^[15][16]

^[17]

^[12]

^[18]

This designation has been used in reporting both to refer to the threat group and its associated malwareJHUHUGIT.^{[8][7][19][4]}

This designation has been used in reporting both to refer to the threat group and its associated malware.^{[6][7][5][20][4][18]}

^[7][20][21]

^{[5][19][20][4][18][12][22][2]}

^{[19][20][23][24][21][2]}

^[20][18][18]

^[7]

^[7]

^[25]

^[26]

^[27]

APT28 Nearest Neighbor Campaign was conducted byAPT28 from early February 2022 to November 2024.^[27]

APT28 has used CVE-2015-1701 to access the SYSTEM token and copy it into the current process as part of privilege escalation.^[28]

APT28 has used a Powershell cmdlet to grant theApplicationImpersonation role to a compromised account.^[2]

APT28 registered domains imitating NATO, OSCE security websites, Caucasus information resources, and other organizations.^[6][14][29]

APT28 hosted phishing domains on free services for brief periods of time during campaigns.^[26]

APT28 has used newly-created Blogspot pages for credential harvesting operations.^[29]

APT28 has performed large-scale scans in an attempt to find vulnerable servers.^[30]

APT28 has used a Wi-Fi Pineapple to set up Evil Twin Wi-Fi Poisoning for the purposes of capturing victim credentials or planting espionage-oriented malware.^[14]

Later implants used byAPT28, such asCHOPSTICK, use a blend of HTTP, HTTPS, and other legitimate channels for C2, depending on module configuration.^[6][2]

APT28 has used IMAP, POP3, and SMTP for a communication channel in various implants, including using self-registered Google Mail accounts and later compromised email servers of its victims.^[6][2]

APT28 used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks.^[3]

APT28 has used a variety of utilities, including WinRAR, to archive collected data with password protection.^[2]

DuringAPT28 Nearest Neighbor Campaign,APT28 used built-in PowerShell capabilities (Compress-Archive cmdlet) to compress collected data.^[27]

APT28 used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks.^[3]

APT28 has deployed malware that has copied itself to the startup directory for persistence.^[21]

AnAPT28 loader Trojan adds the Registry keyHKCU\Environment\UserInitMprLogonScript to establish persistence.^[31]

APT28 can perform brute force attacks to obtain credentials.^[30][21][32]

APT28 has used a brute-force/password-spray tooling that operated in two modes: in brute-force mode it typically sent over 300 authentication attempts per hour per targeted account over the course of several hours or days.^[24]APT28 has also used a Kubernetes cluster to conduct distributed, large-scale password guessing attacks.^[2]

APT28 has used a brute-force/password-spray tooling that operated in two modes: in password-spraying mode it conducted approximately four authentication attempts per hour per targeted account over the course of several days or weeks.^[24][32]APT28 has also used a Kubernetes cluster to conduct distributed, large-scale password spray attacks.^[2]

DuringAPT28 Nearest Neighbor Campaign,APT28 performed password-spray attacks against public facing services to validate credentials.^[27]

APT28 downloads and executes PowerShell scripts and performs PowerShell commands.^[11][21][2]

DuringAPT28 Nearest Neighbor Campaign,APT28 used PowerShell cmdletGet-ChildItem to access credentials, among other PowerShell functions deployed.^[27]

AnAPT28 loader Trojan uses a cmd.exe and batch script to run its payload.^[31] The group has also used macros to execute payloads.^{[18][33][17][21]}

DuringAPT28 Nearest Neighbor Campaign,APT28 usedcmd.exe for execution.^[27]

APT28 uses a tool that captures information from air-gapped computers via an infected USB and transfers it to network-connected computer when the USB is inserted.^[34]

APT28 has used compromised email accounts to send credential phishing emails.^[29]

APT28 compromised Ubiquiti network devices to act as collection devices for credentials compromised via phishing webpages.^[26]

APT28 has collected files from various information repositories.^[2]

APT28 has collected information from Microsoft SharePoint services within target networks.^[35]

APT28 has retrieved internal documents from machines inside victim environments, including by usingForfiles to stage documents before exfiltration.^{[36][3][30][2]}

APT28 has collected files from network shared drives.^[2]

AnAPT28 backdoor may collect the entire contents of an inserted USB device.^[34]

APT28 added "junk data" to each encoded string, preventing trivial decoding without knowledge of the junk removal algorithm. Each implant was given a "junk length" value when created, tracked by the controller software to allow seamless communication but prevent analysis of the command protocol on the wire.^[6]

APT28 has stored captured credential information in a file named pi.log.^[34]

DuringAPT28 Nearest Neighbor Campaign,APT28 staged captured credential information in theC:\ProgramData directory.^[27]

APT28 has staged archives of collected data on a target's Outlook Web Access (OWA) server.^[2]

APT28 has split archived exfiltration files into chunks smaller than 1MB.^[2]

AnAPT28 macro uses the commandcertutil -decode to decode contents of a .txt file storing the base64 encoded payload.^[37][11]

DuringAPT28 Nearest Neighbor Campaign,APT28 unarchived data using the GUI version of WinRAR.^[27]

DuringAPT28 Nearest Neighbor Campaign,APT28 accessed volume shadow copies through executingvssadmin in order to dump the NTDS.dit file.^[27]

DuringAPT28 Nearest Neighbor Campaign,APT28 used the native Microsoft utilitycipher.exe to securely wipe files and folders – overwriting the deleted data usingcmd.exe /c cipher /W:C.^[27]

APT28 has compromised targets via strategic web compromise utilizing custom exploit kits.^[16]APT28 used reflected cross-site scripting (XSS) against government websites to redirect users to phishing webpages.^[26]

APT28 has collected emails from victim Microsoft Exchange servers.^[3][2]

APT28 installed a Delphi backdoor that used a custom algorithm for C2 communications.^[13]

APT28 has used COM hijacking for persistence by replacing the legitimateMMDeviceEnumerator object with a payload.^[38][13]

APT28 has exfiltrated archives of collected data previously staged on a target's OWA server via HTTPS.^[2]

APT28 can exfiltrate data over Google Drive.^[21]

DuringAPT28 Nearest Neighbor Campaign,APT28 exfiltrated data over public-facing webservers – such as Google Drive.^[27]

APT28 has used a variety of public exploits, including CVE 2020-0688 and CVE 2020-17144, to gain execution on vulnerable Microsoft Exchange; they have also conducted SQL injection attacks against external websites.^[14][2]

APT28 has exploited Microsoft Office vulnerability CVE-2017-0262 for execution.^[22]

APT28 has used CVE-2015-4902 to bypass security features.^[39][34]

APT28 has exploited CVE-2014-4076, CVE-2015-2387, CVE-2015-1701, CVE-2017-0263, and CVE-2022-38028 to escalate privileges.^{[39][34][22][27]}

APT28 exploited a Windows SMB Remote Code Execution Vulnerability to conduct lateral movement.^[6][40][41]

APT28 has usedTor and a variety of commercial VPN services to route brute force authentication attempts.^[2]

APT28 has usedForfiles to locate PDF, Excel, and Word documents during collection. The group also searched a compromised DCCC computer for specific terms.^[36][3]

APT28 has harvested user's login credentials.^[32]

APT28 has used large language models (LLMs) to gather information about satellite capabilities.^[42][43]

APT28 has saved files with hidden file attributes.^[18][18]

APT28 has used the WindowStyle parameter to concealPowerShell windows.^[11][44]

DuringAPT28 Nearest Neighbor Campaign,APT28 added rules to a victim's Windows firewall to set up a series of port-forwards allowing traffic to target systems.^[27]

APT28 has cleared event logs, including by using the commandswevtutil cl System andwevtutil cl Security.^[5][3]

APT28 has intentionally deleted computer files to cover their tracks, including with use of the program CCleaner.^[3]

APT28 has performed timestomping on victim files.^[5]

APT28 has downloaded additional files, including by using a first-stage downloader to contact the C2 server to obtain the second-stage implant.^{[39][31][17][21][2]}

APT28 has used tools to perform keylogging.^[34][3][21]

APT28 has deliveredJHUHUGIT andKoadic by executing PowerShell commands through DDE in Word documents.^[44][45][11]

APT28 has renamed the WinRAR utility to avoid detection.^[2]

APT28 has changed extensions on files containing exfiltrated data to make them appear benign, and renamed a web shell instance to appear as a legitimate OWA page.^[2]

In 2016,APT28 conducted a distributed denial of service (DDoS) attack against the World Anti-Doping Agency.^[14]

APT28 deployed the open source tool Responder to conduct NetBIOS Name Service poisoning, which captured usernames and hashed passwords that allowed access to legitimate credentials.^[6][40]APT28 close-access teams have used Wi-Fi pineapples to intercept Wi-Fi signals and user credentials.^[14]

APT28 encrypted a .dll payload using RTL and a custom encryption algorithm.APT28 has also obfuscated payloads with base64, XOR, and RC4.^{[39][37][11][18][17]}

APT28 has obtained and used open-source tools likeKoadic,Mimikatz, andResponder.^[11][22][40]

APT28 has used the Office Test persistence mechanism within Microsoft Office by adding the Registry keyHKCU\Software\Microsoft\Office test\Special\Perf to execute code.^[46]

APT28 regularly deploys both publicly available (ex:Mimikatz) and custom password retrieval tools on victims.^[47][3][14]

APT28 regularly deploys both publicly available (ex:Mimikatz) and custom password retrieval tools on victims.^[47][3] They have also dumped the LSASS process memory using the MiniDump function.^[2]

DuringAPT28 Nearest Neighbor Campaign,APT28 used the following commands to dump SAM, SYSTEM, and SECURITY hives:reg save hklm\sam, reg save hklm\system, andreg save hklm\security.^[27]

APT28 has used the ntdsutil.exe utility to export the Active Directory database for credential access.^[2]

DuringAPT28 Nearest Neighbor Campaign,APT28 dumped NTDS.dit through creating volume shadow copies viavssadmin.^[27]

APT28 uses a module to receive a notification every time a USB mass storage device is inserted into a victim.^[34]

APT28 sent spearphishing emails containing malicious Microsoft Office and RAR attachments.^{[37][10][11][3][22][17][21][16]}

APT28 has used spearphishing to compromise credentials.^[32][16]

APT28 has conducted credential phishing campaigns with links that redirect to credential harvesting sites.^{[29][3][13][14][16]}

APT28 has deployed a bootkit along withDowndelph to ensure its persistence on the victim. The bootkit shares code with some variants ofBlackEnergy.^[20]

AnAPT28 loader Trojan will enumerate the victim's processes searching for explorer.exe if its current process does not have necessary permissions.^[31]

DuringAPT28 Nearest Neighbor Campaign,APT28 used the built-innetsh portproxy command to create internal proxies on compromised systems.^[27]

APT28 used other victims as proxies to relay command traffic, for instance using a compromised Georgian military email server as a hop point to NATO victims. The group has also used a tool that acts as a proxy to allow C2 even if the victim is behind a router.APT28 has also used a machine to relay and obscure communications betweenCHOPSTICK and their server.^[6][39][3]

APT28 has routed traffic overTor and VPN servers to obfuscate their activities.^[21]

DuringAPT28 Nearest Neighbor Campaign,APT28 used RDP for lateral movement.^[27]

APT28 has mapped network drives usingNet and administrator credentials.^[2]

DuringAPT28 Nearest Neighbor Campaign,APT28 leveraged SMB to transfer files and move laterally.^[27]

APT28 uses a tool to infect connected USB devices and transmit itself to air-gapped computers when the infected USB device is inserted.^[34]

APT28 has used a UEFI (Unified Extensible Firmware Interface) rootkit known asLoJax.^[12][48]

APT28 has used tools to take screenshots from victims.^{[47][49][3][16]}

APT28 has used large language models (LLMs) to assist in script development and deployment.^[42][43]

APT28 has used a modified and obfuscated version of the reGeorg web shell to maintain persistence on a target's Outlook Web Access (OWA) server.^[2]

APT28 has used several malicious applications to steal user OAuth access tokens including applications masquerading as "Google Defender" "Google Email Protection," and "Google Scanner" for Gmail users. They also targeted Yahoo users with applications masquerading as "Delivery Service" and "McAfee Email Protection".^[50]

APT28 executedCHOPSTICK by using rundll32 commands such asrundll32.exe "C:\Windows\twain_64.dll".APT28 also executed a .dll for a first stage dropper using rundll32.exe. AnAPT28 loader Trojan saved a batch script that uses rundll32 to execute a DLL payload.^{[5][39][11][31][13][2]}

DuringAPT28 Nearest Neighbor Campaign,APT28 collected information on wireless interfaces within range of a compromised system.^[27]

APT28 used weaponized Microsoft Word documents abusing the remote template function to retrieve a malicious macro.^[51]

OnceAPT28 gained access to the DCCC network, the group then proceeded to use that access to compromise the DNC network.^[3]

APT28 has used several malicious applications that abused OAuth access tokens to gain access to target email accounts, including Gmail and Yahoo Mail.^[50]

APT28 has used pass the hash for lateral movement.^[34]

APT28 has tricked unwitting recipients into clicking on malicious hyperlinks within emails crafted to resemble trustworthy senders.^[14][16]

APT28 attempted to get users to click on Microsoft Office attachments containing malicious macro scripts.^[37][17][16]

APT28 has used legitimate credentials to gain initial access, maintain access, and exfiltrate data from a victim network. The group has specifically used credentials stolen through a spearphishing email to login to the DCCC network. The group has also leveraged default manufacturer's passwords to gain initial access to corporate networks via IoT devices such as a VOIP phone, printer, and video decoder.^{[52][3][23][2]}

APT28 has used compromised Office 365 service accounts with Global Administrator privileges to collect email from user inboxes.^[2]

APT28 has used Google Drive for C2.^[21]

APT28 has exploited open Wi-Fi access points for initial access to target devices using the network.^[27][53]

DuringAPT28 Nearest Neighbor Campaign,APT28 established wireless connections to secure, enterprise Wi-Fi networks belonging to a target organization for initial access into the environment.^[27]