APT Surge Marks Historic High in Cyber Activity Targeting U.S. Telecom


The cybersecurity threat landscape has entered a new era of intensity. Trellix’s recently released April 2025 CyberThreat Report revealed what may be the most active period of cyberattacks in U.S. history. Based on telemetry from over 30 million endpoints and sensors worldwide, the report offers a comprehensive and alarming view into the first quarter of 2025.

Advanced persistent threats (APTs), some of the most sophisticated and sustained forms of cyberattacks, surged to unprecedented levels. Trellix reported a 136% increase in APT detections compared with the previous quarter. The report attributes much of this activity to China-linked actors, including the notorious APT40 and Mustang Panda groups, but also found new growth among Russia-aligned APT entities.

“An interesting finding that this report reaffirmed is the fact that nations are beginning and continuing to use cybercriminals as their proxies,” said John Fokker, Head of Threat Intelligence at Trellix. “Not only are nation-state actors becoming increasingly active and sophisticated, but they’re also becoming more organized. We saw this with the three most active APTs coming from Russia and China, evolving and refining their tactics from past activity.”

Historic Spike in APT Detections

The 136% surge in advanced persistent threat detections during Q1 2025 marks more than just a quarterly uptick – it signals a historic inflection point in the evolution of cyber conflict. This increase seems to represent more than just a spike in malicious activity. It could point to a larger, evolving trend of geopolitical tension, with critical infrastructure and commercial sectors increasingly in the crosshairs.

APTs are not random, one-off cyberattacks. Instead, they are long-term, strategic operations typically associated with nation-state actors, focused on espionage, the theft of intellectual property, and the disruption of critical infrastructure. The fact that the number of APTs has more than doubled in just three months suggests a coordinated escalation, not just a random fluctuation.

This spike stands out for other reasons, too. Trellix reports that this is the highest volume of APT activity it has ever recorded, and it believes that the overall threat landscape isn’t just growing, it’s evolving. Attacks are more targeted, better funded, and more closely tied to geopolitical agendas. For defenders, the message is clear: reacting isn’t enough anymore. Staying ahead means adopting proactive, intelligence-driven security.

China-Linked Groups Driving Volume

Where are the attacks coming from? China-linked APT groups were the primary drivers of the Q1 2025 spike in activity, with the APT40 and Mustang Panda groups accounting for 46% of all APT detections, according to Trellix. These hacker groups are known for executing long-term, intelligence-driven campaigns that often blend cyber espionage with strategic disruption.

Another China-affiliated actor, APT41, saw a 113% increase in activity quarter-over-quarter, continuing its trend of targeting both government and private-sector organizations. This group has become notorious for its dual-purpose operations, blending state-sponsored objectives with financially motivated intrusions, making it one of the most versatile threats on the global stage.

The scale and coordination of these attacks suggest more than opportunistic hacking. Analysts point to new, more strategic goals, including intellectual property theft, surveillance, and infiltration of critical infrastructure. Tactics such as phishing, credential theft, and the use of custom malware demonstrate the sophistication of these nation-state groups and their campaigns.

Russia’s Persistent Cyber Presence

While China-linked groups dominated in volume, Russia’s APT29, also known as Midnight Blizzard, remains one of the most persistent and dangerous threats. Known for its deep ties to Russian intelligence services, APT29 has a long history of cyber espionage, particularly targeting government agencies, think tanks, and organizations tied to foreign policy.

In Q1 2025, APT29 continued its focus on stealthy, intelligence-gathering operations, with a growing emphasis on critical infrastructure. Rather than using high-profile, disruptive attacks, the group prefers long-term access and data exfiltration, often using living-off-the-land techniques and sophisticated phishing campaigns to evade detection. Its sustained presence highlights Russia’s strategic use of cyber operations as a tool of statecraft – quiet, persistent, and deeply embedded.

Telecom and Tech in the Crosshairs

Few sectors were hit harder in Q1 2025 than telecom and technology. APT activity in the telecom industry jumped by 92%, while the tech sector saw an even steeper spike of 119%. These industries are not just attractive, they’re strategic. Telecom companies manage the infrastructure that powers global communications, while technology firms hold vast amounts of intellectual property and sensitive customer data.

For threat actors, infiltrating these sectors offers high-value intelligence, potential access to broader supply chains, and even a path to future attacks against other critical targets. Nation-state groups often use telecom as both a direct target and a conduit for surveillance, while technology firms are increasingly vulnerable due to their innovation pipelines and global footprint. This trend highlights the urgent need for sector-specific defenses built on real-time threat intelligence and resilience planning.

Implications: Defending Against a New Era of Threats

The surge in APT activity isn’t just a cybersecurity issue – it’s a national security concern. With hostile nation-states escalating their campaigns against U.S. infrastructure and commercial sectors, the stakes have never been higher. Defending against today’s threats requires more than patching vulnerabilities; it demands strategic foresight, cross-sector coordination, and a shared understanding of the threat landscape.

Organizations must move from reactive to proactive security models, grounded in threat intelligence and supported by strong public-private partnerships. The April 2025 Trellix report makes it clear: no single entity can defend alone. Combating APTs will take a unified effort across industries, reinforced by government collaboration and investment in scalable, adaptive defenses.

Author
  • Contributing Writer
    Jason Rasmuson is a Massachusetts-based writer with more than 25 years of experience writing for the technology and cybersecurity industries. He is passionate about writing about the interaction between business…