February 2026 APT Group Trends Report

ID: d50923ae-8237-57c2-9b71-ef1ba90c36b6

STIX ID: report--d50923ae-8237-57c2-9b71-ef1ba90c36b6

Feed Name: ASEC

Threat Score: 92/100

Date Published: 2026-03-11

Date Updated: 2026-04-26

Author: ATCP

This report summarizes February 2026 APT activity and related cybercrime: a Notepad++ supply‑chain compromise deploying Chrysalis and Cobalt Strike; APT28 rapidly weaponizing Office/MSHTML zero‑days to install long‑term implants; TA‑RedAnt (APT37) using USB and Zoho WorkDrive C2 to breach air‑gapped environments; zero‑day exploitation against a Singapore telco and VMware backup/recovery (UNC3886, UNC6201); Cisco Catalyst SD‑WAN compromise (UAT‑8616); and Lazarus/BlueNoroff financially motivated ransomware/extortion and macOS credential theft via real‑time social engineering. The incidents demonstrate active, sophisticated exploitation of zero‑days, supply‑chain and backup infrastructure compromises, and high operational risk to critical sectors.