ESET’s recent report details the activities of various advanced persistent threat (APT) groups from April to September 2024, highlighting the key trends and developments observed during this period, including targeted phishing attacks, malware distribution, and vulnerability exploitation.
Advanced Persistent Threat (APT) groups are notorious for their capacity to compromise vital national infrastructure, government agencies, and private businesses.
China-aligned threat actors, including MirrorFace, Flax Typhoon, Webworm, and GALLIUM, have significantly expanded their targeting scope and tactics. MirrorFace, traditionally focused on Japanese entities, has targeted a European Union diplomatic organization.
These groups have made SoftEther VPN their primary tool for maintaining continuous access to the networks they have compromised.
The shift is evident in Flax Typhoon’s widespread use of SoftEther VPN, Webworm’s transition from a full-featured backdoor to SoftEther VPN Bridges, and GALLIUM’s deployment of SoftEther VPN servers in African telecommunications networks.
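The common thread in the paragraphs above is a legitimate VPN product repurposed as a persistence channel, so a defender's first question is whether SoftEther binaries are running where they should not be. The following hunt is an added example, not code from ESET or its report: it parses a constructed, simplified process-creation log (hypothetical hosts and paths), flags the SoftEther executables the project ships (vpnserver, vpnbridge, vpnclient, vpncmd), and raises the severity when the binary runs outside the product's normal install directory. The log format and the "expected directory" heuristic are assumptions of this example.

```python
import re

# Constructed sample process-creation events in a simplified key=value format.
# Hosts, paths and parents are hypothetical, not telemetry from the ESET report.
SAMPLE_EVENTS = [
    r'host=srv01 image=C:\Windows\System32\svchost.exe parent=services.exe',
    r'host=srv02 image=C:\ProgramData\vpnbridge.exe parent=cmd.exe',
    r'host=srv03 image=C:\Users\Public\vpnserver_x64.exe parent=powershell.exe',
    r'host=srv04 image=C:\Program Files\SoftEther VPN Client\vpnclient.exe parent=explorer.exe',
    r'host=srv05 image=C:\Windows\Temp\update.exe parent=explorer.exe',
]

# Executable names shipped by the SoftEther project (server, bridge, client, CLI).
# Matching on the final path component keeps renamed directories from hiding them.
SOFTETHER_BINARY = re.compile(
    r'(?:^|[\\/])(vpnserver|vpnbridge|vpnclient|vpncmd)[^\\/]*\.exe$', re.IGNORECASE
)

# Assumption of this example: a sanctioned install lives under the vendor's
# default "SoftEther VPN ..." folder in Program Files. Anything else is suspect.
EXPECTED_INSTALL_DIR = re.compile(r'^C:\\Program Files\\SoftEther VPN', re.IGNORECASE)

# Values may contain spaces (e.g. "Program Files"), so split on "key=" boundaries
# rather than on whitespace.
KV_PATTERN = re.compile(r'(\w+)=(.*?)(?=\s\w+=|$)')


def parse_event(line):
    """Turn one key=value log line into a dict."""
    return dict(KV_PATTERN.findall(line))


def classify(event):
    """Return a finding dict for SoftEther executables, or None for anything else."""
    image = event.get('image', '')
    match = SOFTETHER_BINARY.search(image)
    if not match:
        return None
    in_expected_dir = bool(EXPECTED_INSTALL_DIR.match(image))
    return {
        'host': event.get('host'),
        'image': image,
        'parent': event.get('parent'),
        'binary': match.group(1).lower(),
        # A SoftEther bridge/server dropped in ProgramData or a user folder is the
        # pattern the report associates with persistence; an install in the vendor
        # directory still deserves a look, but at lower priority.
        'severity': 'low' if in_expected_dir else 'high',
    }


def hunt_softether(lines):
    """Parse every line and collect the SoftEther findings in log order."""
    findings = []
    for line in lines:
        finding = classify(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == '__main__':
    for f in hunt_softether(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper()}] {f['host']}: {f['binary']} at {f['image']} "
              f"(parent {f['parent']})")
```

In practice the same two checks (known binary name, unexpected location) translate directly into an EDR or SIEM query; the heuristic will not catch a renamed binary, so pairing it with file-hash or code-signing checks on the SoftEther signer is the natural next step.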
Iran-aligned cyber actors have conducted targeted cyberespionage operations against entities in regions of geopolitical interest to Iran, including financial institutions in Africa, government entities in Iraq and Azerbaijan, and critical infrastructure in Israel.
They have also expanded their targeting to include diplomatic missions in France and educational institutions in the United States, suggesting a broader global strategy to gather intelligence and potentially support future kinetic operations.
North Korean threat actors, notably Kimsuky and ScarCruft, persisted in cyberattacks targeting critical sectors.
They exploited legitimate tools like Microsoft Management Console files and leveraged popular cloud services like Google Drive, Microsoft OneDrive, and Zoho to infiltrate systems.
Their primary objective was to steal funds, both traditional currency and cryptocurrency, to support the regime’s WMD programs; this activity posed significant threats to the defense, aerospace, cryptocurrency, and other strategic sectors in Europe, the US, and beyond.
The recent cyber threat landscape reveals intensified activity from various nation-state actors. Russia-aligned groups, including Sednit and GreenCube, have exploited XSS vulnerabilities in webmail servers like Roundcube and Zimbra to compromise targets.
According to ESET, Gamaredon has ramped up spearphishing campaigns, while Sandworm has deployed advanced malware like WrongSens, LOADGRIP, and BIASBOAT.
Operation Texonto, a disinformation campaign, has been targeting Ukrainians and Russian dissidents.
At the same time, the Polish Anti-Doping Agency was breached by an initial access broker who shared access with the Belarus-aligned FrostyNeighbor group.
The South Korea-aligned APT-C-60 group has been found to have exploited a remote code execution vulnerability in WPS Office for Windows.