NSFOCUS Monthly APT Insights – October 2025

November 28, 2025 | NSFOCUS

Regional APT Threat Situation

In October 2025, the global threat hunting system of NSFOCUS Fuying Lab detected 31 APT attack activities. They were concentrated in South Asia and East Asia, with a smaller share observed in Eastern Europe and Western Asia, as shown in the figure below.

By group, the most active APT actors this month were SideWinder and APT36, both from South Asia. Kimsuky and Lazarus from East Asia and SideCopy from South Asia were also comparatively active.

Spear-phishing email was by far the most common initial-access method this month, accounting for 91% of all attack events. A small number of threat actors instead used watering-hole attacks (3%) or vulnerability exploitation (3%) to gain a foothold.

In October 2025, government agencies were the primary targets of APT groups (52% of events), followed by organizations or individuals (16%). Military institutions and financial institutions were also targeted.

South Asia

This month, APT activities in South Asia were primarily launched by known APT groups, targeting entities such as government departments, military institutions, and individuals or organizations in India, as well as government and military institutions in Pakistan and Bangladesh. In terms of attack tactics, the APT activities in South Asia this month mainly involved spear-phishing email attacks.

Subscribe NSFOCUS Threat Intelligence for full details of APT attack decoys.

East Asia

This month, APT activities in East Asia were primarily launched by known APT groups, targeting entities such as South Korean government departments, South Korean organizations or individuals, and South Korean financial institutions. In terms of attack tactics, all APT activities in East Asia this month were conducted via spear-phishing email attacks.

Eastern Europe

This month, APT activities in Eastern Europe were primarily launched by known APT groups, targeting entities such as the Ukrainian Presidential Office and other Ukrainian government agencies. In terms of attack tactics, spear-phishing email attacks dominated the APT activities in Eastern Europe this month.

Global Key APT Events

Event Name | Related Groups
APT Group ForumTroll’s Cyber Attack Campaign Exploiting a Zero-Day Vulnerability in the Chrome Browser | ForumTroll
Nation-State APT Group’s Cyber Attack Campaign Against F5 Networks | Unconfirmed

Subscribe NSFOCUS Threat Intelligence for full details of APT incident insights.

Interpretation of Key APT Events

APT Group ForumTroll’s Cyber Attack Campaign Exploiting a Zero-Day Vulnerability in the Chrome Browser

The APT group ForumTroll planned and launched a series of spear-phishing email attacks in mid-March 2025 against government agencies, media outlets, universities, research institutions, and financial institutions in Russia and other countries. The campaign was named “Operation ForumTroll.” ForumTroll combined novel, technically sophisticated tradecraft with a zero-day exploit for the Chrome browser, so a fully patched browser offered no protection at the time of the attacks. The primary objective of the operation was cyber espionage and the theft of intelligence.

The typical attack process of the ForumTroll group includes the following steps:

  1. The ForumTroll group sent a……
  2. After the victim clicked the link, they were redirected to…..

After passing the verification, the malicious website executed……

Nation-State APT Group’s Cyberattack on F5 Networks

In 2025, a nation-state APT group compromised the internal core systems of F5 Networks and maintained long-term persistence there. The primary objective was cyber espionage: theft of F5’s core intellectual property and of information about vulnerabilities in F5 products that had not yet been publicly disclosed. Because the stolen material included undisclosed vulnerability details, the breach also exposes F5’s customers, who may face exploitation of those flaws before fixes are available.

The investigation confirmed that the threat actor had already gained access to F5’s internal systems before August 9, 2025.

After F5 published its incident notice, the security community quickly compared the event to the 2020 SolarWinds incident, with researchers noting that the two are remarkably similar in the nature of the threat actor, the type of victim (a vendor whose products sit deep inside customer networks), the breadth of potential impact, and the likely infiltration method.

The SolarWinds incident was disclosed on December 13, 2020. The APT group tracked as UNC2452 had compromised the IT management software vendor SolarWinds and used its Orion platform for a supply chain attack: the actor implanted a backdoor into Orion update packages (versions 2019.4 through 2020.2.1), which were then distributed as legitimate, vendor-signed updates through SolarWinds’ official update channel. Between March and June 2020 these trojanized updates reached SolarWinds’ customer base of more than 30,000 Orion users, and approximately 18,000 of them installed the compromised software. Most of these customers were large enterprises or public institutions, which makes the ultimate damage difficult to estimate. The practical lesson is that a valid vendor signature says nothing about integrity once the vendor’s build pipeline is compromised; exposure has to be triaged by affected version and by behaviour on the host.
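The report gives only the outer bounds of the trojanized Orion builds. The following is an added example, not code from NSFOCUS or SolarWinds, that turns such a range into an inventory triage: it parses Orion version strings including hotfix suffixes, applies the report's range (2019.4 through 2020.2.1) literally as inclusive bounds, and lets the caller pass exact builds the vendor advisory lists as patched, since the report does not enumerate them. The hostnames and versions in the sample inventory are constructed, and the `known_patched` parameter is an assumption of this example.

```python
"""Triage an asset inventory against an affected Orion Platform version range.

Added example; the version range is the one stated in the report, and the
sample inventory below is constructed, not real data.
"""
import re
from typing import NamedTuple


class OrionVersion(NamedTuple):
    """Orion version as an orderable tuple: (major, minor, patch, hotfix)."""
    major: int
    minor: int
    patch: int
    hotfix: int


# Accepts "2020.2", "2020.2.1", "2019.4 HF5", "v2020.2.1 HF1" (case-insensitive).
_VERSION_RE = re.compile(
    r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_version(text: str) -> OrionVersion:
    """Parse a vendor-style version string; missing patch/hotfix count as 0."""
    m = _VERSION_RE.match(text)
    if m is None:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return OrionVersion(int(major), int(minor), int(patch or 0), int(hotfix or 0))


# Bounds as stated in the report: 2019.4 through 2020.2.1, inclusive.
AFFECTED_LOW = parse_version("2019.4")
AFFECTED_HIGH = parse_version("2020.2.1")


def is_affected(version_text: str, known_patched: frozenset = frozenset()) -> bool:
    """True if the build falls inside the trojanized range.

    `known_patched` (an assumed parameter) holds exact builds the vendor
    advisory marks as clean; the report does not list them, so the caller
    supplies them. Tuple ordering makes "2020.2.1 HF2" sort above "2020.2.1",
    so later hotfixes fall outside the inclusive upper bound.
    """
    v = parse_version(version_text)
    if v in {parse_version(p) for p in known_patched}:
        return False
    return AFFECTED_LOW <= v <= AFFECTED_HIGH


def triage(inventory: dict) -> list:
    """Return sorted (host, version) pairs that need isolation and investigation."""
    return sorted((host, ver) for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "orion-prod-01": "2020.2 HF1",
    "orion-prod-02": "2020.2.1 HF2",
    "orion-lab-01": "2019.4 HF5",
    "orion-legacy": "2018.4",
}


if __name__ == "__main__":
    for host, ver in triage(SAMPLE_INVENTORY):
        print(f"{host}: {ver} is within the affected range")
```

A hit from `triage` is a starting point, not a verdict: the backdoored packages carried a valid vendor signature, so signature checks will pass on an affected host, and confirmation has to come from the vendor's list of clean builds and from host-level investigation.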
