tldrdailynews.com logo
Tag

Apt28

All articles tagged with #apt28

Windows 0-Click Flaw Bypasses SmartScreen; Patch Leaves NTLM Exposure
cyber-security-news27 days ago

Windows 0-Click Flaw Bypasses SmartScreen; Patch Leaves NTLM Exposure

APT28 exploited a Windows Shell 0-click vulnerability chain (CVE-2026-21510 and CVE-2026-21513) via a weaponized LNK file to bypass Defender SmartScreen and load a CPL component without user interaction; Microsoft patched the RCE path in the April 2026 Patch Tuesday by adding ControlPanelLinkSite and a trust-verification flag, but a residual flaw (CVE-2026-32202) allows NTLM authentication to be triggered during UNC-path resolution when opening a folder containing the LNK, enabling credential exposure. Defenders should apply the April 2026 updates immediately, monitor outbound SMB traffic, enforce NTLMv2 or Kerberos, and perform regression testing to prevent patch regressions.

via CyberSecurityNews|
#apt28#cve-2026-21510#cve-2026-32202
Russian Hackers Exploit Fresh Office Flaw Hours After Patch
security3 months ago

Russian Hackers Exploit Fresh Office Flaw Hours After Patch

Within 48 hours of Microsoft issuing an urgent Office patch for CVE-2026-21509, the Russian-state group APT28 launched a fast, in-memory, fileless campaign that installed new backdoors (BeardShell and NotDoor) via staged spear-phishing across nine countries, targeting defense ministries, transportation operators, and diplomatic entities, with command-and-control hosted on legitimate cloud services to evade detection.

via Ars Technica|
#apt28#cve-2026-21509#cyberespionage
APT28 weaponizes Office flaw in Neusploit to deploy Covenant Grunt
security3 months ago

APT28 weaponizes Office flaw in Neusploit to deploy Covenant Grunt

Russia-linked APT28 is exploiting CVE-2026-21509 in Microsoft Office as part of Operation Neusploit, delivering two droppers through malicious RTFs: MiniDoor, an Outlook email stealer, and PixyNetLoader, which loads Covenant Grunt via a steganography-delivered shellcode loader; attacks target Ukraine, Slovakia, and Romania with region- and UA-based checks, and show overlaps with earlier Phantom Net Voxel activity.

via The Hacker News|
#apt28#covenant-grunt#cve-2026-21509
APT28 weaponizes patched Office flaw to target Ukraine and EU governments
technology3 months ago

APT28 weaponizes patched Office flaw to target Ukraine and EU governments

Russian-linked APT28 is exploiting a patched Microsoft Office zero-day (CVE-2026-21509) to attack Ukraine and EU government targets, deploying malicious Word documents that trigger a WebDAV download chain and COM hijacking to load Covenant via EhStoreShell.dll and a hidden image payload, with C2 through Filen cloud storage. The campaign, which impersonated entities like Ukraine's Hydrometeorological Center and EU COREPER, appears broader than Ukraine. Patch all affected Office versions promptly and restart apps after updates; if patching isn't possible, apply registry mitigations; Defender's Protected View provides additional defense against Internet-origin Office files.

via BleepingComputer|
#apt28#com-hijacking#cve-2026-21509
Russian Spies Exploit Wi-Fi for Unprecedented Network Hopping Hack
cybersecurity1 year ago

Russian Spies Exploit Wi-Fi for Unprecedented Network Hopping Hack

Russian military hackers, part of the GRU, have developed a novel Wi-Fi hacking technique called a "nearest neighbor attack," allowing them to breach networks remotely without leaving Russian soil. This method involves hacking into a nearby network and using its devices to access the target network, as discovered by cybersecurity firm Volexity during a 2022 investigation in Washington, DC. The attack highlights the evolving threat of cyber espionage and the need for enhanced Wi-Fi security measures.

via WIRED|
#apt28#cyber-espionage#cybersecurity
Russian Hackers Disrupted After Targeting Europe and Ukraine with Malware and Phishing
cyber-attack-credential-harvesting2 years ago

Russian Hackers Disrupted After Targeting Europe and Ukraine with Malware and Phishing

The Russian GRU-backed APT28 group, also known as BlueDelta, has been targeting European networks, particularly in Ukraine, with the HeadLace malware and credential-harvesting web pages. The campaigns, running from April to December 2023, utilized spear-phishing emails and sophisticated multi-stage infection sequences. BlueDelta's operations aimed to gather intelligence on military-related entities, employing various techniques including geofencing, legitimate internet services, and compromised Ubiquiti routers. The group's activities reflect a broader strategy to influence military tactics and regional policies amidst ongoing aggression against Ukraine.

via The Hacker News|
#apt28#credential-harvesting#cyber-attack-credential-harvesting
"APT28 Hacker Group's Global Phishing Campaign Exposed"
cybersecurity2 years ago

"APT28 Hacker Group's Global Phishing Campaign Exposed"

APT28, a Russia-linked threat actor, has been conducting widespread phishing campaigns targeting organizations in Europe, the Americas, and Asia by using lure documents imitating government and non-governmental entities. The group, also known as ITG05, has been deploying various malware such as MASEPIE, OCEANMAP, and STEELHOOK to exfiltrate files, run arbitrary commands, and steal browser data. They have been leveraging security flaws in Microsoft Outlook and the "search-ms:" URI protocol handler in Microsoft Windows to trick victims into downloading malware. Additionally, they have been using compromised Ubiquiti routers to host their servers. The phishing attacks impersonate entities from multiple countries and utilize a mix of authentic publicly available government and non-government lure documents to activate the infection chains.

via The Hacker News|
#apt28#cyber-attacks#cybersecurity
"Russian Cyberattacks Unleash OCEANMAP, MASEPIE, and STEELHOOK Malware on Ukraine"
cybersecurity2 years ago

"Russian Cyberattacks Unleash OCEANMAP, MASEPIE, and STEELHOOK Malware on Ukraine"

The Ukrainian Computer Emergency Response Team (CERT-UA) has detected a new phishing campaign by the Russian APT28 group, targeting Ukrainian and Polish entities to distribute novel malware strains OCEANMAP, MASEPIE, and STEELHOOK. These malware tools are designed to steal sensitive information, with MASEPIE enabling file transfers and command execution, STEELHOOK extracting web browser data, and OCEANMAP acting as a backdoor for command execution. The campaign uses deceptive emails to initiate the infection, leveraging PowerShell and the IMAP protocol for control and persistence. This follows recent reports of APT28 exploiting a critical Outlook security flaw and using war-related lures for other cyberattacks.

via The Hacker News|
##apt28#cyberattack
Russian Hackers Exploit Critical Outlook Vulnerability, Microsoft Warns
email-security-vulnerability2 years ago

Russian Hackers Exploit Critical Outlook Vulnerability, Microsoft Warns

Microsoft has warned of Kremlin-backed threat actor APT28, also known as Forest Blizzard, exploiting a critical security flaw in its Outlook email service. The vulnerability, CVE-2023-23397, allowed unauthorized access to victims' accounts within Exchange servers. The goal of the attacks is to gain unauthorized access to mailboxes belonging to public and private entities. The threat actor modifies folder permissions within the victim's mailbox, enabling them to extract valuable information from high-value targets. Microsoft has patched the vulnerability, but APT28 continues to refine its techniques and poses long-term challenges to attribution and tracking.

via The Hacker News|
#apt28#email-security-vulnerability#kremlin-backed
Russian State Hackers Target Critical Networks in France and Europe with Webmail Exploits
cybersecurity2 years ago

Russian State Hackers Target Critical Networks in France and Europe with Webmail Exploits

The Russian APT28 hacking group, also known as Strontium or Fancy Bear, has been targeting critical networks in France since the second half of 2021. The group, believed to be part of Russia's military intelligence service GRU, has been using various techniques, including exploiting vulnerabilities in WinRAR and Microsoft Outlook, compromising peripheral devices, and utilizing legitimate cloud services for command and control infrastructure. The French National Agency for the Security of Information Systems (ANSSI) has published a report detailing the group's activities and recommends a comprehensive approach to security, with a focus on email security.

via BleepingComputer|
#apt28#cyber-espionage#cybersecurity
Russian Hackers Conducting Phishing Attacks in Ukraine, Warns Google TAG.
cybersecurity3 years ago

Russian Hackers Conducting Phishing Attacks in Ukraine, Warns Google TAG.

Google's Threat Analysis Group (TAG) has warned of large-volume phishing campaigns aimed at hundreds of users in Ukraine by elite hackers associated with Russia's military intelligence service. The state-sponsored cyber actor, also tracked as APT28 and FROZENLAKE, has been active since at least 2009, targeting media, governments, and military entities for espionage. The latest intrusion set involved the use of reflected cross-site scripting (XSS) attacks in various Ukrainian government websites to redirect users to phishing domains and capture their credentials. Other threat actors of interest include FROZENBARENTS and PUSHCHA, both of which are known to act on behalf of Russian interests.

via The Hacker News|
#apt28#cybersecurity#frozenlake
"U.S. and U.K. Issue Warnings on Russian Hackers Targeting Infrastructure"
network-security-cyber-espionage3 years ago

"U.S. and U.K. Issue Warnings on Russian Hackers Targeting Infrastructure"

U.S. and U.K. intelligence agencies have warned of Russian hackers exploiting now-patched flaws in Cisco networking equipment to conduct reconnaissance and deploy malware against select targets. The activity has been attributed to APT28, which is affiliated with the Russian General Staff Main Intelligence Directorate (GRU). The threat actor weaponized the vulnerability to deploy a non-persistent malware dubbed Jaguar Tooth on Cisco routers that's capable of gathering device information and enabling unauthenticated backdoor access. The attacks are part of a broader campaign against aging networking appliances and software from a variety of vendors to "advance espionage objectives or pre-position for future destructive activity."

via The Hacker News|
#apt28#cisco#cybersecurity
Western Infrastructure at Risk: US, UK, and Russia Warn of Government Hackers and Cyber Attacks.
cybersecurity3 years ago

Western Infrastructure at Risk: US, UK, and Russia Warn of Government Hackers and Cyber Attacks.

APT28, a Russian state-sponsored hacking group, has been deploying a custom malware named 'Jaguar Tooth' on Cisco IOS routers to gain unauthenticated access to the device. The malware is injected directly into the memory of Cisco routers running older firmware versions and exfiltrates information from the router while providing backdoor access. The threat actors exploit the CVE-2017-6742 SNMP vulnerability to install the malware. Cisco recommends upgrading routers to the latest firmware, switching from SNMP to NETCONF/RESTCONF, and configuring allow and deny lists to restrict access to the SNMP interface.

via BleepingComputer|
#apt28#cisco#cyber-espionage