APT28

APT28 is a Russian state-sponsored intrusion set publicly attributed to the GRU’s Unit 26165 and widely tracked under aliases including Fancy Bear, Forest Blizzard, Sofacy, Sednit, Pawn Storm, Strontium, Fighting Ursa, BlueDelta, UAC-0001, and UAC-0028. The group has conducted cyber espionage, credential theft, and influence or hack-and-leak operations for roughly two decades, primarily targeting government, defense, diplomatic, military, critical infrastructure, logistics, transportation, and policy organizations, with a strong focus on NATO member states, Ukraine, Europe, and the United States. The content describes APT28 as one of the most prolific and persistent GRU-linked actors. Reported historic operations include the 2015 German Bundestag intrusion, the TV5Monde sabotage operation conducted under the fake CyberCaliphate persona, the 2016 intrusions into the DCCC, DNC, and Hillary Clinton campaign, and the leak of stolen World Anti-Doping Agency athlete medical records during the 2016 Rio Olympics. The group also used fake personas under the DC Leaks banner to seed stolen information to journalists. APT28 has used spear phishing, exploit delivery, credential harvesting, webmail theft, and edge-device compromise. The content states it exploited CVE-2023-23397 to harvest Net-NTLMv2 hashes from European government, military, energy, and transportation targets, and weaponized CVE-2026-21509 within 24 hours of disclosure in a January 2026 espionage campaign against European military, government, maritime, and transport organizations. That campaign used malicious Office documents with embedded OLE objects and WebDAV-delivered payloads, first-stage loaders including SimpleLoader or SimpleDropper, COM hijacking persistence, and either a steganography-based loader that extracted an in-memory Covenant Grunt implant from PNG files or an Outlook VBA backdoor called NotDoor for long-term mailbox collection and forwarding. The group’s malware and tooling in the content include Seduploader, X-Agent, X-Tunnel, Sedreco, Zebrocy, GooseEgg, HeadLace, CredoMap, MASEPIE, OCEANMAP, STEELHOOK, BeardShell, Slimagent, LameHug, PixyNetLoader, Jaguar Tooth, Covenant/Covenant Grunt, and NotDoor. PixyNetLoader is described as a DLL-based loader active since late 2024 that hides encrypted payloads in PNG image files using steganography and executes a Covenant Grunt implant in memory, with command and control via the FILEN cloud service. ESET reported APT28 using BeardShell and Covenant since April 2024 for long-term surveillance of Ukrainian military personnel, drone manufacturers, and drone research and development organizations, while also targeting logistics and transportation companies outside Ukraine. The content also highlights APT28’s infrastructure shift from rented VPS systems to compromised SOHO and edge devices, including Ubiquiti EdgeRouters, MikroTik, TP-Link, and older Cisco IOS routers. Reported operations include use of a MooBot-based router botnet later disrupted by the FBI’s Operation Dying Ember, the FrostArmada campaign that rewrote DNS settings for adversary-in-the-middle credential and OAuth token theft, and deployment of the custom Cisco IOS malware Jaguar Tooth via CVE-2017-6742 after identifying weak SNMP community strings. The group has also abused legitimate cloud services such as Koofr, Icedrive, and Filen for covert command and control. Victimology in the content includes Ukrainian government and defense targets, Ukrainian military personnel, European foreign ministries, law enforcement, maritime and transport organizations, democratic think tanks, intelligence targets, international sporting organizations, and Western or NATO-country logistics providers, tech companies, and government organizations supporting Ukraine. The content also notes use of targeted lure material for credential harvesting and modules that notify operators when USB mass storage devices are inserted. APT28 is additionally described as using PowerShell, staging captured credentials in files such as pi.log and in C:\ProgramData, and deploying malware that copied itself to the Startup directory for persistence.