{
	"id": "db195a62-1b43-46b7-a5d4-18e37fead3f7",
	"created_at": "2026-04-06T00:12:56.518355Z",
	"updated_at": "2026-04-10T13:11:26.530921Z",
	"deleted_at": null,
	"sha1_hash": "ab3849c04079b07c21c5659f2df72281a236a008",
	"title": "APT PROFILE – FANCY BEAR - CYFIRMA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 451276,
	"plain_text": "APT PROFILE – FANCY BEAR - CYFIRMA\r\nArchived: 2026-04-05 17:58:38 UTC\r\nPublished On : 2025-07-16\r\nFancy Bear, also known as APT28, is a notorious Russian cyberespionage group with a long history of targeting\r\ngovernments, military entities, and other high-value organizations worldwide. Active since 2007, they are infamous for their\r\nstealthy and well-coordinated cyberattacks. Fancy Bear has been implicated in attempts to influence election processes in\r\ncountries like the U.S., France, and Germany.\r\nAlias:\r\nAPT 28, APT-28, APT28, Blue Athena, Blue Delta, FROZENLAKE, Fancy Bear, Fighting Ursa, Forest Blizzard, Group\r\n74, GruesomeLarch, IRON TWILIGHT, ITG05, Pawn Storm, SIG40, STRONTIUM, Sednit, Sofacy, Sofacy\r\nGroup, Strontium, Swallowtail, TA422, TAG-110, TG-4127, Threat Group-4127, Tsar Team, UAC-0001, UAC-0028, UAC-0063, Unit 26165, Unit 74455.\r\nMotivation:\r\nFinancial, Reputational Damage, Espionage, Political Agenda\r\nTarget Technologies:\r\nOffice Suites Software, Operating Systems, Web Applications\r\nTools Used:\r\nForfiles, Computrace, Living off the Land, DealersChoice, Sedkit, Mimikatz.\r\nMalware used by Fancy Bear:\r\nSTEELHOOK, HeadLace, Sedreco, Winexe, OCEANMAP, OLDBAIT, ProcDump, WinIDS, certutil, CHOPSTICK, HIDEDRV, SkinnyBoy, XAgentOSX\r\nTargeted Country\r\nAfghanistan, Brazil, Cambodia, France, Georgia, Germany, India, Indonesia, Kazakhstan, Malaysia, Moldova, Pakistan,\r\nRomania, Russia, South Africa, Syria, Thailand, Turkey, Ukraine, the United States, Vietnam, and Australia.\r\nhttps://www.cyfirma.com/research/apt-profile-fancy-bear-2/\r\nPage 1 of 5\n\nTargeted Industries\r\nMITRE ATT\u0026CK Techniques used by Fancy Bear\r\nReconnaissance Privilege Escalation Lateral Movement\r\nT1598 T1068 T1210\r\nT1595.002 T1037.001 T1550.002\r\nT1589.001 T1078 T1021.002\r\nT1598.003 T1078.004 T1550.001\r\nResource Development T1546.015 T1091\r\nT1583.006 T1547.001 Collection\r\nT1588.002 T1134.001 
T1213\r\nT1583.001 Defense Evasion T1005\r\nT1586.002 T1027 T1025\r\nInitial Access T1211 T1113\r\nhttps://www.cyfirma.com/research/apt-profile-fancy-bear-2/\r\nPage 2 of 5\n\nT1189 T1036 T1560\r\nT1133 T1070.001 T1560.001\r\nT1199 T1014 T1119\r\nT1078 T1221 T1039\r\nT1566.001 T1078 T1056.001\r\nT1566.002 T1078.004 T1074.001\r\nT1078.004 T1564.001 T1114.002\r\nT1091 T1564.003 T1074.002\r\nT1190 T1134.001 T1213.002\r\nExecution T1218.011 Command and Control\r\nT1203 T1542.003 T1573.001\r\nT1059.003 T1036.005 T1071.001\r\nT1204.001 T1550.002 T1102.002\r\nT1059.001 T1550.001 T1090.003\r\nT1204.002 T1140 T1071.003\r\nT1559.002 T1070.004 T1090.002\r\nPersistence T1070.006 T1092\r\nT1505.003 Credential Access T1105\r\nT1542.003 T1110.003 T1001.001\r\nT1037.001 T1110.001 Exfiltration\r\nT1133 T1003 T1048.002\r\nT1078 T1110 T1030\r\nT1078.004 T1040 T1567\r\nT1137.002 T1528 Impact\r\nT1546.015 T1003.003 T1498\r\nT1098.002 T1003.001\r\nT1547.001 T1056.001\r\nDiscovery\r\nT1057\r\nT1120\r\nT1040\r\nT1083\r\nAttack Flow Diagram: APT Fancy Bear\r\nhttps://www.cyfirma.com/research/apt-profile-fancy-bear-2/\r\nPage 3 of 5\n\nRecently Exploited Vulnerabilities by Fancy Bear\r\nCVE-2023-23397\r\nCVE-2023-38831\r\nCVE-2023-20085\r\nFancy Bear’s Recent Campaign Highlights and Trends\r\nRecent Campaign Highlights\r\nFancy Bear has continued to demonstrate high activity, particularly in targeting entities related to the war in Ukraine and\r\nbroader Western interests.\r\nTargeting Ukrainian Officials and Military Suppliers:\r\nObjective: To gain insight into the Ukrainian military’s supply chain and broader intelligence on the conflict.\r\nMethod: Spearphishing campaigns targeting email accounts of high-ranking Ukrainian officials and executives at\r\ndefense contractors in other countries who supply weapons and equipment to Kyiv.\r\nExploits: They leveraged cross-site scripting (XSS) vulnerabilities in various webmail software products, including\r\nRoundcube, Horde, MDaemon, and 
Zimbra. They also exploited a more recent vulnerability in Roundcube, CVE-2023-43770.\r\nMalware: Custom JavaScript payloads capable of exfiltrating data (email messages, address books, contacts, login history). In some cases they could steal passwords and bypass 2FA by exploiting vulnerabilities that forced password re-entry on spoofed pages.\r\nTargeting Western Logistics and Technology Companies:\r\nObjective: Cyber espionage against companies facilitating foreign aid to Ukraine.\r\nMethod: This campaign was identified in a joint advisory from multiple intelligence agencies across North America, Europe, and Australia. Specific TTPs likely overlap with the group’s general espionage methods.\r\nLeveraging Real Government Documents as Lures:\r\nObjective: To infect and spy on government officials in Central Asia (e.g., Kazakhstan, Kyrgyzstan, Mongolia) and other regions (Israel, India, parts of Europe). This aligns with Russia’s aim to maintain political alignment and counter competing influences in Central Asia.\r\nMethod: Spearphishing using seemingly legitimate documents from the Kazakhstan government (e.g., diplomatic statements, correspondence, internal notes) as lures.\r\nMalware: Files laced with HATVIBE and CHERRYSPY. HATVIBE acts as a loader that fetches and executes CHERRYSPY, which provides persistent, clandestine backdoor access. The infection chain involved malicious Word macro files that downgraded macro security settings and launched the malware. 
This activity shows overlap with ZEBROCY backdoor usage, also attributed to Fancy Bear.\r\nTrends\r\nContinued Focus on Geopolitical Objectives: Their primary motivation remains intelligence gathering in support of Russian geopolitical interests, particularly in the context of the war in Ukraine.\r\nExploitation of Webmail Vulnerabilities: A persistent trend of exploiting vulnerabilities in widely used webmail clients to gain initial access and steal credentials.\r\nSophisticated Phishing and Social Engineering: Phishing lures are highly tailored and often mimic legitimate sources (e.g., Ukrainian news outlets, government documents). The group understands its targets’ interests and leverages current events.\r\nAdaptation and Evasion: Fancy Bear continuously updates its malware and TTPs to evade detection, including switching implants, changing command and control (C2) channels, modifying persistence methods, and using anti-analysis techniques such as code obfuscation, junk data, and clearing event logs.\r\nCredential Harvesting: A core component of their attacks, aimed at stealing login information for persistent access.\r\nBroad Victimology: While the primary focus remains specific geopolitical targets, their campaigns often ensnare a broader range of victims across Europe, Asia, and even Latin America.\r\nUse of Legitimate Infrastructure: They have been known to relay C2 traffic through proxy networks of previously compromised victims and may abuse legitimate cloud services.\r\nDisinformation and Persona Creation: While not always tied to a specific recent campaign, a historical trend for Fancy Bear (e.g., Guccifer 2.0, Fancy Bears’ Hack Team) is to create online personas to disseminate stolen information, sow disinformation, and deflect blame.\r\nTactics, Techniques, and Procedures (TTPs)\r\nFancy Bear’s 
TTPs map to the MITRE ATT\u0026CK framework as follows:\r\nInitial Access:\r\nSpearphishing Attachment/Link (T1566.001/T1566.002): The most common initial access vector. Highly tailored emails carry malicious attachments (e.g., weaponized documents with macros) or links to spoofed webmail login pages or malware drop sites.\r\nExploit Public-Facing Application (T1190): Exploiting vulnerabilities (e.g., XSS in webmail platforms such as Roundcube, Horde, MDaemon, and Zimbra) to execute malicious code in the victim’s browser session.\r\nBrute Force: Password Spraying (T1110.003): Historically used against web services, as seen in the Norwegian parliament hack.\r\nExecution:\r\nUser Execution (T1204.001/T1204.002): Requires the victim to open a malicious document or click a malicious link.\r\nCommand and Scripting Interpreter (T1059): JavaScript executed in the browser context (XSS), and PowerShell (T1059.001) for tasks such as downloading later stages.\r\nScheduled Task/Job (T1053): Tasks that run malware periodically (e.g., HATVIBE executing every four minutes).\r\nUser Execution: Malicious File (T1204.002): Macro-enabled documents that trigger the infection chain once the user opens them and enables content.\r\nPersistence:\r\nBoot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001): Startup folder entries for persistent execution of malware.\r\nAccount Manipulation (T1098): Modifying compromised accounts to retain access, e.g., adding email delegate permissions (T1098.002).\r\nScheduled Task/Job (T1053): Re-establishing malware execution after reboot.\r\nDefense Evasion:\r\nObfuscated Files or Information (T1027): Obfuscating code and adding junk data to encoded strings.\r\nIndicator Removal: Clear Windows Event Logs (T1070.001): Clearing the Security and System event logs to hide activity.\r\nIndicator Removal: Timestomp (T1070.006): Resetting file timestamps to hinder forensic analysis.\r\nProxy (T1090): Routing C2 traffic through the networks of previously compromised victims.\r\nImplant Switching: Frequently rotating implants to avoid detection.\r\nValid Accounts (T1078): Using stolen legitimate 
credentials.\r\nCredential Access:\r\nOS Credential Dumping (T1003): Dumping credentials and hashes from compromised systems, e.g., from LSASS memory (T1003.001) with tools such as Mimikatz and ProcDump, or capturing them through keylogging (T1056.001).\r\nPhishing for Information: Spearphishing Link (T1598.003): Direct harvesting of credentials via spoofed login pages.\r\nDiscovery:\r\nSystem Information Discovery (T1082): Profiling the compromised environment.\r\nNetwork Share Discovery (T1135): Enumerating mapped network drives and shares.\r\nCollection:\r\nData from Local System (T1005): Stealing email messages, address books, contacts, and login histories.\r\nScreen Capture (T1113): Taking screenshots of the victim’s machine.\r\nExfiltration:\r\nExfiltration Over C2 Channel (T1041): Sending collected data back to C2 servers.\r\nExfiltration to Cloud Storage (T1567.002): Known to use services such as Google Drive for data exfiltration.\r\nCommand and Control (C2):\r\nNon-Application Layer Protocol (T1095): Using protocols below the application layer for C2 communication.\r\nApplication Layer Protocol: Web Protocols (T1071.001): Utilizing HTTP/HTTPS for C2.\r\nWeb Service (T1102): Abusing legitimate cloud services for C2 communication.\r\nSource: https://www.cyfirma.com/research/apt-profile-fancy-bear-2/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cyfirma.com/research/apt-profile-fancy-bear-2/"
	],
	"report_names": [
		"apt-profile-fancy-bear-2"
	],
	"threat_actors": [
		{
			"id": "d0d996a0-98e2-49fd-b55e-97ba053c4ed0",
			"created_at": "2024-07-25T02:00:04.423466Z",
			"updated_at": "2026-04-10T02:00:03.679863Z",
			"deleted_at": null,
			"main_name": "UAC-0063",
			"aliases": [],
			"source_name": "MISPGALAXY:UAC-0063",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434376,
	"ts_updated_at": 1775826686,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ab3849c04079b07c21c5659f2df72281a236a008.pdf",
		"text": "https://archive.orkl.eu/ab3849c04079b07c21c5659f2df72281a236a008.txt",
		"img": "https://archive.orkl.eu/ab3849c04079b07c21c5659f2df72281a236a008.jpg"
	}
}