Mallory
Exploits CVEs in the wild

apt

Also known as: apt, apt_actors, apt_group, apt_groups, apts

"APT groups" is a generic umbrella term for advanced persistent threat actors rather than a single named threat actor. The provided content describes APT activity in Q3 2025 as dominated by zero-day vulnerabilities that were initially uncovered during investigations of isolated incidents, followed by broader exploitation after public disclosure. Reported exploitation and post-exploitation activity associated with APT attacks included the use of common C2 frameworks such as Metasploit, Sliver, Mythic and Empire, and the rapid adoption of Adaptix C2. The content also states that exploits interacting with C2 agents in APT attacks included CVE-2020-1472 (ZeroLogon), CVE-2021-34527 (PrintNightmare), and the WinRAR vulnerabilities CVE-2025-6218 and CVE-2025-8088. The report highlights the "ToolShell" Microsoft SharePoint vulnerabilities (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771), which enable authentication bypass and full server compromise, and references CVE-2025-41244 in VMware Aria Operations and VMware Tools as a privilege-escalation issue that researchers claimed was used in real-world attacks in 2024. Separately, the content states that nation-state attacks by APT groups have been documented using NTP for passive reconnaissance inside government and critical infrastructure networks, including silent enumeration of high-value hosts by querying NTP peers before spear-phishing campaigns. Aliases present in the content are: apt, apt_actors, apt_group, apt_groups, and apts.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

MITRE ATT&CK

Tradecraft

12 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

8 of 15 tactics, 15 techniques. "×N" = number of intelligence reports citing this technique.

TA0001 Initial Access (1 technique)
  T1190 Exploit Public-Facing Application

TA0002 Execution (1 technique)
  T1059 Command and Scripting Interpreter

TA0003 Persistence (1 technique)
  T1505 Server Software Component
    T1505.003 Web Shell

TA0005 Stealth (2 techniques)
  T1036 Masquerading
    T1036.005 Match Legitimate Resource Name or Location
  T1070 Indicator Removal

TA0007 Discovery (2 techniques)
  T1018 Remote System Discovery
  T1087 Account Discovery
    T1087.002 Domain Account

TA0009 Collection (1 technique)
  T1005 Data from Local System

TA0011 Command and Control (2 techniques)
  T1090 Proxy
    T1090.001 Internal Proxy
  T1572 Protocol Tunneling

TA0040 Impact (1 technique)
  T1486 Data Encrypted for Impact
WEAPONIZED

Associated vulnerabilities

4 CVEs this actor has used in observed campaigns. 4 of them exploited in the wild.

CVE-2021-40539: Authentication Bypass and RCE in Zoho ManageEngine ADSelfService Plus (exploited in the wild; evidence: 1)

...active exploitation of a newly identified vulnerability (CVE-2021-40539) in ManageEngine ADSelfService Plus... rated critical... an authentication bypass vulnerability affecting ... REST API URLs that could enable remote code execution... reports of malicious cyber actors using exploits against CVE-2021-40539 to gain access...

CVE-2022-37969: Windows Common Log File System Driver Elevation of Privilege Vulnerability (exploited in the wild; evidence: 1)

The bug that's already being exploited in the wild, tracked as CVE-2022-37969, is in Windows' Common Log File System... Exploit code for this privilege-escalation flaw is also publicly available.

CVE-2025-34291: Langflow Origin Validation Error Account Takeover and RCE (exploited in the wild; evidence: 1)

The first flaw added to the KEV catalog targets Langflow... Tracked as CVE-2025-34291 and carrying a critical CVSS score of 9.4, the vulnerability affects all installations up to and including version 1.6.9... When an authenticated Langflow user is tricked into visiting a malicious webpage... the attacker takes over the user session and leverages Langflow’s built-in visual code execution suite to gain remote code execution (RCE) natively over the host runtime.

CVE-2026-34926: Directory Traversal in Trend Micro Apex One (On-Premise) (exploited in the wild; evidence: 1)

The second newly listed exploit hits traditional network defense layers, targeting a directory traversal vulnerability within Trend Micro Apex One. Tracked as CVE-2026-34926 (CVSS 6.7), the flaw is strictly isolated to on-premises installations of the Apex One server software... a pre-authenticated local attacker can use directory traversal primitives... to bypass filesystem restrictions and programmatically write data into highly restricted internal directories.

IOCs

Observables

300 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping (12)

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs (4)

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables (300)

Domains, IPs, and hashes tied to this actor, refreshed continuously.