NSFOCUS Monthly APT Insights – September 2025

November 12, 2025 | NSFOCUS

Regional APT Threat Situation

In September 2025, the global threat hunting system of Fuying Lab detected a total of 24 APT attack activities. These activities were primarily concentrated in East Asia and South Asia, as shown in the following figure.

Regarding the activity levels of different groups, the most active APT groups this month were Kimsuky and APT37 from East Asia, while other relatively active groups included Bitter and TransparentTribe from South Asia, and Lazarus from East Asia.

The most prevalent intrusion method in this month’s incidents was spear-phishing email attacks, accounting for 88% of all attack events. A small number of threat actors also utilized watering hole attacks (8%) and vulnerability exploitations (4%) for infiltration.

In September 2025, the primary target industries for APT groups were government agencies, accounting for 36%, followed by organizations or individuals, accounting for 32%. Other attack targets included research institutions, military institutions, and financial institutions.

East Asia

This month, APT activities in East Asia were primarily carried out by known APT groups, with victims including military institutions, government agencies, research institutions, organizations or individuals, and financial institutions.

In terms of attack tactics, all APT operations in East Asia this month were conducted via spear-phishing email campaigns.

Subscribe to NSFOCUS Threat Intelligence for full details of APT incident insights.

South Asia

This month, APT activities in South Asia were primarily launched by known APT groups, with victims including government departments in India, military institutions in India, government departments in Pakistan, organizations or individuals in Pakistan, etc.


Global Key APT Events

Event Name | Related Groups
APT group Kimsuky uses Deepfake decoy tactics and ClickFix tactics to conduct phishing attacks. | Kimsuky
APT group ArcaneDoor exploits a zero-day vulnerability in the Cisco Adaptive Firewall to launch attacks. | ArcaneDoor

Subscribe to NSFOCUS Threat Intelligence for full details of attack regions, targets and industries.

Interpretation of Key APT Events

APT Group Kimsuky

In the third quarter of 2025, the APT group Kimsuky planned and executed multiple spear-phishing attacks targeting South Korea, employing novel attack strategies. In one incident, Kimsuky impersonated a South Korean defense-related agency.

The reconstructed attack workflow is illustrated below. Kimsuky Group used generative AI (e.g., ChatGPT) to create Deepfake images of South Korean military identification documents as the main decoy. Subsequently, attackers sent spear-phishing emails targeting victims.

In several attacks during the third quarter of 2025, Kimsuky used Deepfake technology for the first time to create deceptive material, making it the second known APT group to employ Deepfake human images. The Deepfake image generated by Kimsuky is shown in the following figure, depicting a forged image of South Korean military personnel.

In this round of attacks, Kimsuky employed the ClickFix tactic for the first time, using a watering hole site to display a forged reCAPTCHA verification request. A pop-up window then prompted victims to run scripts delivered by the watering hole site. Ultimately, this led to the download and execution of a Trojan program.
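As an added illustration (not code from the NSFOCUS report), a simple defensive heuristic for spotting a ClickFix-style lure page of the kind described above: it flags HTML only when a fake-captcha prompt is paired with clipboard-writing JavaScript or with instructions to paste and run something. The indicator lists and both sample pages are constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Heuristic indicators of a ClickFix-style lure page (constructed for this example).
LURE_PATTERNS = [
    r"verify\s+you\s+are\s+(?:a\s+)?human",
    r"recaptcha",
    r"i'?m\s+not\s+a\s+robot",
]
CLIPBOARD_PATTERNS = [
    r"navigator\.clipboard\.writeText",
    r"execCommand\(\s*['\"]copy['\"]\s*\)",
]
RUN_INSTRUCTION_PATTERNS = [
    r"win(?:dows)?\s*\+\s*r",          # "press Win+R" style Run-dialog instructions
    r"press\s+(?:enter|ctrl\s*\+\s*v)",  # "paste and press Enter"
    r"\bpowershell\b",
    r"\bmshta\b",
]

@dataclass
class ClickFixVerdict:
    suspicious: bool
    lure_hits: list = field(default_factory=list)
    clipboard_hits: list = field(default_factory=list)
    run_hits: list = field(default_factory=list)

def _find(patterns, html):
    return [p for p in patterns if re.search(p, html, re.IGNORECASE)]

def assess_clickfix(html: str) -> ClickFixVerdict:
    """A captcha-style lure alone is normal; flag it only when combined with
    clipboard hijacking or with instructions to run something from the Run dialog."""
    lure = _find(LURE_PATTERNS, html)
    clip = _find(CLIPBOARD_PATTERNS, html)
    run = _find(RUN_INSTRUCTION_PATTERNS, html)
    return ClickFixVerdict(bool(lure) and (bool(clip) or bool(run)), lure, clip, run)

# Constructed samples: a real-looking captcha widget and a ClickFix lure pop-up.
BENIGN_PAGE = """<div class="g-recaptcha">Verify you are human</div>
<script>grecaptcha.render('captcha');</script>"""

LURE_PAGE = """<div id="popup">I'm not a robot. To verify, press Win+R, press Ctrl+V, then press Enter.</div>
<script>
  // Silently places an attacker-controlled command on the clipboard (placeholder here)
  navigator.clipboard.writeText("PLACEHOLDER_COMMAND");
</script>"""

if __name__ == "__main__":
    for name, page in [("benign", BENIGN_PAGE), ("lure", LURE_PAGE)]:
        v = assess_clickfix(page)
        print(name, "SUSPICIOUS" if v.suspicious else "clean", v.lure_hits, v.clipboard_hits, v.run_hits)
```

The heuristic deliberately requires two independent signals, so ordinary captcha widgets are not flagged; tune the pattern lists to the lures seen in your own telemetry.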


APT Group ArcaneDoor Exploits a Zero-Day Vulnerability in Cisco Adaptive Firewalls

In September, CISA and Cisco disclosed a sustained cyberattack targeting global critical network infrastructure, attributed to a nation-state APT group. This attack is linked to the “ArcaneDoor” cyber-espionage campaign exposed in early 2024. The primary targets include Cisco Adaptive Security Appliances (ASA) firewalls and Cisco IOS/IOS XE operating system devices, with victims spanning multiple U.S. federal agencies.

ArcaneDoor Attackers Exploited Three Zero-Day Vulnerabilities in Cisco Devices in 2025:

  • CVE-2025-20333 (“Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall Threat Defense Software VPN Web Server Remote Code Execution Vulnerability”)

CVE-2025-20333 is a remote code execution (RCE) zero-day vulnerability in the VPN web server of Cisco Adaptive Security Appliance (ASA) software and Cisco Firewall Threat Defense (FTD) software. It is an extremely high-risk vulnerability with a rare CVSS score of 9.9. Because the vulnerability was discovered by the Cisco Security Team and CISA intervened quickly, there is currently no publicly available exploit (EXP) or proof-of-concept (POC) code for it on the internet. According to Cisco’s security advisory, this vulnerability is likely triggered by a specific HTTP request
