From 2024 to the first half of 2025, cyber espionage remains the main motive of active Advanced Persistent Threat (APT) groups in Asia Pacific (APAC) according to global cybersecurity and digital privacy company Kaspersky.

In a presentation during the Kaspersky Cyber Security Weekend 2025 in Da Nang, Vietnam, Noushin Shabab, Lead Security Researcher at Kaspersky’s Global Research and Analysis Team (GReAT), unmasked the major cyber espionage groups persistently haunting state secrets, military intelligence, and more from governments across the region.
“Asia Pacific has always been a hotbed of cyber espionage activities due to the region’s tense geopolitical landscape. This, combined with rapid digital and economic developments, creates a complex threat landscape being shaped by several active threat actors targeting high-profile entities and organizations as well as critical facilities in the region,” says Shabab.
Globally, Kaspersky GReAT researchers are monitoring more than 900 APT groups and operations.
In APAC, the major groups active in 2024 to present include:
· SideWinder – dubbed “the most aggressive threat in APAC”, this APT group targets government, military, and diplomatic entities in the region with spearphishing and sophisticated attack platforms. It has a persistent interest in maritime (Bangladesh, Cambodia, and Vietnam) and logistics (China, India, and Maldives) sectors. Just last March, Kaspersky GReAT experts also revealed that the group showed a heightened focus on nuclear power plants and energy facilities across South Asia.
SideWinder adapts its tools quickly to avoid detection, making it a persistent threat. When targeting nuclear infrastructure, the group uses highly tailored spear-phishing emails that seem related to regulations or facility operations. Opening these emails triggers a malware chain, potentially giving attackers access to sensitive operational data, research, and personnel information.
Sri Lanka, Nepal, Myanmar, Indonesia, and the Philippines are also on SideWinder’s target list.
· Spring Dragon aka Lotus Blossom – with particular interest towards Vietnam, Taiwan, and the Philippines, this threat actor utilises spear phishing, exploits and watering hole attacks to infiltrate its victim’s machine. Kaspersky researchers have detected 1,000 malicious samples used over a decade to target government entities in Southeast Asia.
· Tetris Phantom – discovered by Kaspersky GReAT researchers in 2023, this APT group first deployed a highly sophisticated malware targeting a type of secure USB drive. From last year to 2025, it has added two attack tools to its arsenal: BoostPlug, a plugin-based framework, and DeviceCync, which injects ShadowPad, PhantomNet and Ghost RAT on its victims’ machines.
· HoneyMyte – known for aiming to exfiltrate sensitive political and strategic information from governments and diplomatic entities in Southeast Asia, most notably Myanmar and the Philippines, this threat actor now utilizes ToneShell malware deployed via multiple loaders in different campaigns throughout 2024 to 2025.
· ToddyCat – primarily targeting high-profile victims in Malaysia since 2020, this technically sophisticated group has developed malicious tools based on publicly available code to bypass legitimate security software, evade detection and maintain covert access within targeted environments.
· Lazarus – known for the infamous “Bangladesh Bank Heist”, this state-sponsored threat actor continues to be one of the major APTs in the region, running both espionage and financially motivated campaigns.
Early this year, Kaspersky GReAT experts uncovered “Operation SyncHole,” a new Lazarus campaign combining a watering hole attack with the exploitation of vulnerabilities in third-party software to target organizations in South Korea. During the research, company experts have also discovered a zero-day vulnerability in Innorix Agent software. At least six South Korean firms in key sectors were targeted, with the actual number of victims potentially higher.
· Mysterious Elephant – first observed by Kaspersky in May 2023, the group deploys novel backdoor families capable of executing commands and handling files stealthily, standing out from, and sometimes overlapping with, the techniques of APTs like Dropping Elephant, Origami Elephant, Bitter, Confucius and Side.
In 2025, Kaspersky experts observed that the group has constantly added new tools and new techniques to its arsenal to target victims in Pakistan, Sri Lanka and Bangladesh.
“Unlike conventional cybercriminals driven by financial gain, there is a high likelihood that groups targeting governments, military secrets, and strategic intelligence are state-sponsored. Based on the major APT activities in APAC, it is clear that these campaigns are not just about data theft, they’re about gaining a decisive geopolitical edge. This makes it critical for organizations, especially those in sensitive sectors, to strengthen their cybersecurity posture and invest in threat intelligence to stay ahead of these evolving threats,” Shabab adds.
To defend against Advanced Persistent Threat (APT) attacks, Kaspersky recommends accurate detection, rapid response to known tactics, and prompt remediation of vulnerabilities. Additional advice includes:
· Always keep software updated on all the devices you use to prevent attackers from infiltrating your network by exploiting vulnerabilities.
· Carry out a cybersecurity audit of your networks and assets to reveal gaps and vulnerable systems, and address any weaknesses discovered in the perimeter or inside the network.
· To protect the company against a wide range of threats, use solutions from the Kaspersky Next product line that provide real-time protection, threat visibility, investigation and response capabilities of EDR and XDR for organizations of any size and industry.
· Provide your InfoSec professionals with in-depth visibility into cyberthreats targeting your organization. The latest Kaspersky Threat Intelligence will provide them with rich and meaningful context across the entire incident management cycle and help them identify cyber risks in a timely manner.

To know more about the latest APT reports, visit https://securelist.com/.