{
	"id": "84d0809a-08f0-4e74-bcdf-df2ba1c4a4ad",
	"created_at": "2026-04-06T01:29:16.896692Z",
	"updated_at": "2026-04-10T03:37:50.665396Z",
	"deleted_at": null,
	"sha1_hash": "abeb7e20379dfd5a942e4935e8e4b45203f1f155",
	"title": "APT28 Hacker Group Targeting Europe, Americas, Asia in Widespread Phishing Scheme",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 224587,
	"plain_text": "APT28 Hacker Group Targeting Europe, Americas, Asia in Widespread Phishing Scheme\r\nBy The Hacker News\r\nPublished: 2024-03-18 · Archived: 2026-04-06 00:25:25 UTC\r\nThe Russia-linked threat actor known as APT28 has been linked to multiple ongoing phishing campaigns that employ lure documents imitating government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America.\r\n\"The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production,\" IBM X-Force said in a report published last week.\r\nThe tech company is tracking the activity under the moniker ITG05, which is also known as Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Pawn Storm, Sednit, Sofacy, TA422, and UAC-0028.\r\nhttps://thehackernews.com/2024/03/apt28-hacker-group-targeting-europe.html?m=1\r\nPage 1 of 4\r\nThe disclosure comes more than three months after the adversary was spotted using decoys related to the ongoing Israel-Hamas war to deliver a custom backdoor dubbed HeadLace.\r\nAPT28 has since also targeted Ukrainian government entities and Polish organizations with phishing messages designed to deploy bespoke implants and information stealers like MASEPIE, OCEANMAP, and STEELHOOK.\r\nOther campaigns have entailed the exploitation of security flaws in Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) to plunder NT LAN Manager (NTLM) v2 hashes, raising the possibility that the threat actor may leverage other weaknesses to exfiltrate NTLMv2 hashes for use in relay attacks.\r\nThe latest campaigns observed by IBM X-Force between late November 2023 and February 2024 take advantage of the \"search-ms:\" URI protocol handler in Microsoft Windows to trick victims into downloading malware hosted on actor-controlled WebDAV servers.\r\nThere is evidence to suggest that both the WebDAV servers and the MASEPIE C2 servers may be hosted on compromised Ubiquiti routers; a botnet built from such routers was taken down by the U.S. government last month.\r\nThe phishing attacks impersonate entities from several countries such as Argentina, Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, Azerbaijan, and the U.S., putting to use a mix of authentic publicly available government and non-government lure documents to activate the infection chains.\r\n\"In an update to their methodologies, ITG05 is utilizing the freely available hosting provider, firstcloudit[.]com to stage payloads to enable ongoing operations,\" security researchers Joe Fasulo, Claire Zaboeva, and Golo Mühr said.\r\nThe climax of APT28's elaborate scheme is the execution of MASEPIE, OCEANMAP, and STEELHOOK, which are designed to exfiltrate files, run arbitrary commands, and steal browser data.\r\nOCEANMAP has been characterized as a more capable version of CredoMap, another backdoor previously identified as used by the group.\r\n\"ITG05 remains adaptable to changes in opportunity by delivering new infection methodologies and leveraging commercially available infrastructure, while consistently evolving malware capabilities,\" the researchers concluded.\r\nSource: https://thehackernews.com/2024/03/apt28-hacker-group-targeting-europe.html?m=1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://thehackernews.com/2024/03/apt28-hacker-group-targeting-europe.html?m=1"
	],
	"report_names": [
		"apt28-hacker-group-targeting-europe.html?m=1"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438956,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/abeb7e20379dfd5a942e4935e8e4b45203f1f155.pdf",
		"text": "https://archive.orkl.eu/abeb7e20379dfd5a942e4935e8e4b45203f1f155.txt",
		"img": "https://archive.orkl.eu/abeb7e20379dfd5a942e4935e8e4b45203f1f155.jpg"
	}
}