Top 10 APT Groups in 2025
Advanced Persistent Threats, known as APTs, represent some of the most capable cyber adversaries. These groups are often state-backed or part of well-funded organizations, and their primary goals include espionage, long-term data collection, and disruption. They rely on advanced tactics, techniques, and procedures to compromise governments, critical infrastructure, and large enterprises.
APTs conduct targeted and planned operations. They use custom malware, zero-day vulnerabilities, and social engineering to gain access to sensitive networks. Persistence is a defining trait of these actors: they often remain undetected for extended periods, which increases the impact of their operations and the difficulty of defense.
The year 2025 saw intense activity from many state-sponsored groups worldwide. Below are summaries of notable APT actors and their campaigns in 2025, based on recent threat intelligence reports.
China-Aligned APT Groups
Mustang Panda (APT27):
MUSTANG PANDA is a China-linked APT group active since at least 2017. It mainly targets NGOs and think tanks, with a strong focus on Mongolia. The group rapidly adopts new exploits and relies on social engineering, fileless techniques, and common malware such as PlugX, Poison Ivy, and Cobalt Strike.

Mustang Panda, AI Generated
Activity in 2025
A sophisticated cyber campaign connected to UNC6384, a threat actor with ties to China, was identified by Google Threat Intelligence Group in March 2025. According to Google, the action supported cyber espionage goals related to the People’s Republic of China’s strategic objectives. The operation targeted organizations in various regions as well as diplomats in Southeast Asia.
According to the research, the attackers redirected the victims’ browser traffic in order to deliver a downloader (STATICPLUGIN) that appeared legitimate because it carried a valid digital signature. As a result, the PlugX backdoor (SOGU.SEC) was deployed in memory. To get around security controls, the campaign combined valid code-signing certificates, an adversary-in-the-middle (AitM) attack, and indirect execution techniques.
APT40 (Leviathan):
APT40, also known as TEMP.Periscope, Leviathan, and many other aliases, is a Chinese cyber-espionage group attributed to the Chinese Ministry of State Security (MSS). Numerous cybersecurity organizations and authorities, such as the Australian Cyber Security Centre (ACSC) and the Cybersecurity and Infrastructure Security Agency (CISA), support this attribution. Together, these organizations have determined that the group’s Tactics, Techniques, and Procedures (TTPs) align with those employed by Chinese state-sponsored actors. Active since at least 2009, APT40 has been implicated in numerous high-profile cyber-espionage campaigns targeting a variety of sectors, particularly focusing on maritime, defense, aviation, and technology. The group’s activities are aligned with China’s strategic objectives, including the modernization of its military and expansion of its maritime influence.

Threat Actor Card of APT40, Source
Activity in 2025
Samoa connected a number of cyberattacks to APT40, a threat actor supported by the Chinese government.
APT40 is conducting targeted espionage against government and critical infrastructure networks around the Blue Pacific, according to a warning from Samoa’s National Computer Emergency Response Team. Citing a joint advisory from multiple Western and Asian nations, the warning characterizes the group as state-sponsored and connects its operations to the PRC Ministry of State Security.
The document outlines APT40’s use of malware for long-term network access, command and control, and data exfiltration while avoiding detection. According to Australian officials, the advisory underscores continued regional support efforts as well as the growing cyber threat to the Pacific.
APT41
APT41 (also known as Double Dragon) is a well-known cyber threat group that carries out Chinese state-sponsored espionage as well as financially motivated operations that may fall outside the authority of the Chinese government. Explicit financial motivation is uncommon among Chinese state-sponsored threat groups, and evidence indicates that APT41 has been involved in both cyber-crime and cyber-espionage operations since 2014. The name “Double Dragon” reflects this dual involvement in espionage and private financial gain. The tooling they use is typically associated with government intelligence gathering.

APT41/Double Dragon TOUGHPROGRESS Campaign, Source
Activity in 2025
An advisory warning of a continuing wave of targeted cyber espionage activity connected to the People’s Republic of China was issued by the House Select Committee on China. The warning is issued at a time when trade negotiations between the United States and China are becoming more tense.
The committee claims that suspected China-affiliated threat actors impersonated Republican Congressman John Robert Moolenaar in spear-phishing emails. The messages were intended to trick recipients into opening malicious files or links. A successful interaction with these messages would have enabled unauthorized access to systems and sensitive data.
According to the study, emails purporting to be from Moolenaar were received by several trade associations, law firms, and U.S. government agencies.
The attack is thought to have been carried out by APT41, a well-known threat actor group that targets various industries and regions for cyber espionage.
Volt Typhoon
Volt Typhoon is a China-linked APT group active since at least 2021. It targets US critical infrastructure, including Guam, and focuses on stealthy pre-positioning through living-off-the-land techniques, web shells, and credential abuse to enable potential disruptive or destructive attacks. With a strong interest in both the public and private sectors, the group’s main focus is information gathering. The group is one of the most formidable cyber adversaries today because of their operations, which are distinguished by careful preparation, custom malware deployments, and covert infiltration techniques.
In addition to giving them access to advanced resources, their alleged support from a nation-state potentially aligns their objectives with geopolitical aims, increasing the threat they pose.

Threat Actor Card of Volt Typhoon, Source
Activity in 2025
During a meeting with US officials in Geneva in December, China privately acknowledged carrying out Volt Typhoon cyberattacks against US infrastructure, according to The Wall Street Journal. The remarks were seen by US authorities as an attempt to prevent US involvement in a possible conflict between China and Taiwan, and they linked the attacks to US backing for Taiwan.
Volt Typhoon used cutting-edge methods and zero-day exploits to target vital US infrastructure. Energy, utilities, communications, government, transportation, and manufacturing were among the industries impacted. For over 300 days in 2023, the actors allegedly kept access to a portion of the US electrical infrastructure.
Russia-Aligned APT Groups
APT29 (Cozy Bear, Midnight Blizzard):
APT29, also known as Cozy Bear, is a Russian cyber-espionage APT group associated with Russia’s Foreign Intelligence Service (SVR). The group’s sophisticated capabilities allow it to undertake highly targeted attacks, such as the SolarWinds supply-chain compromise, in which trojanized software updates were used to infect MSSP customers. APT29 has been active since at least 2008 and is known for targeting governments, diplomatic entities, and critical industries across the United States and Europe.

Threat Actor Card of APT29, Source
Activity in 2025
APT29, a Russian-affiliated threat actor connected to the SVR, launched a watering hole campaign, but Amazon’s threat intelligence team stopped it. The campaign used compromised websites to redirect a small portion of visitors to fake verification pages that abused Microsoft’s device code authentication flow. The action is a reflection of APT29’s effort to expand intelligence gathering and credential harvesting.
The effort is consistent with previous APT29 activities, such as credential-focused phishing revealed by Google in 2025 and AWS-themed phishing in 2024. Website compromise, obfuscated JavaScript, quick infrastructure upgrades, and a switch from client-side to server-side redirects were some of the strategies used. Amazon used infrastructure analytics to identify the behavior, collaborated with partners to disrupt cloud assets and domains, and shared information with Microsoft. There were no compromised AWS systems.
Sandworm (Armageddon, APT44):
Sandworm, also known as ELECTRUM, Black Energy, and VOODOO BEAR, is a Russia-linked APT group tied to GRU Unit 74455 and active since at least 2009. Over that period it has operated in cyberspace for Russia’s geopolitical advantage, carrying out numerous major attacks against many nations and causing damage worth billions of dollars. The group primarily uses spear phishing to deliver malware and exploit zero-days. It is well-known for its extensive operations, which include disruptive campaigns against significant international events and institutions, the NotPetya outbreak, power grid attacks in Ukraine, and election interference.

Threat Actor Card of Sandworm, Source
Activity in 2025
According to ESET, throughout the second and third quarters of 2025, Sandworm used data wiper software against Ukrainian organizations. The attacks targeted government agencies and businesses in the energy, logistics, and grain industries using wipers like Zerolot and Sting. According to ESET, the action was intended to undermine Ukraine’s economy.
Iran-Aligned APT Groups
APT34 (OilRig):
OilRig, also known as APT34, is a state-sponsored Advanced Persistent Threat (APT) group with strong ties to Iranian intelligence. Known for its sophisticated cyber-espionage campaigns, OilRig primarily targets government, energy, financial, and telecommunications sectors across the Middle East and beyond. Leveraging advanced spear-phishing techniques and custom malware, the group has cemented its reputation as a persistent and highly adaptive threat actor in the global cyber landscape. The group is also known by other aliases, including Helix Kitten and Earth Simnavaz.

Threat Actor Card of APT34, Source
Activity in 2025
APT34, a threat group with ties to Iran, has carried out cyberespionage activities against Yemeni and Iraqi institutions. They used phishing emails and custom backdoors, including tools for email, SSH, and DNS-based data exfiltration to target Iraqi government agencies.
Another APT34 subgroup used simpler PowerShell-based malware to target Yemeni companies, mostly in the telecom industry. Researchers assess the activity as part of the continuous intelligence gathering of Iran’s Ministry of Intelligence and Security, including against nations regarded as regional allies.
North Korea-Aligned APT Groups
Lazarus Group:
Hidden Cobra, Zinc, APT-C-26, Guardians of Peace, Group 77, Who Is Hacking Team, Stardust Chollima, and Nickel Academy are just a few of the names given to the Lazarus Group. The group is attributed to the Democratic People’s Republic of Korea’s (DPRK) Reconnaissance General Bureau (RGB).
Based on analysis conducted by the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI), the U.S. government released a joint technical alert (TA17-164A) in 2017 designating Hidden Cobra as a “North Korean state-sponsored malicious cyber organization.”
The Lazarus group was initially discovered and mentioned in the “Operation BlockBuster” report (2016), which was released by a group of security companies under Novetta’s leadership to investigate the 2014 Sony Pictures Entertainment hack. By tracing the malware and the attackers’ method of operation, researchers were able to trace the Lazarus group’s activity back to 2009 (perhaps 2007).
The group mixes financial activities such as ransomware, cryptocurrency theft, and cyber heists with espionage.

Threat Actor Card of Lazarus Group, Source
Activity in 2025
South Korean authorities believe that North Korea’s Lazarus group was probably responsible for a $30 million cryptocurrency theft from Upbit, the nation’s biggest exchange. According to investigators, the attackers utilized laundering methods similar to those used in earlier Lazarus operations after posing as Upbit administrators to gain access to the platform and transfer the money. Upbit relocated all assets to secure cold wallets, halted deposits and withdrawals, and characterized the event as an abnormal withdrawal.
Upbit is attempting to freeze the assets after tracing a portion of the stolen cryptocurrency to another wallet. Authorities observed strong similarities to a 2019 Upbit hack that was also linked to Lazarus and caused a $40 million loss. The group has stolen billions of dollars in cryptocurrency in recent years. Large-scale thefts connected to Lazarus, including over $1 billion in 2024 and other well-known exchange attacks, have been reported by blockchain analysis companies and the UN.
Andariel
Andariel, also known as Jumpy Pisces, is a North Korea-linked threat actor associated with the Lazarus Group. The group conducts cyber espionage and ransomware operations against financial institutions, government bodies, and critical industries such as defense and energy. Its activity combines financial theft with intelligence collection, often aligned with state interests. Andariel commonly gains access through spear phishing, exploits vulnerable systems, deploys custom malware and ransomware, and moves laterally within networks while using evasion techniques to avoid detection.

Jumpy Pisces, AI Generated
Activity in 2025
Researchers report that North Korea-linked Andariel abused RID hijacking to grant administrative rights to low-privilege Windows accounts. The group gained SYSTEM access using PsExec and JuicyPotato, modified the SAM registry, and hid its traces through registry cleanup. Mitigation requires monitoring LSASS activity, restricting privilege escalation tools, and enforcing MFA.
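RID hijacking works by rewriting the RID field stored inside a SAM user entry so that a low-privilege account is treated as a different (administrative) RID, which means a defender can detect it by comparing each user key's name with the RID its F value stores. The following is an added illustration, not code from the report or from any researcher it cites; it assumes the RID sits as a 4-byte little-endian integer at offset 0x30 of the F value (the layout described in public RID hijacking research) and runs over constructed sample entries rather than a live SAM hive.

```python
import struct

# Assumed layout of a SAM user "F" value: the account RID is a 32-bit
# little-endian integer at offset 0x30. The registry key name under
# HKLM\SAM\SAM\Domains\Account\Users is the same RID written as 8 hex digits.
RID_OFFSET = 0x30

def build_f_value(rid: int) -> bytes:
    """Build a minimal constructed F value whose RID field holds `rid`."""
    return b"\x00" * RID_OFFSET + struct.pack("<I", rid) + b"\x00" * 0x10

def rid_from_f(f_value: bytes) -> int:
    """Read the RID stored inside an F value."""
    if len(f_value) < RID_OFFSET + 4:
        raise ValueError("F value too short to contain a RID field")
    return struct.unpack_from("<I", f_value, RID_OFFSET)[0]

def detect_rid_hijack(users: dict) -> list:
    """Return (key_name, key_rid, stored_rid) for every entry whose stored RID
    does not match the RID encoded in its registry key name.

    `users` maps the hex key name to the raw bytes of that key's F value."""
    findings = []
    for key_name, f_value in users.items():
        key_rid = int(key_name, 16)
        stored_rid = rid_from_f(f_value)
        if stored_rid != key_rid:
            findings.append((key_name, key_rid, stored_rid))
    return findings

# Constructed sample: built-in Administrator (500), a normal user (1002), and a
# user whose F value has been rewritten to claim RID 500 (the hijacked entry).
SAMPLE_USERS = {
    "000001F4": build_f_value(500),
    "000003EA": build_f_value(1002),
    "000003EB": build_f_value(500),
}

if __name__ == "__main__":
    for key, key_rid, stored in detect_rid_hijack(SAMPLE_USERS):
        print(f"RID mismatch: key {key} (RID {key_rid}) stores RID {stored}")
```

On a real host the F values would be read from an offline registry export or a hive backup under an account permitted to access SAM, and a non-empty result is worth correlating with registry modification events on the Users subkeys.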
South Asia and Other Regions
APT36 (Transparent Tribe):
APT36 is a cyber-espionage group affiliated with the Pakistani government that has been active since at least 2013. Other names for this group include Transparent Tribe, Mythic Leopard, Earth Karkaddan, ProjectM, and COPPER FIELDSTONE. The group has a long history of targeting Indian government, military, and defense-related companies and is thought to be acting on behalf of Pakistan’s military or intelligence services.
APT36 uses phishing, remote-access trojans, and deceptive infrastructure to carry out long-term intelligence-gathering activities. The group uses new platforms, cloud services, and malvertising operations to stay effective in the threat landscape of South Asia despite having a limited level of technical skill.

Threat Actor Card of APT36, Source
Activity in 2025
An ongoing cyber espionage campaign targeting Indian government and defense organizations is being carried out by Transparent Tribe, also known as APT36, a threat actor with ties to Pakistan. The most recent activity delivers malicious Linux .desktop files disguised as PDFs via spear-phishing emails. These files display a decoy PDF, download and run encoded payloads, execute hidden Bash commands, and establish persistence via autostart, cron jobs, and systemd abuse.
Data exfiltration and remote control are made possible by the malware’s usage of DNS and UDP for covert communication after connecting to a hardcoded command-and-control server. The campaign was discovered on August 1, 2025, and it is still going strong.
Conclusion
These actors operated with clear goals and long timelines. Their activities affected governments, critical infrastructure, and private organizations across regions.
Tracking such actors requires more than is needed for ordinary threat actors. It requires continuous visibility into who the actors are, how they operate, and where they are active. SOCRadar’s Threat Actor Intelligence module addresses this need by providing structured profiles of threat actors, their tactics and techniques, and their historical operations. It enables teams to monitor ongoing activity and relate it to their own industry or geography.
By linking observed APT activity to known actors and TTPs, organizations can move from reactive defense to informed risk prioritization. Understanding the enemy is a core requirement of modern cyber defense. Threat Actor Intelligence supports this by turning fragmented threat data into actionable context.