February 2026 APT Group Trends Report
Purpose and Scope.
This report summarizes major APT group activity in February 2026.
The analysis covers supply chain compromises, zero-day exploitation, network segregation bypass, and compromises of backup and network infrastructure.
The major groups covered in the report are APT28, Lotus Blossom, TA-RedAnt (APT37), UAT-8616, UNC3886, and UNC6201.
Major APT Groups by Region.
Lotus Blossom compromised the Notepad++ update chain to inject malicious executables into legitimate updates, then used DLL sideloading combined with multi-stage loaders to deploy the Chrysalis backdoor and Cobalt Strike Beacon.
This is a supply chain attack against an update chain used by a wide range of organizations, including software developers, government agencies, telecommunications, and aviation; after infection it enables system information collection, remote command execution, and file exfiltration.
APT28 weaponized Office and MSHTML zero-days (CVE-2026-21509, CVE-2026-21513) shortly after their disclosure and launched a large-scale APT campaign against European military, government, and transportation organizations, as well as Ukrainian organizations.
The group used a complex multi-stage loading chain of spear-phishing documents, LNK exploits, WebDAV calls, COM hijacking, and steganography to install remote-control implants such as Covenant Grunt.
TA-RedAnt (APT37) targeted disconnected (air-gapped) environments, combining LNK-based initial access, Zoho WorkDrive-based C2, Ruby runtime droppers, USB propagation, and command delivery to conduct persistent reconnaissance, keylogging, and audio/video collection inside closed networks.
UNC3886 targeted a major telecommunications company in Singapore, using zero-days to bypass perimeter firewalls, evading detection with ORB (operational relay box) network-based covert communications and rootkits, and stealing technical data on telecommunications infrastructure.
UAT-8616 used a Cisco Catalyst SD-WAN authentication bypass zero-day (CVE-2026-20127) together with an additional vulnerability (CVE-2022-20775) to gain administrator and root privileges and establish a long-term foothold on the control plane.
UNC6201 exploited a Dell RecoverPoint for VMs zero-day (CVE-2026-22769) to compromise VMware backup and recovery infrastructure and neutralize recovery mechanisms with the GRIMBOLT-BRICKSTORM backdoor.
North Korean-affiliated groups targeted the financial, healthcare, and cryptocurrency sectors, leveraging Medusa RaaS, real-time social engineering (Prospect Call), deepfakes and meeting platforms, and increasingly advanced penetration of segregated networks.
Lazarus used Medusa ransomware together with custom backdoors and stealers against U.S. healthcare organizations and Middle Eastern organizations to extort money and threaten disruption.
Conclusion.
The APT activity observed in February 2026 combined zero-days, supply chain compromise, and air-gap evasion techniques, increasing the risk of prolonged intrusion into high-value infrastructure and the neutralization of data and recovery systems.
The impact is particularly significant when administrative privileges are gained over software update chains, backup and recovery systems, and SD-WAN.
From a security operations perspective, rapid vulnerability response, supply chain integrity verification, and a reexamination of the supplementary controls around network segregation are needed.