Advanced Persistent Threat groups are not hackers with flags — they are intelligence operations with cyber capabilities. Understanding them requires moving beyond IOC lists and thinking in terms of operational patterns: how they gain access, how they persist, how they move laterally, and how they extract value — all while remaining invisible for months or years.
This write-up profiles the operational landscape as it stands in 2025, drawing on PRODAFT, Mandiant, CrowdStrike, and Microsoft intelligence reporting. The focus is on TTPs, not attribution politics — because defending against a technique works regardless of which government funds it.
The Operational Tiers
Not all APTs operate at the same level. The landscape stratifies into three operational tiers based on capability, tooling sophistication, and target selection:
Tier 1 — Strategic Cyber Operations
Nation-state units with dedicated zero-day development, custom implant frameworks, and the operational discipline to remain undetected for years.
Key actors: Volt Typhoon (China/PRC — critical infrastructure pre-positioning), Cozy Bear / APT29 (Russia/SVR — diplomatic and political intelligence), Equation Group (US/NSA — strategic signals intelligence), Lazarus Group (DPRK — financial theft and espionage hybrid).
Defining characteristic: These groups develop or procure zero-day exploits and deploy custom, modular implant frameworks that are unique to their operations. Their tooling is not found on GitHub. Their operational security includes anti-forensics, timestomping, log manipulation, and living-off-the-land techniques that avoid dropping detectable binaries.
Tier 2 — Focused Espionage Operations
State-sponsored groups with strong technical capability but narrower target sets. They use a mix of custom and publicly available tools, and their operations are often sector-specific.
Key actors: Mint Sandstorm / APT35 (Iran/IRGC — defense, energy, academia), Mustang Panda (China/MSS — Southeast Asian governments), Turla / Venomous Bear (Russia/FSB — government networks, diplomatic targets), Kimsuky (DPRK — think tanks, nuclear policy researchers).
Defining characteristic: These groups recycle infrastructure more frequently, occasionally reuse tools across campaigns, and are more likely to be caught — but they iterate quickly on their TTPs after public exposure.
Tier 3 — Mercenary and Blended Operations
Private-sector offensive contractors, ransomware groups that moonlight for state interests, and hacktivist fronts with state backing.
Key actors: Various “cyber mercenary” firms selling surveillance capabilities, and ransomware-style operations adjacent to Sandworm that blur the line between criminal profit and state objectives.
Defining characteristic: Operational discipline varies widely. Attribution is deliberately ambiguous — which is the point.
Technical Deep Dive: Five Active Campaign Patterns
Pattern 1 — Edge Device Exploitation (Volt Typhoon Model)
The most consequential shift in APT tradecraft since 2023: targeting network edge devices (routers, VPN concentrators, firewalls) instead of endpoints.
Why edge devices? They run stripped-down Linux/BSD variants with no EDR coverage. They have high network privilege. They are patched infrequently. And forensic tooling for these platforms is primitive compared to Windows.
The Volt Typhoon playbook:
- Initial access via zero-day or n-day exploit in a Fortinet, Ivanti, or Cisco device.
- Implant persistence in the device firmware or runtime memory — surviving reboots but not firmware reflashes.
- Living-off-the-land from the compromised edge device: using built-in `ssh`, `tftp` and `curl` to pivot into the internal network. No malware is deployed to endpoints.
- Traffic tunneling through the compromised device, making C2 communications indistinguishable from legitimate management traffic.
Detection challenge: There is no endpoint telemetry to analyze. Network flow analysis and device integrity verification (comparing firmware hashes against known-good baselines) are the primary detection vectors.
Defensive response:
- Implement CISA’s KV Botnet guidance for edge device integrity.
- Enable NetFlow/IPFIX and monitor for anomalous outbound connections from network infrastructure devices.
- Segment management interfaces — management plane access should never traverse the same network as data plane traffic.
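The NetFlow/IPFIX check described above, as an added example that is not part of the original write-up: it flags flows initiated by edge devices that either pivot into the internal network or reach an unknown internet host. The device addresses, the allowlisted SIEM/syslog host and the vendor update range are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed NetFlow-style records: (src, dst, dst_port, bytes). Not real telemetry.
FLOWS = [
    ("10.0.0.1", "10.0.100.5", 443, 12000),        # edge-fw -> SIEM collector (expected)
    ("10.0.0.1", "10.0.100.5", 514, 8000),         # edge-fw -> syslog (expected)
    ("10.0.0.1", "203.0.113.77", 443, 5_400_000),  # edge-fw -> unknown internet host (suspicious)
    ("10.0.0.2", "10.0.20.15", 22, 3000),          # vpn -> internal server over SSH (suspicious)
    ("10.0.50.9", "203.0.113.77", 443, 2000),      # workstation -> internet (not infra, ignored)
]

# Assumed management-plane devices and the destinations they are expected to talk to.
INFRA_DEVICES = {"10.0.0.1": "edge-fw", "10.0.0.2": "vpn-concentrator"}
ALLOWED_DESTS = {"10.0.100.5"}                                   # assumed SIEM/syslog host
ALLOWED_NETS = [ipaddress.ip_network("198.51.100.0/24")]        # constructed vendor update range
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

def is_allowed(dst: str) -> bool:
    addr = ipaddress.ip_address(dst)
    return dst in ALLOWED_DESTS or any(addr in net for net in ALLOWED_NETS)

def flag_infra_flows(flows):
    """Alerts for flows initiated by an infrastructure device to an unexpected destination.
    Two cases from the Volt Typhoon pattern: the device pivoting into the internal network
    (lateral movement from the edge) and the device reaching an unknown internet host
    (tunnelled C2 or exfiltration)."""
    alerts = []
    for src, dst, port, nbytes in flows:
        if src not in INFRA_DEVICES or is_allowed(dst):
            continue
        kind = "edge-to-internal pivot" if ipaddress.ip_address(dst) in INTERNAL else "edge-to-internet egress"
        alerts.append({"device": INFRA_DEVICES[src], "dst": dst, "port": port, "bytes": nbytes, "kind": kind})
    return alerts

def bytes_by_device(alerts):
    """Total bytes per flagged device, useful for spotting large exfiltration volumes."""
    totals = defaultdict(int)
    for a in alerts:
        totals[a["device"]] += a["bytes"]
    return dict(totals)

if __name__ == "__main__":
    for alert in flag_infra_flows(FLOWS):
        print(alert)
```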
Pattern 2 — Cloud Identity Compromise (APT29 Model)
APT29 (Cozy Bear) has fully adapted to cloud-first enterprise environments. Their 2024–2025 campaigns against Microsoft, HPE, and European government agencies demonstrate mature cloud-native tradecraft:
- Password spray against legacy accounts or service principals that lack MFA.
- OAuth application abuse — registering rogue applications or hijacking existing app registrations to gain persistent API access.
- Token theft — stealing refresh tokens from compromised developer workstations. A single Azure/M365 refresh token can grant months of access without re-authentication.
- Mailbox exfiltration via Microsoft Graph API — reading email programmatically without triggering Outlook-level logging in default configurations.
The key insight: APT29 does not need to “hack” anything traditional. They authenticate using stolen but valid credentials, operate through legitimate APIs, and exfiltrate data through sanctioned cloud channels. From the platform’s perspective, every action looks like a normal user or application.
Detection requires:
- Unified audit logging across Azure AD, M365, and all connected SaaS. Default logging is insufficient — enable E5/G5-level audit logging.
- Impossible-travel detection on service principal authentications, not just user accounts.
- Application consent monitoring — alert on new OAuth grants, especially those requesting `Mail.Read`, `Files.ReadWrite.All`, or `Directory.ReadWrite.All`.
- Token lifetime analysis — flag refresh tokens active for anomalously long periods without re-authentication.
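The consent-monitoring and token-lifetime checks from the list above, as an added example rather than code from the original post. The audit records are constructed and simplified (real Entra ID audit entries carry many more fields), and the 30-day refresh-token threshold is an assumed policy value, not a Microsoft default.

```python
from datetime import datetime, timedelta

# Scopes the post singles out as high-value for mailbox, file and directory access.
RISKY_SCOPES = {"Mail.Read", "Files.ReadWrite.All", "Directory.ReadWrite.All"}
MAX_REFRESH_TOKEN_AGE = timedelta(days=30)  # assumed policy threshold

# Constructed, simplified consent audit records.
CONSENT_EVENTS = [
    {"op": "Consent to application", "app": "Contoso Expense Sync", "actor": "alice@example.com",
     "scopes": ["User.Read", "offline_access"], "admin_consent": False},
    {"op": "Consent to application", "app": "PDF Helper", "actor": "bob@example.com",
     "scopes": ["Mail.Read", "offline_access"], "admin_consent": False},
    {"op": "Consent to application", "app": "Backup Agent", "actor": "admin@example.com",
     "scopes": ["Directory.ReadWrite.All", "Files.ReadWrite.All"], "admin_consent": True},
]
# Constructed refresh-token usage: (subject, issued at, last seen used at), UTC.
TOKEN_USAGE = [
    ("svc-build@example.com", "2025-01-02T08:00:00Z", "2025-01-10T08:00:00Z"),
    ("dev-laptop-carol", "2025-01-02T08:00:00Z", "2025-03-15T08:00:00Z"),  # 72 days, no re-auth
]

def _parse(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def risky_consents(events):
    """Flag consent grants that include any risky scope. Admin (tenant-wide) consent is
    rated higher because the app can then act against every mailbox or object in the tenant."""
    findings = []
    for e in events:
        if e["op"] != "Consent to application":
            continue
        hit = RISKY_SCOPES.intersection(e["scopes"])
        if hit:
            severity = "high" if e["admin_consent"] else "medium"
            findings.append((e["app"], sorted(hit), severity))
    return findings

def long_lived_tokens(usage, max_age=MAX_REFRESH_TOKEN_AGE):
    """Subjects whose refresh token was still in use longer than max_age after issuance,
    i.e. sessions that never re-authenticated within the policy window."""
    flagged = []
    for subject, issued, last_used in usage:
        age = _parse(last_used) - _parse(issued)
        if age > max_age:
            flagged.append((subject, age.days))
    return flagged
```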
Pattern 3 — Supply Chain Infiltration (Multi-Actor)
Multiple APT groups have adopted supply chain compromise as a standard access methodology, following the blueprint established by SolarWinds (APT29) and refined by the xz Utils incident:
Software supply chain:
- Compromising open-source maintainer accounts (xz Utils model)
- Injecting malicious code into build pipelines of commercial software vendors
- Trojanizing legitimate installers distributed through compromised update servers
Service provider compromise:
- Targeting Managed Service Providers (MSPs) to gain downstream access to hundreds of customer networks
- Compromising cloud hosting providers to access tenant data
- Infiltrating HR/payroll SaaS platforms for identity and financial data
Hardware supply chain:
- Firmware implants on network equipment during manufacturing or transit (documented by Bloomberg, denied by vendors, confirmed in classified assessments)
- Modified UEFI/BIOS implants that persist below the OS level
Defensive priority: Zero-trust architecture that assumes the supply chain is compromised. Verify every binary, monitor every API call, and segment every vendor connection as if it were an untrusted network.
Pattern 4 — Destructive Operations Under Cover (Sandworm Model)
Russia’s Sandworm (GRU Unit 74455) represents the convergence of espionage, sabotage, and information warfare. Their operations against Ukraine have served as a live laboratory for destructive cyber capabilities:
Wiper variants: CaddyWiper, HermeticWiper, AcidRain, SwiftSlicer — each tailored to a specific target type (Windows endpoints, Linux servers, satellite modems, Active Directory).
Operational pattern:
- Initial compromise months before the destructive event (often via spearphishing or credential theft).
- Extensive reconnaissance and lateral movement using Impacket tools and custom PowerShell.
- Deployment of Group Policy-based wipers to maximize simultaneous impact across the domain.
- Coordination with kinetic military operations or information warfare campaigns.
Key TTP: Sandworm frequently disguises destructive operations as ransomware — deploying NotPetya-style pseudo-ransomware that encrypts without a valid decryption path. This provides plausible deniability and delays incident response, as defenders initially treat it as a criminal event.
Pattern 5 — Financial Operations (Lazarus Model)
North Korea’s Lazarus Group operates as a profit center for the regime, generating billions in stolen cryptocurrency and conducting bank heists. Their tradecraft blends espionage-grade capabilities with financially motivated operations:
Cryptocurrency theft:
- Targeting DeFi protocol developers with trojanized Node.js packages and fake job offers containing malicious PDFs.
- Compromising cryptocurrency exchange hot wallets through social engineering of key holders.
- Exploiting smart contract vulnerabilities identified through stolen source code.
The $1.5B Bybit hack (2025): Attributed to Lazarus, this operation compromised a developer’s workstation through a malicious Docker project, pivoted to internal systems, and ultimately gained access to the multi-signature wallet approval process. The funds were laundered through thousands of intermediate wallets and cross-chain bridges within hours.
Operational characteristic: Lazarus demonstrates that nation-state TTPs — zero-days, custom implants, operational patience — can be applied to purely financial objectives at a scale that dwarfs traditional cybercrime.
Infrastructure Analysis: How APTs Build and Maintain Operations
C2 Architecture Patterns
Multi-hop relays. Tier 1 APTs never communicate directly with their implants. Traffic passes through 2–4 relay nodes: compromised WordPress sites, rented VPS instances in neutral countries, and Tor exit nodes. Each hop uses a different protocol (HTTPS, DNS-over-HTTPS, WebSocket).
Domain fronting and CDN abuse. C2 traffic is routed through legitimate CDNs (Cloudflare, Fastly, Azure CDN), making it indistinguishable from normal web browsing at the network level. The actual destination is hidden behind the CDN’s shared IP space.
Operational relay boxes (ORBs). PRODAFT’s research has documented how Chinese APT groups maintain networks of compromised SOHO routers and IoT devices as operational relay infrastructure. These ORB networks provide:
- Geographic diversity (traffic appears to originate from the victim’s own country)
- Disposability (individual nodes can be burned without exposing the upstream infrastructure)
- Scale (thousands of nodes provide bandwidth for data exfiltration)
Infrastructure Lifecycle
APT infrastructure follows a predictable lifecycle that enables tracking:
- Provisioning — domains registered through privacy-protected registrars, VPS purchased with cryptocurrency, SSL certificates obtained from Let’s Encrypt or ZeroSSL.
- Staging — infrastructure sits dormant for 30–90 days to age past newly-registered-domain blocklists.
- Operational — active C2 communications during the campaign.
- Burn and rotate — infrastructure is abandoned after public exposure or mission completion. Tier 1 actors never reuse burned infrastructure; Tier 2 actors sometimes do.
Building a Detection Strategy
Focus on Behaviors, Not IOCs
IOCs (IPs, domains, hashes) are ephemeral — APTs rotate them constantly. Behavioral detections based on TTPs are durable:
| Behavior | Detection Logic |
|---|---|
| Edge device compromise | Unexpected outbound connections from network infrastructure IPs; configuration changes outside maintenance windows |
| Credential spray on cloud identity | High-volume failed auth from residential IPs; successful auth to dormant accounts |
| LDAP reconnaissance | Large LDAP query volumes from workstation-tier hosts (BloodHound signature) |
| Lateral movement via RDP | RDP sessions from server-to-server or workstation-to-DC (abnormal flow direction) |
| Data staging for exfiltration | Compression utilities (7z, rar) executed on servers; large archive files created in temp directories |
| C2 via legitimate services | Periodic beaconing patterns to cloud APIs; anomalous DNS-over-HTTPS volume |
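The "periodic beaconing" row above, worked as an added example that is not from the original post: it scores each (source, destination) pair by how regular its connection intervals are, since C2 check-ins stay near-periodic even with jitter while ordinary API use does not. The flow timestamps are constructed; the 0.8 threshold and the eight-event minimum are assumptions to tune per environment.

```python
from statistics import mean, pstdev

# Constructed flow start times in seconds: (src, dst, start_time). Not real telemetry.
SAMPLE_FLOWS = (
    # implant checking in roughly every 300 s with about +/-10% jitter
    [("10.0.50.9", "api.example.net", t) for t in (0, 310, 590, 905, 1195, 1510, 1790, 2100, 2395, 2700)]
    # bursty, human-driven use of a legitimate cloud API
    + [("10.0.50.12", "graph.example.net", t) for t in (0, 5, 120, 130, 900, 950, 1000, 3000, 3100, 4000)]
)

def beacon_score(timestamps, min_events=8):
    """Periodicity score in [0, 1] for one pair: 1 minus the coefficient of variation of
    the inter-connection gaps. Near-constant gaps (beaconing) score close to 1; irregular
    gaps score near 0. Too few events yield 0 to avoid scoring noise."""
    if len(timestamps) < min_events:
        return 0.0
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    if m == 0:
        return 0.0
    return max(0.0, 1.0 - pstdev(gaps) / m)

def find_beacons(flows, threshold=0.8):
    """Group flows by (src, dst) and return the pairs whose score meets the threshold."""
    groups = {}
    for src, dst, t in flows:
        groups.setdefault((src, dst), []).append(t)
    hits = []
    for pair, times in groups.items():
        score = beacon_score(times)
        if score >= threshold:
            hits.append((pair, round(score, 3)))
    return sorted(hits)

if __name__ == "__main__":
    for pair, score in find_beacons(SAMPLE_FLOWS):
        print(pair, score)
```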
Threat Hunting Priorities
- Hunt for pre-positioning. Volt Typhoon’s model means the compromise may have happened months ago. Hunt for dormant access: unused service accounts with recent auth, edge devices with unexplained configuration changes, and scheduled tasks that have never executed.
- Hunt in cloud audit logs. Most APT29-style compromises are invisible without E5-level Azure AD audit logging. Enable it, retain it, and actively review application consent events, mailbox access patterns, and Graph API call volumes.
- Hunt at the identity tier. Kerberos ticket anomalies, certificate-based auth from unexpected sources, and privilege escalation paths in Active Directory are the highest-value detection surfaces.
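The "dormant access" hunt from the first priority above, as an added example that is not part of the original post: it looks for service accounts whose latest sign-in is recent but whose previous sign-in is older than a dormancy window, the pattern of pre-positioned access being revived. The sign-in history, the reference time and the 90-day/14-day thresholds are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

DORMANCY = timedelta(days=90)      # assumed: no sign-in for 90 days counts as dormant
RECENT = timedelta(days=14)        # assumed: "recent" means within the last 14 days
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # constructed reference time

# Constructed successful sign-in history per service account (UTC timestamps).
SIGNINS = {
    "svc-backup":  ["2024-11-01T02:00:00Z", "2025-05-28T03:14:00Z"],   # 208-day gap, then a login
    "svc-monitor": ["2025-05-01T00:00:00Z", "2025-05-15T00:00:00Z", "2025-05-29T00:00:00Z"],
    "svc-legacy":  ["2024-01-10T09:00:00Z"],                           # dormant and still dormant
}

def _parse(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def dormant_then_active(signins, now=NOW, dormancy=DORMANCY, recent=RECENT):
    """Accounts whose newest sign-in falls inside the recent window while the sign-in
    before it is older than the dormancy window. Returns (account, gap_in_days) pairs."""
    findings = []
    for account, times in signins.items():
        ts = sorted(_parse(t) for t in times)
        if len(ts) < 2:
            continue  # a single sign-in cannot show a revival; still-dormant accounts are a separate review
        last, prev = ts[-1], ts[-2]
        if now - last <= recent and last - prev > dormancy:
            findings.append((account, (last - prev).days))
    return findings

def still_dormant(signins, now=NOW, dormancy=DORMANCY):
    """Accounts with no sign-in at all inside the dormancy window: candidates for disablement."""
    return sorted(a for a, t in signins.items() if now - max(_parse(x) for x in t) > dormancy)

if __name__ == "__main__":
    print("revived:", dormant_then_active(SIGNINS))
    print("dormant:", still_dormant(SIGNINS))
```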
Conclusion
The 2025 APT landscape is defined by convergence: espionage groups adopting criminal techniques, criminal groups operating with nation-state sophistication, and all of them shifting toward cloud-native, identity-focused operations that make traditional perimeter security irrelevant.
Defenders who wait for IOC feeds are defending against yesterday’s campaign. The organizations that detect and survive APT operations are the ones that hunt for behavioral anomalies — because the techniques are more stable than the infrastructure, and the infrastructure is more stable than the IOCs.
References
- PRODAFT. APT infrastructure analysis and ORB network research. prodaft.com
- Microsoft Threat Intelligence. Volt Typhoon, Midnight Blizzard (APT29), Mint Sandstorm activity reports. microsoft.com
- CrowdStrike. 2025 Global Threat Report. crowdstrike.com
- Mandiant. M-Trends 2025 and APT campaign analysis. mandiant.com
- CISA. Volt Typhoon advisory (AA24-038A) and KV Botnet guidance. cisa.gov
- MITRE ATT&CK. Group profiles and technique mapping. attack.mitre.org
- Chainalysis. North Korean cryptocurrency theft analysis. chainalysis.com