frozenlake

APT28 is a Russian state-sponsored cyber espionage group, attributed to the GRU's Unit 26165. Active since at least 2004, APT28 is known for targeting government, military, defense, and critical infrastructure organizations, particularly in Ukraine, Eastern Europe, the EU, and NATO member states, but also in Africa and South America. The group is highly adaptive, leveraging zero-day and n-day vulnerabilities, especially in webmail platforms such as Roundcube, Zimbra, Horde, and MDaemon, to conduct credential theft, data exfiltration, and persistent access operations. Notable campaigns include Operation RoundPress, which exploited XSS vulnerabilities in webmail servers via spear-phishing emails containing malicious JavaScript payloads. APT28 has also deployed advanced malware such as PROMPTSTEAL (LAMEHUG), which uses LLMs for dynamic command generation, and the BeardShell backdoor, which employs steganography and cloud-based C2. The group has a history of exploiting vulnerabilities in Cisco IOS XE, MDaemon, and other enterprise platforms. APT28 is also known for using AI-driven malware and for evolving its TTPs to evade detection, including the use of cloud services for C2 and the integration of LLMs for real-time code mutation. The group is responsible for high-profile incidents such as the 2016 DNC hack, attacks on WADA, and ongoing campaigns against Ukrainian and EU defense sectors. Known aliases include Fancy Bear, Sednit, Sofacy, Forest Blizzard, and BlueDelta.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

ACTIVITY FEED

Recent activity

19 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

19 SOURCESView more in app

security online infoNews

Nov 6, 2025

Next-Gen Threat: Google Exposes AI-Enabled Malware That Rewrites Its Own Code with Gemini LLM

APT28 is deploying AI-enabled malware (PROMPTSTEAL) that leverages LLMs in live operations to generate commands for data harvesting and exfiltration, marking a shift to AI-assisted cyber espionage.

securityaffairsNews

Nov 6, 2025

Google sounds alarm on self-modifying AI malware

APT28 is leveraging AI-powered malware, specifically PROMPTSTEAL, to dynamically generate and execute system and file collection commands during live operations, enabling adaptive data exfiltration and evasion.

Nov 5, 2025

Attackers abuse Gemini AI to develop ‘Thinking Robot’ malware and data processing agent for spying purposes

APT28 is conducting data-mining operations using AI-powered malware (PromptSteal) that leverages LLMs to generate commands dynamically during attacks. The malware is being used against Ukraine and is being actively developed to improve obfuscation and command-and-control methods.

sentinelone labsNews

Nov 3, 2025

LABScon25 Replay | LLM-Enabled Malware In the Wild

APT28 has been observed leveraging LLM-enabled malware in campaigns such as LameHug and PROMPTSTEAL, embedding Large Language Model capabilities directly into malicious payloads to generate code at runtime and evade traditional detection methods.

+15 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.