APT Rogues’ Gallery: The World’s Most Dangerous Cyber Adversaries


Advanced Persistent Threat (APT) groups are not a new scourge. These sophisticated, state-sponsored cyber adversaries, with deep pockets and highly advanced technical skills, conduct prolonged and targeted attacks to infiltrate networks, exfiltrate sensitive data, and disrupt critical infrastructure. 

The stakes have never been higher, so in this blog, we’ll look at some of the most notorious APT actors, their unique Tactics, Techniques, and Procedures (TTPs), and attacks attributed to them, and offer a few tips on how to defend against them. 

The Lazarus Group

Originating from North Korea, the Lazarus Group has been active since at least 2009. It is notorious for a wide range of malicious activities, including financial theft, espionage, and disruptive attacks. 

Its TTPs often involve spear-phishing campaigns, exploiting zero-day vulnerabilities, and deploying custom malware such as “WannaCry” ransomware. Known for targeting financial institutions, governments, and even cryptocurrency platforms, Lazarus recently expanded its operations to lure investors using a seemingly harmless decentralized finance (DeFi) game.

In recent years, it has begun targeting cryptocurrency exchanges to steal funds to line the North Korean regime’s pockets and recently stunned the crypto community by making off with $1.46 billion in Ethereum from Bybit.

Mythic Leopard

Mythic Leopard is a lesser-known APT group believed to be associated with the Pakistani government. The group has been active since at least 2013 and, over the past four years, has primarily targeted Indian military and government personnel. However, in the past year, its focus has expanded, increasingly attacking entities in Afghanistan, with its malicious activities detected across approximately 30 countries. 

This APT employs custom Remote Access Trojans (RATs) developed in .NET and Python, continuously creating new tools for specific campaigns. Their typical attack method involves spear-phishing emails with MS Office documents containing embedded malicious macros that deploy the primary payload. While the Crimson RAT is commonly used as the final payload, researchers have also identified instances of Peppy malware, a Python-based Trojan.
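The macro-laden Office attachment described above is usually a zip-based Office Open XML package, and the VBA code it carries lives in a dedicated part of that package. The following Python script is an added illustration written for this article, not a tool from the original post or from any vendor named in it; it shows how a mail gateway or triage script can flag such documents statically, without opening them in Office and regardless of the file extension. The sample package it builds in memory is constructed for the demonstration (the `vbaProject.bin` bytes are placeholder data, not real VBA).

```python
"""Static check for embedded VBA in an Office Open XML package (.docx/.docm/.xlsm/...)."""
import io
import re
import zipfile
from dataclasses import dataclass, field
from typing import List

# OOXML stores VBA in a binary part named vbaProject.bin under word/, xl/ or ppt/.
MACRO_PART_PATTERN = re.compile(r"(^|/)vbaProject\.bin$", re.IGNORECASE)
# The package manifest declares that part with this content type.
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


@dataclass
class MacroReport:
    is_ooxml: bool                      # False: not a zip package (e.g. legacy OLE .doc/.xls)
    has_macros: bool = False
    macro_parts: List[str] = field(default_factory=list)
    declared_in_content_types: bool = False


def inspect_ooxml(data: bytes) -> MacroReport:
    """Look inside the zip container for VBA parts, ignoring the file extension entirely."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            parts = [n for n in names if MACRO_PART_PATTERN.search(n)]
            declared = False
            if "[Content_Types].xml" in names:
                manifest = zf.read("[Content_Types].xml").decode("utf-8", errors="replace")
                declared = MACRO_CONTENT_TYPE in manifest
    except zipfile.BadZipFile:
        # Not an OOXML package; hand legacy binary formats to a dedicated OLE parser instead.
        return MacroReport(is_ooxml=False)
    return MacroReport(is_ooxml=True,
                       has_macros=bool(parts) or declared,
                       macro_parts=parts,
                       declared_in_content_types=declared)


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML package in memory (sample data for this example only)."""
    manifest = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
        '<Default Extension="xml" ContentType="application/xml"/>',
        '<Override PartName="/word/document.xml" '
        'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>',
    ]
    if with_macro:
        manifest.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{MACRO_CONTENT_TYPE}"/>')
    manifest.append("</Types>")

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "\n".join(manifest))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a real OLE/VBA stream; the check only needs the part to exist.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        report = inspect_ooxml(build_sample_docx(flag))
        print(f"macro part present={flag}: {report}")
    print("legacy/non-zip input:", inspect_ooxml(b"not a zip"))
```

Because the check reads the zip directory rather than trusting the extension, a macro part hidden in a file renamed to `.docx` is still reported. It does not cover legacy OLE containers (`.doc`, `.xls`) or Excel 4.0 macro sheets, which need an OLE-aware parser such as oletools' `olevba`; the `is_ooxml=False` branch is where such input should be routed.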

Evasive Panda

Evasive Panda is a suspected Chinese state-sponsored APT group that has been active since at least 2012. It is known for sophisticated cyber espionage operations targeting individuals in mainland China, Hong Kong, Macao, and Nigeria, as well as government entities in China and Macao, among others.

The group utilizes a custom malware framework with a modular design, enabling its backdoor, MgBot, to receive additional modules that expand its spying capabilities and overall functionality. Towards the end of last year, it introduced CloudScout, a sophisticated and professional post-compromise toolset designed to extract data from multiple cloud services using stolen web session cookies.

Salt Typhoon

Salt Typhoon, also known as FamousSparrow or GhostEmperor, is a Chinese state-sponsored APT group that has been active since at least 2020, conducting widespread cyber espionage campaigns targeting major telecommunications companies in the US and Asia, including T-Mobile, AT&T, Verizon, and Singtel. 

Its TTPs involve exploiting vulnerabilities in network appliances and IoT devices to establish persistent access, using living-off-the-land techniques to evade detection, and deploying custom backdoors like “GhostSpider” and “Masol RAT.” 

These attacks have compromised sensitive data, including call logs and private communications of senior government officials. 

Double Dragon 

Double Dragon, also tracked as APT41, is a Chinese APT group infamous for conducting state-sponsored espionage and financially motivated cybercrime. Its operations span various sectors, including healthcare, telecommunications, and finance. Its TTPs encompass supply chain compromises, the use of sophisticated malware like “Winnti,” and the exploitation of software vulnerabilities to infiltrate networks.

In a campaign worth mentioning, this APT targeted the gambling and gaming industry, employing techniques such as Phantom DLL Hijacking and abusing WMIC.exe for persistence and evasion. It maintained persistent access to compromised networks for extended periods, cunningly adapting its tools and tactics based on the security team’s responses. 

Fancy Bear

Fancy Bear is a Russian state-sponsored APT group with a history of cyber espionage and information warfare. It has targeted military, political, and media entities across Europe and the United States.

Its TTPs include spear-phishing, deploying malware like “Sofacy” and “X-Agent,” and leveraging zero-day exploits. This group has been implicated in high-profile attacks, such as the breach of the Democratic National Committee in 2016 and attempts to influence political processes in various countries.

Flax Typhoon

Chinese APT group Flax Typhoon distinguishes itself by leveraging Internet of Things (IoT) devices as entry points into target networks. They have been observed exploiting public-facing servers and known vulnerabilities to gain access, primarily focusing on entities in Taiwan but with a growing global presence.  

Its TTPs involve using tools like “China Chopper” and “SoftEther VPN” to establish persistence, relying heavily on hands-on activity, and using compromised IoT devices—such as cameras and DVRs—to build botnets for command and control purposes. These botnets facilitate data exfiltration and further network reconnaissance. 

Last year, the US Justice Department announced the successful takedown of a botnet being used by Flax Typhoon to infect consumer devices like home routers, IP cameras, and DVRs, forming a network that bad actors used for malicious activities disguised as normal internet traffic.

Volt Typhoon

Volt Typhoon, a sophisticated Chinese state-sponsored APT group active since at least 2021, has US critical infrastructure in its crosshairs. Its operations focus on sectors such as communications, energy, transportation, and water services, and it uses “living-off-the-land” techniques, employing built-in network administration tools to blend with normal system activities and evade detection. 

This group gains initial access by exploiting unpatched vulnerabilities and weak credentials in internet-facing systems and routes its traffic through compromised small office and home office (SOHO) network devices, including routers and firewalls, to obfuscate its activities. 

In 2024, Volt Typhoon was implicated in attacks on US telecommunications infrastructure, including a breach of Singtel, where it established persistent access and exfiltrated sensitive data. 

Multi-pronged Defense Needed

Because APTs are so diverse in their TTPs and targets, defending against them requires a multi-pronged cybersecurity strategy that unites proactive threat intelligence, advanced detection mechanisms, and robust security policies. This includes strong access controls, the enforcement of least privilege principles, and the use of multi-factor authentication (MFA) to limit unauthorized access. 

Patching and updating software regularly is also key, as are endpoint detection and response (EDR) solutions, network segmentation, and behavioral analytics to help root out and contain threats before they turn into major disasters.

Also, entities should establish an incident response plan and use threat intelligence feeds to stay abreast of evolving APT tactics.

A Spanner in the Security Works 

However, defense against APTs is being placed in jeopardy by confusing naming conventions, says Mike Kosak, a Senior Principal Intelligence Analyst at LastPass. 

The way APTs are named has become increasingly chaotic, leading to confusion and inefficiencies in cybersecurity, he says. Each vendor assigns its own names to threat groups, often as a branding exercise, making it difficult to track adversaries across different reports.  

A single group can be known by multiple unrelated names; Volt Typhoon, for example, is also called Vanguard Panda, Bronze Silhouette, and several others. This lack of consistency is hampering collaboration among researchers, entities, and law enforcement, creating artificial subdivisions that do not reflect how threat actors operate in reality. 

The result is a fragmented understanding of cyber threats, which can mislead defenders into focusing on narrowly defined subgroups rather than the broader tactics of an entire adversarial organization, Kosak adds.

To strengthen cybersecurity, he says the industry must adopt a standardized, clear naming system that reflects the reality of how nation-state threat actors function. Moving away from vendor-specific branding will help establish a common language, making it easier for experts and organizations to assess risks. 

Also, defenders should focus on the full range of tactics used by entire intelligence or military agencies rather than limiting their strategies to specific subgroups—a broader approach that will fuel more comprehensive defenses and limit the risk of unexpected attacks. 


Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Tripwire.