NSFOCUS APT Monthly Briefing – March 2025

April 27, 2025 | NSFOCUS

Regional APT Threat Situation

Overview

In March 2025, the global threat hunting system of NSFOCUS Fuying Laboratory discovered a total of 19 APT attack activities. These activities were mainly distributed in South Asia, East Asia, Eastern Europe, and South America, as shown in the following figure.

In terms of group activity, the most active APT groups this month were Bitter, Patchwork and Sidewinder in the South Asian direction; in the East Asian direction, Konni was also notably active.

The most common intrusion method in this month’s events was spear phishing email, accounting for 79% of the attack incidents. A few groups used vulnerability exploitation and watering hole attacks for intrusion.

In March 2025, the primary targets of APT groups were government agencies (47%), followed by organizations and individuals (16%). Other targets included national defense forces, scientific research institutions, infrastructure, etc.

East Asia

This month, APT activities in East Asia were mainly initiated by known APT groups, with victims including government agencies, the financial industry, and research institutions.

In terms of attack tactics, APT activities in East Asia this month mainly focused on spear phishing email and the exploitation of vulnerabilities in company servers.

In terms of spear phishing, typical baits included Korean military magazine files used by the APT37 group. Baiting with topics relevant to the target of the attack is a common tactic of this group.

This month also saw the discovery of an attack in which the Lazarus group exploited a file upload vulnerability in a Korean web server and used it to install a follow-on attack payload.

South Asia

This month, APT activities in South Asia were mainly initiated by known APT groups, with victims including the governments of India and Sri Lanka, and Chinese organizations and individuals.

This month, we identified multiple attacks on Pakistan initiated by South Asian APT groups, and the targets included the country’s national defense sectors, energy sectors, etc.

In terms of attack tactics, the APT activities in South Asia this month were dominated by spear phishing email attacks. Typical baits include a phishing document used by the APT group Bitter to target Pakistan’s Ministry of Defense. The document concerns a United Nations peacekeeping conference and is disguised as an official invitation letter from the Government of Germany to Pakistan’s Ministry of Defense.

Eastern Europe

This month, APT activities in Eastern Europe were mainly initiated by known APT groups, and their victims included Signal users in Ukraine.

Attackers from Eastern Europe attempted to compromise Signal Messenger user accounts. They faked legitimate group invitations and security alerts and used malicious QR codes to trick victims into linking their Signal accounts to attacker-controlled devices, without the victims realizing it.

South America

In this month, APT activities in South America were mainly initiated by the BlindEagle group. Details of this activity can be found in section 3.2 of this report.

Global Key APT Events

Event Name: Unknown APT attacker launched the “Operation ForumTroll” attack exploiting Chrome zero-day vulnerability
Related Groups: Unconfirmed
Region: Unconfirmed
Attack Target: Russia
Attack Industry: Research institutions
Event Link: https://securelist.com/operation-forumtroll/115989/

Event Name: BlindEagle group exploited a variant of the CVE-2024-43451 vulnerability to attack Colombian government and courts
Related Groups: BlindEagle
Region: South America
Attack Target: Colombia
Attack Industry: Government and judicial institutions
Event Link: https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/

Event Name: Lazarus used the ClickFix tactic to attack professionals in cryptocurrency industry
Related Groups: Lazarus
Region: East Asia
Attack Target: Global
Attack Industry: Cryptocurrency industry
Event Link: https://blog.sekoia.io/clickfake-interview-campaign-by-lazarus/

Interpretation of Key APT Events

Unknown APT attacker launched the “Operation ForumTroll” attack exploiting Chrome zero-day vulnerability

On March 25, Kaspersky Technologies disclosed a sophisticated targeted APT attack called “Operation ForumTroll”[1].

The attack was launched by an unknown APT actor who exploited CVE-2025-2783[2], a zero-day vulnerability in Google Chrome’s sandbox. By leveraging a logic flaw in the Chrome browser, the attacker bypassed Chrome’s sandbox protection mechanism, so that malicious code opened in the browser could run directly on the victim’s Windows host.

Subscribe to NSFOCUS Threat Intelligence for full details of APT incident insights.


[1] https://securelist.com/operation-forumtroll/115989/

[2] https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_25.html

BlindEagle group exploited a variant of the CVE-2024-43451 vulnerability to attack Colombian government and courts

Between November 2024 and February 2025, the South American APT group BlindEagle used a .url (web shortcut) file exploiting a variant of the CVE-2024-43451 vulnerability to launch several rounds of cyberattacks against Colombian judicial institutions and other government entities[1].

CVE-2024-43451 is an information disclosure zero-day vulnerability that first appeared in a cyberattack operation launched by the Russian APT group UAC-0194 against Ukraine. The vulnerability stems from a logic flaw in how Windows handles the SMB protocol for .url (Internet shortcut) files. Any interaction with the .url file—such as right-clicking, deleting, or dragging it—triggers an SMB connection to the remote server specified inside the file. An attacker who controls that server can intercept the SMB request, capture the user’s NTLMv2 hash, and then use the captured hash in further attacks or to impersonate the user for malicious operations, such as stealing secrets.

Subscribe to NSFOCUS Threat Intelligence for the full APT incident overview.


[1] https://research.checkpoint.com/2025/blind-eagle-and-justice-for-all/

Group Name: BlindEagle (APT-C-36)
Appear Time:
Attack Target:
Attack Strategy:
Attack Technique:
Attack Weapon:

Subscribe to NSFOCUS Threat Intelligence for the full APT group card and insights.

Lazarus used the ClickFix tactic to attack professionals in cryptocurrency industry

The North Korean APT group Lazarus carried out a phishing operation in February 2025 targeting the cryptocurrency industry. Researchers named it “ClickFake Interview”[1].

In this operation, Lazarus operators posed as recruiters in the cryptocurrency space, sending fake interview invitations to professionals in the industry via social media and luring victims to a fake interview website.

The attackers asked victims to fill in personal information and answer questions on the fake interview website, and also required them to turn on their webcams in preparation for the interview. When victims clicked the button to turn on the webcam as instructed, however, the page displayed an error message saying that the webcam was blocked.

Subscribe to NSFOCUS Threat Intelligence for the full APT incident overview.


[1] https://blog.sekoia.io/clickfake-interview-campaign-by-lazarus/

Group Name: Lazarus
Appear Time:
Attack Target:
Attack Strategy:
Attack Technique:
Attack Weapon:

Subscribe to NSFOCUS Threat Intelligence for the full APT group card and insights.

Terms Definition

APT

An advanced persistent threat (APT) is a stealthy threat actor that gains unauthorized access to a computer network and remains undetected for an extended period. It is usually commercially or politically motivated, targeted at a specific group or country, and requires a high level of concealment over a long period of time.

APT Group

APT groups are hacker groups that carry out advanced persistent threats. Driven by political factors or economic interests, they focus on long-term, continuous cyberattacks against specific targets.

APT Attack Activity

APT attack activities are APT attack behaviors described by threat intelligence elements such as network resources, attack processes, attack tools, and tactics. They are the basic units of APT behavior analysis.

APT Attack Event

An APT attack event is a complete APT attack behavior composed of threat intelligence elements such as network resources, attack processes, attack tools, techniques and tactics, together with social intelligence elements such as attack time, attack targets, and attack impact. An APT event can include one or more APT activities.

APT Attack Operation

An APT attack operation is a series of related attack behaviors launched by an APT group over a long period of time, used to summarize the goals and technology stack of the group at that stage. An APT operation usually contains several APT events.

Threat Group Card

Located in the chapter interpreting key APT events, the threat group card introduces the main characteristics of the APT groups involved in an event in table form, with the parts marked in red representing new features that emerged in that APT event.

About NSFOCUS Fuying Lab

NSFOCUS Fuying Lab focuses on research into security threat monitoring and countermeasure technology, covering emerging fields such as APT advanced threats, botnets, DDoS countermeasures, exploitation of popular service vulnerabilities, black and gray industry chain threats, and digital assets. By mastering existing network threats, identifying and tracking new threats, and accurately tracing and countering them, the lab reduces the impact of risks and provides decision-making support for threat countermeasures.