
19 APT Hackers Attack Asia-based Company Servers with Exploited Vulnerabilities and Spear Phishing Email

NSFOCUS Fuying Laboratory’s global threat hunting system identified 19 Advanced Persistent Threat (APT) attack campaigns primarily targeting entities across South Asia, East Asia, Eastern Europe, and South America.

Spear phishing email was the initial access vector in 79% of the recorded incidents; the remaining campaigns relied on exploitation of software vulnerabilities or on watering hole attacks.

The APT groups Bitter, Patchwork, and SideWinder were the most active actors against South Asia, with government agencies in India, Sri Lanka, and Pakistan among the notable targets.

A prominent example involved Bitter targeting Pakistan’s Ministry of Defense using a spear phishing document disguised as an official invitation letter from the German government regarding a United Nations peacekeeping conference.

[Image: spear phishing email]

According to the report, this illustrates the attackers' reliance on socially engineered, contextually relevant lures to maximize the chance that the target opens the attachment.

In East Asia, spear phishing campaigns and vulnerability exploitation against company servers dominated the threat landscape.

The notorious APT37 group employed spear phishing lures disguised as Korean military magazine files to infiltrate government, financial, and research institutions.

A significant incident this month involved the Lazarus group exploiting a file upload vulnerability on a Korean web server, which let the attackers place and execute their own payload on the host.

Lazarus also executed a separate operation called “ClickFake Interview” targeting professionals in the cryptocurrency sector by masquerading as recruiters on social media to harvest sensitive information via fake interview websites.

Evolving Attack Techniques in Eastern Europe and South America

APT activity in Eastern Europe focused on compromising Signal Messenger users in Ukraine through sophisticated social engineering.

Attackers impersonated legitimate group invitations and security alerts and delivered malicious QR codes; when a victim scanned one, it abused Signal's linked-devices feature to link an attacker-controlled device to the account, giving the attacker ongoing access to messages without the victim noticing. Users should review Settings > Linked Devices and remove anything they do not recognize.

In South America, the BlindEagle group concentrated its attacks on Colombian government and judicial institutions, exploiting a variant of CVE-2024-43451, an NTLM hash disclosure flaw in how Windows handles .url shortcut files whose fields point at an SMB share on a remote host.

By tricking users into interacting with these specially crafted shortcut files, the attackers made Windows authenticate to an attacker-controlled server and captured the victims' NTLMv2 responses, which can be cracked offline or relayed to gain access to internal systems. Blocking outbound SMB (TCP 445) at the network edge and restricting NTLM where feasible prevents the hash from ever reaching the attacker's server.
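As an added example, not code from the NSFOCUS report or this article, the following Python script triages Windows .url shortcut files for the pattern described above: any URL, IconFile or WorkingDirectory field that names a remote host over a UNC path or a file:// URL, which Explorer will try to resolve over SMB or WebDAV. The sample shortcut files and hosts are constructed (TEST-NET addresses), not real attachments.

```python
"""Triage Windows .url (InternetShortcut) files for remote UNC/SMB or file:// references.

Example code added by the editor; it is not from the NSFOCUS report or this article.
A .url file is a small INI file. Windows resolves its URL, IconFile and
WorkingDirectory fields when the shortcut is rendered or opened, so a field that
points at a remote host can make Explorer authenticate over SMB or WebDAV and leak
an NTLMv2 response (the CVE-2024-43451 pattern). Sample hosts use TEST-NET ranges.
"""
import configparser
import sys
from urllib.parse import urlparse

# Fields Windows resolves on the user's behalf; each may hold a UNC path or a file:// URL.
REMOTE_FIELDS = ("url", "iconfile", "workingdirectory")


def remote_host(value: str):
    """Return the host a field refers to, or None if the reference is local or plain web."""
    v = value.strip()
    if v.startswith("\\\\") or v.startswith("//"):
        # UNC path: \\host\share\file, or the WebDAV form \\host@80\DavWWWRoot\file
        host = v.lstrip("\\/").split("\\")[0].split("/")[0]
        return host.split("@")[0] or None          # strip a WebDAV @port suffix
    parsed = urlparse(v)
    if parsed.scheme == "file" and parsed.netloc:
        # file://host/share/file is fetched over SMB; file:///C:/... is local
        return parsed.netloc.split("@")[0] or None
    return None


def analyze_url_file(text: str) -> dict:
    """Return {field: host} for every [InternetShortcut] field that names a remote host."""
    cp = configparser.RawConfigParser(strict=False)  # Raw: no '%' interpolation of URLs;
    cp.read_string(text)                              # strict=False: tolerate duplicate keys
    findings = {}
    for section in cp.sections():
        if section.lower() != "internetshortcut":
            continue
        for field in REMOTE_FIELDS:          # configparser lower-cases option names
            if cp.has_option(section, field):
                host = remote_host(cp.get(section, field))
                if host:
                    findings[field] = host
    return findings


# Constructed samples (not real attachments).
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://www.example.com/conference
IconIndex=0
"""

SUSPECT_URL_FILE = """[InternetShortcut]
URL=file://192.0.2.10/public/invitation.pdf
IconFile=\\\\192.0.2.10\\public\\invite.ico
IconIndex=1
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # utf-8-sig drops the BOM that Windows often writes at the start of .url files
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8-sig", errors="replace") as fh:
                print(path, analyze_url_file(fh.read()) or "no remote references")
    else:
        print("benign :", analyze_url_file(BENIGN_URL_FILE))
        print("suspect:", analyze_url_file(SUSPECT_URL_FILE))
```

Run it over extracted mail attachments (`python triage_url.py *.url`); any non-empty finding is worth quarantining, since a legitimate shortcut to a web page has no reason to reference an SMB or WebDAV host. The script only inspects the file; it never resolves the referenced host, so running it does not itself trigger the authentication the attacker is after.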

Among notable global events, the "Operation ForumTroll" attack surfaced on March 25, exploiting CVE-2025-2783, a zero-day sandbox escape in Google Chrome.

The attack, disclosed by Kaspersky, allowed an as yet unattributed APT actor to bypass Chrome's sandbox and execute malicious payloads directly on Windows hosts after the victim opened a phishing link, highlighting the persistent risk carried by widely deployed software.

BlindEagle's multi-month reuse of CVE-2024-43451 against Colombian institutions also shows how a vulnerability first weaponized as a zero-day in one region is quickly picked up by actors elsewhere, so patching cannot be prioritized by geography alone.

NSFOCUS's findings underscore that government entities remain the primary targets of APT campaigns, accounting for 47% of attacks globally in March 2025; non-government organizations and individuals were the next largest category at 16%.

Given the dominance of spear phishing combined with targeted exploitation of software vulnerabilities, organizations, especially in Asia, should strengthen email filtering and attachment inspection, patch management, and user awareness programs to mitigate these threats.
