APT28 Remains One of the World's Most Active Threat Groups
Russia's Fancy Bear — also tracked as APT28, Forest Blizzard, and Pawn Storm — continues to demonstrate why it is considered one of the most dangerous and persistent cyber-espionage groups operating today. Two new pieces of research from Trend Micro, combined with a fresh warning from the FBI, paint a picture of a threat actor that has lost none of its aggression after more than two decades of operations.
Fancy Bear is widely assessed to be operating under the direction of Russian military intelligence, the GRU. The group has been active since the mid-2000s and has been implicated in attacks against Ukrainian critical infrastructure, interference in the 2016 US presidential election, and sustained espionage campaigns against NATO governments and Western defense industries. Its toolkit spans sophisticated phishing, credential theft, exploitation of critical vulnerabilities — including zero-days — and, more recently, destructive sabotage capabilities.
Two Recent Campaigns Dissected by Trend Micro
Operation Prismex: Targeting the Defense Supply Chain
On March 26, Trend Micro published a blog post describing a malware framework it calls Prismex, which APT28 has deployed against the defense supply chains of Ukraine and several of its allies, including the Czech Republic, Poland, Romania, Slovakia, Slovenia, and Turkey.
Prismex is a multi-component toolkit that leverages two Microsoft vulnerabilities: a confirmed Windows zero-day tracked as CVE-2026-21513 and a Microsoft Office bug identified as CVE-2026-21509. The campaign was observed as far back as September 2025 and intensified in January 2026. According to Trend Micro, "Prismex combines advanced steganography, component object model (COM) hijacking, and legitimate cloud service abuse for command and control."
Beyond standard espionage capabilities, Prismex also contains sabotage functionality, including wiper commands. This dual-use design is consistent with APT28's more recent operational pattern, which blends intelligence collection with the ability to cause direct disruption or destruction.
NTLMv2 Hash Relay Attacks Against Global Targets
A follow-up Trend Micro blog post published on April 3 focused on Pawn Storm's use of NTLMv2 hash relay attacks, carried out between April 2022 and November 2023 against a broad set of global targets. In these attacks, APT28 intercepted and relayed authentication credentials between a target system and a victim in order to capture logins without requiring the user's actual password.
The mechanism relied on a critical Outlook vulnerability, CVE-2023-23397, which has since been patched. Attackers sent victims a malicious calendar invite via a .msg file, triggering a vulnerable API endpoint. As Trend Micro explained: "When the victim connects to the attacker's SMB server, the connection to the remote server sends the user's NTLM protocol negotiation message containing the user's Net-NTLMv2 hash, which the attacker can use for authentication against other systems that support NTLM authentication."
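The network-level symptom of the leak described above is an internal host opening an SMB connection to an address outside the organisation's own ranges. The following Python is an added defensive example, not code from Trend Micro or Microsoft; the firewall log format, the internal ranges and all addresses are constructed for illustration.

```python
"""Flag outbound SMB (TCP/445) flows from internal hosts to addresses outside
the organisation's own networks, the observable side-effect of a Net-NTLMv2
hash leak such as the one triggered through CVE-2023-23397.
Added example: the log format and addresses below are constructed."""
import ipaddress
import re
from dataclasses import dataclass

# Address space the organisation considers internal (constructed, RFC 1918).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall log lines: timestamp src:port -> dst:port proto action
SAMPLE_LOG = """\
2023-06-01T09:14:02Z 10.20.30.41:50213 -> 10.20.30.5:445 tcp allow
2023-06-01T09:14:07Z 10.20.30.41:50214 -> 203.0.113.17:445 tcp allow
2023-06-01T09:14:09Z 10.20.30.88:50311 -> 198.51.100.9:443 tcp allow
2023-06-01T09:15:33Z 10.20.30.41:50220 -> 198.51.100.77:445 tcp deny
2023-06-01T09:16:01Z 192.168.1.10:49160 -> 192.0.2.200:445 tcp allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+) (?P<action>\w+)$"
)

@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    action: str

def is_external(addr: str) -> bool:
    """True when the address falls outside every internal network."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)

def find_smb_egress(log_text: str) -> list[Alert]:
    """One Alert per TCP/445 flow to an external destination. Denied flows are
    kept as well: a blocked attempt still names the host that tried to
    authenticate outward and is worth an investigation."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        if m["proto"] != "tcp" or m["dport"] != "445":
            continue
        if is_external(m["dst"]):
            alerts.append(Alert(m["ts"], m["src"], m["dst"], m["action"]))
    return alerts

if __name__ == "__main__":
    for a in find_smb_egress(SAMPLE_LOG):
        print(f"{a.ts} {a.src} -> {a.dst}:445 ({a.action})")
```

Blocking TCP/445 egress at the perimeter is the corresponding preventive control; this check shows which hosts are still attempting it.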
Later in 2023, APT28 also conducted credential-targeting phishing campaigns against European government entities, alongside spear-phishing and brute-force attacks. To obscure its origins, the group made use of VPNs, Tor, data center IP addresses, and compromised EdgeOS routers.
FBI and Global Partners Warn of Router Hijacking
On Tuesday, the FBI issued a warning that Russia's GRU, acting through Fancy Bear, has been exploiting routers to steal credentials from organizations around the world. The agency specifically called out TP-Link routers compromised via CVE-2023-50224. Since at least 2024, GRU-linked actors have altered device configurations to introduce attacker-controlled DNS resolvers and set up adversary-in-the-middle attacks against encrypted traffic, particularly when users bypassed certificate error warnings.
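Two checks follow from the router tampering described above: whether hosts are being handed resolvers the organisation does not operate, and whether those resolvers answer differently from a trusted reference for sensitive names. The Python below is an added example, not part of the FBI advisory; the allowlist, lease records and answer tables are constructed.

```python
"""Audit the DNS resolvers offered on a small-office network against an
allowlist and cross-check their answers against a trusted reference, the two
signs of the router-based DNS hijacking described in the advisory.
Added example: every resolver address, hostname and record below is constructed."""
import ipaddress

# Resolvers the organisation or its ISP is known to operate (constructed).
TRUSTED_RESOLVERS = {"192.168.1.1", "10.0.0.53"}

# Constructed DHCP lease observations: host -> resolvers the router offered.
OBSERVED_LEASES = {
    "laptop-01": ["192.168.1.1"],
    "laptop-02": ["192.168.1.1", "203.0.113.200"],  # unexpected secondary
    "printer":   ["203.0.113.200"],                 # fully redirected
}

# Constructed A records: what a trusted resolver returned for sensitive names,
# and what each resolver seen on the network returned for the same names.
REFERENCE_ANSWERS = {"mail.example.com": "198.51.100.10",
                     "sso.example.com": "198.51.100.11"}
RESOLVER_ANSWERS = {
    "192.168.1.1":   {"mail.example.com": "198.51.100.10",
                      "sso.example.com": "198.51.100.11"},
    "203.0.113.200": {"mail.example.com": "192.0.2.66",
                      "sso.example.com": "198.51.100.11"},
}

def untrusted_resolvers(leases: dict, trusted: set) -> dict:
    """Map each resolver not on the allowlist to the hosts pointed at it."""
    flagged: dict = {}
    for host, resolvers in leases.items():
        for r in resolvers:
            ipaddress.ip_address(r)  # fail early on a malformed lease entry
            if r not in trusted:
                flagged.setdefault(r, []).append(host)
    return flagged

def divergent_answers(resolver_answers: dict, reference: dict) -> list:
    """Return (resolver, qname, got, expected) for each answer that disagrees
    with the reference. A redirected mail or single-sign-on name is the
    adversary-in-the-middle tell, even before a certificate warning appears."""
    diffs = []
    for resolver, answers in resolver_answers.items():
        for qname, expected in reference.items():
            got = answers.get(qname)
            if got != expected:
                diffs.append((resolver, qname, got, expected))
    return diffs

if __name__ == "__main__":
    print(untrusted_resolvers(OBSERVED_LEASES, TRUSTED_RESOLVERS))
    print(divergent_answers(RESOLVER_ANSWERS, REFERENCE_ANSWERS))
```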
The FBI also announced that, in coordination with the US Department of Justice, it "recently disrupted a GRU network of compromised small-office home-office (SOHO) routers used to facilitate malicious DNS hijacking operations." The UK's National Cyber Security Centre (NCSC) and other international partners issued similar advisories.
The Breadth of APT28's Targeting
The sectors and entities caught in APT28's crosshairs are strikingly diverse. Trend Micro's research identified victims including:
- European and South American military organizations
- Defense industry entities across North America and beyond
- Energy sector organizations
- Local and national governments, including those of developing countries
- Smaller private-sector companies
Feike Hacquebord, principal threat researcher at TrendAI, told Dark Reading that while some of the research is based on 2024 findings, the lessons are directly relevant for defenders today. Pawn Storm's DNS hijacking network technique, for instance, is more than 20 years old, yet it remains effective. "It tells us that Pawn Storm doesn't shy away from old techniques when they are still effective," Hacquebord said. "Another lesson here is that Pawn Storm targets not only high-profile entities like NATO and the ministries of defense of Western countries but also targets that might be perceived as smaller fish, such as local governments, governments of developing countries, or even smaller companies."
Practical Advice: You Don't Have to Match Their Sophistication
Given APT28's two-decade track record and the full institutional backing of Russian military intelligence, how is any defender — especially a smaller organization — supposed to keep up? According to several security experts, the question itself may be misleading.
Denis Calderone, CTO and principal of Suzu Labs, told Dark Reading that the assumption one must match APT28's level of sophistication is flawed. "You don't," he said. Much of the group's sophistication is deployed post-initial access. Before that point, the tactics it uses are largely the same as those seen from far less capable threat actors: phishing emails, ClickFix prompts, and weak credential exploitation.
Calderone laid out a set of achievable defensive measures:
- Multifactor authentication to stop password spraying
- Patching Microsoft Office to address CVE-2026-21509
- Updating router firmware and changing default credentials to counter the FrostArmada threat cluster
- User awareness training to prevent ClickFix attacks, since "a real CAPTCHA never asks you to open system tools"
He did acknowledge a sober caveat: "The honest caveat is that if those basics fail and APT28 gets inside, a small org without dedicated security operations is going to have a very hard time catching them. That's where managed detection services or sector-specific ISACs become critical."
Zero Trust as a Last Line of Defense
Vishal Agarwal, chief technology officer of Averlon, emphasized that even if APT28 manages to achieve initial access, a well-implemented zero-trust architecture can significantly limit the damage. Zero trust, combined with least-privilege access, strong identity controls, and just-in-time access, can slow or stop lateral movement inside a network.
Seemant Sehgal, founder and CEO of BreachLock, echoed this philosophy, arguing that denying Fancy Bear easy wins is itself a winning strategy. "Fancy Bear's success isn't magic; it's built on exploiting exposed services, weak identity controls, and gaps that most organizations already know exist," Sehgal said. "The organizations that hold up best aren't necessarily the biggest or the best funded, but rather those that continuously reduce attack surface, enforce strong identity, and most importantly, wake up every morning assuming they're already a target."
A Threat That Shows No Signs of Slowing
Trend Micro's research summed up the challenge plainly: "Although Pawn Storm has been active for two decades, it still retains its aggressiveness and determination to break into the networks and emails of high-profile targets around the world." With new malware frameworks, persistent credential theft operations, and ongoing exploitation of consumer-grade network hardware, APT28 continues to evolve even as it recycles proven techniques. For defenders, the message is consistent across all expert guidance: patch aggressively, enforce strong identity, and treat compromise as an assumption rather than a distant possibility.
Source: Dark Reading