Key Takeaways
1. Introduction
TrendAI’s 2025 APT Annual Report offers a strategic overview of advanced persistent threat (APT) campaigns in 2025 and the first quarter of 2026, providing valuable insights for decision makers and senior defenders. It examines a pivotal year in which cyberwarfare transcended traditional espionage to become a core pillar of national survival and regional dominance. A defining characteristic of 2025 was what major think tanks sometimes describe as the “Digital Autocracy” bloc: an informal axis of upheaval between China, Russia, North Korea (DPRK) and Iran.[1]
This report describes the 2025 campaigns and activities of APT actors aligned with Russia, China, and North Korea and how they try to leverage artificial intelligence (AI)[2] in an effort to neutralise Western sanctions and project power at “machine speed.”
1.1. 2025 Annual Highlights
1.2. Strategic Outlook (2026-2027)
There are significant differences in the AI technology investments and development plans between the US and other countries. [5] While China can compete with and even potentially exceed the advancements and innovations resulting from AI investments in the West, both North Korea and Russia face challenges in keeping pace. This technological gap means that DPRK- and Russia-aligned APT actors will likely rely on niche attack methodologies and third-party AI platforms for their campaigns. Meanwhile, we can expect advanced attacks in the near future from China-aligned threat actors who will prove to be adept at using domestic AI tools and platforms.
The next 24 months will be a race for “resilience at machine speed.” As APT actors move towards fully autonomous kill chains, the window for human intervention is closing. Successful defensive measures will depend on the deployment of “defensive AI” that can anticipate and neutralise agentic threats before they can perform lateral movement. In essence, no nation can afford to let its rivals get too far ahead in AI technologies.
2. Geopolitical Threat Landscape
In 2026, the global landscape is being dominated by a “Digital Autocracy” axis. China, Russia, Iran and North Korea have formed an informal strategic bloc aimed at achieving “digital sovereignty” using AI as a force multiplier to bypass Western sanctions and modernise their military and cyber capabilities.
For the rest of this report, our focus will be on China, Russia, and North Korea.
| Feature | China (CN) | North Korea (DPRK) | Russia (RU) |
| --- | --- | --- | --- |
| Primary Goal | Global hegemony; self-reliance | Regime survival/sabotage | National sovereignty |
| AI Infrastructure | Sovereign Stack (Huawei/SMIC) | Illicit/Russia-aided | Grey market/nuclear-backed |
| APT Style | Industrialised espionage | Financial and military asymmetry | Financial and military asymmetry: Strategic sabotage |

Table 1. AI strategies of China, Russia and North Korea
2.1. People's Republic of China
2.1.1. Political Trends
2.1.2. APT Activities Overview
In 2025, China-aligned APT groups expanded and further advanced their global cyberattacks. Several China-aligned groups deployed advanced malware and new methods to continue their cyberespionage activities.
A new trend that has emerged in these groups’ activities is an advanced collaboration model we call “Premier Pass-as-a-Service.”[11] In this model, one threat group infiltrates deep within a target organisation and then provides or shares the maintained access as a “priority pass” service to another group. Similar to a priority pass at a theme park, this mechanism allows the second group to skip the initial intrusion process and gain direct backdoor access to sensitive assets. There have been incidents where Earth Preta and Earth Naga were active within the same session, corroborating the reality of this model. This collaboration, which we have classified into a four-tier framework from A to D, is a complicating element that not only enables prolonged underground activity but also makes intrusion detection and attribution significantly more difficult for organisations.
However, since this organisation provides services to numerous Taiwanese manufacturers, the intent to target the supply chain of high-tech manufacturing companies was clear. Attackers used several sophisticated evasion techniques and a long-term infiltration strategy, persistently targeting the electronics industry supply chain in Taiwan. Additionally, arrests related to the theft of vaccine data from US companies[12] and the exposure of over 4 billion leaked personal data records within the country occurred in succession. [13]
2.1.3. Impact
The impact of China-aligned APT activities is multifaceted. Intellectual property and confidential information stolen through cyberespionage can contribute to the strengthening of defence capabilities and high-tech industries.
For instance, espionage against government and research institutions in Taiwan and Japan targets information that directly affects regional security and foreign policy (such as diplomatic negotiation strategies and advanced technology trends), posing a serious threat to the targeted nations. Furthermore, as evidenced by the attack targeting a Taiwanese supply chain server, these groups seek to enter major corporate networks through indirect routes, spreading the risk across broad industries. Even for companies outside traditional high-risk sectors, there is a risk that their business partners or service providers could be used as a stepping stone, necessitating increased vigilance across the entire supply chain.
It is also noteworthy that cyberattacks are occurring in connection with domestic situations. The 2025 arrests regarding vaccine data theft confirmed that espionage activities continue to target medical and academic institutions. Furthermore, Western nations have strengthened moves to exclude communications equipment from certain providers due to security concerns, with the US and Europe implementing phase-out policies in 2025. [14] These measures reflect a growing international distrust of these cyber activities and exert both diplomatic and economic pressure on the government.
The "Premier Pass-as-a-Service" trend is particularly troublesome for defenders. By sharing access rights behind the scenes, it becomes difficult to track attacks based on the traces of a single group, potentially delaying the blocking of intrusion routes and the identification of the scope of damage. Consequently, early discovery and containment have become more difficult, increasing the risk of long-term exploitation of confidential information. In fact, the apparent inactivity of some China-aligned APTs in recent years may be due to their shift toward this collaborative model.
As described, the China-aligned APT threat is backed by advanced technical capabilities and national strategy, making it a risk that cannot be ignored by government agencies or general corporations. Because the targeted domains range from diplomatic and security information to advanced technology, economic data, and personal records, senior management, including CISOs, must understand the latest intelligence tactics and continuously review their own defence postures. Cross-domain defence (supply chain risk management, detection of unusual remote management tools, etc.) and the strengthening of information-sharing systems with government agencies are required.
2.2. Democratic People's Republic of Korea (DPRK)
2.2.1. Political Trends
2.2.2. APT Activities Overview
The activities of DPRK-aligned cyber units remained aggressive and diverse in 2025. To potentially support the state's fiscal and military objectives, these groups continued the theft of funds from financial institutions and cryptocurrency businesses, the collection of confidential information, and offensive cyber operations against various countries. Notably, DPRK-aligned APT groups employ sophisticated methods to target developer communities and software supply chains, characterised by a wide range of attacks beyond the traditional government and defence sectors.
2.2.3. Impact
DPRK-aligned APT activities are positioned as an essential “side business,” potentially for maintaining the regime and achieving strategic goals, with impacts spreading across both international security and cyberspace. With regards to financial impact, North Korea obtains vast funds through cyberattacks even under sanctions. In fact, the amount of stolen cryptocurrency accumulates year by year, with UN reports suggesting that a significant portion of the funds for nuclear and missile development could be covered by cybercrime proceeds.[23] A massive theft of assets from a South Korean cryptocurrency exchange in 2025 highlights how these financially motivated cyberattacks represent a major management risk for the financial sector. Across the broader enterprise landscape, the targeting of software development and IT service providers has expanded to organisations beyond just the crypto and fintech fields. Attacks originating from trusted products and services, such as malware in NPM packages, or advanced social engineering using fake job openings, risk spreading cascading damage.
In terms of information security, state secrets are threatened by these cyberespionage activities. Military secrets, sensitive diplomatic information, and the personal information of individuals such as activists critical of North Korea are among the primary targets of these attacks, and their leakage leads directly to harm to individuals and to security risks. For instance, Earth Kumiho targets geopolitical information and diplomatic secrets from think tanks, which can be used to gain an advantage in diplomatic strategy or negotiations with the US. Furthermore, DPRK-aligned cyber units often operate with a high degree of autonomy while leveraging internet infrastructure located in Russia or China, alongside DPRK-linked reconnaissance activities related to the war in Ukraine. This indicates that North Korea is stepping into a new stage in which it involves itself in foreign conflicts by combining cyber capabilities with traditional military operations.
The international community is strengthening its response to these developments through law enforcement and sanctions. The US Treasury specifically designated Kimsuky for sanctions in November 2023, freezing the assets of related organisations and individuals. Furthermore, the US Department of Justice and South Korean authorities have taken concrete actions, such as indicting agents involved in cryptocurrency hacking and seizing virtual currency wallets used in crimes. In 2025, the United States sanctioned dozens of individuals and entities involved in DPRK-aligned illicit IT worker schemes, while intensifying efforts to disrupt related money-laundering networks, which include the use of cryptocurrency services and facilitators. While these international measures are expected to place pressure on illicit funding channels, the DPRK-aligned threat actors will likely pursue new methods to sustain their operations.
For organisations, it is important to note that these APTs do not necessarily target only state secrets but also intrude into private companies for profit. Companies handling crypto assets and blockchain technology, as well as groups of engineers with deep overseas connections, are prime targets for these groups. Moreover, these APT actors possess high stealth capabilities; once they gain entry into the system, they are able to hide for long periods, making it difficult to assess damage and impact. CISOs and senior managers should keep in mind that their own companies or related industries could be targets and strengthen defensive measures by gathering threat intelligence, actively monitoring indicators of compromise (IOCs), and regularly conducting incident response drills.
2.3. Russian Federation
2.3.1. Political Trends
2.3.2. APT Activities Overview
Russia-aligned intrusion sets synchronised with the invasion of Ukraine and deployed aggressive cyber operations in 2025. While continuing sabotage and espionage against Ukraine and its supporters, they also diverted their advanced cyber technology to espionage activities worldwide.
2.3.3. Impact
Russia-aligned APT activities strongly exhibit the characteristics of cyber warfare, supporting the actual war in Ukraine, with their impact potentially reaching both the battlefield and the international community. These attacks are directed not only at countries supporting Ukraine but also at neutral countries, creating global security risks. Groups like Pawn Storm and Earth Koshchei carried out espionage and sabotage against organisations in Western countries (government agencies, energy companies, logistics companies, international organisations, etc.) supporting the war. For example, hacking attacks launched against the French government and US companies were publicly condemned and became a diplomatic issue, intensifying state-to-state confrontation in cyberspace. Consequently, Western nations imposed cyber sanctions and issued public denunciations against Russia-aligned actors. In 2025, countries like France and the UK cited the involvement of military intelligence in official statements. This is an unusually strong measure, and international pressure is rising in the cyber domain as well.
Companies should note that these Russia-aligned APT attacks are not limited to government targets. Western defence-related and energy companies, as well as media and communications companies, have become targets for threat actors who aim to sever the flow of strategically important goods and information. Furthermore, credential theft campaigns that target a wide range of users indiscriminately (such as those conducted by Earth Koshchei) can affect general companies and individuals with no direct relation to military or diplomacy. This suggests that the attackers are casting a wide net for intelligence collection to acquire access rights in various fields for future operations.
In response, Western nations have been strengthening cooperation to counter these APTs. NATO is strengthening information sharing among member states through its Cyber Defence Centre, while the European Union (EU) has implemented asset freezes on individuals and organisations under its cyber sanctions regime. Japan also issued a statement for the first time in 2025, publicly naming and condemning specific threat groups, while the joint G7 statement called for coordinated action against malicious cyber activities. Although such measures impose a certain diplomatic cost, their ability to immediately halt ongoing attacks is limited. Therefore, companies and organisations must continue to prioritise independent defensive measures.
For CISOs and senior security executives, the Russia-aligned APTs cannot be ignored as a geopolitical risk. Companies involved in businesses supporting Ukraine or in the energy, transportation, and communications sectors (fields of high interest to the government) could become direct targets. Even those that are not may suffer indirect damage if suppliers or partners are attacked. Organisations should integrate state-level attack scenarios into their incident response plans and strengthen preparedness through threat hunting and red team exercises. We also recommend that companies in critical infrastructure industries deepen cooperation with government authorities and actively participate in sharing early warning information and in joint cyberdefence exercises.
Overall, Russia-aligned APT activities in 2025 demonstrated a growing global reach while remaining closely tied with the war in Ukraine, reinforcing the view that cyberspace has become one of the main battlefields of state-to-state confrontation. We expect this trend to persist, making it essential for corporate leadership to view cybersecurity from the perspective of geopolitical risk management and deal with it strategically. Cooperation between governments and the private sector to improve defence technology and establish deterrents will be the key to long-term cyberthreat mitigation.
3. Industry Victimology and Vertical Analysis
3.1. Global Targeting Statistics
Victimology Data
This section provides a statistical presentation of industries affected by APTs and the data-driven rationale for identifying four primary target sectors: Government & Defence, Energy & Logistics, Technology & Manufacturing, and Financial Services.
Figure 1. The top targeted industries by frequency of APT attacks
| Industry | 2025 | 2024 | Change (YoY) |
| --- | --- | --- | --- |
| Government | 1480 | 981 | 50.87% |
| Technology | 674 | 491 | 37.27% |
| Financial services | 427 | 412 | 3.64% |
| Telecommunications | 227 | 344 | -34.01% |
| Communications & media | 149 | 261 | -42.91% |
| Manufacturing | 419 | 230 | 82.17% |
| Education | 321 | 215 | 49.30% |
| Energy | 98 | 46 | 113.04% |
| Infrastructure | 60 | 72 | -16.67% |
3.2. Threats Against Government and Defence
Government institutions remain top APT targets due to their control over policy, diplomacy, and defence. Observed campaigns primarily emphasise long-term infiltration, internal network reconnaissance, and intelligence collection.
3.3. Threats Against Critical Infrastructure (Energy, Transport, Logistics)
APT activity targeting critical infrastructure has also increased significantly, reflecting its central role in national security and economic stability. APT campaigns predominantly focused on intelligence collection related to power grids and oil and gas infrastructure. These operations typically prioritise reconnaissance, credential harvesting, and prepositioning rather than immediate disruption, aligning with preparedness and deterrence strategies under geopolitical confrontation.
3.4. Threats Against Technology and Manufacturing
Technology and manufacturing sectors are highly targeted because of their critical roles in innovation and global supply chains. APT actors seek not only intellectual property and advanced research outcomes but also leverage these industries as entry points for lateral movement into government networks or critical infrastructure.
3.5. Threats Against Financial Services
While espionage remains the dominant motivator in other sectors, the financial sector continues to be a primary target for DPRK-aligned actors focused on illicit revenue generation.
4. Strategic Forecast: A Two-Year Horizon
The next two years will be a race to see which cybersecurity strategies and solutions can achieve “resilience at machine speed.” Organisations need to be able to adapt to and recover from disruptions or cyber threats with the speed and efficiency of automated, machine-driven processes. In cybersecurity terms, this means leveraging technology and automation to enhance resilience, enabling defences to respond and adapt to threats as rapidly as they occur, minimising downtime and maintaining operational continuity.
Countries around the world are accelerating efforts to reduce dependence on foreign AI platforms, cloud services, and digital connectivity. In an increasingly competitive environment, states can ill afford to let their rivals get too far ahead in AI technology. As a result, worldwide investments in sovereign AI tools, LLMs, and AI platforms have become priorities. AI development is more than a defensive requirement against criminal and APT-driven cyberattacks; states are also increasingly motivated to integrate AI into large-scale offensive operations.
4.1. Emerging Technologies and Threat Vectors
Private companies and governments are investing unprecedented sums in AI. According to estimates published by Reuters [34], global investment in AI reached approximately 1.6 trillion dollars from 2013 to 2024, surpassing the cost of landmark historic initiatives like the Manhattan Project and NASA’s Apollo program.
While debate continues whether the massive investments into AI will pay off, a global race is underway to achieve leadership in AI-related technologies. In the West, the main driver is largely commercial, while, in contrast, in some countries, such as China, AI technology development is directed by the state. China has the ambition to be the world leader in AI technologies by 2030, focusing on autonomous driving, robotics, facial recognition, and the military use of AI (such as drones), and is widely regarded as the only nation that can seriously compete with the US. Other states, such as North Korea and Russia, suffer from imposed sanctions that restrict their ability to compete at the same level. Recognising these limitations, Russia has increasingly focused on AI sovereignty instead.
Regardless of AI’s ultimate commercial success, it will fundamentally reshape how APT actors will conduct cyberattack campaigns in the next few years. We anticipate several significant changes fueled by AI:
4.2. Evolution of APT Tactics
This section summarises our predictions regarding the automation of attacks, advanced evasion techniques, and the shift towards stealthier operations.
4.2.1. Automation of Attacks Using AI: Stealthier Operations
APT actors are increasingly using AI platforms to automate attack workflows and enhance evasion capabilities. Soon, attackers will use AI-driven reconnaissance to map corporate and government network infrastructures and quickly identify vulnerabilities. The use of agentic AI composed of relatively small, seemingly fragmented tasks will avoid triggering safety filters, enabling attackers to automate multiple steps in the kill chain with minimal need for human intervention. An attack resembling this was reported in November 2025, illustrating an early step towards autonomous attack operations. [36]
In this campaign, human intervention remained critical, but it reflects a trajectory towards autonomous kill chains: fully automated, AI-enabled attacks. We expect APT actors to outpace typical cybercriminal groups by leveraging state-level resources, which include tools developed by military and defence contractors. This trend is further evidenced by the early use of AI in disinformation campaigns. The FBI reported that Russia-aligned actors began to develop an AI-powered system called Meliorator as early as 2022, intended to support foreign malign influence and disinformation operations.[37]
Several APT actors were reported to have used publicly available AI platforms, such as OpenAI’s[38] and Gemini[39], to conduct reconnaissance, collect information, and research vulnerabilities. These groups also use generative AI to produce deepfake videos and craft highly convincing messages for spear-phishing campaigns. Looking ahead, we expect that the more brazen APT groups such as Pawn Storm will continue to leverage publicly available AI platforms and tools for evasion and rapid deployment.
However, at the same time, more stealthy APT actors will transition away from using Western-based AI platforms and start to use homegrown AI tools, language models, and sovereign AI platforms, leading to reduced visibility on how these groups are using AI in their attacks. We also expect that both APT actors and regular cybercriminals will continue to exploit vulnerable corporate MCP servers for data exfiltration. [40]
4.2.2. Prepositioning in Critical Infrastructure and Residential IoT Devices
APT actors will persist in their efforts to preposition within critical infrastructures such as telecommunications networks and power grids. Simultaneously, state-sponsored entities are increasingly exploiting millions of compromised residential IoT devices that are part of proxy networks and botnets. Some of these botnets are specifically created by APT actors themselves. [41]
Large residential proxy networks are being established by companies with formal legal structures and physical offices. Although these networks have been set up primarily for cybercriminal activities, they represent significant national assets for the countries where the companies managing them are headquartered. Following this reasoning, these large residential proxy networks can also be viewed as positioning by nation-state actors.
In times of heightened geopolitical tensions, these networks can be used for espionage, DDoS attacks, large-scale password spray attacks, as well as a launching point for attacks against devices on the local network that are not directly exposed to the internet but can be accessed through end nodes of residential proxy networks. Despite efforts to dismantle some of the networks,[42] massive botnets of IoT devices continue to operate.
4.2.3. Collaboration Among APT Groups
APT groups are increasingly sharing access and infrastructure to enhance their technical capabilities. These partnerships produce more sophisticated, stealthy operations[43], [44] that make attribution more difficult. The December 2025 attack against the Polish electrical grid was attributed by security vendor ESET to the Russian-aligned group Sandworm,[45] while CERT Polska attributed the campaign to Ghost Blizzard. [46] This example illustrates how attribution has become murky, with different organisations openly disagreeing on the source of the attack.
4.2.4. Cybercenaries, Private Companies, and Criminal Groups
In recent years, specialised and previously unknown APT groups have begun taking over some of the special tasks and operations associated with long-established threat actors. A clear example is the Russia-aligned group Void Blizzard (Laundry Bear)[47], which successfully breached the Dutch National Police in 2024.[48] According to Dutch intelligence services, Void Blizzard conducts its cyber operations at a rapid pace, with relatively simple methods that are difficult to detect. CERT-UA attributed campaigns against Ukrainian organisations in late 2025 to Void Blizzard, even though the TTPs appear different.[49] In 2025, an alleged member of Void Blizzard was arrested in Thailand,[50] with unconfirmed online reporting suggesting that this Russian individual had a past as a cybercriminal.
Criminal groups, such as Void Rabisu[51] and the cybermercenary group Void Balaur [52], have shifted from purely financial motives to geopolitical-motivated campaigns, possibly acting on behalf of existing intelligence services. Given the volatile geopolitical climate, we expect cybermercenaries and private companies to play a bigger role in APT campaigns.
5. Risk Mitigation and Defensive Strategies
The 2025 landscape requires a fundamental shift from preventing intrusions to limiting damage from inevitable compromises. Nation-state-aligned actors will gain access to target environments; the question is how quickly organisations will be able to detect them and how much damage they can do before discovery. For companies whose operational profile or internal risk assessments place them at high interest to a foreign state, the following strategic defence considerations are recommended. Effectively implementing these defences will require a modern, full-stack platform designed to cover all elements of the organisation. Fragmented reliance on multiple point solutions leaves visibility and security gaps, which nation-state-aligned groups particularly excel at exploiting.
5.1. Operating Under the "Assumed Breach" Mindset
Adopting an “assume breach” mindset reflects the reality that nation‑state–aligned threat actors will eventually penetrate even well‑defended environments. Rather than focusing exclusively on perimeter prevention, this approach prioritises early detection, damage containment, and operational resilience. By accepting that compromise is possible, organisations can develop strategies that reduce impact.
Limiting the blast radius
Detecting lateral movement
Planning for long-term compromise
5.2. Implementing Practical, Not Aspirational AI Defences
As AI becomes embedded in both offensive and defensive cyber operations, effective defence requires a measured, pragmatic approach rather than reliance on speculative “AI versus AI” narratives. While automation and machine learning offer meaningful advantages, they do not replace human judgment, particularly in high‑impact decisions involving containment, recovery, or business continuity. This involves focusing on slowing attackers and augmenting human analysts.
Slowing automated reconnaissance
Implementing human-AI collaboration
5.3. Accepting the Limits of Edge Devices and Supply Chains
Edge infrastructure and software supply chains have become favoured entry points for threat actors, reflecting their central role in enterprise connectivity. VPN gateways, firewalls, IoT devices, and third‑party dependencies are frequently targeted to establish initial access or persistence, often outside the visibility of security controls. Effective defence in these areas requires accepting that not all compromises can be prevented and focusing instead on isolation, rapid containment, and impact reduction.
Protecting edge devices
Defending the supply chain
5.4. Understanding That Collective Defence Is the Only Sustainable Solution
Nation‑state–aligned threat actors cannot be countered effectively in isolation. Their scale, resources, and persistence exceed what any single organisation can sustain over time. As a result, long‑term resilience depends on collective defence, combining intelligence sharing, coordination, and joint response efforts to increase attacker cost and reduce operational freedom.
5.5. Improving Visibility and Awareness
5.5.1. The Importance of Comprehensive Visibility
Attackers tend to dwell and expand within the gaps: unmanaged endpoints, shadow IT, forgotten cloud assets, and network segments outside your security perimeter. Addressing these gaps requires achieving unified visibility across the enterprise environment, which can be enabled through integrated security platforms such as Trend Vision One™,[53] alongside other complementary security technologies.
5.5.2. Knowledge Is Power: Actionable Threat Intelligence
Understanding which threat actors are targeting comparable organisations or their supply chains, the techniques they employ, and the indicators that signal their presence transforms visibility into actionable defence.
5.5.3. Shift to Proactive Defence
Combining comprehensive environment visibility with operationalised threat intelligence enables organisations to:
5.6. Conclusion: Resilience, Not Perfection
Organisations cannot indefinitely prevent nation-state-aligned actors from gaining initial access. Across the campaigns examined in this report, well‑resourced threat actors consistently demonstrated the ability to bypass perimeter defences, exploit trust relationships, and sustain covert access over extended periods. For governments and enterprises alike, the strategic objective is therefore not absolute prevention, but the ability to withstand intrusion, limit damage, and recover faster than adversaries can achieve their objectives.
This shift reflects the reality of the modern threat environment. APT campaigns have become an integral part of the geopolitical competition for many states, increasingly augmented by automation and AI. As attack speed accelerates and dwell times shorten, traditional security models that are built around episodic detection and manual response are proving insufficient. Resilience must now operate at machine speed, combining human decision‑making with automation, visibility, and pre‑planned response.
For organisations, the goal is to:
Organisations that demonstrate sustained resilience share several common characteristics. They accept the likelihood of compromise and design environments accordingly, collaborate with peers rather than operate in isolation, prioritise protection of critical assets, and invest in people and processes ahead of costly standalone tools.
The threat landscape is permanent. Resilience is not a one‑time initiative but an enduring operational posture, required for as long as geopolitical competition continues to shape cyberspace.
6. References
[1] Angela Stent. (Oct. 2025). Atlantic Council. “The CRINK: Inside the New Bloc Supporting Russia’s War Against Ukraine.” Accessed on Apr. 7, 2026, at: Link.
[2] TrendAI™. (Aug. 20, 2024). TrendAI™. “What Is Artificial Intelligence (AI)?” Accessed on Apr. 8, 2026, at: Link.
[3] CERT-UA. (July 17, 2025). CERT-UA. “Кібератаки UAC-0001 на сектор безпеки та оборони із застосуванням програмного засобу LAMEHUG (CERT-UA#16039)” [UAC-0001 cyberattacks on the security and defence sector using the LAMEHUG software tool (CERT-UA#16039)]. Accessed on Apr. 7, 2026, at: Link.
[4] Daniel Lunghi and Leon M Chang. (Oct. 22, 2025). TrendAI™. “Premier Pass-as-a-Service.” Accessed on Apr. 7, 2026, at: Link.
[5] Reuters. (2025). Reuters. “AI Investment: The Future of the US Economy.” Accessed on Apr. 7, 2026, at: Link.
[6] The State Council of the People’s Republic of China. (Aug. 27, 2025). Gov.cn. “Latest Policies and Releases.” Accessed on Apr. 7, 2026, at: Link.
[7] Reuters. (Dec. 4, 2024). Reuters. “North Korea-Russia Treaty Comes Into Force, KCNA Says.” Accessed on Apr. 7, 2026, at: Link.
[8] Francesco Torri and Manuel Núñez Fernández. (Mar. 11, 2025). Undisciplined Environments. “China’s Expanding Footprint in South America’s Lithium Triangle.” Accessed on Apr. 7, 2026, at: Link.
[9] Hara Hiroaki. (Apr. 30, 2025). TrendAI™. “Earth Kasha Updates TTPs in Latest Campaign Targeting Taiwan and Japan.” Accessed on Apr. 7, 2026, at: Link.
[10] Nathaniel Morales and Nick Dai. (Feb. 18, 2025). TrendAI™. “Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection.” Accessed on Apr. 7, 2026, at: Link.
[11] Daniel Lunghi and Leon M Chang. (Oct. 22, 2025). TrendAI™. “The Rise of Collaborative Tactics Among China-aligned Cyber Espionage Campaigns.” Accessed on Apr. 7, 2026, at: Link.
[12] United States Department of Justice. (July 8, 2025). Office of Public Affairs. “Justice Department Announces Arrest of Prolific Chinese State-Sponsored Contract Hacker.” Accessed on Apr. 7, 2026, at: Link.
[13] Vilius Petkauskas. (June 10, 2025). Cybernews. “Largest Ever Data Leak Exposes Over 4 Billion User Records.” Accessed on Apr. 7, 2026, at: Link.
[14] Reuters. (July 30, 2025). Reuters. “Telefonica Ditches Huawei's 5G Gear in Spain and Germany; Keeps it in Brazil.” Accessed on Apr. 7, 2026, at: Link.
[15] Unit 42. (Nov. 21, 2023). Unit 42. “Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors.” Accessed on Apr. 7, 2026, at: Link.
[16] Feike Hacquebord and Stephen Hilt. (Apr. 23, 2025). TrendAI™. “Russian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations.” Accessed on Apr. 7, 2026, at: Link.
[17] Vanja Svajcer. (June 18, 2025). Talos Intelligence. “Famous Chollima Deploying Python Version of GolangGhost RAT.” Accessed on Apr. 7, 2026, at: Link.
[18] United States Department of the Treasury. (Nov. 30, 2023). Treasury News. “Treasury Targets DPRK’s International Agents and Illicit Cyber Intrusion Group.” Accessed on Apr. 7, 2026, at: Link.
[19] Dominik Reichel. (June 17, 2025). Unit 42. “Exploring a New KimJongRAT Stealer Variant and Its PowerShell Implementation.” Accessed on Apr. 7, 2026, at: Link.
[20] ESTsecurity. (June 20, 2019). ESTsecurity. “[스페셜 리포트] APT 캠페인 'Konni' & 'Kimsuky' 조직의 공통점 발견” [Special Report: Commonalities Found Between the 'Konni' and 'Kimsuky' APT Campaign Groups]. Accessed on Apr. 7, 2026, at: Link.
[21] FSEC. (Mar. 13, 2025). FSEC. “금융보안원, 국가배후 해킹조직의 금융권 대상 위협 경고” [Financial Security Institute Warns of Threats to the Financial Sector from State-Backed Hacking Groups]. Accessed on Apr. 7, 2026, at: Link.
[22] ASEC. (July 21, 2025). ASEC. “악성 한글(.HWP) 문서를 이용한 RokRAT 악성코드 유포 주의” [Caution: RokRAT Malware Distributed via Malicious Hangul (.HWP) Documents]. Accessed on Apr. 7, 2026, at: Link.
[23] MSMT. (Oct. 22, 2025). MSMT. “The DPRK’s Violation and Evasion of UN Sanctions through Cyber and Information Technology Worker Activities.” Accessed on Apr. 7, 2026, at: Link.
[24] National Cybersecurity Agency of France. (Apr. 29, 2025). CERT-FR. “Targeting and Compromise of French Entities Using the APT28 Intrusion Set.” Accessed on Apr. 7, 2026, at: Link.
[25] NSA, FBI, CISA, et al. (May 2025). NSA. “Russian GRU Targeting Western Logistics Entities and Technology Companies.” Accessed on Apr. 7, 2026, at: Link.
[26] Computer Emergency Response Team of Ukraine. (July 17, 2025). CERT-UA. “Кібератаки UAC-0001 на сектор безпеки та оборони із застосуванням програмного засобу LAMEHUG (CERT-UA#16039)” [UAC-0001 cyberattacks on the security and defence sector using the LAMEHUG software tool (CERT-UA#16039)]. Accessed on Apr. 7, 2026, at: Link.
[27] Google Threat Intelligence Group. (Jan. 28, 2026). Google Cloud. “Diverse Threat Actors Exploiting Critical WinRAR Vulnerability CVE-2025-8088.” Accessed on Apr. 7, 2026, at: Link.
[28] Computer Emergency Response Team of Ukraine. (Feb. 23, 2025). CERT-UA. “Цільова активність UAC-0212 у відношенні розробників та постачальників рішень АСУТП (CERT-UA#13702)” [Targeted UAC-0212 activity against developers and suppliers of industrial control system (АСУТП) solutions (CERT-UA#13702)]. Accessed on Apr. 7, 2026, at: Link.
[29] Jacob Finn, Dmytro Korzhevin, and Asheer Malhotra. (June 5, 2025). Talos Intelligence. “Newly Identified Wiper Malware 'PathWiper' Targets Critical Infrastructure in Ukraine.” Accessed on Apr. 7, 2026, at: Link.
[30] Check Point. (Apr. 15, 2025). Check Point. “Renewed APT29 Phishing Campaign Against European Diplomats.” Accessed on Apr. 7, 2026, at: Link.
[31] CJ Moses. (Aug. 29, 2025). Amazon. “Amazon Disrupts Watering Hole Campaign by Russia’s APT29.” Accessed on Apr. 7, 2026, at: Link.
[32] CERT Polska. (2025). CERT.pl. “Energy Sector Incident Report – 29 December.” Accessed on Apr. 7, 2026, at: Link.
[33] Stephen Hilt and Robert McArdle. (Dec. 9, 2025). TrendAI™. “VibeCrime: Preparing Your Organisation for the Next Generation of Agentic AI Cybercrime.” Accessed on Apr. 7, 2026, at: Link.
[34] Reuters. (2025). Reuters. “AI Investment: The Future of the US Economy.” Accessed on Apr. 7, 2026, at: Link.
[35] Stephen Hilt and Robert McArdle. (Dec. 9, 2025). TrendAI™. “VibeCrime: Preparing Your Organisation for the Next Generation of Agentic AI Cybercrime.” Accessed on Apr. 7, 2026, at: Link.
[36] Anthropic. (Nov. 13, 2025). Anthropic. “Disrupting the First Reported AI-Orchestrated Cyber Espionage Campaign.” Accessed on Apr. 7, 2026, at: Link.
[37] Internet Crime Complaint Centre (IC3). (July 9, 2024). IC3. “State-Sponsored Russian Media Leverages Meliorator Software for Foreign Malign Influence Activity.” Accessed on Apr. 7, 2026, at: Link.
[38] OpenAI LLC. (Feb. 14, 2024). OpenAI. “Disrupting Malicious Uses of AI by State-Affiliated Threat Actors.” Accessed on Apr. 7, 2026, at: Link.
[39] Google Threat Intelligence Group. (Jan. 30, 2025). Google Cloud. “Adversarial Misuse of Generative AI.” Accessed on Apr. 7, 2026, at: Link.
[40] Alfredo Oliveira and David Fiser. (July 17, 2025). TrendAI™. “MCP Security Network: Exposed Servers are Backdoors to Your Private Data.” Accessed on Apr. 7, 2026, at: Link.
[41] Feike Hacquebord, Stephen Hilt, and Fernando Merces. (Mar. 17, 2022). TrendAI™. “Cyclops Blink Sets Sights on ASUS Routers.” Accessed on Apr. 8, 2026, at: Link.
[42] Google Threat Intelligence Group. (Jan. 29, 2026). Google Cloud. “No Place Like Home Network: Disrupting the World's Largest Residential Proxy Network.” Accessed on Apr. 8, 2026, at: Link.
[43] Daniel Lunghi and Leon M Chang. (Oct. 22, 2025). TrendAI™. “Premier Pass-as-a-Service.” Accessed on Apr. 7, 2026, at: Link.
[44] ESET Research. (Sept. 19, 2025). ESET. “Gamaredon and Turla Target High-Profile Ukrainian Entities.” Accessed on Apr. 7, 2026, at: Link.
[45] ESET Research. (Jan. 30, 2026). WeLiveSecurity. “DynoWiper Update: Technical Analysis and Attribution.” Accessed on Apr. 8, 2026, at: Link.
[46] CERT Polska. (Jan. 30, 2026). CERT.pl. “Energy Sector Incident Report – 29 December 2025.” Accessed on Apr. 7, 2026, at: Link.
[47] Microsoft Threat Intelligence. (May 27, 2025). Microsoft. “New Russia-Affiliated Actor Void Blizzard Targets Critical Sectors for Espionage.” Accessed on Apr. 7, 2026, at: Link.
[48] General Intelligence and Security Service. (May 27, 2025). AIVD.nl. “AIVD and MIVD Identify New Russian Cyber Threat Actor.” Accessed on Apr. 7, 2026, at: Link.
[49] Computer Emergency Response Team of Ukraine. (Jan. 20, 2026). CERT-UA. “‘Untrustworthy Fund’: UAC-0190 Targeted Cyber Attacks on SOUs Using PLUGGYAPE (CERT-UA#19092).” Accessed on Apr. 7, 2026, at: Link.
[50] Laura Sharman, Helen Regan, and Sean Lyngaas. (Nov. 15, 2025). CNN. “Russian Alleged Cyber-Hacker Faces Extradition to US After Arrest in Thailand.” Accessed on Apr. 7, 2026, at: Link.
[51] Feike Hacquebord, Stephen Hilt, Fernando Merces, and Lord Alfred Remorin. (May 30, 2023). TrendAI™. “Void Rabisu’s Use of RomCom Backdoor Shows a Growing Shift in Threat Actors’ Goals.” Accessed on Apr. 7, 2026, at: Link.
[52] Feike Hacquebord. (Nov. 10, 2021). TrendAI™. “Tracking Void Balaur’s Activities: A Cybermercenary’s Journey.” Accessed on Apr. 7, 2026, at: Link.
[53] TrendAI™. (2025). TrendAI™. “TrendAI Vision One™.” Accessed on Apr. 7, 2026, at: Link.
[54] TrendAI™. (2025). TrendAI™. “TrendAI Vision One™ Threat Intelligence.” Accessed on Apr. 7, 2026, at: Link.