June 2026 Threat Trend Report on APT Groups
Purpose and Scope
The June 2026 Threat Trend Report on APT Groups summarizes the trend of state-sponsored threat groups actively incorporating generative AI, cloud services, OAuth tokens, and commercial MaaS (Malware-as-a-Service) platforms into their attack operations. A key finding is that the scope of attacks has expanded beyond traditional Malware infections to include account and token theft, exploitation of legitimate services, and compromises of supply chains and cloud environments.
Status of Major APT Groups by Region
North Korea
Threat actors linked to North Korea exploited developer-friendly platforms such as GitHub, Google Docs, npm, and VS Code to target developers, cryptocurrency professionals, and information security personnel. Social engineering tactics included job offers, code reviews, notifications of personal data breaches, and security advisories, while legitimate cloud services such as GitHub Releases, Google Drive, Dropbox, and pCloud were used for C2 communication and payload delivery. APT38 (Sapphire Sleet) compromised the Mastra npm supply chain to inject the “easy-day-js” dependency into more than 140 npm packages, while Kimsuky used malicious LNK files, the Dropbox API, GitHub Releases, and Google Drive for Information Theft and command execution. The Lazarus Group distributed brand-jacking and typosquatting packages via npm, while TA-RedAnt (APT37) used NarwhalRAT (a malware for information gathering and remote control) to perform keylogging, screen capture, and microphone recording. UNK_DeadDrop exploited GitHub or GitLab repositories, as well as VS Code and Cursor, to commit credential theft and steal cryptocurrency wallets from developers’ systems.
China
Chinese threat actors have broadened their targets beyond government agencies, diplomatic organizations, and defense sectors to include medical research institutions and the energy industry. FishMonger used SprySOCKS, WINDRV, and WINPLUS to enhance stealth and persistence against government organizations, while Mustang Panda used SHARDLOADER, MINIRECON, and ZOHOMURK to exploit Zoho WorkDrive as a C2 and data exfiltration channel. UNC6508 compromised REDCap servers to engage in credential theft using INFINITERED and covertly exfiltrate emails, while activities by APT10, ToddyCat, and the Velvet Ant family showed a pronounced tendency to exploit the cloud, OAuth tokens, and legitimate services.
Russia
Russian-linked threat groups continued their long-term espionage activity focused on Ukraine and enhanced their stealth capabilities. APT28 evolved PixyNetLoader, utilizing COM persistence, PNG steganography, and FILEN-based cloud C2, and expanded its tactics to include X-Agent, X-Tunnel, and LameHug (malware that generates commands using an LLM and collects documents for Information Theft). Gamaredon used GammaPhish, GammaWorm, GammaLoad, and GammaSteel to establish persistence, achieve physical propagation, and steal documents, actively exploiting legitimate Services, cloud storage, and tunneling infrastructure. Turla deployed STOCKSTAY (a .NET-based multi-component backdoor) to conduct long-term surveillance of Ukrainian and European diplomatic organizations. GREYVIBE utilized generative AI and large language models (LLMs) throughout its operations to target Ukraine-related organizations, while SiribClone targeted Russian military personnel using Telegram phishing and Android spyware.
Iran
MuddyWater leveraged CastleRAT MaaS and ChainShell from the TAG-150 criminal ecosystem to target defense, energy, government, and telecommunications organizations in Israel, the Middle East, the US, and Europe. Nimbus Manticore lured victims using fake LinkedIn recruiters and by impersonating the Ebix job portal, then deployed data exfiltration and remote control capabilities via a .NET AppDomain hijacking-based sideloading chain. It was confirmed that Iran-linked activities tend to leverage external criminal ecosystems, such as Russia MaaS, and enhance their stealth by exploiting DLL sideloading and Azure-based infrastructure.
India
Bitter (APT-C-08) stole account credentials via phishing sites and download pages that were disguised as the 163 email service, and used Requirement_Letter.Vbs to establish persistence, perform Information Theft, and execute remote commands. CNC (APT-C-48) carried out file exfiltration and CMD command execution through phishing attachments disguised as personal resumes and Search1ndexer.Exe. Khmer Shadow targeted Cambodian government agencies using SFX archives, DLL sideloading, NIGHTFORGE, and Havoc Demon. OceanLotus targeted Vietnamese stock investors and infrastructure and transportation construction companies by exploiting the FireAnt MetaKit supply chain breach and utilizing SPECTRALVIPER.
Conclusion
In June 2026, information on a total of 20 APT groups was disclosed. The primary attack targets were regions with high geopolitical tensions—such as Ukraine, India, Pakistan, China, and South Korea—as well as high-value sectors including developers, government, defense, healthcare, and energy. Threat actors refined their tactics to engage in account and credential theft and maintain long-term persistence by exploiting legitimate services, the cloud, supply chains, phishing lures, development platforms, and document files.