Security research, threat intelligence, and detection engineering.

© 2026 DFIR Lab. All rights reserved.


APT28

Also known as: Fancy Bear, Sofacy, Pawn Storm, Sednit, STRONTIUM, Forest Blizzard, Tsar Team, Threat Group-4127, ITG05, UAC-0001, GruesomeLarch, BlueDelta, Blue Athena, TA422, Fighting Ursa, SNAKEMACKEREL, Swallowtail, SIG40

Status: Active | Type: Nation-State | Origin: Russia | MITRE: G0007

Campaigns: 0 | Techniques: 53 | IOCs: 13 | Tools: 23 | Matches: 0 | Infrastructure: 12

Overview

APT28 (GRU Unit 26165) has significantly evolved its arsenal and tactics in 2024-2026. The group now rapidly weaponizes 1-day vulnerabilities (CVE-2026-21509 was exploited within 24 hours of disclosure), deploys AI-powered malware (LameHug, which uses the Qwen LLM to generate commands dynamically), operates a heavily modified Covenant framework with cloud-based C2, conducts novel proximity-based 'Nearest Neighbor' Wi-Fi attacks, and extensively abuses legitimate cloud services (Filen, Koofr, Icedrive) for C2. Major campaigns include Operation MacroMaze (Sept 2025-Jan 2026), Operation Neusploit (Jan 2026), Operation Phantom Net Voxel, and sustained targeting of Western logistics supporting Ukraine.

Motivations

Espionage, Information Operations, Military Intelligence

Target Sectors

Government, Military, Defense, Media, Energy, Transportation, Think Tanks, Political Organizations, International Organizations, Logistics, Technology Companies, Hospitality, Western Military Suppliers, Ukrainian Military Personnel, Aerospace, Healthcare, Technology

Activity Timeline

First Seen: Jan 2004

Last Seen: Jan 2026

Quick Facts

Origin: Russia
Sophistication: nation-state
Status: Active
MITRE Group: G0007

MITRE ATT&CK Techniques (53)

Initial Access

T1566.001

Spearphishing Attachment

Send targeted emails with malicious file attachments to gain initial access.

T1190

Exploit Public-Facing Application

Exploit vulnerabilities in internet-facing applications to gain access.

T1078

Valid Accounts

Use legitimate credentials to authenticate and gain access.

T1566.002

Spearphishing Link

Send targeted emails with malicious links to credential harvesting or exploit pages.

Other

Additional technique IDs (36): T1053.005, T1071.001, T1560.001, T1556.001, T1583.001, T1588.002, T1574.001, T1218.011, T1102, T1586, T1598, T1134, T1542, T1567.002, T1557, T1119, T1020, T1113, T1091, T1210, T1498, T1556, T1583.006, T1588.001, T1608.001, T1562.001, T1070.004, T1048.003, T1087.002, T1135, T1552.001, T1110.001, T1564.001, T1600, T1221, T1204.002

Execution

T1059.001

PowerShell

Use PowerShell commands and scripts for execution and automation.

Defense Evasion

T1027

Obfuscated Files or Information

Encrypt, encode, or obfuscate payloads and data to evade detection.

T1036

Masquerading

Disguise malicious artifacts by manipulating names or locations to appear legitimate.

Exfiltration

T1041

Exfiltration Over C2 Channel

Exfiltrate stolen data over the existing command and control channel.

Credential Access

T1003.001

LSASS Memory

Access LSASS process memory to extract credential material.

Lateral Movement

T1021.001

Remote Desktop Protocol

Use RDP to connect to and control remote systems.

Privilege Escalation

T1068

Exploitation for Privilege Escalation

Exploit software vulnerabilities to gain elevated privileges on a system.

Command and Control

T1090

Proxy

Route C2 traffic through intermediary proxies to obscure the source.

T1105

Ingress Tool Transfer

Download additional tools or payloads from an external system.

Discovery

T1082

System Information Discovery

Collect OS version, architecture, hostname, and other system details.

T1046

Network Service Discovery

Scan for services running on remote hosts across the network.

Collection

T1005

Data from Local System

Collect sensitive data stored on the local file system.

Resource Development

T1587

Develop Capabilities

Build custom malware, exploits, or tools for use in operations.

Tools & Malware (23)

X-Agent (malware; Malicious)

Primary modular backdoor for Windows, Linux, iOS, and Android. Provides remote access, keylogging, file exfiltration, and screenshot capture. Central to APT28 operations since 2007.

Zebrocy (malware; Malicious)

Multi-language dropper/backdoor written in Delphi, AutoIT, C++, C#, Go, and VB.NET. Used as first-stage reconnaissance and downloader in spear-phishing campaigns.

Seduploader (malware; Malicious)

Lightweight first-stage reconnaissance implant delivered via spear-phishing. Profiles the victim's system before deploying X-Agent or other second-stage payloads.

CredoMap (malware; Malicious)

Credential stealer that harvests saved passwords and cookies from web browsers. Deployed after initial access to gather authentication material for lateral movement.

OCEANMAP (malware; Malicious)

Backdoor using the IMAP email protocol for C2 communication, making traffic blend with normal email activity. Used in campaigns targeting Ukrainian entities.

Cobalt Strike (framework; Legitimate)

Commercial adversary simulation framework used for post-exploitation. APT28 deploys Cobalt Strike beacons for lateral movement, privilege escalation, and persistent C2.

Mimikatz (framework; Legitimate)

Used extensively for credential dumping: extracting plaintext passwords, NTLM hashes, and Kerberos tickets from Windows memory for lateral movement.

Responder (framework; Legitimate)

LLMNR/NBT-NS/mDNS poisoner used to capture NTLMv2 hashes on local networks. APT28 deploys this for credential harvesting during lateral movement.

Impacket (framework; Legitimate)

Python library for network protocol manipulation. APT28 uses the wmiexec, smbexec, and secretsdump modules for remote execution and credential extraction.

PowerShell (OS utility; Legitimate)

Used for fileless execution of payloads, reconnaissance scripts, and downloading additional tools. Frequently used with encoded commands to evade detection.

certutil (OS utility; Legitimate)

Windows certificate utility abused to download payloads from C2 servers and decode Base64-encoded malware, bypassing application whitelisting.

rundll32 (OS utility; Legitimate)

Used to execute malicious DLLs and proxy execution of payloads, evading process-based detection rules.

Nmap (legitimate tool; Legitimate)

Network scanner used for reconnaissance: mapping target networks, identifying open ports, and discovering services for exploitation.

CHOPSTICK (malware; Malicious)

Second-generation modular implant (also known as an X-Agent variant) with plugins for keylogging, file transfer, and remote shell operations.

GoDownloader (malware; Malicious)

Golang-based downloader used as an intermediary to fetch and execute Zebrocy or X-Agent. Often delivered via weaponized documents.

VPNFilter (malware; Malicious)

Multi-stage modular malware that infected 500,000+ SOHO routers and NAS devices worldwide. Used for traffic interception, credential stealing, and destructive capabilities.

Sofacy (Backdoor; Malicious)

First-stage backdoor typically delivered via spearphishing.

GAMEFISH (Backdoor; Malicious)

Backdoor also known as Sednit and Seduploader.

LoJax (Backdoor; Malicious)

UEFI rootkit used for persistence.

DealersChoice (Exploit; Malicious)

Flash Player exploitation framework used in targeted attacks.

Cannon (Backdoor; Malicious)

Trojan using email-based C2 communications.

KopiLuwak (Loader; Malicious)

JavaScript-based reconnaissance malware.

JHUHUGIT (Backdoor; Malicious)

Malware used in credential harvesting campaigns.

Indicators of Compromise (13)

IOC values are defanged for safety.

Type | Value | Notes
domain | login-microsoftonline[.]com | Credential harvesting domain mimicking Microsoft login
domain | mail-loqin[.]com | Phishing domain used in credential harvesting campaigns
domain | accounts-google[.]com | Google-themed credential harvesting
ip | 185[.]80[.]53[.]107 | C2 server used in European government targeting (2023)
ip | 77[.]83[.]247[.]72 | Infrastructure linked to Zebrocy operations
hash | d41d8cd98f00b204e9800998ecf8427e | Zebrocy dropper sample hash (MD5)
domain | wellnessmedcare[.]org | CVE-2026-21509 campaign payload hosting
domain | wellnesscaremed[.]com | CVE-2026-21509 campaign payload hosting
domain | freefoodaid[.]com | CVE-2026-21509 campaign payload hosting
domain | longsauce[.]com | CVE-2026-21509 campaign payload hosting
domain | packinstall[.]kozow[.]com | Ubiquiti router malware distribution
domain | filen[.]io | Cloud C2 service abused since July 2025
domain | webhook[.]site | Data exfiltration in Operation MacroMaze

Infrastructure (12)

Domain values are defanged for safety.

Domain / Host | Type | Status | Last Checked
login-microsoftonline[.]com | domain | whois_changed | Apr 2, 2026
  Credential harvesting domain mimicking Microsoft login
mail-loqin[.]com | domain | offline | Apr 2, 2026
  Phishing domain used in credential harvesting campaigns
accounts-google[.]com | domain | active | Apr 2, 2026
  Google-themed credential harvesting
185[.]80[.]53[.]107 | ip | active | Apr 2, 2026
  C2 server used in European government targeting (2023)
77[.]83[.]247[.]72 | ip | offline | Apr 2, 2026
  Infrastructure linked to Zebrocy operations
wellnessmedcare[.]org | domain | offline | Apr 2, 2026
wellnesscaremed[.]com | domain | offline | Apr 2, 2026
freefoodaid[.]com | domain | active | Apr 2, 2026
longsauce[.]com | domain | active | Apr 2, 2026
packinstall[.]kozow[.]com | domain | active | Apr 2, 2026
filen[.]io | domain | whois_changed | Apr 2, 2026
webhook[.]site | domain | active | Apr 2, 2026

Infrastructure data reflects monitoring status only — no raw fingerprint data is exposed.

References (16)

MITRE ATT&CK - APT28

https://attack.mitre.org/groups/G0007/

Microsoft - Forest Blizzard (STRONTIUM)

https://www.microsoft.com/en-us/security/blog/threat-intelligence/forest-blizzard-strontium/

Mandiant - APT28: A Window into Russia's Cyber Espionage Operations

https://www.mandiant.com/resources/apt28-a-window-into-russias-cyber-espionage-operations

APT28's Stealthy Multi-Stage Campaign Leveraging CVE-2026-21509 and Cloud C2 Infrastructure - Trellix

https://www.trellix.com/blogs/research/apt28-stealthy-campaign-leveraging-cve-2026-21509-cloud-c2/

Operation Neusploit: APT28 Uses CVE-2026-21509 - Zscaler ThreatLabz

https://www.zscaler.com/blogs/security-research/apt28-leverages-cve-2026-21509-operation-neusploit

APT28 Uses BEARDSHELL and COVENANT Malware to Spy on Ukrainian Military - The Hacker News

https://thehackernews.com/2026/03/apt28-uses-beardshell-and-covenant.html

Operation MacroMaze: new APT28 campaign using basic tooling and legit infrastructure - LAB52

https://lab52.io/blog/operation-macromaze-new-apt28-campaign-using-basic-tooling-and-legit-infrastructure/

The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks - Volexity

https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack/

Russian GRU Targeting Western Logistics Entities and Technology Companies - CISA AA25-141A

https://media.defense.gov/2025/May/21/2003719846/-1/-1/0/CSA_RUSSIAN_GRU_TARGET_LOGISTICS.PDF

Russia's Unit 26165 Resumes High-End Malware Campaigns - Bank Info Security

https://www.bankinfosecurity.com/russias-unit-26165-resumes-high-end-malware-campaigns-a-30947

APT28's New Arsenal: LAMEHUG, the First AI-Powered Malware - Logpoint

https://logpoint.com/en/blog/apt28s-new-arsenal-lamehug-the-first-ai-powered-malware

APT28 Credential Phishing Campaign Targets UKR.net Users - Rescana

https://www.rescana.com/post/apt28-credential-phishing-campaign-targets-ukr-net-users-technical-analysis-and-threat-intelligence

Fancy Bear 'Nearest Neighbor' Attack Uses Nearby Wi-Fi Network - Dark Reading

https://www.darkreading.com/cyberattacks-data-breaches/fancy-bear-nearest-neighbor-attack-wi-fi

APT28: A Window Into Russia's Cyber Espionage Operations

https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf

Sofacy Group's Parallel Attacks

https://www.paloaltonetworks.com/resources/research/unit42-sofacy-groups-parallel-attacks

LoJax: First UEFI rootkit found in the wild

https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/