ESET APT Activity Report Q4 2023 – Q1 2024



An overview of the activities of selected APT groups researched and analyzed by ESET Research in Q4 2023 and Q1 2024


The ESET APT Activity Report Q4 2023 – Q1 2024 summarizes notable activities of selected advanced persistent threat (APT) groups documented by ESET researchers from October 2023 to the end of March 2024. The highlighted operations are representative of the broader threat landscape we examined during this period, illustrating key trends and developments, and represent only a fraction of the cybersecurity intelligence provided to customers through ESET's private APT reports.

In the monitored time frame, several China-aligned threat actors exploited vulnerabilities in public-facing appliances, such as VPNs and firewalls, and in server software, such as Confluence and Microsoft Exchange Server, to gain initial access to targets across multiple industries. Based on the I-SOON (Anxun) data leak, we can confirm that this Chinese contractor is indeed engaged in cyberespionage; we track some of the company's activities under the FishMonger group. In this report, we also introduce a new China-aligned APT group, CeranaKeeper, which is distinguished by unique features yet potentially shares a digital quartermaster with the Mustang Panda group.

Following the Hamas-led attack on Israel in October 2023, we observed a significant increase in the activity of Iran-aligned threat groups. Specifically, MuddyWater and Agrius shifted from their previous focus on cyberespionage and ransomware, respectively, to more aggressive strategies involving access brokering and impact attacks. Meanwhile, OilRig and Ballistic Bobcat saw a decline in activity, signaling a strategic shift toward more high-profile, "louder" operations aimed at Israel. North Korea-aligned groups continued to target aerospace and defense companies and the cryptocurrency industry, honing their craft by launching supply-chain attacks, developing trojanized software installers and new malware strains, and exploiting software vulnerabilities.


Russia-linked groups have focused their activities on espionage within the European Union and attacks on Ukraine. In addition, the Operation Texonto campaign, a disinformation and psychological operation (PSYOP) discovered by ESET researchers, has spread false information about Russian election-related protests and the situation in Kharkiv, Ukraine, fueling insecurity among Ukrainians at home and abroad.

We also highlight a campaign in the Middle East run by SturgeonPhisher, a group that we believe is aligned with the interests of Kazakhstan. We further discuss a watering-hole attack on a regional news website covering Gilgit-Baltistan, a disputed region administered by Pakistan, and finally we describe the exploitation of a zero-day vulnerability in the Roundcube webmail software by Winter Vivern, a group we believe is aligned with the interests of Belarus.

Malicious activities described in the ESET APT activity report Q4 2023 – Q1 2024 are detected by ESET products; shared intelligence is largely based on ESET’s proprietary telemetry data and has been verified by ESET researchers.

Figure 1. Target countries and sectors

Figure 2. Sources of attack

ESET APT Activity Reports contain only a fraction of the cybersecurity information data offered in ESET APT Reports PREMIUM. For more information, visit the ESET Threat Intelligence website.

Follow ESET Research on X for regular updates on key trends and threats.
