The global map of cyber espionage changed significantly over the past six months. Distinct threat actors pursued divergent tactical objectives during this period. Some groups monitored oil reserves, maritime routes, and defense innovations, while others targeted energy grids, cryptocurrency platforms, and software supply chains.
The ESET Telemetry Brief
ESET has published a threat intelligence report documenting these activities. The brief covers the fourth quarter of 2025 and the first quarter of 2026, and the underlying data was compiled by Jean-Ian Boutin of ESET Research. The document analyzes prominent campaigns tracked between October 2025 and March 2026.
Global Operations of Chinese Threat Actors
Chinese-aligned groups maintained an aggressive operational presence across the globe. FamousSparrow, for example, targeted a Venezuelan state entity tied to the maritime sector; this campaign likely monitored oil supply stability following a recent US military intervention. Separately, SteppeDriver compromised a Syrian government network, an intrusion analysts attribute to Beijing's strategic interest in Syrian reconstruction and regional security.
Emerging Malware and Varied Targets
ESET also discovered PhiliKit, a novel malware module within the SPAWN framework. Security teams link this component to UNC5221 and to recent exploitation of Ivanti VPN appliances. In addition, the NegativeGlimmer collective breached government organizations in Cambodia and Panama, and subsequently infiltrated a South Korean artificial intelligence and robotics firm.
Geopolitical Friction and Middle Eastern Shifts
The Iranian cyber landscape shifted dramatically following the outbreak of hostilities in late February 2026. ESET initially detected a sharp decline in activity from established Iranian APT groups, a reduction that likely stems from severe domestic internet restrictions within Iran. Proxy networks and state-sponsored hacktivists, however, quickly filled the operational vacuum, launching aggressive campaigns against Israel, the United States, and other perceived adversaries.
North Korean Focus on Financial and Supply Chain Targets
North Korean operators continued targeting software developers and the global cryptocurrency sector. Lazarus and DeceptiveDevelopment favored prolonged, intricate social engineering campaigns, whereas Kimsuky and Konni relied primarily on swift, highly localized spear-phishing operations. Andariel re-emerged in South Korea with updated tooling, deploying TigerRAT and attempting to distribute Rook ransomware within an engineering firm.
Operation DreamJob and Software Infiltration
ESET documented two prominent North Korean initiatives: Operation DreamJob and Operation DangerousPassword. The first campaign targeted European drone manufacturers to harvest aerospace intelligence. The second resulted in the compromise of the JavaScript axios library, a popular open-source utility with more than 100 million weekly downloads on the npm registry. The adversaries hijacked a senior maintainer's account and used it to publish poisoned versions of the package.
Secondary Incursions and Strategic Realities
The report also details an intricate phishing campaign targeting a prominent Japanese think tank. Analysts identified the Asin Android spyware strain, tailored specifically to Arabic-speaking users. Finally, an intrusion compromised an Emirati defense enterprise via a vulnerable SmartOffice CRM server.
Modern cyber operations no longer exist as isolated computer network incidents. They directly reflect real-world kinetic conflicts, commercial interests, and geopolitical maneuvering. Contemporary defenders must therefore protect more than standalone enterprise servers: security teams must also safeguard the digital fabric connecting nations, commerce, and international technology.