ESET

ESET's APT Activity Report for Q4 2025 and Q1 2026 highlights diverse campaigns by China, Iran, North Korea, and Russia-aligned threat actors, including espionage, supply chain compromise, and destructive attacks.

Fake FIFA World Cup websites are impersonating official ticket and merchandise sales to steal money and personal data from soccer fans through deceptive registration and payment processes.

The APT37 group (ScarCruft) is distributing an Android version of the BirdCall backdoor via a supply-chain attack targeting a Chinese video game platform, sqgame[.]net, to collect sensitive information from users.

Adversaries may add malicious Windows Filtering Platform (WFP) rules to prevent endpoint security solutions from sending telemetry data, impairing defenses, which this rule detects by identifying multiple WFP block events where the process name is associated with endpoint security software.

Adversaries may establish persistence by abusing the Windows Installer (msiexec.exe) to create scheduled tasks or modify registry run keys, allowing for malicious code execution upon system startup or user logon.

Analysis of Mac malware from 2016 including KeRanger ransomware, Keydnap backdoor and credential stealer, and the Eleanor PHP-based backdoor, highlighting their infection vectors and persistence mechanisms.

This rule detects a network logon followed by Windows service creation with the same LogonId on a Windows host, which could indicate lateral movement or persistence by adversaries.

Attackers can modify the Windows registry via AppLocker to block the execution of security software, potentially disabling defenses and allowing further malicious activities.

Detection of remote execution of Windows services over RPC by correlating `services.exe` network connections and spawned child processes, potentially indicating lateral movement.