From cyberespionage to ideologically motivated attacks: APT groups and hacktivists in 2025

The global trend toward the digitalization of society year over year continues to drive growth in the number of high-tech cyberattacks and the overall level of cybercrime. The motivation of attackers is not limited to financial gain, and amid ongoing geopolitical conflicts, scientific rivalry, and clashes of economic interests between states and companies, the growing activity of APT groups and hacktivists is becoming increasingly noticeable. The goals and motivations of such groups range from profit to sabotage or espionage in the interests of particular states.

Research objectives:

• Assess the state of the global cyberthreat landscape for 2025.
• Identify regional trends in cyberattacks.
• Highlight the most active APT groups and hacktivists targeting different regions.
• Produce heat maps of tactics and techniques most popular among attackers in these regions.
• Develop conclusions and assumptions about the APT and hacktivist threat landscape for 2026 for each region.
• Forecast the activities of APT groups and hacktivists for each region.

Information on incidents and TTPs used by attackers was drawn from our own internal sources and open-source materials. Because open-source materials often publish only incomplete attack chains, the percentages shown in heat maps and charts may be lower than the actual figures, but they reflect the overall situation proportionally.

The grouping of countries is based on geographical location or formal participation in certain economic and political unions. Therefore, for example, this report classifies Ukraine as part of the European region and Moldova as part of the CIS.

The graphs are designed to reflect the activity of cybercriminal groups across the entire region, so the number of targeted countries, rather than the number of attacks, is used as the basis.

The tactics and techniques are described in terms of the MITRE ATT&CK Matrix for Enterprise. The report includes links to detailed descriptions of the techniques, groups, malware, or events mentioned.

The research report is intended to draw the attention of companies, government organizations, and individuals interested in the current state of cybersecurity in the context of advanced cybercrime to the most relevant tactics and techniques of APT groups and their targets in different regions. Terms used in the report are listed in the glossary on the Positive Technologies website.

Research scope

The main trend of the past year was not the use of new tools or techniques, but the blurring of boundaries between familiar categories of attackers. Some hacktivist groups, due to changes in their motivations and goals, began to fall under the definition of APT groups. Many such groups began to carry out attacks in support of the actions of certain states; their targets became more significant, the attacks more complex, and the impact shifted from classic DDoS and defacements to real sabotage or espionage. Hacktivist groups either turned to political hacktivism, which is sponsored and directed by a state (hacktivism for hire), or acted independently, choosing appropriate targets (government agencies, industry companies, or similar entities).

There are also coordinated attacks involving pro-state groups, when hacktivists and pro-state APT groups join forces. All these changes have led to certain hacktivist groups reaching a level close to that of APT groups, with their goals and motivations fully aligning. An example is the activity of the hacktivist group UCA, which, during its operations, began to cooperate with pro-state groups and attack critical information infrastructure in Russia.

Based on the above, this report includes political hacktivist groups in the overall statistics of attacks if they conducted sophisticated attacks, caused significant damage, were linked to pro-state groups, or acted in the geopolitical and military interests of certain states.

In 2025, the activities of groups carrying out advanced persistent threat (APT) attacks continued to pose a significant threat to states and organizations around the world. Based on the generally accepted definition of APT attacks, one can conclude that a group can be classified as an APT group if it meets certain criteria. These criteria include conducting planned, targeted attacks, demonstrating a high level of skill, and operating over a long period, thereby constituting a persistent threat.

APT groups may include pro‑state groups and non‑state organized groups (for example, groups specialized in e‑crime and commercial espionage), excluding ransomware‑as‑a‑service operators and ransomware operators.

These highly skilled groups typically conduct reconnaissance, industrial espionage, sabotage, support for special operations, and similar activities. Against the backdrop of continued growth in the use of ransomware by attackers and ongoing political and socioeconomic conflicts worldwide, more and more financially motivated cybercriminal groups are emerging. At the same time, the boundary between hacktivism and pro‑state cybercriminal activity is blurring, creating a more complex and extensive threat landscape..

Although hacktivist groups originally represented collectives that use hacking methods to pursue political, social, or ideological goals and draw attention to issues rather than personal gain, many of them now act not as digital protesters seeking wide coverage of their ideas but as direct participants in pro‑state operations or conduct serious attacks independently. Thus, in addition to APT groups, scope of this research includes hacktivist groups whose actions fit the definition of advanced persistent threat attacks and were monitored during 2025 and early 2026.

In 2025, the activity of APT groups and hacktivists worldwide exhibited several general trends, but persistent regional differences also stand out.

• Political hacktivism, combined with state coordination or sponsorship, has become a significant phenomenon in cyberattacks and information operations. Hacktivists now often act as proxies or participate in cyberattacks jointly with or under the direction of pro‑state groups.
• In 2025, the peak attacker activity occurred in North America, the CIS, and Europe. The most frequent targets were China, the United States, Russia, as well as regional centers of economic and geopolitical influence.
• Espionage and sabotage remain the main motives of pro‑state APT groups and hacktivists, while many operations combine intelligence objectives with overt destruction of infrastructure or data.
• Southeast Asia and the Pacific region continue to lead in the diversity of techniques, tactics, and procedures used by attackers. Groups operating in this area demonstrate high adaptability, actively combining legitimate tools, methods of bypassing security controls, and nonconventional TTPs. This is explained by the high level of digital infrastructure development in the leading countries of the region and the attackers' high level of skill.
• The Middle East is characterized by a focus on attacks against critical infrastructure, the public sector, and strategic industries (energy, logistics, and telecom). Typical scenarios in the region include data theft followed by destruction or sabotage, as well as influence operations amid military and political crises. However, in 2025, attacks were increasingly directed at private individuals and social facilities.
• Africa and Latin America remain regions with high activity by financially motivated groups, but in 2025 they also saw active pro‑state APT operations leveraging local conflicts, political instability, and weak infrastructure protection.
• The European region became the leader in the number of hacktivist groups attacking it. This is largely due to geopolitical disagreements and the massive media effect of such successful attacks.
• Phishing is the main method of initial intrusion (up to 43%). It remains the key vector of initial access in all regions. The active use of generative AI leads to more effective social engineering, greater personalization of emails, and more scalable campaigns.
• T1059 (Command and Scripting Interpreter) is the most popular way to execute malicious code (used by up to 42% of groups). Interpreters (PowerShell, CMD, Bash, Python) are already present in many systems, allow code to be executed, easily masquerade as legitimate administrative actions, and minimize the need to deliver separate executables.
• T1027 (Obfuscated Files or Information) is a key technique for bypassing protection systems (used by up to 38% of groups). Obfuscation effectively reduces detectability by both signature‑based and behavioral means, allows the same malicious code to be reused in different campaigns, and significantly complicates analysis and attribution.
• A high diversity of persistence techniques is observed in the arsenals of the groups under review, particularly in Europe and South Asia. This is driven by the high level of digitalization across industries in these regions, the heterogeneity of digital infrastructure, and, consequently, the availability of multiple persistence mechanisms within victim environments.
• In the CIS, Europe, and Africa, there is a clear emphasis on the use of authentication data (T1555 and T1003). This is directly linked to the predominance of espionage as a primary attacker objective.
• The use of advanced and less common techniques (T1123 (Audio Capture), T1070 (Indicator Removal), T1113 (Screen Capture), T1056.001 (Keylogging)) is observed across all analyzed regions. These techniques are leveraged not only for intelligence gathering but also for the subsequent use of collected data in generating AI-driven fake images and audio content.
• Across all regions, the protection of authentication data remains a systemic weakness. In most cases, attackers successfully extract credentials from web browsers, configuration files, process memory, and through the use of keyloggers.
• Artificial intelligence is being increasingly adopted by adversaries and is expected to further scale both the reach and effectiveness of cyberattacks.
• In 2026, a further increase in both the activity and complexity of APT attacks is expected. Larger-scale cooperation with hacktivist groups is anticipated. Against the backdrop of geopolitical tensions and sustained APT activity, the most targeted states may intensify digital isolation measures, particularly within critical infrastructure sectors. At the same time, pro-state groups are likely to shift toward more sophisticated, multi-stage operations involving early-stage malware deployment and the establishment of distributed footholds across multiple organizations.
• The continuation of geopolitical conflicts will drive the growth of information and psychological operations conducted by pro-state actors and affiliated hacktivist groups. An increase in for-hire cybercriminal groups is expected, fueled by the commercialization of hacktivism and its growing integration into state interests.

The modern cyberthreat landscape is characterized by the activity of heterogeneous threat actors, among which APT groups and hacktivist collectives occupy a prominent position. Their presence and operations shape a complex risk environment, where the key analytical dimensions for understanding the threat are adversary motivation and the TTPs they employ.

This section provides a high-level overview of the threat landscape, focusing on the characteristic behavioral patterns and strategic objectives of these groups.

The impact of attacks carried out by APT groups and political hacktivists can be far-reaching, with damage manifesting in various forms, from large-scale data breaches involving sensitive information to the direct disruption of critical infrastructure.

The motivations of these groups may vary, including:

• Data breaches and espionage. The theft of sensitive information remains a key objective for many adversary campaigns. In 2025, a number of high-profile data breaches occurred as a result of targeted intrusions. One example is the espionage campaign conducted by the Cloaked Shadow group, which affected several defense industry enterprises in Russia.
• Sabotage and disruption of systems. In 2025, there was a notable increase in destructive cyberattacks targeting critical infrastructure, carried out by both hacktivist groups and APT actors. For example, APT33 and affiliated groups such as MuddyWater and OilRig have been linked to a series of attacks, including attempts to gain access to critical information infrastructure (CII). The impact of such operations extends beyond direct financial losses (downtime, equipment recovery) to undermining trust in the security of entire sectors. Moreover, these attacks often produce cascading effects: disruptions in the energy sector can halt industrial production, while attacks on water treatment facilities may lead to humanitarian crises.
• Financial theft and extortion. Many groups pursue multiple objectives within a single campaign. A notable example is North Korean pro-state groups, which in 2025 stole a record volume of cryptocurrency totaling approximately $2 billion, an increase of 51% compared to the previous year. In addition to financial gain, these operations also enabled attackers to obtain large volumes of exchange customer data and personally identifiable information.

During such attacks, companies and governments lose sensitive information (personal data, trade secrets, or internal documents), incur direct financial losses, experience disruptions to critical services, and in some cases face risks to human life (for example, in attacks targeting healthcare, energy, or transportation systems).

Each of these incidents illustrates the broad spectrum of threats posed by APT groups and hacktivists: theft of military secrets, disruption of critical infrastructure, large-scale intrusion campaigns, and long-term cyberespionage operations that can persist for years.

Given the above, cybersecurity is no longer a purely technical issue but a strategic priority. The threat posed by such groups directly impacts national security, economic stability, and society as a whole, making investments in cybersecurity measures and counter-threat capabilities not just justified but essential.

To better understand the nature and scale of these threats, let us examine several notable incidents from 2025 involving APT groups and hacktivist actors:

• Theft of military technologies. In October 2025, the Lazarus Group conducted a targeted operation against at least three European companies specializing in drone manufacturing and defense components. The attackers sent spear-phishing emails disguised as job offers, containing malware that enabled remote access. As a result, sensitive technical data related to drone technologies and production processes was exfiltrated. Given that these companies are defense contractors, the breach posed a direct risk to military security.
• Zero-day vulnerability exploitation (USA, Europe, and Asia). In 2025, a large-scale campaign was uncovered in which East Asian APT groups exploited a previously unknown ToolShell vulnerability in the corporate platform Microsoft SharePoint. The attackers were able to compromise corporate networks across four continents, including the United States, where key government agencies were affected. In total, dozens of organizations across North America, Europe, Asia, and Africa were compromised.
• Long-term espionage and covert persistence. The UNC3886 group conducted a prolonged and stealthy campaign in 2025 aimed at infiltrating and maintaining persistence within corporate and infrastructure networks. As part of the Fire Ant campaign, attackers compromised systems hosted in virtualized environments and deployed backdoors, enabling long-term access and continuous data collection while remaining undetected within victim networks.

The activities of APT groups and hacktivists demonstrate a clear and sustained trend: attacks targeting critical information infrastructure are no longer isolated incidents, but are increasingly systemic, long-term, and strategic in nature. Modern APT actors and advanced hacktivist groups operate covertly, leverage multi-stage compromise chains, combine cyberespionage with sabotage, and deliberately target assets whose disruption may result in significant social, economic, and political consequences.

Amid escalating geopolitical tensions and the growing interest of pro-state actors and hacktivists in critical infrastructure, cybersecurity is evolving from a purely technical domain into a strategic priority for states.

Against this backdrop, there is a clear need to develop a set of key recommendations aimed at improving the resilience of organizations and governments against sophisticated targeted cyberattacks.

• First, organizations of all sizes should reconsider their traditional approach to security. Basic cybersecurity measures are no longer sufficient to counter highly skilled threat actors. A proactive cybersecurity strategy and continuous monitoring are required. Experts emphasize the need to transition from a reactive defense model to a cyber resilience framework, which means continuous threat detection, rapid incident response, and the ability to maintain operations even under active attack.
• Second, investment in modern cybersecurity technologies is consistently justified by the prevention of large-scale incidents. Equally important is the development of threat intelligence capabilities, including systems for collecting and analyzing data on potential attacks. In practice, this involves proactively identifying emerging tactics and tools used by APT groups and hacktivists, monitoring their activity on the dark web, and sharing indicators of compromise (IoCs) across organizations. Cyberthreat intelligence is now as critical as technical protection measures, as it enables early-stage detection and prevention of attacks.
• Third, the human factor and workforce readiness remain critically important. Many sophisticated attacks still originate from simple vectors such as phishing emails. Regular employee training in cybersecurity awareness, attack simulations (penetration testing, phishing simulations), and the development of a security-first culture within organizations help mitigate these risks. In addition, at the national level, there is a growing need to train a larger number of cybersecurity professionals capable of countering highly skilled adversaries.

The scale and severity of APT activity and political hacktivism necessitate substantial investment in cybersecurity. Spending on monitoring systems, threat intelligence capabilities, and employee training is significantly lower than the potential damage caused by a large-scale cyberattack.

The past year has clearly demonstrated that without preventive measures and the modernization of security controls, organizations face a high risk of data breaches, operational disruptions, and sabotage of critical services. Therefore, investment in cybersecurity should no longer be viewed as optional, but as a fundamental prerequisite for operational stability and security.

The objectives of such groups are becoming increasingly diverse. For example, many pro-state actors are no longer focused solely on critical infrastructure but are also targeting a broader range of organizations, including retail chains, sports and tourism facilities, and service sector companies, where geopolitical attribution, rather than potential damage, becomes the primary driver.

In addition, there has been a noticeable increase in attacks targeting healthcare institutions and educational organizations, with universities among those affected in several cases.

APT groups are increasingly focusing on major events, forums, sporting competitions, and large-scale gatherings, particularly those with a political dimension. In such cases, cybersabotage is aimed at damaging the international reputation of the host country, which often becomes the primary objective of the attackers.

A notable example is the surge in cybercriminal activity observed during the World Economic Forum 2025. During the event, phishing campaigns, attacks targeting participants, media organizations, and contractors, as well as attempts to compromise digital services were recorded. These activities were aimed at discrediting the host nation and undermining trust in its ability to ensure the security of international events.

It is important to note that such attacks are often closely linked to geopolitical conflicts and increasingly represent elements of cyberwarfare. Rising global tensions are driving the escalation of cyberattacks: APT groups operate in parallel with traditional instruments of pressure and, in some cases, in coordination with politically motivated hacktivists.

The motivation of threat actors, including traditionally intelligence-focused pro-state APT groups, is undergoing a rapid transformation. Their objectives now extend far beyond classical cyberespionage. There is a growing number of cases where even state-affiliated groups publicly released stolen databases on dark web forums to inflict reputational damage on their targets, as seen in attacks against media organizations, political parties, and industrial enterprises.

Geopolitical tensions have also reshaped the hacktivist landscape. Groups that previously operated purely on ideological grounds are increasingly being used as instruments of information and psychological operations, often directed or coordinated by more advanced pro-state APT actors. An example is the activity of the Void Manticore group, which demonstrated a hybrid approach in 2025, combining APT-style tactics with hacktivist methods.

As a result, the activities of these groups, once operating independently, are now increasingly converging and overlapping.

In addition, there is a growing number of cases in which groups that were not previously financially motivated are now compromising IT/OT environments to steal cryptocurrency, conduct extortion campaigns, sell access on dark web forums, and even disrupt industrial systems.

For example, the CyberVolk group combines elements of hacktivism with financially motivated operations and actively uses ransomware. In 2025, the group operated both as an ideologically driven hacktivist collective and as a financially motivated criminal entity, demanding cryptocurrency payments for data decryption while simultaneously disseminating politically motivated messaging through its channels.

A clear trend toward hybridization of operations is also emerging: diversionary DDoS attacks or large-scale phishing campaigns conducted by hacktivists are increasingly used as a cover for more covert and sophisticated intrusions involving vulnerability exploitation.

This convergence of tactics and interests between hacktivism, APT activity, and cybercrime creates a more complex and less predictable threat landscape. Traditional security approaches are becoming less effective, and organizations must now consider not only technical attack vectors but also their broader sociopolitical context.

At the same time, this raises the question of classification: how should such threats be categorized when hacktivist groups reach the level of APT capabilities or operate as proxies for pro-state actors? Addressing this requires a deeper analysis of attacker motivations, the impact of their operations, and the regional characteristics of political hacktivism.

Thus, it can be concluded that the boundary between advanced hacktivist groups and APT actors is gradually blurring, particularly in terms of motivation and operational objectives.

In 2025, government institutions, industrial enterprises, defense organizations, and the financial sector were the most frequent targets of APT-group and hacktivist attacks.

Given the predominance of political motivations, these sectors, where the majority of critical information infrastructure (CII) assets are concentrated, were of particular interest to both hacktivist groups and APT actors.

Traditionally, the most targeted countries during the reporting period were the United States, Russia, and China. The CIS region accounted for the highest number of such attacks.

This trend is driven by current geopolitical developments, the shifting focus from prolonged conflicts to emerging hotspots, and increasing tensions in the Pacific region, particularly those related to territorial disputes. In such contexts, threat actors prioritize regions with a high concentration of critical infrastructure in order to maximize impact.

In Southeast Asia, the activity of Chinese, Korean, and Indian pro-state groups has been observed, along with actors linked to the Middle East.

As for the regional distribution of hacktivist attacks, the following pattern can be observed.

Table 1. Distribution of hacktivist activity across regions

These observations suggest that political hacktivism predominantly emerges in the context of geopolitical tensions and is often used as an instrument of influence operations, espionage, or support for special operations.

Although hacktivism remains a regionally driven phenomenon, it can now be considered an established tool of state influence in cyberspace. Political hacktivist groups increasingly operate in close coordination with state actors, directly expanding the diversity of tools, techniques, and operational capabilities they employ.

With regard to the techniques, tactics, and procedures employed by threat actors, a global TTP heat map was developed as part of the study based on data from all groups tracked by Positive Technologies. In addition, separate regional heat maps were developed for each analyzed region.

Key observations from the heat map:

• Initial access:

  T1566 (Phishing) is used by up to 43% of groups, with the CIS, Europe, and ASEAN leading in phishing activity. Across nearly all regions, phishing remains the primary initial access vector, underscoring the effectiveness of social engineering as a core attack technique.

  T1190 (Exploit Public-Facing Application) is used by up to 38% of groups, with South Asia and ASEAN leading in adoption. Threat actors frequently target vulnerable VPNs and web applications due to their exposure on the external perimeter.

• Execution and persistence:

T1204 (User Execution) is used by up to 33% of groups, with Africa leading in the use of this technique. This reflects the prevalence of attacks delivered via malicious documents and software, particularly in regions with lower levels of cyberhygiene.

T1059 (Command and Scripting Interpreter) is used by up to 43% of groups and represents a consistent global trend. PowerShell and CMD are the most commonly used, although VBS scripts/macros and Python scripts are also observed in some regions. This highlights both the versatility of the technique and the difficulty of detecting such activity.

T1547 (Boot or Logon Autostart Execution) is used by up to 24% of groups, with Europe in the lead. The primary objective is persistence and long-term presence within compromised systems, often associated with espionage-driven campaigns.

• Command and control:

T1071 (Application Layer Protocol) is used by up to 33% of groups, predominantly in Asia and the CIS.

T1573 (Encrypted Channel) is used by up to 19% of groups, with the Americas leading. This indicates a higher level of operational maturity among threat actors.

T1105 (Ingress Tool Transfer) is used by up to 33% of groups, with the CIS and ASEAN leading. This technique is used to deliver remote access tools and post-exploitation frameworks, typically after the initial compromise.

• Data collection:

T1005 (Data from Local System) is used by up to 19% of groups, with the Americas leading. This reflects a strong focus on espionage and data-harvesting activities.

• Defense evasion:

T1027 (Obfuscated Files or Information) is used by up to 38% of groups, with Europe and ASEAN leading. Attackers actively obfuscate payloads to evade detection mechanisms.

T1140 (Deobfuscate/Decode Files or Information) is used by up to 29% of groups, with South Asia leading. This technique often accompanies obfuscation and the deployment of custom malware.

• Notable but less common techniques observed across regions:

T1574.001 (DLL): Southeast Asia is leading. This technique involves abusing trusted processes to load malicious DLLs.

T1583 (Acquire Infrastructure): the Americas are leading. Pre-deployment of attacker-controlled infrastructure (domains, servers) indicates preparation for large-scale, coordinated campaigns.

As in previous years, phishing and the exploitation of public-facing applications remain the primary initial access vectors across all regions. The use of command interpreters and tool transfer techniques forms the foundation of a significant portion of APT and hacktivist operations. At the same time, there is a clear shift toward the encryption and obfuscation of command-and-control channels, reflecting the increasing sophistication and maturity of threat actors.

The methods and techniques used by threat actors to achieve their objectives continue to evolve. There is a growing adoption of artificial intelligence across the attack chain, as well as an increased use of ransomware not only for financial gain but also as a tool of sabotage.

Particular attention should be paid to the periodic use of audio, video, and screen capture techniques. Many groups have increasingly leveraged AI to generate phishing campaigns as part of their operations. For example, in September 2025, the Kimsuky group used ChatGPT to generate fake South Korean military IDs, which were then used in phishing campaigns targeting defense institutions. These forged credentials increased the credibility of phishing emails and significantly improved the likelihood of victim engagement.

In addition, some APT groups have begun using AI for voice cloning and deepfake generation. This correlates with the high prevalence of T1123 (Audio Capture) observed across multiple regions. Beyond traditional espionage objectives, the collected data is also used to train AI models for subsequent operations, including defacement campaigns and the creation of fake audio messages.

For instance, between April and May 2025, threat actors from the BlueNoroff group used deepfake impersonations of Manta Network executives during Zoom meetings to persuade participants to install a malicious “update,” ultimately leading to system compromise.

In 2025, the number of ransomware-related incidents declined; however, financially motivated attacks are no longer limited to ransomware operators or RaaS affiliates. Some pro-state APT groups and hacktivists are also conducting such operations, targeting organizations to steal funds or exfiltrate data for subsequent monetization.

In most cases, financial gain remains the primary objective. However, ransomware is increasingly being used as a tactical component within broader attack chains, particularly for sabotage purposes.

Notably, in the second half of the year, the Dire Wolf group used ransomware not as a primary monetization mechanism, but as a tool for destructive impact. Following initial access and lateral movement within victim environments, the attackers deliberately encrypted servers and workstations, destroyed backups, and disrupted critical services. This resulted in prolonged downtime and significant financial damage, even when ransom payment was not the primary goal.

Based on the detailed analysis conducted, we can highlight the key regional characteristics of the analyzed geographical areas as follows:

• Europe. A stable presence of hacktivist activity alongside espionage conducted by pro-state APT groups. This can be attributed to a highly developed political ecosystem and active civil society, where hacktivism and state-sponsored cyberespionage are used as instruments of pressure and influence without directly escalating geopolitical conflicts.
• CIS and South Asia. A broad spectrum of scripts and techniques. The combination of heterogeneous infrastructure, availability of public tooling, and uneven cybersecurity investment across countries leads to the active use of universal scripts, public exploits, and hybrid attack techniques.
• Africa. A high prevalence of cyberfraud and social engineering. Low levels of cyberhygiene and regulatory maturity make social engineering and fraud among the most effective and low-cost attack methods.
• Middle East. A high share of sabotage- and espionage-driven attack scenarios. Geopolitical tensions and varying levels of critical infrastructure protection drive campaigns focused on disruption and intelligence gathering as part of broader geopolitical conflicts.
• The Americas. Advanced attacker tooling combined with financially motivated cybercrime. A developed financial ecosystem and expanding digital economy attract threat actors who often use relatively simple tools to achieve direct financial gain.
• Pacific region. A high volume of custom malware and scripts, as well as well-orchestrated phishing and information campaigns. The combination of technological maturity and ongoing geopolitical and information conflicts drives the development of tailored malware and sophisticated social engineering operations.

These trends in APT and political hacktivist activity observed in 2025, while broadly consistent across regions, underscore the need for a comprehensive approach to cybersecurity and preparedness for potential incidents based on in-depth analysis of TTPs. At the same time, each region retains distinct characteristics and influencing factors. These regional distinctions, together with the behavioral patterns of APT groups and political hacktivists, are examined in detail in the following sections.

CIS countries are rapidly advancing in both digitalization and cybersecurity. Russia, Belarus, and Kazakhstan hold leading economic positions in the region and place greater emphasis on information security, particularly amid the growing number of cyberattacks carried out by APT groups and hacktivists.

It is projected that between 2024 and 2029, the cybersecurity market in the CIS will grow at an annual rate of 5.97%, reaching a total volume of approximately $5.52 billion by 2029.

According to Positive Technologies, the primary share of attacks in 2025 targeted Russia (46% of all attacks in the region), followed by Belarus (11%) and Kazakhstan (8%).

These high figures are driven by involvement in a regional geopolitical conflict, large population size, and a high level of economic activity.

Government institutions, financial organizations, and industrial enterprises are the most frequent targets of APT groups and hacktivists in the CIS, accounting for 50% of all cyberattacks in the region. Notably, the majority of active groups focus on industrial targets.

This distribution is consistent with patterns previously observed in the CODE RED 2026 study, with one key difference: a higher volume of attacks targeting defense enterprises, which is characteristic of APT group activity.

Malware and social engineering remained the primary attack vectors. In some cases, these methods were augmented with the use of artificial intelligence. For example, the Goffee group and others used AI in attacks targeting Russian defense companies, leveraging it to craft phishing emails and develop malicious code.

In addition, a common trend among groups operating in the region is the use of targeted phishing campaigns based on current news cycles or impersonation of communications from regulatory bodies and government authorities.

The groups analyzed in this study traditionally demonstrate some of the most sophisticated attacks across multiple sectors, along with a tailored approach to targeting victims. We have identified and assessed the most active groups operating in the region.

The Rare Werewolf group emerged as the leader in terms of the number of CIS countries targeted, actively conducting malicious campaigns across the region. According to several reports, in September 2025 the group used its own malware modules developed with the help of AI to attack Russian enterprises in the aviation and radio electronics sectors. A targeted phishing campaign was observed, in which malicious emails led to the deployment of PowerShell scripts and the XMRig cryptocurrency miner on systems within Russian organizations across the CIS.

As for political hacktivism, it is present in the CIS (accounting for approximately 20% of incidents), but is largely subordinate to or overshadowed by pro-state groups. This is driven by the need for a high level of coordination in campaign execution amid ongoing geopolitical conflict in the region, which often forces hacktivists to operate as intermediaries. As a result, priority is typically given to APT groups and long-term, strategically driven operations.

Based on the techniques and tactics observed across the groups tracked in the region, we identified the most commonly used TTPs and compiled a regional heat map. The TTPs attributed to these groups were selected based on research data collected throughout 2025.

Analysis of the heat map data highlights the following characteristics specific to this region.

APT groups and hacktivists operating in the CIS follow a pragmatic and highly automated attack model focused on the direct exploitation of vulnerabilities. Their operational profile is characterized by the dominance of external service exploitation (T1190) as the primary entry vector, indicating a targeted search for weaknesses in perimeter systems, where outdated software is frequently encountered.

The widespread use of command-line interpreters (T1059) reflects a high degree of automation and a deliberate effort to maximize stealth through the use of legitimate tools. This is further reinforced by the use of obfuscation techniques (T1027) and the masking of C2 traffic as regular web activity (T1071), representing an adaptive response to the prevalence of signature-based (rather than behavior-based) endpoint protection mechanisms in the region.

Taken together, these characteristics form the profile of a technically competent adversary whose campaigns are targeted, covert, and focused on maintaining long-term persistence within compromised environments.

Based on the analysis of TTPs used by APT groups and hacktivists in the CIS in 2025, the following key recommendations can be proposed for the region.

Proactive threat hunting recommendations:

• Focus on PowerShell and Windows Command Shell execution: monitor all script execution scenarios, particularly those involving Base64 encoding.
• Detect signs of exploitation of external services: analyze web application logs and develop IDS rules for commonly used exploits.
• Control the transfer of tools and files: monitor anomalous, rare, or sudden downloads of executable files.
• Analyze anomalous HTTP/HTTPS traffic patterns.
• Inspect emails containing suspicious attachments, macros, or topics related to politics and military organizations.

Monitoring recommendations:

• Monitor frequent execution of powershell.exe, cmd.exe, and wscript.exe.
• Track the creation of scheduled tasks via Task Scheduler.
• Implement automated response mechanisms for attempts to obfuscate files or disguise file extensions.
• Increase visibility into RDP activity.
• Strengthen email filtering and antivirus scanning of attachments.
• Block unknown executables downloaded by users.
• Monitor autorun registry keys, NetShare activity, and the use of PsExec.

The CIS continues to be one of the leading regions in terms of APT and hacktivist activity. The operations of pro-state groups are expected to persist, with attackers further increasing their presence in the region. Even if current conflicts transition into a frozen phase, threat actors are likely to shift their focus toward industrial espionage and intelligence gathering, as adversarial states will continue to pose a threat. The large volume of compromised credentials will further contribute to their active use in authentication attempts.

With the advancement of generative AI, it has become even easier for attackers to leverage phishing techniques. The trend of using phishing as the primary initial access vector in targeted attacks is expected to continue. Notably, there is a growing use of T1123 (Audio Capture), with collected data increasingly being leveraged to deceive users in subsequent attack stages.

Based on the TTPs commonly used by APT groups and their long-standing presence in attacker toolkits, it can be concluded that adversary behavior is unlikely to change significantly and will largely remain within a set of established procedures.

In 2026, a number of political, economic, and humanitarian events are scheduled in the CIS. Although not directly related to cybersecurity, these events may attract increased attention from APT groups and hacktivist communities and act as catalysts for heightened cyberconflict:

• Summits and meetings of CIS governing bodies focused on the development and approval of the action plan for the second phase of the CIS Economic Development Strategy through 2030.
• The international industrial exhibition in Dushanbe scheduled for June 2026.
• The IV CIS Games to be held in Kazakhstan.
• The active phase of implementation and discussion of energy and transport projects in Central Asian countries (Kazakhstan, Uzbekistan, Tajikistan, Kyrgyzstan), including modernization of power grids, development of transit corridors, and the digitalization of infrastructure management.

Taken together, these events significantly expand the cyberattack surface across the CIS. An increase in activity from pro-state APT groups focused on espionage and strategic influence can be expected, along with a rise in hacktivist attacks linked to publicly visible and symbolically significant events. In addition, the use of information and psychological operations aimed at escalating conflicts and discrediting specific countries and initiatives is likely to intensify.

The European region continues its path of digital transformation and, while achieving notable progress in digitalization, is simultaneously facing growing cybersecurity challenges. Most large enterprises in the region are leaders in digital adoption, with implementation rates exceeding 90%.

Since the introduction of the GDPR (General Data Protection Regulation) in 2018, there has been a strong focus on data processing across Europe. The continued growth of digitalization has resulted in nearly every organization handling such data, leading to a significant increase in the number of data repositories by 2025. Naturally, these data stores and the organizations that manage them fall within the scope of interest of APT groups, both due to the potential for monetizing compromised data and for causing operational or reputational damage.

The European Union Agency for Cybersecurity (ENISA) has identified ten major cybersecurity threats through 2030, nearly all of which reflect techniques or vulnerabilities actively exploited by APT groups.

In addition to digitalization trends driving the increase in APT activity, geopolitical tensions among European countries, shaped by differing political positions on ongoing conflicts, continue to escalate.

These factors collectively contributed to a rise in threat actor activity over the past year. In Germany alone, cyberattack-related losses reached a record €300 billion by early September. The most targeted sectors were government institutions, industrial enterprises, and defense organizations.

The activity of APT groups and hacktivists in Ukraine, the United Kingdom, Germany, and France is driven by their direct and indirect involvement in ongoing regional geopolitical conflicts.

Political hacktivists and APT groups from various regions demonstrated high levels of activity in Europe over the past year. There has been a noticeable increase in attacks targeting European government, diplomatic, and political institutions for the purpose of espionage.

For example, between September and October 2025, the UNC6384 group conducted a cyberespionage campaign against diplomatic entities in Europe, including institutions in Hungary and Belgium, as well as other diplomatic targets across the region. In this campaign, attackers exploited a vulnerability in Windows and leveraged social engineering techniques to gain initial access to systems, enabling them to covertly exfiltrate data and monitor the diplomatic activities of EU states.

We have identified the most active groups operating in the region.

The Lazarus Group emerged as the leading actor targeting European countries in 2025. One example of its malicious activity is Operation DreamJob, which targeted European defense and aerospace companies. The campaign focused on organizations developing components and technologies for drones and aviation systems. Attackers used social engineering via fake job offers, distributing malicious documents and links containing malware such as ScoringMathTea and other backdoors.

As for political hacktivism, Europe represents a primary global target, with political hacktivists accounting for 65% of identified attackers. In this region, hacktivism is widely used as a tool of political protest and information pressure. A well-developed civil society, a low barrier to entry for information and psychological operations, and a high media impact even from relatively minor security incidents make political hacktivism a powerful instrument of influence on states.

Based on the techniques and tactics observed across the groups tracked in the region, we identified the most commonly used TTPs and compiled a regional heat map. The TTPs attributed to these groups were selected based on research data collected throughout 2025.

Based on the analysis of the heat map data, the following characteristics of the region can be identified.

APT groups and hacktivists operating in Europe demonstrate a high level of adaptability and stealth, aimed at bypassing complex, multi-layered security controls. Their operational profile is characterized by the prioritization of targeted phishing (T1566) as the primary access vector, the active use of legitimate tools (T1059) for in-memory execution, and credential theft (T1555) to gain access to sensitive information.

Stealth is achieved through obfuscation techniques (T1027) and the masking of C2 traffic as legitimate cloud service activity (T1071). This forms the profile of a patient, methodical, and technically sophisticated adversary whose campaigns are focused on long-term persistence within victim networks and espionage objectives.

After analyzing the TTPs used by APT groups and hacktivists in Europe in 2025, we developed a set of key recommendations for the region.

Proactive threat hunting:

• Look for program execution enabled via registry-based persistence, specifically T1547.001 (Startup, Registry Run Keys).
• Pay close attention to T1555 (Credential Dumping) and validate access to the Credential Store and LSASS-related activity.
• Treat T1566 (Phishing) as the primary initial access vector and T1036.007 (Masquerading: Double File Extension) as a common defense evasion method.
• Analyze UPX-packed files, Base64-encoded content, and JavaScript and HTA files.
• Look for covert autostart mechanisms, keyloggers, and password extraction from browsers.

Monitoring:

• Integrate PAM (Privileged Access Management).
• Enforce mandatory deployment of EDR with memory protection to prevent Mimikatz and LSASS-targeting attacks.
• Enforce a strict policy for removable media and USB device control.
• Strengthen access controls and MFA.
• Audit the use of outdated libraries and plugins.
• Monitor access to the Credential Store and LSASS.
• Configure detection rules for download and execution activity in %AppData% and %Temp%.

The European region is currently characterized by a complex landscape: some countries are facing economic challenges, some are actively involved in geopolitical conflicts, and others are focused on stabilizing their social and political environments.

Despite a high level of digital maturity, there is a relatively low level of cyberhygiene among organizations and users. The widespread use of social engineering techniques and insecure methods of storing sensitive data reinforces this trend. There is strong reason to believe that this situation will persist into 2026. Pro-state groups are expected to maintain a high level of activity in the region as long as conflicts of interest between countries continue.

Pro-state actors are also expected to focus on major events, including:

• G7 summit in France in June
• NATO summit in Ankara in July
• General elections in Sweden in September

Despite the adoption of comprehensive cybersecurity approaches, small and medium-sized businesses in Europe will continue to face unresolved challenges from 2025, alongside new threats. These may include information operations, compromise of political infrastructure, phishing campaigns, and manipulation within the media space.

Additional risks include attacks targeting campaign headquarters, email compromise, disruption of vote-counting processes, and operations involving deepfakes. Given the large number of summits and forums, there is also a risk of advance infiltration of government networks to enable the theft of sensitive information.

South Asia continues its path of digital transformation, achieving notable progress in digitalization while simultaneously addressing emerging cybersecurity challenges. India remains the digital and economic leader in the region, and it is also the primary target of APT activity.

As the number of cyberattacks continues to grow, regional investments in cybersecurity are also increasing at an average annual rate of 12.8% since 2022 and are projected to reach $52 billion by 2027.

In terms of targeted sectors, the overall pattern in South Asia shows that government institutions, financial organizations, and defense enterprises account for the majority of attacks.

While South Asia is achieving significant progress in digitalization, it is also facing growing cybersecurity threats and a number of political conflicts that may impact the regional landscape.

This underscores the need to strengthen security measures and increase investment in cybersecurity infrastructure across countries in the region.

India, Iran, and Pakistan emerged as the leading countries in terms of the number of active threat groups. This is driven both by their digital and economic prominence in the region and by their political positioning on key global issues.

Pro-state groups and hacktivists are highly active in the region. Some collectives conduct operations far beyond their primary area of activity, carrying out attacks on a global scale. There is also a clear trend of certain groups attempting to mimic East Asian threat actors, while the infrastructure of some South Asian groups is leveraged by external actors to conduct attacks against CIS countries. For example, the SideCopy group repeatedly engaged in deliberate imitation of East Asian APT groups in 2024–2025, adopting their tools and tactics. In particular, researchers noted similarities with APT37. The primary objective of such mimicry is to mislead analysts, especially in campaigns targeting government and military organizations.

Below, we highlight the most active groups operating in the region.

One of the leading groups in terms of the number of countries targeted in the region was the SideWinder group. In 2025, it was linked to a major breach in Pakistan: threat researchers confirmed that the group successfully compromised systems of the Cabinet of Ministers of Pakistan. As a result of the attack, the threat actors gained access to classified documents and government officials' accounts.

As for political hacktivism, in South Asia it serves as an extension of interstate and religious conflicts at a relatively low level of escalation, while strategic operations remain the domain of pro-state APT groups. Hacktivists account for approximately 15% of threat actors in the region, reflecting a balance between ideologically motivated attacks and the dominance of pro-state cyberoperations. Coordination with hacktivists or their use as proxies is most commonly observed in attacks targeting India and Pakistan during the active phases of their geopolitical conflict.

Based on the techniques and tactics employed by groups monitored in the regions, we identified the most commonly used TTPs and created a heat map for the region. The TTPs were selected from 2025 research materials.

APT groups and hacktivists operating in South Asia demonstrate a flexible and combined approach, integrating targeted social engineering with adaptive technical methods. Their operational profile is characterized by a strong reliance on phishing (T1566) as the primary initial access vector, complemented by the active use of interpreters (T1059) for code execution and obfuscation (T1027) to conceal malicious activity.

At the same time, a significant emphasis on sandbox evasion (T1497) indicates advanced capabilities in malware development and modification. This forms the profile of an adaptive and pragmatic adversary that effectively combines proven social engineering methods with technical techniques aimed at maintaining long-term persistence within victim networks and collecting sensitive information.

Based on the analysis of TTPs used by APT groups and hacktivists in South Asia in 2025, we developed the following key recommendations for the region.

Proactive threat hunting:

• Inspect email communications and attachments for phishing activity (T1566.001, T1204.002).
• Detect deobfuscation activity (T1140), including PowerShell decoding, Base64, and Gzip usage.
• Identify hidden executables and scripts in shared directories (T1055, T1083).

Monitoring:

• Use sandbox environments to analyze attachments and suspicious documents.
• Implement behavioral analytics to detect anomalies in user activity.
• Strengthen protection of entry points, including web services, VPN, and Outlook Web Access (OWA).

Overall, threat actors targeting South Asia rely heavily on social engineering combined with technical exploitation and a wide range of techniques. This results in flexible, adaptive, and less predictable attack patterns.

Digitalization in South Asia is leading to widespread adoption of smartphones and computers, making individuals increasingly vulnerable to cyberattacks. Greater attention must be paid to vulnerability management and software patching, as many threat actors in the region actively exploit unpatched systems and critical vulnerabilities. Both APT groups and hacktivists are likely to take advantage of these weaknesses, contributing to increased activity.

In 2026, South Asia will remain a region of heightened geopolitical and technological tension, creating favorable conditions for APT activity, hacktivist operations, and information and psychological campaigns. Key risk factors and events that may influence the regional cybersecurity landscape include:

• India will continue to strengthen its position as a regional and global geo-economic and technological hub. It is expected to actively participate in international formats such as the G20, the Quad, and strategic dialogues with the EU and the United States. At the same time, India plans to accelerate initiatives in import substitution, semiconductor development, cybersecurity, IT, and the space sector.
• Pakistan will continue to face internal political instability and significant economic pressure, while tensions with India are expected to persist in 2026.
• Iran will continue to respond to external political pressure and sanctions, including in cyberspace.
• Nepal and smaller states in the region may be used as transit zones and hosting locations for C2 infrastructure.

In 2026, the following trends are expected across South Asia:

• An increase in hacktivist campaigns linked to political crises and military incidents
• Active use of information and psychological operations, including disinformation, data leaks, and fabricated documents
• A rise in supply chain attacks, particularly targeting IT outsourcing, telecommunications, and the energy sectorContinued focus on data exfiltration and intelligence gathering rather than destructive operations
• Overall, South Asia will remain a high-risk region in terms of cybersecurity in 2026, with key threat drivers including geopolitical rivalry, internal instability in certain countries, and the rapid digitalization of both the economy and public administration.

The Association of Southeast Asian Nations (ASEAN) has demonstrated steady progress in economic development and digitalization for several years. This trajectory also requires increased attention to regional cybersecurity, particularly as competition for influence intensifies between China and the United States.

The economies of ASEAN countries are in a growth phase and, according to forecasts, are expected to expand from approximately $300 billion to $1 trillion by 2030. The regional cybersecurity market is projected to grow at an annual rate of 9.49% between 2025 and 2029, reaching $7.07 billion by 2029.

At the same time, despite growing awareness of cyberrisks, the information systems of small and medium-sized enterprises remain vulnerable. Only 68.5% of small businesses in ASEAN countries have implemented cybersecurity solutions.

In terms of targeted sectors, the region is characterized by the following top three: government institutions (24%), IT companies (13%), and industrial enterprises (12%). Notably, IT companies rank among the top three targets, reflecting the prevalence of supply chain attacks in the region and the rapid growth of IT startups.

This leadership is likely driven by a combination of rapid digitalization, strategic geopolitical positioning in Southeast Asia, a high concentration of government and industrial targets, and the use of their infrastructure as a convenient staging ground for regional cyberoperations.

The Asian region has traditionally been one of the most active in terms of operations conducted by pro-state groups and political hacktivists. We have previously published a detailed study covering its characteristics and threat landscape. Since the release of that study, no significant changes have been observed. East Asian pro-state groups remain highly active, continuing to rely on both publicly available and custom-developed malware, as well as phishing campaigns and vulnerability exploitation.

In addition, a study published by Sekoia in late 2024 on the operational structure of Chinese pro-state groups shed light on numerous incidents and their interconnections. These findings confirmed that Asian threat actors remain the dominant force in the region, employing some of the most sophisticated and diverse TTPs.

Below, we highlight the most active groups operating in the region.

There is no single dominant leader in the region in terms of the number of countries targeted. However, one APT group has been actively exploiting web application vulnerabilities since 2023 to infiltrate and compromise organizations across Southeast Asia, including Indonesia, Malaysia, the Philippines, Thailand, and Vietnam.

In 2025, multiple researchers reported campaigns attributed to this group targeting IT companies, universities, government institutions, and other organizations in the region. These attacks typically began with large-scale perimeter scanning and exploitation of known vulnerabilities in widely used frameworks and CMS platforms, followed by the deployment of web shells and the installation of backdoors to maintain long-term access.

As for political hacktivism, in ASEAN countries it persists as a form of low-threshold political and religious expression, partly due to relatively less stringent state control over cyberspace compared to countries such as China and North Korea. Hacktivists account for approximately 15% of threat actors in the region.

Based on the techniques and tactics observed across the groups tracked in the region, we identified the most commonly used TTPs and compiled a regional heat map. The TTPs attributed to these groups were selected based on research data collected throughout 2025.

Based on the analysis of the heat map data, the following characteristics of this region can be identified (see table).

APT groups and hacktivists operating in the region demonstrate a pragmatic, infrastructure-oriented approach with a strong focus on exploiting external vulnerabilities and actively moving within compromised networks. Their operational profile is characterized by the dominance of direct technical attack vectors, such as exploitation of public-facing applications (T1190), indicating the widespread presence of vulnerable systems across the region.

Following initial access, attackers prioritize stealth through obfuscation techniques (T1027). The strong emphasis on process discovery (T1057) and data collection (T1005) highlights the targeted nature of these campaigns, which are often aimed at the theft of sensitive information.

Overall, this forms the profile of an adaptive and technically proficient adversary that effectively exploits weaknesses in both perimeter defenses and internal network security to achieve its objectives.

Based on the analysis of TTPs used by APT groups and hacktivists in ASEAN in 2025, we developed the following key recommendations.

Proactive threat hunting:

• Detect compilation of executables or other binary files within user directories.
• Identify artifacts of common keyloggers and analyze processes associated with input capture (for example, window or keystroke interception). Monitor the creation of files with image-related extensions, which may indicate covert data collection.
• Search for indicators of backdoor deployment from custom or attacker-controlled domains.

Monitoring:

• Block IP addresses and domains associated with known C2 infrastructure used by widespread malware.
• Monitor file transfer activity within internal networks.
• Detect and control the use of commonly observed web shells in the region (e.g., China Chopper).
• Identify DNS tunneling and abnormal API usage patterns.

For initial access, attackers rely on reconnaissance-driven intelligence and select the most effective vector based on the target environment, with a strong focus on targeted attacks against organizations.

It is expected that both the activity of threat actors and the complexity of attacks in the region will continue to increase. Over the past year, the region was among the leaders in the use of less common techniques and procedures. Under these conditions, it is essential to closely track active threat actors, prioritize threat intelligence collection, and continuously develop and update detection logic.

An increase in activity from pro-state groups and hacktivists is anticipated, driven by conflicting policies among ASEAN states and the growing likelihood of escalation around Taiwan. The region may effectively become a cyberwarfare arena involving major APT groups engaged in espionage, sabotage, support of special operations, and intelligence gathering.

• In 2026, the Philippines assumed the ASEAN chairmanship (starting January 1, 2026) and announced a large number of meetings and events to be held across multiple cities.
• Economic growth and investment are expected to drive an increase in financially motivated attacks, including BEC (business email compromise). According to IMF estimates, ASEAN growth in 2026 is projected at approximately 4.3%.

Considering the region's TTP profile (a high prevalence of external service exploitation followed by multi-stage attack chains), the following trends are most likely in 2026:

• Increased attacks on the external perimeter, including web applications, VPNs, SSO systems, email gateways, and public-facing portals (particularly in government and critical infrastructure sectors).
• Cyberespionage and data exfiltration will remain the primary scenarios for pro-state APT groups. Key target sectors include government, diplomacy, defense, telecommunications, energy, transport and logistics, as well as large industrial and extractive enterprises.
• Growth of hacktivist activity and information and psychological operations related to the Philippines' ASEAN chairmanship and regional events.
• A rise in supply chain attacks, with high-risk targets including event contractors, IT outsourcing providers, hosting services, logistics companies, and system integrators.

Overall, in 2026 ASEAN is highly likely to become one of the most active regions in terms of cyberintelligence operations and threat actor activity.

Other countries that are not members of ASEAN but are located in East Asia, the Pacific region, or Oceania are considered in this report as part of a single geographic region. Many of them are also investing heavily in digitalization and cybersecurity. The undisputed leader among these countries in digitalization and the economy is China, which places particular emphasis on cybersecurity to address emerging threats.

According to the IMD World Digital Competitiveness Ranking for 2025, East Asian economies have demonstrated strong potential and readiness to adopt and explore digital technologies that drive economic transformation in business, government, and cybersecurity.

As for the southern part of the region, researchers predict that from 2025 to 2029, the cybersecurity market in Australia and Oceania will grow by 7.08% annually, reaching a volume of approximately $6.6 billion by 2029.

In this region, the most frequently attacked sectors are government agencies, industry, and IT companies. Government agencies account for nearly a quarter of the targeted entities, which is linked to the high level of activity by pro-state groups in the region.

If we take a closer look at Oceania, according to Positive Technologies, 2025 was marked by a prevalence of cyberfraud and phishing in the region. Increased geopolitical tensions in the Pacific region may be accompanied by a rise in cybercriminal activity. The role of state-sponsored groups is growing, and they may change the regional landscape of cyberthreats.

In 2025, a significant escalation was also noted around the island of Taiwan. Most cyberattacks on the island were carried out by state-sponsored groups, targeting the telecommunications, transportation, and defense sectors.

East Asia and Oceania, as one of the most prolific regions in terms of pro-government group and hacktivist activity and a source of some of the most dangerous actors, has traditionally been characterized by a large number of attackers. We have identified the most prominent groups in the region.

The Lazarus Group emerged as the clear leader in terms of the number of countries targeted. One example is the series of attacks against South Korea, which the Lazarus Group carried out in collaboration with Kimsuky.

Researchers note that in 2025, the Lazarus Group and Kimsuky carried out 58 cyberattacks targeting, among other things, South Korea's virtual assets, IT sector, and financial systems. These actions include both instances of cryptocurrency theft and attempts to infiltrate infrastructure through social engineering and the use of malware.

As for political hacktivism, cyberoperations in East Asia and Oceania are strictly controlled by the state, which is why centralized pro-state APT structures predominate, while independent hacktivism has been virtually eliminated. Hacktivists account for only 7% of active groups in East Asia and Oceania, and judging by attribution data from open sources, they are not representatives of the region, which underscores the dominance of pro-state cyberespionage and strategic operations over public and ideological attacks.

Based on the techniques and tactics employed by groups monitored in the regions, we identified the most commonly used TTPs and created a heat map for the region. The TTPs were selected from 2025 research materials.

Based on the data from the heat map, the following characteristics of this region are particularly noteworthy.

APT groups and hacktivists operating in East Asia and Oceania demonstrate a balanced and adaptive approach that combines social engineering with technical tradecraft. Their operational style is characterized by a strong emphasis on phishing (T1566) as the primary initial access vector, highlighting the human factor in the region's highly digitized societies. Once inside, attackers actively use interpreters (T1059) to execute code and place significant emphasis on obfuscation (T1027) to evade detection. A unique feature is the active use of input interception techniques (T1056) for both credential theft and information gathering, underscoring a focus on directly capturing user data. The prevalence of web protocols for C2 (T1071) and exfiltration (T1041) reflects a desire for maximum stealth in networks with advanced monitoring. Overall, this paints a picture of a pragmatic and methodical adversary whose campaigns are geared toward a long-term presence on the victim's network and the theft of confidential data within the context of a sophisticated but not always uniformly protected IT infrastructure.

After analyzing the TTPs characteristic of APT groups operating in Oceania and East Asia in 2025, a number of recommendations can be made.

Proactive threat detection:

• Analyze the use of non-standard archive file extensions (.iso, .img).
• Monitor for suspicious calls to tasklist and ps.

Monitoring:

• Keep email archive analysis rules up to date.
• Integrate correlation rules for process launch analysis.
• Monitor commands with cmd.exe /c and download URLs.
• Checking POST network requests without a User-Agent header.

The activity of the groups is expected to increase. The political situation in the Pacific region has been tense for quite some time. It is anticipated that the activity of pro-state groups may shift from Oceania and Southeast Asia toward East Asia if tensions in the Pacific continue to rise. As for the deployment of ransomware, the trend of pro-state groups using such malware for sabotage or financial gain will continue. Otherwise, the cyberthreat landscape will be influenced by various events expected in 2026.

• Elections are scheduled for June 2026 in the Republic of Korea.
• China will host the APEC Leaders' Summit in Shenzhen.
• Local elections will be held in Taiwan in November 2026.
• New Zealand is also scheduled to hold its next general election in November.
• An additional factor driving the activity of cybercriminal groups is the crisis surrounding Taiwan and tensions in the South China Sea.
• Another factor will be North Korea's activity on the world stage and in cyberspace.

Separately, the trend is expected to continue with some of the pro-state groups employing illicit monetization models (including RaaS and other forms of financial cybercrime). In practice, this is particularly relevant for actors linked to North Korea, who continue to combine intelligence gathering with fundraising through cyberoperations (including attacks on major cryptocurrency exchanges).

In 2026, the region will see an increase in state-sponsored APT operations, primarily surrounding major international events (the APEC summit in China), electoral cycles (Taiwan, South Korea, New Zealand), and persistent geopolitical tensions. Most likely scenarios:

• Cyberespionage and data exfiltration (public administration, defense, diplomacy, telecoms, logistics, high-tech).
• Information and psychological operations and interference (leaks, forgeries, compromise of headquarters or contractors).
• Multi-stage campaigns by groups focused on compromising accounts, web infrastructure, and supply chains.

Latin American countries are making considerable progress in digitalization and cybersecurity, although gaps remain in legal frameworks and the implementation of security systems. The region is seeing rapid growth in the adoption of digital technologies. In Mexico alone, there are more than 1,100 fintech companies. Digital payments, including mobile wallets and contactless payment methods, are gaining momentum, particularly in countries such as Brazil and Argentina. In Brazil, for example, the Pix system has become the primary method of digital payment for millions of people.

However, Latin America remains one of the most vulnerable regions to the activities of cybercriminal groups, specifically various e-crime groups and financially motivated criminals. Despite the accelerating digital transformation, investment in cybersecurity in Latin America remains low. At the same time, legislative efforts to regulate this issue have been underway for some time. For example, Brazil enacted the General Personal Data Protection Law (LGPD) back in 2018, similar to the GDPR in the EU, to strengthen data protection and cybersecurity. Nevertheless, there is inconsistency across the region in the implementation of such laws and their enforcement.

Brazil, Mexico, and Colombia are the most affected countries, accounting for nearly 90% of cyberattacks in the region, according to Positive Technologies. This is because these countries have the most developed economies in the region and are actively involved in international politics.

The public, defense, and financial sectors were the primary targets of cyberattacks. Despite the risks, as of 2024, only seven countries in Latin America had plans in place to protect critical infrastructure from cyberthreats.

The Americas, one of the most active regions in terms of pro-state group activity, have traditionally been characterized by a large number of threat actors. We have identified the most prominent groups operating in the region.

One of the region's leading groups turned out to be the financially motivated group TA558. In the summer of 2025, researchers observed a new wave of attacks carried out by TA558 against hotels and tourism businesses in Brazil and other Spanish-speaking countries in Latin America. In these campaigns, the attackers sent phishing emails disguised as booking requests, invoices, or job offers. The goal was to distribute Venom RAT, which was used to gain remote access and steal guests' payment card data and other sensitive information. The attacks primarily targeted Brazil but also affected the hospitality sector in other countries across the region.

As for North America, the region remains a year-after-year leader in overall cyberattack volume. The United States and Canada are highly digitalized; combined with their geopolitical roles, this contributes to sustained targeting and amplifies cybersecurity challenges. As the regional leader, the United States remains one of the primary targets of cyberattacks. The public sector was hit hardest, accounting for 25% of recorded attacks.

Political hacktivism in the region is generally low-profile. Threat actors are centered on direct financial gain rather than ideological or political motives, which is why ransomware and criminal syndicates predominate over hacktivist groups. Hacktivists account for only 9% of attackers in the region, indicating the dominance of financially motivated threats over ideological operations.

Based on the techniques and tactics employed by groups monitored in the regions, we identified the most commonly used TTPs and created a heat map for the region. The TTPs used by these groups were selected from 2025 research materials.

Based on the data from the heat map, the following characteristics of this region are particularly noteworthy.

Groups operating in North and Latin America demonstrate a highly adaptive and financially motivated approach, combining traditional social engineering techniques with advanced technical methods to bypass modern security systems. Their operational style is characterized by the dominance of phishing (T1566) as the primary access vector, indicating exploitation of the human factor. Once inside, the attackers extensively use interpreters (T1059) to execute commands and scripts and actively employ obfuscation (T1027) to evade EDR solutions. The focus on credential theft (T1003) and systematic data collection (T1005) reflects the objectives of industrial espionage and financially motivated crimes. The final stage often involves data encryption (T1486), reflecting the prevalence of ransom-driven operations. Overall, tid e9 his paints a picture of a technically sophisticated, pragmatic, and dangerous adversary whose campaigns are geared toward maximizing economic damage and establishing a sustained presence within corporate networks.

By analyzing the TTPs characteristic of groups operating in North and Latin America, we can offer a number of recommendations for proactive threat hunting and monitoring.

Proactive threat hunting:

• Monitor for unusual execution of files with extensions such as .vbs, .py, .ps1, and similar.
• Analyze the memory of suspicious processes.

Monitoring:

• Monitor user folders containing executable files.
• Implement extended logging of command-line interpreters; deploy EDR or similar solutions.
• Monitor the use of legitimate remote-access tools (AnyDesk, TeamViewer).

Latin America remains one of the most lucrative regions for financially motivated criminals. It is fair to say that cybercrime groups are most active in this region.

As in other regions, the cyberthreat landscape will also be shaped by the political developments. Pro-state group activity is expected to increase amid several high-profile events in 2026:

• The 2026 FIFA World Cup (USA–Canada–Mexico, June 11–July 19, 2026)
• U.S. elections on November 3, 2026
• Presidential elections in Brazil, Colombia, Costa Rica, Haiti, and Peru in 2026.

Based on the region's 2025 TTP profile, the likely scenarios for 2026 are:

Espionage targeting the public sector, the defense sector, the energy sector, telecommunications, major export industries, and the financial sector (to support foreign-policy decision-making, sanctions-related objectives, and competitive intelligence).

Supply chain attacks (targeting IT outsourcing providers, MSPs, system integrators, marketing agencies, event platforms) are one of the easiest routes into large organizations.

Financially motivated attacks (including the compromise of business correspondence and payments) amid major events and electoral cycles.

In 2026, North and Latin America are likely to face increased pressure due to the combination of a major international sporting event and a busy electoral calendar. This creates favorable conditions for APT-led espionage, hacktivism, information and psychological operations, and financially motivated campaigns.

In 2025, the African region was characterized by a high rate of cyberfraud despite comparatively low levels of digitalization versus other regions covered in the report. In recent years, however, many African countries have made noticeable progress in digital adoption, which has also exposed serious cybersecurity challenges.

Forecasts indicate that the cybersecurity market is expected to grow at a 9.06% annual rate from 2025 to 2029, highlighting increased investment in this sector. Across Africa, the market is developing as countries such as South Africa and Kenya invest in advanced technologies to counter cyberthreats.

Since 2019, as part of the World Bank's “Digital Economy for Africa” (DE4A) initiative, 70 digitalization projects have been implemented across 37 African countries, with a total investment of about $9 billion, aimed at building a resilient and inclusive digital economy. The adoption of instant payment systems (IPS) has surged: 31 systems are operational in 26 countries, with another 27 in development. Over five years, transaction volumes and value have grown by 37% and 39%, respectively, reflecting the widespread adoption of digital payments. All of this has contributed to rising fraud in the region, the spread of ransomware, and increased ideologically driven hacktivist activity. However, pro-state groups have been largely absent from the current wave of cyberattacks.

In addition, Interpol's 2024 report on cyberthreats in Africa noted a surge in cybercrime across the continent, with ransomware, business email compromise, and online fraud identified as rapidly growing threats. Operation Serengeti was conducted in 2024, but attention to this issue did not fade. From June to August 2025, a large-scale operation, Serengeti 2.0, was carried out across the continent. A total of 1,209 suspects were arrested, and assistance was provided to more than 88,000 victims, whose financial losses worldwide are estimated at nearly $97 million. According to Positive Technologies, South Africa, Kenya, and Nigeria were identified as the primary African countries facing significant cyberthreats. The fact that they are among the most economically and digitally developed countries in Africa explains this situation. However, while these countries are among the leaders in terms of cybercrime metrics, they are not the most targeted by APT groups and hacktivists in the broader African context.

The African region differs significantly from other regions in terms of its cyberthreat landscape, including the industries most frequently targeted. Government agencies, the general public and social infrastructure, as well as defense contractors, manufacturing, and IT companies, are among the most targeted sectors. The high number of incidents across multiple sectors simultaneously indicates significant cybersecurity challenges in several areas at once.

The development of African countries, as well as the growing interest of the United States, China, and Russia in the region, are giving rise to numerous political and economic processes that contribute to instability and armed conflicts. Such events are often accompanied by increased APT activity. We have identified the most active groups in the region:

In addition to the widespread use of spyware from the Intellexa consortium, both known groups and new threat actors were active in Africa. One such discovery was the Desert Dexter group, which our researchers identified in 2025. The group had targeted approximately 900 potential victims by early 2025. These included ordinary users and employees of companies in the energy, construction, IT, and agriculture sectors.

As for political hacktivism, cyberthreats in Africa are primarily driven by external pro-state and criminal actors, while local ideologically motivated hacktivism is less developed. Hacktivists account for only 7% of all attackers in Africa, underscoring the dominance of external cyberespionage and financially motivated attacks over ideological operations.

Based on the techniques and tactics employed by groups monitored in the regions, we identified the most commonly used TTPs and created a regional heat map. The TTPs were selected from 2025 research materials.

Based on the data from the heat map, the following characteristics of this region are particularly noteworthy.

APT groups and hacktivists in Africa demonstrate a direct approach focused on maximum effectiveness with minimal complexity. Their modus operandi is characterized by the prevalence of direct infrastructure attacks (T1190) as the primary vector, indicating a large number of easily accessible targets. Once inside, attackers make extensive use of interpreters (T1059), demonstrating the highest reliance on automation among all regions. Obfuscation (T1036) and process injection (T1055) are used as primary concealment methods and are often sufficient to bypass basic defenses. The focus on credential theft (T1555) and local data collection (T1005) aligns with the objectives of financial gain and industrial espionage. Overall, this paints a picture of a pragmatic, technically competent, and profit-driven adversary whose campaigns rely on exploiting vulnerabilities and insufficient investment in regional cybersecurity.

Attackers actively use:

• Command-line interpreters to execute payloads
• Exploitation of vulnerable public-facing services and phishing to gain initial access
• Standard persistence mechanisms (scheduled tasks, autorun)
• Traffic obfuscation and masking to bypass security measures

This allows us to provide several recommendations for proactive threat hunting and monitoring.

Proactive threat hunting:

• Search for credentials in open or poorly protected files. Analyze access to them.
• Analyze processes' API calls to audio devices.

Monitoring:

• Monitor access to browser password storage.
• Log processes that access the microphone.

Overall, the region is characterized by attacks of moderate technical complexity but a high degree of repetitiveness in basic techniques, which creates conditions for large-scale campaigns targeting government organizations, the telecommunications sector, financial institutions, and critical infrastructure, particularly in countries with developing digital economies.

In 2025, a number of significant political, social, and economic events are expected to unfold in the African region, which will reshape the balance of power and impact the cyberthreat landscape.

The struggle among major world powers for economic partnerships and influence in this region also affects the potential development of armed conflicts, which in today's reality are almost always accompanied by the activity of various APT groups and hacktivists. The African region is characterized by numerous hotspots and points of conflict that could lead to incidents linked to the activity of these groups.

In 2026, a number of African countries are expected to hold elections, experience a change in political leadership, or further deepen domestic political reforms, which traditionally increases APT groups' interest in the public sector.

• Nigeria will continue its reform efforts in the energy and financial sectors.
• Kenya is actively striving to become a regional hub in East Africa.
• Egypt is a key player in North Africa and the Middle East.
• Senegal and other West African countries are driving power redistribution and weakening of the influence of former colonial powers.

The persistence and potential escalation of conflicts in several subregions will be one of the key drivers of growing cyberthreats:

• The Sahel (Mali, Burkina Faso, Niger): ongoing instability and the presence of external military and political interests
• Somalia and East Africa: regional instability, as well as proximity to strategic maritime routes
• Political instability in Libya

International infrastructure projects involving China, the BRICS countries, the EU, and Middle Eastern states will continue. Africa will remain a zone of geopolitical rivalry. This creates conditions for:

• Long-term cyberespionage
• Covert operations against diplomatic missions
• Sabotage of competitors' infrastructure and investment projects.

In 2026, Africa will be characterized by an increase in the intensity and political motivation of attackers. The primary targets of attacks will continue to be government agencies, critical infrastructure, energy, transportation, finance, and contractors involved in international projects, while cyberoperations will increasingly be paired with information and psychological campaigns.

Over the past few years, the Middle East has become not only a magnet for various APT groups, but also an economic and digital hub. In 2025, the digital transformation industry in the Middle East was valued at approximately $1.48 billion, and it is projected to grow at a compound annual growth rate (CAGR) of 11.8%, reaching $2.58 billion by 2029. A significant portion of investment in the region is directed toward cybersecurity. Gartner forecasts that end-user spending on information security in the MENA region will reach approximately $4 billion in 2026, representing growth of about 10.1% compared to 2025.

The Middle East has long been a primary target for APT groups and hacktivists, and this trend continued throughout 2025. The high volume of sophisticated, targeted attacks in the region, including attacks on critical infrastructure and the banking sector, along with increased hacktivist activity, supports this assessment. Furthermore, ongoing regional conflicts and elevated hacktivist activity have led to cyberattacks being used as tools for information and psychological influence, with frequent attacks on critical infrastructure and government agencies.

It is worth noting that attacks targeting the general public and social infrastructure account for the largest share in this region (19%), which is a distinctive feature of the region. The region has a high proportion of politically and ideologically motivated cyberoperations aimed at creating mass psychological impact, which explains the high percentage of attacks on the general public and social infrastructure.

In the Middle East, the activity of state-backed groups and hacktivists has declined compared to 2023–2024. We have identified the most active groups in the region.

One of the main players in the region was the APT35 group. In January and February 2025, APT35 carried out a series of targeted phishing campaigns against diplomatic missions, foreign policy analysts, and government agencies in the Middle East. The attacks involved sending emails purporting to be from official organizations and containing malicious attachments and links to fake authentication pages, with the aim of stealing credentials and gaining access.

As for political hacktivism in the Middle East, hacktivism functions as a tool of ideological confrontation but takes a back seat to state-sponsored and espionage operations amid high regional conflict. Hacktivists account for 12% of attackers in the region, reflecting a balance between ideological campaigns and the dominance of state-sponsored cyberespionage.

Based on the techniques and tactics employed by the groups tracked in the region, we identified the most commonly used TTPs and created a regional heat map. The TTPs were selected from 2025 research materials.

Based on the data from the heat map, the following characteristics of this region are particularly noteworthy.

APT groups and hacktivists operating in the Middle East demonstrate a balanced approach that combines social engineering with technical methods and focuses on targeted attacks against critical sectors. Their operational style is characterized by a strong emphasis on phishing (T1566) as the primary access vector, indicating exploitation of the human factor amid high political and economic tensions. Once inside, the attackers actively use legitimate script interpreters (T1059) to execute code and obfuscation (T1027) to evade detection. A unique feature is the active use of input interception techniques (T1056) for both credential theft and information gathering, underscoring a focus on espionage and the collection of confidential data. The prevalence of web protocols for C2 (T1071) and exfiltration (T1041) reflects a preference for stealth in networks with advanced monitoring. Overall, this paints a picture of an adaptive and determined adversary whose campaigns are geared toward long-term persistence, espionage, and the potential for destructive impact on the region's critical infrastructure.

After analyzing the TTPs for 2025, we can offer a number of recommendations for proactive threat hunting and monitoring in this region.

Proactive threat hunting:

• Analyze the context of incoming emails (senders, attachments, links).
• Increase focus on VPN, Exchange, and Outlook Web Access.
• Search for PowerShell, CMD, and WMI calls, especially those involving obfuscation.
• Analyze non-standard HTTP/HTTPS and DNS traffic.
• Analyze suspicious transfers of EXE, DLL, and BAT files from external sources.

Monitoring:

• Monitor API requests.
• Use EDR to monitor command-line interpreters.
• Block unsigned PowerShell execution.
• Minimize the use of local administrator accounts.
• Monitor the collection and transmission of LSASS dumps and browser data files.
• Monitor new scheduled tasks, services, and startup keys.
• Track SMB and RDP sessions between network segments.

The region exhibits a wide variety of techniques, including rare TTPs, indicating the presence of pro-state groups, political hacktivists, and financially motivated groups. Overall, the threat landscape in the Middle East in 2025 is characterized by persistent, multi-stage attacks. The primary focus is on the public sector, energy, telecommunications, and international projects.

To forecast changes in the cyberthreat landscape, a number of important political, social, and economic developments in the Middle East expected in 2026 are taken into account.

In 2026, the Middle East will remain a region with high levels of APT activity and hacktivism, where cyberoperations and attack campaigns will be closely linked to the geopolitical situation, energy and infrastructure projects, and domestic politics. Against the backdrop of intensifying competition among external actors and ongoing instability, an increase in cyberespionage, sabotage, attacks on critical infrastructure, and information and psychological operations is expected.

• The crisis in the Gaza Strip continues.
• The Red Sea remains a focal point of political influence. Threats to shipping and the military presence of external forces will persist.
• Syria, Iraq, and Yemen remain zones of ongoing instability.
• Oil, gas, and petrochemicals will remain key sectors for the region in 2026.
• Megaprojects in the Gulf states (smart cities, transportation hubs, large-scale digitization of public services) will continue.
• Israel will remain highly involved in conflicts and maintain a high level of digitization.

The primary risk lies in targeted attacks on contractors and integrators, the compromise of engineering segments, and attacks on corporate networks aimed at blackmail. The expansion of cross-border cooperation and investment is heightening the interest of APT groups and hacktivists in interstate negotiations, contracts, and regulatory initiatives. In 2026, the region will be highly sensitive to domestic political processes. Even where elections are not formally the primary mechanism for changes in power, information operations and data breaches remain tools for exerting pressure.

In 2026, the intensity and political motivation of APT operations in the Middle East are expected to increase. The most likely scenarios are:

• Cyberespionage targeting the public sector, the defense sector, diplomatic missions, and major corporations
• Sabotage and attacks targeting critical infrastructure logistics
• Supply chain attacks via megaproject contractors and IT providers
• Information and psychological operations (leaks, breaches, forgeries, compromise) against the backdrop of conflicts and domestic political agendas.

Globalization, international cooperation, and widespread digitalization are gaining momentum every year. At the same time, new conflicts and disputes continue to flare up around the world. The number of potential targets for attacks by APT groups and hacktivists is growing, as is the damage they cause. To protect their critical infrastructure and ensure national security, countries must pay sufficient attention to cybersecurity issues, taking into account current regional trends and attacker behavior. To do this, it is important not only to study techniques, tactics, and procedures, but also to anticipate which cybersecurity trends will emerge, persist, or change.

1.       AI in cyberattacks. Artificial intelligence is already widely used by intruders. According to our forecasts, in the future, attackers will eventually be able to apply AI across all tactics in the MITRE ATT&CK matrix and in 59% of its techniques. You can read more about this in our study.

2.      Digital isolation of states under attack. As geopolitical tensions rise and cyberattacks carried out by APT groups and political hacktivists intensify, the most attacked countries may use digital isolation as a countermeasure.

3.      Strategically sophisticated cyberattacks using malware. In 2026, we expect attacks by advanced pro-government groups to become more complex. Previously, there were few such groups, but there is a growing tendency for attackers to infiltrate multiple organizations, establish a foothold, and later use pre-positioned malware to attack victims.

4.      Growth in information and psychological operations conducted by hacktivists under the control of states and pro-government groups. Ongoing geopolitical conflicts continue to encourage states to use information warfare methods and to involve pro-government groups and political hacktivists in these activities.

5.      The rise in the number of cybercriminal groups for hire. The number of groups offering their services to carry out various cyberattacks is expected to increase due to the active involvement of political hacktivists in pro-state operations.

6.      APT threats remain the primary danger among advanced cyberthreats, but state-sponsored political hacktivism is becoming an amplifier.

1. Strengthen cybersecurity through a comprehensive approach

Attacks by criminal groups require special attention and comprehensive protection that combines technology with measures to minimize the impact of human error. The main recommendation is to combine various protection mechanisms to reduce risks, as well as to implement a zero-trust policy. Additionally, any organization facing such attacks needs commercial or in-house threat intelligence (TI). Only with up-to-date threat intelligence is it possible to anticipate and prevent attacks and to develop detection logic. If an information system is still being developed, the risk of attacks must be taken into account, and security mechanisms should be implemented during the design phase. Furthermore, analysis of these groups' activity shows that phishing remains the primary method of initial access in targeted attacks by APT groups; therefore, employee training should also be prioritized.

2. Audit processes, software, and information systems

Regular audits help identify vulnerabilities, misconfigurations, and non-compliance with security requirements. They must be conducted in accordance with applicable national standards. It is necessary to perform software vulnerability analysis, audit user accounts and privileges, and verify the security of the network perimeter and cloud solutions.

3. Deploy advanced security products

To protect against attacks, it is necessary to use modern cybersecurity solutions, including:

• EDR/XDR (endpoint detection and response, extended detection and response): detection of attacks on endpoints.
• SIEM (security information and event management): centralized collection and correlation of security events.
• NGFW (Next-Generation Firewall) and IDS/IPS (intrusion detection and prevention): intrusion prevention and traffic filtering.
• DLP (data loss prevention): prevention of data leaks and breaches.
• SOAR (security orchestration, automation, and response): automation of incident response.

4. Conduct proactive threat hunting and analysis

When dealing with advanced threat actors, it is essential to identify potential and hidden threats before they lead to an incident: 

• Use the MITRE ATT&CK framework to support iterative, proactive threat hunting.

• Write YARA rules and process IoCs (indicators of compromise) to detect malicious objects based on available data.
• Perform network traffic analysis (NTA/NDR) to detect anomalies.

5. Improve monitoring and response capability

An effective internal or external SOC (security operations center) plays a crucial role in defending against attacks by monitoring logs, events, and anomalies around the clock. Regular testing and training of SOC analysts, along with ongoing professional development, helps them perform this role more effectively.

6. Validate defenses through red teaming

Assess security by simulating real-world attacks. Emulating the actions of malicious groups with the help of a specialist team helps determine how prepared an organization is for attacks of this magnitude. Testing defenses against phishing and social engineering, along with running through different attack scenarios, allows you to assess how well the defense program is structured, how quickly attacks are detected, and how effectively the blue team responds.

Countering APT groups and hacktivists requires a comprehensive approach that combines technology, processes, and specialist training. Only continuous improvement of defenses, proactive threat analysis, realistic testing, and team training can minimize the risks of targeted attacks.