APT QUARTERLY REPORT : APR TO JUN 2026
2026-06-25 • Cyfirma
https://www.cyfirma.com/research/apt-quarterly-report-apr-to-jun-2026/
North Korean APT activity in Q2 2026 combined cryptocurrency theft, supply-chain compromise, cloud-focused intrusions, and strategic espionage. Lazarus targeted cryptocurrency exchanges, DeFi platforms, software vendors, defense contractors, and technology companies through social engineering, trojanized project or job lures, compromised development environments, and stolen credentials. Kimsuky pursued credential harvesting and intelligence collection against government, policy, academic, and defense-research targets, while Andariel expanded activity against defense, healthcare, manufacturing, critical infrastructure, energy, transportation, and industrial environments. Sapphire Sleet focused on cryptocurrency and financial targets through recruitment-themed lures and fraudulent trading or investment applications designed to steal wallet credentials, tokens, and financial account data.