Executive Summary
Between Q2 and Q3 2025, ESET researchers identified a significant rise in sophisticated Advanced Persistent Threat (APT) attacks spanning multiple regions and industry verticals. State-sponsored actors leveraged encrypted communications and advanced lateral movement tactics to compromise organizations’ east-west cloud traffic, successfully bypassing conventional perimeter defenses. These campaigns exploited unmonitored internal traffic and insufficient network segmentation, leading to the exfiltration of sensitive data and critical infrastructure disruptions. The attackers demonstrated thorough knowledge of multi-cloud environments, combining zero-day exploits with stolen credentials to maintain persistent access and evade detection for weeks.
This incident is emblematic of a broader trend—APT groups are accelerating the use of sophisticated, stealthy methods in hybrid cloud contexts. Modern enterprises must recognize the increased risk to east-west workloads, stay vigilant to evolving TTPs, and augment internal defenses in the face of rising geopolitical tensions and regulatory enforcement.
Why This Matters Now
This incident underscores the urgent need for organizations to address internal visibility gaps and enforce segmentation in multi-cloud and hybrid environments. As APT actors increasingly bypass traditional defenses and leverage encrypted channels, failure to adapt security controls now can leave businesses highly vulnerable to advanced, persistent threats.
Attack Path Analysis
APT actors initiated the attack by exploiting a cloud misconfiguration or stolen credentials to gain initial access. Privileges were escalated through manipulation of IAM roles or abuse of container runtime permissions. Lateral movement was achieved via east-west traffic between workloads, possibly including Kubernetes pod-to-pod traversal or multi-region pivoting. The adversary established command and control using encrypted outbound channels, evading perimeter controls. Data was exfiltrated covertly, leveraging egress channels to external destinations. Finally, the attackers executed disruptive actions such as deploying ransomware, deleting backups, or impacting business operations.
Kill Chain Progression
Initial Compromise
Description
Attackers gained access through cloud service misconfiguration or compromised credentials, exploiting exposed interfaces.
Related CVEs
CVE-2025-20393 (CVSS 10)
A critical vulnerability in Cisco AsyncOS Software allows unauthenticated remote attackers to execute arbitrary system-level commands.
Affected Products:
- Cisco Secure Email Gateway – AsyncOS Software
- Cisco Secure Email and Web Manager – AsyncOS Software
Exploit Status: exploited in the wild

CVE-2025-41244 (CVSS 7.8)
A local privilege escalation vulnerability in VMware Tools and VMware Aria Operations allows a local user to gain root access on a virtual machine.
Affected Products:
- VMware Tools – 12.4.9, 12.5.4
- VMware Aria Operations – SDMP enabled
Exploit Status: exploited in the wild

CVE-2025-31324 (CVSS 10)
A critical vulnerability in SAP NetWeaver Visual Composer allows unauthenticated attackers to upload arbitrary files, leading to remote code execution.
Affected Products:
- SAP NetWeaver Visual Composer – All versions
Exploit Status: exploited in the wild

CVE-2025-61932 (CVSS 9.3)
A critical vulnerability in Motex Landscope Endpoint Manager allows remote code execution due to improper verification of incoming requests.
Affected Products:
- Motex Landscope Endpoint Manager – 9.4.7.2 and earlier
Exploit Status: exploited in the wild

CVE-2025-53767 (CVSS 10)
A critical vulnerability in Azure OpenAI allows unauthenticated users to access sensitive AI data.
Affected Products:
- Microsoft Azure OpenAI – All versions
Exploit Status: exploited in the wild
MITRE ATT&CK® Techniques
Phishing
Valid Accounts
Command and Scripting Interpreter
Obfuscated Files or Information
Process Injection
Data from Local System
Exfiltration Over C2 Channel
Remote Access Software
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication for Users
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Program
Control ID: 500.02
DORA – ICT Risk Management Framework
Control ID: Article 10
NIS2 Directive – Technical and Organizational Measures
Control ID: Article 21(2)
CISA ZTMM 2.0 – Identity Management and Access Control
Control ID: ICAM.1.1
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Telecommunications
Critical exposure to APT attacks targeting encrypted traffic and network infrastructure, requiring enhanced east-west traffic security and zero trust segmentation capabilities.
Financial Services
High-value APT targets needing comprehensive threat detection, egress security controls, and multicloud visibility to protect sensitive financial data and transactions.
Government Administration
Prime APT campaign targets requiring advanced anomaly detection, secure hybrid connectivity, and cloud-native security fabric to protect classified information systems.
Health Care / Life Sciences
APT threats exploit healthcare networks through lateral movement, demanding HIPAA-compliant encrypted traffic protection and Kubernetes security for medical applications.
Sources
- The who, where, and how of APT attacks in Q2 2025–Q3 2025: https://www.welivesecurity.com/en/videos/who-where-how-apt-attacks-q2-2025-q3-2025/
- ESET APT Activity Report Q2 2025–Q3 2025: https://www.welivesecurity.com/en/eset-research/eset-apt-activity-report-q2-2025-q3-2025/
- Cisco email security products actively targeted in zero-day campaign: https://www.techradar.com/pro/security/cisco-email-security-products-actively-targeted-in-zero-day-campaign
- Broadcom finally patches dangerous VMware zero-day exploited by Chinese hackers: https://www.techradar.com/pro/security/broadcom-finally-patches-dangerous-vmware-zero-day-exploited-by-chinese-hackers
- CISA warns Motex Landscope Endpoint Manager has a worrying security flaw, so patch now: https://www.techradar.com/pro/security/cisa-warns-motex-landscope-endpoint-manager-has-a-worrying-security-flaw-so-patch-now
- Microsoft's latest major patch fixes a serious zero-day flaw, and a host of other issues - so update now: https://www.techradar.com/pro/security/microsofts-latest-major-patch-fixes-a-serious-zero-day-flaw-and-a-host-of-other-issues-so-update-now
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix CNSF controls such as zero trust segmentation, workload isolation, continuous east-west traffic monitoring, and strict egress enforcement would have detected, contained, or prevented the attacker's movement, command and control, and exfiltration, minimizing breach scope and business impact.
Control: Multicloud Visibility & Control
Mitigation: Unusual access events detected and alerted in real time.
Control: Zero Trust Segmentation
Mitigation: Least-privilege network boundaries contain privilege escalation and prevent cross-environment abuse.
Control: East-West Traffic Security
Mitigation: Lateral movement attempts are monitored, restricted, and can be blocked.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound connections to unapproved destinations are blocked or flagged.
Control: Encrypted Traffic (HPE)
Mitigation: Detection of anomalous encrypted data flows and prevention of unapproved transfers.
Rapid detection and response to attack execution minimize dwell time and blast radius.
Impact at a Glance
Affected Business Functions
- Email Communications
- Virtualization Services
- Enterprise Resource Planning
- Endpoint Management
- AI Data Processing
Estimated downtime: 7 days
Estimated loss: $5,000,000
Potential exposure of sensitive corporate emails, virtual machine data, ERP system information, endpoint configurations, and AI processing data.
Recommended Actions
Key Takeaways & Next Steps
- Enforce identity-based zero trust segmentation and microsegmentation to contain lateral movement from compromised accounts or workloads.
- Deploy continuous east-west traffic inspection and anomaly detection to spot unauthorized internal access or covert C2 activities.
- Strictly manage and monitor egress connectivity using centralized policy enforcement, FQDN filtering, and egress NAT controls.
- Harden Kubernetes and cloud-native workloads via pod-level firewalls, namespace segmentation, and runtime enforcement.
- Maintain unified, centralized multicloud visibility and audit trails with automated alerting to enable rapid detection and response.
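As an added illustration of the east-west inspection and egress-policy items above (example code written for this page, not Aviatrix's or ESET's), the following Python script checks constructed flow-log records against an assumed tier layout, a least-privilege east-west policy and an egress allowlist, and returns the flows that a segmentation or egress control would have flagged:

```python
"""Added example: flag east-west segmentation violations and unapproved egress in flow logs."""
from ipaddress import ip_address, ip_network

# Hypothetical tiering of private address space into workload tiers (assumed layout).
TIERS = {"web": ip_network("10.1.0.0/24"),
         "app": ip_network("10.2.0.0/24"),
         "db": ip_network("10.3.0.0/24")}
# Least-privilege east-west policy: (src_tier, dst_tier) -> ports permitted; anything else is denied.
EAST_WEST_ALLOW = {("web", "app"): {443}, ("app", "db"): {5432}}
# Assumed egress allowlist of (external IP, port) and a per-flow byte ceiling for approved egress.
EGRESS_ALLOW = {("198.51.100.10", 443)}
EGRESS_BYTES_MAX = 10_000_000

# Constructed sample records: (src_ip, dst_ip, dst_port, bytes_sent), loosely modelled on VPC flow logs.
SAMPLE_FLOWS = [
    ("10.1.0.5", "10.2.0.9", 443, 1_200),            # web -> app, permitted
    ("10.2.0.9", "10.3.0.4", 5432, 800),             # app -> db, permitted
    ("10.1.0.5", "10.3.0.4", 5432, 300),             # web -> db, skips the app tier
    ("10.2.0.9", "10.2.0.17", 22, 150),              # app -> app over SSH, lateral movement
    ("10.3.0.4", "203.0.113.77", 443, 2_000),        # db -> unapproved external host
    ("10.2.0.9", "198.51.100.10", 443, 5_000),       # approved egress, normal volume
    ("10.3.0.4", "198.51.100.10", 443, 48_000_000),  # approved destination, abnormal volume
]


def tier_of(ip):
    """Return the tier name for an internal address, or None if the address is external."""
    addr = ip_address(ip)
    for name, net in TIERS.items():
        if addr in net:
            return name
    return None


def detect(flows):
    """Return (rule, src, dst, port) alerts. Internal-to-internal flows are checked against
    EAST_WEST_ALLOW; flows leaving the tiers are checked against EGRESS_ALLOW and the byte ceiling."""
    alerts = []
    for src, dst, port, nbytes in flows:
        src_tier, dst_tier = tier_of(src), tier_of(dst)
        if src_tier is None:
            continue  # inbound traffic from outside is not this detector's job
        if dst_tier is not None:
            if port not in EAST_WEST_ALLOW.get((src_tier, dst_tier), set()):
                alerts.append(("east-west-violation", src, dst, port))
        elif (dst, port) not in EGRESS_ALLOW:
            alerts.append(("unapproved-egress", src, dst, port))
        elif nbytes > EGRESS_BYTES_MAX:
            alerts.append(("egress-volume", src, dst, port))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```

In production the same checks would run over real flow-log exports with the tier map and allowlist loaded from the segmentation policy rather than hard-coded.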