ESET APT Activity Report Q4 2022–Q1 2023 summarizes the activities of selected advanced persistent threat (APT) groups that were observed, investigated, and analyzed by ESET researchers from October 2022 until the end of March 2023. Attentive readers will notice that a small portion of the report also mentions some events previously covered in APT Activity Report T3 2022. This stems from our decision to release this report on a semi-annual basis, with the current issue encompassing Q4 2022 and Q1 2023, while the forthcoming edition will cover Q2 and Q3 2023.

In the monitored timeframe, several China-aligned threat actors focused on European organizations, employing tactics such as the deployment of a new Ketrican variant by Ke3chang, and Mustang Panda’s utilization of two new backdoors. MirrorFace targeted Japan and implemented new malware delivery approaches, while Operation ChattyGoblin compromised a gambling company in the Philippines by targeting its support agents. India-aligned groups SideWinder and Donot Team continued to target governmental institutions in South Asia with the former targeting the education sector in China, and the latter continued to develop its infamous yty framework, but also deployed the commercially available Remcos RAT. Also in South Asia, we detected a high number of Zimbra webmail phishing attempts.

In the Middle East, Iran-aligned group MuddyWater stopped using SimpleHelp during this period to distribute its tools to its victims and shifted to PowerShell scripts. In Israel, OilRig deployed a new custom backdoor we’ve named Mango and the SC5k downloader, while POLONIUM used a modified CreepySnail.

North Korea-aligned groups such as ScarCruft, Andariel, and Kimsuky continued to focus on South Korean and South Korea-related entities using their usual toolsets. In addition to targeting the employees of a defense contractor in Poland with a fake Boeing-themed job offer, Lazarus also shifted its focus from its usual target verticals to a data management company in India, utilizing an Accenture-themed lure. Additionally, we also identified a Linux malware being leveraged in one of their campaigns. Russia-aligned APT groups were especially active in Ukraine and EU countries, with Sandworm deploying wipers (including a new one we call SwiftSlicer), and Gamaredon, Sednit, and the Dukes utilizing spearphishing emails that, in the case of the Dukes, led to the execution of a red team implant known as Brute Ratel. Finally, we detected that the previously mentioned Zimbra email platform was also exploited by Winter Vivern, a group particularly active in Europe, and we noted a significant drop in the activity of SturgeonPhisher, a group targeting government staff of Central Asian countries with spearphishing emails, leading to our belief that the group is currently retooling.

Malicious activities described in ESET APT Activity Report Q4 2022–Q1 2023 are detected by ESET products; shared intelligence is based mostly on proprietary ESET telemetry and has been verified by ESET Research.

Countries, regions and verticals affected by the APT groups described in this report include:

Targeted countries and regions
Australia
Bangladesh
Bulgaria
Central Asia
China
Egypt
Europe
Hong Kong
India
Israel
Japan
Namibia
Nepal
Pakistan
The Philippines
Poland
Saudi Arabia
South Korea
Southwest Asia
Sri Lanka
Sudan
Taiwan
Ukraine
The United Kingdom
The United States

Targeted business verticals
Data management companies
Defense contractors
Diplomats
Educational institutions
Energy sector
Financial services
Gambling companies
Governmental organizations
Healthcare
Hospitality
Media
Research institutes

ESET APT Activity Reports contain only a fraction of the cybersecurity intelligence data provided in ESET APT Reports PREMIUM. For more information, visit the ESET Threat Intelligence website.

Follow ESET research on Twitter for regular updates on key trends and top threats.