APTs Global Review 2022–2025: Trends, Regions & Forecast
By Abigail Darwish and Aryamehr Fattahi | 22 September 2025
Summary
Advanced Persistent Threats (APTs) are increasing in frequency and sophistication, driven by digital expansion, structural vulnerabilities, and geopolitical instability.
From 2022 to 2025, incidents rose by 18.9%, with the Asia-Pacific region dominating APT activity, followed by Europe and the Middle East.
Aided by AI, APTs have become a strategic tool of both state and non-state actors, undermining deterrence and eroding trust in digital systems.
Context: The Evolving APT Landscape
In recent years, Advanced Persistent Threats (APTs) have increased in frequency [See Figure 1] and have become a persistent challenge in the global cyber landscape. An APT itself refers to a covert cyberattack in which an individual or a group gains unauthorised access to a network, where it remains undetected for a sustained period. A notable example is the ‘Lazarus Group’, attributed to the North Korean government, which, between 2021 and 2025, has stolen over USD 5b in cryptocurrency. Whilst APTs are often state-sponsored operations, non-state actors have increasingly relied on these large-scale targeted cyberattacks to achieve political, economic and military objectives.
The period 2022-2025, as examined in this study, is especially valuable as it coincides with a period of rapid digital expansion and increased geopolitical instability. Indeed, as a means to maintain operational continuity during the COVID-19 pandemic, reliance on digital services, including cloud infrastructure and remote access technologies, surged globally. This accelerated transformation, whilst necessary, also introduced a series of structural vulnerabilities. For instance, according to the Common Vulnerabilities and Exposures (CVE) list, the number of known software and hardware vulnerabilities increased by ≈52%, rising by 8,547 cases from 2018 to 2022, a span covering both the pre- and post-COVID periods.
In the latter period, from 2022 onwards, such vulnerabilities have persisted, if not intensified, as the ‘attack surface’ has broadened and the potential for intrusions increased. This has also been exacerbated by an industry-wide tendency to implement security measures reactively as opposed to proactively. This reality is compounded by heightened geopolitical instability, particularly in light of the Russia-Ukraine (2022-) and Israel-Gaza (2023-) wars, and the deterioration of US-China relations. Such dynamics have increased the appeal of cyber operations as instruments of coercion, disruption and intelligence gathering, creating an environment where APTs serve strategic rather than simply tactical purposes.
At the same time, Artificial Intelligence (AI) has increasingly been leveraged in APT attacks, with Large Language Models (LLMs) such as ChatGPT enabling more frequent and sophisticated intrusions. For example, APT groups, namely SweetSpectre, linked to China, have exploited ChatGPT for reconnaissance, vulnerability exploitation, detection evasion, and post-compromise activity. More importantly, the accessibility of ChatGPT, described as ‘convenient’ and ‘cost-effective’, has nullified the barriers to entry for malicious actors. Evidencing this, in October 2024, the founders of ChatGPT announced the disruption of 20 ‘cyber and covert influence operations’ since the beginning of the year. More generally, criminal groups operating in non-Western and non-English-speaking spheres can also exploit LLM platforms to produce credible phishing messages, a tactic that a recent Google Gemini report has attributed to an Iranian APT group.
Data Analysis: Trends and Regional Distribution
Figure 1: Number of Advanced Persistent Threats (APTs) between 2022-2025
The data shows that the number of APTs has risen steadily during this period [See Figure 1]. In 2022, this figure stood at 424, rising to 504 in 2025, representing an overall increase of 18.9%. Whilst the growth has been generally steady, the period from 2023 to 2024 experienced the largest year-over-year jump, with incidents increasing by 36 (≈8.0%).
The regional distribution of APTs in 2025 provides additional insight [See Figure 2]. The Asia-Pacific region accounts for the majority of incidents, with 54% of the global total. This concentration reflects several structural factors: the region includes the world’s most populous countries, such as China and India, and the former in particular possesses advanced digital capabilities that support sophisticated cyber operations. It is also home to numerous geopolitical rivalries, namely those between India and Pakistan, or China and Taiwan, that often manifest in cyberspace, fostering the development and deployment of APTs.
Europe (16.4%) and the Middle East (15.9%) also exhibit notable activity, likely due to the presence of capable threat actors, extensive digital infrastructure, and ongoing strategic geopolitical interests and conflicts. North America, by contrast, accounts for only 2.6% of recorded activity. This may be explained by the relatively low incentives for Canada and Mexico to conduct APT operations, and, considering that the United States (US) represents the majority of this share, it may also reflect America’s reliance on alternative cyber operations beyond traditional APT campaigns, including activities that are not publicly visible.
Regions such as Central Asia (1%), Africa (0.8%), and South America (0.8%) contribute significantly smaller shares of recorded incidents. These low levels likely reflect a combination of limited digital infrastructure, fewer sophisticated cyber capabilities, and reduced geopolitical incentives for state-sponsored or highly organised threat actors. Notably, 8.7% of incidents are attributed to unknown origins, which may be partly due to the use of AI discussed earlier, as such technologies can obscure the originating state of an attack.
Further, a closer look at national contributions within each region highlights the concentration of APT activity among a small set of states. In 2025, China made up ≈84% of Asia-Pacific APTs, Russia ≈81% of Europe APTs, and Iran ≈72% of the Middle East’s APT activity. This disproportionate representation indicates that cyber operations are still dominated by a limited number of highly capable actors, often backed by advanced digital infrastructure and strong geopolitical ambitions both regionally and globally.
Considering the data available in 2025, this trajectory of increasing APT activity, as well as the observed regional distribution, is expected to continue. The Asia-Pacific region will likely continue to represent the central focus of such activity, whilst other regions are likely to experience growth as digital adoption expands. APTs should therefore be understood not as isolated or exceptional incidents, but as a structural feature of the global cyber landscape.
Figure 2: APT Distribution by Region in 2025
Implications
The normalisation of APT operations as instruments of statecraft fundamentally alters international relations by creating persistent, low-level conflict conditions that exist below traditional warfare thresholds. Nation-states increasingly view sustained network presence within adversarial systems as strategic assets comparable to forward military deployments. This dynamic creates a new form of territorial occupation in cyberspace, where APT groups establish persistent footholds that enable intelligence collection, pre-positioned access for future operations, and demonstration of offensive capabilities.
The use of sophisticated evasion techniques, potentially aided by AI, also makes attributing APT attacks increasingly difficult, thereby weakening traditional deterrence frameworks that rely on the clear identification of threat actors. The inability to definitively attribute attacks creates opportunities for plausible deniability, enabling state actors to conduct operations whilst maintaining diplomatic flexibility. This erosion of accountability mechanisms further weakens international law enforcement and also creates incentives for escalatory responses based on incomplete information.
Moreover, as the frequency of APT attacks continues to increase, individuals and organisations, particularly in highly targeted countries such as the US, may become increasingly sceptical of the security and reliability of digital platforms, especially those underpinning critical infrastructure or holding sensitive data. The erosion of public trust is also exacerbated further by the role of AI, which bolsters the capabilities of malicious actors, lowering the technical barrier for attackers and increasing the frequency of attacks. Nevertheless, AI offers potential avenues for improved detection and mitigation of APTs, measures which could, if widely adopted, reduce exposure and strengthen public trust in the future.
Forecast
Short-term (Now - 3 months)
It is likely that APT activity will remain steady, with minor fluctuations in frequency or targeting.
It is likely that existing APT groups will continue integrating AI tools into their current operations, focusing on automating reconnaissance and improving phishing campaign effectiveness. However, significant capability enhancements will remain limited by the learning curve required to effectively weaponise these technologies.
Medium-term (3-12 months)
It is likely that ongoing geopolitical developments, particularly in Europe and the Middle East, will continue to influence the number and distribution of operations.
It is likely that AI will become more sophisticated, creating new avenues for APTs to increase their capabilities. This includes automated vulnerability discovery, enhanced social engineering, and more sophisticated evasion.
It is likely that the current regulatory gap surrounding AI use in cyber operations will be exploited by threat actors before comprehensive international frameworks emerge.
Long-term (>1 year)
It is highly likely that APT groups will increasingly emerge and that there will be a corresponding increase in activity globally.
It is likely that AI will progressively be used as a tool for detecting and preventing APTs.
There is a realistic possibility that regions currently lacking strong digital infrastructure will increasingly rely on APT use in the future.
It is likely that international cooperation mechanisms and frameworks will develop in response to increasing APT threats.