Huseyin Can YUCEEL | 12 MIN READ

LAST UPDATED ON MAY 23, 2025

Russian Unit 26165 Targets Western Logistics and Technology Companies

On May 21, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on the Russian state-sponsored APT group Unit 26165 [1]. The group has intensified its operations against Western logistics providers and technology companies since 2022. Their aim is not random disruption but targeted espionage, gathering intelligence on supply routes and infrastructure that support Ukraine. Unit 26165 is also known by names like APT28, Fancy Bear, Forest Blizzard, and BlueDelta.

In this blog post, we explain the Tactics, Techniques, and Procedures (TTPs) used by Unit 26165 and how organizations can defend themselves against state-sponsored APT attacks.


Unit 26165: Russian State-sponsored APT Group

Unit 26165 is a cyber espionage unit within the 85th Main Special Service Center (GTsSS) of the GRU, Russia’s military intelligence service. This group has operated under multiple names, most notably APT28 and Fancy Bear. Over the years, Unit 26165 has built a reputation for targeting political institutions, defense contractors, media organizations, and now, with increased focus, logistics and IT infrastructure. Their main objective is to collect sensitive intelligence that can support Russian military and political objectives.

The group gained notoriety for its alleged interference in the 2016 U.S. elections but has since pivoted its efforts to operationally significant targets related to the war in Ukraine. Specifically, they have sought access to companies and technologies involved in transporting Western military and humanitarian aid to Ukraine. This includes rail operators, air traffic control entities, maritime logistics providers, and industrial control system (ICS) component manufacturers.

Unit 26165’s campaigns are characterized by persistence, strategic reconnaissance, and a deep understanding of enterprise IT environments. Their operations reflect a shift from one-off cyberattacks to sustained espionage efforts targeting the logistical lifeblood of Ukraine’s warfighting capabilities and the tech infrastructure that supports them.

Unit 26165’s Modus Operandi and MITRE ATT&CK TTPs

Unit 26165, also known as APT28 or Fancy Bear, leverages a broad and evolving toolkit aligned with MITRE ATT&CK techniques across multiple stages of the attack lifecycle.

Initial Access

T1190 Exploit Public-Facing Application

Unit 26165 exploits known, already-patched vulnerabilities to gain access. The Roundcube flaws below sit in internet-facing webmail and are exploited directly; the WinRAR and Outlook flaws are client-side and reach the victim through phishing lures (see T1204 User Execution and T1187 Forced Authentication below). Prompt patching and removal of unneeded internet-facing services are the primary mitigations.

Affected Product  | Vulnerability  | CVSS Score
RARLAB WinRAR     | CVE-2023-38831 | 7.8 (High)
Microsoft Outlook | CVE-2023-23397 | 9.8 (Critical)
Roundcube Webmail | CVE-2021-44026 | 9.8 (Critical)
Roundcube Webmail | CVE-2020-35730 | 6.1 (Medium)
Roundcube Webmail | CVE-2020-12641 | 9.8 (Critical)

T1566 Phishing

Spearphishing remains a preferred entry vector for Unit 26165. The group sends highly targeted emails in the recipient's local language, often themed around business or logistics. These emails include malicious links or attachments designed to steal credentials or deliver malware. Redirectors are used to filter victims by IP geolocation and browser fingerprint before delivering the payload or redirecting to legitimate websites to avoid suspicion.

T1199 Trusted Relationship

Unit 26165 exploits trusted relationships between organizations to extend their access beyond initially compromised networks. After breaching a primary target in the logistics or technology sector, the group identifies connected entities such as vendors or subcontractors and uses those relationships to move laterally. This may involve harvesting shared credentials, exploiting VPN access, or manipulating email forwarding rules. Because these relationships often involve pre-established trust and communication, attacks delivered through them are less likely to raise suspicion.

T1133 External Remote Services

Unit 26165 frequently targets internet-facing remote access services, including VPNs, to gain an initial foothold. By exploiting weak credentials or unpatched vulnerabilities, the group can authenticate into corporate environments without triggering immediate alerts.

T1659 Content Injection

Unit 26165 delivers malware in archive files that abuse CVE-2023-38831 in WinRAR. The lure archive contains a benign-looking file (for example a PDF) and a folder of exactly the same name, both with a trailing space, and the folder holds a script. When the victim double-clicks the document, vulnerable WinRAR versions run the script from the folder instead of opening the decoy.
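The archive layout described above can be checked statically before an attachment reaches a user. The following is an added example written for this post, not code from Picus, CISA, or any Unit 26165 tooling: it parses a ZIP archive with Python's standard library and reports a top-level file that shares its name (trailing space included) with a directory containing a script. The sample archives are constructed in memory for the demo; the script-extension list is an assumption to extend.

```python
"""Added example: flag ZIP archives laid out the way CVE-2023-38831 lures are.
Not code from the Picus post or the CISA advisory; samples are constructed."""
import io
import posixpath
import sys
import zipfile

# Extensions a vulnerable WinRAR would hand to a shell or script host (assumed list).
SCRIPT_EXTS = {".cmd", ".bat", ".vbs", ".js", ".wsf", ".hta", ".ps1", ".exe", ".scr", ".lnk"}


def find_38831_lures(zip_bytes):
    """Return (decoy, script) pairs: a top-level file that has a directory of
    exactly the same name (trailing space included) containing a script.
    Only the top level matters: that is what the victim sees and double-clicks."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        top_files = [n for n in names if "/" not in n]
        # Directory names, whether stored explicitly ("x/") or only implied ("x/y").
        dirs = {n.split("/", 1)[0] for n in names if "/" in n}
        for decoy in top_files:
            if decoy not in dirs:
                continue
            for member in names:
                if not member.startswith(decoy + "/") or member == decoy + "/":
                    continue
                # "Report.pdf .cmd" -> extension ".cmd"
                ext = posixpath.splitext(posixpath.basename(member).strip())[1].lower()
                if ext in SCRIPT_EXTS:
                    findings.append((decoy, member))
    return findings


def trailing_space_names(zip_bytes):
    """Names with a trailing space in any path component: Explorer cannot create
    these, so their presence alone is worth a look."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist()
                if any(part.endswith(" ") for part in n.split("/") if part)]


def build_sample_lure():
    """Constructed sample: decoy PDF plus a same-named folder holding a .cmd."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Shipping Manifest.pdf ", b"%PDF-1.4 decoy content")
        zf.writestr("Shipping Manifest.pdf /Shipping Manifest.pdf .cmd", b"start payload.exe\r\n")
        zf.writestr("readme.txt", b"nothing to see")
    return buf.getvalue()


def build_clean_archive():
    """Constructed sample: ordinary archive with a file and an unrelated folder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4")
        zf.writestr("invoice/notes.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python check_zip.py attachment.zip ...  (no arguments: run the samples)
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or \
              [("sample_lure.zip", build_sample_lure()), ("clean.zip", build_clean_archive())]
    for path, data in targets:
        print(path, "lures:", find_38831_lures(data), "trailing-space names:", trailing_space_names(data))
```

The check is deliberately structural rather than signature-based: it does not care what the script does, only that the archive is shaped so that opening one entry can execute another. Note that the same layout can be carried in RAR archives, which the standard library does not parse; the rule is the same once you have the member list.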

Execution

T1204 User Execution

Unit 26165 tricks users into launching malicious files or scripts delivered as attachments or links. These files install initial-stage malware or drop payloads such as HEADLACE and MASEPIE:

  • HEADLACE: A backdoor used for credential harvesting and system enumeration. Its deployment often begins with a malicious shortcut (.LNK) file, followed by scripts that prompt users for credentials using fake dialog boxes.

  • MASEPIE: A Python-based script used to interact with compromised machines. It supports file upload/download, command execution, and maintains persistence.

T1574.001 DLL Search Order Hijacking

Unit 26165 places a malicious DLL in a directory where a trusted application will load it instead of the legitimate one. This allows their malware, such as HEADLACE, to run without launching new processes, helping avoid detection. Because the technique hijacks normal system behavior, it blends in easily and bypasses many security tools.

T1547.009 Shortcut Modification

Unit 26165 places malicious .LNK files in Windows Startup folders, so the shortcut target executes every time the user logs in. Once planted, the attacker's code runs without any further user interaction and blends into normal logon activity. It is a cheap way to trigger additional payloads at each logon and helps the group retain long-term access while evading basic endpoint detection tools.

T1059 Command and Scripting Interpreter

Unit 26165 uses PowerShell, VBScript, and Python to download files, exfiltrate data, run reconnaissance commands, and launch malware such as HEADLACE or tools such as Certipy.

Persistence

T1053 Scheduled Task/Job and T1547.001 Registry Run Keys / Startup Folder

Unit 26165 uses scheduled tasks to run malware automatically at system startup or user logon, ensuring persistent access without user interaction. These tasks blend in with the many legitimate tasks on a Windows host, making detection difficult. They also rely on autostart execution by adding Windows registry Run keys and placing malicious .LNK files in Startup folders.
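The three autostart locations named in this section and under T1547.009 above are cheap to enumerate, and the hard part is separating an attacker's entry from the hundreds of legitimate ones. The following is an added example for this post, not code from Picus or the CISA advisory: it parses Task Scheduler XML exports (the format written by `schtasks /query /xml` and stored under `C:\Windows\System32\Tasks`) and scores them, together with Run-key values and Startup-folder shortcut targets supplied as resolved command lines, using two heuristics that are assumptions to tune: execution from a user-writable path and use of a script host or LOLBin. The sample task XML, Run keys, and shortcut targets are constructed for the demo.

```python
"""Added example, not code from the Picus post or the CISA advisory: triage
autostart entries (scheduled tasks, Run keys, Startup folder) for persistence.
Samples and heuristics are assumptions for the demo."""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
AUTOSTART_TRIGGERS = {"LogonTrigger", "BootTrigger"}
# Locations an unprivileged user can write to, and hosts that turn a text file
# into code. Both need per-environment allowlisting (some updaters live in AppData).
WRITABLE_PATH = re.compile(r"\\(AppData|Temp|Tmp|ProgramData|Users\\Public|Downloads)\\", re.I)
SCRIPT_HOST = re.compile(r'(^|[\\\s"])(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|cmd|python\w*)(\.exe)?\b', re.I)


def suspicion_reasons(command):
    reasons = []
    if WRITABLE_PATH.search(command):
        reasons.append("runs from user-writable path")
    if SCRIPT_HOST.search(command):
        reasons.append("script host or LOLBin")
    return reasons


def parse_task_xml(xml_text):
    """Return (command line, fires at logon/boot?) from a Task Scheduler XML export.
    Real exports are UTF-16 with an XML declaration: decode to str before calling."""
    root = ET.fromstring(xml_text)
    triggers = set()
    trig = root.find("t:Triggers", TASK_NS)
    if trig is not None:
        triggers = {child.tag.rsplit("}", 1)[-1] for child in trig}
    parts = []
    for ex in root.findall("t:Actions/t:Exec", TASK_NS):
        parts.append(ex.findtext("t:Command", default="", namespaces=TASK_NS))
        parts.append(ex.findtext("t:Arguments", default="", namespaces=TASK_NS))
    return " ".join(p for p in parts if p), bool(triggers & AUTOSTART_TRIGGERS)


def triage(entries):
    """entries: (source, name, command, autostart). Keep autostarts that have a reason."""
    flagged = []
    for source, name, command, autostart in entries:
        reasons = suspicion_reasons(command)
        if autostart and reasons:
            flagged.append({"source": source, "name": name, "command": command, "reasons": reasons})
    return flagged


# Constructed samples (the XML declaration is omitted so the str parses directly).
MALICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-w hidden -ep bypass -File C:\Users\alice\AppData\Roaming\sync.ps1</Arguments>
  </Exec></Actions>
</Task>"""
BENIGN_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe</Command>
    <Arguments>/c</Arguments>
  </Exec></Actions>
</Task>"""


def run_sample():
    entries = [
        ("task", "SyncUpdater", *parse_task_xml(MALICIOUS_TASK)),
        ("task", "MicrosoftEdgeUpdateTaskMachineUA", *parse_task_xml(BENIGN_TASK)),
        ("run_key", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
         r"wscript.exe //B C:\Users\alice\AppData\Local\Temp\up.vbs", True),
        ("run_key", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
         r"%windir%\system32\SecurityHealthSystray.exe", True),
        ("startup_lnk", r"Startup\sync.lnk", r"C:\ProgramData\sync\sync.exe", True),
    ]
    return triage(entries)


if __name__ == "__main__":
    for hit in run_sample():
        print(hit)
```

Resolving a Startup-folder `.lnk` to its target is left to the collector (PowerShell's `WScript.Shell` COM object or a forensic LNK parser); the triage logic only needs the resulting command line. The benign Edge task fires at logon too, which is why a trigger alone is never a finding here: it is the trigger combined with a writable path or a script host that earns the entry a second look.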

T1098 Account Manipulation

Unit 26165 manipulates account settings to establish long-term access and facilitate data collection. The group modifies Microsoft Exchange mailbox permissions, allowing the attackers to monitor emails without needing repeated logins. They also change folder permissions and MFA configurations to make compromised accounts appear legitimate.

T1556.006 Modify Authentication Process: Multi-Factor Authentication

After gaining access to a user account, Unit 26165 modifies the account’s multi-factor authentication settings. They enroll compromised accounts into MFA using methods such as mobile push notifications or alternate tokens. This tactic increases the perceived legitimacy of the account and makes future logins less suspicious to defenders. 

Defense Evasion

T1070 Indicator Removal on Host

To evade detection and complicate forensic analysis, Unit 26165 deletes evidence of their activity. They use wevtutil to clear event logs, erasing records of their intrusion, and del or PowerShell to remove artifacts such as dropped malware, staging scripts, and temporary data.
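Log clearing is one of the few attacker actions that leaves a louder trace than it removes: the Security log records its own clearing as Event ID 1102, the System log records other channels being cleared as Event ID 104, and the command that did it is usually captured by process-creation auditing before the clear. The following is an added example for this post, not code from Picus or the CISA advisory: detection logic that runs over a handful of constructed event records. The flattened record format (one dict per event with `EventID`, `Channel`, user and `CommandLine` fields) and the sample records are assumptions.

```python
"""Added example, not code from the Picus post or the CISA advisory: detect
log-clearing events and commands (T1070) in constructed Windows event records."""
import re

LOG_CLEAR_CMD = re.compile(
    r"\bwevtutil(?:\.exe)?\b.*\b(?:cl|clear-log)\b"        # wevtutil cl Security
    r"|\bClear-EventLog\b|\bRemove-EventLog\b"             # PowerShell cmdlets
    r"|\b(?:del|erase|rm|Remove-Item)\b.*\.evtx\b",         # deleting the log files directly
    re.I)


def triage_events(events):
    """Return one alert per clearing event or clearing command."""
    alerts = []
    for ev in events:
        eid, chan = ev.get("EventID"), ev.get("Channel", "")
        user = ev.get("SubjectUserName") or ev.get("User", "?")
        if eid == 1102 and chan == "Security":
            # 1102 is written into the freshly emptied Security log, so it survives the clear.
            alerts.append({"rule": "security_log_cleared", "user": user})
        elif eid == 104 and chan == "System":
            alerts.append({"rule": "log_cleared", "user": user, "log": ev.get("ClearedLog", "?")})
        elif (eid == 4688 and chan == "Security") or (eid == 1 and chan.startswith("Microsoft-Windows-Sysmon")):
            cmd = ev.get("CommandLine", "")
            if LOG_CLEAR_CMD.search(cmd):
                alerts.append({"rule": "log_clear_command", "user": user, "cmd": cmd})
    return alerts


SAMPLE_EVENTS = [  # constructed for the demo
    {"EventID": 4688, "Channel": "Security", "SubjectUserName": "svc_backup",
     "CommandLine": r"wevtutil.exe cl Security"},
    {"EventID": 1, "Channel": "Microsoft-Windows-Sysmon/Operational", "User": r"CORP\svc_backup",
     "CommandLine": r'powershell.exe -c "Clear-EventLog -LogName Security,System"'},
    {"EventID": 4688, "Channel": "Security", "SubjectUserName": "svc_backup",
     "CommandLine": r"cmd.exe /c del /f /q C:\Windows\System32\winevt\Logs\*.evtx"},
    {"EventID": 1102, "Channel": "Security", "SubjectUserName": "svc_backup"},
    {"EventID": 104, "Channel": "System", "SubjectUserName": "svc_backup",
     "ClearedLog": "Microsoft-Windows-PowerShell/Operational"},
    # benign: querying a log and deleting an unrelated file
    {"EventID": 4688, "Channel": "Security", "SubjectUserName": "j.smith",
     "CommandLine": r"wevtutil.exe qe Security /c:10 /rd:true"},
    {"EventID": 4688, "Channel": "Security", "SubjectUserName": "j.smith",
     "CommandLine": r"powershell.exe Remove-Item C:\Users\j.smith\report.txt"},
]


def users_clearing_logs(events):
    """Accounts that appear in any clearing alert: the pivot for the investigation."""
    return sorted({a["user"] for a in triage_events(events)})


if __name__ == "__main__":
    for alert in triage_events(SAMPLE_EVENTS):
        print(alert)
```

The practical point is the forwarding, not the rule: these events only help if they leave the host before the attacker clears them, so ship 1102, 104 and process-creation events to a collector in near real time rather than relying on the local .evtx files.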

Credential Access

T1110 Brute Force

Unit 26165 performs password guessing and password spraying against login portals, particularly VPNs, webmail, and administrative interfaces. The attempts are routed through anonymizing services such as Tor or through compromised routers to hide their origin. Spraying a few passwords across many accounts keeps each account below its lockout threshold, rotating source IP addresses defeats per-source rate limiting and blocklists, and TLS hides the content of the attempts from network monitoring tools.
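The IP rotation described above is precisely what breaks the usual "one source, many failed users" detection rule: each source touches only a handful of accounts. The following is an added example for this post, not code from Picus or the CISA advisory: a small detector over constructed authentication log lines that runs a per-source rule next to a campaign-level rule, and shows that only the latter fires on a rotating spray. The log line format, thresholds, and the fixed ten-minute window are assumptions.

```python
"""Added example, not code from the Picus post or the CISA advisory: password-spray
detection over constructed auth log lines, per-source vs campaign-level."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>\S+)")


def parse_auth_log(text):
    """Return (timestamp, source, user, failed) tuples; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["src"], m["user"].lower(), m["result"] == "FAIL"))
    return events


def detect_spray(events, window_s=600, per_source_users=5, campaign_users=10, max_fail_per_user=2):
    """Fixed windows of window_s seconds (a sliding window would also catch sprays
    that straddle a boundary). Two rules:
      spray_single_source:    one source fails against >= per_source_users accounts
      spray_rotating_sources: >= campaign_users accounts each fail at most
                              max_fail_per_user times, from more than one source"""
    windows = defaultdict(list)
    for ts, src, user, failed in events:
        if failed:
            windows[int(ts.timestamp()) // window_s].append((src, user))
    alerts = []
    for _, fails in sorted(windows.items()):
        users_by_src = defaultdict(set)
        fails_by_user = Counter()
        for src, user in fails:
            users_by_src[src].add(user)
            fails_by_user[user] += 1
        for src, users in users_by_src.items():
            if len(users) >= per_source_users:
                alerts.append({"rule": "spray_single_source", "src": src, "users": len(users)})
        # A sprayed account shows one or two failures; a user who mistypes shows more.
        sprayed = [u for u, n in fails_by_user.items() if n <= max_fail_per_user]
        if len(sprayed) >= campaign_users and len(users_by_src) > 1:
            alerts.append({"rule": "spray_rotating_sources", "sources": len(users_by_src), "users": len(sprayed)})
    return alerts


# Constructed sample: four rotating sources, three accounts each, plus one real user
# (bob) fumbling a password from a fifth address and then succeeding.
SAMPLE_LOG = """\
2025-05-20T10:00:05Z src=203.0.113.11 user=a.adams result=FAIL
2025-05-20T10:00:21Z src=203.0.113.11 user=b.baker result=FAIL
2025-05-20T10:00:40Z src=203.0.113.11 user=c.clark result=FAIL
2025-05-20T10:01:02Z src=203.0.113.12 user=d.davis result=FAIL
2025-05-20T10:01:19Z src=203.0.113.12 user=e.evans result=FAIL
2025-05-20T10:01:44Z src=203.0.113.12 user=f.frank result=FAIL
2025-05-20T10:02:07Z src=203.0.113.13 user=g.green result=FAIL
2025-05-20T10:02:30Z src=203.0.113.13 user=h.hall result=FAIL
2025-05-20T10:02:58Z src=203.0.113.13 user=i.irwin result=FAIL
2025-05-20T10:03:15Z src=203.0.113.14 user=j.jones result=FAIL
2025-05-20T10:03:39Z src=203.0.113.14 user=k.kim result=FAIL
2025-05-20T10:04:01Z src=203.0.113.14 user=l.lee result=FAIL
2025-05-20T10:04:10Z src=198.51.100.7 user=bob result=FAIL
2025-05-20T10:04:25Z src=198.51.100.7 user=bob result=FAIL
2025-05-20T10:04:40Z src=198.51.100.7 user=bob result=FAIL
2025-05-20T10:04:55Z src=198.51.100.7 user=bob result=OK
"""

if __name__ == "__main__":
    for alert in detect_spray(parse_auth_log(SAMPLE_LOG)):
        print(alert)
```

With the default thresholds the per-source rule stays silent (no address exceeds three accounts) while the campaign rule reports twelve sprayed accounts from five sources; lowering `per_source_users` to 3 makes the per-source rule fire four times as well, at the cost of noise on shared NAT addresses. Pairing the campaign rule with a successful logon to one of the sprayed accounts from the same sources is the higher-fidelity follow-up.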

T1111 Multi-Factor Authentication Interception

To bypass MFA, Unit 26165 sets up phishing pages that mimic legitimate login portals. These fake sites capture credentials and relay MFA challenges in real time, often using tools that simulate CAPTCHA and MFA interfaces. This allows attackers to capture session tokens or authentication responses before redirecting victims to actual login pages. 

T1056 Input Capture

Unit 26165 collects credentials and other sensitive data directly from the victim’s device. They use a PowerShell script that presents a fake login prompt to users, capturing their entered username and password.

T1187 Forced Authentication

Unit 26165 abuses CVE-2023-23397 in Microsoft Outlook to trigger forced authentication. A crafted message, typically a calendar appointment or task with a reminder, carries a reminder-sound property that points to a UNC path on an attacker-controlled server. When Outlook processes the reminder, it connects to that server over SMB without any user interaction and authenticates with NTLM, leaking the user's Net-NTLMv2 response (commonly called the NTLMv2 hash). That response can be relayed to other services or cracked offline to recover the password and gain access to other systems.
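The callback itself is the network signal to hunt for: a mail client has no business speaking SMB to the internet. The following is an added example for this post, not code from Picus, CISA, or Microsoft's CVE-2023-23397 scripts: it flags `outlook.exe` connections to external addresses on SMB ports, and at lower severity on port 80, since Windows retries a UNC path over WebDAV when outbound SMB is blocked. Field names mirror Sysmon Event ID 3; the sample records and the choice of "internal" ranges are assumptions.

```python
"""Added example, not code from the Picus post, the CISA advisory or Microsoft:
flag outlook.exe network events that look like a CVE-2023-23397 callback."""
import ipaddress

# Only RFC 1918 space and loopback count as internal here. (ipaddress.is_private
# would also exclude the documentation ranges used in the sample below.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
SMB_PORTS = {445, 139}        # UNC path -> SMB -> NTLM challenge/response leaves the host
WEBDAV_FALLBACK_PORTS = {80}  # UNC path retried over WebDAV when SMB egress is blocked


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage_outlook_egress(events):
    """Return findings for outlook.exe reaching SMB or plain HTTP outside the org."""
    findings = []
    for ev in events:
        if not ev.get("Image", "").lower().endswith("\\outlook.exe"):
            continue
        dst, port = ev.get("DestinationIp", ""), int(ev.get("DestinationPort", 0))
        if is_internal(dst):
            continue  # file shares are normal; an internal relay host needs a separate rule
        if port in SMB_PORTS:
            severity = "high"
        elif port in WEBDAV_FALLBACK_PORTS:
            severity = "medium"
        else:
            continue  # 443 and friends are ordinary Outlook traffic
        findings.append({"severity": severity, "user": ev.get("User"), "dst": dst, "port": port})
    return findings


OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
SAMPLE_EVENTS = [  # constructed for the demo
    {"EventID": 3, "Image": OUTLOOK, "User": r"CORP\alice", "DestinationIp": "203.0.113.7", "DestinationPort": "445"},
    {"EventID": 3, "Image": OUTLOOK, "User": r"CORP\alice", "DestinationIp": "203.0.113.7", "DestinationPort": "80"},
    {"EventID": 3, "Image": OUTLOOK, "User": r"CORP\alice", "DestinationIp": "10.20.1.15", "DestinationPort": "445"},
    {"EventID": 3, "Image": OUTLOOK, "User": r"CORP\alice", "DestinationIp": "203.0.113.9", "DestinationPort": "443"},
    {"EventID": 3, "Image": r"C:\Windows\explorer.exe", "User": r"CORP\alice", "DestinationIp": "203.0.113.7", "DestinationPort": "445"},
]

if __name__ == "__main__":
    for f in triage_outlook_egress(SAMPLE_EVENTS):
        print(f)
```

A hit is worth treating as a credential exposure for the user in question, not just a blocked connection: even when the perimeter firewall drops port 445, the NTLM exchange may already have completed against an attacker host reachable over WebDAV, so the password should be rotated and the relay targets (hosts that still accept NTLM without signing) reviewed.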

T1003 OS Credential Dumping

Unit 26165 frequently dumps the Active Directory database (NTDS.dit) with ntdsutil, which yields the password hashes of every domain account. They also use Certipy against Active Directory Certificate Services (AD CS) to enumerate certificate templates and request certificates that serve as an additional set of credentials.

T1552.006 Unsecured Credentials: Group Policy Preferences

Unit 26165 uses the Impacket script Get-GPPPassword.py to extract passwords stored in Group Policy Preferences (GPP) XML files in SYSVOL. These cpassword values are encrypted with a fixed AES key that Microsoft published, so anyone who can read SYSVOL can decrypt them. The passwords are often tied to local administrator or service accounts and are left behind by poor configuration hygiene; by recovering them, the group gains high-level access to systems or domains without exploiting a vulnerability or guessing a password.

Discovery

T1087.002 Account Discovery: Domain Account

Once inside a network, Unit 26165 conducts extensive account enumeration to understand the environment and identify high-value targets. They use tools like ldap-dump.py to query Active Directory and retrieve lists of domain accounts, including usernames, group memberships, and administrative privileges.

Command and Control (C2)

T1665 Hide Infrastructure

Unit 26165 routes their operations through compromised infrastructure, particularly small office/home office (SOHO) routers. These devices are often located geographically close to the target and serve as proxies, masking the attacker’s real IP address and blending traffic with legitimate network activity. By hijacking devices that are already trusted on the internet, the group avoids detection and makes tracing attacks back to their command-and-control servers more difficult.

T1090 Proxy

Unit 26165 uses external proxies including compromised devices and third-party services like commercial VPNs to relay traffic between victims and their command-and-control servers. In some cases, their malware initiates connections through multiple layers of proxies, creating a multi-hop route that hides the final destination. They also use proxy networks to host phishing infrastructure and credential harvesting sites. These proxies allow attackers to evade geographic IP filtering and maintain operational continuity even if a proxy node is taken down or blocked.

T1573 Encrypted Channel

Unit 26165 typically communicates with C2 servers over encrypted channels, such as TLS, to make their traffic appear legitimate and difficult to inspect. They also encrypt data during exfiltration to further obscure its contents. By using standard encryption protocols and blending into regular web traffic, they reduce the effectiveness of traditional network monitoring tools.

T1104 Multi-Stage Channels

The group employs multi-stage channels during phishing and data exfiltration. In their phishing operations, users are initially directed to redirector sites that assess IP geolocation and browser fingerprinting before serving the final malicious page. These redirectors act as filters, ensuring that only intended targets are exposed to the attack. Multi-stage channels also add resilience, allowing them to quickly change payload delivery infrastructure without altering the phishing lure or primary URL.

Lateral Movement

T1021.001 Remote Services: Remote Desktop Protocol

Unit 26165 frequently uses Remote Desktop Protocol (RDP) to move laterally within networks. RDP provides full interactive access to systems, allowing attackers to perform actions manually or deploy additional tools. They may use RDP to connect to domain controllers, access administrative shares, or explore systems storing logistics or shipment data. To avoid detection, they may tunnel RDP through compromised VPNs or proxies. 

Collection

T1114 Email Collection

Unit 26165 manipulates Exchange mailbox permissions to enable silent monitoring of user accounts, allowing long-term access without triggering user alerts. They then collect emails using protocols like Exchange Web Services (EWS) or IMAP. In some cases, this data includes aid shipment manifests, transport routes, and recipient details.
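The mailbox-permission and forwarding changes described under T1098 Account Manipulation and here under T1114 Email Collection are administrative operations, and Exchange records each of them in its admin audit log with the cmdlet name and its parameters. The following is an added example for this post, not code from Picus, CISA, or Microsoft: it triages records shaped like Microsoft 365 unified audit log entries (an `Operation`, the acting `UserId`, and `Parameters` as name/value pairs) for FullAccess grants, folder permissions opened to everyone, and rules or mailbox settings that forward mail out of the organization. The records and the organization's domain are constructed for the demo.

```python
"""Added example, not code from the Picus post, the CISA advisory or Microsoft:
triage Exchange admin audit records for mailbox-access and forwarding abuse."""
import json

FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress")


def param(record, name):
    """Value of a named cmdlet parameter from the record, or '' if absent."""
    for p in record.get("Parameters", []):
        if p.get("Name", "").lower() == name.lower():
            return str(p.get("Value", ""))
    return ""


def _domain(address):
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def triage_exchange_audit(records, own_domains=("example.org",)):
    """Return findings; own_domains decides what counts as external forwarding."""
    findings = []
    for r in records:
        op, actor = r.get("Operation", ""), r.get("UserId", "")
        target = param(r, "Mailbox") or param(r, "Identity") or actor
        if op == "Add-MailboxPermission" and "fullaccess" in param(r, "AccessRights").lower():
            findings.append({"rule": "fullaccess_granted", "actor": actor, "mailbox": target,
                             "grantee": param(r, "User")})
        elif op in ("Add-MailboxFolderPermission", "Set-MailboxFolderPermission"):
            if param(r, "User").lower() in ("default", "anonymous"):
                findings.append({"rule": "folder_permission_to_everyone", "actor": actor,
                                 "folder": target, "rights": param(r, "AccessRights")})
        elif op in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox"):
            dests = [param(r, k) for k in FORWARD_PARAMS if param(r, k)]
            external = [d for d in dests if _domain(d) and _domain(d) not in own_domains]
            if external:
                findings.append({"rule": "external_forwarding", "actor": actor, "mailbox": target,
                                 "to": external, "deletes_original": param(r, "DeleteMessage") == "True"})
            elif dests:
                findings.append({"rule": "internal_forwarding", "actor": actor, "mailbox": target, "to": dests})
    return findings


# Constructed sample records, one JSON object per line as a UAL export would give them.
SAMPLE_RECORDS = [json.loads(line) for line in r'''
{"CreationTime": "2025-05-20T08:11:02", "Operation": "Add-MailboxPermission", "UserId": "admin@example.org", "Parameters": [{"Name": "Identity", "Value": "logistics@example.org"}, {"Name": "User", "Value": "svc-archive@example.org"}, {"Name": "AccessRights", "Value": "FullAccess"}, {"Name": "AutoMapping", "Value": "False"}]}
{"CreationTime": "2025-05-20T08:12:40", "Operation": "Add-MailboxPermission", "UserId": "admin@example.org", "Parameters": [{"Name": "Identity", "Value": "hr@example.org"}, {"Name": "User", "Value": "assistant@example.org"}, {"Name": "AccessRights", "Value": "ReadPermission"}]}
{"CreationTime": "2025-05-20T08:15:09", "Operation": "Set-MailboxFolderPermission", "UserId": "logistics@example.org", "Parameters": [{"Name": "Identity", "Value": "logistics@example.org:\\Inbox"}, {"Name": "User", "Value": "Default"}, {"Name": "AccessRights", "Value": "Reviewer"}]}
{"CreationTime": "2025-05-20T08:20:33", "Operation": "New-InboxRule", "UserId": "logistics@example.org", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "ForwardTo", "Value": "archive.mailbox@mail-backup.example"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"CreationTime": "2025-05-20T08:25:00", "Operation": "New-InboxRule", "UserId": "j.smith@example.org", "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Newsletters"}]}
{"CreationTime": "2025-05-20T08:31:12", "Operation": "Set-Mailbox", "UserId": "admin@example.org", "Parameters": [{"Name": "Identity", "Value": "ceo@example.org"}, {"Name": "ForwardingSmtpAddress", "Value": "smtp:c.e.o@mail-backup.example"}, {"Name": "DeliverToMailboxAndForward", "Value": "True"}]}
'''.strip().splitlines()]

if __name__ == "__main__":
    for f in triage_exchange_audit(SAMPLE_RECORDS):
        print(f)
```

Two details in the sample are worth carrying into a production rule: `AutoMapping False` on a FullAccess grant keeps the delegated mailbox out of the grantee's Outlook, which is convenient for a quiet operator, and a rule named "." that deletes the original after forwarding is a classic sign the rule was written to be overlooked. Both are properties of the record, not of the recipient domain, so they catch collection that stays inside the tenant as well.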

T1119 Automated Collection

Unit 26165 sets up automated collection routines, such as scheduled EWS queries, to reduce their operational footprint and minimize the risk of triggering security alerts. This hands-off approach also enables persistent data harvesting over extended periods, which is particularly useful for tracking changes in logistics operations or identifying new targets from evolving email content.

T1125 Video Capture

Unit 26165 has conducted large-scale campaigns targeting IP cameras, especially those located near Ukrainian border crossings and critical infrastructure. They send crafted RTSP requests to access live video feeds. Successful exploitation allows them to view and capture footage of aid shipments, troop movements, and facility operations.

T1560 Archive Collected Data

Before exfiltration, the group typically archives the collected data (stolen credentials, documents, and email files) into .zip files using PowerShell or Python and stages the archives in temporary directories before sending them to remote servers. Bundling several sources into one archive keeps the number of transfers low and makes each one cheaper to move.

T1048 Exfiltration Over Alternative Protocol

Unit 26165 exfiltrates data over SSH rather than the web protocols that most monitoring rules focus on. They drop custom OpenSSH binaries on infected machines and use them to push the archived data to remote C2 servers. The encrypted channel hides the content from inspection, and an SSH session draws less attention than bulk HTTP or FTP uploads in environments that watch those channels closely.

T1029 Scheduled Transfer

For long-term operations, the group automates exfiltration with scheduled tasks that periodically collect new data, especially email, and send it to attacker-controlled infrastructure. Combined with automated collection, this creates an autonomous harvesting pipeline that delivers updated intelligence with minimal operator effort, and small, regular transfers are less likely to trigger volume-based alerts than occasional bulk uploads. The approach reflects the group's emphasis on stealth and efficiency.

How Picus Helps Simulate Unit 26165 Attacks

We strongly suggest simulating Unit 26165 attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other threat groups and malware families, such as Lazarus, MuddyWater, and Salt Typhoon, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for Unit 26165 aka APT28:

Threat ID | Threat Name                                          | Attack Module
76649     | Russian GRU Threat Group Campaign                    | Windows Endpoint
26499     | APT28 Threat Group Campaign Malware Download Threat  | Network Infiltration
52129     | APT28 Threat Group Campaign Malware Email Threat     | Email Infiltration (Phishing)
36675     | MASEPIE Backdoor Malware Download Threat             | Network Infiltration
38590     | MASEPIE Backdoor Malware Email Threat                | Email Infiltration (Phishing)
35182     | OCEANMAP Backdoor Malware Download Threat            | Network Infiltration
37631     | OCEANMAP Backdoor Malware Email Threat               | Email Infiltration (Phishing)

Picus also provides actionable mitigation content. The Picus Mitigation Library includes prevention signatures that address Unit 26165 aka APT28 and similar APT attacks in preventive security controls. Picus Labs has validated the following signatures for Unit 26165 aka APT28:

Security Control | Signature ID | Signature Name
Check Point NGFW | 0C308E4AE    | Generic.Win32.Generic.TC.bc43wKrd
Cisco FirePower  |              | Auto.ECC580.211859.in02
Forcepoint NGFW  |              | File_Malware-Blocked
Fortigate AV     | 7024603      | Malware_Generic.P0
Fortigate AV     | 58991        | W32/PossibleThreat
Palo Alto        | 218819673    | Trojan/Win32.fqkm.d
Trellix          | 0x4840c900   | MALWARE: Malicious File Detected by GTI

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.

References

[1] "Russian GRU Targeting Western Logistics Entities and Technology Companies," Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-141a
