socradar.io 2/13/2026, 11:10:44 AM · via preferred

Top Nation-State Cyber Threats Targeting the United States

Top Nation-State Cyber Threats Targeting the United States summarises how, in 2025 and 2026, state-linked groups focused on gaining long-term visibility through identities, inboxes and trusted processes rather than smashing front doors. According to SOCRadar’s 2026 U.S. Threat Landscape Report, selling made up 70.76% of observed Dark Web activity, highlighting how credentials and entry points move quickly in illicit markets.

The piece breaks down China-related espionage and long-dwell access, Russia-linked campaigns focused on logistics and defence-adjacent channels, North Korea-linked revenue operations and recruitment-based access, and Iran-linked credential theft via hiring and supplier access.

Notable examples include Salt Typhoon compromising email systems in January 2026, a May 2025 joint CISA advisory on GRU unit 26165 (APT28) targeting Western logistics and technology firms, and North Korea’s Kimsuky using QR codes embedded in spearphishing aimed at NGOs, think tanks and government bodies.

The analysis also covers recruitment-themed lures used by UNC1549 and UNC6446, and recommends hardening identities, monitoring mailbox activity, and reducing third-party exposure to raise the cost and reduce the success of such campaigns.

Article by CyberSIXT