Skip to main content
Mallory
Back to malware
MalwareUsed by 1 actor

STEELHOOK

STEELHOOK is a credential-stealing malware associated in the provided reporting with APT28 / Fancy Bear / Sofacy / Forest Blizzard, publicly attributed to Russia’s GRU Unit 26165. The content consistently describes STEELHOOK as a stealer focused on Chromium-based browser data, including browser-stored credentials. It appears in APT28’s newer toolset used from roughly 2022 onward alongside HeadLace, CredoMap, MASEPIE, and OCEANMAP. Reporting cited in the content links it to espionage activity targeting Ukrainian government organizations, French entities, and broader European targets, and to a Russian state-sponsored campaign against Western logistics entities and technology companies involved in support to Ukraine. The content also states that OceanMap was reportedly deployed through STEELHOOK and MASEPIE in some infection chains. High-confidence behavioral detail in the provided material is limited beyond its role as a browser-data/credential stealer; no standalone STEELHOOK-specific IOCs are directly provided in the content.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
APT28

STEELHOOK : PowerShell script targeting Chromium-based browser data.

via sekoia blogblog.sekoia.io
MITRE ATT&CK

Techniques & procedures

4 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques
T1566PhishingEvidence2

Spear phishing campaigns or the SedKit exploit kit delivered the Seduploader first stage.

T1566.003Spearphishing via ServiceEvidence1

"The threat actor sent phishing emails to targeted recipients using previously compromised email accounts."

Execution

1 technique
T1059.001PowerShellEvidence1

STEELHOOK : PowerShell script targeting Chromium-based browser data.

Credential Access

1 technique
T1555.003Credentials from Web BrowsersEvidence1

“…OceanMap stealer… relies on the IMAP protocol to exfiltrate the credentials stored on web browsers.”

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app
sekoia blogNews
Jun 11, 2026
APT28, an evolution of tradecraft - Sekoia.io Blog

A PowerShell-based stealer focused on collecting data from Chromium-based browsers.

Read more
harfanglab insidethelabNews
Mar 6, 2025
Compromised routers are still leveraged as malicious infrastructure to target government organizations in Europe and Caucasus - HarfangLab

Credential-stealing malware referenced as part of the toolset deployed in the campaign; no additional technical details provided in the content.

Read more
malpediaNews
Feb 1, 2026
APT28 (Threat Actor)

Russian GRU Targeting Western Logistics Entities and Technology Companies STEELHOOK MASEPIE Headlace

Read more
cert ssi scadaNews
Mar 18, 2026

Referenced as a malicious code used to deploy the updated OceanMap stealer; specific functionality is not described in the provided content.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping4

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.