{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/smartoffice-crm/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Lazarus Group","HIDDEN COBRA","LABYRINTH CHOLLIMA","Diamond Sleet","Zinc"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Ivanti VPN appliances","axios","SmartOffice CRM"],"_cs_severities":["high"],"_cs_tags":["apt","espionage","supply-chain","wiper"],"_cs_type":"threat","_cs_vendors":["Ivanti","NPM","ESET"],"content_html":"\u003cp\u003eThe ESET APT Activity Report for Q4 2025 and Q1 2026 provides an overview of campaigns conducted by various APT groups. China-aligned actors targeted a Venezuelan governmental entity connected to maritime affairs and a Syrian governmental network, potentially reflecting economic and security interests. They also utilized the PhiliKit implant against Ivanti VPN appliances. Iran-aligned actors experienced a decline in activity, but proxy actors targeted Israel and the US. North Korea-aligned groups, including Lazarus and Andariel, targeted developers, the cryptocurrency ecosystem, and an engineering company in South Korea, attempting to spread Rook ransomware. Lazarus also compromised the axios JavaScript library in a supply chain attack. Russia-aligned actors focused on Ukraine, with Sandworm deploying wipers, including a data destruction incident affecting a Polish energy company. Additionally, lesser-known clusters conducted browser-in-the-browser phishing attacks and distributed Android spyware.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise (Lazarus - axios):\u003c/strong\u003e Lazarus Group compromised the credentials of the lead maintainer of the axios JavaScript library.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSupply Chain Injection (Lazarus - axios):\u003c/strong\u003e Using the compromised credentials, attackers published malicious versions of the axios library on the npm registry.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Code Distribution (Lazarus - axios):\u003c/strong\u003e The malicious versions of axios, containing trojanized code, were downloaded by users of the library.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTrojan Execution (Lazarus - axios):\u003c/strong\u003e The trojanized code injected malicious functionality into affected systems.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence (Andariel - TigerRAT):\u003c/strong\u003e Andariel deploys TigerRAT on the compromised system in South Korea.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement (Andariel - Rook):\u003c/strong\u003e Attempt to spread Rook ransomware within an engineering company.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Espionage (China-aligned groups):\u003c/strong\u003e China-aligned actors targeted Venezuelan and Syrian entities to gain visibility into maritime, energy, and political developments.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDestructive Activity (Sandworm):\u003c/strong\u003e Sandworm deploys wipers against governmental and private sector targets in Ukraine and a Polish energy company, aiming to disrupt operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe report highlights espionage, supply chain compromise, and destructive attacks. The compromise of the axios JavaScript library, with over 100 million weekly downloads on npm, could affect a large number of web and mobile applications. Destructive attacks by Sandworm against a Polish energy company, in a NATO member state, highlight the potential for impacting critical infrastructure. Lazarus targeting European drone manufacturers has potential supply chain implications as well as espionage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor npm registry activity for unexpected updates to critical JavaScript libraries, focusing on changes to axios (affected_products).\u003c/li\u003e\n\u003cli\u003eImplement integrity monitoring for commonly used JavaScript libraries within your web applications (affected_products, affected_vendors).\u003c/li\u003e\n\u003cli\u003eMonitor for network connections to unusual or suspicious destinations originating from systems using Ivanti VPN appliances to detect potential PhiliKit activity (affected_products).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule detecting TigerRAT execution to identify Andariel activity (rules).\u003c/li\u003e\n\u003cli\u003eReview and harden security practices for maintaining credentials used to publish software packages to public repositories such as npm (affected_vendors).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-29T06:10:12Z","date_published":"2026-05-29T06:10:12Z","id":"https://feed.craftedsignal.io/briefs/2026-05-eset-apt-q4-2025-q1-2026/","summary":"ESET's APT Activity Report for Q4 2025 and Q1 2026 highlights diverse campaigns by China, Iran, North Korea, and Russia-aligned threat actors, including espionage, supply chain compromise, and destructive attacks.","title":"ESET APT Activity Report Q4 2025–Q1 2026 Highlights Various Threat Actor Campaigns","url":"https://feed.craftedsignal.io/briefs/2026-05-eset-apt-q4-2025-q1-2026/"}],"language":"en","title":"CraftedSignal Threat Feed — SmartOffice CRM","version":"https://jsonfeed.org/version/1.1"}