Russian APT Groups Escalate Attacks in Europe Utilizing Zero-Day Exploits


The end of 2024 and the onset of 2025 witnessed a notable escalation in malicious cyber activities conducted by Russian-aligned hacking groups, as reported by ESET.

In its APT Activity Report for Q4 2024–Q1 2025, ESET Research cataloged the actions of several major advanced persistent threat (APT) groups from various nations, including China, North Korea, Iran, and Russia, during the period from October 2024 to March 2025. The findings indicated a significant increase in attacks by Russian APT groups directed towards Ukraine and European Union countries, characterized by the exploitation of zero-day vulnerabilities and the deployment of sophisticated wipers.

Among Asia-based actors, China-aligned groups, responsible for a substantial 40.1% of APT campaigns, continued their espionage efforts, primarily focusing on government entities and the maritime industry in the EU. Concurrently, North Korean threat actors expanded operations aimed at generating revenue for the regime, relying on deceptive job advertisements and social engineering tactics.

Iranian APT groups kept their focus on the Middle East, heavily targeting governmental organizations as well as the manufacturing and engineering sectors in Israel. The report, published on May 19, provides a snapshot of the intelligence delivered to ESET customers, derived from telemetry from ESET's products and corroborated by its research efforts.

Russian Threat Actors: Fancy Bear, Gamaredon, and Sandworm

During the designated observation period, notable Russian-aligned groups such as Fancy Bear, Gamaredon, and Sandworm intensified their campaigns, predominantly targeting Ukraine and EU nations. Ukraine, in particular, endured a wave of cyber-attacks aimed at its essential infrastructure and government institutions.

Gamaredon, a hacking unit believed to be linked to Russia’s Federal Security Service (FSB), emerged as a highly active player targeting Ukraine. The group, also known as Primitive Bear, UNC530, and Aqua Blizzard, enhanced its malware obfuscation toolkit and introduced PteroBox, a file stealer utilizing Dropbox for data exfiltration.

Fancy Bear (APT28), associated with the Russian military intelligence agency (GRU), refined its exploitation of cross-site scripting (XSS) vulnerabilities in webmail services, extending its Operation RoundPress across multiple email platforms. The group leveraged a zero-day vulnerability (CVE-2024-11182) in the MDaemon Email Server against Ukrainian firms.

Sandworm (APT44), another group affiliated with the GRU, prioritized the compromise of Ukrainian energy infrastructure, employing weaknesses within Active Directory Group Policy to launch ZEROLOT, a new wiper tool. Other Russian-aligned units, such as RomCom, showcased their advanced capabilities by deploying zero-day exploits against widely used software, including vulnerabilities in Mozilla Firefox (CVE-2024-9680) and Microsoft Windows (CVE-2024-49039).

Additional Key APT Campaigns Observed

The report delineated other significant findings, including:

– Mustang Panda emerged as the most active China-backed APT group, targeting governmental institutions and maritime transportation firms using Korplug malware and malicious USB drives.
– PerplexedGoblin, another Chinese-aligned group, deployed a new espionage backdoor, termed NanoSlate, against a Central European government entity.
– The North Korean group DeceptiveDevelopment significantly broadened its targeting efforts, using false job advertisements primarily in the cryptocurrency and finance sectors to deploy the multiplatform WeaselStore malware.
– Kimsuky and Konni resumed their activities in early 2025, reorienting their targeting focus from English-speaking think tanks and NGOs toward South Korean entities and diplomatic figures.
– North Korean group Andariel re-emerged after a year of dormancy, executing a sophisticated attack against a South Korean industrial software company.

Moreover, on February 28, 2025, a VHDX file containing a malicious shortcut and an encrypted downloader referred to as RadialAgent was uploaded to VirusTotal from Japan, pointing to the activities of APT-C-60, a cyber espionage group associated with South Korea.

Jean-Ian Boutin, the ESET Director of Threat Research, emphasized that the highlighted operations reflect broader trends within the threat landscape observed during this period, illustrating key developments and changes in the cybersecurity realm. The operations described account for only a fraction of the comprehensive cybersecurity intelligence data provided to ESET customers through its APT reports.