Overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q4 2022 and Q1 2023
ESET’s Q4 2022–Q1 2023 APT Activity Report summarizes selected advanced persistent threat group (APT) activity that ESET researchers observed, investigated, and analyzed from October 2022 to the end of March 2023. Attentive readers will note that a small portion of the report also mentions several events previously covered in the Q3 2022 APT Activity Report. This stems from our decision to release this report semi-annually, with the current issue covering Q4 2022 and Q1 2023, while future editions will cover Q2 and Q3 2023.
In the timeframe monitored, several China-aligned threat actors focused on European organizations: Ke3chang deployed a new Ketrican variant, and Mustang Panda used two new backdoors. MirrorFace targeted Japan and adopted a new malware delivery approach, while Operation ChattyGoblin endangered gambling companies in the Philippines by targeting their support agents. The India-aligned SideWinder Group and Donot Team continued to target government institutions in South Asia, with the former also targeting the education sector in China, and the latter continuing to develop the well-known yty framework while also using the commercially available Remcos RAT. Also in South Asia, we detected a large number of Zimbra webmail phishing attempts.
In the Middle East, the Iran-aligned MuddyWater group stopped using SimpleHelp to distribute its tools to victims during this period and turned to PowerShell scripts instead. In Israel, OilRig deployed a new custom backdoor, which we named Mango, along with the SC5k downloader, while POLONIUM used a modified CreepySnail.
North Korea-aligned groups such as ScarCruft, Andariel, and Kimsuky continued to focus on South Korean and South Korea-related entities using their usual tools. As well as targeting defense contractor employees in Poland with bogus Boeing-themed job offers, Lazarus also shifted its focus from its usual target vertical to data management companies in India, using an Accenture-themed lure. In addition, we identified Linux malware used in one of its campaigns. Russia-aligned APT groups remained very active in Ukraine and EU countries, with Sandworm spreading wipers (including one we are newly calling SwiftSlicer), and Gamaredon, Sednit, and the Dukes using spearphishing emails that, in the Dukes’ case, led to the execution of a Brute Ratel implant, a commercial red-team framework. Finally, we found that the previously mentioned Zimbra email platform was also being exploited by Winter Vivern, a group very active in Europe, and we noted a significant decrease in the activity of SturgeonPhisher, a group that targets government staff of Central Asian countries with spearphishing emails, leading us to believe that the group is currently retooling.
Malicious activity described in ESET APT Activity Reports Q4 2022–Q1 2023 was detected by ESET products; shared intelligence is largely based on proprietary ESET telemetry and has been verified by ESET Research.
The countries, regions, and verticals affected by the APT groups described in this report include:
Targeted countries and regions: United States of America
Targeted business verticals: data management company
Follow ESET Research on Twitter for regular updates on top trends and top threats.