All news with #apt28 tag

25 articles

Microsoft: Active Exploitation of Windows Shell Bug

🛡️ Microsoft confirmed active exploitation of a patched Windows Shell vulnerability, CVE-2026-32202, after correcting its advisory metadata. The flaw is a spoofing/authentication-coercion issue (CVSS 4.3) that can disclose sensitive information and was addressed in April Patch Tuesday. Akamai researcher Maor Dahan links the defect to an incomplete February fix for CVE-2026-21510 and says an APT28 campaign weaponized LNK/CPL/UNC/SMB chains to harvest credentials.

APT28 Deploys PRISMEX Malware Against Ukraine Allies

🔍 Trend Micro links a targeted spear-phishing campaign to APT28 that delivers a previously undocumented malware suite called PRISMEX, active since at least September 2025. The operation blends steganography, COM DLL hijacking, and abuse of legitimate cloud services to retrieve and execute in-memory payloads. Researchers observed rapid weaponization of CVE-2026-21509 and CVE-2026-21513, with overlapping infrastructure such as "wellnesscaremed[.]com". The toolkit includes PrismexSheet, PrismexDrop, PrismexLoader and a COVENANT-based stager that has been associated with both espionage and destructive wiper activity.

Forest Blizzard Hijacks Routers to Enable AiTM Attacks

🔒 Forest Blizzard, tracked as APT28, is compromising home and small-office routers to redirect traffic through attacker-controlled DNS servers and enable post-compromise adversary-in-the-middle (AiTM) attacks. Microsoft observed the actor likely using dnsmasq to answer DNS queries on port 53 and selectively spoof DNS responses to redirect users to malicious infrastructure. Targeted domains included Outlook on the web, where attackers presented invalid TLS certificates to intercept plaintext if users bypassed warnings. Microsoft reports more than 200 organizations and 5,000 consumer devices affected, with government, IT, telecom and energy sectors prioritized.

US Disrupts APT28 DNS Hijacking Network Targeting Routers

🛡️ The US Department of Justice and FBI led a court-authorized operation to neutralize a DNS hijacking network run by Russian APT28 that had compromised SOHO routers across 23 US states. Dubbed Operation Masquerade, the effort sent commands to affected routers to collect evidence and reset malicious DNS resolvers to legitimate ISP settings. Agencies say the remediation did not harm router functionality and can be reversed by users via factory reset or web management pages. Authorities urged owners to update firmware, verify DNS settings and replace end-of-life devices.

Russian GRU Used Router Flaws to Steal Office Tokens

🔒 Security researchers say hackers linked to Russia’s GRU used known vulnerabilities in end-of-life routers to mass-harvest Microsoft Office authentication tokens. The actor, tracked as Forest Blizzard (aka APT28/Fancy Bear), altered DNS settings on mostly MikroTik and TP-Link SOHO devices to route traffic through attacker-controlled DNS servers and perform adversary-in-the-middle (AiTM) interception of OAuth tokens and TLS sessions. Microsoft identified more than 200 affected organizations and about 5,000 consumer devices, while Black Lotus Labs observed the campaign touching over 18,000 routers at its December 2025 peak.

APT28 Turns Insecure Routers into DNS Hijack Nodes

🔐 Lumen's Black Lotus Labs and Microsoft linked a campaign named FrostArmada to APT28 (aka Forest Blizzard), which compromised insecure MikroTik and TP-Link SOHO routers to change DNS settings and route traffic to attacker-controlled resolvers. The actors used DNS hijacking to perform passive reconnaissance and attacker-in-the-middle (AitM) operations to harvest passwords, OAuth tokens, and other credentials without user interaction. The malicious infrastructure has been disrupted in a multi-agency operation led by the U.S. Department of Justice and FBI with international partners.

Authorities Disrupt Router DNS Hijacks Targeting Microsoft

🔒 An international law enforcement operation, supported by private researchers, disrupted FrostArmada, an APT28 campaign that hijacked DNS settings on compromised MikroTik and TP-Link routers to intercept Microsoft 365 authentication. The attackers redirected DNS to attacker-controlled VPS nodes acting as AitM proxies and captured logins and OAuth tokens. Microsoft, Lumen Black Lotus Labs, the FBI, the DOJ, and Polish authorities took the malicious infrastructure offline and published indicators and mitigations.

UK NCSC: APT28 Hijacks Routers to Steal Credentials Globally

🔒 The UK’s National Cyber Security Centre (NCSC) warns that Russian-linked APT28 has been compromising vulnerable SOHO routers to redirect DNS traffic through attacker-controlled servers and harvest credentials. The actor has modified a list of VPS-hosted DNS servers since 2024 and exploited models including TP-Link (notably the WR841N via CVE-2023-50224) and MikroTik. The campaigns use DHCP DNS tampering and adversary-in-the-middle techniques; the NCSC and Microsoft advise firmware updates, multifactor authentication and network hardening.

Russian APT28 Exploits Zimbra Flaw Against Ukraine

🔒 APT28 actors are exploiting a Zimbra Collaboration Suite stored XSS (tracked as CVE-2025-66376) in targeted attacks against Ukrainian government entities. The campaign delivers obfuscated JavaScript in phishing emails that executes when messages are opened in vulnerable Zimbra webmail, enabling remote code execution and server compromise. Researchers report the script harvests credentials, session tokens, 2FA backup codes, and 90 days of mailbox content, exfiltrating data over DNS and HTTPS. CISA has added the flaw to its catalog and ordered federal agencies to remediate affected servers under BOD 22-01.

APT28 Uses BEARDSHELL and COVENANT for Ukrainian Espionage

🛰️ ESET researchers say the Russian state-sponsored group APT28 has deployed two implants, BEARDSHELL and COVENANT, alongside a keylogger dubbed SLIMAGENT to conduct long-term surveillance of Ukrainian military personnel since April 2024. BEARDSHELL executes PowerShell commands and uses Icedrive for command-and-control, while the group’s modified COVENANT has abused Filen for cloud-based C2 since July 2025. ESET links SLIMAGENT to older XAgent samples and notes shared obfuscation techniques as evidence of APT28 attribution.

APT28 Deploys Customized Covenant Variant for Espionage

🔒 Since April 2024, Russian state-sponsored APT28 has deployed a customized variant of the open-source Covenant post-exploitation framework alongside a modern implant called BeardShell. The dual-implant approach enabled long-term surveillance of Ukrainian military personnel and central executive bodies, researchers at ESET and CERT-UA report. Attacks exploited the CVE-2026-21509 Microsoft Office vulnerability using malicious DOC files. APT28 modified Covenant with deterministic implant IDs, altered execution flows to evade behavioral detection, and added new cloud-based communication channels.

Sednit reemerges with BeardShell and Covenant toolkit

🔍 ESET documents the reactivation, since April 2024, of Sednit’s advanced implant team, which now deploys the paired implants BeardShell and Covenant to maintain resilient command-and-control through distinct cloud providers. A SlimAgent keylogger found in Ukraine shows clear code lineage to the 2010-era Xagent backdoor, while BeardShell executes PowerShell in a .NET runtime and communicates via Icedrive using an obfuscation pattern previously seen in Xtunnel. Covenant is a heavily modified open-source framework adapted for long-term espionage with cloud-backed protocols; ESET maps observed behaviors to ATT&CK techniques and publishes IoCs.

APT28-Linked Campaign Deploys BadPaw Loader and MeowMeow

🐾 ClearSky reports a Russian-linked campaign targeting Ukrainian entities that deploys a .NET loader named BadPaw and a backdoor called MeowMeow. The attack begins with a phishing message that lures victims to download a ZIP archive containing an HTA decoy presenting a Ukrainian border-crossing appeal while executing hidden stages. The HTA extracts a VBScript and a PNG-embedded loader, establishes persistence via a scheduled task, and orchestrates retrieval of the MeowMeow backdoor from a remote C2 server. Researchers attribute the operation to APT28 with moderate confidence based on targeting, lures, and tradecraft overlaps.

APT28 Tied to CVE-2026-21513 MSHTML Zero-Day Exploit

🔍 Akamai links the Russia-linked actor APT28 to exploitation of CVE-2026-21513, a high-severity (CVSS 8.8) MSHTML security feature bypass that Microsoft patched in its February 2026 update. The flaw in ieframe.dll mishandles hyperlink navigation and can be weaponized by malicious HTML or LNK files to invoke ShellExecuteExW and run resources outside the browser sandbox. Akamai identified a sample uploaded to VirusTotal on 30 January 2026 tied to infrastructure associated with APT28, while Microsoft and Google intelligence teams reported real-world exploitation.

APT28 Campaign Uses Webhook-Based Docs to Target Europe

🔎 S2 Grupo's LAB52 attributes a campaign codenamed Operation MacroMaze to the Russia-linked APT28, active from September 2025 through January 2026. The attackers used spear-phishing documents containing an INCLUDEPICTURE field that points to webhook[.]site URLs to confirm document opens and deploy macros that run VBScript and batch files. Payloads render Base64 HTML in Microsoft Edge, using headless or off-screen browsers to retrieve commands and exfiltrate output to webhook endpoints. LAB52 emphasizes the campaign's operational simplicity and reliance on legitimate services to reduce detection.

Operation Neusploit: APT28 Exploits Office RTF Bug

🛡️ Security researchers at Zscaler ThreatLabz observed Operation Neusploit in January 2026, days after Microsoft patched CVE-2026-21509. The campaign used weaponized RTF attachments to trigger a critical Microsoft Office vulnerability and fetch dropper DLLs that branched into two distinct infection paths. One path deployed MiniDoor to harvest Outlook email and weaken registry protections, while the other used PixyNetLoader to install a Covenant Grunt implant for persistent .NET-based C2. Zscaler urged immediate patching and published IOCs and analysis to aid detection.

APT28 Exploits Microsoft Office CVE-2026-21509 in Attacks

🔎 The Russia-linked threat actor APT28 has been observed exploiting CVE-2026-21509 in targeted Microsoft Office document attacks as part of Operation Neusploit. Zscaler ThreatLabz reported activity beginning on January 29, 2026, using localized lures and server-side geofilters to deliver malicious DLLs only to intended victims in Ukraine, Slovakia, and Romania. The exploit chains employ RTF/Word files that drop two distinct loaders: a C++ email stealer named MiniDoor and a more elaborate PixyNetLoader, which uses steganography and COM hijacking to deploy a Covenant Grunt implant. The campaign demonstrates focused espionage objectives, targeted evasion, and persistent C2 capabilities.

Russian APT28 Exploits Patched Microsoft Office Bug

🛡️ Ukraine's CERT warns that Russian state-linked actor APT28 is exploiting the recently patched CVE-2026-21509 in Microsoft Office. Malicious DOC files were observed days after Microsoft's emergency out-of-band update on Jan 26 and deploy a WebDAV download chain, COM hijacking, a malicious DLL (EhStoreShell.dll), shellcode hidden in an image (SplashScreen.png), and a scheduled task named OneDriveHealth. The chain results in the launch of the COVENANT framework, which uses the Filen cloud storage service for command-and-control. Organizations are advised to apply Microsoft's updates for affected Office versions, ensure application restarts where required, and consider blocking or monitoring Filen-related traffic.

APT28 Credential Harvesting Hits Energy, Think Tanks

🔒 Recorded Future links GRU-affiliated APT28 (aka BlueDelta) to targeted credential-harvesting campaigns in 2025 that hit staff at a Turkish energy and nuclear research agency, a European think tank, and entities in North Macedonia and Uzbekistan. The group used regionally tailored Turkish-language lures and legitimate PDF decoys, and deployed spoofed OWA, Google and Sophos VPN pages hosted on services such as Webhook.site, InfinityFree, Byet and ngrok, exfiltrating credentials before redirecting victims to the real sites to avoid detection.

APT28 Targets Ukrainian UKR-net Users in Credential Theft

🔒 Recorded Future's Insikt Group observed APT28 conducting a sustained credential-phishing campaign targeting users of UKR.net between June 2024 and April 2025. The actor, tracked as APT28 or BlueDelta and assessed as affiliated with the GRU, used UKR.net-themed login pages hosted on legitimate services like Mocky and chained redirects from link shorteners and Blogger subdomains to capture passwords and 2FA codes. Phishing emails delivered PDFs that directed recipients to these pages, and the group has moved from abusing compromised routers to leveraging proxy tunneling services such as ngrok and Serveo.