Advanced Persistent Threat 28 – Russian State-Sponsored
Executive Summary
APT28 (also known as Fancy Bear and Sofacy) is a Russian state-sponsored advanced persistent threat group primarily focused on espionage, political operations, and military targeting. This report covers their operations as of 2026, including their recent campaigns, tools, TTPs, and target sectors.

Basic Information
- Name: APT28 (Fancy Bear)
- Aliases: Fancy Bear, Sofacy
- MITRE ATT&CK Group ID: G0007
- Country of Origin: Russia
- Threat Level: CRITICAL
- Primary Motivation: State-sponsored espionage, political influence, military targeting

Recent Operations (2025-2026)
European Government and Military (2025-2026):
- European government targeting
- Military institution operations
- NATO organization compromise
- Defense contractor espionage
Ukraine Conflict Operations (2025-2026):
- Ukraine conflict-related operations
- Information warfare campaigns
- Media outlet compromise
- Political targeting
Technology Sector (2025-2026):
- Technology company targeting
- Research institution operations
- University computer network compromise
- Scientific data theft
Primary Tools:
- Cobalt Strike (primary post-exploitation framework)
- Custom malware (Fancy Bear framework)
- Spearphishing campaigns
- Zero-day exploitation
- Credential dumping and Active Directory enumeration (Mimikatz, BloodHound)

TTPs (MITRE ATT&CK Mapping)
Initial Access:
- Phishing (Spearphishing Link, Spearphishing Attachment)
- Exploit publicly available vulnerabilities
- Supply chain compromise
Execution:
- Browser Execution
- PowerShell
- Command and Scripting Interpreter
Persistence:
- Boot/Logon Autostart
- Accessibility Features
- Lateral Tool Transfer
Privilege Escalation:
- Exploitation for Privilege Escalation
- Abuse Elevation Control Mechanism
Defense Evasion:
- Indicator Removal
- File and Directory Permissions Modification
- Obfuscated Files or Information
Credential Access:
- Credential Dumping (LSASS Memory)
- Remote Service Discovery
Discovery:
- Active Directory Enumeration
- Network Service Discovery
Lateral Movement:
- Remote Services (RDP, SMB)
Collection:
- Data from Local System
- Data from Network
Exfiltration:
- Exfiltration Over C2 Channel
- Exfiltration Over Alternative Protocol

Known Campaigns (2025-2026)
Operation 1 (2025):
- Target: European government and military
- Impact: Political influence, information warfare
- Tools: Cobalt Strike, custom malware
Operation 2 (2025):
- Target: Ukraine conflict operations
- Impact: Information warfare, media targeting
- Tools: Cobalt Strike, spearphishing
Operation 3 (2026):
- Target: Technology sector
- Impact: IP theft, research data compromise
- Tools: Cobalt Strike, Mimikatz

Threat Assessment
Threat Level: CRITICAL
Primary Targets:
- Government and military
- Political entities
- Technology sector
- Research institutions
Capabilities:
- Advanced persistent threat
- Information warfare
- Multi-vector attacks
- Long-term persistence
- Political targeting

Sources
- MITRE ATT&CK G0007
- Trellix Threat Intelligence
- CrowdStrike Reports
- NJCCIC
- Wikipedia
- Infosecurity Magazine
- CISA Advisories
- Brandefense
- FortiGuard Labs

Report Generated: 2026-06-10
Intelligence Freshness: Current (as of June 2026)
Classification: Unclassified
