APT28

APT28 is a Russian state-sponsored threat group publicly linked to Russia’s GRU military intelligence, including reporting that associates it with GRU Military Unit 26165. It is widely tracked under aliases including Fancy Bear, Sednit, Sofacy, STRONTIUM, Forest Blizzard, Fighting Ursa, BlueDelta, Pawn Storm, UAC-0001, and UAC-0028. The group has conducted cyber espionage, credential theft, and influence operations, and has repeatedly targeted governments, military organizations, defense-related entities, logistics and transportation providers, policy organizations, and democratic institutions across Europe, the United States, and Ukraine-related ecosystems. Recent reporting in the provided content describes APT28 targeting European military and government entities, especially maritime, transport, logistics, and diplomatic organizations in countries including Poland, Slovenia, Turkey, Greece, the UAE, and Ukraine. In a January 2026 campaign, the group weaponized Microsoft Office vulnerability CVE-2026-21509 within 24 hours of public disclosure, using spear-phishing emails with malicious RTF and DOC attachments, embedded OLE objects, and WebDAV-delivered payloads. That intrusion chain used a first-stage loader referred to as SimpleLoader, followed by either a steganography-based loader that extracted and launched a modified Covenant implant in memory, or an Outlook VBA backdoor called NotDoor for persistent email collection. The campaign abused filen.io for command and control over HTTPS. Reporting also links APT28 to PixyNetLoader, used in campaigns exploiting CVE-2026-21509 to extract a COVENANT Grunt implant. The content also states that Sednit deployed Covenant and BeardShell implants against Ukrainian military personnel, drone manufacturers, and organizations involved in drone research and development, while also targeting logistics and transportation companies outside Ukraine. ESET reporting cited here says APT28 used BEARDSHELL and COVENANT since April 2024 for long-term surveillance of Ukrainian military personnel. Tradecraft and malware capabilities mentioned in the content include spear-phishing, credential harvesting, long-term surveillance, use of compromised accounts for delivery, use of victim infrastructure as proxies and hop points, proxy tooling to relay command traffic, PowerShell execution, timestomping, Startup-folder persistence, staging captured credentials in files such as pi.log and in C:\ProgramData, staging archives of collected data on Outlook Web Access servers, use of Google Drive for command and control, and monitoring USB mass storage insertion. The group has also been described as intentionally deleting files to cover its tracks. The content further attributes VPNFilter activity to APT28, describing it as advanced IoT malware with persistence, RAT and plugin architecture, destructive capability, traffic inspection, Tor communications, and the ability to search for ICS-related Modbus traffic. Separate joint government reporting in the content states that APT28 deployed Jaguar Tooth, a custom non-persistent Cisco IOS malware installed via exploitation of CVE-2017-6742 on older Cisco routers, providing unauthenticated backdoor access and exfiltrating device information over TFTP. Historically referenced activity in the content includes targeting of democratic think tanks ahead of European voting, credential harvesting in the international sporting sector, use of fake personas under the DC Leaks banner to seed stolen information to journalists in 2016, and the leak of stolen World Anti-Doping Agency athlete medical records around the Rio 2016 Olympics. The content consistently characterizes APT28 as a Russia-aligned espionage actor focused heavily on Ukraine and Western or NATO-linked targets.