Major threat actors active from 2024 to 2025



Spring Dragon (aka Lotus Blossom) has been active for over a decade, with particular interest in Vietnam, Taiwan, and the Philippines. Kaspersky researchers have detected 1,000 malicious samples used by this actor to target government entities in Southeast Asia. Their methods include spear-phishing, exploiting vulnerabilities, and watering hole attacks to infiltrate victims’ systems.

Lazarus, a notorious state-sponsored group infamous for the “Bangladesh Bank Heist”, continues to pose a major threat through both espionage and financially motivated campaigns. In early 2025, Kaspersky uncovered “Operation SyncHole”, a campaign targeting at least six organisations in South Korea’s IT, financial, semiconductor, and telecommunications sectors through a combination of watering hole attacks and exploitation of third-party software vulnerabilities.

HoneyMyte (aka Mustang Panda) aims to exfiltrate sensitive political and strategic information from governments and diplomatic entities in Southeast Asia, with a notable focus on Myanmar and the Philippines. In 2024, the group deployed the ToneShell malware using various loaders in its campaigns.

ToddyCat, a technically sophisticated group, has been targeting high-profile victims in Malaysia since 2020. In 2024, they were observed using updated tools to collect and exfiltrate data to multiple cloud storage solutions, and employing vulnerable Windows kernel drivers to disable monitoring systems.

Mysterious Elephant is a relatively new actor, discovered in 2023. This group uses a wide array of malware families. In a recent wave of attacks, their focus has been on entities related to the foreign affairs of Pakistan.

Tetris Phantom was discovered by Kaspersky in 2023. This group initially deployed highly sophisticated malware targeting secure USB drives. By 2025, they had added new tools to their arsenal, including BoostPlug and DeviceCync, to inject malware onto victims’ machines.

 

