ESET APT Report

Q2 2025 – Q3 2025

A comprehensive overview of global APT activity, uncovered through ESET telemetry and expert analysis from ESET’s leading threat researchers.

Key APT Activity

China-aligned espionage pivots to Latin America

Globally, China-linked APT groups continued to advance Beijing’s geopolitical objectives. FamousSparrow hit multiple Latin American governmental entities, while others like Mustang Panda, Flax Typhoon and Speccom targeted several critical sectors worldwide.

Russia-linked ops intensify against Ukraine and EU allies

In Ukraine, Gamaredon drove espionage while Sandworm ran destructive wiper attacks against the government, energy, logistics, and grain sectors. Across the rest of Europe, spearphishing surged.

Evolving methods boost Iran-aligned campaigns

MuddyWater succeeded with internal spearphishing across the globe; other Iran-linked groups upgraded their infrastructure and capabilities, with victims in Israel and Greece as primary targets.

North Korean APT groups expand their reach

North Korea-aligned APTs targeted the cryptocurrency sector and have notably expanded their operations into countries like Uzbekistan. Espionage also remains a major goal for groups like Kimsuky and ScarCruft.

Explore our service

Actionable Threat Intelligence For Your SOC Teams

Enrich your cyber threat intelligence (CTI) strategy with actionable insights to fortify your organization's defense systems effectively.

Frequently asked questions

What can I learn from the ESET APT Activity Report?

The ESET APT Activity Report provides an expert-led analysis of notable activities conducted by advanced persistent threat (APT) groups. It offers a snapshot of the global threat landscape, based on ESET telemetry and original research.

How often is the ESET APT Activity Report published?

The report is published biannually, providing insights into APT activity and trends across two distinct six-month periods each year.

What regions does the ESET APT Activity Report cover?

The report highlights APT campaigns and threat activity affecting regions around the globe, with a focus on key geopolitical hot spots. Coverage reflects where ESET researchers observed significant operations during the reporting period.

How does ESET collect the data represented in the reports?

The findings are based on proprietary ESET telemetry, expert analysis, and real-world investigations conducted by ESET’s global network of threat researchers. Other sources used in the reports’ analyses may include honeypots and external security feeds as well as data from other cybersecurity vendors. All intelligence shared is carefully verified before publication.

What is unique about ESET APT Activity Reports when compared with those of other cybersecurity providers?

ESET APT Activity Reports offer in-depth analyses of the global threat landscape, enriched with comments and recommendations by ESET’s diverse team of cybersecurity specialists – many of whom are frequent speakers at prestigious industry conferences, like RSA, Black Hat, and Virus Bulletin, and renowned for their expertise.

With ESET’s R&D centers spanning Europe, Asia, and North America, ESET’s analysts provide around-the-clock coverage, leveraging diverse time zones and locations to address the evolving threat landscape.

How does the ESET APT Activity Report differ from the ESET Threat Report?

ESET APT Activity Reports provide an overview of the activities of selected advanced persistent threat (APT) groups investigated and analyzed by ESET Research within the reporting period. APT groups are typically highly sophisticated threat actors, often backed by nation states, engaging in targeted cyberattacks and espionage. In contrast, the threat reports focus on widespread cyberthreats – so-called crimeware – that typically aren’t targeted in nature and thus can affect anyone.

What kind of threat activity is included?

The report focuses on documented campaigns by threat actors in key geopolitical hot spots around the globe. It includes espionage campaigns, financially motivated attacks, destructive operations, and exploitation of zero-day vulnerabilities.

Who is this report intended for?

The report is intended for cybersecurity professionals, threat analysts, decision-makers in IT and security, and anyone interested in understanding the evolving tactics, techniques, and procedures (TTPs) of global threat actors.