TA422
TA422 is a Russia-linked threat actor that overlaps with activity tracked by third parties as APT28 and Sofacy. The content describes TA422 conducting espionage-oriented phishing and exploitation campaigns primarily against Ukrainian and European government-related targets. Reported targeting includes Ukrainian government agencies and Ukrainian entities, as well as European defense, transportation, and diplomatic organizations and attacks against Ukraine and EU member states. The actor was reported to weaponize newly disclosed Microsoft vulnerabilities rapidly. Within 24 hours of public disclosure in January 2026, TA422 used malicious RTF files exploiting CVE-2026-21509, a Microsoft Office RTF/OLE remote code execution vulnerability. Proofpoint reported that this exploitation chain culminated in deployment of the NotDoor Outlook backdoor and Covenant Grunt implants, and that cloud storage services including filen.io were used as command-and-control infrastructure. TA422 was also reported to have exploited CVE-2026-32202 as a zero-day alongside CVE-2026-21513 in attacks beginning in late 2025 against Ukraine and EU member states. The content also attributes ClickFix-style social engineering activity to TA422 in October 2024. In that activity, TA422 sent phishing emails containing a link mimicking a Google spreadsheet, including lures purportedly sent by CERT-UA. The lure led victims through a reCAPTCHA-themed flow that presented a PowerShell command for execution. CERT-UA reported that the PowerShell created an SSH tunnel and ran Metasploit. Across the cited reporting, TA422’s tradecraft includes phishing, malicious document exploitation, rapid weaponization of public vulnerabilities, PowerShell-based execution, and use of post-exploitation tooling. Known aliases directly mentioned in the content are APT28 and Sofacy.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they're from
Attributed origin per open-source reporting.
- RU
Tradecraft
8 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Associated malware families
3 malware families attributed to this actor across reporting.
Associated vulnerabilities
6 CVEs this actor has used in observed campaigns. 6 of them exploited in the wild.
The security vulnerability in question is CVE-2023-23397 (CVSS score: 9.8), a critical privilege escalation bug that could allow an adversary to access a user's Net-NTLMv2 hash that could then be used to conduct a relay attack against another service to authenticate as the user. It was patched by Microsoft in March 2023.
In recent months, it has also been connected to attacks on various organizations in France and Ukraine as well as the abuse of the WinRAR flaw (CVE-2023-38831) to steal browser login data using a PowerShell script named IRONJAW.
CVE-2026-21509 — Microsoft Office (RTF/OLE Code Execution) The more prominent of the two is CVE-2026-21509, a remote code execution vulnerability in Microsoft Office affecting RTF and OLE document processing. Within 24 hours of public disclosure in January 2026, Russia-linked TA422 (APT28) weaponized the flaw in malicious RTF files targeting Ukrainian government agencies and European defense, transportation, and diplomatic entities.
CVE-2026-21510 — Windows Shell Protection Mechanism Failure In two separate campaigns observed by Proofpoint in March and April 2026, DPRK-aligned threat actor TA406 (Opal Sleet) chained CVE-2026-21509 and CVE-2026-21510 within a single attack sequence... invoked CVE-2026-21510 to bypass Windows Shell security controls and execute a DLL payload.
The flaw was exploited as a zero-day alongside CVE-2026-21513 by TA422 in attacks targeting Ukraine and EU member states beginning in late 2025.
1 more CVE tied to this actor tracked in Mallory.
Observables
1 indicator attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
Recent activity
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Rapidly weaponized newly disclosed Microsoft Office and Windows vulnerabilities in targeted spear-phishing campaigns against Ukrainian government agencies and European defense, transportation, diplomatic, and EU member state targets.
Uses ClickFix via phishing links masquerading as Google Sheets/Spreadsheets to induce PowerShell execution as part of espionage tradecraft.
Espionage operations targeting Ukrainian entities using ClickFix embedded in phishing lures mimicking CERT-UA/Google Sheets, leading to PowerShell that establishes SSH tunneling and executes Metasploit.
Russian espionage phishing using a Google Sheets lure and reCAPTCHA/ClickFix-style prompt to copy/paste a PowerShell command that establishes an SSH tunnel and runs Metasploit.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.