Advanced Persistent Threat groups from multiple nation-states increased activity in 2025, using social engineering, fileless and registry-based techniques, web shells, living-off-the-land tools, and bespoke malware to target governments, critical infrastructure, and enterprises. Notable incidents include Mustang Panda’s captive-portal delivery of SOGU.SEC and Sandworm’s deployment of wipers like Zerolot, reflecting continued espionage and disruptive objectives. #MustangPanda #Zerolot
Key points
- State-aligned APTs from China, Russia, Iran, and North Korea carried out widespread espionage and disruptive operations across regions in 2025.
- Mustang Panda (UNC6384) used captive-portal traffic hijacking and a fake Adobe update to deliver SOGU.SEC via signed components.
- APT40 and other China-linked groups relied on stealthy fileless malware, registry-based loading, and modified commodity tools to maintain persistence and exfiltrate data.
- Russia-linked actors (APT29, Sandworm) used watering-hole redirects, credential harvesting, and destructive wiper malware (Zerolot, Sting) against Ukraine and other targets.
- North Korea-linked groups (Lazarus, Andariel) combined large-scale financial theft (Upbit breach) with privilege-escalation and registry tampering using tools like PsExec and JuicyPotato.
- Region-specific campaigns included APT34 targeting Iraq and Yemen with custom backdoors and APT36 using Linux .desktop lure files and Go-based payloads with WebSocket C2.
- SOCRadar’s Threat Actor Intelligence emphasizes continuous visibility and mapping of actor TTPs to enable prioritized, context-driven defense.
MITRE Techniques
- [T1566] Phishing – Used for targeted spear-phishing: (‘impersonated Rep. John Moolenaar … in spear-phishing emails’)
- [T1204] User Execution (Social Engineering) – Social engineering employed to trick targets into executing malicious content: (‘relies on social engineering’)
- [T1189] Drive-by Compromise / Watering Hole – Redirected site visits and captive-portal hijacking to deliver malware: (‘captive portal traffic hijacking to deliver a fake Adobe update’)
- [T1105] Ingress Tool Transfer – Transfer of SOGU.SEC and other tools to victims via signed components: (‘deployed SOGU.SEC malware via signed components’)
- [T1218] Signed Binary Proxy Execution – Use of signed components to execute or sideload malicious payloads: (‘deployed SOGU.SEC malware via signed components’)
- [T1547.001] Registry Run Keys / Startup Folder – Registry-based loading techniques used for persistence: (‘registry based loading techniques’)
- [T1055] Process Injection / Fileless Techniques – Fileless methods and process injection approaches to avoid detection: (‘fileless techniques’ / ‘fileless malware’)
- [T1505.003] Web Shell – Pre-positioning and remote access using web shells on compromised hosts: (‘web shells’ used to enable potential disruptive or destructive attacks)
- [T1021] Remote Services (PsExec) – Lateral movement and SYSTEM access using PsExec: (‘gained SYSTEM access using PsExec’)
- [T1068] Exploitation for Privilege Escalation – Use of JuicyPotato to escalate privileges to SYSTEM: (‘gained SYSTEM access using PsExec and JuicyPotato’)
- [T1070] Indicator Removal on Host – Hiding traces via registry cleanup and artifact removal: (‘hid traces through registry cleanup’)
- [T1485] Data Destruction (Wiper) – Deployment of destructive wiper malware against Ukrainian targets: (‘deployed wiper malware, including Zerolot and Sting’)
- [T1071.004] Application Layer Protocol: Web Protocols (WebSocket) – Use of WebSocket channels for C2 and exfiltration: (‘exfiltrate data via WebSocket C2 channels’)
- [T1078] Valid Accounts / Credential Abuse – Credential harvesting and abuse to maintain access and move laterally: (‘credential harvesting’ / ‘credential abuse’)
- [T1003] Credential Dumping – Techniques targeting LSASS and the SAM registry hive to obtain credentials and escalate privileges: (‘modified the SAM registry’ / ‘monitoring LSASS activity’)
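A small triage routine, added here as an example and not part of the original post or of SOCRadar's tooling, that maps host telemetry to three of the technique IDs listed above (PsExec service installation for T1021, Run-key persistence for T1547.001, and SAM hive modification for T1003). The pipe-delimited event format, the sample events and the three rules are constructed assumptions; the field names follow Sysmon Event 13 and the Windows 7045 service-install event.

```python
import re
from collections import Counter

# Constructed sample telemetry in a simplified "event_id|key=value|..." form
# (not from the original post): one service-install event, three Sysmon
# registry-set events and one benign process-create event.
SAMPLE_EVENTS = [
    "7045|ServiceName=PSEXESVC|ImagePath=%SystemRoot%\\PSEXESVC.exe",
    "13|TargetObject=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"
    "|Details=C:\\Users\\Public\\AdobeUpdate.exe",
    "13|TargetObject=HKLM\\SAM\\SAM\\Domains\\Account\\Users\\000001F4\\F|Details=Binary Data",
    "1|Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe",
    "13|TargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Loader"
    "|Details=rundll32.exe C:\\ProgramData\\lib.dll,Start",
]

# Assumed detection rules keyed to the ATT&CK IDs in the list above:
# (technique, event_id, field to inspect, pattern the field must match)
RULES = [
    ("T1021", "7045", "ServiceName", re.compile(r"^PSEXESVC$", re.I)),        # PsExec service install
    ("T1547.001", "13", "TargetObject",
     re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)),                    # Run / RunOnce persistence
    ("T1003", "13", "TargetObject", re.compile(r"^HKLM\\SAM\\", re.I)),       # SAM hive tampering
]


def parse_event(line):
    """Split 'event_id|k=v|k=v' into a dict; the id is stored under 'event_id'."""
    event_id, *fields = line.split("|")
    parsed = {"event_id": event_id}
    for field in fields:
        key, _, value = field.partition("=")
        parsed[key] = value
    return parsed


def classify(line):
    """Return the technique IDs whose rule matches this single event line."""
    event = parse_event(line)
    return [tech for tech, eid, field, pattern in RULES
            if event["event_id"] == eid and pattern.search(event.get(field, ""))]


def summarize(lines):
    """Count technique hits over a batch of events to prioritise triage."""
    counts = Counter()
    for line in lines:
        counts.update(classify(line))
    return dict(counts)
```

Running `summarize(SAMPLE_EVENTS)` on the constructed batch flags both Run-key writes, the PsExec service and the SAM write, and ignores the benign process event.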
Indicators of Compromise
- [Malware] delivery and destructive tools – SOGU.SEC (delivered via a fake Adobe update), Zerolot (wiper used by Sandworm), and Sting (wiper)
- [Tools / Utilities] post-exploitation and escalation – PsExec (used to gain SYSTEM access), JuicyPotato (local privilege escalation)
- [File types / names] lure and payload artifacts – Linux .desktop files disguised as PDFs (APT36 phishing ZIPs), signed components used to sideload malware
- [C2 / Protocols] command-and-control channels – WebSocket C2 channels (used by APT36 to exfiltrate data), web shells deployed on compromised servers
- [Affected Organizations] targeted entities – Upbit (digital asset theft attributed to Lazarus Group), Government of Samoa (advisory on APT40 activity)
Read more: https://socradar.io/blog/top-10-apt-groups-in-2025/