Introduction

Between late 2024 and early 2025, Russian-aligned hacking groups [7], notably Sednit, Gamaredon [1] [2] [3] [5] [6], and Sandworm, significantly increased their cyber activities [7], focusing primarily on Ukraine and European Union countries. This period saw a marked escalation in cyberattacks, particularly against critical infrastructure and governmental institutions [2] [3] [6].

Description

At the end of 2024 and the beginning of 2025 [7], Russian-aligned hacking groups [7], particularly Sednit [2] [3] [4] [5] [6], Gamaredon [1] [2] [3] [5] [6], and Sandworm, significantly escalated their malicious cyber activities [7], primarily targeting Ukraine and EU countries [2] [3] [5] [6]. During this period [6] [7], Ukraine experienced the highest volume of cyberattacks, aimed at its critical infrastructure and governmental institutions [2] [3] [6].

Gamaredon was the most active group [2] [5] [6]. Alongside its aggressive campaigns against Ukrainian targets, it improved its malware obfuscation techniques and introduced PteroBox [2] [3] [5] [6], a file stealer that uses Dropbox for data exfiltration [6].

Sandworm intensified its destructive operations against Ukrainian energy companies [1] [2] [3] [5] [6], deploying a new wiper named ZEROLOT that exploited Active Directory Group Policy [1] [2] [3] [5] [6].

Sednit refined its exploitation of cross-site scripting (XSS) vulnerabilities in webmail services [1] [2] [3] [5] [6], expanding Operation RoundPress to include Horde [1] [3] [5] [6], MDaemon [1] [2] [3] [5] [6], and Zimbra [1] [3] [5] [6]. It also successfully exploited a zero-day vulnerability in MDaemon Email Server (CVE-2024-11182) against Ukrainian firms [1] [2] [3] [6], and conducted spearphishing campaigns against defense companies in Bulgaria and Ukraine [2] [3] [6].

The RomCom group also demonstrated advanced capabilities, deploying zero-day exploits against Mozilla Firefox (CVE-2024-9680) and Microsoft Windows (CVE-2024-49039) [1] [2] [3] [5] [6]; all of these vulnerabilities were reported to their respective vendors [5].
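The summary above notes that the ZEROLOT wiper was delivered through Active Directory Group Policy, but gives no detail of the mechanism. The following is an added example, not code from the ESET report or from any of the cited articles, showing the kind of detection a defender would run over domain controller audit logs to surface Group Policy changes. It goes slightly beyond the page: it flags GPO creation, modification, deletion and link changes generally, not only the specific modification used in that campaign. It assumes that Directory Service Changes auditing is enabled on the domain controllers (producing Windows Security events 5137, 5136 and 5141) and that a SIEM export presents each event as a dict with the standard field names; the sample events, user names and GPO GUIDs below are constructed for illustration.

```python
"""Flag Group Policy Object (GPO) changes in Windows Directory Service audit events.

Added example (not from the ESET report or the summarised articles). Assumes
"Audit Directory Service Changes" is enabled on domain controllers, which logs:
  5137  A directory service object was created
  5136  A directory service object was modified
  5141  A directory service object was deleted
Events are assumed to arrive as dicts with the Windows field names
(EventID, TimeCreated, SubjectUserName, ObjectClass, ObjectDN, AttributeLDAPDisplayName).
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional, Set, Tuple

GPO_OBJECT_CLASS = "groupPolicyContainer"   # LDAP class of a GPO in CN=Policies
GPO_LINK_ATTRIBUTE = "gPLink"               # attribute on OU/domain that links GPOs
DS_CREATE, DS_MODIFY, DS_DELETE = 5137, 5136, 5141

# Constructed sample events (hypothetical domain corp.example, hypothetical users).
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2025-01-10T08:00:00", "SubjectUserName": "svc-backup",
     "ObjectClass": None, "ObjectDN": None, "AttributeLDAPDisplayName": None},
    # Routine edit of the Default Domain Policy by an allowlisted admin during the day.
    {"EventID": 5136, "TimeCreated": "2025-01-10T08:05:12", "SubjectUserName": "gpo-admin",
     "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "versionNumber"},
    # A brand-new GPO created at 02:13 by a non-admin account (constructed GUID).
    {"EventID": 5137, "TimeCreated": "2025-01-10T02:13:44", "SubjectUserName": "j.doe",
     "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={DEADBEEF-0000-4000-8000-000000000001},CN=Policies,CN=System,DC=corp,DC=example",
     "AttributeLDAPDisplayName": None},
    # Same account then links a policy to the Workstations OU (gPLink modified).
    {"EventID": 5136, "TimeCreated": "2025-01-10T02:14:05", "SubjectUserName": "j.doe",
     "ObjectClass": "organizationalUnit",
     "ObjectDN": "OU=Workstations,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "gPLink"},
]


@dataclass
class Finding:
    time: str
    actor: str
    kind: str            # gpo_created | gpo_modified | gpo_deleted | gpo_link_changed
    target: str          # distinguished name of the changed object
    severity: str        # "info" (expected admin change) or "high" (needs review)
    reasons: Tuple[str, ...]


def classify(event: dict) -> Optional[str]:
    """Map one audit event to a GPO change kind, or None if it is unrelated to GPOs."""
    eid = event.get("EventID")
    if event.get("ObjectClass") == GPO_OBJECT_CLASS:
        return {DS_CREATE: "gpo_created", DS_MODIFY: "gpo_modified",
                DS_DELETE: "gpo_deleted"}.get(eid)
    # Linking a GPO to an OU or the domain root shows up as a gPLink modification
    # on that container, not on the GPO object itself.
    if eid == DS_MODIFY and event.get("AttributeLDAPDisplayName") == GPO_LINK_ATTRIBUTE:
        return "gpo_link_changed"
    return None


def analyze_events(events: Iterable[dict], gpo_admins: Set[str],
                   business_hours: Tuple[int, int] = (7, 19)) -> List[Finding]:
    """Return a Finding for every GPO-related event; escalate unexpected actors or times."""
    start, end = business_hours
    findings: List[Finding] = []
    for ev in events:
        kind = classify(ev)
        if kind is None:
            continue
        actor = ev.get("SubjectUserName", "<unknown>")
        reasons = []
        if actor not in gpo_admins:
            reasons.append("actor is not an allowlisted GPO administrator")
        hour = datetime.fromisoformat(ev["TimeCreated"]).hour
        if not (start <= hour < end):
            reasons.append("change made outside the business-hours change window")
        findings.append(Finding(
            time=ev["TimeCreated"], actor=actor, kind=kind,
            target=ev.get("ObjectDN") or "<unknown>",
            severity="high" if reasons else "info", reasons=tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS, gpo_admins={"gpo-admin"}):
        print(f"[{f.severity}] {f.time} {f.actor} {f.kind} {f.target} {'; '.join(f.reasons)}")
```

Every GPO change is reported, even routine ones, because a new or re-linked policy reaches every host in scope at the next refresh; the allowlist and change-window checks only decide how loudly to alert, and in practice the allowlist would be fed from the organisation's change-management records rather than hard-coded.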

The ESET APT Activity Report for this period highlights the sustained operations of these advanced persistent threat (APT) groups, which are often affiliated with nation-states. Their objectives include espionage [4], data destruction [4], and financial gain [4], pursued with a diverse range of techniques that carry significant implications for security and risk management across sectors. The report underscores the intensified attacks by these APT groups between October 2024 and March 2025 [7], including the exploitation of zero-day vulnerabilities and the deployment of new wipers [7].

Conclusion

The escalation of cyber activities by Russian-aligned hacking groups during this period underscores the growing threat to national and regional security. The exploitation of zero-day vulnerabilities and the deployment of sophisticated malware highlight the need for stronger cybersecurity measures and international cooperation. Organizations must prioritize robust defense mechanisms and incident response strategies to mitigate potential impacts. The trend points to a continued evolution of cyber threats, requiring ongoing vigilance and adaptation in cybersecurity practices.

References

[1] https://www.globenewswire.com/news-release/2025/05/20/3085225/0/en/ESET-Research-APT-Report-Russian-cyberattacks-in-Ukraine-intensify-Sandworm-unleashes-new-destructive-wiper.html
[2] https://securitymea.com/2025/05/20/eset-research-apt-report-reveals-russian-cyberattacks-in-ukraine-intensify/
[3] https://markets.financialcontent.com/stocks/article/gnwcq-2025-5-20-eset-research-apt-report-russian-cyberattacks-in-ukraine-intensify-sandworm-unleashes-new-destructive-wiper
[4] https://www.welivesecurity.com/en/videos/who-where-how-apt-attacks-q4-2024-q1-2025/
[5] https://www.welivesecurity.com/en/eset-research/eset-apt-activity-report-q4-2024-q1-2025/
[6] https://www.eset.com/us/about/newsroom/research/eset-research-apt-report-russian-cyberattacks-in-ukraine-intensify-sandworm-unleashes-new-destructive-wiper/
[7] https://www.infosecurity-magazine.com/news/russian-apt-intensify-cyber/