Inside the ESET report that redraws the map of cyber risk for 2026

When in 1987 two Slovak programmers, Rudolf Hrubý and Peter Paško, created the first antivirus capable of neutralizing the Vienna virus, they did not imagine that their creation would become one of the privileged observers of the digital wars of the twenty-first century. ESET, from the small city of Bratislava, has grown to thirteen research and development centers scattered around the world, with telemetry that monitors threats on a planetary scale. It's like having a radar system distributed on every continent, always on, always listening.
Twice a year, ESET publishes its APT Activity Reports, documents that distill months of investigations into Advanced Persistent Threat groups, those state-sponsored cyber formations that operate in the shadows for espionage, sabotage, or profit. The report covering the period from April to September 2025 is not a simple collection of incidents: it is a cartography of the geopolitical tensions of our time, traced through lines of code rather than physical borders. Every documented attack, every new malware analyzed, every victim identified tells a larger story of rivalry between powers, digital proxy wars, and parallel economies based on stolen cryptocurrencies.
But there is an anomaly in this report that deserves special attention, something that until a few months ago would have seemed impossible: the first documented collaboration between two traditionally rival Russian groups. To understand its significance, we must look beyond the technicalities and ask what it tells us about the ongoing changes in the cyberwarfare ecosystem.
The Russian Anomaly: When Gamaredon Meets Turla
ESET researchers observed something unprecedented in September 2025: implants from the Gamaredon group, known for their frantic activity against Ukrainian targets, were used to restart and redeploy backdoors of the Turla group, another Russian actor but with different characteristics and affiliations. In technical terms, tools like PteroGraphin, PteroOdd, and PteroPaste restarted version 3 of Kazuar, Turla's distinctive backdoor, on already compromised machines in Ukrainian territory.
Why is this important? Security analysts are well aware that Russian services are notoriously fragmented and competitive with each other. Gamaredon is generally associated with the FSB (Federal'naja služba bezopasnosti), particularly Center 18, while Turla traditionally answers to Center 16 of the same service. These groups have different objectives, techniques, and toolsets. Gamaredon operates with a "spray and pray" approach, launching massive spearphishing campaigns and continuously updating its arsenal with ever-new variants. Turla is more selective, surgical, and oriented towards high-value intelligence targets.
ESET telemetry shows that the collaboration was not indiscriminate: the Kazuar backdoor was deployed on only a small number of machines compared to the vast compromise carried out by Gamaredon. This suggests a selective deployment on targets considered particularly valuable, where the initial access provided by Gamaredon paved the way for second-stage operations conducted by Turla.
But what led these two groups to collaborate? The report does not speculate, limiting itself to documenting the facts. However, we can make some considerations. The intensity of the conflict in Ukraine may have created such pressure as to make cooperation not only desirable but necessary. When resources are limited and objectives are multiple, even internal rivalries give way to shared priorities. Or perhaps we are witnessing a paradigm shift in the organization of Russian cyberwarfare, where compartmentalization gives way to more fluid and collaborative structures when the stakes are high enough.
During the same period, Gamaredon further intensified its operations. The group incorporated new file stealers into its arsenal and began to use tunneling services such as loca.lt, loophole.site, and devtunnels.ms, as well as legitimate cloud storage platforms like Tebi and Wasabi, for data exfiltration. It even experimented with exploiting the CVE-2025-8088 vulnerability in WinRAR, the same zero-day that the RomCom group was using at the same time.
RomCom represents another interesting case in the Russian landscape. In mid-July 2025, the group discovered and exploited a zero-day vulnerability in WinRAR that allowed the use of alternate data streams for path traversal. The attack was elegant in its simplicity: an archive seemingly containing a single benign file that, once opened, deployed malicious DLLs in the temporary directory and malicious links in the Windows startup folder. ESET responsibly reported the vulnerability to WinRAR on July 24, and the patch arrived six days later with version 7.13. The targets? Companies in the financial, manufacturing, defense, and logistics sectors in Europe and Canada.
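As an added illustration of the kind of pre-extraction check an archive tool, a mail gateway or an incident responder can apply against the entry-name tricks described above, the Python below audits an archive listing for parent-directory components, absolute paths, drive letters and NTFS alternate-data-stream syntax, and computes where each entry would land under the extraction directory. This is example code written for this page, not ESET's or WinRAR's code, it does not reproduce the CVE-2025-8088 details, and the listing it checks is constructed.

```python
"""Audit archive entry names before extraction (added example, constructed input)."""
import posixpath
import re

# A leading "C:" is a drive specifier, not an NTFS stream separator.
DRIVE_RE = re.compile(r"^[A-Za-z]:")

# Constructed sample listing: the first two entries are benign, the rest should be refused.
SAMPLE_LISTING = [
    "report.pdf",
    "./notes/readme.md",
    "docs/../../../outside.txt",          # parent traversal that leaves the target directory
    "C:/Windows/Temp/x.dll",              # drive letter plus absolute path
    "/etc/cron.d/job",                    # absolute POSIX path
    "invoice.txt:..\\..\\outside.lnk",    # NTFS stream syntax with traversal inside the stream name
    "\\\\server\\share\\file.txt",        # UNC path
]


def _split_stream(name):
    """Split 'path:stream' NTFS alternate-data-stream syntax into (path, stream or None)."""
    drive, body = "", name
    m = DRIVE_RE.match(body)
    if m:
        drive, body = m.group(0), body[2:]
    if ":" in body:
        path, stream = body.split(":", 1)
        return drive + path, stream
    return name, None


def check_entry_name(name, dest="/extract"):
    """Return (ok, reasons, resolved) for one archive entry name.

    `reasons` lists every property that should make an extractor refuse the entry;
    `resolved` is the POSIX-normalised path the entry would occupy under `dest`.
    """
    reasons = []
    path, stream = _split_stream(name)
    norm = path.replace("\\", "/")
    if stream is not None:
        reasons.append("ntfs_stream_syntax")
        # The stream part is just as untrusted as the file name: apply the same check to it.
        if ".." in stream.replace("\\", "/").split("/"):
            reasons.append("traversal_in_stream_name")
    if DRIVE_RE.match(path):
        reasons.append("drive_letter")
        norm = norm[2:]
    if norm.startswith("/"):
        reasons.append("absolute_path")
    parts = [p for p in norm.split("/") if p not in ("", ".")]
    if ".." in parts:
        reasons.append("parent_traversal")
    # Where would the entry really end up? Anything outside dest is an escape.
    resolved = posixpath.normpath(posixpath.join(dest, norm.lstrip("/")))
    if resolved != dest and not resolved.startswith(dest.rstrip("/") + "/"):
        reasons.append("escapes_destination")
    return (not reasons, reasons, resolved)


def audit_listing(names, dest="/extract"):
    """Run check_entry_name over a whole listing; return {name: reasons} for refused entries."""
    refused = {}
    for n in names:
        ok, reasons, _ = check_entry_name(n, dest)
        if not ok:
            refused[n] = reasons
    return refused


if __name__ == "__main__":
    for name, why in audit_listing(SAMPLE_LISTING).items():
        print(f"REFUSE {name!r}: {', '.join(why)}")
```

The policy is deliberately strict: any `..` component is refused even when the normalised path would stay inside the destination, because the cost of a false refusal on a legitimate archive is far lower than the cost of one file landing in a startup folder.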
Meanwhile, Sandworm, the Russian group linked to the GRU and specializing in destructive operations, maintained its focus on Ukraine with a different approach: its goal is not espionage but sabotage. The wipers ZEROLOT and Sting were deployed against universities, government agencies, energy companies, and the logistics sector. Particularly significant is the targeting of the Ukrainian grain sector, one of the country's main sources of revenue. What clearer message of the intention to weaken the opponent's war economy?
China Plays on Multiple Fronts
If Russia concentrates its digital energies on Ukraine and its European allies, China demonstrates the ability to operate simultaneously on multiple fronts, reflecting the complexity of its geopolitical priorities. The ESET report identifies 39.8% of the attacks in the period as coming from groups aligned with Beijing, a significant percentage that underscores the level of mobilization of Chinese cyber assets.
The most interesting story concerns FamousSparrow, a group already known for its campaigns but which between June and September 2025 suddenly shifted its focus to Latin America. ESET researchers found traces of the SparrowDoor backdoor on machines belonging to government entities in Argentina, Guatemala, Honduras, Panama, and Ecuador. These are not random incursions: in Guatemala, investigators found evidence of the exploitation of the ProxyLogon vulnerability for initial access, while in Panama the use of atexec-pro, an open-source tool for lateral movement, suggests a well-planned operation.
Why now? Why these countries specifically? The geopolitical context offers important clues. The Trump administration has renewed American interest in Latin America, pushing to reduce the Chinese financial footprint around the Panama Canal and initiating a rapprochement with Ecuador, where Beijing's influence had grown in previous years. In February 2025, Secretary of State Marco Rubio visited Panama, leading President Mulino to announce the country's withdrawal from the Belt and Road Initiative. In the case of Honduras and Guatemala, the activities could be related to these countries' relations with Taiwan.
It is reasonable to assume that FamousSparrow's operations are an attempt by Beijing to understand the real intentions of these governments in a rapidly evolving diplomatic landscape. We do not know what they were looking for exactly, what documents they exfiltrated, what conversations they intercepted. But the concentration of efforts suggests that Latin America was the group's main priority during these months.
While FamousSparrow was scouting Latin American chancelleries, other Chinese groups demonstrated a growing use of the adversary-in-the-middle technique. ESET is currently tracking ten active groups using this technique, both for initial access and for lateral movement. It is a sophisticated approach that requires strategic positioning capabilities in the network, but the results can be devastating.
SinisterEye, also known as LuoYu or CASCADE PANDA, is an emblematic example. The group operates mainly against targets within China, but it hits both domestic entities and the offices of foreign companies. With probable access to the internet backbone infrastructure, SinisterEye intercepts and manipulates software updates to deploy WinDealer on Windows or SpyDealer on Android. Between May and September 2025, it targeted the Chinese offices of a Taiwanese company in the aerospace defense sector, also involved in the semiconductor industry. In August, it moved on to representatives of an American trade organization in Beijing, likely interested in lobbying activities to ease American tariffs against Asian countries. In September, even an Ecuadorian government entity was targeted.
PlushDaemon uses a different but equally effective approach: it compromises network devices such as routers and deploys EdgeStepper, a tool that redirects DNS traffic to servers controlled by the attackers. These servers respond to queries for domains associated with software update infrastructures with the IP addresses of malicious web servers, which ultimately serve SlowStepper, the group's distinctive backdoor. In June, PlushDaemon hit the Cambodian offices of a Japanese company and a multinational heavily involved in projects related to the Belt and Road Initiative in the oil and gas sector. The timing is significant: in April 2025, a major partnership between Chinese companies and Cambodia was announced to build the largest oil refinery in the country, a $3.5 billion project.
Other Chinese groups have maintained consistent operations in their traditional areas of expertise. Mustang Panda remained active in Southeast Asia, the United States, and Europe, focusing on government, engineering, and maritime transport sectors. Flax Typhoon continued to exploit public web servers in Taiwan by deploying webshells, maintaining its SoftEther VPN infrastructure, and introducing the use of BUUT, an open-source proxy. Speccom targeted the energy sector in Central Asia, a crucial region for China's ambition to reduce dependence on maritime imports, using spearphishing with strategically named malicious documents like "UzGasTrade 26.06.2025.doc".

Iran, North Korea, and the Others
If Russia and China quantitatively dominate the threat landscape, other state actors demonstrate creativity and persistence in their operations. The ESET report pays particular attention to two ecosystems: the Iranian and the North Korean.
MuddyWater, a group aligned with Iran, distinguished itself with a counterintuitive tactical innovation: internal spearphishing. The technique is simple but effective: after compromising an email account within a target organization, the operators use that account to send phishing messages to many employees of the same company. The results? A remarkably high success rate. The reason is both psychological and technological: security tools and SOC analysts are calibrated to detect malicious external emails, not internal communications. A message arriving from a colleague on the floor above bypasses filters and lowers the recipient's cognitive defenses.
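One way a defender can close the calibration gap the paragraph describes is to baseline each internal account's normal fan-out and alert when an account suddenly sends link-bearing mail to many colleagues in a short window. The Python below is an added example written for this page, not code from the ESET report or from any vendor; the mail-gateway records, the `example.org` domain, the one-hour window and the thresholds are constructed assumptions.

```python
"""Detect internal-account fan-out bursts in mail-gateway records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example.org"  # assumption: the organisation's own mail domain

# Constructed sample records: (timestamp, sender, recipient, message carries a link)
SAMPLE_LOG = [
    # normal chatter on two earlier days
    ("2025-09-01T09:00:00", "anna@example.org", "bob@example.org", True),
    ("2025-09-01T11:30:00", "anna@example.org", "carl@example.org", False),
    ("2025-09-01T10:15:00", "marco@example.org", "dana@example.org", False),
    ("2025-09-02T08:45:00", "anna@example.org", "bob@example.org", False),
    ("2025-09-02T16:10:00", "anna@example.org", "dana@example.org", True),
    ("2025-09-02T13:00:00", "marco@example.org", "anna@example.org", True),
    ("2025-09-02T13:05:00", "marco@example.org", "partner@supplier.test", True),  # external, ignored
    # day three: marco's account fans out link mails to many colleagues within 20 minutes
    ("2025-09-03T14:00:00", "marco@example.org", "anna@example.org", True),
    ("2025-09-03T14:02:00", "marco@example.org", "bob@example.org", True),
    ("2025-09-03T14:05:00", "marco@example.org", "carl@example.org", True),
    ("2025-09-03T14:09:00", "marco@example.org", "dana@example.org", True),
    ("2025-09-03T14:14:00", "marco@example.org", "eve@example.org", True),
    ("2025-09-03T14:20:00", "marco@example.org", "finn@example.org", True),
    ("2025-09-03T14:21:00", "marco@example.org", "anna@example.org", True),  # repeat, counted once
    ("2025-09-03T15:00:00", "anna@example.org", "eve@example.org", True),
]


def is_internal(addr):
    return addr.lower().endswith("@" + INTERNAL_DOMAIN)


def _parse(log):
    """Keep only internal-to-internal messages, as (datetime, sender, recipient, has_link)."""
    rows = []
    for ts, sender, rcpt, has_link in log:
        if is_internal(sender) and is_internal(rcpt):
            rows.append((datetime.fromisoformat(ts), sender.lower(), rcpt.lower(), has_link))
    return sorted(rows)


def daily_baseline(rows, sender, before_day):
    """Largest number of distinct internal recipients this sender mailed on any single
    day strictly before `before_day` (0 when there is no history)."""
    per_day = defaultdict(set)
    for t, s, r, _ in rows:
        if s == sender and t.date() < before_day:
            per_day[t.date()].add(r)
    return max((len(v) for v in per_day.values()), default=0)


def detect_internal_fanout(log, window=timedelta(hours=1), min_recipients=5, ratio=3.0):
    """Alert on internal senders whose link-bearing mail reached at least `min_recipients`
    distinct colleagues inside `window`, when that count also exceeds `ratio` times the
    sender's historical daily baseline."""
    rows = _parse(log)
    by_sender = defaultdict(list)
    for row in rows:
        if row[3]:  # only messages carrying a link
            by_sender[row[1]].append(row)
    alerts = []
    for sender, msgs in by_sender.items():
        best_n, best_start = 0, None
        for i, (t0, _, _, _) in enumerate(msgs):  # msgs are time-ordered
            rcpts = {r for t, _, r, _ in msgs[i:] if t - t0 <= window}
            if len(rcpts) > best_n:
                best_n, best_start = len(rcpts), t0
        if best_n < min_recipients:
            continue
        base = daily_baseline(rows, sender, best_start.date())
        if best_n > ratio * base:
            alerts.append({"sender": sender, "window_start": best_start.isoformat(),
                           "distinct_recipients": best_n, "baseline": base})
    return alerts


if __name__ == "__main__":
    for a in detect_internal_fanout(SAMPLE_LOG):
        print(a)
```

The baseline is taken over all of the sender's internal mail, not just link-bearing messages, so an account that habitually mails a large team is not flagged for doing what it always does; a quiet account that suddenly reaches six colleagues with links is.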
MuddyWater operated in Africa, Asia, Europe, the Middle East, and North America during this period, using both links to download remote monitoring and management tools and VBScript droppers that load custom backdoors into memory. It is a frantic activity that requires considerable coordination and resources.
GalaxyGato, another Iranian group also known as C5, Smoke Sandstorm, TA455, or UNC1549, targeted the Greek shipping sector from July 2025 with an improved version of the C5 backdoor, heavily obfuscated with ConfuserEx. But the most interesting twist is a DLL search-order hijack in the Windows Defender directory that allows for credential theft every time a user enters them. The malware writes the credentials to a file that the group can then exfiltrate for lateral movement and privilege escalation. Elegant in its simplicity, devastating in its effectiveness.
North Korea maintains its focus on two primary objectives: strategic espionage and revenue generation for the regime. North Korean groups have expanded operations into Uzbekistan, a country not previously observed in their scope. The cryptocurrency sector remains Pyongyang's preferred ATM.
DeceptiveDevelopment, a group specializing in fake recruiter profiles that provide developers with trojanized codebases as part of fake selection processes, has shown intense activity. ESET researchers documented surprising similarities between Akdoor, a backdoor used by Lazarus in 2018, and AkdoorTea, a new backdoor from DeceptiveDevelopment in August 2025. They also identified overlaps with IT worker fraud operations conducted by groups UNC5267 and Jasper Sleet. This is not an isolated case: the US Department of Justice announced in June 2025 coordinated actions against the North Korean IT worker ecosystem, with search operations against 29 laptop farms and indictments for 10 individuals identified as co-conspirators.
Lazarus demonstrated its versatility with attacks ranging from healthcare to the aerospace sector. In April, after deploying the ThreatNeedleTea backdoor in a hospital and gaining full control of the system, it executed a variant of the Qilin ransomware displaying an extortion message. In September, it compromised the network of an Italian aerospace company using various droppers and loaders that extracted the final stages from their alternate data streams, culminating in the ImprudentCook downloader and the ScoringMathTea backdoor. The targeting of the European aerospace sector, also documented in the recent Operation DreamJob campaign affecting UAV companies, suggests Pyongyang's growing interest in these technologies.
ScarCruft carried out supply-chain attacks against South Korean vendors, trojanizing installers for ERP and CCTV software available on the vendors' official websites. In both cases, the malicious code downloaded RokRAT, the group's signature backdoor.
Kimsuky experimented with the ClickFix technique against diplomatic entities, think tanks, and South Korean academics. Konni, on the other hand, did something unusual: in September 2025, it launched a campaign targeting macOS, an operating system rarely in North Korea's sights. The malicious AppleScript script used social engineering to obtain user credentials, validate them, and download a final payload that turned out to be a modified version of the EggShell backdoor, previously linked to an unidentified North Korean group.
In addition to these major actors, the report documents activities of smaller or unattributed groups. FrostyNeighbor exploited CVE-2024-42009, an XSS vulnerability in Roundcube that allows arbitrary JavaScript to be loaded in the context of the webmail client. Interestingly, ESET identified at least two separate clusters exploiting the same vulnerability, one attributed to Winter Vivern and an unattributed one that targeted Polish and Lithuanian companies with spearphishing emails impersonating Polish businesses. These emails contained a distinctive use of emojis and bullet points, a structure reminiscent of AI-generated content, suggesting a possible use of artificial intelligence tools in the campaign.
Finally, there is Wibag, a previously unknown Android spyware family discovered in Iraq. Masquerading as a YouTube app, Wibag is capable of keylogging on specific apps like Telegram, WhatsApp, Instagram, Facebook Messenger, and Snapchat, audio recording via microphone, exfiltration of SMS, call logs, location data, contacts, screen recording, and even recording of WhatsApp and regular phone calls. The admin panel login page displays the logo of the Iraqi National Security Service, suggesting a possible operation conducted by the INSS, although it cannot be ruled out that an unrelated group used the logo to cover its tracks.
Reading the Future in Patterns: 2026 Scenarios
What can we deduce from these six months of cyber activity to project into 2026? The ESET report provides data, not a crystal ball, but the patterns are significant and allow for some reasoned considerations about possible developments.
The FrostyNeighbor case and the AI-like structure of the emails raise a fundamental question: how much is artificial intelligence already changing the threat landscape? Industry experts are unanimous in predicting a strong increase in the use of AI in phishing for 2026. ChatGPT and other large language models can already generate grammatically perfect and highly personalized phishing emails, easily bypassing guardrails with the appropriate language. This makes detection techniques based on grammatical errors or suspicious syntax obsolete. But it's not just phishing that is evolving: according to Google's predictions, 2026 will see AI normalized in daily attack and defense activities, with adversaries using automation to scale operations and autonomous AI that can probe networks, identify weaknesses, and exploit vulnerabilities with minimal human supervision.
The Gamaredon-Turla collaboration raises questions about the future of cooperative models between APTs. Was it a situational anomaly, dictated by the pressure of the Ukrainian conflict, or does it represent a template that can be replicated in other contexts? If the answer is the latter, we might see other unexpected partnerships in 2026 between groups that share state sponsors but have historically operated in separate silos. This further complicates attribution, already a significant challenge in the cyber landscape, and could allow for more sophisticated operations that combine the specializations of different actors.
The sectoral targeting documented in the report offers clues on where to focus defenses. The healthcare sector in Taiwan, energy in Central Asia, logistics and grain in Ukraine, cryptocurrency globally, aerospace in Europe: these are not random choices but reflect precise geopolitical priorities. We can expect these trends to intensify in 2026. China's focus on semiconductors, for example, is set to grow as the technological competition between the United States and China sharpens. North Korean attacks on the crypto sector will likely increase, as international sanctions force the regime to seek alternative sources of revenue. Russian destructive operations against the Ukrainian economy could expand to sectors that have been less affected so far.
Are zero-day vulnerabilities becoming a commodity exchanged between APT groups? The shared use of CVE-2025-8088 between RomCom and Gamaredon is suggestive. If different Russian groups have access to the same zero-days, it implies a level of coordination or intelligence sharing that goes beyond a single operational collaboration. This could create problems for defenders: a vulnerability discovered and patched after exploitation by one group might already be known and used by others. The lifecycle of zero-days could shorten, with simultaneous exploitation by multiple actors before a patch is available.
The growing use of legitimate cloud services for command and control and exfiltration, as documented for Gamaredon with Tebi and Wasabi, is a trend that is set to consolidate. From the attackers' perspective, the advantages are obvious: traffic to legitimate cloud services is difficult to distinguish from benign traffic, providers offer excellent reliability and bandwidth, and the cost is minimal. For defenders, this means that the old approach of blocking malicious domains and IPs is becoming less and less effective. Detection must shift towards behavioral analysis: not where the access occurs, but how and why.
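To make the "how and why, not where" shift concrete, the Python below runs two behavioral checks over proxy records: a per-host upload-volume spike to object-storage domains relative to that host's own history, and a first-ever upload of meaningful size to a storage domain the host has never contacted. It is an added example written for this page, not ESET's or any vendor's code; the key=value log format, the sample lines and the list of storage hostnames are constructed assumptions (substitute your own watch-list).

```python
"""Behavioral detection of bulk uploads to cloud-storage services (added example)."""
import re
from collections import defaultdict
from statistics import median

# Assumption: object-storage hostnames the organisation wants to watch; edit to taste.
CLOUD_STORAGE_DOMAINS = ("s3.wasabisys.com", "s3.tebi.io")

# Constructed sample proxy lines in an assumed key=value format.
SAMPLE_PROXY_LOG = """
2025-09-08T10:05:11 host=ws-17 method=PUT dst=s3.wasabisys.com bytes_out=1048576 status=200
2025-09-09T10:06:02 host=ws-17 method=PUT dst=s3.wasabisys.com bytes_out=1150000 status=200
2025-09-10T10:04:55 host=ws-17 method=PUT dst=s3.wasabisys.com bytes_out=1100000 status=200
2025-09-10T23:41:09 host=ws-17 method=PUT dst=s3.wasabisys.com bytes_out=62914560 status=200
2025-09-10T02:13:44 host=ws-03 method=PUT dst=s3.tebi.io bytes_out=26214400 status=200
2025-09-09T09:00:00 host=ws-03 method=GET dst=updates.example.net bytes_out=512 status=200
2025-09-10T11:30:00 host=ws-22 method=POST dst=intranet.example.org bytes_out=2097152 status=200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_proxy_log(text):
    """Parse key=value proxy lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = {"ts": m.group("ts")}
        for token in m.group("kv").split():
            if "=" in token:
                k, v = token.split("=", 1)
                rec[k] = v
        try:
            rec["bytes_out"] = int(rec.get("bytes_out", "0"))
        except ValueError:
            continue
        if "host" in rec and "dst" in rec:
            records.append(rec)
    return records


def is_cloud_storage(dst):
    """Suffix match so bucket-style hostnames (bucket.s3.example) are covered too."""
    d = dst.lower()
    return any(d == s or d.endswith("." + s) for s in CLOUD_STORAGE_DOMAINS)


def detect_cloud_upload_anomalies(text, ratio=5.0, min_bytes=10 * 1024 * 1024):
    """Per host and day, sum bytes uploaded to storage domains and flag:
    - volume_spike: the day's total is at least `min_bytes` and exceeds `ratio` times
      the median of the host's earlier active days;
    - new_destination: on the first day a host ever talks to a storage domain it
      already uploads at least `min_bytes` there."""
    recs = [r for r in parse_proxy_log(text) if is_cloud_storage(r["dst"])]
    per_host_day = defaultdict(lambda: defaultdict(int))        # host -> day -> bytes
    per_host_dst_day = defaultdict(lambda: defaultdict(int))    # (host, dst) -> day -> bytes
    for r in recs:
        day = r["ts"][:10]
        per_host_day[r["host"]][day] += r["bytes_out"]
        per_host_dst_day[(r["host"], r["dst"].lower())][day] += r["bytes_out"]
    alerts = []
    for host, days in per_host_day.items():
        ordered = sorted(days)
        for i, day in enumerate(ordered):
            prior = [days[d] for d in ordered[:i]]  # only days with storage traffic count
            total = days[day]
            if total >= min_bytes and prior and total > ratio * median(prior):
                alerts.append({"host": host, "day": day, "reason": "volume_spike",
                               "bytes": total, "baseline": median(prior)})
    for (host, dst), days in per_host_dst_day.items():
        first = min(days)
        if days[first] >= min_bytes:
            alerts.append({"host": host, "day": first, "reason": "new_destination",
                           "bytes": days[first], "dst": dst})
    return sorted(alerts, key=lambda a: (a["host"], a["day"], a["reason"]))


if __name__ == "__main__":
    for a in detect_cloud_upload_anomalies(SAMPLE_PROXY_LOG):
        print(a)
```

Neither check needs the destination to be "bad": the Wasabi traffic from ws-17 is normal on most days and only becomes interesting when the volume departs from that host's own history, which is exactly the property a domain blocklist cannot capture.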
The issue of AI also raises questions of defense. Predictions for 2026 converge on the fact that identity, no longer the network perimeter, will become the main battlefield. Attacks will no longer be about "getting in" through firewalls but "logging in" with legitimate or compromised credentials. MuddyWater's techniques for internal spearphishing are a preview of this future. As remote and cloud-based work become further normalized, authentication processes will be increasingly targeted. Voice cloning, deepfakes, and AI-generated personas will make it incredibly difficult to distinguish genuine requests from malicious ones.
A final consideration concerns the gap between detection and attribution. The ESET report is valuable precisely because it provides reliable attribution based on extensive telemetry and deep analysis. But how many attacks are detected without being attributable with certainty? How many operations go completely unnoticed? The signal-to-noise ratio in the world of threat intelligence is destined to worsen in 2026. APT groups learn from public disclosures and modify TTPs to avoid detection. The use of open-source tools and techniques common to multiple actors makes it increasingly difficult to distinguish separate campaigns or link activity to the right threat actor. For organizations that need to defend themselves, this means they cannot rely solely on indicators of compromise or group-specific threat intelligence, but must build robust defenses against generic techniques and behaviors.

What this means for us
It's easy to read reports like ESET's and feel overwhelmed by the vastness and sophistication of the threats. But a more productive approach is to ask: who wins and who loses from these dynamics? And what can we concretely do to navigate this landscape?
European companies find themselves in a delicate position. The report documents that non-Ukrainian targets hit by Russian groups often show strategic or operational ties to Ukraine. This means that companies in Italy, Germany, France, or other EU countries that have commercial partnerships, joint projects, or simply supply relationships with Ukrainian entities could find themselves in the crosshairs not for what they are but for whom they know. It's a risk calculation that many CFOs and CISOs are probably not yet making systematically. Should they?
Strategic sectors continue to be the most exposed. Defense, energy, cryptocurrency, technology, healthcare, transport: if your organization operates in one of these areas, the threat level is structurally higher. It's not paranoia, it's a statistical reality documented by years of APT activity. This should translate into proportional security budgets, not the hope of being too small to be noticed. ESET telemetry shows that state actors do not distinguish between multinationals and small companies if the latter have access to strategically valuable information or systems.
The gap between detection and attribution raises an important organizational question: how much does it matter to know who attacked you? For intelligence agencies, a great deal. For a CISO who must protect the company's infrastructure, perhaps less than one might think. Knowing whether the attacker is Gamaredon or Lazarus is academically interesting, but the practical mitigations are often the same: network segmentation, least privilege, strong authentication, anomaly monitoring, offline backups, incident response drills. Perhaps the true value of ESET reports is not in the precise attribution but in documenting techniques, patterns, and in validating that certain attacks are real and not theoretical hypotheses.
There is also a broader geopolitical dimension worth considering. The concentration of cyber activities on the US-China competition, the war in Ukraine, the confrontation with Iran, is not accidental. We live in an era of great power rivalry that manifests itself as much in the digital space as in the physical one. For smaller countries or multinational companies operating globally, this creates a minefield where neutrality is difficult to maintain. Every strategic decision, every partnership, every market entry carries with it cyber implications that need to be evaluated.
The role of threat intelligence firms like ESET becomes increasingly crucial in this context. Not only because they provide detection and protection tools, but because they create the shared knowledge base that allows the security community to understand and respond to threats. Every zero-day identified and responsibly disclosed, every new malware analyzed and documented, every TTP mapped contributes to the collective defense. It is an ecosystem that works on transparency and sharing, values that are not a given in a sector where many companies prefer to remain silent about incidents for fear of reputational damage.
Finally, a reflection on what we don't know. The ESET report covers six months and documents dozens of campaigns. But how many escaped the telemetry? How many APT groups operate under the radar, not yet identified or tracked? How many operations are so well executed that they leave insufficient traces for analysis? Cyber intelligence, like any form of intelligence, suffers from the problem of known unknowns versus unknown unknowns. We can prepare for threats we know and understand, but how do we defend against those we have not yet discovered?
The pragmatic answer is to build resilience, not just protection. Assume that breaches are inevitable and design systems that can continue to operate even when compromised. This requires a change in mindset: from "how do I prevent the attack" to "how do I limit the damage when the attack succeeds." It is the difference between building ever-higher walls and accepting that someone might climb them, and therefore preparing plans to contain, isolate, and respond quickly.
The ESET report for the second and third quarters of 2025 is not just a catalog of threats. It is a mirror that reflects the tensions of our time, translated into spearphishing campaigns, zero-day exploits, and silent backdoors. It shows us a world where war is fought not only with kinetic weapons but with lines of code, where intelligence agencies mobilize entire cyber units for objectives ranging from the theft of intellectual property to the disruption of critical infrastructure, where the line between cybercrime and cyberespionage becomes increasingly blurred.
In 2026, these trends will likely intensify. AI will make attacks more scalable and sophisticated. Collaborations between APT groups may become more common. Strategic sectors will see increasing pressure. Zero-days will circulate faster among adversaries. Identity will become the new perimeter to defend. But knowing this in advance is already an advantage. As the old saying goes: forewarned is forearmed. The rest depends on how seriously we take the warning.