Full Report
Trellix issued new research on Tuesday, identifying that the threat landscape has seen a notable intensification, with threat... The post RSA 2025: Trellix CyberThreat reveals 136% surge in APT attacks on US in Q1 2025 as threat landscape intensifies appeared first on Industrial Cyber.
Analysis Summary
# Threat Actor: APT40
## Attribution & Identity
- Primarily attributed to China.
- Mentioned alongside Mustang Panda as one of the most active Chinese APT groups during the reporting period.
## Activity Summary
- APT40 was identified as one of the most active APT groups globally during the reporting period (Q1 vs. Q4 last year).
- APT40, combined with Mustang Panda, accounted for 46 percent of all detected APT activity.
- Associated with China-based threat actors that demonstrated increasingly refined tactics.
## Tactics, Techniques & Procedures
- Shifting focus from traditional methods like phishing to exploiting both zero-day and known vulnerabilities.
- Leveraging more sophisticated tools, enhanced evasion techniques, and advanced post-exploitation frameworks.
- Increasing exploitation of known software vulnerabilities.
- Targeting security software itself to undermine protective infrastructure.
## Targeting
- Sectors: Telecommunications, Transportation/Shipping, Technology (though less specific attribution to APT40 directly than overall APT trends). Government institutions remained the top target across all APTs.
- Geography: Türkiye (most frequently targeted country overall), United States (substantial rise in targeted attacks).
- Victims: Not specifically named for APT40, but targeting is aligned with sectors seeing high overall APT detection.
## Tools & Infrastructure
- Malware families used: Not explicitly listed for APT40 specifically in this text.
- Infrastructure (C2, domains, IPs): Not explicitly listed for APT40 specifically in this text.
## Implications
- APT40 represents a persistent and evolving threat from China, contributing significantly to the 45% global rise in APT detection volume seen in Q1.
- Their shift towards exploiting vulnerabilities (zero-day and known) indicates a tactical maturation aiming to bypass defenses.
## Mitigations
- Focus defenses on detecting exploitation of known software vulnerabilities.
- Implement robust protection against attacks targeting security software itself.
- Maintain defense-in-depth strategies capable of addressing multi-vector threats.
***
# Threat Actor: Mustang Panda
## Attribution & Identity
- Primarily attributed to China.
- Mentioned alongside APT40 as one of the most active Chinese APT groups during the reporting period.
## Activity Summary
- Mustang Panda was identified as one of the most active APT groups globally during the reporting period (Q1 vs. Q4 last year).
- Mustang Panda, combined with APT40, accounted for 46 percent of all detected APT activity.
## Tactics, Techniques & Procedures
- China-based actors, including those like Mustang Panda, demonstrated increasingly refined tactics.
- Shifting focus from traditional methods like phishing to exploiting both zero-day and known vulnerabilities.
## Targeting
- Sectors: Not specified for Mustang Panda directly, but targeting aligns with overall APT trends (Telecom, Government).
- Geography: Not specified for Mustang Panda directly, but contributing to threats focused on Türkiye and the U.S.
- Victims: Not specifically named.
## Tools & Infrastructure
- Malware families used: Not explicitly listed for Mustang Panda.
- Infrastructure (C2, domains, IPs): Not explicitly listed for Mustang Panda.
## Implications
- Mustang Panda is a primary driver, alongside APT40, of the high volume of detected Chinese-affiliated APT activity.
## Mitigations
- Focus defenses on detecting exploitation of known software vulnerabilities.
- Enhance detection capabilities against advanced post-exploitation frameworks.
***
# Threat Actor: APT41
## Attribution & Identity
- Primarily attributed to China.
## Activity Summary
- Activity saw a significant increase of 113 percent in Q1 compared to the previous quarter.
- Activity contributes to the growing complexity and breadth of Chinese global cyber operations.
## Tactics, Techniques & Procedures
- Exhibits persistent and evolving cyber operations aligning with overall Chinese actor trends (e.g., shifting to vulnerability exploitation).
## Targeting
- Sectors: Global industries.
- Geography: Not specified beyond global scope.
- Victims: Not specifically named.
## Tools & Infrastructure
- Malware families used: Not explicitly listed.
- Infrastructure (C2, domains, IPs): Not explicitly listed.
## Implications
- APT41’s massive surge in activity (113% increase) marks it as a rapidly escalating threat during the reporting period.
## Mitigations
- Proactive patching and vulnerability management are critical given observed shifts in tactics.
***
# Threat Actor: Midnight Blizzard (APT29)
## Attribution & Identity
- Known Alias: APT29.
- Identified as the third most active group during the reporting period.
- Aligned with Russia.
## Activity Summary
- Activity surged, specifically noted in the last quarter of 2024 (although analysis covers Q1 2025).
- Focused heavily on espionage and targeting resilient sectors.
## Tactics, Techniques & Procedures
- Focused heavily on the transportation/shipping and telecommunications sectors.
## Targeting
- Sectors: Transportation and Shipping (55 percent of focus), Telecommunications (40 percent of focus). Government institutions were the overall top target category across all APTs.
- Geography: Not specified.
- Victims: Government and NGOs (based on associated research link).
## Tools & Infrastructure
- Malware families used: Not explicitly listed.
- Infrastructure (C2, domains, IPs): Not explicitly listed.
## Implications
- Midnight Blizzard continues to focus on critical infrastructure sectors like transport and telecom, indicating strategic intelligence-gathering priorities tied to logistics and wartime support.
## Mitigations
- Harden security controls within Transportation/Shipping and Telecommunications sectors.
- Focus monitoring on advanced espionage techniques often associated with APT29.
***
# Threat Actor: Sandworm Team
## Attribution & Identity
- Aligned with Russia.
## Activity Summary
- Detected a rise in activity associated with Sandworm during Q4 2024.
## Tactics, Techniques & Procedures
- Not detailed in the text beyond the observed rise in activity.
## Targeting
- Sectors/Geography/Victims: Not detailed.
## Tools & Infrastructure
- Malware families used: Not explicitly listed.
- Infrastructure (C2, domains, IPs): Not explicitly listed.
## Implications
- Indicates escalating Russian state-sponsored activity impacting critical systems late last year.
## Mitigations
- Increase vigilance for attack patterns associated with known Russian state-sponsored military groups.
***
# Threat Actor: Black Basta (Ransomware Group)
## Attribution & Identity
- Ransomware group.
## Activity Summary
- Observed utilizing generative AI tools (like ChatGPT) to enhance operational efficiency.
## Tactics, Techniques & Procedures
- Use of AI for creating fraudulent formal letters in English.
- Use of AI for paraphrasing text.
- Use of AI for rewriting C#-based malware into Python.
- Use of AI for debugging code.
- Use of AI for collecting victim data.
## Targeting
- Sectors/Geography/Victims: General ransomware targeting, focused on efficiency via AI.
## Tools & Infrastructure
- Tools: ChatGPT and other AI tools.
- Malware: Observed rewriting C#-based malware into Python, suggesting flexibility in payload deployment.
## Implications
- Represents the growing sophistication of ransomware operations leveraging AI for efficiency, communication formality, and technical adaptation.
## Mitigations
- Develop new detection heuristics for code rewritten by AI (e.g., Python variants of C# malware).
- Enhance vetting procedures against highly formal or contextually accurate phishing/extortion communications.