Threats 2026-04-19 5 min

APT groups active in 2026: who they are and what they want

Lazarus, APT29, Sandworm, MuddyWater — a current map of the major state-sponsored actors and the sectors they target.


Advanced Persistent Threats (APTs) are state-affiliated or state-tolerated groups conducting long-term cyber operations for espionage, financial gain, or sabotage. Mandiant, CrowdStrike, and Recorded Future maintain public taxonomies — APT28, APT29, Lazarus, Sandworm, MuddyWater, OilRig, Charming Kitten — each tracked through TTPs, tooling, and infrastructure. The MITRE ATT&CK framework catalogs over 150 named groups with 600+ techniques.

Lazarus Group, attributed to North Korea's RGB, focuses on financial crime — cryptocurrency exchange theft via malicious npm packages and macOS dylib hijacking — and has stolen billions of USD in digital assets since 2017. The group's recent operations use trojanized Node.js packages and LinkedIn social engineering of crypto firm employees, often delivering custom backdoors like RustBucket and KandyKorn. Any Azerbaijani fintech or crypto-adjacent business handling foreign-exchange flows is in scope.

Sandworm (GRU Unit 74455) is responsible for NotPetya, the Industroyer attacks on the Ukrainian electric grid, and ongoing operations against energy and telecommunications across the broader region. APT28 (Fancy Bear) and APT29 (Cozy Bear / Midnight Blizzard) target government, defense, and policy think tanks for intelligence collection. Iranian-attributed MuddyWater and OilRig actively operate against Middle Eastern and Caucasus targets, including telecom and energy.

For Azerbaijani organizations, the practical question is which groups likely care about you. Energy and SOCAR-adjacent firms: Sandworm, MuddyWater. Banks and fintech: Lazarus, FIN groups. Government and policy-adjacent bodies: APT28, APT29. Defense suppliers: Charming Kitten. Map your sector to actor groups via the ATT&CK Navigator, build detection logic for the top 20 techniques those actors use, and validate continuously with Atomic Red Team. The Cyber Security Center of Azerbaijan and the Group-IB Azerbaijan office publish region-specific advisories worth subscribing to.
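As an added worked example (not from the original post), the sector-to-actor-to-technique step above as a small Python script: it takes a sector, unions the techniques of the actors the post names for it, ranks techniques by how many of those actors use them, and emits an ATT&CK Navigator layer you can load to see where detection coverage should go first. The actor-to-technique table is a constructed placeholder and the layer format version is an assumption; in practice populate the table from the MITRE ATT&CK STIX bundle.

```python
import json
from collections import Counter

# Constructed, illustrative actor -> ATT&CK technique IDs. Not authoritative:
# pull the real group/technique relationships from the ATT&CK STIX bundle
# (enterprise-attack.json) before using this for prioritisation.
ACTOR_TECHNIQUES = {
    "Sandworm":   {"T1566", "T1059", "T1078", "T1486", "T1021", "T1003"},
    "MuddyWater": {"T1566", "T1059", "T1105", "T1027", "T1053", "T1071"},
    "Lazarus":    {"T1195", "T1566", "T1059", "T1105", "T1027", "T1071"},
    "APT28":      {"T1566", "T1078", "T1003", "T1021", "T1071", "T1110"},
    "APT29":      {"T1566", "T1078", "T1003", "T1021", "T1071", "T1550"},
}

# Sector -> actors, as laid out in the post.
SECTOR_ACTORS = {
    "energy":     ["Sandworm", "MuddyWater"],
    "fintech":    ["Lazarus"],
    "government": ["APT28", "APT29"],
}


def rank_techniques(sector, top_n=20):
    """Return up to top_n (technique_id, actor_count) pairs for the sector,
    most-shared technique first; ties are broken by technique id."""
    counts = Counter()
    for actor in SECTOR_ACTORS[sector]:
        counts.update(ACTOR_TECHNIQUES[actor])
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:top_n]


def navigator_layer(sector, top_n=20):
    """Build an ATT&CK Navigator layer (layer format 4.5 assumed) whose
    score for each technique is the number of relevant actors using it."""
    actors = ", ".join(SECTOR_ACTORS[sector])
    return {
        "name": f"{sector} priority techniques",
        "domain": "enterprise-attack",
        "versions": {"layer": "4.5"},
        "description": f"Techniques used by {actors}; score = actor count",
        "techniques": [
            {"techniqueID": tid, "score": n, "comment": f"used by {n} relevant actor(s)"}
            for tid, n in rank_techniques(sector, top_n)
        ],
    }


if __name__ == "__main__":
    print(json.dumps(navigator_layer("energy"), indent=2))
```

Save the printed JSON and open it with the Navigator's "Open Existing Layer" to get a heat map; the ranked list is also the natural input for choosing which Atomic Red Team tests to run first.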

#apt #threat-intelligence #threats
Information security, Baku.
© 2026 gpolicy. All rights reserved.