Russian APT Groups Intensify Attacks in Europe with Zero-Day Exploits and Wipers

The end of 2024 and the start of 2025 marked a significant escalation in malicious cyber activity by Russian-aligned hacking groups, according to ESET. In its latest APT Activity Report Q4 2024–Q1 2025, ESET Research documented the activity of some of the major advanced persistent threat (APT) groups from China, North Korea, Iran, Russia and a few other countries between October 2024 and March 2025. The research team observed that Russian APT groups intensified attacks against Ukraine and the EU during this period, exploiting zero-day vulnerabilities and deploying new wipers.

China-aligned actors, responsible for the most APT campaigns (40.1%), continued their espionage campaigns, primarily targeting the EU government and the maritime sector. Meanwhile, North Korea-backed groups expanded their campaigns aimed at making money for the regime using fake job listings and social engineering. Iranian APT groups maintained their primary focus on the Middle East region, predominantly targeting governmental organizations and entities within the manufacturing and engineering sectors in Israel.

The report, published on May 19, is a snapshot of data available for ESET customers, collected through ESET products and shared intelligence verified by ESET researchers. At the Russian forefront, Fancy Bear, Gamaredon, and Sandworm continued their aggressive campaigns, primarily targeting Ukraine and EU countries. Ukraine faced the most intense cyber-attacks against its critical infrastructure and government institutions.

Gamaredon, a hacking unit believed to be affiliated with Russia's Federal Security Service (FSB), remained the most prolific actor targeting Ukraine. Notably, the group, also known as Primitive Bear, UNC530, and Aqua Blizzard, improved its malware obfuscation toolset and introduced PteroBox, a file stealer that leverages Dropbox. Fancy Bear (APT28), a group associated with the Russian military intelligence agency (GRU), refined its exploitation of cross-site scripting (XSS) vulnerabilities in webmail services, expanding its Operation RoundPress to include multiple email services.

The group, also known as Sednit, Pawn Storm, Forest Blizzard, and Sofacy Group, successfully leveraged a zero-day vulnerability in MDaemon Email Server (CVE-2024-11182) against Ukrainian companies. Sandworm (APT44), another group associated with the GRU, primarily concentrated on compromising Ukrainian energy infrastructure. The group, also known as Voodoo Bear, Iron Viking, Telebots, and Seashell Blizzard, leveraged weaknesses in Active Directory Group Policy to deploy ZEROLOT, a new wiper.

Other Russia-aligned groups, such as RomCom, demonstrated advanced capabilities by deploying zero-day exploits against prominent software, including Mozilla Firefox (CVE-2024-9680) and Microsoft Windows (CVE-2024-49039).

Other key takeaways from the report included:

Interestingly, ESET also observed that on February 28, 2025, a VHDX file containing a malicious shortcut and an encrypted downloader, which the firm referred to as RadialAgent, was uploaded to VirusTotal from Japan by APT-C-60, a cyber espionage group aligned with South Korea.

"The highlighted operations are representative of the broader threat landscape that we investigated during this period. They illustrate the key trends and development and contain only a small fraction of the cybersecurity intelligence data provided to customers of ESET APT reports," said Jean-Ian Boutin, the ESET Director of Threat Research.