NSFOCUS Monthly APT Insights – December 2025

February 2, 2026 | NSFOCUS

Regional APT Threat Situation

In December 2025, the global threat hunting system of Fuying Lab detected a total of 24 APT attack activities. These activities were primarily concentrated in South Asia and East Asia, with a smaller portion found in Eastern Europe and South America. Some activities remain unattributed to known APT groups, as shown in the figure below.

Regarding the activity levels of different groups, the most active APT groups this month were TransparentTribe and Sidewinder from South Asia, while other relatively active groups included Konni from East Asia and Gamaredon from Eastern Europe.

The most prevalent intrusion method in this month’s incidents was spear-phishing email, accounting for 83% of all attack events. A smaller number of threat actors used vulnerability exploitation (9%) and watering hole attacks (8%) for infiltration.

In December 2025, the primary target industries for APT groups were government agencies, accounting for 37%, followed by military institutions accounting for 25%. Other attack targets included organizations or individuals, financial institutions, and research institutions.

South Asia

This month, APT activities in South Asia were primarily initiated by known APT groups, targeting entities including Indian government departments, Indian military institutions, Indian financial institutions, government and military agencies in Pakistan and Bangladesh, as well as government agencies in Romania.

In terms of attack tactics, this month’s APT activities in South Asia mainly focused on spear-phishing email attacks. A typical decoy was an email targeting the Indian Ministry of Defense with the subject line “Regarding the forwarding of postings/mobilization requests for ……

Subscribe NSFOCUS Threat Intelligence for full details of APT incident insights.

East Asia

This month, APT activities in East Asia were primarily initiated by known APT groups, targeting entities including South Korean government departments, organizations or individuals in South Korea, and research institutions.

In terms of attack tactics, this month’s APT activities in East Asia mainly involved spear-phishing emails to launch attacks. Additionally, some groups attempted to compromise target hosts through vulnerability exploitation.

Regarding spear-phishing attacks, a typical decoy involved using a tuition fee payment certificate as a lure. Attackers sent phishing emails containing a .lnk file disguised as a PDF file, named……

Eastern Europe

This month, APT activities in Eastern Europe were primarily initiated by known APT groups, targeting entities including Ukrainian military institutions, governmental departments, and organizations or individuals in Ukraine.

In terms of attack tactics, this month’s APT activities in Eastern Europe mainly focused on spear-phishing email attacks. The phishing content involved sensitive topics such as tampered military personnel records and denied compensation for fallen soldiers, presented as Ukrainian government documents. The email attachment is a compressed archive that, upon extraction, contains……

South America

This month, APT activities in South America were primarily initiated by known APT groups, targeting entities including government departments in Spain and Mexico.

In terms of attack tactics, this month’s APT activities in South America primarily focused on spear-phishing email attacks. Attackers used SVG files as decoy documents, paired with Spanish-language judicial-themed filenames (e.g., “Demanda por daños y perjuicios – Juzgado 49”) to enhance credibility, luring users to click on download links embedded in the emails.

Global Key APT Events

Event Name | Related Groups
APT group Lazarus has exploited the React2Shell (CVE-2025-55182) vulnerability to carry out a cyber-attack operation. | Lazarus
Unknown attackers have utilized the Gogs zero-day vulnerability to initiate a cyber-attack operation. | Unknown

Interpretation of Key APT Events

1. APT group Lazarus has exploited the React2Shell (CVE-2025-55182) vulnerability to carry out a cyber-attack operation.

On December 3, 2025, a critical Remote Code Execution (RCE) vulnerability, CVE-2025-55182, also known as React2Shell, was discovered in React Server Components (RSC). This vulnerability is rated as critical severity with a CVSS v3.x score of 10.0. It exists in React server versions 19.0, 19.1.0, 19.1.1, and 19.2.0.

CVE-2025-55182 chains multiple security flaws within the existing RSC framework. Because the framework lacks a validation step, attacker-controlled data can pollute the JavaScript prototype object (Object.prototype): a malicious constructor, a then method, and callback functions of that then method are injected through the __proto__ property of the prototype object. This enables direct or indirect RCE through a technique known as prototype chain pollution.

After the public disclosure of CVE-2025-55182, we observed that numerous APT groups, hacker organizations, and individuals rapidly began exploiting the vulnerability for cyberattacks. The Lazarus group was the first to develop an effective exploit payload and launch attacks. Within three days of the vulnerability disclosure, Lazarus created an anti-detection exploit process. On December 5, 2025, the group used this process to spread a Trojan called EtherRAT. In this cyberattack campaign, Lazarus employed a technique called EtherHiding to conceal the attack payload, thereby bypassing WAF (Web Application Firewall) device inspections.

Group Name: Lazarus
Appear Time: 2007
Attack Target: Australia, Bangladesh, Belgium, Brazil, Canada, Chile, China, Ecuador, France, Germany, Guatemala, Hong Kong, India, Israel, Japan, Mexico, Netherlands, Philippines, Poland, Russia, South Africa, South Korea, Taiwan, Thailand, United Kingdom, United States, Vietnam, Italy, Finland

CVE-2025-55182 is a vulnerability in React Server Components (RSC) that allows unauthenticated attackers to execute remote code by crafting malicious requests. The core issue stems from improper handling of user input, enabling attackers to manipulate the prototype chain, invoke dangerous modules (such as vm or child_process), or achieve indirect code execution through file operations.

Direct RCE:

By calling dangerous modules bundled in webpack (e.g., vm or child_process), attackers can directly execute code. For example, vm.runInThisContext can execute a string passed as JavaScript code.

Indirect RCE:

Even without direct access to dangerous modules, attackers can write malicious files (e.g., .js scripts) using the fs module and then load and execute them via module#_load, achieving a two-step code execution.
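An added example (not the report's text and not React's code) of the bug class the passage describes: a routine that copies untrusted keys onto an object without validation, the detection check for `__proto__`/`constructor`/`prototype` keys that a defender can run on a decoded request body, and the hardened form that gates on that check. The sample payload is constructed; the real RSC wire format is not reproduced.

```javascript
'use strict';
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable pattern: copies attacker-controlled keys onto an object with no
// key validation. A "__proto__" key makes the recursion walk into
// Object.prototype, so every object in the process inherits the planted value.
function unsafeAssignDeep(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeAssignDeep(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection: returns JSONPath-like locations of every forbidden key in a
// decoded payload, so a request can be logged or dropped before it is processed.
function findForbiddenKeys(value, where = '$', hits = []) {
  if (Array.isArray(value)) {
    value.forEach((item, i) => findForbiddenKeys(item, `${where}[${i}]`, hits));
  } else if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      if (FORBIDDEN_KEYS.has(key)) hits.push(`${where}.${key}`);
      findForbiddenKeys(value[key], `${where}.${key}`, hits);
    }
  }
  return hits;
}

// Hardened form: the validation gate the vulnerable routine lacks.
function safeAssignDeep(target, source) {
  const hits = findForbiddenKeys(source);
  if (hits.length) throw new Error(`rejected untrusted keys: ${hits.join(', ')}`);
  return unsafeAssignDeep(target, source);
}

// Constructed sample payload (not a real React2Shell request).
function demonstrate() {
  const payload = JSON.parse('{"name":"x","__proto__":{"polluted":"yes"}}');
  const before = ({}).polluted;           // undefined
  unsafeAssignDeep({}, payload);
  const after = ({}).polluted;            // "yes": unrelated objects now inherit it
  delete Object.prototype.polluted;       // undo the process-wide side effect
  let rejected = false;
  try { safeAssignDeep({}, payload); } catch (e) { rejected = true; }
  return { before, after, rejected, paths: findForbiddenKeys(payload) };
}
```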

PoC Example

POST / HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chro……

2. Unknown Attackers Exploit Gogs Zero-Day Vulnerability in Cyber Attacks

On December 10, 2025, security researchers disclosed a zero-day vulnerability in the self-hosted Git service Gogs, CVE-2025-8110. This is a Remote Code Execution (RCE) vulnerability that effectively bypasses the mitigation mechanism of an earlier vulnerability, CVE-2024-55947, with a CVSS v4.0 rating of 8.7.

CVE-2025-8110 originates from a critical security flaw in Gogs’ built-in PutContents API, which lacks checks for symbolic links (symlinks) when processing file paths.

CVE-2025-8110 and CVE-2024-55947 are the same type of vulnerability: CVE-2025-8110 is a bypass of the patch for CVE-2024-55947. Gogs fixed the direct path traversal technique used in CVE-2024-55947, and attackers exploiting CVE-2025-8110 circumvent that patch by creating a symbolic link.

Exploiting CVE-2024-55947 is very simple: an attacker with access to any Git repository through the Gogs service can trigger the vulnerability by sending a request.
