Weekly Threat Landscape: Thursday Roundup #5

This week’s reporting shows adversaries prioritizing embedded access within trusted systems, using identity, SaaS platforms, and legitimate workflows to sustain long-term presence and reduce the chance of detection. Of these, China’s continued pre-positioning of access represents the most strategically significant topic because of its alignment with future military operations.

Dutch intelligence says Chinese cyber capability equal to US

On 21 April 2026, the Dutch Military Intelligence and Security Service (MIVD) assessed in its 2025 annual report that China has likely reached parity with the US in offensive cyber capabilities, following a reorganization of its cyber forces that improved integration with military operations and accelerated exploitation of vulnerabilities. The report details sustained Chinese cyberespionage against Western defense industries, use of zero-day exploits, and a broad “whole of society” approach to intelligence collection, enabling large-scale acquisition of sensitive technology and access to critical networks. This assessment aligns with previous warnings from Western agencies that PRC-linked actors are prioritizing long-term access, particularly via exploitation of network edge devices and telecom infrastructure, positioning themselves for persistent intelligence collection and potential future operational use.

Assessment

China’s reorganization and sustained targeting reflect a deliberate strategy of pre-positioning access aligned to future operational requirements, not opportunistic espionage.

Key Drivers

  1. Integration of cyber forces with military operations indicates access development is aligned to operational requirements, not opportunistic collection.
  2. China’s state, commercial, and academic ecosystems enable continuous vulnerability discovery and exploitation, allowing access to be built and maintained at scale.
  3. Limited detection of Chinese activity suggests existing access likely exceeds what defenders currently observe, increasing the risk of pre-positioned presence.

Iranian recruits expand North Korea’s IT worker infiltration model

On 2 April 2026, research from Flare identified Iranian nationals participating in the broader North Korean IT worker (NKITW) scheme, a state-backed operation where technically skilled individuals use false identities to obtain remote employment at Western companies and funnel earnings back to the DPRK. The findings suggest the ecosystem is expanding beyond North Korea, with Iranian recruits supporting or integrating into the same infrastructure, including fake personas, intermediaries, and job placement networks. This evolution indicates the operation is becoming more decentralized and scalable, using global talent pools and overlapping illicit networks to sustain revenue generation and access into Western corporate environments.

Assessment

The integration of Iranian personas into the NKITW ecosystem indicates the model is evolving beyond nationality-based identity and toward a scalable, multi-national access framework designed to sustain placement rates under increased scrutiny.

Key Drivers

  1. Increased industry awareness has reduced effectiveness of traditional NKITW personas.
  2. Use of non-traditional identities expands the available talent pool and reduces detection tied to nationality-based heuristics.
  3. Remote hiring and inconsistent identity verification continue to provide scalable entry points for access.

China-linked GopherWhisper blends into enterprise traffic to sustain covert access

On 23 April 2026, ESET researchers disclosed a previously undocumented China-aligned APT group, dubbed GopherWhisper, targeting a Mongolian government entity using a diverse toolkit of primarily Go-based malware. The group deployed several custom backdoors and loaders, while using legitimate platforms like Discord, Slack, M365 Outlook, and file-sharing services for C2 and data exfiltration, allowing activity to blend in with normal network traffic. Analysis of recovered C2 communications provided insight into post-compromise operations, showing a flexible and modular approach to maintaining access and conducting cyberespionage.

Assessment

The use of SaaS platforms for C2 reflects a push toward operating entirely within trusted enterprise ecosystems, where detection requires identifying abnormal behavior within legitimate systems rather than identifying malicious infrastructure alone.

Key Drivers

  1. Use of SaaS platforms allows C2 to blend into legitimate enterprise traffic.
  2. Modular tooling enables flexible post-compromise operations and persistence despite partial detection.
  3. Reliance on common enterprise platforms makes this tradecraft easily adaptable across targets, including US government and DIB environments.
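The assessment above argues that when C2 rides on Discord, Slack, or Outlook, blocking or reputation-scoring the destination is useless and detection has to come from behavior. As an added illustration (not from the ESET report or this roundup), the Python script below runs two such behavioral checks over constructed proxy-log lines: a beaconing check that flags a host whose connections to one domain arrive at near-constant intervals, and a baseline check that flags a host contacting a SaaS domain it has no prior history with. The hostnames, timestamps, byte counts and the per-host baseline are all constructed for the example; the domains are only the platforms the report names and are used as ordinary, legitimate destinations.

```python
"""Added example: spotting C2 that hides in SaaS traffic.

Two checks run over constructed proxy-log lines:
  1. beaconing: near-constant intervals between a host's connections to one domain
  2. baseline deviation: a host talking to a SaaS domain it has not used before
Host names, timestamps, byte counts and the baseline are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO-8601 time> <host> <destination> <bytes_out>"
SAMPLE_LOGS = """\
2026-04-20T09:00:00Z ws-01 discord.com 1420
2026-04-20T09:05:01Z ws-01 discord.com 1388
2026-04-20T09:10:00Z ws-01 discord.com 1402
2026-04-20T09:14:59Z ws-01 discord.com 1397
2026-04-20T09:20:00Z ws-01 discord.com 1411
2026-04-20T09:25:01Z ws-01 discord.com 1390
2026-04-20T09:00:00Z ws-02 slack.com 8210
2026-04-20T09:02:30Z ws-02 slack.com 2200
2026-04-20T09:11:00Z ws-02 slack.com 15033
2026-04-20T09:11:40Z ws-02 slack.com 900
2026-04-20T09:30:00Z ws-02 slack.com 4400
2026-04-20T09:31:15Z ws-02 slack.com 3100
2026-04-20T09:03:00Z ws-03 outlook.office.com 5600
2026-04-20T10:47:00Z ws-03 outlook.office.com 6100
"""

# Constructed per-host baseline: SaaS destinations each host used in prior weeks.
KNOWN_DESTINATIONS = {
    "ws-01": {"slack.com", "outlook.office.com"},
    "ws-02": {"slack.com", "outlook.office.com"},
    "ws-03": {"outlook.office.com"},
}


def parse_log(text):
    """Parse log lines into (timestamp, host, domain, bytes) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, parts[1], parts[2], int(parts[3])))
    return events


def find_beacons(events, min_events=5, max_cv=0.1):
    """Return (host, domain) pairs whose connection intervals are suspiciously regular.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    connections. Human-driven SaaS use is bursty (high cv); a timer-driven
    implant is not (cv near zero, even with a little jitter).
    """
    by_pair = defaultdict(list)
    for ts, host, domain, _ in events:
        by_pair[(host, domain)].append(ts)
    hits = []
    for (host, domain), times in by_pair.items():
        if len(times) < min_events:
            continue  # too few samples to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"host": host, "domain": domain, "count": len(times),
                         "mean_interval_s": avg, "cv": cv})
    return hits


def find_new_destinations(events, baseline):
    """Return (host, domain) pairs where the host has no history with that domain."""
    seen = {(host, domain) for _, host, domain, _ in events}
    return sorted(pair for pair in seen if pair[1] not in baseline.get(pair[0], set()))


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOGS)
    for hit in find_beacons(evs):
        print(f"beacon-like: {hit['host']} -> {hit['domain']} "
              f"({hit['count']} hits, every ~{hit['mean_interval_s']:.0f}s, cv={hit['cv']:.3f})")
    for host, domain in find_new_destinations(evs, KNOWN_DESTINATIONS):
        print(f"new destination for {host}: {domain}")
```

On the sample data only ws-01 trips both checks: its six connections to discord.com are 300 seconds apart with one-second jitter, and discord.com is not in its baseline. ws-02 uses slack.com heavily but irregularly, and ws-03 has too few events to score. In production the same two signals should be joined with data-volume and working-hours context, since regular, small, out-of-hours uploads to a SaaS domain a host never used before are the pattern the report describes, and any one signal alone generates noise.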

Taken together, these developments show that adversaries are sustaining access inside trusted systems, shifting the detection workload toward identifying abnormal behavior within legitimate activity.