lazarusholic

Rook Ransomware

#Rook

Summary

In March 2026, ESET observed Andariel deploy TigerRAT on a host at a South Korean engineering company and attempt to spread Rook ransomware variants across multiple network endpoints, the first Andariel-attributed activity in ESET telemetry in two years. The victim manufactures high-end industrial equipment reportedly used in handling liquid hydrogen (a known rocket fuel) and in the nuclear industry, both of clear interest to the DPRK's ballistic and nuclear programs. ESET assesses that the primary objective was strategic technology theft, with Rook likely deployed as a secondary component to distract defenders and opportunistically generate revenue to fund operations.

Reports