The NSFOCUS Fuying Laboratory’s global threat hunting system identified 19 sophisticated Advanced Persistent Threat (APT) attack campaigns, predominantly targeting regions across South Asia, East Asia, Eastern Europe, and South America.
These incursions highlighted a continuation of targeted cyber espionage and sabotage activities, primarily focusing on government agencies, critical infrastructure, and prominent industry sectors through a combination of spear phishing emails, vulnerability exploitation, and watering hole attacks.
The South Asian region experienced heightened APT activity, spearheaded by notorious groups such as Bitter, Patchwork, and Sidewinder.
Their campaigns largely focused on government entities and defense sectors in countries like India, Sri Lanka, and Pakistan.
A hallmark of these attacks was the extensive use of spear phishing emails, comprising approximately 79% of total observed incidents globally.
One notable example involved the Bitter group’s sophisticated spear phishing document tailored to Pakistan’s Ministry of Defense.
This document masqueraded as an official invitation from the German government for a United Nations peacekeeping conference, exemplifying the precision social engineering tactics employed to lure unsuspecting victims.
In East Asia, known APT actors, including the infamous Lazarus group, intensified their operations targeting government agencies, financial institutions, and research organizations.
The Lazarus group notably exploited a file upload vulnerability on a Korean web server, enabling them to deploy subsequent malicious payloads stealthily.
Spear phishing again emerged as a principal intrusion vector, with attackers leveraging culturally relevant lures such as files disguised as Korean military magazines, a technique typical of the APT37 group’s modus operandi.
These carefully crafted baiting techniques demonstrate a deep understanding of the targeted environment and reinforce the persistent threat to corporate and governmental digital assets in the region.
In Eastern Europe, APT campaigns exhibited a shift towards targeting messaging platforms, most notably Signal Messenger users within Ukraine.
Attackers employed deceptive tactics, including fake group invitations and counterfeit security alerts, complemented by the use of malicious QR codes.
These QR codes tricked victims into linking their Signal accounts to attacker-controlled devices without detection, illustrating an advanced and subtle approach to compromising user communications in conflict zones.
Meanwhile, South America witnessed continued activity from the BlindEagle group, targeting Colombian government and judicial institutions by exploiting a variant of the CVE-2024-43451 vulnerability.
This zero-day flaw affects the handling of .url (network shortcut) files in Windows systems, enabling attackers to intercept SMB protocol connections and capture NTLMv2 hashes.
Through this mechanism, attackers can impersonate users and escalate privileges, thereby gaining unauthorized access to sensitive government networks.
The BlindEagle campaigns underscore the evolving exploitation of legacy vulnerabilities in critical infrastructure and judicial bodies in the region.
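The NTLM leak described above works because a .url file is a plain INI-style text file whose URL, IconFile and WorkingDirectory entries can name a remote UNC or file:// location that Windows may contact automatically. The following Python scanner is an added example for defenders and is not part of the NSFOCUS report or of any vendor tooling; it parses .url content and flags entries that point at a remote host. The set of keys checked and the two sample files (using the reserved 192.0.2.0/24 documentation range) are constructed assumptions, not an exhaustive description of the format.

```python
import configparser
import re
from urllib.parse import urlparse

# .url fields that Windows resolves to a file-system or network path
# (assumed list for this example; extend it for your own environment).
PATH_KEYS = {"url", "iconfile", "workingdirectory"}

# Matches a UNC path such as \\host\share\file and captures "host".
UNC_RE = re.compile(r"^\\\\([^\\/]+)(?:[\\/]|$)")


def remote_host(value):
    """Return the remote host a .url field value would make Windows contact, or None."""
    v = value.strip()
    m = UNC_RE.match(v)
    if m:
        return m.group(1)
    if v.startswith("//"):                      # forward-slash UNC form
        head = v[2:].split("/", 1)[0]
        return head or None
    parsed = urlparse(v)
    if parsed.scheme.lower() == "file" and parsed.netloc:
        return parsed.netloc                    # file://host/share/...
    return None


def scan_url_file(text):
    """Parse .url file content and return [(key, host)] for entries naming a remote host."""
    parser = configparser.ConfigParser(
        interpolation=None,      # .url values may legitimately contain '%'
        strict=False,            # tolerate duplicate keys in sloppy files
        allow_no_value=True,     # tolerate lines without '='
        delimiters=("=",),       # ':' appears inside URLs, so it is not a delimiter
    )
    parser.optionxform = str     # keep the original key case for reporting
    parser.read_string(text)

    findings = []
    for section_name in parser.sections():
        if section_name.lower() != "internetshortcut":
            continue
        for key, value in parser[section_name].items():
            if value is None or key.lower() not in PATH_KEYS:
                continue
            host = remote_host(value)
            if host:
                findings.append((key, host))
    return findings


# Constructed sample: an ordinary shortcut to a website; should produce no findings.
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://example.com/
IconIndex=0
"""

# Constructed sample: the icon is fetched from a remote UNC share, which is the
# kind of entry that triggers an outbound SMB connection and an NTLM exchange.
SUSPICIOUS_URL_FILE = """[InternetShortcut]
URL=https://example.com/
IconFile=\\\\192.0.2.10\\share\\icon.ico
IconIndex=1
"""

if __name__ == "__main__":
    for name, content in (("benign", BENIGN_URL_FILE), ("suspicious", SUSPICIOUS_URL_FILE)):
        print(name, scan_url_file(content))
```

Running the block prints an empty list for the benign file and `[('IconFile', '192.0.2.10')]` for the constructed suspicious one. In practice the scanner would be run over mail attachments or archive contents before delivery, and any hit pointing outside the organisation's own address space is worth quarantining; blocking outbound SMB (TCP 445) at the perimeter removes the leak path regardless of which key carries the reference.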
Among the prominent global incidents, Kaspersky Technologies disclosed the “Operation ForumTroll” attack, which leveraged a zero-day sandbox escape vulnerability (CVE-2025-2783) in Google Chrome.
This exploit allowed attackers to bypass Chrome’s sandbox protections and execute malicious code directly on victim machines running Windows.
Although the responsible APT group remains unidentified, the attack targeted Russian research institutions, showcasing the ongoing risks posed by browser zero-day vulnerabilities.
Concurrently, Lazarus employed a novel “ClickFake Interview” social engineering campaign targeting cryptocurrency professionals worldwide.
In this operation, the threat actors impersonated recruiters and sent fraudulent interview invitations via social media platforms.
The fabricated process required victims to engage with a fake interview website, provide personal information, and attempt to activate webcams under the pretense of interview preparation.
This turned out to be a ruse, as victims encountered error messages while attackers gathered intelligence and maintained persistence.
According to the report, this campaign highlights the adaptability of APT groups in blending technical exploits with human-centric deception to infiltrate high-value targets in emerging industries.
Overall, the March 2025 APT landscape as observed by NSFOCUS reveals a multifaceted threat environment where spear phishing remains the predominant intrusion vector, complemented by targeted exploitation of vulnerabilities and innovative social engineering techniques.
The focus on government entities, defense sectors, and critical industries across Asia and beyond signals an urgent need for enhanced cybersecurity posture, including vigilant threat intelligence sharing, robust email security, and proactive vulnerability management to mitigate evolving APT risks.