APT Activity Report Q4 2022 - Q1 2023: Lazarus Extends Targeting to All Major Desktop OSes

May 2023

ESET APT Activity Report Q4 2022–Q1 2023 summarizes the activities of selected advanced persistent threat (APT) groups that were observed, investigated, and analyzed by ESET researchers from October 2022 until the end of March 2023.

In the Report, you can learn about several APT groups, including China-aligned, India-aligned, Iran-aligned, and North Korea-aligned threat actors. Russia-aligned APT actors were especially active in Ukraine and EU countries, with Sandworm deploying wipers (including a new one that we call SwiftSlicer), and Gamaredon, Sednit, and the Dukes using spearphishing emails that, in the case of the Dukes, led to the execution of a red team implant known as Brute Ratel.

Countries and regions affected by the APT groups described in this Report include:

  • Australia
  • Bulgaria
  • China
  • Egypt
  • India
  • Israel
  • Namibia
  • Poland
  • Sudan
  • Taiwan
  • United Kingdom
  • United States
  • Ukraine

Targeted business verticals include:

  • Data management companies
  • Defense contractors
  • Diplomats
  • Educational institutions
  • Energy sector
  • Financial services
  • Gambling companies
  • Governmental organizations
  • Healthcare
  • Hospitality
  • Media
  • Research institutes

Note that a small portion of the report also mentions some events previously covered in APT Activity Report T3 2022. This stems from our decision to release this report on a semi-annual basis, with the current issue encompassing Q4 2022 and Q1 2023, while the forthcoming edition will cover Q2 and Q3 2023.

The malicious activities described in ESET APT Activity Report Q4 2022–Q1 2023 are detected by ESET products; shared intelligence is based mostly on proprietary ESET telemetry and has been verified by ESET Research.

ESET APT Activity Reports only contain a fraction of the cybersecurity intelligence data provided in the ESET APT Reports PREMIUM. For more information, visit the ESET Threat Intelligence website.
