“intensified destructive activity,” ESET warned — a phrase the firm used to describe a spike in wiper attacks tied to Russia even as other nation‑state actors exploited the Middle East conflict to expand espionage and influence operations.
Chinese-aligned groups probe Gulf maritime and energy firms
Cybersecurity researchers at ESET reported on May 28 that hacking groups linked to China have moved to exploit the war in the Middle East by attempting to compromise maritime and energy companies in the region. According to the ESET APT Activity Report, nation-state backed APT groups were ‘‘actively targeting geopolitical hotpots, especially the Gulf region,’’ following US military operations against Iran. ESET said these operations were intended to improve Beijing’s visibility into maritime, energy and political developments in the region.
Probing Syria and reconstruction-linked targets: SteppeDriver
China-linked activity was not limited to Gulf energy firms. ESET flagged operations against Syria, noting that the group SteppeDriver targeted Syrian government networks. Researchers connected that activity to Chinese commercial interest in Syria’s reconstruction projects and to security concerns relating to Uyghur fighters present in Syria, tying espionage objectives to both economic and political priorities described in the report.
Central and South America operations: FamousSparrow and UNC5221
During the report’s coverage period — October 2025 to March 2026 — ESET said Chinese espionage groups also focused on Central and South America. Notably, China‑aligned APT FamousSparrow targeted a Venezuelan governmental entity connected to maritime affairs. ESET researchers stated the likely aim was to monitor the resilience of oil shipments to Venezuela following the US military strike in January. Separately, the China‑linked group UNC5221 ran a malware campaign that hit entities in Cambodia and Panama and also targeted an AI and robotics company in South Korea.
Technology theft tied to industrial policy: Made in China 2025
ESET highlighted the South Korea intrusion as consistent with priorities Beijing has set for strategic technologies. The researchers linked the attempted espionage against an AI and robotics company to the Chinese Communist Party’s interests under the ‘‘Made in China 2025’’ industrial development policy, framing that operation as aligned with long‑term technological and commercial goals.
Russian destructive operations and continued focus on Ukraine
The report described a parallel picture of sustained Russian activity. ESET said Russia‑aligned threat actors continued to focus on Ukraine, particularly on organizations and individuals connected to the military and defense sectors. The researchers observed heavy targeting of drone manufacturers and organizations involved in drone research and development, and attacks against logistics and transportation companies outside Ukraine ‘‘in an effort to disrupt Ukrainian defensive efforts against the Russian invasion.’’
ESET also emphasized what it called ‘‘intensified destructive activity’’ by Sandworm, the unit linked to Russia’s military intelligence service, which deployed wiper malware against infrastructure and services in Ukraine. The firm additionally noted that it had previously attributed an attack against the Polish energy sector in December 2025 to Sandworm activity.
Iranian-aligned activity falls while proxies and hacktivists rise
On the Iranian side, ESET reported a decline in activity by established Iran‑aligned APT groups. The researchers attributed much of that decline to internet restrictions placed on the Iranian population by the Iranian regime, which hindered the operational capabilities of established hacking groups. At the same time, ESET observed a spike in activity by proxy groups and hacktivists that appear to support Iranian interests. Those campaigns have targeted nations viewed as hostile to the regime, including the US and Israel. In the Middle East, ESET said Israel remained the principal focus of Iran‑aligned and Iran‑linked activities, with targets ranging from organizations subject to espionage intrusions to device manufacturers hit by destructive tooling.
What this means for maritime operators, AI/robotics firms, and energy officials
- Maritime operators and officials in Venezuela and the Gulf should regard espionage of maritime-affairs entities as part of a wider intelligence push, given ESET’s finding that FamousSparrow and other groups sought visibility into oil shipment resilience after January’s US strike.
- AI and robotics companies should note ESET’s link between the UNC5221 intrusion and the ‘‘Made in China 2025’’ policy, which the report identifies as a motivating framework for targeted technology espionage.
- Energy-sector officials and operators in Europe and Ukraine should take seriously ESET’s attribution of destructive wiper activity to Sandworm, and the firm’s previous linkage of a December 2025 attack on the Polish energy sector to that same unit.
The ESET report sketches a global pattern: Chinese‑linked espionage sharpening its focus where geopolitical instability offers commercial and political returns, Russian actors leaning into destructive cyberwarfare tied to military objectives, and Iran‑linked activity shifting from established APTs to proxies and hacktivists as domestic internet controls bite. Each thread is grounded in the actors and incidents ESET documented between October 2025 and March 2026 — and together they underline how kinetic conflict and state policy are reshaping cyberspace into a theater of competing economic and security intelligence collection.




