G0007: APT28

APT28 has used the ntdsutil.exe utility to export the Active Directory database for credential access.[2]

APT28 has harvested user's login credentials.CitationMicrosoft Targeting Elections September 2020

APT28 has used large language models (LLMs) to gather information about satellite capabilities.CitationMSFT-AICitationOpenAI-CTI

APT28 has saved files with hidden file attributes.[15][15]

APT28 hosted phishing domains on free services for brief periods of time during campaigns.[16]

APT28 has used large language models (LLMs) to assist in script development and deployment.CitationMSFT-AICitationOpenAI-CTI

APT28 registered domains imitating NATO, OSCE security websites, Caucasus information resources, and other organizations.[6][14]CitationGoogle TAG Ukraine Threat Landscape March 2022

APT28 has performed timestomping on victim files.[5]

APT28 used other victims as proxies to relay command traffic, for instance using a compromised Georgian military email server as a hop point to NATO victims. The group has also used a tool that acts as a proxy to allow C2 even if the victim is behind a router. APT28 has also used a machine to relay and obscure communications between CHOPSTICK and their server.[6]CitationBitdefender APT28 Dec 2015[3]

APT28 sent spearphishing emails containing malicious Microsoft Office and RAR attachments.CitationUnit 42 Sofacy Feb 2018[10][11][3][17][18][19][20]CitationCato LAMEHUG JUL 2025

APT28 downloads and executes PowerShell scripts and performs PowerShell commands.[11][19][2]

APT28 has exfiltrated archives of collected data previously staged on a target's OWA server via HTTPS.[2]

APT28 has deployed malware that has copied itself to the startup directory for persistence.[19]

APT28 encrypted a .dll payload using RTL and a custom encryption algorithm. APT28 has also obfuscated payloads with base64, XOR, and RC4.CitationBitdefender APT28 Dec 2015CitationUnit 42 Sofacy Feb 2018[11][15][18]

APT28 has exploited Microsoft Office vulnerability CVE-2017-0262 for execution.[17]

APT28 has used compromised email accounts to send credential phishing emails.CitationGoogle TAG Ukraine Threat Landscape March 2022

APT28 has collected emails from victim Microsoft Exchange servers.[3][2]

APT28 has used a modified and obfuscated version of the reGeorg web shell to maintain persistence on a target's Outlook Web Access (OWA) server.[2]

APT28 compromised Ubiquiti network devices to act as collection devices for credentials compromised via phishing webpages.[16]

APT28 has used pass the hash for lateral movement.CitationMicrosoft SIR Vol 19

An APT28 loader Trojan adds the Registry key HKCU\Environment\UserInitMprLogonScript to establish persistence.CitationUnit 42 Playbook Dec 2017

APT28 has obtained and used open-source tools like Koadic, Mimikatz, and Responder.[11][17]CitationFireEye APT28 Hospitality Aug 2017

APT28 has used the WindowStyle parameter to conceal PowerShell windows.[11] CitationMcAfee APT28 DDE1 Nov 2017

APT28 has routed traffic over Tor and VPN servers to obfuscate their activities.[19]

APT28 can exfiltrate data over Google Drive.[19]

APT28 has used tools to perform keylogging.CitationMicrosoft SIR Vol 19[3][19]

APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection. The group also searched a compromised DCCC computer for specific terms.CitationÜberwachung APT28 Forfiles June 2015[3]

APT28 has used a variety of public exploits, including CVE 2020-0688 and CVE 2020-17144, to gain execution on vulnerable Microsoft Exchange; they have also conducted SQL injection attacks against external websites.[14][2]

APT28 has exploited open Wi-Fi access points for initial access to target devices using the network.[22]CitationDOJ GRU Charges 2018

APT28 has collected files from network shared drives.[2]

APT28 has used tools to take screenshots from victims.CitationESET Sednit Part 2CitationXAgentOSX 2017[3][20]

APT28 has used a brute-force/password-spray tooling that operated in two modes: in brute-force mode it typically sent over 300 authentication attempts per hour per targeted account over the course of several hours or days.[23] APT28 has also used a Kubernetes cluster to conduct distributed, large-scale password guessing attacks.[2]

APT28 has used newly-created Blogspot pages for credential harvesting operations.CitationGoogle TAG Ukraine Threat Landscape March 2022

An APT28 loader Trojan will enumerate the victim's processes searching for explorer.exe if its current process does not have necessary permissions.CitationUnit 42 Playbook Dec 2017

APT28 has compromised targets via strategic web compromise utilizing custom exploit kits.[20] APT28 used reflected cross-site scripting (XSS) against government websites to redirect users to phishing webpages.[16]

APT28 has performed large-scale scans in an attempt to find vulnerable servers.CitationTrendMicro Pawn Storm 2019

APT28 has used COM hijacking for persistence by replacing the legitimate MMDeviceEnumerator object with a payload.CitationESET Sednit Part 1[13]

Once APT28 gained access to the DCCC network, the group then proceeded to use that access to compromise the DNC network.[3]

APT28 uses a module to receive a notification every time a USB mass storage device is inserted into a victim.CitationMicrosoft SIR Vol 19

An APT28 loader Trojan uses a cmd.exe and batch script to run its payload.CitationUnit 42 Playbook Dec 2017 The group has also used macros to execute payloads.[15]CitationUnit42 Cannon Nov 2018[18][19]

APT28 has used a Wi-Fi Pineapple to set up Evil Twin Wi-Fi Poisoning for the purposes of capturing victim credentials or planting espionage-oriented malware.[14]

In 2016, APT28 conducted a distributed denial of service (DDoS) attack against the World Anti-Doping Agency.[14]

APT28 has intentionally deleted computer files to cover their tracks, including with use of the program CCleaner.[3]

APT28 used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks.[3]

APT28 has downloaded additional files, including by using a first-stage downloader to contact the C2 server to obtain the second-stage implant.CitationBitdefender APT28 Dec 2015CitationUnit 42 Playbook Dec 2017[18][19][2]

APT28 has used spearphishing to compromise credentials.CitationMicrosoft Targeting Elections September 2020[20]

APT28 has delivered JHUHUGIT and Koadic by executing PowerShell commands through DDE in Word documents.CitationMcAfee APT28 DDE1 Nov 2017CitationMcAfee APT28 DDE2 Nov 2017[11]

APT28 has changed extensions on files containing exfiltrated data to make them appear benign, and renamed a web shell instance to appear as a legitimate OWA page.[2]

APT28 used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks.[3]

APT28 has used compromised Office 365 service accounts with Global Administrator privileges to collect email from user inboxes.[2]

APT28 used weaponized Microsoft Word documents abusing the remote template function to retrieve a malicious macro. CitationUnit42 Sofacy Dec 2018

APT28 has retrieved internal documents from machines inside victim environments, including by using Forfiles to stage documents before exfiltration.CitationÜberwachung APT28 Forfiles June 2015[3]CitationTrendMicro Pawn Storm 2019[2]

APT28 has collected information from Microsoft SharePoint services within target networks.CitationRSAC 2015 Abu Dhabi Stefano Maccaglia

APT28 has used legitimate credentials to gain initial access, maintain access, and exfiltrate data from a victim network. The group has specifically used credentials stolen through a spearphishing email to login to the DCCC network. The group has also leveraged default manufacturer's passwords to gain initial access to corporate networks via IoT devices such as a VOIP phone, printer, and video decoder.CitationTrend Micro Pawn Storm April 2017[3][25][2]

An APT28 backdoor may collect the entire contents of an inserted USB device.CitationMicrosoft SIR Vol 19

Later implants used by APT28, such as CHOPSTICK, use a blend of HTTP, HTTPS, and other legitimate channels for C2, depending on module configuration.[6][2]

APT28 has collected files from various information repositories.[2]

APT28 executed CHOPSTICK by using rundll32 commands such as rundll32.exe “C:\Windows\twain_64.dll”. APT28 also executed a .dll for a first stage dropper using rundll32.exe. An APT28 loader Trojan saved a batch script that uses rundll32 to execute a DLL payload.[5]CitationBitdefender APT28 Dec 2015[11]CitationUnit 42 Playbook Dec 2017[13][2]

APT28 has used a variety of utilities, including WinRAR, to archive collected data with password protection.[2]

An APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload.CitationUnit 42 Sofacy Feb 2018[11]

APT28 has conducted credential phishing campaigns with links that redirect to credential harvesting sites.CitationGoogle TAG Ukraine Threat Landscape March 2022[3][13][14][20]

APT28 has deployed a bootkit along with Downdelph to ensure its persistence on the victim. The bootkit shares code with some variants of BlackEnergy.[24]