
ESET APT Report Unveils Intensified Russian Cyberattacks on Ukraine
Gamaredon remained the most prolific actor targeting Ukraine, enhancing malware obfuscation and introducing PteroBox, a file stealer leveraging Dropbox. 'The infamous Sandworm group concentrated heavily on compromising Ukrainian energy infrastructure. In recent cases, it deployed the ZEROLOT wiper in Ukraine. For this, the attackers abused Active Directory Group Policy in the affected organizations,' says ESET Director of Threat Research Jean-Ian Boutin.
Sednit refined its exploitation of cross-site scripting vulnerabilities in webmail services, expanding Operation RoundPress from Roundcube to include Horde, MDaemon, and Zimbra. ESET discovered that the group successfully leveraged a zero-day vulnerability in MDaemon Email Server (CVE-2024-11182) against Ukrainian companies. Several Sednit attacks against defense companies located in Bulgaria and Ukraine used spearphishing email campaigns as a lure. Another Russia-aligned group, RomCom, demonstrated advanced capabilities by deploying zero-day exploits against Mozilla Firefox (CVE-2024-9680) and Microsoft Windows (CVE-2024-49039).
In Asia, China-aligned APT groups continued their campaigns against governmental and academic institutions. At the same time, North Korea-aligned threat actors significantly increased their operations directed at South Korea, placing particular emphasis on individuals, private companies, embassies, and diplomatic personnel. Mustang Panda remained the most active, targeting governmental institutions and maritime transportation companies via Korplug loaders and malicious USB drives. DigitalRecyclers continued targeting EU governmental entities, employing the KMA VPN anonymization network and deploying the RClient, HydroRShell, and GiftBox backdoors. PerplexedGoblin used its new espionage backdoor, which ESET named NanoSlate, against a Central European government entity, while Webworm targeted a Serbian government organization using SoftEther VPN, emphasizing the continued popularity of this tool among China-aligned groups.
Elsewhere in Asia, North Korea-aligned threat actors were particularly active in financially motivated campaigns. DeceptiveDevelopment significantly broadened its targeting, using fake job listings primarily within the cryptocurrency, blockchain, and finance sectors. The group employed innovative social engineering techniques to distribute the multiplatform WeaselStore malware. The Bybit cryptocurrency theft, attributed by the FBI to TraderTraitor APT group, involved a supply-chain compromise of Safe{Wallet} that caused losses of approximately USD 1.5 billion. Meanwhile, other North Korea-aligned groups saw fluctuations in their operational tempo: In early 2025, Kimsuky and Konni returned to their usual activity levels after a noticeable decline at the end of 2024, shifting their targeting away from English-speaking think tanks, NGOs, and North Korea experts to focus primarily on South Korean entities and diplomatic personnel; and Andariel resurfaced, after a year of inactivity, with a sophisticated attack against a South Korean industrial software company.
Iran-aligned APT groups maintained their primary focus on the Middle East region, predominantly targeting governmental organizations and entities within the manufacturing and engineering sectors in Israel. Additionally, ESET observed a significant global uptick in cyberattacks against technology companies, largely attributed to increased activity by North Korea-aligned DeceptiveDevelopment.
'The highlighted operations are representative of the broader threat landscape that we investigated during this period. They illustrate the key trends and developments, and contain only a small fraction of the cybersecurity intelligence data provided to customers of ESET APT reports,' adds Boutin.
Intelligence shared in the private reports is primarily based on proprietary ESET telemetry data and has been verified by ESET researchers, who prepare in-depth technical reports and frequent activity updates detailing activities of specific APT groups. These threat intelligence analyses, known as ESET APT Reports PREMIUM, assist organizations tasked with protecting citizens, critical national infrastructure, and high-value assets from criminal and nation-state-directed cyberattacks. More information about ESET APT Reports PREMIUM and its delivery of high-quality, actionable tactical and strategic cybersecurity threat intelligence is available at the ESET Threat Intelligence page.
Related Articles


Gulf Today, 6 hours ago
Ukraine hits Russian oil facilities, military airfield
Ukraine's military said on Saturday that it had struck oil facilities inside Russia, including a major refinery as well as a military airfield for drones and an electronics factory. In a statement on Telegram, Ukraine's Unmanned Systems Forces said they had hit the oil refinery in Ryazan, about 180 km southeast of Moscow, causing a fire on its premises. Also hit, the USF said, was the Annanefteprodukt oil storage facility in the Voronezh region that borders on northeastern Ukraine. The statement did not specify how the facilities were hit, but the USF specialises in drone warfare, including long-range strikes. There was no immediate comment from Russia on the reported attacks on its infrastructure sites.

Separately, Ukraine's SBU intelligence agency said its drones had hit Russia's Primorsko-Akhtarsk military airfield, which has been used to launch waves of long-range drones at targets in Ukraine. The SBU said it also hit a factory in Penza that it said supplies Russia's military-industrial complex with electronics. At the start of Russia's full-scale invasion in 2022, Ukraine had no response to Moscow's vast long-range strike capacity, but it has since built up a fleet of long-range kamikaze drones able to carry explosive warheads for many hundreds of kilometres.

Russia's defence ministry said in its daily report that its defence units had downed a total of 338 Ukrainian drones overnight. Its reports do not say how many Ukrainian drones were launched at any given time. For its part, Ukraine's air force said it had downed 45 of 53 Russian drones launched towards its territory overnight. On Ukraine's eastern battlefront, Russia's defence ministry said, Russian forces had captured the village of Oleksandro-Kalynove in the Donetsk region on Saturday. Reuters could not immediately verify the battlefield report. Russian forces now control almost 20% of Ukraine in its east and south after three-and-a-half years of grinding war.

Meanwhile, Ukrainian authorities said that they had arrested several politicians in connection with a 'large-scale corruption scheme' in the defence sector, shortly after an uproar over the independence of anti-graft bodies. A law passed at the end of July stripped the National Anti-Corruption Agency (NABU) and the Specialised Anti-Corruption Prosecutor's Office (SAP) of their independence and placed them under the supervision of the Prosecutor General, himself appointed by the head of state. President Volodymyr Zelensky on Thursday backtracked and restored the bodies' independence following an outcry from the country's allies and the first anti-government street demonstrations since the Russian invasion in 2022.

The NABU said on Saturday that it and the SAP had exposed 'a scheme for the systematic misappropriation of budget funds allocated by local authorities for the needs of the defence forces, as well as the receipt and provision of unlawful benefits on an especially large scale.' It said the scheme involved inflating prices for electronic warfare and drone equipment, and then funnelling off 30 per cent of the contract amounts. The suspects include a member of parliament, heads of district and city administrations, members of the National Guard, and executives at defence companies. The NABU said it has made four arrests so far but did not identify those detained. The interior ministry said it had suspended the suspected members of the National Guard.

Zelensky said in a statement: 'I am grateful to the anti-corruption agencies for their work. It is important that anti-corruption institutions operate independently, and the law passed on Thursday guarantees them all the tools necessary for a real fight against corruption.' The president initially said he needed to bring the NABU and the SAP under his control because they were inefficient and under 'Russian influence.'

But he did an about-face when confronted with the outcry, the first serious political crisis since he took office six years ago. Several cases of corruption, an endemic problem in the country, have been exposed within the armed forces and the defence ministry during the war with Russia. Agencies


Crypto Insight, 11 hours ago
China's crypto liquidation plans reveal its grand strategy
Opinion by: Joshua Chu, co-chair of the Hong Kong Web3 Association

Last week's announcement of Hong Kong's LEAP Digital Assets Policy Statement 2.0 was made with much anticipation and fanfare. The government of Hong Kong promised a comprehensive regulatory framework that will unify licensing and 'expand the suite of tokenised products.' Yet beneath the hype and visible maneuvers lies a far more consequential move: the announcement by Beijing (the world's second-largest holder of crypto) of its intention to liquidate confiscated virtual currencies through Hong Kong's licensed exchanges. These events, while seemingly separate, are actually components of a carefully orchestrated strategy by China, designed to position Hong Kong as the dominant virtual asset hub and China's strategic market operator.

A strategy of convergence: Hong Kong is poised to become the region's virtual asset hub. Still, it will also serve as the linchpin of China's global ambitions: a crypto hedge, a market price vehicle and a forward command post for PRC crypto liquidity.

Regulatory foundations

On the surface, Hong Kong's LEAP policy appears to be all the headlines. A proper understanding of strategy, however, demands looking beyond the surface. The true power of these policy decisions lies in the liquidity injection that China's crypto-liquidation decision will invariably create. This instrument will simultaneously grant Hong Kong unprecedented influence over global virtual asset markets.

The foundation of Hong Kong's regulatory framework can be traced back to 2022 with the passage of the Amendment of the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO), which, after the Securities and Futures Commission had the opportunity to gain sufficient experience under the previous opt-in regime, formally brought virtual asset trading platforms (VATPs) under its remit via the AMLO mandatory licensing regime. This critical move secured alignment with Financial Action Task Force (FATF) standards and became the first cornerstone legislation for virtual assets.

The next critical piece of legislation was the Stablecoin Ordinance, set to commence on Aug. 1, 2025, establishing a dedicated licensing regime for fiat-referenced stablecoin issuers. The Hong Kong Monetary Authority (HKMA) oversees this regime, mandating one-to-one reserves, robust redemption mechanisms and rigorous risk controls. In June 2025, the introduction of the LEAP Digital Assets Policy Statement 2.0 further developed Hong Kong's framework. LEAP unifies licensing, expands the suite of tokenized products and advances use cases of cross-sector collaboration and talent development. Going beyond FATF-directed regulatory tinkering, LEAP aspires to be the architecture that will 'scale Hong Kong to new heights of global digital asset leadership' and signal Hong Kong's readiness to embrace the future of digital assets.

Laws and regulations alone cannot, however, command markets. It is liquidity that will decide the day. China's decision to channel confiscated digital assets through Hong Kong's licensed VATPs will strategically inject real, tangible liquidity into the ecosystem. This is no longer an FATF compliance checklist exercise — it is a strategic lever. Through enabling controlled liquidation, Hong Kong stands to become a market price vehicle capable of rapidly modulating supply and demand, another key driving factor of virtual asset value.

Liquidity as a weapon

Liquidity is the lifeblood of any market. Without liquidity, even the most sophisticated market will falter. Just look at the London Stock Exchange. Under China's grand strategy, unlike the United States, which holds a vast Strategic Bitcoin Reserve under a rigid 'hold-only' policy, the liquidity injected into Hong Kong's exchanges will actively convert seized assets into market liquidity. This setup will grant Hong Kong — and by extension China — the ability to influence price, stabilize markets and respond to geopolitical pressures as it sees fit. Just as control of rare earth metals gave China all the cards in the latest rounds of trade negotiation with the US, so too will control over crypto liquidity, effectively controlling the value of the US's newly minted crypto reserve. This is a subtle, yet profound, shift in the balance of power. For a single nation to control liquidity flows is to control market narratives and outcomes.

Implications and countermeasures

This grand strategy fundamentally alters the balance of power within the cryptosphere. Hong Kong will have a decisive advantage in absorbing institutional capital and deepening market liquidity, leveraging its unique position as the conduit for the PRC's crypto liquidation moves. At the same time, by scaling 'Hong Kong to new heights of global digital asset leadership,' China will have a powerful geopolitical tool in its hands, able to control global cryptocurrency valuations through calculated market liquidity management. Meanwhile, the US will face a strategic dilemma: Should it continue with a passive crypto stockpile with limited or no market influence? Or should the US consider new mechanisms to counterbalance Hong Kong's growing control over crypto liquidity?

Understanding the dynamic in this interplay is important for market participants, lawyers, risk practitioners and lawmakers. After all, compliance frameworks must be adjusted to address increased scrutiny and risks associated with liquidity-driven market movements. Likewise, risk management strategies anticipating volatility stemming from strategic liquidity flows, and a keen understanding of how liquidity control will shape market narratives and outcomes, are key. The key to the Web3 markets is therefore liquidity and information.

While Hong Kong's LEAP policy garners all the media attention, the true chess move lies in China's crypto liquidation and injection policy. This injection will turn Hong Kong into a dynamic market price vehicle, capable of wielding liquidity as a weapon that few jurisdictions can match. Contrast this with the US, which is constrained by a rigid 'hold-only' reserve policy and lacks the flexibility to influence market liquidity or respond effectively to price volatility. Singapore, despite a mature regulatory framework, faces limitations in market scale, and Dubai, though ambitious, struggles with fragmented regulatory remits and high operational costs that hinder rapid scaling. Hong Kong 'holds all the cards.' Only this time, China is also making all the liquidity cards. As such, the city's unique combination of a mature regulatory framework, direct access to the world's second-largest crypto holdings and the ability to deploy such liquidity strategically at its discretion grants it an unparalleled high ground in the Web3 ecosystem. Hong Kong can modulate global crypto prices in real time, attract institutional capital and foster innovation within a stable, investor-friendly environment. Liquidity is the ultimate leverage in this contest, and Hong Kong holds the switch. Understanding this layered strategy is essential for those who seek to navigate the rapidly evolving digital asset landscape with clarity and foresight. Those who fail will find themselves outmaneuvered.


Zawya, 16 hours ago
Kaspersky discovered cyberattacks that sourced information from GitHub, Quora and social networks to target organizations
Kaspersky detected a complex attack sequence that involved retrieving information from legitimate services such as GitHub, Microsoft Learn Challenge, Quora, and social networks. The attackers did this to avoid detection and run an execution chain to launch Cobalt Strike Beacon, a tool to remotely control computers, execute commands, steal data, and maintain persistent access within a network. The attacks were detected in the second half of 2024 in organizations across China, Japan, Malaysia, Peru and Russia, and persisted into 2025. The majority of victims were large to medium-sized businesses.

To infiltrate victims' devices, the attackers sent spear phishing emails which were disguised as legitimate communications from major state-owned companies, particularly within the oil and gas sector. The text was phrased to look like there was interest in the products and services of the victim organization, to convince the recipient to open the malicious attachment. The attachment was an archive with what looked like PDF files containing requirements for the requested products and services – but in fact some of these PDFs were executable EXE and DLL files containing malware. The attackers leveraged DLL hijacking techniques and exploited the legitimate Crash reporting Send Utility, which is originally designed to help developers get detailed, real-time crash reports for their applications.

To function, the malware also retrieved and downloaded code that was stored in public profiles on popular legitimate platforms to avoid detection. Kaspersky found this code encrypted inside profiles on GitHub, and links to it (also encrypted) on other GitHub profiles, Microsoft Learn Challenge, Q&A websites, and even Russian social media platforms. All of these profiles and pages were created specifically for this attack. After the malicious code was executed on victims' machines, Cobalt Strike Beacon was launched, and the victims' systems were compromised.
'While we didn't find any evidence of the attackers using real people's social media profiles, as all the accounts were created specifically for this attack, there's nothing stopping the threat actor from abusing various mechanisms these platforms provide. For instance, malicious content strings could be posted in comments on legitimate users' posts. Threat actors are using increasingly complex methods to conceal long-known tools, and it's important to stay up to date with the latest threat intelligence to be protected from such attacks,' comments Maxim Starodubov, Malware Analyst Team Lead at Kaspersky.

The method used to retrieve the download address for the malicious code is similar to what was observed in the EastWind campaign linked to Chinese-speaking actors.

Kaspersky recommends that organizations follow these security guidelines to stay safe:
- Track the status of digital infrastructure and continuously monitor the perimeter.
- Use proven security solutions to detect and block malware embedded within bulk email.
- Train staff to increase cybersecurity awareness.
- Secure corporate devices with a comprehensive system, such as Kaspersky Next, that detects and blocks attacks in the early stages.

About Kaspersky
Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky's deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect individuals, businesses, critical infrastructure, and governments around the globe. The company's comprehensive security portfolio includes leading digital life protection for personal devices, specialized security products and services for companies, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help millions of individuals and over 200,000 corporate clients protect what matters most to them. Learn more at
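As an added example that is not part of the Kaspersky write-up, the detector below correlates the three traits the article describes for this chain (an executable run from an archive-extracted user-writable location, a DLL sideloaded from that same directory, and an outbound connection to a public profile host used as a dead drop) over constructed endpoint telemetry. The event schema, the directory heuristics and the host list are assumptions made for the example.

```python
# Added example (not from the Kaspersky write-up); event format, paths and hosts are assumptions.
from collections import defaultdict
from dataclasses import dataclass

SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")
# Public platforms of the kind the write-up names as hosts of the encrypted download address.
DEAD_DROP_HOSTS = {"github.com", "raw.githubusercontent.com", "quora.com",
                   "learn.microsoft.com", "vk.com"}

@dataclass(frozen=True)
class Event:
    ts: int      # sequence number
    pid: int
    kind: str    # "process" (start), "imageload" (DLL mapped) or "network" (outbound)
    image: str   # path of the process executable
    detail: str  # DLL path for imageload, remote host for network, "" otherwise

def _matches(path, prefixes):
    p = path.lower()
    return any(x in p for x in prefixes)

def _dirname(path):
    return path.lower().rsplit("\\", 1)[0]

def find_sideload_chains(events):
    """One alert per process that started from a user-writable directory, loaded a
    DLL from that same directory (sideloading) and then contacted a dead-drop host."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e.pid].append(e)
    alerts = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e.ts)
        image = evs[0].image
        if _matches(image, SYSTEM_DIRS) or not _matches(image, USER_WRITABLE):
            continue  # tools run from their install path are out of scope here
        exe_dir = _dirname(image)
        dlls = [e.detail for e in evs
                if e.kind == "imageload" and _dirname(e.detail) == exe_dir]
        hosts = [e.detail.lower() for e in evs
                 if e.kind == "network" and e.detail.lower() in DEAD_DROP_HOSTS]
        if dlls and hosts:
            alerts.append({"pid": pid, "image": image, "dlls": dlls, "hosts": hosts})
    return alerts

# Constructed sample: pid 100 is the "PDF" that is really an EXE plus its sideloaded
# DLL; pid 200 is a browser in Program Files; pid 300 sideloads but never phones home.
T = "C:\\Users\\a\\AppData\\Local\\Temp\\offer\\"
EXE, TOOL = T + "requirements.pdf.exe", "C:\\Users\\a\\Downloads\\tool\\tool.exe"
SAMPLE_EVENTS = [
    Event(1, 100, "process", EXE, ""),
    Event(2, 100, "imageload", EXE, "C:\\Windows\\System32\\kernel32.dll"),
    Event(3, 100, "imageload", EXE, T + "helper.dll"),
    Event(4, 100, "network", EXE, "github.com"),
    Event(5, 100, "network", EXE, "quora.com"),
    Event(6, 200, "process", "C:\\Program Files\\Browser\\browser.exe", ""),
    Event(7, 200, "network", "C:\\Program Files\\Browser\\browser.exe", "github.com"),
    Event(8, 300, "process", TOOL, ""),
    Event(9, 300, "imageload", TOOL, "C:\\Users\\a\\Downloads\\tool\\x.dll"),
]
```

Running `find_sideload_chains(SAMPLE_EVENTS)` flags only pid 100; the browser and the tool that never contacts a dead-drop host produce no alert, which is the point of requiring all three traits together.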