Mallory
Groups · In Development · Russia · 49 malware families · Exploits CVEs in the wild

APT28

Also known as: APT28, APT28 (Fancy Bear), APT28 (Forest Blizzard), APT28 (Forest/Forrest Blizzard), APT28 (WinRAR usage in campaign), APT28 Nearest Neighbor Campaign, APT29, ATG2, atk5, Blue Athena, Blue Kitsune, BlueBravo, bluedelta, Cloaked Ursa, cozy_bear, cozybear, CozyDuke, CrisisFour, Dark Halo, fancy_bear, fancy_bears, fancybear, fighting_ursa, Forest Blizzard, Forest Blizzard (STRONTIUM/APT28/Fancy Bear), Forest Blizzard/STRONTIUM, FROZENLAKE, g0007, GRAPHITE, Grizzly Steppe, Group 74, GruesomeLarch, HELLFIRE, IRON HEMLOCK, Iron Ritual, IRON TWILIGHT, itg05, Midnight Blizzard, Nobelium, NobleBaron, Operation Pawn Storm, Pawn Storm, Sednit, sig40, SNAKEMACKEREL, sofacy, sofacy_group, SolarStorm, StellarParticle, STRONTIUM, Swallowtail, t_apt_12, TA421, TG-4127, The Dukes, Threat Group-4127, Tsar Team, uac_0001, uac_0028, UAC-0001 (APT28), UAC-0028 (APT28), UNC2452, UNC3524, Yttrium, Z-Lom Team

APT28 is a state-sponsored advanced persistent threat group that the underlying reporting widely attributes to Russia’s GRU military intelligence service. It is also tracked as Fancy Bear, Sofacy, Sednit, STRONTIUM, Pawn Storm, and Forest Blizzard. The reporting describes APT28 as conducting long-term cyber-espionage operations aligned with Russian strategic interests, particularly against political, military, diplomatic, government, and defense-related targets. Reported targeting includes the 2016 Democratic National Committee breach, Emmanuel Macron’s 2017 presidential campaign, NATO’s Joint Air Power Competence Centre, the German Bundestag, TV5Monde, the World Anti-Doping Agency, the OSCE, Ukraine’s Ministry of Defence, U.S. nuclear facilities, and cybersecurity firms. The reporting also notes spearphishing against Ukrainian targets, including emails impersonating Ukrainian government officials.

Tradecraft directly described in the reporting includes spear-phishing, credential theft and credential dumping, password spraying against government and defense sectors, deployment of custom malware such as X-Agent (a Linux XAgent variant is also referenced), persistence, lateral movement, remote command-and-control activity, and malicious Microsoft Office attachments delivered in spear-phishing emails. In specific operations, APT28 is described as using spear-phishing to lure victims into clicking malicious links or opening attachments, harvesting credentials for broader access, deploying X-Agent for remote command execution and file transfer, and moving laterally to reach critical systems. The reporting also attributes LoJax to APT28, describing it as the first known real-world UEFI malware attack, and states that the GRU-linked group used compromised Ubiquiti routers as an espionage relay in a separate operation.
The aliases list in the source is noisy and includes names commonly associated with other actors; only the aliases directly supported by the content for this actor are included above.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

MITRE ATT&CK

Tradecraft

69 distinct techniques observed across reporting, grouped by tactic. Each technique links to MITRE's full description.

13 of 15 tactics, 106 techniques. ×N = number of intelligence reports citing this technique.
TA0042 Resource Development (5 techniques)
  T1583 Acquire Infrastructure
    T1583.004 Server
  T1584 Compromise Infrastructure (×2)
    T1584.005 Botnet
  T1587 Develop Capabilities
    T1587.001 Malware
    T1587.003 Digital Certificates
  T1588 Obtain Capabilities
    T1588.002 Tool
  T1650 Acquire Access

TA0001 Initial Access (4 techniques)
  T1078 Valid Accounts (×3)
    T1078.003 Local Accounts
    T1078.004 Cloud Accounts
  T1190 Exploit Public-Facing Application (×3)
  T1195 Supply Chain Compromise
    T1195.001 Compromise Software Dependencies and Development Tools
  T1566 Phishing (×2)
    T1566.001 Spearphishing Attachment

TA0002 Execution (6 techniques)
  T1047 Windows Management Instrumentation (×2)
  T1053 Scheduled Task/Job (×2)
    T1053.002 At
    T1053.005 Scheduled Task
  T1059 Command and Scripting Interpreter (×4)
    T1059.001 PowerShell (×4)
    T1059.006 Python
  T1127 Trusted Developer Utilities Proxy Execution
  T1203 Exploitation for Client Execution
  T1651 Cloud Administration Command

TA0003 Persistence (9 techniques)
  T1053 Scheduled Task/Job (×2)
    T1053.002 At
    T1053.005 Scheduled Task
  T1078 Valid Accounts (×3)
    T1078.003 Local Accounts
    T1078.004 Cloud Accounts
  T1098 Account Manipulation
  T1112 Modify Registry
  T1137 Office Application Startup
    T1137.001 Office Template Macros
  T1542 Pre-OS Boot
    T1542.001 System Firmware
  T1543 Create or Modify System Process
  T1546 Event Triggered Execution
    T1546.003 Windows Management Instrumentation Event Subscription
  T1547 Boot or Logon Autostart Execution
    T1547.009 Shortcut Modification

TA0004 Privilege Escalation (8 techniques)
  T1053 Scheduled Task/Job (×2)
    T1053.002 At
    T1053.005 Scheduled Task
  T1068 Exploitation for Privilege Escalation (×8)
  T1078 Valid Accounts (×3)
    T1078.003 Local Accounts
    T1078.004 Cloud Accounts
  T1098 Account Manipulation
  T1543 Create or Modify System Process
  T1546 Event Triggered Execution
    T1546.003 Windows Management Instrumentation Event Subscription
  T1547 Boot or Logon Autostart Execution
    T1547.009 Shortcut Modification
  T1548 Abuse Elevation Control Mechanism
    T1548.002 Bypass User Account Control

TA0005 Stealth (9 techniques)
  T1027 Obfuscated Files or Information
    T1027.001 Binary Padding
    T1027.003 Steganography
    T1027.006 HTML Smuggling
  T1036 Masquerading
  T1070 Indicator Removal
    T1070.004 File Deletion
  T1078 Valid Accounts (×3)
    T1078.003 Local Accounts
    T1078.004 Cloud Accounts
  T1127 Trusted Developer Utilities Proxy Execution
  T1218 System Binary Proxy Execution
    T1218.005 Mshta
  T1497 Virtualization/Sandbox Evasion
    T1497.001 System Checks
    T1497.003 Time Based Checks
  T1542 Pre-OS Boot
    T1542.001 System Firmware
  T1620 Reflective Code Loading (×2)

TA0112 Defense Impairment (1 technique)
  T1112 Modify Registry

TA0006 Credential Access (5 techniques)
  T1003 OS Credential Dumping
  T1110 Brute Force (×2)
    T1110.003 Password Spraying (×3)
  T1606 Forge Web Credentials
    T1606.002 SAML Tokens
  T1621 Multi-Factor Authentication Request Generation (×2)
  T1649 Steal or Forge Authentication Certificates (×2)

TA0007 Discovery (4 techniques)
  T1016 System Network Configuration Discovery
  T1046 Network Service Discovery
  T1082 System Information Discovery
  T1497 Virtualization/Sandbox Evasion
    T1497.001 System Checks
    T1497.003 Time Based Checks

TA0008 Lateral Movement (1 technique)
  T1550 Use Alternate Authentication Material
    T1550.003 Pass the Ticket

TA0009 Collection (2 techniques)
  T1005 Data from Local System
  T1114 Email Collection (×2)

TA0011 Command and Control (5 techniques)
  T1071 Application Layer Protocol (×2)
  T1090 Proxy
    T1090.003 Multi-hop Proxy (×2)
    T1090.004 Domain Fronting
  T1105 Ingress Tool Transfer (×2)
  T1568 Dynamic Resolution
    T1568.002 Domain Generation Algorithms
  T1665 Hide Infrastructure

TA0040 Impact (1 technique)
  T1498 Network Denial of Service

Associated vulnerabilities

35 CVEs this actor has used in observed campaigns. 35 of them exploited in the wild.

CVE-2026-21509: Microsoft Office Shell.Explorer.1 OLE Security Feature Bypass (exploited in the wild; 16 evidence items)

Patching CVE-2026-21509 is necessary, but not sufficient. Malicious .doc → CVE-2026-21509 exploit → LNK shortcut + SimpleLoader DLL → EhStoreShell.dll (steganography loader) → SplashScreen.png (shellcode hidden in PNG image) → CovenantGrunt (in-memory .NET backdoor) → filen.io (C2 communication)

CVE-2026-21513: Microsoft MSHTML Framework Security Feature Bypass (exploited in the wild; 12 evidence items)

These attacks began with a phishing email, purporting to be from Ukraine's hydro-meteorological center, that contained a weaponized LNK file to exploit another vulnerability, CVE-2026-21513. By chaining CVE-2026-21513 with CVE-2026-21510, the Russian spies bypassed Microsoft security features including Defender SmartScreen and remotely executed malicious code on victims' computers.

CVE-2026-21510: Windows Shell SmartScreen and Security Prompt Bypass via Malicious LNK/Link (exploited in the wild; 10 evidence items)

CVE-2026-21510 — Windows Shell Protection Mechanism Failure

In two separate campaigns observed by Proofpoint in March and April 2026, DPRK-aligned threat actor TA406 (Opal Sleet) chained CVE-2026-21509 and CVE-2026-21510 within a single attack sequence... invoked CVE-2026-21510 to bypass Windows Shell security controls and execute a DLL payload.

CVE-2023-23397: Microsoft Outlook for Windows Net-NTLMv2 Hash Leak via Reminder UNC Path (exploited in the wild; 9 evidence items)

Leveraging a network scan we ran in February 2022, we found the server 45.138.87[.]250 / ceriossl[.]info... mentioned in a Qianxin blogpost describing a campaign abusing CVE-2023-23397 that attributed it to Sednit.

CVE-2022-38028: Windows Print Spooler Elevation of Privilege Vulnerability (exploited in the wild; 5 evidence items)

GooseEgg weaponises CVE-2022-38028 in the Windows Print Spooler service to obtain SYSTEM-level execution.

30 more CVEs tied to this actor tracked in Mallory.


Observables

398 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Target overlap: Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping (69): Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal (49): Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs (35): CVEs this actor has used in known campaigns.

Detection signatures: YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables (398): Domains, IPs, and hashes tied to this actor, refreshed continuously.