Russian APT Groups Intensify Attacks in Europe with Zero-Day Exploits


The end of 2024 and the start of 2025 were marked by intensified malicious cyber activity from Russia-aligned hacking groups, according to ESET.

In its APT Activity Report Q4 2024–Q1 2025, ESET Research documented the activity of some of the major advanced persistent threat (APT) groups from China, North Korea, Iran, Russia and a few other countries between October 2024 and March 2025.

The research team observed that Russian APT groups intensified attacks against Ukraine and the EU during that period, exploiting zero-day vulnerabilities and deploying new wipers.

In Asia, China-aligned actors, responsible for the largest share of APT campaigns (40.1%), continued their espionage campaigns, primarily targeting EU governments and the maritime sector.

Meanwhile, North Korea-backed groups expanded their campaigns aimed at making money for the regime using fake job listings and social engineering.

Iranian APT groups maintained their primary focus on the Middle East region, predominantly targeting governmental organizations and entities within the manufacturing and engineering sectors in Israel.

The report, published on May 19, is a snapshot of data available for ESET customers, collected through ESET products and shared intelligence verified by ESET researchers.

Fancy Bear, Gamaredon and Sandworm at the Russian Forefront

During the monitored period, Russia-aligned threat actors, notably Fancy Bear, Gamaredon and Sandworm, continued their aggressive campaigns, primarily targeting Ukraine and EU countries. Ukraine faced the most intense cyber-attacks, directed against its critical infrastructure and government institutions.

Gamaredon, a hacking unit believed to be affiliated with Russia’s Federal Security Service (FSB), remained the most prolific actor targeting Ukraine. Notably, the group, also known as Primitive Bear, UNC530 and Aqua Blizzard, improved its malware obfuscation toolset and introduced PteroBox, a file stealer that leverages Dropbox.

Fancy Bear (APT28), a group associated with the Russian military intelligence agency (GRU), refined its exploitation of cross-site scripting (XSS) vulnerabilities in webmail services, expanding its Operation RoundPress to include multiple email services. The group, also known as Sednit, Pawn Storm, Forest Blizzard and Sofacy Group, successfully leveraged a zero-day vulnerability in MDaemon Email Server (CVE-2024-11182) against Ukrainian companies.


Sandworm (APT44), another group associated with the GRU, primarily concentrated on compromising Ukrainian energy infrastructure. The group, also known as Voodoo Bear, Iron Viking, Telebots and Seashell Blizzard, leveraged weaknesses in Active Directory Group Policy to deploy ZEROLOT, a new wiper.

Other Russia-aligned groups, such as RomCom, demonstrated advanced capabilities by deploying zero-day exploits against prominent software, including Mozilla Firefox (CVE-2024-9680) and Microsoft Windows (CVE-2024-49039).

Other Key APT Campaigns Observed by ESET

Other key takeaways from the report included:

  • Mustang Panda remained the most active China-backed APT group, targeting governmental institutions and maritime transportation companies via Korplug loaders and malicious USB drives
  • PerplexedGoblin, another Chinese-aligned group, distributed a new espionage backdoor, which ESET named NanoSlate, against a Central European government entity
  • North Korea-aligned threat group DeceptiveDevelopment significantly broadened its targeting, using fake job listings primarily within the cryptocurrency, blockchain and finance sectors to distribute the multiplatform WeaselStore malware
  • Kimsuky and Konni returned to their usual activity levels in early 2025 after a noticeable decline at the end of 2024, shifting their targeting away from English-speaking think tanks, NGOs and North Korea experts to focus primarily on South Korean entities and diplomatic personnel
  • North Korean group Andariel resurfaced after a year of inactivity with a sophisticated attack against a South Korean industrial software company

Interestingly, ESET also observed that on February 28, 2025, a VHDX file containing a malicious shortcut and an encrypted downloader, which the firm referred to as RadialAgent, was uploaded to VirusTotal from Japan by APT-C-60, a cyber espionage group aligned with South Korea.

Jean-Ian Boutin, the ESET Director of Threat Research, said, “The highlighted operations are representative of the broader threat landscape that we investigated during this period. They illustrate the key trends and development and contain only a small fraction of the cybersecurity intelligence data provided to customers of ESET APT reports.”
