All news with #apt28 tag

Thu, October 9, 2025

AI-Powered Cyberattacks Escalate Against Ukraine in 2025

🔍 Ukraine's SSSCIP reported a sharp rise in AI-enabled cyber operations in H1 2025, documenting 3,018 incidents versus 2,575 in H2 2024. Analysts found evidence that attackers used AI not only to craft phishing lures but also to generate malware samples, including a PowerShell stealer identified as WRECKSTEEL. Multiple UAC clusters—such as UAC-0219, UAC-0218, and UAC-0226—deployed stealers and backdoors via booby-trapped archives, SVG attachments, and ClickFix-style tactics. The report also details zero-click exploitation of Roundcube and Zimbra flaws and widespread abuse of legitimate cloud and collaboration services for hosting and data exfiltration.

Thu, September 4, 2025

APT28 Deploys NotDoor: Outlook VBA Backdoor in NATO

🔒 NotDoor is a newly reported Outlook VBA backdoor attributed to the Russian state-sponsored actor APT28 that monitors incoming mail for a trigger phrase and enables data exfiltration, file drops, and remote command execution. S2 Grupo's LAB52 describes deployment via DLL side-loading of onedrive.exe, which loads a malicious SSPICLI.dll, disables macro protections, and runs Base64-encoded PowerShell to establish persistence. The implant watches for a trigger such as "Daily Report" and supports four commands — cmd, cmdno, dwn and upl — sending stolen files via Proton Mail.

Wed, September 3, 2025

Russia-backed APT28 Deploys 'NotDoor' Outlook Backdoor

🛡️ Researchers at S2 Grupo’s LAB52 disclosed NotDoor, a VBA-based Outlook backdoor attributed to Russia-backed APT28 that monitors incoming mail for trigger phrases to exfiltrate data, upload files and execute arbitrary commands. The malware abuses Outlook event-driven macros, employs DLL side-loading via a signed OneDrive.exe to load a malicious SSPICLI.dll, and persists by disabling security prompts and enabling macros. Organizations are advised to disable macros by default, monitor Outlook activity and inspect email-based triggers.
