ESET links China-aligned hacks to oil, Syria & tech
Tue, 2nd Jun 2026
ESET has published a report on nation-state-aligned cyber activity between October 2025 and March 2026, identifying sustained operations by China-aligned groups against targets in Venezuela, Syria, South Korea and the Gulf.
Chinese threat actors remained active across maritime, energy, government and advanced technology targets during the period. ESET linked that activity to areas where Beijing has economic and security interests, including oil shipments, Syrian reconstruction and strategic industries in Asia.
One of the most prominent incidents involved FamousSparrow, a China-aligned group that targeted a Venezuelan government entity connected to maritime affairs. ESET assessed the intrusion was likely intended to monitor the resilience of oil shipments after the US military operation in Venezuela.
Another China-aligned group, SteppeDriver, targeted a Syrian government network. The report said the activity may reflect Chinese commercial interest in reconstruction work in Syria, as well as security concerns linked to Uyghur fighters in the country.
Researchers also tracked the China-aligned group UNC5221 targeting government entities in Cambodia and Panama, along with an AI and robotics company in South Korea. ESET said the South Korean target aligns with Beijing's long-running interest in strategic technologies under its Made in China 2025 industrial policy.

Regional focus
The report outlines a broader spread of cyber operations beyond Chinese activity. In the Middle East, Israel remained the main target for Iran-aligned and Iran-linked actors, while in Europe Russia-aligned groups continued to focus heavily on Ukraine and organisations linked to its defence sector.
"In Asia, the campaigns primarily focused on governmental organizations, strategic industries, and advanced technology sectors. In the Middle East, Israel remained the principal focus of Iran-aligned and Iran-linked activities, with targets ranging from organizations affected by espionage intrusions to device manufacturers hit by destructive tooling," said Jean-Ian Boutin, Director of Threat Research at ESET.
The conflict involving Iran during the period coincided with lower activity from established Iran-aligned groups in ESET's telemetry, which the company attributed in part to internet restrictions inside the country. At the same time, it observed increased activity by proxy and hacktivist actors targeting Israel, the United States and other states viewed as hostile to Tehran.
Researchers identified two unattributed clusters, Rusty Boots and MoKhargosh, that targeted Israel and showed both espionage and destructive intent. The operations included use of a bootkit-style wiper, while other destructive tools were held back for later deployment.
The report also described a compromise at a defence company in the United Arab Emirates and a separate campaign using Android spyware against Arabic-speaking users. ESET said that operation may have targeted journalists or open-source intelligence practitioners, based on the apparent branding of an attacker-controlled Telegram channel.
North Korea and Russia
North Korea-aligned groups remained active on several fronts, according to the report. Multiple actors continued to target developers and the cryptocurrency sector through social engineering schemes that can generate both direct financial returns and openings for software supply-chain attacks.
ESET also documented renewed activity by the Andariel group in South Korea. In that case, the group deployed TigerRAT and attempted to spread Rook ransomware within an engineering company that appears to manufacture equipment relevant to liquid hydrogen handling and the nuclear power industry.
Russia-aligned operators, meanwhile, continued to centre their efforts on Ukraine. ESET said the group Sednit deployed Covenant and BeardShell implants against Ukrainian military personnel, drone manufacturers and organisations involved in drone research and development, while also targeting logistics and transport companies outside Ukraine.
Sandworm, another Russia-aligned group, increased destructive activity over the winter, according to the report. ESET attributed a data destruction incident affecting a Polish energy company to Sandworm with medium confidence and said the group used several new wipers against government and private sector targets in Ukraine.
Wider implications
The findings add to growing evidence that cyber espionage and disruptive operations are closely tracking geopolitical flashpoints, from energy supply routes in Latin America to military and industrial supply chains in Eastern Europe and Asia. They also suggest that commercial targets in sectors such as robotics, hydrogen and drone development are increasingly exposed when they overlap with national strategic priorities.
ESET said its analysis was based mainly on its own telemetry and research into advanced persistent threat groups. It framed the report as intelligence for organisations responsible for protecting citizens, critical national infrastructure and other high-value assets from criminal and state-directed cyberattacks.
During the six-month period covered by the report, activity ranged from espionage against government networks to attempts to destroy data and spread ransomware inside industrial environments. The pattern it outlines shows threat actors following conflict zones, supply chains and sensitive technologies, with little sign of the pressure easing.