May 2026 Threat Trend Report on APT Groups

2026-06-16 AhnLab

https://asec.ahnlab.com/en/94145/

North Korean APT activity in May 2026 emphasized developer and software-supply-chain abuse: Lazarus weaponized Git Hooks and Jenkins CI/CD workflows to spread InvisibleFerret, BeaverTail, and FCCCall, raising risks to developer credentials and cryptocurrency wallets. Famous Chollima tampered with npm and Packagist development branches and used Cloudflare Workers and blockchain RPC as delivery or dead-drop infrastructure. Kimsuky relied on LNK phishing, code-hosting and cloud services, VSCode tunneling, and Microsoft CDNs to distribute multi-stage loaders, AsyncRAT variants, PebbleDash-derived tools, MoonPeak, and HttpSpy against South Korea, Afghanistan, education, defense, diplomacy, and cryptocurrency targets. TA-RedAnt compromised a Yanbian gaming platform and the Windows update chain to deliver BirdCall, RokRAT, and a trojanized mono.dll while also using spear phishing and disguised backdoors against defense, police, and North Korea-related sectors.