NSFOCUS APT Monthly Briefing – April 2025
In April 2025, the global threat hunting system discovered 20 APT activities, mainly distributed across East Asia, South Asia, the Middle East and Eastern Europe. Spear-phishing email was the dominant technique (70%) and government agencies were the primary targets (55%). Kimsuky was active in East Asia, Sidewinder in South Asia and APT29 in Eastern Europe. Lazarus used watering-hole attacks against South Korean companies, and APT29 impersonated European foreign ministries in phishing campaigns.

2025-06-17 03:02:36 Author: securityboulevard.com

Regional APT Threat Situation

Overview

In April 2025, the global threat hunting system of Fuying Lab discovered a total of 20 APT attack activities. These activities are mainly distributed in East Asia, South Asia, the Middle East and Eastern Europe, as shown in the following figure.

In terms of group activity, the most active APT groups this month are Kimsuky and Konni in the East Asian direction, while other more active groups include Sidewinder in the South Asian direction.

The most popular intrusion method for this month’s events is the spear phishing email attack, which accounts for 70% of the total attack incidents. A few attack groups also used vulnerability exploitation and watering hole attacks for intrusion.

In April 2025, the primary targets of APT groups were government agencies, accounting for 55%, followed by organizations and individuals, which account for 15%. Other attack targets include national defense forces, research institutions, and financial institutions.

This month, APT activities in East Asia were mainly initiated by known APT groups, with victims including government agencies, financial institutions, and research institutions.

In terms of attack tactics, APT activities in East Asia this month mainly relied on spear phishing email, followed by vulnerability exploitation and watering hole attacks.

In terms of spear phishing, typical baits include a dialogue about the trilateral cooperation between the US, Australia, and New Zealand, used by Kimsuky. Baiting with topics relevant to the target of the attack is a common tactic of the group.

This month also saw the discovery of an incident in which the Lazarus group exploited vulnerabilities to attack six South Korean companies.

This month, APT activities in South Asia were mainly initiated by known APT groups, with victims including the government of Sri Lanka, the Pakistan Navy, and Chinese government agencies.

In terms of attack tactics, this month’s APT activities in South Asia were dominated by spear phishing email attacks. Typical baits include a decoy document named “Sri Lanka Customs National Imports Tariff Guide 2025.docx”, which is displayed as a Sri Lanka Customs Department document after execution. The subject of the decoy document is “National Import Tariff Guide.” Given the document’s title and content, we determined that the target was a Sri Lankan government department responsible for import and export trade management. Additionally, since the document appeared to be signed by Sri Lanka Customs, we concluded that the attacker specifically targeted the Sri Lankan Customs department in this incident.

This month also saw SideCopy’s spear phishing email attack against the Indian Army. The bait includes a PDF titled “Allegations of Misconduct Against Senior Army Officers”, with the subtitle “General Staff of the Indian Army Headquarters”. Baiting with topics relevant to the target of the attack is a common tactic of the group.

This month, APT activities in Eastern Europe were mainly initiated by known APT groups, targeting European governments and diplomats.

The Russian APT group APT29 impersonated European Ministries of Foreign Affairs, sending emails with malicious links. When clicked, these links download subsequent malicious files. The goal was to attack European governments and individuals associated with European diplomats.

Global Key APT Events

Event Name: Lazarus Launched SyncHole Attack on South Korean Companies
Related Groups: Lazarus
Region: East Asia
Attack Target: Korea
Attack Industry: Companies and institutions
Event Link: https://securelist.com/operation-synchole-watering-hole-attacks-by-lazarus/116326/

Event Name: APT29 Launched Spear-Phishing Attack on European Diplomats
Related Groups: APT29
Region: Eastern Europe
Attack Target: Europe
Attack Industry: Government diplomatic agencies
Event Link: https://securelist.com/operation-synchole-watering-hole-attacks-by-lazarus/116326/

Analysis of Key APT Events

1. Lazarus launched SyncHole attack on South Korean companies

The North Korean APT group Lazarus launched the “SyncHole” operation[1] between November 2024 and early 2025, targeting multiple industries in South Korea. The operation exploited both watering hole attacks and software vulnerabilities, compromising at least six South Korean organizations. It affected industries such as software, IT, finance, semiconductor manufacturing, and telecommunications in South Korea. Given the widespread use of the targeted software, the actual number of victim organizations could be even larger.

The intrusion process of Lazarus is divided into multiple phases. In the initial intrusion phase, the infection occurs when a user of the target system visits a specific Korean online media site. The attacker has already set up a malicious website disguised as a software vendor’s website. When a user visits the media site, a server-side script identifies the target user and redirects them to the malicious website. This malicious website exploits a potential vulnerability in the legitimate security software Cross EX and injects Lazarus’s custom Trojan, ThreatNeedle, into the legitimate SyncHost.exe process to complete the intrusion.

In the lateral movement phase, the Lazarus group exploited a 1-day vulnerability in another legitimate software product, the Innorix Agent, which is widely used for financial and administrative tasks in South Korea. The malware developed by the attackers leveraged this vulnerability to expand the scope of the attack by spoofing legitimate traffic and spreading malware to internal hosts.

Lazarus used two sets of attack payloads in this operation. The first set included the ThreatNeedle Trojan, the ThreatNeedle loader, and the modular Trojan wAgent. The second set comprised different versions of the SIGNBT Trojan and the COPPERHEDGE remote access Trojan.

Threat Group Card

Group Name: Lazarus
Appear Time: 2007
Attack Target: Australia, Bangladesh, Belgium, Brazil, Canada, Chile, China, Ecuador, France, Germany, Guatemala, Hong Kong, India, Israel, Japan, Mexico, the Netherlands, the Philippines, Poland, Russia, South Africa, South Korea, Taiwan, Thailand, the United Kingdom, the United States, Viet Nam, Italy, Finland
Attack Strategy: Spear phishing, SNS phishing, Watering hole attack, Public network device intrusion, Supply chain attack, Data erasure, Credential leakage exploitation, ClickFix
Attack Technique: Zero-day vulnerability, N-day vulnerability, Encrypted channel, Steganography, Rootkit, LOTL, BOVID
Attack Weapon: AppleJeus, DoublePulsar, DRATzarus, STUMPzarus, NukeSped, ThreatNeedle, WannaCry, Payload99, FrostyFerret, GolangGhost, wAgent, Agamemnon, SIGNBT, COPPERHEDGE

Insights

In this operation, Lazarus employed a rare and highly stealthy watering-hole tactic that is more sophisticated than typical watering-hole attacks. Instead of altering the main content of the legitimate Korean online media website after gaining control of it, Lazarus screened each visitor’s IP address and redirected only the target IPs to a malicious website set up for the attack. The attack payload was then delivered through this malicious site. Visitors outside the targeted IP range therefore saw no change to the media site at all. The only way to detect the compromise was to audit the site’s web code, which significantly reduced the exposure risk of Lazarus’s attack.

Another issue that warrants attention is the security risk present in commonly used security software. In South Korea’s online environment, online banking and government websites require users to install specific security software for functions such as anti-keylogging and certificate-based digital signatures. This software runs in the background and interacts with web browsers. In this incident, Cross EX, a tool widely used in South Korea to support such security software across multiple browser environments, was exploited by Lazarus. The group discovered a vulnerability in Cross EX and leveraged its large user base to conduct large-scale information-stealing attacks. South Korean authorities have issued security advisories warning of the risks associated with Cross EX vulnerabilities. However, because the software is maintained slowly, South Korea has been unable to address these threats in a timely manner.

Additionally, it is worth noting that Lazarus exploited the 1-day vulnerability in Innorix Agent. Lazarus took advantage of an arbitrary file download vulnerability in version 9.2.18.496 of Innorix Agent. They sent malicious traffic to hosts with this version installed, prompting the Innorix Agent program to download a Trojan from a location specified in the content of that traffic.

File transfer tools like Innorix Agent, once compromised, can easily serve as an entry point for APT attackers to move laterally within a network.

2. APT29 launched phishing attack on European diplomats

Since January 2025, the Russian APT group APT29 has launched a wave of targeted phishing attacks[2] against European governments and diplomats. In their phishing baits, the group impersonates major European Ministries of Foreign Affairs, distributing fake invitations to diplomatic events and delivering a new Trojan called GRAPELOADER, as well as a variant of the known Trojan WINELOADER.

By sending phishing emails to European diplomats, APT29 tricks victims into visiting specific malicious links to download the group’s attack payload. These links are designed to trigger the download only under certain conditions (e.g., a specific time of day or geographic location). Otherwise, they redirect to the official Ministry of Foreign Affairs website.

Threat Group Card

Group Name: APT29, Cozy Bear
Appear Time: 2008
Attack Target: Australia, Azerbaijan, Belarus, Belgium, Brazil, Bulgaria, Canada, Chechnya, Chile, China, Cyprus, Czech Republic, Denmark, France, Georgia, Germany, Hungary, India, Ireland, Israel, Italy, Japan, Kazakhstan, Kyrgyzstan, Latvia, Lebanon, Lithuania, Luxembourg, Mexico, Montenegro, Netherlands, New Zealand, Poland, Portugal, Romania, Russia, Singapore, Slovakia, Slovenia, Spain, Korea, Switzerland, Thailand, Turkey, Uganda, United Arab Emirates, United Kingdom, Ukraine, United States, Uzbekistan
Attack Strategy: Spear phishing, Watering hole attack, Public network device intrusion, Data erasure, Supply chain attack
Attack Technique: Zero-day vulnerability, N-day vulnerability, Encrypted channel, DGA
Attack Weapon: BloodHound, CozyDuke, CosmicDuke, SharpView, SoreFang, WellMail, WellMess, WINELOADER, GRAPELOADER

Insights

The most notable aspect of this campaign was the way APT29 used watering-hole sites. These sites were set up to validate visitor information and only deliver malicious payloads when the access time fell within regular European working hours and the visitor’s IP was in a specific geographic location. This IP filtering mechanism hides attack traces and makes it harder for security analysts to trace the attacks.

The watering-hole filtering mechanism used by the Lazarus group, described in the previous section, is very similar to that of APT29. This reflects a recent trend among APT groups: hiding the attack code on watering-hole sites behind visitor checks. Such tactics interfere with the investigation and attribution of APT activities. Security researchers should therefore design detection strategies for current web security products that identify and defend against this threat.
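Both insights above (the Lazarus media-site redirect and APT29’s conditional links) come down to the same observable: a page or link that serves ordinary content to most visitors but sends a small subset elsewhere. A site operator can hunt for that selectively from the web server’s own access logs. The following is an added example written for this briefing, not code from NSFOCUS or from the referenced reports; it assumes an nginx/Apache combined log format extended with one extra column holding the response Location header, constructed sample log lines, and a hypothetical own-site hostname `media.example`.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hostnames that belong to the audited site (assumed value for this example).
OWN_HOSTS = {"media.example", "www.media.example"}

# Constructed sample: combined log format plus one assumed extra column, the
# response Location header (e.g. nginx '$sent_http_location'). Standard combined
# logs lack it; without it only the status-code split below is available.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Apr/2025:09:12:01 +0900] "GET /news/article/1234 HTTP/1.1" 200 51234 "-" "Mozilla/5.0" "-"
203.0.113.11 - - [14/Apr/2025:09:12:07 +0900] "GET /news/article/1234 HTTP/1.1" 200 51234 "-" "Mozilla/5.0" "-"
198.51.100.5 - - [14/Apr/2025:09:13:15 +0900] "GET /news/article/1234 HTTP/1.1" 302 0 "-" "Mozilla/5.0" "https://vendor-update.example/setup.html"
203.0.113.12 - - [14/Apr/2025:09:14:40 +0900] "GET /news/article/1234 HTTP/1.1" 200 51234 "-" "Mozilla/5.0" "-"
203.0.113.13 - - [14/Apr/2025:09:15:02 +0900] "GET /news/article/1234 HTTP/1.1" 200 51234 "-" "Mozilla/5.0" "-"
203.0.113.10 - - [14/Apr/2025:09:16:00 +0900] "GET /login HTTP/1.1" 302 0 "-" "Mozilla/5.0" "/account"
203.0.113.11 - - [14/Apr/2025:09:16:05 +0900] "GET /login HTTP/1.1" 302 0 "-" "Mozilla/5.0" "/account"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<location>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_external(location):
    """True if a Location header points off-site (absolute URL with a foreign host)."""
    if not location or location == "-":
        return False
    host = urlsplit(location).hostname
    return host is not None and host not in OWN_HOSTS


def find_selective_redirects(lines, max_redirect_share=0.5, min_clients=3):
    """Flag paths that give most clients normal content (2xx) but redirect a
    minority of clients off-site. Ordinary redirects such as /login -> /account
    hit every client and stay on-site, so they are not reported."""
    served = defaultdict(set)      # path -> client IPs that received 2xx
    redirected = defaultdict(set)  # path -> client IPs that received 3xx
    targets = defaultdict(set)     # path -> external redirect targets seen
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        status = int(rec["status"])
        if 200 <= status < 300:
            served[rec["path"]].add(rec["ip"])
        elif 300 <= status < 400:
            redirected[rec["path"]].add(rec["ip"])
            if is_external(rec["location"]):
                targets[rec["path"]].add(rec["location"])
    findings = []
    for path, bad_ips in redirected.items():
        good_ips = served[path]
        total = len(good_ips | bad_ips)
        if total < min_clients or not good_ips or not targets[path]:
            continue
        if len(bad_ips) / total <= max_redirect_share:
            findings.append({
                "path": path,
                "redirected_ips": sorted(bad_ips),
                "served_clients": len(good_ips),
                "targets": sorted(targets[path]),
            })
    return findings


if __name__ == "__main__":
    for f in find_selective_redirects(SAMPLE_LOG.splitlines()):
        print(f"{f['path']}: {len(f['redirected_ips'])} client(s) redirected off-site "
              f"to {f['targets']} while {f['served_clients']} clients got normal content")
```

The check keys on the split between clients rather than on any particular redirect target, so it also catches a gate that changes its destination over time. Because the injected server-side script decides per visitor, a single external scan from an untargeted IP will see nothing, which is why the log-side view (or the code audit the Lazarus insight mentions) is the practical detection point.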

[1] https://securelist.com/operation-synchole-watering-hole-attacks-by-lazarus/116326/

[2] https://research.checkpoint.com/2025/apt29-phishing-campaign/

This is a Security Bloggers Network syndicated blog from NSFOCUS, Inc., authored by NSFOCUS. Read the original post at: https://nsfocusglobal.com/nsfocus-apt-monthly-briefing-april-2025/


Source: https://securityboulevard.com/2025/06/nsfocus-apt-monthly-briefing-april-2025/?utm_source=rss&utm_medium=rss&utm_campaign=nsfocus-apt-monthly-briefing-april-2025