However, they, at least in my experience, are limited. They seem to limit themselves to Windows systems. I've not yet seen (not that it hasn't happened, but I've not seen it) a Unix system compromised by the APT. If you have, chime in at any time. So far, they've all been Windows systems. This is understandable and predictable. One place I've seen the APT establish a presence is on a web server. Yes, the APT is on your web server. In my experience this has been for C2.
Common traits of an APT web server compromise that I've seen:
Windows Server 2003
Often poorly managed - the system may be a development system, or one that is in the process of being decommissioned.
Administrator is the most commonly used account for management.
Security logs and auditing are weak and not offloaded or rolled over periodically.
RDP is available.
They modify forward DNS lookups for their domains to point to your system.
They don't really attempt to hide their presence.
They create files and host them on your webserver.
Excessive use of the Administrator account, often during non-business hours.
Server may begin proxying traffic to/from China.
A pattern change toward many-to-one relationships, meaning your server will begin seeing requests from many hosts that it normally never receives traffic from, and the requests are for files and pages that didn't exist prior to the incident. This is often a behavioral pattern anomaly.
Logs on the server will likely indicate the presence of new files in the form of excessive requests to which your server will likely respond with a 404. That is, of course, until your server goes active and DNS propagation occurs.
Your webserver may begin to initiate outbound connections to remote systems that it is not cleared to communicate with and may begin acting as a proxy.
The administrator account is being used to browse the web from the web server. This should be a no-no in any environment and is therefore an anomalous event.
Your webserver may resolve to a domain that is not yours.
As mentioned above, you'll note a behavioral change in who is talking to your server and for what.
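The two log indicators above (many previously unseen hosts requesting paths that did not exist before, answered with 404s) can be turned into a baseline-versus-incident comparison. The following Python is an added example, not code from the original post: it assumes a simplified IIS/W3C-style line format (date, time, client IP, method, URI stem, status), constructed log lines for both windows, and hypothetical thresholds (`min_hosts`, `min_requests`) that you would tune to your own traffic.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample data in a simplified W3C/IIS field order:
# date time c-ip cs-method cs-uri-stem sc-status
# The baseline is a window of normal traffic before the suspected incident.
BASELINE_LOG = """\
2010-02-01 09:12:01 10.0.0.5 GET /index.html 200
2010-02-01 09:13:44 10.0.0.7 GET /products.html 200
2010-02-01 10:02:10 10.0.0.5 GET /about.html 200
2010-02-01 11:45:03 10.0.0.9 GET /index.html 200
"""

# Constructed incident window: unfamiliar hosts ask for a file that does not
# exist yet, and the server answers 404 until the file is actually dropped.
INCIDENT_LOG = """\
2010-02-08 02:12:01 10.0.0.5 GET /index.html 200
2010-02-08 02:15:22 203.0.113.10 GET /images/upd.gif 404
2010-02-08 02:15:40 203.0.113.11 GET /images/upd.gif 404
2010-02-08 02:16:05 198.51.100.23 GET /images/upd.gif 404
2010-02-08 02:16:31 198.51.100.77 GET /images/upd.gif 404
2010-02-08 02:17:02 203.0.113.10 GET /cmd.aspx 404
2010-02-08 03:00:00 198.51.100.23 GET /cmd.aspx 404
2010-02-08 09:30:00 10.0.0.7 GET /products.html 200
2010-02-08 09:31:00 10.0.0.7 GET /missing.png 404
"""


def parse(text):
    """Parse the simplified log format into a list of dicts."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):  # skip W3C header directives
            continue
        date, time, ip, method, uri, status = line.split()
        rows.append({
            "ts": datetime.fromisoformat(f"{date} {time}"),
            "ip": ip,
            "method": method,
            "uri": uri.lower(),
            "status": int(status),
        })
    return rows


def find_new_path_bursts(baseline_rows, incident_rows, min_hosts=3, min_requests=3):
    """
    Return paths that (a) never appeared in the baseline window, (b) are being
    answered with 404 (the file does not exist yet), and (c) are requested by
    at least `min_hosts` distinct clients: the many-to-one pattern.
    """
    known_paths = {r["uri"] for r in baseline_rows}
    hosts = defaultdict(set)
    hits = Counter()
    for r in incident_rows:
        if r["uri"] in known_paths or r["status"] != 404:
            continue
        hosts[r["uri"]].add(r["ip"])
        hits[r["uri"]] += 1
    return {
        uri: {"requests": hits[uri], "distinct_hosts": sorted(hosts[uri])}
        for uri in hits
        if len(hosts[uri]) >= min_hosts and hits[uri] >= min_requests
    }


def new_talkers(baseline_rows, incident_rows):
    """Client IPs that never talked to the server during the baseline window."""
    known_ips = {r["ip"] for r in baseline_rows}
    return sorted({r["ip"] for r in incident_rows} - known_ips)


if __name__ == "__main__":
    base, inc = parse(BASELINE_LOG), parse(INCIDENT_LOG)
    for uri, info in find_new_path_bursts(base, inc).items():
        print(f"new path {uri}: {info['requests']} x 404 from {info['distinct_hosts']}")
    print("hosts not seen in baseline:", new_talkers(base, inc))
```

A single 404 for a missing image (`/missing.png` from a known host) is ignored, while the same nonexistent path requested by several unfamiliar addresses is flagged; once the file is actually placed on the server those requests turn into 200s, so the same comparison should also be run on successful requests for paths absent from the baseline.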
Cull your logs for: