APT28 Hacker Group Attacking Europe, Americas, and Asia In Phishing Campaigns

APT28, a Russia-linked threat actor, has been tied to multiple ongoing phishing campaigns that use lure documents impersonating government and non-governmental organizations (NGOs). The impersonated organizations span Europe, the South Caucasus, Central Asia, and North and South America.

According to an IBM X-Force report released last week, "The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production."

The technology company is tracking the activity under the name ITG05. The group is also known as Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (previously Strontium), FROZENLAKE, Iron Twilight, Pawn Storm, Sednit, Sofacy, TA422, and UAC-028.

The disclosure comes more than three months after the adversary was caught using decoys related to the ongoing Israel-Hamas conflict to deploy a custom backdoor known as HeadLace.

APT28 has since targeted Ukrainian government bodies and Polish enterprises with phishing emails aimed at deploying tailored exploits and information stealers such as MASEPIE, OCEANMAP, and STEEL HOOK.

Other campaigns have exploited a security vulnerability in Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) to steal NT LAN Manager (NTLM) v2 hashes. This raises the likelihood that the threat actor will exploit further weaknesses to exfiltrate NTLMv2 hashes for use in relay attacks.


The most recent campaigns, which IBM X-Force observed between late November 2023 and February 2024, abuse the "search-ms:" URI protocol handler in Microsoft Windows to trick users into downloading malware hosted on actor-controlled WebDAV servers.
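
A defender-side check for the delivery technique described above, as an added example that is not taken from the IBM X-Force report or this article: it scans message or page markup for "search-ms:" URIs whose search location points at a remote host rather than a local folder. The `crumb=location:` parameter layout, the function names, and the `example.invalid` hosts in the constructed sample are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# A search-ms URI runs until whitespace, a quote or an angle bracket.
URI_RE = re.compile(r"\bsearch-ms:[^\s\"'<>]+", re.IGNORECASE)
# Assumed layout: the search scope is carried as crumb=location:<path>.
LOCATION_RE = re.compile(r"crumb=location:([^&]+)", re.IGNORECASE)
# Remote scope: UNC path (\\host or //host) or an http(s) URL. The host ends
# at a separator, or at '@' / ':' (WebDAV UNC forms such as host@SSL, host@80).
REMOTE_RE = re.compile(r"^(?:\\\\|//|https?://)([^\\/@:]+)", re.IGNORECASE)


def fully_unquote(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded paths (%255C) are seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_remote_search_uris(text):
    """Return (raw_uri, host) for each search-ms URI with a remote location."""
    hits = []
    for match in URI_RE.finditer(text):
        raw = match.group(0)
        # Undo HTML attribute escaping of '&' first, then percent-encoding.
        decoded = fully_unquote(raw.replace("&amp;", "&"))
        for location in LOCATION_RE.findall(decoded):
            remote = REMOTE_RE.match(location.strip())
            if remote:
                hits.append((raw, remote.group(1).lower()))
    return hits


# Constructed sample markup (not real indicators): one remote WebDAV scope,
# one local scope, and one double-encoded remote scope.
SAMPLE = '''
<a href="search-ms:query=invoice&amp;crumb=location:%5C%5Cfiles.example.invalid%40SSL%5CDavWWWRoot%5Cdocs&amp;displayname=Documents">Open</a>
<a href="search-ms:query=report&crumb=location:C%3A%5CUsers%5CPublic">Local</a>
<a href="SEARCH-MS:query=x&crumb=location:%255C%255Cdav.example.invalid%255Cshare">Open</a>
'''

if __name__ == "__main__":
    for uri, host in find_remote_search_uris(SAMPLE):
        print(f"remote search scope -> {host}: {uri[:60]}...")
```

The same function can be run over mail-gateway or proxy content; the extracted hosts are the values to compare against allow-lists or outbound WebDAV telemetry.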

There are indications that both the WebDAV servers and the MASEPIE C2 servers may be hosted on compromised Ubiquiti routers. These devices were part of a botnet that U.S. authorities took down last month.

The phishing attempts spoof institutions from a range of nations: Argentina, Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, Azerbaijan, and the United States. The campaigns also use a combination of authentic, publicly available government and non-government lure documents to trigger the infection chains.

Security researchers Joe Fasulo, Claire Zaboeva, and Golo Mühr said, "In an update to their methodologies, ITG05 is utilizing the freely available hosting provider, firstcloudit[.]com to stage payloads to enable ongoing operations."

APT28's elaborate infection chain culminates in the execution of MASEPIE, OCEANMAP, and STEEL HOOK, which are designed to exfiltrate files, run arbitrary commands, and collect browser data. OCEANMAP has been described as a more capable version of CredoMap, an earlier backdoor previously reported as used by the group.

The authors of the study said, "ITG05 remains adaptable to changes in opportunity by delivering new infection methodologies and leveraging commercially available infrastructure, while consistently evolving malware capabilities."