NSFOCUS Monthly APT Insights – August 2025

September 18, 2025 | NSFOCUS

Regional APT Threat Situation

In August 2025, the global threat hunting system of Fuying Lab detected a total of 23 APT attack activities. These activities were primarily concentrated in regions including South Asia, East Asia, Eastern Europe, and West Asia, as shown in the following figure.

Regarding the activity levels of different organizations, the most active APT group this month was Kimsuky from East Asia, while other relatively active groups included Bitter, TransparentTribe and Sidewinder, all from South Asia.

The most prevalent intrusion method in this month’s incidents was spear-phishing email attacks, accounting for 87% of all attack events. A small number of threat actors also utilized watering hole attacks and vulnerability exploitation for infiltration.

In August 2025, the primary target industries for APT groups were government agencies, accounting for 35%, followed by military institutions at 18%, and organizations or individuals at 13%. Other attack targets included the research and financial sectors.

South Asia

This month, APT activities in South Asia have primarily been initiated by known APT groups, with victims including government agencies in India and Pakistan, the Ministry of Defense of Sri Lanka, the Bangladesh Army, and Chinese enterprises or individuals.

In terms of attack tactics, spear-phishing email attacks dominated APT activities in the region this month.

Subscribe to NSFOCUS Threat Intelligence for full details of APT incident insights.

East Asia

This month, APT activities in East Asia have primarily been carried out by known APT groups, with all victims located in South Korea, including diplomats, tax authorities, financial entities, and other institutions and individuals.

In terms of attack tactics, all APT operations in East Asia this month were conducted via spear-phishing email campaigns.

Eastern Europe

This month, APT activities in Eastern Europe have primarily been conducted by known APT groups, with victims including foreign diplomats stationed in Russia and Ukrainian organizations or individuals.

Notably, the Turla group launched cyberattacks targeting foreign embassies in Moscow.

Global Key APT Events

Event Name | Related Groups
APT attackers exploited the Apple zero-day vulnerability CVE-2025-43300 to target specific individuals. | Unconfirmed
The APT group Turla launched attacks against diplomatic personnel at the U.S. Embassy in Russia using an AiTM phishing strategy combined with the ApolloShadow trojan. | Turla

Interpretation of Key APT Events

APT Exploits Apple Zero-Day Vulnerability CVE-2025-43300 to Target Specific Individuals

On August 20, Apple released a security advisory announcing that a zero-day vulnerability, CVE-2025-43300, had been patched in iOS and iPadOS 18.6.2.

CVE-2025-43300 is an out-of-bounds write vulnerability located in the ImageIO component of the Apple operating system. This flaw allows attackers to write malicious code beyond allocated memory boundaries into the memory space of other processes. When combined with additional vulnerabilities or exploit techniques to bypass security defenses, it can……

CVE-2025-43300 is an out-of-bounds write vulnerability caused by a logic error in Apple’s ImageIO framework when processing DNG format images containing lossless JPEG data. The underlying mechanism is relatively straightforward to understand.

The severity of this vulnerability lies in the following aspects:

  1. Zero Interaction: It is a 0-click exploit, meaning it can be triggered without any action required from the victim.
  2. Easy to Spread: The vulnerability can be propagated through any social media or messaging application capable of transmitting DNG format images.
  3. Wide Impact: It affects all iPhone and iPad devices running iOS/iPadOS 18.6.1 and earlier versions, making it broadly exploitable across Apple’s ecosystem.

The campaign employed a highly complex exploit chain composed of multiple zero-day vulnerabilities.
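Because the flaw is reached through DNG images that carry lossless JPEG data, a defender can triage image attachments at a mail or messaging gateway by checking for exactly that combination. The following Python is an added example, not NSFOCUS or Apple code: it parses the TIFF container that DNG uses, walks IFD0 and its SubIFDs, and flags files that carry a DNGVersion tag and declare Compression 7 (JPEG, the DNG encoding for lossless JPEG). Tag numbers come from the TIFF 6.0 and DNG specifications; the sample file is constructed inline, and a hit is a triage signal for blocking or sandbox detonation, not proof of exploitation.

```python
import struct

TAG_COMPRESSION = 259      # TIFF Compression; value 7 = JPEG, used by DNG for lossless JPEG tiles
TAG_SUBIFDS = 330          # SubIFDs; DNG raw image data normally lives in a sub-IFD
TAG_DNG_VERSION = 50706    # DNGVersion; only DNG files carry it
COMPRESSION_JPEG = 7

def _read_ifd(data, off, e):
    """Parse one IFD: return ({tag: [SHORT/LONG values]}, next_ifd_offset); other types give []."""
    (count,) = struct.unpack_from(e + "H", data, off)
    if off + 2 + 12 * count + 4 > len(data):
        raise ValueError("truncated IFD")
    entries = {}
    for i in range(count):
        tag, typ, n, raw = struct.unpack_from(e + "HHI4s", data, off + 2 + 12 * i)
        entries[tag] = []                       # record presence of every tag
        if typ in (3, 4, 13):                   # SHORT, LONG, IFD: the only types this check reads
            size = (2 if typ == 3 else 4) * n
            src = raw if size <= 4 else data[struct.unpack(e + "I", raw)[0]:]  # inline or at offset
            if len(src) < size:
                raise ValueError("IFD entry points outside the file")
            entries[tag] = list(struct.unpack_from(e + ("H" if typ == 3 else "I") * n, src))
    return entries, struct.unpack_from(e + "I", data, off + 2 + 12 * count)[0]

def triage_dng(data: bytes) -> dict:
    """Classify a blob: is it a DNG, and does any IFD declare JPEG (lossless JPEG) compression?"""
    result = {"is_dng": False, "lossless_jpeg": False}
    e = {b"II": "<", b"MM": ">"}.get(data[:2])
    if e is None or len(data) < 8 or struct.unpack_from(e + "H", data, 2)[0] != 42:
        return result                           # not a TIFF container at all
    pending, seen = [struct.unpack_from(e + "I", data, 4)[0]], set()
    while pending:
        off = pending.pop()
        if off == 0 or off in seen or off + 2 > len(data):
            continue                            # skip null pointers, loops and truncated IFDs
        seen.add(off)
        ifd, next_ifd = _read_ifd(data, off, e)
        result["is_dng"] |= TAG_DNG_VERSION in ifd
        result["lossless_jpeg"] |= COMPRESSION_JPEG in ifd.get(TAG_COMPRESSION, [])
        pending.extend(ifd.get(TAG_SUBIFDS, []) + [next_ifd])
    return result

def build_sample(sub_compression: int) -> bytes:
    """Constructed little-endian DNG-like file: uncompressed IFD0 thumbnail plus one raw SubIFD."""
    entry = lambda tag, typ, n, value: struct.pack("<HHI", tag, typ, n) + value
    ifd0 = struct.pack("<H", 3) + entry(TAG_COMPRESSION, 3, 1, struct.pack("<HH", 1, 0))  # IFD0 uncompressed
    ifd0 += entry(TAG_SUBIFDS, 4, 1, struct.pack("<I", 50))                # SubIFD starts at byte 50
    ifd0 += entry(TAG_DNG_VERSION, 1, 4, bytes([1, 4, 0, 0])) + struct.pack("<I", 0)  # DNGVersion 1.4; no next IFD
    sub = struct.pack("<H", 1) + entry(TAG_COMPRESSION, 3, 1, struct.pack("<HH", sub_compression, 0))
    return b"II" + struct.pack("<HI", 42, 8) + ifd0 + sub + struct.pack("<I", 0)
```

Checking only IFD0 would miss most real DNGs, because the raw tile data (and its Compression tag) usually sits in a SubIFD; the walk over tag 330 is what makes the check useful.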

APT Group Turla Attacks Diplomatic Personnel at the U.S. Embassy in Russia Using AiTM Tactics and the ApolloShadow Trojan

Microsoft recently disclosed an espionage cyberattack carried out by the APT group Turla.

This attack occurred between 2024 and 2025, primarily targeting diplomatic personnel stationed in Russia and related institutions. Leveraging their control over Russian ISPs and telecommunications providers, Turla employed Adversary-in-the-Middle (AiTM) tactics to intercept and manipulate network traffic. They redirected victims to malicious web pages, tricking them into downloading and executing a file disguised as a Kaspersky installer, which in fact was the installer for the ApolloShadow malware.

Once executed, the ApolloShadow Trojan installs an attacker-controlled root certificate on the victim’s host, enabling interception of HTTPS communications and achieving full network control over the compromised system.
