April 2025 APT Group Trends

Trends of major APT groups by country

1) North Korea

Since November 2024, North Korean APT groups have been exploiting vulnerabilities in the security software used by South Korean online financial services. Similar attacks have been carried out in the past, and the threat actors build them on their understanding of the South Korean software ecosystem.

Konni

The Konni group distributed malware consisting of an LNK shortcut file and an AutoIt script through spear-phishing emails that impersonated South Korean government agencies.

Case 1.
Period: January to March 2025
Target: Activists affiliated with a North Korea human rights and inter-Korean NGO
Initial Access: The threat actors impersonated the National Human Rights Commission of Korea and the Korean National Police Agency in spear-phishing emails that urged the recipients to reply; once a recipient responded, they sent the malicious file.
Vulnerability: N/A
Malware and Tools:
· Malicious LNK shortcut file
· AutoIt script
Techniques:
· Spear phishing disguised as a government agency
· Soliciting a reply from the victim before delivering the attack
· Using non-executable (non-PE) malware
Damage: Attempted data theft and device compromise through installation of malicious files
Description: The Konni group impersonated Korean government agencies to launch spear-phishing attacks. It delivered non-executable malware, an LNK file and an AutoIt script, to infect users' devices and steal data.
Source: Analysis of Konni campaign impersonating the Korean National Police Agency and the National Human Rights Commission[1]
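The LNK-plus-script dropper pattern in the Konni case (a shortcut that launches an interpreter with a padded command line, frequently with the script payload appended to the .lnk file itself) can be triaged without running the file. The Python below is an added example written for this page, not code from the source analysis or from Konni: it parses the MS-SHLLINK header and StringData, walks the ExtraData blocks to find bytes appended after the TerminalBlock, and reports the indicators. The sample LNK files are constructed inline, and the `findstr ... autoit3.exe` command line, the indicator list and the 200-character threshold are illustrative assumptions.

```python
import struct
from typing import Dict, List

# Shell Link (LNK) constants from the MS-SHLLINK format: header size, CLSID and LinkFlags bits
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields appear in this fixed order, each present only if its flag bit is set
STRING_DATA = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
               (0x20, "arguments"), (0x40, "icon_location")]
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the launched window out of sight
INTERPRETERS = ("cmd.exe", "powershell", "pwsh", "mshta", "wscript", "cscript",
                "rundll32", "regsvr32", "certutil", "autoit3")  # assumed indicator list


def parse_lnk(data: bytes) -> Dict[str, object]:
    """Walk the LNK far enough to recover target, arguments, ShowCommand and any appended bytes."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LINK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    fields: Dict[str, object] = {"flags": flags,
                                 "show_command": struct.unpack_from("<I", data, 60)[0]}
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:       # IDListSize (2 bytes) followed by the ItemIDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                 # LinkInfoSize (4 bytes) counts itself
        off += struct.unpack_from("<I", data, off)[0]
    for bit, name in STRING_DATA:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, no terminator
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[off:off + count * width]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
        off += count * width
    # ExtraData: blocks prefixed by a 4-byte size; a size below 4 is the TerminalBlock
    while off + 4 <= len(data):
        size = struct.unpack_from("<I", data, off)[0]
        if size < 4:
            off += 4
            break
        off += size
    # A well-formed LNK ends at the TerminalBlock; bytes after it are a smuggled payload
    fields["trailing_bytes"] = max(0, len(data) - off)
    return fields


def triage_lnk(data: bytes, max_args: int = 200) -> List[str]:
    """List why an LNK looks like a dropper; an empty list means nothing stood out."""
    f = parse_lnk(data)
    target = str(f.get("relative_path", "")).lower()
    args = str(f.get("arguments", ""))
    reasons = []
    if any(name in target for name in INTERPRETERS):
        reasons.append(f"target is a script interpreter or LOLBin: {target}")
    if any(name in args.lower() for name in INTERPRETERS):
        reasons.append("arguments chain into another interpreter")
    if len(args) > max_args:
        reasons.append(f"command line is {len(args)} characters (padding/obfuscation)")
    if f["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("ShowCommand=SW_SHOWMINNOACTIVE hides the console window")
    if f["trailing_bytes"]:
        reasons.append(f"{f['trailing_bytes']} bytes appended after the TerminalBlock")
    return reasons


def build_lnk(relative_path: str, arguments: str, show_command: int = 1, trailing: bytes = b"") -> bytes:
    """Assemble a minimal Unicode LNK (header, RELATIVE_PATH, COMMAND_LINE_ARGUMENTS, TerminalBlock)
    so the parser can be exercised offline; real samples also carry an ID list and LinkInfo."""
    flags = 0x08 | 0x20 | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments) + struct.pack("<I", 0) + trailing


# Constructed samples modelled on the LNK-dropper pattern described above; not real Konni artifacts
SAMPLE_DROPPER = build_lnk(
    "..\\..\\..\\Windows\\System32\\cmd.exe",
    "/c " + " " * 300 + "findstr /b PAYLOAD %CD%\\*.lnk > %TEMP%\\a.au3 & autoit3.exe %TEMP%\\a.au3",
    show_command=SW_SHOWMINNOACTIVE,
    trailing=b"\x00" * 32 + b"<encrypted AutoIt script would follow here>",
)
SAMPLE_BENIGN = build_lnk("..\\..\\Program Files\\Notepad++\\notepad++.exe", "")

if __name__ == "__main__":
    for label, blob in (("dropper", SAMPLE_DROPPER), ("benign", SAMPLE_BENIGN)):
        print(label, triage_lnk(blob) or ["no findings"])
```

On a real case, pass the bytes of the quarantined .lnk to `triage_lnk`; when `trailing_bytes` is non-zero, the appended payload starts at `len(data) - trailing_bytes` and can be carved from there for decoding, since that is the blob the padded command line is written to extract.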

Lazarus

The Lazarus group breached at least six South Korean organizations across several industries in Operation SyncHole, a watering hole campaign that exploited vulnerabilities in South Korean software.

Case 1.
Period: November 2024 to March 2025
Target: At least six South Korean organizations in the software, IT, finance, semiconductor manufacturing, and telecommunications industries
Initial Access: Watering hole attack
Vulnerabilities:
· Innorix Agent[2]
· Cross EX[3]
Malware and Tools:
· ThreatNeedle
· wAgent
· Agamemnon downloader
· SIGNBT
· COPPERHEDGE
Techniques:
· Watering hole
· Exploiting the Cross EX vulnerability
· Executing malware in memory
· Lateral movement using Innorix Agent
Damage:
· At least six organizations in South Korea breached
· Possible data breach and system compromise
Description:
· The attackers exploited a characteristic of the South Korean online environment: many websites require users to install third-party security and file-transfer software, which gives a watering hole site a widely deployed attack surface
· The Lazarus group has a deep understanding of South Korea's software ecosystem and used it to launch supply chain attacks
· The strategy resembles past campaigns such as Bookcode (2020), DeathNote (2022), and SIGNBT (2023)
Source: Operation SyncHole: Lazarus APT goes back to the well[4]

2) China

Chinese APT groups are concentrating their attacks on the Asian region and have developed and deployed various techniques, such as exploiting network device vulnerabilities and bypassing EDR products. An investigation is also under way into whether Earth Bluecrow is behind the April 2025 breach of a South Korean telecommunications company.

APT41

A server linked to APT41's KeyPlug backdoor was briefly exposed, revealing scripts that exploit Fortinet device vulnerabilities, encrypted web shells, and reconnaissance tools.

Case 1.
Period: March 2025
Target: Japanese cosmetics company Shiseido
Initial Access:
· Attempted to gain initial access by exploiting vulnerabilities in Fortinet firewall and VPN devices
· Executed CLI commands through an unauthenticated WebSocket endpoint
Exploited Vulnerabilities:
· CVE-2024-23108: Fortinet FortiSIEM OS command injection
· CVE-2024-23109: Fortinet FortiSIEM OS command injection
Malware and Tools:
· KeyPlug backdoor
· 1.py: detects Fortinet devices and identifies their versions
· ws_test.py: exploits the WebSocket CLI vulnerability
· bx.php: a PHP web shell that decrypts an encrypted payload and executes it in memory
· fscan: port scanning and service enumeration tool
Techniques:
· Executing commands via an unauthenticated WebSocket endpoint
· Payload concealment using AES and XOR encryption
· Network reconnaissance and internal portal exploration
Damage:
· Collected information on about 100 domains related to Shiseido
· Reconnaissance of internal systems and authentication portals
Description: Exploited Fortinet device vulnerabilities for initial access, then used an encrypted web shell and reconnaissance scripts to explore the target environment
Source: KeyPlug-Linked Server Briefly Exposes Fortinet Exploits, Webshells, and Recon Activity Targeting a Major Japanese Company[5]
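The bx.php pattern (an encrypted payload that is decoded, decrypted with AES and XOR, and executed in memory) leaves a recognisable shape in PHP source even though the payload itself never touches disk: attacker-controlled input, one or more decode/decrypt steps, and an execution sink. The script below is an added example for this page, not bx.php and not code from the source report; it is a static triage that classifies PHP files by which stages of that input-decode-execute chain they contain. Both PHP samples are constructed here, the key in the first is a placeholder, and the regex lists are illustrative rather than exhaustive.

```python
import os
import re
from typing import Dict, List

# Heuristics for the decrypt-then-eval pattern: attacker input comes in, is decoded or
# decrypted, and lands in an execution sink. Each pattern is a regex over PHP source.
INPUT_SOURCES = re.compile(
    r"\$_(?:POST|GET|REQUEST|COOKIE|SERVER)\b|php://input|getallheaders\s*\(", re.I)
DECODE_OR_DECRYPT = re.compile(
    r"\b(?:base64_decode|openssl_decrypt|mcrypt_decrypt|gzinflate|gzuncompress|gzdecode"
    r"|str_rot13|hex2bin)\s*\("
    r"|\^\s*\$\w+\s*\[",          # byte-wise XOR against a key string, e.g. $d[$i] ^ $k[$i % $n]
    re.I)
EXEC_SINKS = re.compile(
    r"\b(?:eval|assert|create_function|call_user_func(?:_array)?|system|shell_exec"
    r"|passthru|popen|proc_open|exec)\s*\(",
    re.I)


def triage_php(source: str) -> Dict[str, object]:
    """Classify one PHP file by which stages of the input -> decode -> execute chain it contains."""
    hits = {
        "input": sorted({m.group(0) for m in INPUT_SOURCES.finditer(source)}),
        "decode": sorted({m.group(0).strip() for m in DECODE_OR_DECRYPT.finditer(source)}),
        "sink": sorted({m.group(0).strip() for m in EXEC_SINKS.finditer(source)}),
    }
    if hits["input"] and hits["decode"] and hits["sink"]:
        verdict = "webshell-likely"      # full chain: remote bytes are unwrapped and executed
    elif hits["sink"] and (hits["input"] or hits["decode"]):
        verdict = "suspicious"           # execution sink fed by input or by an obfuscation layer
    else:
        verdict = "clean"
    return {"verdict": verdict, **hits}


def scan_tree(root: str) -> List[Dict[str, object]]:
    """Walk a web root (a copy or a mounted image) and report every PHP file that is not clean."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                result = triage_php(fh.read())
            if result["verdict"] != "clean":
                findings.append({"path": path, **result})
    return findings


# Constructed sample in the style the page describes (payload decrypted and eval'd in memory);
# it is not the bx.php recovered by the source, and the key is a placeholder.
SAMPLE_SHELL = r'''<?php
$k = "placeholder-key!";
$d = base64_decode($_POST["data"]);
$d = openssl_decrypt($d, "aes-128-cbc", $k, OPENSSL_RAW_DATA, substr($k, 0, 16));
for ($i = 0; $i < strlen($d); $i++) { $d[$i] = $d[$i] ^ $k[$i % strlen($k)]; }
eval($d);
'''

# Constructed benign file: reads no attacker input and executes no code.
SAMPLE_CLEAN = r'''<?php
header("Content-Type: application/json");
echo json_encode(["status" => "ok", "time" => time()]);
'''

if __name__ == "__main__":
    for label, src in (("shell", SAMPLE_SHELL), ("clean", SAMPLE_CLEAN)):
        print(label, triage_php(src))
```

The three-stage scoring matters more than any single keyword: `base64_decode` or `eval` on its own is common in legitimate frameworks, but a file that takes raw request data, strips one or more encoding layers from it, and hands the result to `eval` has almost no benign explanation. Run `scan_tree` against a copy of the web root rather than the live one, and diff the findings against a known-good deployment to cut the noise from bundled libraries.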

Earth Bluecrow

The Earth Bluecrow group used a new controller for the BPFDoor backdoor in cyber espionage against the telecommunications, finance, and retail industries in Asia and the Middle East.

Case 1.
Period: 2021 to present
Targets: Telecommunications, finance, and retail industries in South Korea, Hong Kong, Myanmar, Malaysia, and Egypt
Initial Access: Unknown (under investigation)
Vulnerability Exploited: Unknown
Malware and Tools: BPFDoor (Backdoor.Linux.BPFDOOR)
Techniques:
· Packet filtering using the Berkeley Packet Filter (BPF)
· Activating the backdoor with a network packet that contains a 'magic sequence'
· Concealment by renaming the process and not listening on any port
· Communicating over TCP, UDP, and ICMP
· Control protected by password authentication and an encrypted connection
Damage:
· Long-term concealment within the system
· Lateral movement within the network using a reverse shell
· Access to sensitive data and further control of systems
Description:
· BPFDoor is a backdoor designed for state-sponsored cyber espionage. Because its BPF filter is attached to a raw socket and inspects packets before the host firewall's rules act on them, the implant can receive its trigger even on ports the firewall blocks, and it communicates stealthily.
· The controller opened a reverse shell to extend the threat actor's access within the infected network
Source: BPFDoor's Hidden Controller Used Against Asia, Middle East Targets[6]
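How the 'magic sequence' trigger works, and how to hunt for it on the wire, as an added example for this page (not code from the source report or from the implant): the filter the implant attaches with SO_ATTACH_FILTER only passes packets whose first two bytes of L4 payload equal a magic value, which is why the process needs no listening port. The magic constants below are the ones documented in public analyses of the 2021 BPFDoor sample, not values taken from this page; newer builds may use others, so treat them as tunable. The packets are constructed inline so the check runs offline.

```python
import socket
import struct
from typing import List, Optional, Tuple

# Magic values from public analyses of the 2021 BPFDoor sample (UDP/ICMP 0x7255, TCP 0x5293).
# The page only says "magic sequence"; newer builds may differ, so tune these per sample.
MAGIC_UDP_ICMP = 0x7255
MAGIC_TCP = 0x5293

# The same logic as a tcpdump/libpcap expression. The implant compiles an equivalent cBPF
# program and attaches it to a raw socket, so only trigger packets ever reach user space.
PCAP_FILTER = ("udp[8:2]=0x7255 or icmp[8:2]=0x7255 or "
               "tcp[((tcp[12]&0xf0)>>2):2]=0x5293")

IPPROTO = {1: "icmp", 6: "tcp", 17: "udp"}


def magic_match(ip_packet: bytes) -> Optional[str]:
    """Return 'tcp', 'udp' or 'icmp' if the packet carries the trigger, else None.
    Offsets follow the filter above: the magic sits in the first two bytes after the L4 header."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        return None
    ihl = (ip_packet[0] & 0x0F) * 4
    proto = ip_packet[9]
    l4 = ip_packet[ihl:]
    if proto in (1, 17):                    # ICMP and UDP both have an 8-byte header
        if len(l4) >= 10 and struct.unpack_from("!H", l4, 8)[0] == MAGIC_UDP_ICMP:
            return IPPROTO[proto]
    elif proto == 6:
        if len(l4) < 20:
            return None
        doff = (l4[12] >> 4) * 4            # honours TCP options, as (tcp[12]&0xf0)>>2 does
        if len(l4) >= doff + 2 and struct.unpack_from("!H", l4, doff)[0] == MAGIC_TCP:
            return "tcp"
    return None


def find_triggers(packets: List[bytes]) -> List[Tuple[int, str]]:
    """Index every packet in a capture that would wake the implant."""
    hits = []
    for i, pkt in enumerate(packets):
        proto = magic_match(pkt)
        if proto:
            hits.append((i, proto))
    return hits


# --- Constructed packets for offline testing (checksums left zero; the filter never reads them) ---
def ipv4(proto: int, payload: bytes, src: str = "192.0.2.10", dst: str = "192.0.2.20") -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload


def udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def tcp(sport: int, dport: int, data: bytes, options: bytes = b"") -> bytes:
    assert len(options) % 4 == 0, "TCP options are padded to 32-bit words"
    doff = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, doff << 4, 0x18, 65535, 0, 0) + options + data


def icmp_echo(data: bytes) -> bytes:
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + data


MSS_OPTION = b"\x02\x04\x05\xb4"   # one 4-byte option, so the TCP data offset becomes 6 words
CAPTURE = [
    ipv4(6, tcp(40123, 443, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n")),                     # benign
    ipv4(17, udp(40124, 53, struct.pack("!H", MAGIC_UDP_ICMP) + b"\x00" * 32)),          # UDP trigger
    ipv4(6, tcp(40125, 22, struct.pack("!H", MAGIC_TCP) + b"\x00" * 32, MSS_OPTION)),   # TCP trigger with options
    ipv4(1, icmp_echo(struct.pack("!H", MAGIC_UDP_ICMP) + b"\x00" * 32)),                # ICMP trigger
    ipv4(6, tcp(40126, 22, struct.pack("!H", MAGIC_TCP))[:21]),                         # truncated, too short
]

if __name__ == "__main__":
    print(find_triggers(CAPTURE))
```

`PCAP_FILTER` can be used directly with tcpdump or a sensor to alert on trigger packets arriving at hosts that run no service on the destination port, which is the tell: the implant answers on ports nothing is listening on. On the host itself, the complementary indicator is a process holding an AF_PACKET socket (listed in /proc/net/packet) under a borrowed daemon name, since a renamed process still cannot hide the raw socket it needs for the filter.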


[1] https://www.genians.co.kr/blog/threat_intelligence/konni_disguise

[2] https://www.krcert.or.kr/kr/bbs/view.do?searchCnd=1&bbsId=B0000133&searchWrd=&menuNo=205020&pageIndex=6&categoryCode=&nttId=71686

[3] https://www.krcert.or.kr/kr/bbs/view.do?searchCnd=&bbsId=B0000133&searchWrd=&menuNo=205020&pageIndex=1&categoryCode=&nttId=71693

[4] https://securelist.com/operation-synchole-watering-hole-attacks-by-lazarus/116326/

[5] https://hunt.io/blog/keyplug-server-exposes-fortinet-exploits-webshells

[6] https://www.trendmicro.com/en_us/research/25/d/bpfdoor-hidden-controller.html