🇷🇺 APT28
🇷🇺 APT28 is a tracked threat actor in the Clankerusecase corpus. Attributed to RU. Primary motivation: State. We map 26 detection use cases to this actor across 154 MITRE ATT&CK techniques, with 9 threat-intel articles citing them. Active in our corpus from 2026-02-13 to 2026-06-12.
Severity: crit 8, high 1
26 use cases
9 articles
154 techniques
5 IOCs
Known aliases
APT28, Fancy Bear, Sofacy, Sednit, STRONTIUM, Forest Blizzard, Pawn Storm, Tsar Team, GRU Unit 26165, IRON TWILIGHT, SNAKEMACKEREL, Swallowtail, Group 74, Threat Group-4127, TG-4127, FROZENLAKE, GruesomeLarch
All other tracked techniques
T1001 · Data Obfuscation
T1001.001 · Junk Data
T1003 · OS Credential Dumping
T1003.001 · LSASS Memory
T1003.003 · NTDS
T1005 · Data from Local System
T1014 · Rootkit
T1021.002 · SMB/Windows Admin Shares
T1025 · Data from Removable Media
T1027 · Obfuscated Files or Information
T1027.002 · Software Packing
T1027.005 · Indicator Removal from Tools
T1027.009 · Embedded Payloads
T1027.013 · Encrypted/Encoded File
T1030 · Data Transfer Size Limits
T1036 · Masquerading
T1036.005 · Match Legitimate Resource Name or Location
T1037.001 · Logon Script (Windows)
T1039 · Data from Network Shared Drive
T1040 · Network Sniffing
T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
T1053.005 · Scheduled Task
T1055 · Process Injection
T1055.012 · Process Hollowing
T1056.001 · Keylogging
T1057 · Process Discovery
T1059.001 · PowerShell
T1059.003 · Windows Command Shell
T1059.005 · Visual Basic
T1059.007 · JavaScript
T1068 · Exploitation for Privilege Escalation
T1070 · Indicator Removal
T1070.004 · File Deletion
T1070.006 · Timestomp
T1071 · Application Layer Protocol
T1071.001 · Web Protocols
T1071.003 · Mail Protocols
T1071.004 · DNS
T1074.001 · Local Data Staging
T1074.002 · Remote Data Staging
T1078 · Valid Accounts
T1078.002 · Domain Accounts
T1078.004 · Cloud Accounts
T1082 · System Information Discovery
T1083 · File and Directory Discovery
T1087 · Account Discovery
T1090.002 · External Proxy
T1090.003 · Multi-hop Proxy
T1091 · Replication Through Removable Media
T1092 · Communication Through Removable Media
T1095 · Non-Application Layer Protocol
T1098 · Account Manipulation
T1098.001 · Additional Cloud Credentials
T1098.002 · Additional Email Delegate Permissions
T1102 · Web Service
T1102.002 · Bidirectional Communication
T1105 · Ingress Tool Transfer
T1110 · Brute Force
T1110.001 · Password Guessing
T1110.003 · Password Spraying
T1113 · Screen Capture
T1114.002 · Remote Email Collection
T1115 · Clipboard Data
T1119 · Automated Collection
T1120 · Peripheral Device Discovery
T1129 · Shared Modules
T1133 · External Remote Services
T1134.001 · Token Impersonation/Theft
T1137.002 · Office Test
T1140 · Deobfuscate/Decode Files or Information
T1176 · Software Extensions
T1189 · Drive-by Compromise
T1195.002 · Compromise Software Supply Chain
T1199 · Trusted Relationship
T1203 · Exploitation for Client Execution
T1204.001 · Malicious Link
T1204.004 · Malicious Copy and Paste
T1210 · Exploitation of Remote Services
T1211 · Exploitation for Stealth
T1213 · Data from Information Repositories
T1213.002 · Sharepoint
T1218 · System Binary Proxy Execution
T1218.011 · Rundll32
T1219 · Remote Access Tools
T1221 · Template Injection
T1417.002 · T1417.002
T1437.001 · T1437.001
T1456 · T1456
T1480 · Execution Guardrails
T1486 · Data Encrypted for Impact
T1489 · Service Stop
T1490 · Inhibit System Recovery
T1498 · Network Denial of Service
T1505.003 · Web Shell
T1528 · Steal Application Access Token
T1539 · Steal Web Session Cookie
T1542.003 · Bootkit
T1543.003 · Windows Service
T1546.015 · Component Object Model Hijacking
T1546.016 · Installer Packages
T1547.001 · Registry Run Keys / Startup Folder
T1550 · Use Alternate Authentication Material
T1550.001 · Application Access Token
T1550.002 · Pass the Hash
T1552.001 · Credentials In Files
T1555.003 · Credentials from Web Browsers
T1556 · Modify Authentication Process
T1557.004 · Evil Twin
T1558 · Steal or Forge Kerberos Tickets
T1558.003 · Kerberoasting
T1559.002 · Dynamic Data Exchange
T1560 · Archive Collected Data
T1560.001 · Archive via Utility
T1562.001 · T1562.001
T1562.002 · T1562.002
T1562.004 · T1562.004
T1562.006 · T1562.006
T1562.009 · T1562.009
T1564 · Hide Artifacts
T1564.001 · Hidden Files and Directories
T1564.003 · Hidden Window
T1566.001 · Spearphishing Attachment
T1566.002 · Spearphishing Link
T1566.004 · Spearphishing Voice
T1567 · Exfiltration Over Web Service
T1567.002 · Exfiltration to Cloud Storage
T1568.002 · Domain Generation Algorithms
T1569.002 · Service Execution
T1573.001 · Symmetric Cryptography
T1573.002 · Asymmetric Cryptography
T1574.002 · T1574.002
T1583.001 · Domains
T1583.003 · Virtual Private Server
T1583.006 · Web Services
T1584.008 · Network Devices
T1586.002 · Email Accounts
T1587.001 · Malware
T1588.002 · Tool
T1588.007 · Artificial Intelligence
T1589.001 · Credentials
T1591 · Gather Victim Org Information
T1595.002 · Vulnerability Scanning
T1596 · Search Open Technical Databases
T1598 · Phishing for Information
T1598.003 · Spearphishing Link
T1646 · T1646
T1649 · Steal or Forge Authentication Certificates
T1660 · T1660
T1669 · Wi-Fi Networks
T1684.001 · Impersonation
T1685.005 · Clear Windows Event Logs
Detection use cases (26)
APT28 (Forest Blizzard) Outlook NTLM coercion via CVE-2023-23397 — outbound SMB from outlook.exe to non-corporate IPs
APT28 (Forest Blizzard) GooseEgg post-compromise loader — spoolsv.exe spawning scripting hosts with wayzgoose / execute.bat artifacts (CVE-2
Asset exposure — vulnerability matches article CVE(s)
Network connections to article IPs / domains
File hash IOCs — endpoint file/process match
NoName057(16) DDoSia client check-in (/client/login, /client/get_targets)
World Cup 2026 themed lookalike / typosquat domain resolution by corporate hosts
Beaconing — periodic outbound to small set of destinations
Infostealer — non-browser process accessing browser cookie/login DBs
Phishing-link click correlated to endpoint execution
Email attachment opened from external sender
Office app spawning script/LOLBin child process
Microsoft Teams external-tenant chat from unverified IT-helpdesk impersonator
RMM tool installed by non-IT user — remote-access utility for hands-on-keyboard
1Password activity from Tor exit node
1Password failed sign-in burst
1Password impossible-travel sign-in
Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min)
Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes
Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload)
Developer interpreter / package-manager process exfiltrating tokens to public code-hosting / worker domains
Developer package install spawning script-host with non-registry C2 within 5 minutes
Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint
Edge-service post-exploitation chain: internet-facing daemon → child shell or token redemption within 10 min of external request
Install-Triggered Registry Publish or Git Push (Supply-Chain Worm Self-Propagation)
Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit)
Threat-intel articles (9)
high Fancy Bear Hackers Abuse EdgeRouters and Cloud Services to Launch Stealthy Cyberattacks · 2026-06-12
crit ESET APT Activity Report Q4 2025–Q1 2026 · 2026-05-28
crit GopherWhisper: A burrow full of malware · 2026-04-23
crit EDR killers explained: Beyond the drivers · 2026-03-19
crit Sednit reloaded: Back in the trenches · 2026-03-10
Tracked indicators
Domains (4)
freefoodaid.com, longsauce.com, wellnesscaremed.com, wellnessmedcare.org
IP addresses (1)
43.231.113.50
CVEs (3)
CVE-2022-26923, CVE-2023-50224, CVE-2026-21509