ctipilot.ch

ESET APT Activity Report Q4 2025–Q1 2026

report · report:eset-apt-activity-report-q4-2025-q1-2026-sandworm-lazarus

Coverage timeline: 2 entries, first 2026-05-25 → last 2026-05-30
Entries: 2 (2 distinct days)
Sources cited: 3 (3 hosts)
Sections touched: 2 (research, weekly-annual-reports)
Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-05-30 (research): ESET APT Activity Report Q4 2025–Q1 2026: Sandworm strikes NATO energy, Lazarus targets EU drone sector, UNC5221 pivots to Ivanti SPAWN toolset
  2. 2026-05-25 (weekly-annual-reports): ESET APT Activity Report Q4 2025–Q1 2026 — three state programmes converging on EU energy, defence and edge appliances

Where this entity is cited

  • weekly-annual-reports (1)
  • research (1)

Source distribution

  • cisa.gov: 1 (33%)
  • infosecurity-magazine.com: 1 (33%)
  • welivesecurity.com: 1 (33%)

Entries about ESET APT Activity Report Q4 2025–Q1 2026 (2)

2026-05-30

ESET APT Activity Report Q4 2025–Q1 2026: Sandworm strikes NATO energy, Lazarus targets EU drone sector, UNC5221 pivots to Ivanti SPAWN toolset

high · annual-report · discovered 2026-05-30 05:00 UTC

ESET published its APT Activity Report covering October 2025 through March 2026 on 28 May 2026 (ESET WeLiveSecurity, 2026-05-28). EU- and NATO-relevant findings for public-sector defenders:

Sandworm (Russia/GRU) intensified destructive winter operations against Ukrainian infrastructure and targeted a Polish energy company in December 2025, a critical-infrastructure attack on a NATO member state attributed with medium confidence; it shows Sandworm's continued willingness to conduct wiper operations beyond Ukraine's borders. Sednit/APT28 deployed the Covenant and BeardShell implants against the Ukrainian military, drone manufacturers and logistics companies. Lazarus Group ran Operation DreamJob against European drone manufacturers, which ESET assesses as technology acquisition for North Korea's weapons programme. Operation DangerousPassword compromised the axios JavaScript library (100+ million weekly npm downloads) by injecting trojanised code, demonstrating North Korea's continuing supply-chain interest in the developer ecosystem. UNC5221 (China-nexus) deployed a new implant assessed as part of the SPAWN toolset, specifically targeting Ivanti VPN appliances (Connect Secure, Policy Secure); organisations running unpatched Ivanti VPN appliances should audit for SPAWN toolset artefacts, including the SPAWNANT installer, SPAWNMOLE tunneller, SPAWNSNAIL SSH backdoor and SPAWNSLOTH log-tampering utility.

The report PDF is available at https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-apt-activity-report-q4-2025-q1-2026.pdf.

Key defender actions:
  • (a) confirm Sandworm wiper detection capability (file destruction followed by MBR/VBR overwrite patterns, VSS deletion);
  • (b) review Ivanti VPN logs for SPAWN footprints per CISA AA24-060A indicators;
  • (c) audit npm dependency trees for axios versions <1.8.0 or 0.x released after the DangerousPassword campaign window.
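As an added example (not code from the ESET report or from this entry), a Node script that walks an npm lockfile and flags axios installs in the version ranges action (c) names, including copies nested under other packages. The lockfile content is constructed sample input, and the 0.x / below-1.8.0 threshold is taken from the entry above rather than verified independently.

```javascript
// Added example, not code from the ESET report or the ctipilot entry: audit an
// npm lockfile for axios installs in the ranges action (c) names (any 0.x, or
// 1.x below 1.8.0), including nested copies under other packages' node_modules.
const SAMPLE_LOCK = JSON.stringify({ // constructed lockfileVersion 3 sample
  name: "demo-app", lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "^1.7.0" } },
    "node_modules/axios": { version: "1.7.9" },
    "node_modules/legacy-sdk": { version: "2.0.0", dependencies: { axios: "^0.21.0" } },
    "node_modules/legacy-sdk/node_modules/axios": { version: "0.21.4" },
    "node_modules/fresh-tool/node_modules/axios": { version: "1.8.2" },
  },
});

// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffixes ignored) into numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

// Version predicate from the entry: 0.x, or 1.x below 1.8.0. An unparseable
// version is flagged so a reviewer looks at it instead of it being skipped.
function isFlaggedAxios(version) {
  const p = parseVersion(version);
  if (!p) return true;
  return p[0] === 0 || (p[0] === 1 && p[1] < 8);
}

// lockfileVersion 1 nests the tree under "dependencies"; flatten it to the same
// [installPath, metadata] pairs that v2/v3 list directly under "packages".
function flattenV1(deps, prefix, out) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    out.push([path, meta]);
    flattenV1(meta.dependencies, `${path}/`, out);
  }
  return out;
}

// Return every axios install path whose version matches the flag predicate.
function auditLockfile(lockText) {
  const lock = JSON.parse(lockText);
  const entries = lock.packages ? Object.entries(lock.packages) : flattenV1(lock.dependencies, "", []);
  return entries
    .filter(([path, meta]) => /(^|\/)node_modules\/axios$/.test(path) && isFlaggedAxios(meta.version))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

for (const f of auditLockfile(SAMPLE_LOCK)) console.log(`review: ${f.path} @ ${f.version}`);
```

Run it against a real package-lock.json by replacing SAMPLE_LOCK with the file's contents; the 1.8.2 copy in the sample is deliberately left unflagged to show the boundary.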

nation-state · espionage · supply-chain · russia-nexus · north-korea-nexus · china-nexus · europe · global

2026-05-25

ESET APT Activity Report Q4 2025–Q1 2026 — three state programmes converging on EU energy, defence and edge appliances

notable · annual-report · discovered 2026-05-25 05:00 UTC

ESET's APT Activity Report covering Q4 2025–Q1 2026 landed mid-window (first covered 2026-05-30). The daily recapped the headline findings: a rare out-of-Ukraine Sandworm destructive incident (a medium-confidence December 2025 attack on a single Polish energy company), Lazarus targeting the EU drone/defence sector, and UNC5221 pivoting to the Ivanti SPAWN toolset.

The synthesis a daily reader could not see from those three bullets is that they are the same story told by three different state programmes: Russia-, North Korea- and China-nexus operators are independently converging on (a) European energy and defence-industrial-base supply chains as the target set (Sandworm's move against a Polish energy target is notable precisely because the operator rarely acts destructively outside Ukraine) and (b) internet-facing edge appliances (Ivanti) as the entry vector. For a Swiss or European public-sector SOC the implication is a prioritisation argument rather than a new IOC list: edge-appliance patch SLAs and defence-supplier third-party-risk review are where all three programmes are applying pressure simultaneously, so they should outrank generic campaign awareness in the next planning cycle. The report reinforces, with cross-actor telemetry, the structural shift the W21 Verizon DBIR and Rapid7 reports flagged: exploitation of exposed software as the dominant access vector.

nation-state · espionage · supply-chain · russia-nexus · north-korea-nexus · china-nexus · europe · global