ESET specialists focus on Sandworm’s new knowledge wiper, relentless campaigns by UnsolicitedBooker, attribution challenges amid tool-sharing, and different key findings from the most recent APT Exercise Report
01 Jul 2025
•
,
2 min. learn
Within the newest episode of the ESET Analysis Podcast, ESET Distinguished Researcher Aryeh Goretsky is joined by ESET Safety Consciousness Specialist Rene Holt to dissect the important thing findings from ESET’s APT Exercise Report.
The primary actor that steps into the limelight is UnsolicitedBooker, a China-aligned APT group that has demonstrated a degree of persistence that actually places the “P” in APT. This group focused the identical group 3 times over a number of years, making an attempt to deploy its signature backdoor, MarsSnake. This instance highlights the relentless focus of sure teams that can cease at nothing to attain their goals.
The dialog then shifts to the challenges of attribution, notably with the rising pattern of tool-sharing, primarily amongst China-aligned actors equivalent to Worok. Their tactic is to muddy the waters by utilizing overlapping toolsets sourced from digital quartermasters, intertwining their actions with these of different teams equivalent to LuckyMouse and TA428.
Turning to Russia-aligned actors, the dialogue focuses on teams like Sednit, Gamaredon, and Sandworm. Sednit’s newest exercise revolves round Operation RoundPress, which initially focused the favored webmail service Roundcube however has not too long ago expanded to different platforms equivalent to Horde, MDaemon, and Zimbra. Sednit has been utilizing focused emails, exploiting flaws in these providers, and using cross-site scripting to assault protection corporations situated in Bulgaria and Ukraine.
Gamaredon stays one of the vital lively APTs in Ukraine, continually tweaking its obfuscation strategies to remain forward of detection. In the meantime, Sandworm has intensified its use of data-wiping malware, deploying a brand new wiper known as ZEROLOT a number of instances prior to now six months. This wiper operates with surgical precision, erasing particular information and directories with out instantly taking down all the system—an strategy that ensures the malware can full its damaging mission.
Aryeh and Rene additionally delve into the actions of North Korea-aligned and Iran-aligned teams. If you happen to’re eager about extra particulars, make sure to take heed to this episode of the ESET Analysis Podcast or obtain the most recent ESET APT Exercise Report.
Mentioned matters:
UnsolicitedBooker (MarsSnake) 1:45
Worok (and its digital quartermasters) 4:50
Sednit (Operation RoundCube) 9:55
Gamaredon 13:55
Sandworm (ZEROLOT wiper) 16:15
DeceptiveDevelopment (WeaselStore, ClickFix) 24:10
MuddyWater vs Lyceum 29:40
