In a presentation, Noushin Shabab, Lead Security Researcher at Kaspersky’s Global Research and Analysis Team (GReAT), revealed the major cyber espionage groups persistently targeting state secrets, military intelligence, and more from governments across the region.

Globally, Kaspersky GReAT researchers monitor more than 900 APT groups and operations. In APAC, the major groups active from 2024 to the present include:

• SideWinder – dubbed “the most aggressive threat in APAC,” this APT group targets governments, military, and diplomatic entities in the region with spear-phishing and sophisticated attack platforms. It has a persistent interest in maritime sectors (Bangladesh, Cambodia, and Việt Nam) and logistics (China, India, and Maldives). Just last March, Kaspersky GReAT experts also revealed that the group showed a heightened focus on nuclear power plants and energy facilities across South Asia.

SideWinder adapts its tools quickly to avoid detection, making it a persistent threat. When targeting nuclear infrastructure, the group uses highly tailored spear-phishing emails that appear related to regulations or facility operations. Opening these emails triggers a malware chain, potentially giving attackers access to sensitive operational data, research, and personnel information.

Sri Lanka, Nepal, Myanmar, Indonesia, and the Philippines are also on SideWinder’s target list.

• Spring Dragon aka Lotus Blossom – with particular interest in Việt Nam, Taiwan (China), and the Philippines, this threat actor utilises spear phishing, exploits, and watering hole attacks to infiltrate victims’ machines. Kaspersky researchers have detected 1,000 malicious samples used over a decade to target government entities in Southeast Asia.

• Tetris Phantom – discovered by Kaspersky GReAT researchers in 2023, this APT group first deployed highly sophisticated malware targeting a type of secure USB drive. From last year to 2025, it has added two attack tools to its arsenal: BoostPlug, a plugin-based framework, and DeviceCync, which injects ShadowPad, PhantomNet, and Ghost RAT into victims’ machines.

• HoneyMyte – known for aiming to exfiltrate sensitive political and strategic information from governments and diplomatic entities in Southeast Asia, most notably Myanmar and the Philippines, this threat actor now utilises ToneShell malware deployed via multiple loaders in different campaigns throughout 2024 and 2025.

• ToddyCat – primarily targeting high-profile victims in Malaysia since 2020, this technically sophisticated group has developed malicious tools based on publicly available code to bypass legitimate security software, evade detection, and maintain covert access within targeted environments.

• Lazarus – the group known for the infamous “Bangladesh Bank Heist,” this state-sponsored threat actor continues to be one of the major APTs in the region with both espionage and financially motivated campaigns.

Earlier this year, Kaspersky GReAT experts uncovered “Operation SyncHole,” a new Lazarus campaign combining a watering hole attack with the exploitation of vulnerabilities in third-party software to target organisations in South Korea. During the research, company experts also discovered a zero-day vulnerability in Innorix Agent software. At least six South Korean firms in key sectors were targeted, with the actual number of victims potentially higher.

• Mysterious Elephant – first observed by Kaspersky in May 2023, the group deploys novel backdoor families capable of executing commands and handling files stealthily. It stands out from, and sometimes overlaps with, the techniques of APTs like Dropping Elephant, Origami Elephant, Bitter, Confucius, and SideWinder.

In 2025, Kaspersky experts observed that the group constantly added new tools and techniques to their arsenal to target victims in Pakistan, Sri Lanka, and Bangladesh.

To defend against APT attacks, Kaspersky recommends accurate detection, rapid response to known tactics, and prompt remediation of vulnerabilities. Additional advice includes:

• Always keep software updated on all devices you use to prevent attackers from infiltrating your network by exploiting vulnerabilities.

• Carry out a cybersecurity audit of your networks and assets to reveal gaps and vulnerable systems, and address any weaknesses discovered in the perimeter or within the network.

• To protect your company against a wide range of threats, use solutions from the Kaspersky Next product line that provide real-time protection, threat visibility, investigation, and response capabilities such as EDR and XDR for organisations of any size and industry.

• Provide your InfoSec professionals with in-depth visibility into cyber threats targeting your organisation. The latest Kaspersky Threat Intelligence will provide them with rich and meaningful context across the entire incident management cycle and help them identify cyber risks in a timely manner.

To learn more about the latest APT reports, visit https://securelist.com/.