ALL POSTS
APT28 Employs BEARDSHELL and COVENANT Malware in Ongoing Espionage Against Ukrainian Military
Key Findings: APT28, a Russian state-sponsored hacking group, has been observed using a pair of custom malware implants called BEARDSHELL and COVENANT for long-term surveillance of Ukrainian military personnel since April 2024. The malware families showcase the group's continued capabilities in developing advanced custom tools for espionage operations. BEARDSHELL is a C++ backdoor that downloads and executes PowerShell scripts, sending results via the Icedrive cloud storage se
Mar 11 - 2 min read
APT28-Linked Campaign Targets Ukraine with Malware Threats
Key Findings: A new Russian cyber campaign has targeted Ukrainian entities with two previously undocumented malware families named BadPaw and MeowMeow. The campaign has been attributed with moderate confidence to the Russian state-sponsored threat actor known as APT28. The attack chain initiates with a phishing email containing a link to a ZIP archive, which leads to the deployment of a .NET-based loader called BadPaw and a sophisticated backdoor called MeowMeow. Background: T
Mar 5 - 2 min read
APT28 Exploited MSHTML 0-Day Before Microsoft Patch
Key Findings: Russia-linked APT28 reportedly exploited MSHTML zero-day CVE-2026-21513 (CVSS 8.8) before Microsoft patched it in February 2026. The vulnerability is an Internet Explorer security control bypass that can lead to code execution when a victim opens a malicious HTML page or LNK file. Akamai researchers found a malicious sample uploaded to VirusTotal in January 2026 tied to infrastructure linked to APT28. The exploit relies on nested iframes and multiple DOM contexts t
Mar 2 - 1 min read
Operation MacroMaze: APT28's Webhook Exploits
Key Findings: Russia-linked APT28 targeted European entities with a webhook-based macro malware campaign called Operation MacroMaze from September 2025 to January 2026. The campaign used spear-phishing emails delivering weaponized documents with an "INCLUDEPICTURE" field pointing to a webhook[.]site URL hosting a JPG. When opened, the file silently retrieves the image, acting as a tracking pixel to alert attackers the document was viewed. Variants dropped modified macros that
Feb 24 - 2 min read
APT28 Targeted European Entities Using Webhook-Based Macro Malware
Background: The Russia-linked state-sponsored threat actor tracked as APT28 has been attributed to a new campaign targeting specific entities in Western and Central Europe. The activity, per S2 Grupo's LAB52 threat intelligence team, was active between September 2025 and January 2026. It has been codenamed Operation MacroMaze. Key Findings: The campaign relies on basic tooling and the exploitation of legitimate services for infrastructure and data exfiltration. The attack chain
Feb 24 - 1 min read
Fancy Bear Returns: APT28 Exploits Office Flaw in "Operation Neusploit"
Key Findings: The notorious Russia-linked threat group APT28 (also known as Fancy Bear) has launched a new campaign dubbed "Operation Neusploit" targeting Central and Eastern Europe. The campaign leverages a recently patched Microsoft Office vulnerability, CVE-2026-21509, to deliver custom backdoors against strategic targets in Ukraine, Slovakia, and Romania. The attack uses specially crafted RTF documents as the initial vector, exploiting the vulnerability to initiate a multi
Feb 3 - 3 min read
Russian APT28 Runs Credential-Stealing Campaign Targeting Defense and Telecom Organizations
Key Findings: Russian state-sponsored threat group APT28 (aka BlueDelta) has been linked to a fresh wave of credential harvesting attacks targeting individuals associated with a Turkish energy and nuclear research agency, a European think tank, and organizations in North Macedonia and Uzbekistan. The campaign leverages sophisticated phishing techniques to compromise accounts and steal user credentials. Background: APT28 is associated with the Main Directorate of the General Staff of the Armed
Jan 10 - 2 min read
Germany Responds to Alleged Russian Cyberattack on Air Traffic Control
Key Findings: Germany summoned Russia's ambassador over alleged cyberattacks on its air traffic control authority and a disinformation campaign ahead of national elections. The German government says it has clear evidence linking an August 2024 cyberattack on Deutsche Flugsicherung, the country's air traffic control authority, to the Russia-nexus group APT28 (aka Fancy Bear). Germany also accused Moscow of attempting to influence and destabilize Germany's federal election through a d
Dec 14, 2025 - 2 min read
