APT QUARTERLY REPORT : APR TO JUN 2026

Published On : 2026-06-25

Executive Summary

During Q2 2026, state-sponsored Advanced Persistent Threat (APT) groups from Iran, Russia, China, and North Korea continued to demonstrate sophisticated cyber capabilities through espionage, credential theft, infrastructure pre-positioning, supply-chain compromise, and destructive cyber operations. These threat actors increasingly leveraged living-off-the-land techniques, cloud service abuse, zero-day vulnerabilities, and AI-assisted social engineering to evade detection and maintain persistence.

Chinese threat groups intensified espionage campaigns targeting telecommunications providers, government entities, critical infrastructure, and technology organizations across the Indo-Pacific region. Russian APTs continued targeting NATO-aligned countries, defense organizations, and government agencies while expanding cyber influence operations and exploiting edge-network vulnerabilities. Iranian actors focused heavily on Middle Eastern adversaries, critical infrastructure, telecommunications, and government sectors through phishing, credential harvesting, and destructive malware campaigns. North Korean operators maintained financially motivated attacks against cryptocurrency firms while simultaneously conducting strategic espionage operations targeting defense, aerospace, and software development organizations.

The quarter demonstrated a growing convergence between cyber espionage, supply-chain attacks, cloud exploitation, and operational technology (OT) targeting, underscoring the increasing risk posed by nation-state cyber actors.

Iranian APT Threat Actor Activities

Techniques Observed

  • Spear-phishing campaigns
  • Credential harvesting
  • Social engineering and impersonation
  • Living-off-the-Land (LotL) techniques
  • PowerShell-based malware deployment
  • Exploitation of internet-facing applications
  • Abuse of legitimate cloud services
  • Web shell deployment
  • VPN credential abuse
  • Industrial Control System (ICS) targeting
  • Supply-chain and third-party compromise attempts
  • Multi-stage malware delivery chains

Targeted Technology

  • Microsoft 365
  • Microsoft Exchange
  • Windows
  • PowerShell
  • Azure Cloud Services
  • Microsoft OneDrive
  • Microsoft Graph API
  • Remote Monitoring and Management (RMM) Tools
  • VPN Gateways
  • Web Servers
  • Industrial Control Systems (ICS)
  • SCADA Environments
  • PLC Devices
  • Cloud Collaboration Platforms

Targeted Countries

  • Israel
  • United States
  • Saudi Arabia
  • United Arab Emirates
  • Jordan
  • Egypt
  • Iraq
  • Turkey
  • Germany
  • United Kingdom

Targeted Industries

  • Government
  • Defense
  • Telecommunications
  • Energy
  • Oil & Gas
  • Critical Infrastructure
  • Financial Services
  • Healthcare
  • Technology
  • Manufacturing
  • Transportation
  • Academia
  • Media
  • Water & Wastewater
  • Consulting

MUDDYWATER

During Q2 2026, MuddyWater continued to demonstrate its operational maturity through espionage-focused campaigns targeting government, telecommunications, defense, energy, and critical infrastructure sectors across the Middle East, Europe, and Africa. The group leveraged spear-phishing campaigns containing malicious archives and document lures to deploy PowerShell-based payloads and remote administration tools. Researchers observed increased use of legitimate remote management software, PowerShell scripts, and cloud-hosted command-and-control (C2) infrastructure to blend malicious activities with normal network traffic.

The threat actor continued to employ living-off-the-land techniques, abusing native Windows utilities for reconnaissance, credential harvesting, and lateral movement. Several campaigns indicated the group’s ongoing focus on intelligence collection and long-term persistence rather than disruptive operations. MuddyWater’s evolving infrastructure and reliance on legitimate tools make detection increasingly difficult, particularly for organizations operating in sectors aligned with Iranian strategic interests.

OILRIG

Throughout Q2 2026, OilRig remained highly active, conducting cyber-espionage operations against government agencies, financial institutions, manufacturing organizations, and technology companies. The group deployed updated variants of custom backdoors and downloaders while continuing to abuse trusted cloud services for command-and-control communications and data exfiltration.

OilRig operators were observed exploiting internet-facing applications and compromised credentials to gain initial access. Following the compromise, the group utilized PowerShell-based frameworks, credential theft tools, and custom malware families designed to establish persistence and collect sensitive information. Their campaigns highlighted a continued emphasis on stealth, leveraging legitimate web services and encrypted channels to evade traditional security monitoring.

The group’s activity suggests a sustained intelligence-gathering mission supporting Iranian geopolitical objectives, particularly against regional adversaries and organizations possessing strategic information.

APT42

APT42 significantly expanded its social-engineering operations during Q2 2026, targeting policy experts, journalists, researchers, non-governmental organizations, and government officials. The group relied heavily on credential-harvesting campaigns, impersonation tactics, and fake login portals designed to steal account credentials and bypass multi-factor authentication protections.

Researchers identified sophisticated phishing infrastructure mimicking popular cloud services and collaboration platforms. The actor demonstrated extensive reconnaissance prior to engagement, tailoring phishing lures to individual targets using publicly available information. Once access was obtained, APT42 focused on email collection, contact harvesting, and intelligence gathering from cloud-based accounts.

The group’s persistent targeting of individuals associated with foreign policy, regional security, and geopolitical affairs underscores its role as a key intelligence collection asset supporting Iranian strategic objectives.

CYBERAV3NGERS

During Q2 2026, CyberAv3ngers maintained its focus on operational technology (OT) and industrial control system (ICS) environments, targeting organizations operating critical infrastructure. The group continued to exploit internet-exposed industrial devices, programmable logic controllers (PLCs), and supervisory control and data acquisition (SCADA) systems.

Activity observed during the quarter demonstrated an emphasis on disrupting or manipulating industrial processes rather than traditional data theft.

CyberAv3ngers leveraged publicly exposed industrial assets and weak authentication mechanisms to gain access to operational networks. Their campaigns reinforced concerns regarding the security of critical infrastructure sectors, particularly water, energy, and manufacturing environments.

The group’s operations highlight Iran’s growing capability and intent to target operational technology systems, increasing the risk to organizations responsible for essential services and national infrastructure.

Russian APT Threat Actor Activities

Techniques Observed

  • Spear-phishing campaigns
  • Credential harvesting
  • Ransomware deployment
  • Financial malware distribution
  • Persistent backdoor implantation
  • Remote Access Trojan (RAT) deployment
  • VPN and router exploitation
  • Web application exploitation
  • Destructive wiper malware deployment
  • Post-compromise lateral movement
  • Data exfiltration
  • Living-off-the-Land (LotL) techniques
  • Cloud service abuse
  • Long-term persistence operations

Targeted Technology

  • Microsoft Windows
  • Web Applications
  • VPN Solutions
  • Routers and Network Infrastructure
  • Remote Desktop Protocol (RDP)
  • Database Management Systems
  • Application Infrastructure Software
  • Internet Security Platforms
  • Cloud Services
  • Enterprise Operating Systems
  • Email Services
  • Network Security Solutions

Targeted Countries

  • United States
  • United Kingdom
  • Ukraine
  • Japan
  • South Korea
  • India
  • Singapore
  • Malaysia
  • Indonesia
  • Taiwan
  • Thailand
  • Vietnam
  • France
  • Germany
  • Hungary
  • Saudi Arabia
  • Australia
  • Canada

Targeted Industries

  • Government
  • Aerospace & Defense
  • Financial Services
  • Banking
  • Telecommunications
  • Transportation & Logistics
  • Technology
  • Healthcare
  • Manufacturing
  • Industrial Conglomerates
  • Retail & E-Commerce
  • Media & Communications
  • Energy
  • Critical Infrastructure

FIN7

FIN7 significantly increased its operational activity during Q2 2026, conducting multiple campaigns targeting financial institutions, government entities, logistics providers, technology companies, and industrial organizations across Asia, Europe, and North America.

Researchers observed the group deploying ransomware, financial malware, destructive wiper capabilities, and VPN-focused intrusion techniques. Several campaigns leveraged exploitation of internet-facing infrastructure, remote access services, and enterprise systems to establish persistence and facilitate follow-on operations.

The threat actor continued utilizing malware families associated with both financially motivated and disruptive operations, including Black Basta ransomware, Dridex, Cyclops Blink, Sodinokibi, and custom wiper malware. These toolsets enabled credential theft, lateral movement, data theft, and operational disruption across targeted networks.

FIN7 demonstrated a broader geographic reach compared to previous quarters, expanding activity across transportation, government, aerospace, retail, and financial sectors. The group’s operational behavior highlights its continued evolution as a highly capable threat actor blending cybercrime operations with advanced intrusion capabilities.

FIN11

FIN11 remained highly active throughout Q2 2026, conducting campaigns against financial institutions, government agencies, industrial enterprises, and technology organizations. The actor demonstrated a continued focus on ransomware-enabled intrusions combined with intelligence-gathering activities designed to maximize operational impact.

Researchers observed the deployment of remote access trojans, destructive wiper malware, ransomware payloads, and VPN exploitation techniques. Several campaigns involved credential theft, network reconnaissance, and post-compromise lateral movement designed to maintain access and facilitate additional payload delivery.

FIN11 utilized malware families including Black Basta ransomware, Clop ransomware, FlawedAmmyy RAT, Ryuk ransomware, Cyclops Blink, Dewmode, and custom wiper malware. These tools enabled persistent access, system compromise, and large-scale disruption of targeted environments.

The actor’s targeting patterns indicate a strong interest in organizations operating within financial services, government, telecommunications, industrial manufacturing, and critical infrastructure sectors. FIN11 continues to demonstrate a combination of financial motivation and sophisticated intrusion capabilities that make it a significant threat to enterprise networks worldwide.

TA505

TA505 maintained a consistent operational tempo during Q2 2026, continuing to target organizations across North America, Europe, the Middle East, and Asia-Pacific. The group focused primarily on financial services, government organizations, telecommunications providers, and technology companies.

Researchers observed the deployment of ransomware and persistent backdoor implants designed to establish long-term access within victim networks. The actor targeted enterprise applications, database platforms, operating systems, and internet-facing web services to facilitate compromise and persistence.

TA505 continued leveraging malware families associated with ransomware delivery and post-compromise operations, including Clop ransomware and LODEINFO. The group’s campaigns demonstrated a preference for maintaining persistent access before conducting additional malicious activities.

The actor’s continued targeting of critical business sectors, combined with its history of malware distribution and financially motivated attacks, reinforces its position as one of the most persistent Russian cybercriminal groups operating globally.

COZY BEAR

Cozy Bear demonstrated renewed operational activity during Q2 2026, conducting sophisticated cyber espionage campaigns against government agencies, healthcare organizations, telecommunications providers, transportation entities, and strategic industrial organizations.

Researchers observed activity consistent with the group’s established tradecraft, including spear-phishing operations, credential theft campaigns, and stealth-focused intelligence collection efforts. The actor relied heavily on legitimate services, trusted authentication mechanisms, and carefully managed infrastructure to maintain long-term access while minimizing detection.

Unlike financially motivated threat actors, Cozy Bear prioritized intelligence collection and strategic espionage objectives. Several campaigns targeted organizations located in the United States, the United Kingdom, India, Japan, and Australia, reflecting a continued focus on geopolitical, economic, and technological intelligence gathering.

The group’s operational discipline, advanced persistence techniques, and emphasis on covert access remain consistent with long-standing Russian intelligence collection objectives. Analysts assess that Cozy Bear continues to represent one of the most sophisticated and strategically focused cyber espionage actors operating globally.

Chinese APT Threat Actor Activities

Techniques Observed

  • Spear-phishing campaigns
  • Vulnerability exploitation
  • Persistent backdoor deployment
  • Web shell deployment
  • Remote Access Trojan (RAT) deployment
  • Post-exploitation using Cobalt Strike
  • VPN and router exploitation
  • IoT botnet exploitation
  • Credential harvesting
  • Lateral movement
  • Loader and downloader staging
  • Cloud and web application targeting
  • Data exfiltration
  • Living-off-the-Land (LotL) techniques

Targeted Technology

  • Application Infrastructure Software
  • Application Security Software
  • Database Management Software
  • Operating Systems
  • Web Applications
  • Virtual Private Network (VPN) Solutions
  • Routers and Network Devices
  • Remote Desktop Services
  • Network Monitoring Tools
  • Cloud Infrastructure
  • Open-Source Database Platforms
  • Email Services
  • SQL Server Environments

Targeted Countries

  • United States
  • United Kingdom
  • Germany
  • France
  • India
  • Japan
  • Taiwan
  • South Korea
  • Singapore
  • Australia
  • Canada
  • Thailand
  • Malaysia
  • Philippines
  • United Arab Emirates
  • Saudi Arabia
  • Italy
  • Switzerland
  • Hong Kong

Targeted Industries

  • Government
  • Aerospace & Defense
  • Telecommunications
  • Financial Services
  • Technology
  • Manufacturing
  • Transportation & Logistics
  • Energy & Utilities
  • Healthcare
  • Research Organizations
  • Construction
  • Media
  • Semiconductors
  • Retail
  • Education
  • Critical Infrastructure

STONE PANDA

Stone Panda remained one of the most active Chinese cyber espionage groups during Q2 2026, increasing its operational tempo compared to the previous quarter. Researchers observed multiple campaigns targeting government agencies, financial institutions, telecommunications providers, and critical infrastructure organizations across North America, Europe, and the Asia-Pacific region.

During this period, the threat actor leveraged a combination of VPN and router exploitation, persistent backdoor implants, web shells, and remote access trojans to gain and maintain access within victim environments. Several campaigns involved the use of post-exploitation frameworks, including Cobalt Strike, alongside credential theft and lateral movement techniques designed to facilitate long-term espionage operations.

Stone Panda demonstrated continued interest in internet-facing infrastructure and enterprise technology platforms, targeting database management systems, web applications, email services, and network monitoring solutions. The actor also utilized malware families such as Winnti, LODEINFO, gh0st RAT, Volt, ASPXSpy, BLACKCOFFEE, and Zingdoor to support intelligence collection and persistence objectives.

The group’s broad victimology and sustained operational activity indicate a strategic focus on intelligence gathering, technology acquisition, and access development in support of long-term Chinese state interests.

MISSION2074

MISSION2074 remained highly active throughout Q2 2026, conducting sophisticated cyber espionage campaigns against government entities, telecommunications operators, transportation organizations, energy providers, and technology companies.

Researchers observed the actor deploying persistent backdoors, remote access trojans, downloader frameworks, and Cobalt Strike-based post-exploitation toolsets. The group also leveraged VPN and router exploitation techniques, remote desktop abuse, and IoT-focused intrusion methods to expand access across targeted networks.

MISSION2074 demonstrated an extensive geographic reach spanning Europe, North America, the Middle East, and Asia-Pacific. Several operations focused on organizations involved in critical infrastructure, logistics, healthcare technology, telecommunications, and industrial development sectors.

The actor utilized malware and tools including PlugX RAT, NukeSped RAT, Sidewalk, Chrysalis, LODEINFO, Winnti, Volt, Mirai, and Zingdoor. These toolsets enabled credential theft, reconnaissance, persistence, and data exfiltration while maintaining a low detection profile.

The group’s activity reflects a sustained effort to collect strategic intelligence and maintain access to organizations that support regional economic, technological, and geopolitical priorities.

MISSION2025

MISSION2025 emerged as a more active threat actor during Q2 2026 after exhibiting limited activity in previous reporting periods. Analysts observed multiple campaigns targeting organizations across North America, Europe, and Asia, with a particular focus on government entities, telecommunications providers, financial institutions, research organizations, and transportation sectors.

The actor primarily relied on persistent backdoor implants and remote access trojans to establish footholds within victim environments. Campaigns targeted web applications, application infrastructure software, open-source database technologies, and enterprise operating systems to obtain long-term access and support intelligence collection efforts.

Researchers identified the deployment of NukeSped RAT and Winnti-related malware during several operations, enabling remote control, surveillance, credential theft, and data collection capabilities. The actor demonstrated a preference for stealthy persistence mechanisms and selective targeting rather than high-volume intrusion activity.

MISSION2025’s increased activity during the quarter suggests growing operational maturity and a stronger focus on strategic intelligence collection against organizations involved in critical technologies, government operations, and communications infrastructure.

HAFNIUM

Hafnium continued conducting cyber espionage operations during Q2 2026, maintaining a consistent level of activity compared to previous quarters. The group remained focused on government agencies, technology organizations, telecommunications providers, transportation entities, and critical infrastructure operators.

Researchers observed the use of persistent backdoor implants, VPN and router exploitation, downloader frameworks, and Cobalt Strike-based post-exploitation activities. Hafnium continued leveraging stealthy intrusion techniques designed to establish long-term access while minimizing operational visibility.

The actor targeted database management systems, network monitoring platforms, operating systems, web applications, and VPN technologies across multiple regions, including Europe, North America, Asia-Pacific, and the Middle East. Operations frequently focused on organizations possessing sensitive governmental, technological, and strategic information.

Malware observed during these campaigns included Chrysalis, Winnti, Volt, Mirai, Zingdoor, and Cobalt Strike. These tools supported reconnaissance, credential access, lateral movement, persistence, and intelligence collection activities.

The group’s continued targeting patterns and operational behavior indicate an enduring focus on strategic intelligence gathering aligned with broader Chinese cyber espionage objectives and long-term access development against high-value targets.

North Korean APT Threat Actor Activities

Techniques Observed

  • Spear-phishing campaigns
  • Social engineering
  • Credential theft
  • Supply-chain compromise
  • Vulnerability exploitation
  • Cloud service abuse
  • Living-off-the-Land (LotL) techniques
  • Remote Access Trojan (RAT) deployment
  • Cryptocurrency theft operations
  • Multi-stage malware infection chains
  • Identity and access abuse
  • Data exfiltration

Targeted Technology

  • Microsoft Windows
  • Linux Servers
  • Cloud Infrastructure (AWS, Azure, GCP)
  • Cryptocurrency Platforms
  • GitHub Repositories
  • Enterprise Identity Services
  • Virtual Private Networks (VPNs)
  • CI/CD Development Environments
  • Cloud Storage Services
  • Software Development Platforms

Targeted Countries

  • United States
  • South Korea
  • Japan
  • Taiwan
  • India
  • Germany
  • Singapore

Targeted Industries

  • Cryptocurrency & Blockchain
  • Financial Services
  • Defense
  • Government
  • Manufacturing
  • Technology
  • Critical Infrastructure

LAZARUS GROUP

During Q2 2026, the Lazarus Group continued to demonstrate its position as North Korea’s most sophisticated cyber threat actor through a series of financially motivated and espionage-focused campaigns targeting cryptocurrency exchanges, software vendors, defense contractors, and technology companies worldwide. The group relied heavily on social engineering techniques, supply-chain compromises, and exploitation of internet-facing services to establish initial access and maintain long-term persistence within victim environments.

Researchers observed Lazarus operators conducting highly targeted campaigns against cryptocurrency exchanges and decentralized finance (DeFi) platforms. Attackers impersonated venture capital firms, blockchain developers, and recruitment personnel to distribute weaponized project proposals and employment-themed lures. Once victims were compromised, the attackers deployed credential stealers and custom malware designed to collect wallet credentials, API keys, and sensitive financial information.

In parallel, Lazarus expanded its software supply-chain operations by compromising development environments and introducing malicious code into software build processes. These activities enabled the distribution of trojanized software packages to downstream organizations. The group also increased its focus on cloud-hosted infrastructure, targeting identity services and source code repositories through stolen credentials and authentication tokens. The campaign highlights Lazarus’ continued evolution in leveraging advanced intrusion techniques to support both intelligence collection and revenue generation objectives.

KIMSUKY

Kimsuky remained one of North Korea’s most active cyber espionage groups throughout Q2 2026, focusing primarily on government agencies, policy institutes, academic organizations, and defense-related research entities. The group’s operations were characterized by persistent intelligence collection efforts designed to gather strategic intelligence relating to regional security, diplomatic activities, and geopolitical developments.

The threat actor conducted extensive credential-harvesting campaigns using phishing emails disguised as diplomatic correspondence, research invitations, and policy discussion requests. Victims were redirected to convincing spoofed login portals specifically designed to capture authentication credentials from government officials, researchers, and academic personnel.

Researchers also identified updated malware families deployed by Kimsuky that were capable of harvesting browser credentials, session cookies, stored documents, and email communications. The stolen information was subsequently exfiltrated through encrypted command-and-control channels. The group’s continued use of trusted cloud services and legitimate online platforms enabled it to blend malicious activity with normal network traffic, increasing the effectiveness of its espionage operations and complicating detection efforts.

ANDARIEL

Andariel significantly increased its operational activity during Q2 2026, targeting organizations operating within the defense, healthcare, manufacturing, and critical infrastructure sectors. The group continued to blur the distinction between traditional cyber espionage and financially motivated cybercrime operations by combining intelligence collection activities with ransomware-enabled intrusions.

Several observed incidents involved attackers exploiting vulnerable internet-facing systems to gain initial access before deploying custom malware, credential theft tools, and ransomware payloads. Researchers noted substantial overlap between Andariel’s espionage toolsets and those used during financially motivated attacks, suggesting a coordinated operational approach.

The group also conducted extensive reconnaissance activities against energy, transportation, and industrial environments. Network mapping, credential harvesting, and lateral movement activities indicated a long-term intelligence collection objective. New variants of remote access trojans and custom loaders were deployed to maintain persistence and facilitate data exfiltration. The use of PowerShell-based tooling and legitimate administration utilities further demonstrated Andariel’s ability to evade security controls while maintaining access to compromised networks.

SAPPHIRE SLEET

Sapphire Sleet, also known as BlueNoroff, remained heavily focused on financially motivated cyber operations throughout Q2 2026, primarily targeting cryptocurrency organizations, financial institutions, venture capital firms, and blockchain developers. The group’s operations reflected an ongoing effort to generate revenue through cryptocurrency theft and financial fraud.

Researchers observed Sapphire Sleet conducting sophisticated recruitment-themed social engineering campaigns in which attackers impersonated recruiters from prominent technology and cryptocurrency firms. Victims were invited to participate in coding assessments, employment interviews, or investment discussions that ultimately delivered malicious software designed to compromise systems and steal sensitive information.

In addition, the group distributed fraudulent cryptocurrency trading and investment applications containing information-stealing malware. These applications were designed to collect wallet credentials, authentication tokens, and financial account information from targeted users. Sapphire Sleet also conducted intrusions against banking institutions and fintech providers, seeking access to payment systems and transaction-related data. The actor demonstrated advanced operational security and persistence mechanisms, allowing prolonged access to victim environments while conducting financial theft operations.

CONCLUSION

During Q2 2026, threat actors from Iran, Russia, China, and North Korea continued to conduct sophisticated and diverse cyber operations, demonstrating significant advancements in their tactics, techniques, and procedures (TTPs) while expanding their operational reach across government, defense, telecommunications, financial services, technology, critical infrastructure, and manufacturing sectors.

Iranian actors, including MuddyWater, OilRig, APT42, and CyberAv3ngers, focused heavily on cyber espionage, credential harvesting, cloud-service abuse, and operational technology (OT) targeting, highlighting Iran’s growing capability to support strategic intelligence collection and critical infrastructure operations.

Russian threat actors such as FIN7, FIN11, TA505, and Cozy Bear combined ransomware deployment, destructive malware, financial cybercrime, and long-term espionage activities, demonstrating the continued convergence of financially motivated operations and state-aligned intelligence objectives.

Chinese groups, including Stone Panda, MISSION2074, MISSION2025, and Hafnium, maintained persistent campaigns against government agencies, telecommunications providers, technology companies, and critical infrastructure operators, leveraging advanced malware, VPN and router exploitation, credential theft, and stealth-focused persistence mechanisms to facilitate strategic intelligence gathering.

Meanwhile, North Korean actors such as Lazarus Group, Kimsuky, Andariel, and Sapphire Sleet continued to blend cyber espionage with financially motivated operations, targeting cryptocurrency platforms, software supply chains, defense organizations, and research institutions through sophisticated social engineering, credential theft, supply-chain compromises, and cloud-focused intrusions.

Collectively, these nation-state actors demonstrated an increasingly integrated approach to cyber espionage, financial theft, supply-chain compromise, cloud exploitation, and critical infrastructure targeting, reinforcing the need for organizations to maintain robust cybersecurity defenses, proactive threat intelligence capabilities, and continuous monitoring against the evolving global APT threat landscape.