ESET Expert

ESET APT Activity Report Q2–Q3 2023

An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q2 and Q3 2023

ESET APT Activity Report Q2–Q3 2023 summarizes the activities of selected advanced persistent threat (APT) groups that were observed, investigated, and analyzed by ESET researchers from April 2023 until the end of September 2023. In the monitored timespan, we observed a notable strategy: APT groups exploiting known vulnerabilities to exfiltrate data from governmental entities or related organizations.

Russia-aligned Sednit and Sandworm, North Korea-aligned Konni, and geographically unattributed Winter Vivern and SturgeonPhisher seized the opportunity to exploit vulnerabilities in WinRAR (Sednit, SturgeonPhisher, and Konni), Roundcube (Sednit and Winter Vivern), Zimbra (Winter Vivern), and Outlook for Windows (Sednit) to target various governmental organizations in Ukraine, Europe, and Central Asia. Regarding China-aligned threat actors, GALLIUM probably exploited weaknesses in Microsoft Exchange servers or IIS servers, extending its targeting from telecommunications operators to government organizations around the world; MirrorFace probably exploited vulnerabilities in the Proself online storage service; and TA410 probably exploited flaws in the Adobe ColdFusion application server.

Iran- and Middle East-aligned groups continued to operate at high volume, primarily focusing on espionage and data theft from organizations in Israel. Notably, Iran-aligned MuddyWater also targeted an unidentified entity in Saudi Arabia, deploying a payload that suggests the possibility of this threat actor serving as an access development team for a more advanced group.

The prime target of Russia-aligned groups remained Ukraine, where we discovered new versions of the known wipers RoarBat and NikoWiper, and a new wiper we named SharpNikoWiper, all deployed by Sandworm. Interestingly, while other groups – such as Gamaredon, GREF, and SturgeonPhisher – target Telegram users to try to exfiltrate information or at least some Telegram-related metadata, Sandworm actively uses this service for active measure purposes, advertising its cybersabotage operations. However, the most active group in Ukraine continued to be Gamaredon, which significantly enhanced its data-collecting capabilities by redeveloping existing tools and deploying new ones.

North Korea-aligned groups continued to focus on Japan, South Korea, and South Korea-focused entities, employing carefully crafted spearphishing emails. The most active Lazarus scheme observed was Operation DreamJob, luring targets with fake job offers for lucrative positions. This group consistently demonstrated its capability to create malware for all major desktop platforms. Finally, our researchers uncovered the operations of three previously unidentified China-aligned groups: DigitalRecyclers, repeatedly compromising a governmental organization in the EU; TheWizards, conducting adversary-in-the-middle attacks; and PerplexedGoblin, targeting another government organization in the EU.

Malicious activities described in ESET APT Activity Report Q2–Q3 2023 are detected by ESET products; shared intelligence is based mostly on proprietary ESET telemetry data and has been verified by ESET researchers.

Countries, regions, and verticals affected by the APT groups described in this report include:

Targeted countries and regions

Central Asia

European Union

French Polynesia

Hong Kong

Saudi Arabia

South Korea

Türkiye (aka Turkey)

United Arab Emirates

United States

Uyghurs and other Turkic ethnic minorities

Targeted business verticals

Gambling companies and their customers

Governmental organizations and entities

Hosting providers

Industrial networks

IT companies

Local governments and institutions

Media organizations

Political entities

Private companies

Scholars and journalists specializing in North Korea

Research institutes

Telecommunication operators

