NSFOCUS Monthly APT Insights – November 2025


Regional APT Threat Situation
In November 2025, the global threat hunting system of Fuying Lab detected a total of 28 APT attack activities. These activities were concentrated mainly in South Asia and East Asia, with a smaller share observed in Eastern Europe and the Middle East. Some of the activities remain unattributed to known APT groups, as shown in the figure below.

In terms of group activity, the most active APT groups this month were Sidewinder and APT36 from South Asia. Other relatively active groups were Gamaredon from Eastern Europe and MuddyWater from the Middle East, as well as Kimsuky and Konni from East Asia.

The most prevalent intrusion method in this month’s incidents was spear-phishing email, accounting for 78% of all attack events. A smaller number of threat actors gained entry through vulnerability exploitation (11%) and watering hole attacks (7%).

In November 2025, the primary target industries for APT groups were government agencies, accounting for 32%, followed by military institutions accounting for 29%. Other attack targets included organizations or individuals, financial institutions, and research institutions.

South Asia
In November 2025, APT activities in South Asia were primarily initiated by known APT groups, with victims including Indian government departments, Indian military institutions, Indian organizations or individuals, government departments and military institutions in Pakistan and Bangladesh, the Sri Lankan navy, and the Azerbaijani government. In terms of attack tactics, the APT activities in South Asia this month mainly relied on spear-phishing email attacks. A typical decoy involved a phishing email targeting the Indian Ministry of Defense.
Subscribe NSFOCUS Threat Intelligence for full details of APT incident insights.
East Asia
In November 2025, APT activities in East Asia were primarily initiated by known APT groups, with victims including South Korean government departments, financial institutions, and research institutions.
In terms of attack tactics, APT activities in East Asia this month mainly relied on spear-phishing email attacks, with some groups also employing watering hole attacks. Regarding spear-phishing attacks, a typical decoy involved reports on specific financial transactions or related legal documents. Attackers sent phishing emails containing alerts about transaction anomalies, luring targets to click.
Eastern Europe
In November 2025, APT activities in Eastern Europe were primarily initiated by known APT groups, with victims including the Ukrainian State Anti-Corruption Bureau and Ukrainian military institutions. In terms of attack tactics, APT activities in Eastern Europe this month mainly relied on spear-phishing email attacks. A typical decoy involved Ukrainian government documents.
Middle East
In November 2025, APT activities in the Middle East were primarily initiated by known APT groups, with victims including Israeli organizations or individuals and Middle Eastern research institutions. In terms of attack tactics, APT activities in the Middle East this month mainly relied on spear-phishing email attacks.
Global Key APT Events

Event Name | Related Groups
Network Attack Campaign by an Unknown APT Group Leveraging the OpenAI Interface | SesameOp
Indian APT Group Bitter’s Network Attack Campaign Utilizing the WinRAR Vulnerability CVE-2025-6218 | BITTER

Interpretation of Key APT Events
Unknown APT Group Leveraging OpenAI Interface in Cyber Attack Campaign
In July 2025, an unknown attack group planned and launched a deep penetration attack against a specific target environment. The new backdoor disclosed in this incident was named "SesameOp". In this operation the attackers used a special injection technique and a communication mode that abused the OpenAI interface, with the main purpose of conducting long-term cyber espionage.
The most notable feature of SesameOp in this incident is its abuse of the OpenAI Assistants API as the C2 channel. Using legitimate AI infrastructure for command-and-control communication has been extremely rare in previous attacks. This report focuses on the principle by which this backdoor injects through the XXX via the OpenAI API.
The abuse of the OpenAI interface by XXX is essentially an attack technique that uses cloud services as C2 infrastructure. This technique has been in use for many years: APT groups and other criminal groups have previously used cloud services such as Pastebin, OneDrive, Mega, and Dropbox to relay C2 instructions. Such abuse usually requires an API key bound to an attacker-controlled account; once the Trojan has used the key to reach the account’s own storage space, it retrieves the encrypted attack instructions from it. SesameOp’s operation follows the same process.
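The cloud-service C2 pattern described above leaves a defender-visible trace: a non-interactive process talking to a legitimate API at machine-regular intervals. The following added example (not NSFOCUS code) scores constructed egress proxy log lines for that pattern; the log format, thresholds, process names and the watched host list are assumptions.

```python
"""Flag hosts whose traffic to legitimate cloud or AI APIs looks like C2 beaconing.

Added example, not NSFOCUS code. The log format, thresholds and process names are
assumptions; the watched hosts are the services the report names plus the OpenAI API host.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

WATCHED_HOSTS = {"api.openai.com", "pastebin.com", "api.onedrive.com",
                 "mega.nz", "api.dropboxapi.com"}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}  # interactive use is expected

# Constructed egress proxy log: "<ISO time> <client> <process> <dest host> <path>"
SAMPLE_LOG = """\
2025-11-03T09:00:00 ws-17 svchost.exe api.openai.com /v1/threads
2025-11-03T09:05:01 ws-17 svchost.exe api.openai.com /v1/threads
2025-11-03T09:10:00 ws-17 svchost.exe api.openai.com /v1/threads
2025-11-03T09:14:59 ws-17 svchost.exe api.openai.com /v1/threads
2025-11-03T09:02:11 ws-04 chrome.exe api.dropboxapi.com /2/files/list_folder
2025-11-03T10:37:45 ws-04 chrome.exe api.dropboxapi.com /2/files/list_folder
2025-11-03T09:01:00 ws-09 python.exe api.openai.com /v1/chat/completions
"""

def parse(log):
    """Group request timestamps by (client, process, destination host)."""
    series = defaultdict(list)
    for line in log.splitlines():
        ts, client, proc, host, _path = line.split()
        if host in WATCHED_HOSTS:
            series[(client, proc, host)].append(datetime.fromisoformat(ts))
    return series

def find_beacons(log, min_hits=3, max_jitter=0.05):
    """Return (client, process, host) keys where a non-browser process contacts a
    watched service at near-constant intervals. A low coefficient of variation of
    the inter-request gaps is the beaconing signal; min_hits avoids judging one gap."""
    flagged = []
    for key, stamps in parse(log).items():
        if key[1].lower() in BROWSERS or len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            flagged.append(key)
    return flagged

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print("possible cloud-API C2 beacon:", hit)
```

In the constructed log only ws-17 is flagged: a system process contacting the OpenAI API every five minutes, while the browser session and the single scripted call are left alone.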
The Cyber-attack Operation by the Indian APT Group BITTER Exploiting the WinRAR Vulnerability CVE-2025-6218
The India-based APT group BITTER carried out a phishing campaign targeting Pakistan and the Kashmir region in November 2025. In this operation it delivered its initial payload by exploiting CVE-2025-6218, a WinRAR vulnerability first seen as a zero-day in June 2025. This is the first known instance of an APT group using this vulnerability.

Group Name: BITTER
Appear Time: 2013
Attack Target: Bangladesh, China, India ……

CVE-2025-6218 is a path traversal vulnerability in WinRAR. By constructing a relative path that uses “..” segments together with a special construction method, an archive triggers path traversal on extraction, so that files are written to an attacker-chosen path and end up being executed automatically.
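The generic defence against this class of bug is to normalise every archive entry name and refuse any that would land outside the extraction directory. The following added example (not NSFOCUS or WinRAR code) implements that check over a constructed archive listing; the entry names are made up for illustration.

```python
"""Reject archive entry names whose path would escape the extraction directory.

Added example, not NSFOCUS or WinRAR code. It shows the generic normalisation check
that defeats the ".."-based traversal described for CVE-2025-6218; entry names are constructed.
"""
import posixpath

def is_safe_entry(name: str) -> bool:
    """True if extracting `name` under the destination directory stays inside it.

    Backslashes are treated as separators (Windows-authored archives), absolute
    paths and drive letters are rejected outright, and the name is normalised so
    that ".." segments and "./" padding cannot smuggle the write outside the root."""
    path = name.replace("\\", "/")
    if path.startswith("/") or (len(path) > 1 and path[1] == ":"):
        return False                      # absolute path or drive letter
    norm = posixpath.normpath(path)       # collapses "a/../b", "./x", "//"
    return norm != ".." and not norm.startswith("../")

def filter_entries(names):
    """Split an archive listing into (safe, rejected) lists; rejected entries
    would be written outside the extraction directory and must not be extracted."""
    safe, rejected = [], []
    for n in names:
        (safe if is_safe_entry(n) else rejected).append(n)
    return safe, rejected

# Constructed listing: three benign entries (two use ".." or "." internally but stay
# inside the root) and three that try to leave the extraction directory.
SAMPLE_ENTRIES = [
    "report/Kashmir_update.pdf",
    "images/../report.pdf",                 # normalises to report.pdf: stays inside
    "docs/./notes.txt",
    "report/../../outside/startup.lnk",     # one level above the root
    "..\\..\\Users\\Public\\payload.exe",   # Windows separators, two levels up
    "C:\\Windows\\Temp\\tool.dll",          # drive-qualified absolute path
]

if __name__ == "__main__":
    ok, bad = filter_entries(SAMPLE_ENTRIES)
    print("would extract:", ok)
    print("blocked:", bad)
```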

*** This is a Security Bloggers Network syndicated blog from NSFOCUS, Inc., authored by NSFOCUS. Read the original post at: https://nsfocusglobal.com/nsfocus-monthly-apt-insights-november-2025/
