Kaspersky claims to have discovered 32 “super dangerous” zero-days in the last decade in products from Adobe, Microsoft and Google, among others.
Sergey Lozhkin, head of the company’s global research and analysis team in the APAC and META regions, speaking at the company’s cyber security conference in Phuket, Thailand, on 23 May, said one of the most recent was a vulnerability in Google’s Chrome browser that Kaspersky discovered earlier this year.
A zero-day is a vulnerability that is unknown to the vendor, and therefore unpatched, at the time it is exploited; a bad actor who holds one can use it to gain access to a system and exfiltrate data. “If you have a zero-day, it’s an open doorway into the system,” he said.
Lozhkin added that the Chrome zero-day had been used in targeted attacks by an advanced persistent threat (APT) actor, which he said was sponsored by a nation state he didn’t name.
“Everybody uses a browser and everybody clicks links. Everyone is a potential victim if you use any browser. It doesn’t matter if you use Firefox or Safari. A browser is a very popular door in incoming attacks.”
The Chrome zero-day was a one-click attack, said Lozhkin.
“The bad guys sent a mail, with a link to a website relating to an economic discussion forum for Russian users. Imagine if a company received the mail, and an employee clicked on the link, the zero-day would immediately be triggered and malware would be in the system. A nation state-sponsored actor will then exfiltrate all their data.”
Lozhkin said only governments will typically have the resources needed to develop the most dangerous and sophisticated malware. “To catch these kinds of attacks and analyse them takes time, effort, experience and knowledge. But the targets are always the same – the government, telecommunications and IT companies,” he said.
The most active APT groups in 2025 include SideWinder, TetrisPhantom and the Lazarus Group, the last of which Lozhkin sees as the most dangerous: it has stolen an estimated $10 billion over the past decade, he said. The group is said to have links with the North Korean government.
“It’s nation-state sponsored, and they’re hunting money.”
He said Lazarus has been responsible for recent breaches of crypto markets and exchanges as well as traditional banks. “If they have this amount of money, they can train [staff] and build [malicious programs].
“They are masters at social engineering,” he said, and mentioned a recent Lazarus Group campaign that has become known as “Operation 99”. Here, a fake company, complete with a bank account, is officially registered in a target country and lures developers into applying for work. The developers are then asked to do code reviews, in the course of which they download malicious files. “They’re very imaginative. They’ll call you on WhatsApp and speak to you in perfect English, with no accent,” he said, adding that a developer at a crypto-currency exchange had been a recent victim.
In contrast to the Lazarus Group, the TetrisPhantom group specialises in offline attacks and can infiltrate targets that aren’t connected to the internet. The group uses USB drives to infect targets’ laptops, which in turn infect the company’s systems the next time the person connects to the network. “You won’t see a single file on the USB drive because they create stealth file systems. You can delete everything, but it [the malicious file] will still be there.” He said the file runs in memory rather than from disk.
“Nobody removes servers or critical infrastructure, which is why they created file-less malware to live inside the memory, which won’t leave a trace on the hard disk, and it can live for years.”
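The article does not say how TetrisPhantom’s “stealth file system” is built, but the simplest way to hide data on a removable drive from a user who “deletes everything” is to put it where no file system exists at all: in sectors that no partition covers. The check below is an added example written for this page, not Kaspersky’s tooling or a description of the actual implant. It parses a classic MBR partition table, lists the sector ranges that belong to no partition (ignoring the conventional 1 MiB alignment gap before the first one), and counts how many of those sectors hold non-zero bytes. The disk image it runs on is constructed inline: one FAT32 partition plus a marker blob planted in the unallocated tail. The 2048-sector alignment allowance and the “non-zero means worth a look” heuristic are assumptions, and leftover data from a previous use of the stick is a benign explanation that has to be ruled out by hand.

```python
import struct

SECTOR = 512
ALIGNMENT_GAP = 2048  # assumption: up to 1 MiB before the first partition is normal tool alignment


def parse_mbr(mbr):
    """Parse the four primary entries of a classic MBR.

    Returns a list of (type, start_lba, sector_count) for non-empty entries,
    sorted by start LBA. Partition types are not interpreted beyond 'empty or not'.
    """
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing MBR boot signature")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        ptype = mbr[off + 4]
        start, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype != 0 and count != 0:
            parts.append((ptype, start, count))
    return sorted(parts, key=lambda p: p[1])


def unallocated_ranges(parts, total_sectors):
    """Sector ranges [start, end) that no partition covers.

    The region before ALIGNMENT_GAP is skipped; gaps between partitions and
    any tail after the last partition are reported. Overlapping entries are
    tolerated by always advancing the cursor to the furthest end seen.
    """
    gaps = []
    cursor = ALIGNMENT_GAP
    for _, start, count in parts:
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, start + count)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors))
    return gaps


def nonzero_sectors(image, gaps):
    """For each gap, count sectors containing any non-zero byte.

    Returns a list of (start, end, nonzero_count). Data in unallocated space is
    not proof of a hidden file system, only a reason to image and inspect it.
    """
    report = []
    for start, end in gaps:
        n = 0
        for lba in range(start, end):
            chunk = image[lba * SECTOR:(lba + 1) * SECTOR]
            if any(chunk):
                n += 1
        report.append((start, end, n))
    return report


def audit(image, total_sectors):
    """Run the whole check over a raw disk image (bytes) of total_sectors sectors."""
    parts = parse_mbr(image[:SECTOR])
    return nonzero_sectors(image, unallocated_ranges(parts, total_sectors))


def build_sample_image():
    """Constructed 4 MiB image: one FAT32 partition (LBA 2048, 4096 sectors) and
    a marker blob planted at sector 7000, beyond the partition, to stand in for
    hidden data. Returns (image_bytes, total_sectors)."""
    total = 8192
    image = bytearray(total * SECTOR)
    # entry 1: bootable flag 0x80, CHS fields zero, type 0x0C (FAT32 LBA), then LBA start/count
    entry = bytes([0x80, 0, 0, 0, 0x0C, 0, 0, 0]) + struct.pack("<II", 2048, 4096)
    image[446:462] = entry
    image[510:512] = b"\x55\xaa"
    image[7000 * SECTOR:7001 * SECTOR] = b"HIDDENFS" * 64  # constructed marker, 512 bytes
    return bytes(image), total


if __name__ == "__main__":
    img, total = build_sample_image()
    for start, end, n in audit(img, total):
        print(f"unallocated sectors {start}-{end}: {n} non-zero sector(s)")
```

Against a real stick you would pass the contents of the block device (read with root privileges) and its size in sectors instead of the constructed image; a drive using a GPT layout needs a different parser, and a hidden area could also live inside a partition in space the file system marks as free, which this check does not cover.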