Nation-state hacking teams are increasingly hiding their operations inside the same AI assistants, developer platforms and cloud apps that everyone else uses, according to the June 2026 APT trend report from AhnLab's Security Emergency response Center (ASEC). Across 20 tracked groups, the researchers describe a clear shift away from planting traditional malware and toward stealing accounts and tokens, abusing trusted services, and quietly poisoning software supply chains.
North Korea targets developers
North Korea linked crews leaned hard on platforms built for programmers. ASEC reports that groups tied to Pyongyang used GitHub, Google Docs, npm and VS Code to lure developers, cryptocurrency staff and security researchers with fake job offers, code review requests and phony breach notifications. One group compromised the Mastra npm supply chain to slip a malicious dependency into more than 140 packages, while Kimsuky abused the Dropbox API and GitHub Releases for command and control. The Lazarus Group pushed typosquatted npm packages, and APT37 deployed a custom remote access tool for keylogging, screen capture and microphone recording.
China widens its aim, Russia sharpens stealth
Chinese actors broadened targeting beyond government and defense to medical research and energy. Mustang Panda turned Zoho WorkDrive into a covert exfiltration channel, while other clusters increasingly abused cloud services and OAuth tokens rather than dropping obvious implants. Russian groups kept their long war on Ukraine going with stealthier tooling: APT28 hid stolen data inside PNG images and used cloud storage for control, and Gamaredon continued spreading its Gamma family of tools through legitimate services and USB propagation. Notably, at least two Russia aligned operations wired large language models directly into their attack chains to generate commands on the fly.
Iran and India round out the picture
MuddyWater rented malware as a service from a Russian speaking criminal ecosystem to hit defense, energy and telecom targets across Israel, the Middle East, the US and Europe, and another Iranian crew used fake LinkedIn recruiters to deliver its payloads. India linked groups including Bitter and Khmer Shadow relied on phishing pages and DLL sideloading against government and email service users. The through line, ASEC notes, is that the highest tempo activity clustered around regions of high geopolitical tension, including Ukraine, India, Pakistan, China and South Korea.
What defenders should take away
The report reinforces a trend IntelFusions has tracked in individual campaigns, from APT-C-60 hiding inside GitHub and GitLab to AI-built malware loaders: state crews now prefer to blend into legitimate SaaS traffic and steal identities rather than fight endpoint defenses head on. Defenders should watch OAuth token grants and third party app connections as closely as they watch malware, scrutinize dependencies pulled from npm and other registries, and treat unexpected use of developer platforms as a possible intrusion rather than benign noise.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.