An advanced and deliberate cyber operation, known as “MISSION2025,” is significantly expanding the threat surface for critical industries, like manufacturing, and is affecting other infrastructure globally.
Cyfirma researchers have linked this China-sponsored threat actor, tracked as APT41, to activity that dates back to at least 2012, yet newer evidence suggests they ramped up their activity in early 2025 with a more aggressive operational tempo.
MISSION2025’s services are well resonated with the China’s economic agenda, most notably the “Made in China 2025,” that seeks to steer China’s economy to higher value-added products and services.
The group has primarily engaged in cyberespionage and intellectual property theft, frequently focusing on sensitive information, corporate secrets, and research and development. But they also pursue intrusions for financial gain when the moment’s right because they are adversaries of the second category as well.
The global presence of the campaign is varied, with over 40 industry sectors affected across various countries worldwide, including the U.S., U.K., Japan, India, EU member states, Southeast Asia, and Taiwan.
They focus specifically on important sectors essential to national and economic security, including aerospace, defense, energy, healthcare systems, telecommunications networks, banking and manufacturing facilities. There is this broad daylight targeting that signals a very clear plan to infiltrate and abuse big money-sector across the globe.
MISSION2025 uses a variety of tactics, techniques, and procedures (TTPs) for initial access, such as spear-phishing e-mails delivering malicious attachments (e.g., ZIP archives with an obscured LNK file) and links to malicious payloads from compromised or free web hosting services.
Their tactics include social engineering, unsophisticated or extreme use of the Windows Command Shell, as well as advanced evasion techniques like in-memory payloads and also the manipulation of Windows CLFS (Common Log File System) to avoid being detected by conventional security tools. For persistence, they spawn new Windows services, edit registry run keys, and hijack legitimate program execution paths.
In a widening threat landscape, more than ever, organizations – especially ones in manufacturing and critical infrastructure – need to remain vigilant.
Cybersecurity professionals recommend using strong defenses such as thorough employee training that helps employees identify such advanced phishing attempts, strong network segmentation, system updates, and defenses capable of identifying and stopping the ever-evolving and increasingly sophisticated capabilities employed by groups like MISSION2025.
