APT28, also known as Fancy Bear and linked to GRU Unit 26165, has evolved over two decades from the X-Agent/X-Tunnel implant era into fragmented disposable modules, edge-router infrastructure, cloud-based C2, and even an LLM-driven infostealer. The report highlights major campaigns such as Operation Phantom Net Voxel, RoundPress, FrostArmada, and LameHug, showing sustained targeting of Ukrainian, NATO, government, defense, and critical-infrastructure victims. #APT28 #FancyBear #GRUUnit26165 #OperationPhantomNetVoxel #RoundPress #FrostArmada #LameHug
Keypoints
- APT28 has operated for more than two decades and is publicly attributed to GRU Unit 26165.
- Its early tradecraft centered on the X-Agent and X-Tunnel toolkit, used in major intrusions such as TV5Monde, Bundestag, and the 2016 US election-related breaches.
- The group popularized a hack-and-leak playbook, using fake personas like Cyber Berkut to amplify political damage.
- Between 2022 and 2024, APT28 shifted to disposable single-purpose implants and exploited Outlook CVE-2023-23397 to steal Net-NTLMv2 hashes.
- The actor increasingly used compromised edge devices, including Ubiquiti, MikroTik, and TP-Link routers, for proxying, phishing, and credential harvesting.
- Operation Phantom Net Voxel marked a return to custom implants, cloud-based command-and-control, and direct lineage to older APT28 tooling.
- LameHug shows APT28 experimenting with AI-assisted malware that delegates command generation to an LLM.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – Delivered malware and lures through malicious email attachments and documents, including Office files and PDFs (“spear phishing campaigns… delivered the Seduploader first stage”); the Phantom Net Voxel delivery of “weaponised Office documents through private Signal Desktop chats” is the same lure style over a messaging service, which MITRE files under T1566.003 Spearphishing via Service.
- [T1190] Exploit Public-Facing Application – Used webmail XSS flaws and Outlook flaws to gain access or trigger exfiltration (“weaponized XSS flaws in widely-deployed webmail platforms” and “weaponised the zero-click Outlook flaw CVE-2023-23397”).
- [T1055] Process Injection – Deployed Covenant in memory during the Phantom Net Voxel chain (“stages a customised Covenant framework deployment in memory”).
- [T1187] Forced Authentication – Crafted Outlook reminders carrying a UNC path make the client authenticate to attacker-controlled SMB shares without user interaction, and the captured Net-NTLMv2 hashes are relayed onward (“Crafted Outlook reminders force the client to authenticate to attacker-controlled SMB shares”).
- [T1078] Valid Accounts – Reused credentials harvested at scale through phishing pages and compromised-router credential-harvesting operations (“credential harvesting campaign” and “harvesting credentials for later reuse”).
- [T1003] OS Credential Dumping – Used Mimikatz and harvested Net-NTLMv2 hashes and browser credentials (“Mimikatz for credential theft” and “capture Net-NTLMv2 hashes”).
- [T1041] Exfiltration Over C2 Channel – Exfiltrated stolen data, inbox contents, and credentials to attacker infrastructure (“silently exfiltrate inboxes, contacts, and credentials” and “exfiltrated over SFTP or HTTP”).
- [T1027] Obfuscated Files or Information – Used encoded prompts and multi-language rewrites to conceal payload logic (“base64-encoded natural-language prompts” and “rewritten across many languages”).
- [T1090] Proxy – Relayed traffic and hashes through compromised routers and EdgeRouters (“relaying them via compromised EdgeRouters” and “traffic proxying”).
- [T1098] Account Manipulation – Enabled IMAP and stored app passwords after 2FA bypass (“validates the second factor, enables IMAP, stores the new app password”).
- [T1105] Ingress Tool Transfer – Downloaded and staged components such as loaders, backdoors, and Python scripts (“Python downloader” and “staging custom Python scripts”).
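The CVE-2023-23397 technique listed above rests on one detail: an Outlook item whose reminder sound property holds a UNC path, which the client resolves when the reminder fires and so sends an outbound NTLM authentication with no click. That makes mailbox items huntable. The following Python is an added example written for this summary; it is not code from the Sekoia report or from Microsoft's published detection script. The property IDs are the documented PidLidReminderFileParameter (LID 0x851F) and PidLidReminderOverride (LID 0x851C) named properties; the `MailItem` records, the sample items (which use TEST-NET documentation addresses and an invented domain), the `internal_suffixes` list and the verdict names are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Named MAPI properties (PSETID_Common) set by the CVE-2023-23397 messages.
# PidLidReminderFileParameter holds the custom reminder sound path; a UNC value
# makes Outlook open it when the reminder fires, which starts NTLM authentication
# to that host with no user interaction. PidLidReminderOverride = True tells
# Outlook to honour the custom sound instead of the default one.
PID_LID_REMINDER_FILE_PARAMETER = 0x851F
PID_LID_REMINDER_OVERRIDE = 0x851C

# Matches \\host\share\... (SMB) as well as \\host@80\... and \\host@SSL@443\...
# (the WebDAV form Outlook falls back to when outbound SMB is blocked).
UNC_RE = re.compile(r"^\\\\([^\\@]+)(?:@(?:SSL@)?\d+)?\\", re.IGNORECASE)


@dataclass
class MailItem:
    """Minimal stand-in for an Outlook item: subject plus its MAPI properties (assumed shape)."""
    subject: str
    props: dict = field(default_factory=dict)


def extract_unc_host(props: dict) -> Optional[str]:
    """Return the host named in PidLidReminderFileParameter if it is a UNC path, else None."""
    value = props.get(PID_LID_REMINDER_FILE_PARAMETER)
    if not isinstance(value, str):
        return None
    match = UNC_RE.match(value.strip())
    return match.group(1).lower() if match else None


def is_internal_host(host: str, internal_suffixes: list) -> bool:
    """True when the host is one of, or sits under, the organisation's own name suffixes."""
    return any(host == s or host.endswith("." + s) for s in internal_suffixes)


def triage(item: MailItem, internal_suffixes: list) -> tuple:
    """Classify one item as clean, review (UNC to an internal host) or suspicious (external host)."""
    host = extract_unc_host(item.props)
    if host is None:
        return ("clean", None)
    if is_internal_host(host, internal_suffixes):
        # Custom sounds on an internal share do exist, but an attacker can also
        # relay through a compromised internal host, so keep these for review.
        return ("review", host)
    return ("suspicious", host)


def scan(items: list, internal_suffixes: list) -> list:
    """Return (subject, verdict, host, override_set) for every item that is not clean."""
    results = []
    for item in items:
        verdict, host = triage(item, internal_suffixes)
        if verdict == "clean":
            continue
        override = bool(item.props.get(PID_LID_REMINDER_OVERRIDE, False))
        results.append((item.subject, verdict, host, override))
    return results


# Constructed sample items for this example; the hosts are documentation
# addresses and an invented domain, not indicators from the report.
SAMPLE_ITEMS = [
    MailItem("Weekly sync", {}),
    MailItem("Reminder", {PID_LID_REMINDER_FILE_PARAMETER: r"\\fileserver.corp.example\sounds\ding.wav",
                          PID_LID_REMINDER_OVERRIDE: True}),
    MailItem("Invoice", {PID_LID_REMINDER_FILE_PARAMETER: r"\\203.0.113.7\share\a.wav",
                         PID_LID_REMINDER_OVERRIDE: True}),
    MailItem("Calendar", {PID_LID_REMINDER_FILE_PARAMETER: r"\\203.0.113.7@80\dav\b.wav",
                          PID_LID_REMINDER_OVERRIDE: True}),
    MailItem("Local", {PID_LID_REMINDER_FILE_PARAMETER: r"C:\Windows\Media\chimes.wav"}),
]

if __name__ == "__main__":
    for row in scan(SAMPLE_ITEMS, ["corp.example"]):
        print(row)
```

Two practical notes. First, the WebDAV form is matched on purpose: blocking outbound TCP/445 alone does not remove the outbound NTLM authentication, because Outlook retries the path over WebDAV on port 80 where the WebClient service is running, which is why Microsoft's mitigation guidance pairs the 445 block with putting users in the Protected Users group. Second, the hosts surfaced by this kind of scan belong next to the edge-router indicators listed below: in the EdgeRouter campaigns the collection point for relayed Net-NTLMv2 hashes was a compromised router rather than purpose-built attacker infrastructure, so an unfamiliar host in this property is worth checking against known compromised edge devices, not only against reputation feeds.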
Indicators of Compromise
- [Malware / Tool names] APT28 implant and loader families – X-Agent, X-Tunnel, and GooseEgg
- [Malware / Tool names] Disposable modules and newer tooling – MASEPIE, STEELHOOK, OceanMap, CredoMap, HeadLace, SpyPress, Covenant, BeardShell, Slimagent, LameHug
- [Vulnerabilities] Exploited flaws and CVEs – CVE-2023-23397, CVE-2022-38028
- [Cloud / Web services] C2, exfiltration, and collection endpoints – Koofr, icedrive, Filen, Hugging Face Inference API, Pipedream, Webhook.site
- [Router / edge infrastructure] Abused devices and platforms – Ubiquiti EdgeRouters, MikroTik routers, TP-Link routers
- [Organizations / platforms] Targeted services and organizations – UKR.NET, Microsoft Exchange, Outlook, Roundcube, Horde, MDaemon, Zimbra
- [Campaign names] Named operations – Operation Phantom Net Voxel, Operation RoundPress, FrostArmada, Operation Dying Ember
- [File / artifact names] Delivered or referenced artifacts – Office documents, PDFs, TXT documents, PDF with shortened URLs
Read more: https://blog.sekoia.io/apt28-an-evolution-of-tradecraft/