The tradecraft of Advanced Persistent Threats has shifted markedly over the past two years. The classic spear-phishing-into-endpoint model now coexists with — and is increasingly displaced by — mass exploitation of network edge appliances, the weaponization of vulnerabilities before vendor disclosure, identity-centric intrusion, supply-chain compromise, and AI-augmented operations.
The single most consequential shift is the targeting of internet-facing edge infrastructure — VPNs, firewalls, routers, gateways. Salt Typhoon breached over 600 organizations across 80+ countries by exploiting exposed Cisco, Ivanti, and Palo Alto appliances. Volt Typhoon leaned on Fortinet and Citrix. Silk Typhoon hit IT supply-chain providers to reach many downstream victims at once. These devices are externally exposed, often unmonitored by endpoint detection, and grant a privileged network position upon compromise.
Where a network position is not the entry point, a credential usually is. Session-token theft sidesteps multi-factor authentication entirely. Once inside, adversaries minimize their forensic footprint by living off the land — PowerShell, WMI, PsExec — so that malicious actions are statistically indistinguishable from routine administration. One documented campaign sustained access for eighteen months, hidden inside legitimate traffic.
The contemporary APT does not break the door down. It walks through an unmonitored side entrance with a borrowed key, and then behaves like staff.