NSFOCUS APT Monthly Briefing – May 2025

June 27, 2025 | NSFOCUS

Regional APT Threat Situation

In May 2025, the global threat hunting system of Fuying Lab discovered a total of 44 APT attack activities. These activities were mainly distributed across South Asia, Eastern Europe, East Asia, West Asia and Southeast Asia, as shown in the following figure.

In terms of group activity, the most active APT groups this month were SideWinder, APT36 and Bitter from South Asia; other notably active groups included Konni and Kimsuky from East Asia, and APT28 from Eastern Europe.

The most common intrusion method in this month's events was the spear-phishing email, which accounted for 84% of all incidents. A small number of groups used vulnerability exploitation or watering-hole attacks to gain initial access.

In May 2025, the primary targets of APT groups were government agencies (34%), followed by national defense forces (23%). Other targets included organizations and individuals, research institutions, financial institutions and infrastructure.

South Asia

This month, APT activities in South Asia were mainly initiated by known APT groups, with victims including the Indian Army, the Nepalese Army, the Prime Minister's Office of Pakistan, the Bangladesh Armed Forces, and organizations and individuals in China.

This month we observed multiple attacks on Pakistan by South Asian APT groups. Targets included the Prime Minister's Office, the National Disaster Management Authority, the Prime Minister's Secretariat, and telecommunications companies, among others.

In terms of attack tactics, APT activities in South Asia this month mainly focused on….

Subscribe to NSFOCUS Threat Intelligence for full details of the APT incident overview.

East Asia

This month, APT activities in East Asia were primarily initiated by known APT groups, targeting government agencies, organizations, individuals, and research institutions.

In terms of attack tactics, APT activities in East Asia this month mainly relied on spear-phishing emails. In one such case, a typical lure was a document titled…

Eastern Europe

This month, APT activities in Eastern Europe were mainly initiated by known APT groups, with victims from Ukraine and NATO member states.

The Russian hacking group Killnet issued a statement claiming to have successfully infiltrated Ukraine’s drone tracking system and released a set of geolocation data, asserting that…

West Asia

This month, APT activities in West Asia were primarily initiated by the APT35 group.

APT35 delivered its payloads via spear-phishing emails and used multi-stage loading to download follow-on attack modules, with the aim of stealing sensitive information from the target. Analysis indicates that the targets of this incident were military organizations in the Middle East.

Global Key APT Events

| Event Name | Related Groups | Region | Attack Target | Attack Industry | Event Link |
| --- | --- | --- | --- | --- | --- |
| Long-term infiltration campaign by the Iranian APT group Lemon Sandstorm targeting critical infrastructure in the Middle East | Lemon Sandstorm | Middle East | | | |
| The Turkish APT group Marbled Dust launched an attack targeting the Kurdish military using a zero-day vulnerability in Output Messenger | Marbled Dust | Middle East | | | |

Interpretation of Key APT Events – Lemon Sandstorm’s Long-Term Attack on Middle East Critical Infrastructure

The Iranian APT group Lemon Sandstorm conducted a long-term infiltration campaign against a critical national infrastructure (CNI) network in the Middle East. The attack began in May 2023, lasted until early 2025, and affected hundreds of servers within the target CNI network. Lemon Sandstorm's operation consisted of five distinct phases, each with significantly different tactics. The key techniques and tactics (not all are listed here) are outlined below:

Threat Group Card

Group Name: Lemon Sandstorm, Fox Kitten, Parisite
First Seen: 2017
Attack Target: Australia, Austria, Finland, France, Germany, Hungary, Israel, Italy, Kuwait, Lebanon, Malaysia, Poland, Saudi Arabia, United Arab Emirates, United States
Attack Strategy: Spear phishing, public network device intrusion
Attack Technique:
Attack Weapon:

The Long-Term Attack Patterns of Lemon Sandstorm

Lemon Sandstorm's recent operation against the Middle East CNI network is a classic long-term APT campaign, and its strategy reflects the group's typical characteristics. Lemon Sandstorm specialises in infiltrating internet-facing network infrastructure and maintaining long-term control over the devices inside it. The group had already planned an operation against Middle East network infrastructure as early as…

Interpretation of Key APT Events – Marbled Dust Targets Kurdish Army via Output Messenger Zero-Day

The suspected Turkish APT group Marbled Dust (also known as Sea Turtle) began attacking the Kurdish military in the Iraq region in April 2024. The details of this attack were only disclosed publicly about a year later, in May 2025.

In this operation, Marbled Dust exploited a zero-day vulnerability (CVE-2025-27920). The attackers first used stolen credentials to log in to the Output Messenger Server Manager application used by the Kurdish military. They then…

Threat Group Card

Group Name: Marbled Dust, Sea Turtle
First Seen: 2017
Attack Target: Albania, Armenia, Cyprus, Egypt, Greece, Iraq, Jordan, Lebanon, Libya, the Netherlands, Sudan, Sweden, Switzerland, Syria, Turkey, the United Arab Emirates, and the United States
Attack Strategy: Spear phishing, watering hole attack, public network device intrusion
Attack Technique:
Attack Weapon:

Zero-Day Vulnerability in Output Messenger (CVE-2025-27920)

Output Messenger is an enterprise communication tool developed by Srimax, known for its on-premises deployment model. An enterprise installs the server-side application, Output Messenger Server Manager, on its internal network, and users connect to it with the client-side application, Output Messenger Client, for internal communication. Output Messenger Server Manager must be installed on Windows, while Output Messenger Client supports multiple platforms…
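The page does not describe the vulnerability itself. Public advisories catalogue CVE-2025-27920 as a directory traversal (CWE-22) in Output Messenger Server before version 2.0.63, reachable by an authenticated user through a file name that the server trusted. The Python example below is added here and is not code from Output Messenger, Srimax or NSFOCUS; it shows the general bug class and its fix: a naive path join that lets `..` segments (or an absolute path) walk out of an upload root, beside a hardened handler that accepts only a bare leaf name and re-checks containment after normalisation. The upload root `UPLOAD_ROOT` and the entries in `SAMPLE_FILENAMES` are constructed for illustration and are not real Output Messenger paths or observed attacker file names.

```python
import posixpath

# Hypothetical upload root for a self-hosted chat server (constructed; not an Output Messenger path).
UPLOAD_ROOT = "/srv/chat/uploads"

# Constructed file names of the kind an authenticated client could submit.
SAMPLE_FILENAMES = [
    "report.pdf",                      # benign
    "../../../evil/payload.exe",       # classic traversal
    "..\\..\\..\\evil\\payload.exe",   # same, with Windows separators
    "subdir/../../escape.txt",         # traversal hidden behind a subdirectory
    "/etc/passwd",                     # absolute path supplied by the client
    "",                                # empty name
]


def vulnerable_upload_path(filename: str) -> str:
    """CWE-22 pattern: the client name is joined onto the root as-is,
    so '..' segments (or an absolute path) walk out of the upload root."""
    joined = posixpath.join(UPLOAD_ROOT, filename.replace("\\", "/"))
    return posixpath.normpath(joined)


def is_inside_root(path: str, root: str) -> bool:
    """True if path is root itself or a descendant of it.
    Pure string check with a trailing separator, so '/srv/chat/uploads_evil'
    is not mistaken for a child of '/srv/chat/uploads'."""
    root = root.rstrip("/")
    return path == root or path.startswith(root + "/")


def safe_upload_path(filename: str) -> str:
    """Hardened: allow only a bare leaf name, then confirm containment after normalisation."""
    normalised = filename.replace("\\", "/")
    leaf = posixpath.basename(normalised)
    # Reject anything carrying a directory component, an empty name, or a dot-name.
    if leaf != normalised or leaf in ("", ".", ".."):
        raise ValueError(f"rejected filename: {filename!r}")
    candidate = posixpath.normpath(posixpath.join(UPLOAD_ROOT, leaf))
    # Defence in depth: even if the leaf check were bypassed, the canonical path must stay under the root.
    if not is_inside_root(candidate, UPLOAD_ROOT):
        raise ValueError(f"path escapes upload root: {candidate}")
    return candidate


def triage(filenames):
    """Compare both handlers per name: (name, where the vulnerable join would write, safe path or None)."""
    rows = []
    for name in filenames:
        try:
            safe = safe_upload_path(name)
        except ValueError:
            safe = None
        rows.append((name, vulnerable_upload_path(name), safe))
    return rows


if __name__ == "__main__":
    for name, vuln, safe in triage(SAMPLE_FILENAMES):
        print(f"{name!r:36} vulnerable -> {vuln:32} hardened -> {safe}")
```

The string-only check runs offline and is portable, which is why it uses `posixpath` and folds backslashes to slashes first; since Output Messenger Server Manager runs on Windows, a real handler there would additionally canonicalise the final path against the live filesystem (for example with `os.path.realpath`) before writing, so that junctions and symbolic links cannot move the write target out of the root.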

Marbled Dust’s DNS Hijacking Techniques

The initial intrusion operations of Marbled Dust also warrant attention. While it remains unknown exactly how Marbled Dust obtained legitimate credentials for the Output Messenger Server Manager application used by the Kurdish military, researchers speculate that…
