Cyberwire Daily

Chinese Hackers Exploit Iran War to Target Maritime and Energy Firms

By Team-CWD, May 29, 2026

Hacking groups linked to China have exploited the war in the Middle East in attempts to compromise maritime and energy companies in the region, cybersecurity researchers at ESET have warned.

Published on May 28, the latest ESET APT Activity Report warned that nation-state-backed APT groups are actively targeting geopolitical hotspots, especially the Gulf region, following US military operations against Iran.

Chinese espionage and hacking operations also continue to target organizations around the world, in line with Beijing’s interests.

This included targeting of government organizations in Central America and an attempted espionage campaign against an AI and robotics company in South Korea.

ESET noted that the latter aligns with the Chinese Communist Party’s (CCP) interest in strategic technologies prioritized under its ‘Made in China 2025’ industrial development policy.

Hacks in Line With China’s Economic Interests 

China has actively attempted to exploit instability in the Middle East, and ESET said that it has seen evidence that China-aligned groups were being mobilized to improve Beijing’s visibility into maritime, energy and political developments in the region.

The report noted that China’s interest in the Middle East wasn’t limited to the Gulf, but that cyber operations have also actively targeted Syria. SteppeDriver, a China-linked APT group, has targeted Syrian government networks.

ESET researchers suggest that this activity is linked to Chinese commercial interest in Syria’s reconstruction projects, as well as Beijing’s security concerns surrounding Uyghur fighters present in Syria.

The report also noted that during the coverage period of October 2025 to March 2026, Chinese espionage and hacking groups took a significant interest in Central and South America.

This included an operation by China-aligned APT FamousSparrow, which targeted a Venezuelan governmental entity connected to maritime affairs. Researchers noted that the aim of this activity was likely to monitor the resilience of oil shipments to the country following the US military strike in January.

Other activity in the region included a malware campaign by China-aligned group UNC5221, which targeted entities in Cambodia and Panama. It was also UNC5221 which targeted the AI and robotics company in South Korea.

Russian Hacking Campaigns

According to ESET, Russia-aligned threat actors continued to focus their activity on Ukraine, especially against organizations and individuals connected to the military and defense.

Russian APT groups also heavily targeted drone manufacturers, and organizations involved in drone research and development. They also directed cyber-attacks against logistics and transportation companies outside Ukraine in an effort to disrupt Ukrainian defensive efforts against the Russian invasion.

The period also saw what ESET described as “intensified destructive activity” by Sandworm, the cyberwarfare unit linked to Russia’s military intelligence service, which deployed wiper malware against infrastructure and services in Ukraine.

ESET has also previously attributed an attack against the Polish energy sector in December 2025 to Sandworm activity.

Iranian APT Activity

ESET noted that the US war against Iran has coincided with a decline in activity by established Iran-aligned APT groups, likely linked to restrictions on internet usage placed on the population by the Iranian regime. The internet outage has hindered the ability of Iranian hacking groups to operate effectively.

However, the report also noted that there has been a spike in activity by proxy groups and hacktivist operations, which appear to support Iranian interests by targeting nations viewed as hostile to the regime, including the US and Israel.

In the Middle East, Israel remained the principal focus of Iran-aligned and Iran-linked activities. Targets range from organizations affected by espionage intrusions to device manufacturers hit by destructive tooling. 


