Regional APT Threat Situation
In June 2025, the global threat hunting system of Fuying Lab detected a total of 33 APT attack activities. These activities were mainly distributed in regions such as South Asia, East Asia, West Asia, Eastern Europe, and South America, as shown in the figure below.
In terms of organizational activity, the most active APT groups this month were TransparentTribe and SideWinder operating in South Asia, while Kimsuky in East Asia also ranked among the more active actors.
This month, spear-phishing emails were the dominant initial-access vector, accounting for 88 % of all documented incidents, while a minority of threat actors opted for vulnerability exploitation and watering-hole attacks.
In June 2025, government agencies were the primary target sector for APT groups, representing 38 % of observed attacks, followed by organizations or individuals at 22 %. The remaining attacks were distributed across national defense forces, research institutions, and infrastructures.
South Asia
This month, South Asian APT activities were primarily initiated by known APT groups, targeting institutions such as the Indian military, Sri Lankan government departments, Pakistani government agencies, and organizations or individuals in Bangladesh.
We identified multiple attacks launched by South Asian APT groups targeting India this month, with victims including the Indian Armed Forces, the Indian Ministry of Defense, and Indian government departments.
East Asia
This month, APT activities in East Asia were primarily initiated by known APT groups, with victims including South Korean government departments, South Korean research institutions, and others.
West Asia
This month, APT activities in West Asia were mainly initiated by known APT groups, with victims including Turkish national defense and military departments.
A new attack campaign was launched by the APT group Stealth Falcon. The attack exploited a zero-day vulnerability (CVE-2025-33053) and executed malware from a WebDAV server controlled by the attackers via a .url file.
Eastern Europe
This month, APT activities in Eastern Europe were primarily initiated by known APT groups, with the main targets being Ukraine’s critical infrastructure.
The primary activities in Eastern Europe were focused on Ukraine, where the APT group Sandworm used a new wiper malware called “PathWiper” to launch a destructive cyberattack against Ukraine’s critical infrastructure.
South America
This month, APT activities in South America were mainly initiated by the APT group known as Blind Eagle.
The Blind Eagle APT group targeted the judicial authorities of Colombia’s public power system using spear-phishing emails. The lure document used in this incident was a court summons related to the Tax Law, which suggests that the target of the attack was the Colombian judiciary.
Subscribe NSFOCUS Threat Intelligence for full details of APT incident insights.
Global Key APT Events
| Event Name | Related Groups | Region |
| --- | --- | --- |
| DarkHotel’s attack activities targeting North Korean foreign trade personnel | DarkHotel | East Asia |
| Stealth Falcon’s zero-day vulnerability attack campaign targeting Turkish defense companies | Stealth Falcon | Middle East |
Interpretation of Key APT Events
DarkHotel’s Attack Campaign Targeting North Korean Foreign Trade Personnel
In June 2025, the global threat hunting system of Fuying Lab detected an attack campaign by the South Korean APT group DarkHotel, specifically targeting North Korean foreign trade personnel. This campaign showed some of DarkHotel’s new attack tactics and techniques.
The earliest signs of this attack activity emerged in February 2025, when DarkHotel operators sent phishing emails to several North Korean foreign trade personnel. These emails contained malicious attachments designed to initiate the entire attack chain.
The Threat Intelligence Laboratory has since reconstructed the main attack flow of this campaign.
- Sending phishing emails to victims, with decoy content requesting the victim to install an electronic certificate provided in the attachment.
- The email attachment is a compressed file containing a malicious Windows installer named cert.msi. When executed, this MSI file stealthily extracts and runs a DLL file.
……
Group Name | DarkHotel |
Appear Time | 2007 |
Attack Target | Afghanistan, Armenia, Bangladesh, Belgium, China, Ethiopia, Germany, Greece, Hong Kong, India, Indonesia, Ireland, Israel, Italy, Japan, Kazakhstan, Kyrgyzstan, Lebanon, Malaysia, Mexico, Mozambique, North Korea, Pakistan, Philippines, Russia, Saudi Arabia, Serbia, Singapore, South Korea, Taiwan, Tajikistan, Thailand, Turkey, United Arab Emirates, United Kingdom, United States, Vietnam |
Attack Strategy | Spear phishing, Public network device intrusion |
In the DarkHotel attack campaign, the attackers employed a rare MSI malicious payload hiding technique, which makes it difficult to detect the malicious DLL files embedded in the MSI files, significantly increasing the success rate of the entire attack process.
In simple terms, the DarkHotel attackers achieved implicit invocation of DLL files through the CustomAction table in MSI files, while using special MSI file constructions to hide these DLL files.
The MSI file used in this attack is a hybrid compressed file, containing both CAB-format compressed content and uncompressed binary content. The storage method adheres to the MSI specification:
- Compressed CAB files are stored in the Media table.
- File metadata for compressed source files is stored in the File table.
- Uncompressed binary files are stored in the Binary table.
This structure ensures that the MSI file can normally extract these files during execution.
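The CustomAction-plus-Binary-table layout described above can be triaged from the dumped tables alone. This is an added example, not NSFOCUS or DarkHotel code: the rows and Binary streams are constructed, and in practice they would be dumped from a real .msi with msiinfo (msitools) or the Windows-only msilib module.

```python
"""Triage Windows Installer CustomAction rows for DLL/EXE payloads run from the
Binary table (the DarkHotel pattern described above). Added example, not NSFOCUS
code; rows and streams are constructed, as a real .msi would be dumped with
msiinfo (msitools) or the Windows-only msilib module."""
from typing import Dict, List

# Base custom-action type (low 6 bits of Type): what runs and where it lives,
# per the Windows Installer CustomAction table reference.
BASE_TYPES = {
    1: ("dll", "Binary"), 2: ("exe", "Binary"), 5: ("jscript", "Binary"),
    6: ("vbscript", "Binary"), 17: ("dll", "File"), 18: ("exe", "File"),
    21: ("jscript", "File"), 22: ("vbscript", "File"), 34: ("exe", "Directory"),
    35: ("setdir", "Directory"), 37: ("jscript", "inline"), 38: ("vbscript", "inline"),
    50: ("exe", "Property"), 51: ("setprop", "Property"), 53: ("jscript", "Property"),
    54: ("vbscript", "Property"),
}
# Option bits OR-ed into Type (msidbCustomActionType* flags).
IN_SCRIPT, NO_IMPERSONATE, HIDE_TARGET = 0x400, 0x800, 0x2000

def classify(row: tuple, binaries: Dict[str, bytes]) -> List[str]:
    """Return findings for one (Action, Type, Source, Target) row; empty = unremarkable."""
    action, ctype, source, target = row
    kind, where = BASE_TYPES.get(ctype & 0x3F, ("unknown", "?"))
    findings = []
    if where == "Binary" and kind in ("dll", "exe"):
        # The payload is a stream in the Binary table, never a File-table entry,
        # so it is extracted to a temp path and run only when the action fires.
        findings.append(f"{action}: {kind} '{source}' run from Binary table, entry/args '{target}'")
        if binaries.get(source, b"")[:2] == b"MZ":
            findings.append(f"Binary stream '{source}' is a PE image (MZ header)")
    if ctype & NO_IMPERSONATE:
        findings.append("NoImpersonate: runs as LocalSystem during install")
    if ctype & HIDE_TARGET:
        findings.append("HideTarget: Source/Target withheld from the install log")
    if ctype & IN_SCRIPT:
        findings.append("deferred: executed from the install script, after the UI phase")
    return findings

def suspicious_actions(rows: list, binaries: Dict[str, bytes]) -> List[str]:
    """Names of actions that produced at least one finding, in table order."""
    return [r[0] for r in rows if classify(r, binaries)]

# Constructed sample: one row mimicking the cert.msi pattern, two benign rows.
SAMPLE_ROWS = [
    ("RunCert", 1 | IN_SCRIPT | NO_IMPERSONATE, "cert_dll", "Run"),
    ("SetInstallDir", 51, "INSTALLDIR", "[ProgramFilesFolder]App"),
    ("Notify", 18, "notify.exe", "/quiet"),
]
SAMPLE_BINARIES = {"cert_dll": b"MZ\x90\x00" + b"\x00" * 60}  # fake PE stub
```

A DLL whose only reference is a Binary-table stream invoked through a type-1 custom action never appears in the File table, which is why the File-table-only checks most installer scanners rely on miss it.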
StealthFalcon’s Zero-Day Vulnerability Attack Campaign Against Turkish Defense Enterprises
The APT group StealthFalcon launched an attack campaign in March 2025 targeting employees of major defense companies in Turkey. The attackers used phishing emails to entice specific Turkish victims into executing a web shortcut file containing a zero-day vulnerability. This action subsequently implanted a specialized backdoor Trojan onto the victims’ devices. Through this backdoor Trojan, different attack components were then run to achieve information gathering and remote control over the victims’ devices.
Group Name | StealthFalcon |
Appear Time | 2012 |
Attack Target | Netherlands, Saudi Arabia, Thailand, United Arab Emirates, United Kingdom |
Attack Strategy | Spear Phishing |
The zero-day vulnerability CVE-2025-33053 used by Stealth Falcon is a logic flaw in Internet shortcut files. Its principle is simple: the WorkingDirectory property of an Internet shortcut file can be set to a path on a remote WebDAV server. The EXE file pointed to by the Internet shortcut then uses this remote WebDAV path as its runtime environment, looking for components there and loading them for execution. Therefore, if an attacker places a malicious program on the WebDAV server under the filename of a legitimate component, it will be downloaded to the local machine and executed by the EXE file the Internet shortcut points to.
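Because the flaw lives entirely in the shortcut's WorkingDirectory value, a mail gateway or endpoint scanner can flag the pattern before anything runs. The following is an added detection example, not NSFOCUS code; the shortcut text and the host name are constructed placeholders, and only the documented [InternetShortcut] keys are read.

```python
"""Flag Internet shortcut (.url) files whose WorkingDirectory resolves to a
remote (UNC/WebDAV) location, the CVE-2025-33053 pattern described above.
Added example, not NSFOCUS code; the sample shortcut text and host name are
constructed placeholders, and only documented [InternetShortcut] keys are read."""
import configparser
import re
from typing import List

# UNC (\\host\share), forward-slash UNC, or an http(s) URL used as a directory.
REMOTE_DIR = re.compile(r"^(\\\\|//|https?://)", re.IGNORECASE)
# Mini-redirector syntax that maps a WebDAV share into a UNC path.
WEBDAV_HINT = re.compile(r"@ssl|davwwwroot|@\d+", re.IGNORECASE)

def shortcut_findings(text: str) -> List[str]:
    """Return findings for one .url file's text; an empty list means nothing remote."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case so "URL" and "WorkingDirectory" match
    cp.read_string(text)
    if "InternetShortcut" not in cp:
        return ["no [InternetShortcut] section: not a valid Internet shortcut"]
    sec = cp["InternetShortcut"]
    wd = sec.get("WorkingDirectory", "").strip()
    url = sec.get("URL", "").strip()
    findings = []
    if REMOTE_DIR.match(wd):
        findings.append(f"WorkingDirectory is a remote path: {wd}")
        if WEBDAV_HINT.search(wd):
            findings.append("WorkingDirectory uses the WebDAV mini-redirector syntax")
        if url.lower().startswith("file:"):
            # A local program started with a remote cwd may resolve components there.
            findings.append(f"local target {url} would start with a remote working directory")
    return findings

# Constructed samples: a benign web link and one shaped like the exploit shortcut.
BENIGN_URL = "[InternetShortcut]\nURL=https://example.com/\n"
SUSPECT_URL = r"""[InternetShortcut]
URL=file:///C:/placeholder/tool.exe
WorkingDirectory=\\webdav.example.invalid@SSL\DavWWWRoot\share
IconIndex=0
"""
```

Any WorkingDirectory that is not a local drive path is worth blocking outright; legitimate shortcuts created by Windows almost never set the key at all.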