lazarusholic

ESET APT Activity Report Q4 2024–Q1 2025

2025-05-19, ESET
https://www.welivesecurity.com/en/eset-research/eset-apt-activity-report-q4-2024-q1-2025/
eset-apt-activity-report-q4-2024-q1-2025.pdf, 1.4 MB
#Bybit #DeceptiveDevelopment #Kimsuky #Konni #Trend

Contents

ESET APT Activity Report Q4 2024–Q1 2025 summarizes notable activities of selected advanced persistent threat (APT) groups that were documented by ESET researchers from October 2024 until the end of March 2025. The highlighted operations are representative of the broader landscape of threats we investigated during this period, illustrating the key trends and developments, and contain only a fraction of the cybersecurity intelligence data provided to customers of ESET’s private APT reports.
During the monitored period, China-aligned threat actors continued engaging in persistent espionage campaigns with a focus on European organizations. Mustang Panda remained the most active, targeting governmental institutions and maritime transportation companies via Korplug loaders and malicious USB drives. DigitalRecyclers continued targeting EU governmental entities, employing the KMA VPN anonymization network and deploying the RClient, HydroRShell, and GiftBox backdoors. PerplexedGoblin used its new espionage backdoor, which we named NanoSlate, against a Central European government entity, while Webworm targeted a …