APT28
GRU 85th Main Special Service Center (GTsSS), military unit 26165
Russia | Nation-State | Active | MITRE ID G0007
Key Intelligence

MITRE ID: G0007
Country: Russia
Motivation: Espionage, Information Operations, Disruption
Active Since: 2004
Last Seen: 2025
Techniques: 34 across 12 tactics
Attribution: GRU 85th Main Special Service Center (GTsSS), military unit 26165
Also Known As: Fancy Bear, Sofacy, Pawn Storm, Sednit, STRONTIUM, Forest Blizzard, ITG05, Blue Athena, TA422, Fighting Ursa, Tsar Team, Group 74, FROZENLAKE, GruesomeLarch
Target Profile

Targeted Industries: Government, Military, Defense, Political Organizations, Media, Anti-Doping Agencies, Logistics, Technology
Targeted Countries: United States, Ukraine, Germany, France, United Kingdom, Poland, Georgia, NATO Members

Overview

APT28 (also tracked as Fancy Bear, Forest Blizzard, STRONTIUM, Pawn Storm, Sednit, and Sofacy) is a Russian military intelligence (GRU) cyber espionage group attributed to Unit 26165 of the 85th Main Special Service Center (GTsSS). Active since at least 2004, APT28 conducts intelligence collection aligned with Russian military and geopolitical objectives. The group is known for sophisticated spearphishing campaigns, zero-day exploitation, and credential harvesting operations targeting government, military, defense, political organizations, media, and anti-doping agencies across NATO member states and former Soviet countries. APT28 gained widespread public attention for its role in the 2016 US presidential election interference, including the DNC breach and subsequent hack-and-leak operations. In recent years, the group has expanded targeting to Western logistics and technology companies supporting Ukraine, as documented in the May 2025 joint advisory (CISA AA25-141A). The group demonstrates sustained evolution in tradecraft, including the development of custom exploit tools (GooseEgg), novel access techniques (Nearest Neighbor Wi-Fi attack), and webmail exploitation campaigns (Operation RoundPress).

Tools & Malware

X-Tunnel, XAgent, Zebrocy, Seduploader, LoJax, Komplex, CHOPSTICK, GAMEFISH, GooseEgg, Graphite, Mimikatz, Responder, Impacket, PowerShell Empire, Cobalt Strike, Empire, Nmap

Attack Path: DNC Breach (2016)

Following MITRE ATT&CK Flow methodology.


Diamond Model

Caltagirone, Pendergast & Betz (2013)

Adversary: GRU Unit 26165, Russian military intelligence officers
Capability: Zebrocy, XAgent, X-Tunnel, LoJax UEFI rootkit, GooseEgg, Komplex (macOS)
Infrastructure: Dedicated VPS, compromised WordPress sites, X-Tunnel relays, DCLeaks.com
Victim: Government agencies, political organizations, military, media, anti-doping agencies

ATT&CK Navigator

Interactive MITRE ATT&CK Navigator layer for APT28 (G0007).

Known CVEs Exploited

CVE | Year | Description
CVE-2017-0262 | 2017 | Microsoft Office EPS RCE used in spearphishing campaigns
CVE-2017-0263 | 2017 | Windows kernel privilege escalation paired with EPS exploit
CVE-2022-38028 | 2022 | Windows Print Spooler (GooseEgg), used 2020-2024
CVE-2023-23397 | 2023 | Outlook NTLM relay zero-day exploited against European orgs
CVE-2024-11182 | 2024 | MDaemon XSS zero-day used in Operation RoundPress webmail exploitation
CVE-2023-43770 | 2023 | Roundcube XSS used in webmail compromise campaigns
CVE-2023-38831 | 2023 | WinRAR RCE used in Ukraine-targeting phishing campaigns
CVE-2020-12641 | 2020 | Roundcube RCE exploited for webmail access
CVE-2020-35730 | 2020 | Roundcube XSS exploited for session hijacking
CVE-2017-6742 | 2017 | Cisco SNMP RCE for router compromise and Jaguar Tooth malware

Notable Campaigns

2024
GooseEgg Campaign
Exploitation of Windows Print Spooler vulnerability using GooseEgg tool.
2020
COVID-19 Vaccine Research
Targeting of organizations involved in COVID-19 vaccine development.
2018
WADA/USADA Breach
Compromise of anti-doping agencies and leak of athlete medical records.
2017
NotPetya Precursor
Spearphishing operations against Ukrainian government and military entities.
2016
DNC Hack
Breach of the Democratic National Committee systems and subsequent leak of emails.

Detection Engineering

PowerShell Encoded Command Execution
Monitor for powershell.exe launched with -enc, -encodedcommand, or -e flags containing Base64 payloads. Enable Script Block Logging (Event ID 4104) and Module Logging. Sigma rule: proc_creation_win_susp_powershell_enc_cmd. KQL: DeviceProcessEvents | where FileName == 'powershell.exe' and ProcessCommandLine contains '-enc'
Outlook NTLM Relay (CVE-2023-23397)
Detect outbound SMB connections initiated by Outlook calendar processing. Monitor for Windows Event ID 4648 (logon with explicit credentials) to external IPs. Alert on UNC path access from outlook.exe. KQL: DeviceNetworkEvents | where InitiatingProcessFileName == 'outlook.exe' and RemotePort == 445
LSASS Credential Dumping
Monitor for processes accessing lsass.exe memory. Sysmon Event ID 10 with TargetImage containing lsass.exe and GrantedAccess of 0x1010 or 0x1038. Deploy Credential Guard where possible. Sigma rule: sysmon_cred_dump_lsass_access.
GooseEgg Print Spooler Exploitation (CVE-2022-38028)
Monitor svchost.exe (spoolsv) spawning unexpected child processes like cmd.exe or powershell.exe. Track file modifications in C:\Windows\System32\spool\drivers\. Microsoft published specific detection guidance for GooseEgg exploitation.
Encoded PowerShell via WMI
Monitor for WMI spawning powershell.exe with encoded arguments. Sysmon Event ID 1 with ParentImage wmiprvse.exe. Elastic detection rule: command_and_scripting_interpreter_via_wmi.
Suspicious Outlook Behavior
Monitor for Outlook spawning script interpreters or making outbound SMB connections. ASR rule: Block Office applications from creating executable content. Elastic rule: microsoft_365_exchange_transport_rule_creation.
Registry Autorun Modification
Monitor HKCU\Software\Microsoft\Windows\CurrentVersion\Run for new entries. Sysmon Event ID 13 (Registry value set). Sigma rule: registry_set_asep_reg_keys_modification_currentversion.
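The detection items above, implemented as rule functions and run over constructed sample telemetry. This is an added example, not code from the page or from any vendor rule set; the field names follow the page's KQL and Sysmon references, and the events are made up, with the Print Spooler matched by its process name spoolsv.exe.

```python
# Added example (not from the page or any vendor): the detection logic of the items
# above as rule functions run over constructed, not real, Sysmon/EDR-style events.
# Field names follow the page's KQL (FileName, ProcessCommandLine,
# InitiatingProcessFileName, RemotePort) and Sysmon (ParentImage, TargetImage, GrantedAccess).
import base64
import re

ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|enc|encodedcommand)\b")  # -e / -enc / -encodedcommand
B64_BLOB = re.compile(r"[A-Za-z0-9+/=]{40,}")                      # a Base64-looking argument
LSASS_MASKS = {0x1010, 0x1038}                                     # GrantedAccess values from the page
SPOOLER_CHILDREN = {"cmd.exe", "powershell.exe"}

def is_encoded_powershell(ev):
    """Process creation: powershell.exe launched with an encoded-command flag and a Base64 payload."""
    cmd = ev.get("ProcessCommandLine", "")
    return (ev.get("FileName", "").lower() == "powershell.exe"
            and ENC_FLAG.search(cmd) is not None and B64_BLOB.search(cmd) is not None)

def is_outlook_smb(ev):
    """Network event: outlook.exe opening an SMB (445) connection, the CVE-2023-23397 relay pattern."""
    return ev.get("InitiatingProcessFileName", "").lower() == "outlook.exe" and ev.get("RemotePort") == 445

def is_lsass_access(ev):
    """Sysmon Event ID 10: a handle to lsass.exe with one of the credential-dumping access masks."""
    target = ev.get("TargetImage", "").lower()
    return target.endswith("\\lsass.exe") and int(ev.get("GrantedAccess", "0x0"), 16) in LSASS_MASKS

def is_spooler_child(ev):
    """Sysmon Event ID 1: the Print Spooler (spoolsv.exe) spawning a shell, the GooseEgg pattern."""
    child = ev.get("Image", "").lower().rsplit("\\", 1)[-1]
    return ev.get("ParentImage", "").lower().endswith("\\spoolsv.exe") and child in SPOOLER_CHILDREN

RULES = [("encoded_powershell", is_encoded_powershell), ("outlook_smb", is_outlook_smb),
         ("lsass_access", is_lsass_access), ("spooler_child", is_spooler_child)]

def triage(events):
    """Return (event id, rule name) for every event that matches a rule."""
    return [(ev["id"], name) for ev in events for name, rule in RULES if rule(ev)]

# Constructed sample telemetry; the encoded command is a harmless Write-Output, UTF-16LE as PowerShell expects.
ENCODED = base64.b64encode("Write-Output constructed".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"id": 1, "FileName": "powershell.exe", "ProcessCommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"id": 2, "FileName": "powershell.exe", "ProcessCommandLine": "powershell.exe -File C:\\ops\\backup.ps1"},
    {"id": 3, "InitiatingProcessFileName": "outlook.exe", "RemotePort": 445},
    {"id": 4, "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
    {"id": 5, "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1400"},  # benign mask
    {"id": 6, "ParentImage": "C:\\Windows\\System32\\spoolsv.exe", "Image": "C:\\Windows\\System32\\cmd.exe"},
]
```

Calling `triage(SAMPLE_EVENTS)` flags events 1, 3, 4 and 6 and leaves the plain script launch and the benign LSASS access mask alone.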

Defense Recommendations

Mitigations with MITRE ATT&CK IDs.

Deploy phishing-resistant MFA (FIDO2/WebAuthn) for all accounts, prioritizing email and VPN. APT28 credential harvesting bypasses SMS/TOTP MFA. (Source: CISA AA25-141A Section 4)
Patch Outlook CVE-2023-23397 and Print Spooler CVE-2022-38028 immediately. Both actively exploited by APT28 in ongoing campaigns. (Source: CISA KEV Catalog)
Enable PowerShell Constrained Language Mode and Script Block Logging (Event ID 4104). Block encoded command execution via ASR rules. (Source: NSA/CISA PowerShell Guide)
Block outbound NTLM to external IPs at network perimeter. APT28 uses NTLM relay via Outlook calendar invites. (Source: Microsoft CVE-2023-23397 Guidance)
Deploy Credential Guard on Windows 10/11 to protect LSASS from memory dumping. Monitor LSASS access via Sysmon Event ID 10. (Source: Microsoft Security Baseline)
Segment email infrastructure from Active Directory domain controllers. APT28 pivots from mailboxes to DC via pass-the-hash. (Source: NIST SP 800-41 Rev 1)
Enforce DMARC p=reject on all organizational domains to prevent email spoofing in spearphishing campaigns. (Source: CISA BOD 18-01)

Attribution Confidence

Attribution confidence: High
Evidence Supporting Attribution
DOJ indictment of 12 GRU Unit 26165 officers (July 2018)
https://www.justice.gov/opa/pr/grand-jury-indicts-12-russian
Five Eyes joint attribution (US, UK, CA, AU, NZ)
https://www.cisa.gov/news-events/cybersecurity-advisories/aa
ANSSI France public attribution (2023, 2025)
https://cert.ssi.gouv.fr/cti/CERTFR-2025-CTI-007/
Technical overlap across 15+ campaigns
https://attack.mitre.org/groups/G0007/

Threat Assessment

Capability: 9/10
Intent: 9/10
Targeting: 8/10
Overall Threat Level: Critical
Tier 1 nation-state actor with demonstrated zero-day capability, global reach, and destructive intent when aligned with Russian military objectives.

Recent Reporting

2025-05
CISA AA25-141A: APT28 targeting Western logistics companies supporting Ukraine
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-141a
2025-05
ESET: Operation RoundPress webmail exploitation campaign
https://www.welivesecurity.com/en/eset-research/operation-roundpress/
2024-11
Volexity: Nearest Neighbor Wi-Fi attack technique
https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack/

Emulation Plans & Guidance

Plan | Source | Type | Description
MITRE Attack Arsenal - APT28 Caldera Plan | MITRE | Open Source | Caldera-compatible emulation plan with abilities, payloads, and adversary profiles
AttackIQ - CISA AA25-141A Response | AttackIQ | Commercial | Validation scenario for APT28 logistics targeting campaign TTPs
APT28 Adversary Simulation (S3N4T0R) | GitHub / S3N4T0R | Open Source | Full simulation: Excel dropper, CVE-2021-40444, OneDrive C2, credential harvesting targeting government officials
APT28 BadPaw/MeowMeow Lab to Emulation | SCYTHE | Blog Post | Manual lab simulation + SCYTHE continuous emulation for BadPaw steganography loader and MeowMeow RAT
APT Digital Weapon - APT28 IOCs | RedDrip7 | Open Source | Collection of IOCs, malware samples, and analysis reports for APT28 campaigns
Fancy Bear APT28 Adversary Simulation Walkthrough | S3N4T0R (Medium) | Blog Post | Step-by-step: Excel dropper with CVE-2021-40444, DLL injection into Word, OneDrive C2 for exfiltration
S3N4T0R APTs Adversary Simulation Collection | S3N4T0R (GitHub) | Open Source | Multi-APT simulation repo with custom C2, backdoors, exploitation chains for APT28 and others
Panopticon APT28 Intelligence Collection | Panopticon Project (GitHub) | Open Source | Curated collection of APT28 campaign reports, IOCs, and analysis references

Page Contributors

Adversary Village
MITRE ATT&CK Team
BreachSimRange