Assessed Cyber Structure and Alignments of North Korea in 2023

2023-10-10 Mandiant

https://www.mandiant.com/resources/blog/north-korea-cyber-structure-alignment-2023

Mandiant assesses that North Korea's cyber program has shifted toward a more flexible structure in which DPRK-aligned groups share tooling, targeting, and personnel across espionage and financial operations. The report links this change to post-2020 pressures, including operators cut off during COVID-19 border restrictions and signs of self-funding through Andariel ransomware activity, such as MAUI and HolyGh0st, and through APT43 cryptocurrency theft. It also describes task-force-like campaigns that combined APT43, TEMP.Hermit, and possibly Andariel activity around COVID-19 targeting. Mandiant warns that overlapping indicators now make DPRK attribution harder while allowing operators to move between blockchain, fintech, conventional weapons, nuclear, and intelligence collection priorities.

Indicators of Compromise

Type Value First Seen Last Seen
HASH bcac28919fa33704a01d7a9e5e3ddf3f 2023-02-15 2024-07-25
HASH 1ecd83ee7e4cfc8fed7ceb998e75b996 2017-11-14 2023-10-13
HASH 21cffaa7f9bf224ce75e264bfb16dd0d 2023-10-10 2023-10-10
