high threat

ESET APT Activity Report Q4 2025–Q1 2026 Highlights Various Threat Actor Campaigns

ESET's APT Activity Report for Q4 2025 and Q1 2026 highlights diverse campaigns by China, Iran, North Korea, and Russia-aligned threat actors, including espionage, supply chain compromise, and destructive attacks.

The ESET APT Activity Report for Q4 2025 and Q1 2026 provides an overview of campaigns conducted by various APT groups. China-aligned actors targeted a Venezuelan governmental entity connected to maritime affairs and a Syrian governmental network, potentially reflecting economic and security interests. They also utilized the PhiliKit implant against Ivanti VPN appliances. Iran-aligned actors experienced a decline in activity, but proxy actors targeted Israel and the US. North Korea-aligned groups, including Lazarus and Andariel, targeted developers, the cryptocurrency ecosystem, and an engineering company in South Korea, attempting to spread Rook ransomware. Lazarus also compromised the axios JavaScript library in a supply chain attack. Russia-aligned actors focused on Ukraine, with Sandworm deploying wipers, including a data destruction incident affecting a Polish energy company. Additionally, lesser-known clusters conducted browser-in-the-browser phishing attacks and distributed Android spyware.

Attack Chain

  1. Initial Compromise (Lazarus - axios): Lazarus Group compromised the credentials of the lead maintainer of the axios JavaScript library.
  2. Supply Chain Injection (Lazarus - axios): Using the compromised credentials, attackers published malicious versions of the axios library on the npm registry.
  3. Malicious Code Distribution (Lazarus - axios): The malicious versions of axios, containing trojanized code, were downloaded by users of the library.
  4. Trojan Execution (Lazarus - axios): The trojanized code injected malicious functionality into affected systems.
  5. Persistence (Andariel - TigerRAT): Andariel deploys TigerRAT on the compromised system in South Korea.
  6. Lateral Movement (Andariel - Rook): Attempt to spread Rook ransomware within an engineering company.
  7. Data Exfiltration/Espionage (China-aligned groups): China-aligned actors targeted Venezuelan and Syrian entities to gain visibility into maritime, energy, and political developments.
  8. Destructive Activity (Sandworm): Sandworm deploys wipers against governmental and private sector targets in Ukraine and a Polish energy company, aiming to disrupt operations.

Impact

The report highlights espionage, supply chain compromise, and destructive attacks. The compromise of the axios JavaScript library, with over 100 million weekly downloads on npm, could affect a large number of web and mobile applications. Sandworm's destructive attack on an energy company in Poland, a NATO member, highlights the potential for impact on critical infrastructure. Lazarus targeting European drone manufacturers carries both espionage and supply chain implications.

Recommendation

  • Monitor npm registry activity for unexpected updates to critical JavaScript libraries, focusing on changes to axios.
  • Implement integrity monitoring for commonly used JavaScript libraries within your web applications.
  • Monitor for network connections to unusual or suspicious destinations originating from systems using Ivanti VPN appliances to detect potential PhiliKit activity.
  • Deploy the Sigma rule detecting TigerRAT execution to identify Andariel activity.
  • Review and harden security practices for maintaining credentials used to publish software packages to public repositories such as npm.

Detection coverage

Detect TigerRAT Execution

high

Detects execution of TigerRAT, a remote access tool used by Andariel APT

Sigma rule. Tactics: remote_access. Techniques: T1219. Sources: process_creation, windows.

Detect Malicious NPM Publish

medium

Detects attempts to publish a package with malicious code to NPM

Sigma rule. Tactics: supply_chain. Techniques: T1195. Sources: process_creation, linux.
