Recent APT campaigns hit oil shipments, drone makers, poisoned code library

Geopolitical tensions directly shaped state-sponsored cyber operations between October 2025 and March 2026, as detailed in ESET’s newest APT Activity Report. Espionage teams tied to China, North Korea, Russia, and Iran recalibrated their focus, hitting everything from oil shipments to drone manufacturers and even poisoning a widely used code library.

Chinese-linked groups, for instance, zeroed in on maritime logistics and energy supply chains, disrupting oil tanker operations and stealing sensitive routing data. North Korean actors, meanwhile, targeted defense contractors producing unmanned aerial vehicles, likely seeking blueprints or manufacturing secrets for their own weapons programs. Russian state hackers intensified attacks on critical infrastructure in Ukraine and NATO allies, while Iranian operatives expanded their reach into Israeli tech firms and Saudi energy assets.

A particularly alarming tactic involved supply chain compromise through a poisoned open-source library. The attackers inserted backdoors into a popular software dependency, affecting hundreds of downstream applications before detection. This incident underscores how APT groups increasingly exploit trust in shared code repositories to achieve widespread access.

ESET researchers noted that spear-phishing and zero-day exploits remained the primary initial access vectors, but the shift toward operational technology and industrial control systems marks a dangerous escalation. The report warns that as geopolitical conflicts persist, these campaigns will likely grow more aggressive, targeting the physical systems that underpin global trade and defense.