Market Impact: 0.4

ESET APT Activity Report Q4 2024–Q1 2025

Topics: Cybersecurity & Data Privacy | Geopolitics & War | Technology & Innovation

ESET's APT Activity Report for Q4 2024-Q1 2025 highlights persistent espionage campaigns by China-aligned groups targeting European organizations, with Mustang Panda being the most active. Iran-aligned actors, led by MuddyWater, frequently leveraged RMM software, while North Korea-aligned groups, including TraderTraitor, focused on financially motivated campaigns, with the FBI attributing the Bybit cryptocurrency theft of $1.5 billion to them. Russia-aligned threat actors, such as Sednit and Gamaredon, aggressively targeted Ukraine and EU countries, exploiting zero-day vulnerabilities in webmail services and deploying new wiper malware against Ukrainian energy companies.

Analysis

The ESET APT Activity Report for Q4 2024–Q1 2025 underscores a period of intense and sophisticated cyber espionage and financially motivated attacks orchestrated by state-aligned Advanced Persistent Threat (APT) groups.

China-aligned actors, notably Mustang Panda, DigitalRecyclers, PerplexedGoblin, and Webworm, persistently targeted European governmental and maritime entities using tools like Korplug loaders, malicious USBs, the KMA VPN network, and new backdoors such as NanoSlate, with some espionage operations potentially involving ransomware deployment for financial gain.

Iran-aligned groups, particularly MuddyWater, demonstrated high activity by leveraging Remote Monitoring and Management (RMM) software in spearphishing campaigns and collaborating with subgroups like Lyceum against Israeli manufacturing; BladedFeline revisited a telecom target in Uzbekistan, while CyberToufan executed destructive wiper attacks in Israel.

North Korea-aligned actors significantly focused on financially motivated campaigns, with DeceptiveDevelopment broadening its targeting of cryptocurrency, blockchain, and finance sectors using innovative social engineering and the WeaselStore malware, and the FBI attributing a USD 1.5 billion cryptocurrency theft from Bybit to TraderTraitor via a supply-chain compromise of Safe{Wallet}. Other North Korean groups like Kimsuky and Konni refocused on South Korean targets, and Andariel resurfaced targeting South Korean industrial software.

Russia-aligned actors, including Sednit and Gamaredon, maintained aggressive campaigns against Ukraine and EU countries, with Sednit exploiting zero-day vulnerabilities in webmail services like MDaemon Email Server (CVE-2024-11182) and RomCom deploying zero-days against Mozilla Firefox (CVE-2024-9680) and Microsoft Windows (CVE-2024-49039). Gamaredon remained highly prolific, enhancing malware obfuscation, while Sandworm intensified destructive operations against Ukrainian energy companies using a new wiper, ZEROLOT.

The report also notes activities from lesser-known groups and highlights the widespread use of shared espionage toolsets and sophisticated attack vectors, reflecting a challenging and dynamic threat landscape with significant geopolitical undertones.

Market Sentiment

Overall Sentiment: Negative
Sentiment Score: -0.30

Key Decisions for Investors

  • Given the escalating and sophisticated cyber threats from state-aligned actors detailed in the ESET report, investors should anticipate sustained, heightened demand for advanced cybersecurity solutions, particularly for companies specializing in threat intelligence, zero-day exploit detection, industrial control system security, and cryptocurrency security.
  • The report underscores significant geopolitical risks linked to cyber operations targeting specific sectors such as government, finance, energy, and telecommunications; therefore, rigorous due diligence on the cybersecurity posture, incident response capabilities, and software supply chain integrity of portfolio companies, especially those with operational exposure to frequently targeted regions like Europe, Ukraine, Israel, and South Korea, is crucial.
  • The substantial financial impact of incidents like the documented USD 1.5 billion Bybit cryptocurrency theft emphasizes the critical need for investors to meticulously evaluate the resilience of digital asset platforms and the security measures of companies handling sensitive data or operating critical infrastructure, factoring these risks into valuation and exposure management.