apt
Safeguard articles tagged "apt" — guides, analysis, and best practices for software supply chain and application security.
24 articles
ESET's May 2026 APT Report: Oil Shipments, Drone Makers, and a Poisoned npm Library
ESET's APT Activity Report (May 28, 2026) maps China-, North Korea-, Russia-, and Iran-aligned operations from October 2025 to March 2026 — including BlueNoroff's compromise of the axios npm package, a textbook supply-chain espionage event.
Screening Serpens (UNC1549): Iran-Nexus Espionage and the MiniUpdate RAT (May 2026)
Unit 42's May 22, 2026 report tracks the Iran-nexus group Screening Serpens deploying new MiniUpdate and MiniJunk V2 RATs against US, Israeli, and Gulf targets using job-themed lures and DLL sideloading.
Nation-State Actors Operationalize AI: Inside GTIG's May 2026 Threat Tracker
Google's Threat Intelligence Group documented China, North Korea, Russia, and Iran moving AI from experiment to operations in May 2026 — AI-assisted vulnerability research, LLM-enabled malware, and obfuscated model-access infrastructure.
Shadow-Earth-053: China-Aligned Espionage Across Asia and a NATO State (May 2026)
Trend Micro's May 1, 2026 disclosure of Shadow-Earth-053 documents a China-aligned campaign exploiting N-day Exchange and IIS flaws to plant Godzilla web shells and ShadowPad across government, defense, and civil-society targets in eight-plus countries.
Volt Typhoon: Critical Infrastructure Supply Chain
Volt Typhoon is pre-positioning inside U.S. critical infrastructure using living-off-the-land tradecraft and third-party access. Here is what defenders should do about it.
Cozy Bear / Midnight Blizzard Supply Chain Tactics
Midnight Blizzard (APT29, Cozy Bear) has refined long-dwell supply chain access into an operational art. Here is what their 2023-2025 pattern looks like to defenders.
DPRK IT Worker Supply Chain Insider Threat
DPRK operatives have placed themselves inside Western companies as remote developers. Here is how that pattern functions as a supply chain threat and how to detect it.
Black Basta Ransomware Leak Lessons Learned
The Black Basta chat leak gave defenders a rare inside view of how a ransomware program operates. Here are the durable engineering lessons to take from it.
LockBit Takedown: What Came After
Operation Cronos disrupted LockBit's infrastructure but not the underlying affiliate economy. Here is what actually changed and what defenders should take from it into 2026.
FIN7 Supply Chain Social Engineering (2024)
FIN7 built tooling that made its social engineering feel like a SaaS product. Here is how its 2024 tradecraft blended malvertising, fake tools, and credential theft into a supply chain attack.
Gamaredon Ukraine Targeting Supply Chain 2025
Gamaredon's 2025 operations against Ukraine have leaned harder into software and MSP supply chain pivots. Here is the tradecraft defenders need to recognize.
Lazarus Group: 3CX and Software Builds
Lazarus turned a developer's personal machine into a corporate build-system compromise. Here is how that cascade actually worked and what it teaches about build-system trust.