Regional APT Threat Situation
In July 2025, the global threat hunting system of Fuying Lab detected a total of 33 APT attack activities. These activities were primarily concentrated in regions including South Asia, East Asia, Southeast Asia, Eastern Europe, and West Asia, as shown in the following figure.
Regarding the activity levels of different organizations, the most active APT groups in this month were Sidewinder, Kimsuky, and TransparentTribe from South Asia, while other relatively active groups included Konni from East Asia.
The most prevalent intrusion method in this month’s incidents was spear-phishing email attacks, accounting for 85% of all attack events. A small number of threat actors also utilized watering hole attacks, supply chain attacks, and vulnerability exploitation for infiltration.
In July 2025, the primary target industries for APT groups were government agencies, accounting for 34%, followed by organizations or individuals at 15%. Other attack targets included military institutions, research institutions, financial institutions, and infrastructure sectors.
South Asia
This month, APT activities in South Asia were primarily initiated by known APT groups, targeting entities including Indian government departments, military institutions in Sri Lanka and Bangladesh, as well as Chinese organizations or individuals.
The attack tactics primarily involved spear-phishing email campaigns, with typical lures including an official memorandum from the Indian Ministry of Defense.
East Asia
This month, APT activities in East Asia were primarily carried out by known APT groups, targeting South Korean government agencies, financial institutions, and research institutes, as well as North Korean organizations and individuals.
In terms of attack tactics, this month’s APT activities in East Asia were dominated by spear-phishing email attacks. A representative spear-phishing lure was employed by the Kimsuky group.
Southeast Asia
This month, APT activities in Southeast Asia were chiefly conducted by known APT groups, with Chinese research institutions among the primary targets.
In terms of attack tactics, this month’s APT activities in Southeast Asia were dominated by spear-phishing email attacks.
Eastern Europe
This month, APT activities in Eastern Europe were primarily conducted by known APT groups, with Ukrainian government agencies and Ukrainian organizations and individuals among the victims.
The threat actors used spear-phishing e-mails to target Ukrainian government departments.
Subscribe NSFOCUS Threat Intelligence for full details of APT incident insights.
Global Key APT Events
Multiple threat groups are exploiting the ToolShell vulnerability to attack SharePoint servers.
Interpretation of Key APT Events
On July 17, 2025, ToolShell—an exploit chain targeting Microsoft SharePoint—appeared in the wild.
The ToolShell exploit chain combines CVE-2025-49704 and CVE-2025-49706 to achieve remote code execution against any SharePoint server, posing a critical threat.
Threat Group Card
| Group Name | Appear Time | Attack Target | Attack Strategy |
| --- | --- | --- | --- |
| Mimo | 2022 | No specific region | Public-facing device compromise |
| Warlock | 2025 | No specific region | Public-facing device compromise |
Insights
About SharePoint
SharePoint is an enterprise-grade, web-based collaboration platform and content management system (CMS) launched by Microsoft in 2001. Built on a client/server architecture, it runs on IIS servers and is developed atop the .NET Framework, providing multi-platform access.
SharePoint is installed on Windows Server systems, and roughly 20,000 SharePoint servers are currently exposed to the public Internet. The emergence of the ToolShell exploit chain poses a severe threat to these publicly accessible servers.
Timeline of ToolShell Exploit Chain Attacks
| Time | Event |
| --- | --- |
| May 16, 2025 | CVE-2025-49704 and CVE-2025-49706 were first demonstrated at the Pwn2Own Berlin competition. |
| July 8, 2025 | … |
| … | … |
CVE-2025-49704
CVE-2025-49704 is a SharePoint RCE vulnerability that comprises two components: code injection and data deserialization. It serves as the core of the entire ToolShell exploit chain.
- Code Injection Segment
The vulnerability leverages the SharePoint path “/_layouts/15/ToolPane.aspx”. When a POST request is sent to this endpoint, it carries two URL-encoded parameters.
- Data Deserialization Segment
The malicious payload delivered in the above process is an XML file whose malicious portion leverages the well-known ExpandedWrapper technique to invoke the unsafe deserialization method BinarySerialization.Deserialize within a .NET Framework application, ultimately executing deserialization-based attack code embedded in the XML.
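A defender-side check for the ToolPane.aspx delivery step described above, as an added example that is not from the NSFOCUS report or from Microsoft: it parses IIS W3C log lines and flags POST requests to the endpoint, which is the one request feature the report names. The log lines and IP addresses are constructed, and no parameter names or payload content are reproduced.

```python
"""Detect POST requests to SharePoint's ToolPane.aspx endpoint in IIS W3C logs."""
from collections import Counter
from typing import Dict, Iterator, List

# Constructed sample IIS log (not real traffic); field order comes from the #Fields line.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2025-07-18 10:01:02 203.0.113.7 GET /_layouts/15/start.aspx - 200
2025-07-18 10:01:05 203.0.113.7 POST /_layouts/15/ToolPane.aspx - 200
2025-07-18 10:01:09 198.51.100.9 GET /sites/hr/default.aspx - 200
2025-07-18 10:01:12 198.51.100.9 POST /sites/hr/_layouts/15/ToolPane.aspx - 200
2025-07-18 10:02:11 203.0.113.7 POST /_layouts/15/toolpane.aspx - 200
2025-07-18 10:02:30 192.0.2.44 GET /_layouts/15/ToolPane.aspx - 401
"""

# Endpoint named in the report; matched case-insensitively and under any site collection path.
TOOLPANE_SUFFIX = "/_layouts/15/toolpane.aspx"


def parse_iis_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # directive may repeat after log rotation
        elif line.startswith("#") or not line.strip():
            continue                           # other directives and blank lines
        else:
            values = line.split()
            if fields and len(values) == len(fields):
                yield dict(zip(fields, values))


def is_toolpane_post(rec: Dict[str, str]) -> bool:
    """True for a POST whose path ends with the ToolPane endpoint (IIS paths are case-insensitive)."""
    return (rec.get("cs-method", "").upper() == "POST"
            and rec.get("cs-uri-stem", "").lower().endswith(TOOLPANE_SUFFIX))


def find_toolpane_posts(text: str) -> List[Dict[str, str]]:
    """Return every matching request so an analyst can pivot on time, source and status."""
    return [rec for rec in parse_iis_w3c(text) if is_toolpane_post(rec)]


def count_by_source(hits: List[Dict[str, str]]) -> Counter:
    """Aggregate hits per client IP; repeated POSTs from one source stand out."""
    return Counter(rec["c-ip"] for rec in hits)


if __name__ == "__main__":
    for rec in find_toolpane_posts(SAMPLE_LOG):
        print(rec["date"], rec["time"], rec["c-ip"], rec["cs-uri-stem"], rec["sc-status"])
```

Legitimate administrative edits of web part pages also POST to this endpoint, so treat a hit as a lead to correlate with the source address and subsequent activity rather than as a confirmed compromise.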
CVE-2025-49706
While CVE-2025-49704 enables remote code execution against the target SharePoint server, it does not address the platform’s authentication barrier. CVE-2025-49706 supplies the means to overcome this limitation.
CVE-2025-49706 is an authentication vulnerability residing in the PostAuthenticateRequestHandler method of Microsoft.SharePoint.dll.