Introducing the 2026 Cloudflare Threat Report
2026-03-03 • Cloudflare
Cloudflare's 2026 threat report describes a shift toward high-trust exploitation: adversaries favor stolen tokens, legitimate cloud services, SaaS integrations, and automation over bespoke exploits. The DPRK-relevant sections highlight North Korea's remote IT worker scheme, which uses deepfakes and fraudulent identities to place operatives on Western payrolls for espionage and illicit revenue. Cloudforce One also lists PatheticSlug as a North Korea-based actor abusing reputable cloud ecosystems, including Google Drive and Dropbox to host XenoRAT payloads, and GitHub for covert C2. These examples matter because they show DPRK-linked operations blending into normal enterprise cloud traffic and identity workflows, which reduces the value of defenses that focus only on obviously malicious infrastructure: a connection to a shared hosting platform looks like ordinary business use, so detection has to key on behaviour (which client fetched what, from which host, with what user agent) rather than on destination reputation alone.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | azurewebsites.net | 2024-01-17 | 2026-03-03 |
Note that azurewebsites.net is the Microsoft-owned parent domain for Azure App Service, so the entry as listed identifies a shared hosting platform rather than a specific attacker host. Treat it as context for pivoting and enrichment, not as a block-list or alert entry on its own; blocking or alerting with confidence needs the specific subdomain, which this page does not provide.