ESET APT Activity Report Q4 2025–Q1 2026

2026-05-28, ESET
https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-apt-activity-report-q4-2025-q1-2026.pdf
eset-apt-activity-report-q4-2025-q1-2026.pdf, 1.6 MB
#Andariel #DangerousPassword #DeceptiveDevelopment #DreamJob #Rook #ScarCruft

Contents

APT Activity
Report
CONFLICT-INFORMED ESPIONAGE:
MONITORING OIL SHIPMENTS, TARGETING DRONE MAKERS
October 2025 – March 2026


ESET APT ACTIVITY REPORT

OCTOBER 2025 - MARCH 2026 | 2

Contents
Executive summary 3
Attackers and targets 5
China 7
SteppeDriver: From Mongolia to Syria 8
PhiliKit, a new implant in UNC5221's SPAWN toolset 9
NegativeGlimmer compromises governmental organizations and an AI and robotics company 9
Iran 11
Rusty Boots 12
MoKhargosh 13
MOØN Badr 13
North Korea 14
Andariel deploys Rook ransomware in South Korea 15
Operation DreamJob 16
Operation DangerousPassword and the axios supply-chain attack 16
From fake recruiters to trusted code editors: DeceptiveDevelopment updates its tradecraft 17
ScarCruft targets Yanbian in a multiplatform supply-chain attack 18
Russia 19
Sednit 20
Sandworm 21
Data-wiping attack against an energy company in Poland 22
Other 23
Browser-in-the-browser phishing attack against a Japanese think tank 24
Asin Android spyware 25
SmartOffice CRM abused to compromise a defense company in the UAE 26
About ESET 28


ESET APT ACTIVITY REPORT

Executive summary

Attackers and targets

China

Iran

North Korea

Russia

Other

About ESET

OCTOBER 2025 - MARCH 2026 | 3

Executive summary
Welcome to the latest issue of the ESET APT Activity Report! This report summarizes notable activities of selected advanced persistent threat (APT) …

SteppeDriver targeting a Syrian governmental network, activity

and hacktivist actors targeting Israel, the United States, and

IoC
