or call (65) 6296-4268.

Why ESET?

ESET has over 25 years' experience of helping people to Enjoy Safer Technology. Our software is light on hardware, but hard on malware.

Our Technology

ESET’s award-winning NOD32® Antivirus technology is at the cutting edge of digital security. It’s updated daily to keep you secure.

Free Support

Enjoy your free, industry-leading customer support locally. For technical, sales and marketing enquires dial +65 6296 4268.