Kaspersky reports surge in APAC cyber espionage threats

Cyber espionage remains the dominant motive behind Advanced Persistent Threat (APT) activity in the Asia-Pacific region from 2024 through the first half of 2025, according to cybersecurity and digital privacy firm Kaspersky. The company's Global Research and Analysis Team (GReAT) monitors over 900 active APT groups and operations worldwide, several of which concentrate their attacks on governments, military bodies, diplomatic missions, and critical infrastructure across Asia Pacific.
Lead Security Researcher Noushin Shabab from Kaspersky GReAT said that ongoing geopolitical tensions and rapid digital growth have made the region a prime target for cyber espionage. The complex environment has allowed multiple threat actors to evolve, adapting new techniques and tools to maintain persistent access to high-value networks.
Among the most aggressive is SideWinder, known for targeting government, military, and diplomatic entities with spear-phishing and custom attack platforms. The group has expanded its interest to the maritime and logistics sectors in countries such as Bangladesh, Vietnam, China, and India, and Kaspersky also found evidence of a shift in focus toward nuclear facilities and energy infrastructure across South Asia. Its lures are spear-phishing emails disguised as regulatory communications, which deliver malware capable of accessing sensitive operational and research data.
Another long-active actor, Spring Dragon or Lotus Blossom, focuses on Vietnam, Taiwan, and the Philippines. The group uses spear-phishing, exploit attacks, and compromised websites to infiltrate networks, with over 1,000 malicious samples detected over the last decade.
Tetris Phantom, identified in 2023, has moved on from attacks on secure USB drives to the deployment of two new tools, BoostPlug and DeviceCync, which load remote access malware such as ShadowPad, PhantomNet, and Ghost RAT onto victim systems.
HoneyMyte continues to spy on political and strategic institutions, mainly in Myanmar and the Philippines. The group has recently used ToneShell malware delivered via multiple campaign loaders. ToddyCat remains active in Malaysia, utilising advanced evasion methods based on open-source code to maintain covert access within targeted environments.
Lazarus, the state-sponsored group behind the Bangladesh Bank heist, still conducts both espionage and financially motivated campaigns. In early 2025, Kaspersky uncovered a new Lazarus operation, dubbed "Operation SyncHole", that targeted South Korean supply chains and exploited a zero-day vulnerability in third-party software. At least six South Korean companies were affected.
Mysterious Elephant, first observed in 2023, continues to expand its toolkit with new backdoor families and stealth techniques, targeting victims in Pakistan, Sri Lanka, and Bangladesh.
Kaspersky analysts believe that many of these threat actors are state-sponsored, using cyber operations as strategic tools to gain geopolitical advantages rather than financial profit. The company warns that the scale and sophistication of these campaigns highlight the need for governments and organisations in sensitive sectors to strengthen their cyber defences and invest in modern threat intelligence.
To mitigate APT attacks, Kaspersky advises ensuring all software is up to date, performing thorough cybersecurity audits, and closing any identified vulnerabilities. Organisations are also encouraged to adopt comprehensive security solutions with real-time detection and response capabilities, and provide their information security teams with advanced threat intelligence for early risk identification. Kaspersky’s latest insights and reports on APT activities are available on Securelist.