ESET APT Activity Report Q4 2025–Q1 2026
2026-05-28 • ESET
ESET observed multiple North Korea-aligned groups targeting developers, cryptocurrency interests, strategic industries, and ethnic Korean communities between October 2025 and March 2026. Andariel deployed TigerRAT and attempted to run Rook ransomware against a South Korean engineering company whose equipment is used in liquid hydrogen and nuclear-sector contexts; the pattern suggests technology theft as the primary goal, with the ransomware serving as a possible distraction or monetization attempt. Lazarus-linked Operation DangerousPassword compromised the axios npm package: a social engineering operation involving a fake company and fake Slack and Teams updates stole a maintainer's npm token, which was then used to publish trojanized axios versions carrying a malicious plain-crypto-js dependency. Operation DreamJob shifted toward weaponized MFC applications and newer BlindingCan variants aimed at South Korean newspaper and pharmaceutical targets, while ScarCruft compromised the sqgame platform to deliver Android BirdCall, RokRAT, and Windows BirdCall for espionage against users in Yanbian. The activity matters because it combines supply-chain compromise, developer social engineering, ransomware, RAT deployment, and strategic collection across sectors directly relevant to North Korean state objectives.
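The axios compromise described above is the kind of event a defender catches by auditing lockfiles rather than trusting a package name: a trojanized release pulled in a dependency (plain-crypto-js) that the legitimate package never needed. The following script is an added example written for this summary, not ESET's or the axios project's code. It walks an npm `package-lock.json` (lockfileVersion 2/3 `packages` map, with a fallback for the older v1 `dependencies`/`requires` layout) and reports every package that is, or depends on, a name on a watchlist. The sample lockfile, its package versions, and the `some-benign-dep` name are constructed for illustration; they are not the actually affected axios versions, which this page does not list.

```python
import json
from typing import Dict, Iterator, List, Tuple

# Names a defender wants flagged wherever they appear in a lockfile.
# "plain-crypto-js" is the malicious dependency named in the ESET summary.
WATCHLIST = {"plain-crypto-js"}

# Constructed sample lockfile (lockfileVersion 3). Versions and the
# "some-benign-dep" package are placeholders, not real affected releases.
SAMPLE_LOCK_V3 = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0",
             "dependencies": {"axios": "^0.0.0"}},
        "node_modules/axios": {
            "version": "0.0.0-constructed",
            "dependencies": {"plain-crypto-js": "^0.0.0",
                             "some-benign-dep": "^1.0.0"}},
        "node_modules/plain-crypto-js": {"version": "0.0.0-constructed"},
        "node_modules/some-benign-dep": {"version": "1.0.0"},
    },
})

# The same constructed dependency graph in the older lockfileVersion 1 layout.
SAMPLE_LOCK_V1 = json.dumps({
    "name": "example-app",
    "lockfileVersion": 1,
    "dependencies": {
        "axios": {
            "version": "0.0.0-constructed",
            "requires": {"plain-crypto-js": "^0.0.0"},
            "dependencies": {
                "plain-crypto-js": {"version": "0.0.0-constructed"},
            },
        },
    },
})


def _iter_packages(lock: dict) -> Iterator[Tuple[str, str, Dict[str, str]]]:
    """Yield (name, version, direct_dependencies) for every package in the lockfile.

    lockfileVersion 2/3 store a flat "packages" map keyed by install path;
    lockfileVersion 1 stores a nested "dependencies" tree with "requires" edges.
    """
    packages = lock.get("packages")
    if isinstance(packages, dict):
        for path, meta in packages.items():
            # "" is the root project; installed packages live under node_modules/.
            # rsplit keeps scoped names (@scope/pkg) and nested installs intact.
            name = meta.get("name") or (
                path.rsplit("node_modules/", 1)[-1] if path else "(root)")
            yield name, meta.get("version", ""), meta.get("dependencies") or {}
        return

    def walk(deps: dict) -> Iterator[Tuple[str, str, Dict[str, str]]]:
        for name, meta in deps.items():
            yield name, meta.get("version", ""), meta.get("requires") or {}
            yield from walk(meta.get("dependencies") or {})

    yield from walk(lock.get("dependencies") or {})


def find_watchlisted(lock_text: str, watchlist=WATCHLIST) -> List[Tuple[str, str, str]]:
    """Return (package, version, flagged_name) tuples.

    One tuple is emitted for each package whose direct dependencies include a
    watchlisted name, and one for each watchlisted package that is itself
    installed, so a reviewer sees both the culprit and who pulled it in.
    """
    lock = json.loads(lock_text)
    hits: List[Tuple[str, str, str]] = []
    for name, version, deps in _iter_packages(lock):
        if name in watchlist:
            hits.append((name, version, name))
        for dep in deps:
            if dep in watchlist:
                hits.append((name, version, dep))
    return hits


if __name__ == "__main__":
    for label, text in (("v3", SAMPLE_LOCK_V3), ("v1", SAMPLE_LOCK_V1)):
        for pkg, ver, flagged in find_watchlisted(text):
            print(f"[{label}] {pkg}@{ver} -> {flagged}")
```

Point `find_watchlisted` at the contents of a real lockfile to audit a project; a hit against a package that has no legitimate reason to need the flagged name is the signal to pin a known-good version and check what the dependency actually does.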
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| Email | [email protected] | 2026-03-30 | 2026-04-17 |