An analysis found that half of the APT attacks in the past year were carried out by North Korean hacking groups. An APT, or "advanced persistent threat," is an attack that steals sensitive data such as personal information through persistent hacking attempts over a long period.

According to the report "2025 cyber threat trends & 2026 outlook" on the 30th, there were 86 APT attacks by North Korean hacking groups from Oct. 2024 to Sept. this year. They accounted for 49.1% of 175 disclosed attacks.


Lazarus, known as a hacking group under North Korea's Reconnaissance General Bureau, had the most with five cases. It was followed by Kimsuky with three, Andariel with two, Konni with two, and TA-RedAnt (RedAnt) with two.

Lazarus expanded its targets to a range of industries, including cryptocurrency, finance, information technology (IT), and defense. It developed numerous multi-platform malware programs that support both Mac operating systems (OS) and Linux.

Lazarus used various hacking methods, from an "Operation Sinkhole" technique that hacks websites frequently visited by targets to plant malware, to luring victims through AI-based fake interviews. It also used a method of planting malware in developers' open-source platforms.

In addition, Kimsuky frequently sent phishing emails disguised as lecture requests or interview inquiries, and Andariel distributed malware targeting domestic asset management solutions. TA-RedAnt (RedAnt) sometimes impersonated real people using AI images and voice modulation.

AhnLab predicted that while hacking groups continue attacks targeting core national infrastructure, attacks on transportation networks such as rail, maritime, and aviation, as well as on communications networks, will increase in 2026. It also expected that some state-backed groups will carry out attacks citing geopolitical conflicts.
