February 2026 APT Group Trends Report
Key APT Groups
Among the activities of APT groups in February 2026, attacks by APT28, Lotus Blossom, TA-RedAnt (APT37), UAT-8616, UNC3886, and UNC6201 were particularly prominent.
Lotus Blossom exploited the Notepad++ supply chain infrastructure to inject malicious executables into legitimate update processes, combining DLL sideloading with multi-stage loaders to deploy the Chrysalis backdoor and Cobalt Strike Beacon. This attack targeted the update chain used by diverse organizations including developers, government agencies, telecommunications, and aviation, constituting a supply chain breach. Post-infection, it enables system information collection, remote command execution, and file exfiltration, posing a very high risk.
APT28 weaponized Microsoft Office and MSHTML zero-day vulnerabilities (CVE-2026-21509, CVE-2026-21513) immediately after their disclosure, launching large-scale attacks against European military, government, and transportation agencies, as well as Ukrainian organizations. They employed complex multi-stage loading chains—including spear-phishing documents, LNK-based exploits, WebDAV external calls, COM hijacking, and steganography—to evade detection. Ultimately, they installed remote control implants like Covenant Grunt to maintain long-term internal control.
TA-RedAnt (APT37) directly targeted air-gapped environments, combining various ‘air-gap bypass’ techniques: LNK-based initial compromise, Zoho WorkDrive-based C2 communication, Ruby runtime droppers, and command delivery/data exfiltration via removable media (USB). This enables persistent reconnaissance, keylogging, and audio/video collection even within closed network environments, demonstrating a high threat level capable of effectively neutralizing air-gapped security models.
UNC3886 was confirmed to have exploited zero-day vulnerabilities against a major Singaporean telecommunications provider, bypassing perimeter firewalls and establishing covert communications over the ORB network. It evaded detection via rootkits while simultaneously stealing communication infrastructure technical data.
UAT-8616 exploited a zero-day authentication bypass vulnerability (CVE-2026-20127) in Cisco Catalyst SD-WAN to gain administrator privileges. It then chained an additional vulnerability (CVE-2022-20775) to seize root privileges, establishing a long-term foothold on the control plane. Furthermore, UNC6201 conducted high-risk attacks by exploiting a zero-day vulnerability (CVE-2026-22769) in Dell RecoverPoint for Virtual Machines to directly compromise VMware backup and recovery infrastructure. It deployed the GRIMBOLT and BRICKSTORM backdoors to neutralize recovery systems.
Major APT Group Trends by Region
1) North Korea
North Korean-affiliated threat groups are intensifying their focus on financial theft, expanding their use of Medusa RaaS to target healthcare and non-profit organizations with financial and man-in-the-middle attacks. They are also attempting sophisticated interactive attacks, such as the ‘Prospect Call’ technique, which disguises itself as legitimate business meetings to directly steal macOS credentials using real-time social engineering. Concurrently, UNC1069 actively employs financial crime-oriented intrusion techniques exploiting AI and meeting platforms, including deepfake videos, fake Zoom meetings, and ClickFix-based command execution. TA-RedAnt (APT37) is enhancing its multi-stage attack capabilities to penetrate even air-gapped environments by combining Zoho WorkDrive C2, USB-based propagation, and Ruby-based loaders.
North Korean threat groups are rapidly evolving their attacks against high-value sectors like finance, cryptocurrency, and healthcare, centered on four pillars: expanded RaaS utilization, real-time social engineering, AI/deepfake-based trust exploitation, and advanced air-gapped network penetration techniques.
Lazarus
Lazarus has conducted financially motivated ransomware and extortion attacks targeting the U.S. healthcare sector and organizations in the Middle East using the Medusa ransomware.
| Case 1. | |
|---|---|
| Period | November 2025 – February 2026 |
| Targets | U.S. healthcare institutions · U.S. mental health nonprofit organizations · Autism education facilities · Three U.S. private companies · Middle Eastern organizations |
| Initial compromise | Medusa ransomware deployment · Attempted ransomware deployment after initial compromise · Financially motivated penetration |
| Exploited Vulnerabilities | None |
| Malware and Tools | Medusa: ransomware operated as a ransomware-as-a-service · Comebacker: customized backdoor and loader associated with Lazarus · Blindingcan: remote access Trojan associated with Lazarus · ChromeStealer: tool for extracting saved passwords from the Chrome browser · Curl: data transfer tool supporting various network protocols · Infohook: information-stealing malware · Mimikatz: publicly available credential-dumping tool · RP_Proxy: custom proxy tool |
| Techniques | Utilization of the RaaS model · Conducting extortion attacks targeting U.S. healthcare institutions · Theft of browser-stored passwords · Utilizing custom backdoors and RATs · Routing network communications through proxy tools · Deploying ransomware for financial gain |
| Impact | Data encryption · Average ransom demand of $260,000 · Risk of operational disruption for healthcare institutions · Attempts to extort money |
| Details | Lazarus conducts extortion attacks targeting the U.S. healthcare sector using Medusa ransomware · Deployed Medusa ransomware targeting Middle Eastern organizations · Attempted infiltration of three U.S. healthcare institutions · Used tools such as Comebacker and Blindingcan to conduct penetration and collect credentials · Credential theft carried out using ChromeStealer and Mimikatz · Continued activities aimed at generating monetary profit based on the RaaS model |
| Source | North Korean Lazarus Group Now Working With Medusa Ransomware [1] |
BlueNoroff, associated with the Lazarus Group, used Telegram and Microsoft Teams phishing calls to trick macOS users into executing terminal commands directly, enabling Keychain credential theft and data staging for exfiltration.
| Case 2. | |
|---|---|
| Period | June 30, 2025 – January 20, 2026 |
| Targets | macOS users · Crypto/Web3 organizations · Financial organizations |
| Initial compromise | Impersonating potential clients or partners on Telegram · Switching conversations to Microsoft Teams calls · Inducing execution of terminal commands under the pretext of resolving audio issues · Use of the lookalike domain teams.microscall[.]com |
| Exploited Vulnerabilities | None |
| Malware and Tools | curl: downloading malicious binaries · chmod: granting execute permissions to downloaded files · codesign: performing ad-hoc code signing · nohup: running background/detached processes · osascript: performing data staging by creating directories and copying files · com.apple.sys.receipt: executable stored in the cache path · com.apple.icloud.sync: secondary component executed from a temporary app bundle path · .aLTJwk: hidden file executed from the /private/tmp path |
| Techniques | Pre-contact and trust-building via Telegram · Real-time social engineering via Teams calls · Using audio troubleshooting as a pretext · Cache path disguised to look like a system path · Payload download using curl · Permission change with chmod 777 · Reducing execution friction with ad-hoc code signing · Isolated execution using nohup · Execution of a secondary component from a temporary path · Extracting a zip and executing a hidden file · Direct copy of the user Keychain database · AppleScript-based data staging · Outbound connection to a newly registered attacker-controlled domain |
| Impact | Access to user Keychain credentials · Credential theft · Preparation for data exfiltration · Communication with attacker-controlled infrastructure |
| Details | Impersonating a business prospect or partner on Telegram, then directing the victim to a Teams call · Inducing the victim to execute terminal commands directly under the pretext of resolving audio issues · Downloading a binary via curl to the /Library/Caches/com.apple.sys.receipt path and granting it execute permission · Using codesign and nohup to reduce execution friction and run in isolation · Additional execution of a secondary component and hidden files under /private/tmp/com.apple.icloud.sync.app · Collecting credentials by copying login.keychain-db · Staging files and directories using osascript to prepare for exfiltration |
| Source | North Korea’s “Prospect Call” Trap: Lazarus Turns Teams Meetings into macOS Credential Theft [2] |
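The Case 2 table lists the observable artifacts of the Prospect Call chain (curl into /Library/Caches/com.apple.sys.receipt, chmod 777, ad-hoc codesign, nohup, the /private/tmp app bundle and hidden file, the login.keychain-db copy, osascript staging, and the teams.microscall[.]com domain). The following detection triage script is an added example, not code from the report or from the cited sources: it scores a host's process and network events against those indicators so that a single weak hit (a developer running codesign or osascript) stays informational while the full chain raises an alert. The log line format, rule names, weights and threshold are assumptions made for this example, as are the constructed sample events.

```python
import re

# Indicator rules derived from the Case 2 table: tool names, the cache and
# /private/tmp paths, the keychain file and the lookalike domain. The log line
# format ("<ts> user=<u> event=exec cmd=<...>" / "event=net dst=<host>"), the
# rule names and the weights are assumptions made for this added example and
# do not correspond to any particular EDR product's schema.
RULES = [
    # (rule name, pattern applied to the whole log line, weight)
    ("curl_to_cache_path", re.compile(r"\bcurl\b.*/Library/Caches/com\.apple\.sys\.receipt"), 3),
    ("chmod_777",          re.compile(r"\bchmod\s+777\b"), 1),
    ("adhoc_codesign",     re.compile(r"\bcodesign\b"), 2),
    ("nohup_launch",       re.compile(r"\bnohup\b"), 1),
    ("tmp_app_bundle",     re.compile(r"/private/tmp/com\.apple\.icloud\.sync\.app"), 3),
    ("hidden_tmp_file",    re.compile(r"/private/tmp/\.aLTJwk\b"), 3),
    ("keychain_db_copy",   re.compile(r"login\.keychain-db"), 3),
    ("osascript_staging",  re.compile(r"\bosascript\b"), 1),
    ("lookalike_domain",   re.compile(r"teams\.microscall\.com"), 3),
]
ALERT_THRESHOLD = 6  # assumed: two strong indicators, or one strong plus several weak ones


def match_line(line):
    """Return the names of every rule that fires on a single log line."""
    return [name for name, pattern, _ in RULES if pattern.search(line)]


def triage(lines, threshold=ALERT_THRESHOLD):
    """Score the log lines of one host/session against the indicator rules.

    Each rule counts once however often it fires, so a repeated event does not
    inflate the score; `matched` records the first line number each rule hit.
    """
    matched = {}
    for lineno, line in enumerate(lines, start=1):
        for name in match_line(line):
            matched.setdefault(name, lineno)
    weights = {name: weight for name, _, weight in RULES}
    score = sum(weights[name] for name in matched)
    if score >= threshold:
        verdict = "alert"
    elif matched:
        verdict = "info"
    else:
        verdict = "clean"
    return {"score": score, "verdict": verdict, "matched": matched}


# Constructed sample events reproducing the chain described in the Case 2 table
# (download host redacted; timestamps and user name are invented).
SAMPLE_LOG = [
    "2026-01-15T10:02:11Z user=alice event=exec cmd=curl -o /Library/Caches/com.apple.sys.receipt [URL redacted]",
    "2026-01-15T10:02:12Z user=alice event=exec cmd=chmod 777 /Library/Caches/com.apple.sys.receipt",
    "2026-01-15T10:02:12Z user=alice event=exec cmd=codesign -s - /Library/Caches/com.apple.sys.receipt",
    "2026-01-15T10:02:13Z user=alice event=exec cmd=nohup /Library/Caches/com.apple.sys.receipt",
    "2026-01-15T10:02:20Z user=alice event=exec cmd=/private/tmp/com.apple.icloud.sync.app/Contents/MacOS/com.apple.icloud.sync",
    "2026-01-15T10:02:21Z user=alice event=exec cmd=/private/tmp/.aLTJwk",
    "2026-01-15T10:02:30Z user=alice event=exec cmd=cp /Users/alice/Library/Keychains/login.keychain-db /private/tmp/stage/",
    "2026-01-15T10:02:31Z user=alice event=exec cmd=osascript -e 'do shell script \"mkdir -p /private/tmp/stage\"'",
    "2026-01-15T10:02:35Z user=alice event=net dst=teams.microscall.com",
]

# Constructed benign developer activity: a few of the same tools, none of the
# chain-specific paths or the lookalike domain.
BENIGN_LOG = [
    "2026-01-15T09:00:00Z user=bob event=exec cmd=curl -o /tmp/node.tar.gz https://nodejs.org/dist/latest/node.tar.gz",
    "2026-01-15T09:00:05Z user=bob event=exec cmd=chmod 755 build.sh",
    "2026-01-15T09:01:00Z user=bob event=exec cmd=codesign --verify --verbose MyApp.app",
    "2026-01-15T09:01:30Z user=bob event=exec cmd=osascript -e 'display notification \"build done\"'",
]

if __name__ == "__main__":
    for label, log in (("sample", SAMPLE_LOG), ("benign", BENIGN_LOG)):
        result = triage(log)
        print(f"{label}: {result['verdict']} (score {result['score']})")
        for name, lineno in sorted(result["matched"].items()):
            print(f"  {name:<20} first seen on line {lineno}")
```

The weights encode the table's own distinction: the fake-system-name paths, the keychain copy and the lookalike domain are specific to this campaign and score high on their own, whereas chmod, nohup, codesign and osascript are everyday macOS utilities and only matter in combination. Feeding the script real EDR or unified-log exports requires mapping those records onto the assumed `event=exec cmd=...` / `event=net dst=...` layout first.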
[1] https://www.security.com/threat-intelligence/lazarus-medusa-ransomware
[2] https://daylight.ai/blog/prospect-call-microsoft-teams-meetings