APT 28
APT Group
Information theft and espionage
102 zero-day CVEs
ETDA ✓
Also Known As 29 names
APT-C-20
ATK5
Blue Athena
BlueDelta
Fancy Bear
FROZENLAKE
Fighting Ursa
Forest Blizzard
G0007
Grey-Cloud
Grizzly Steppe
Group 74
Group-4127
GruesomeLarch
IRON TWILIGHT
ITG05
Pawn Storm
SIG40
SNAKEMACKEREL
STRONTIUM
Sednit
Sofacy
Swallowtail
T-APT-12
TA422
TG-4127
Tsar Team
UAC-0028
APT 28
Target Countries 53
Afghanistan
Armenia
Australia
Azerbaijan
Belgium
Bulgaria
Brazil
Belarus
Canada
Switzerland
Chile
China
Cyprus
Czech Republic
Germany
Spain
France
United Kingdom
Georgia
Greece
Croatia
Hungary
Ireland
India
Iraq
Islamic Republic of Iran
Italy
Jordan
Japan
Republic of Korea
Kazakhstan
Latvia
Montenegro
Mongolia
Mexico
Malaysia
Netherlands
Norway
Peru
Pakistan
Poland
Romania
Saudi Arabia
Sweden
Slovakia
Thailand
Tajikistan
Turkey
Ukraine
Uganda
United States
Uzbekistan
South Africa
Sectors Targeted
Engineering
Business, Professional, Labor, Political, and Similar Organizations (NAICS 8139)
NGOs
Travel
Telecommunications (NAICS 517)
Oil and gas
Translation and Interpretation Services (NAICS 54193)
Think Tanks
Healthcare
Data Processing, Hosting, and Related Services (NAICS 51821)
Spectator Sports (NAICS 7112)
Internet Publishing and Broadcasting and Web Search Portals (NAICS 51913)
Grantmaking and Giving Services (NAICS 8132)
Employment Placement Agencies and Executive Search Services (NAICS 56131)
Computer Systems Design Services (NAICS 541512)
Business Schools and Computer and Management Training (NAICS 6114)
Embassies
Construction
Oil and Gas Extraction (NAICS 211)
Insurance Carriers and Related Activities (NAICS 524)
Computer Systems Design and Related Services (NAICS 5415)
Airlines
Education
IT
Industrial
Energy
Motor Vehicle Parts Manufacturing (NAICS 3363)
Defense
Financial
Human Resources Consulting Services (NAICS 541612)
Hospitals (NAICS 622)
Civic and Social Organizations (NAICS 8134)
Commercial Banking (NAICS 52211)
Periodical Publishers (NAICS 51112)
Business to Business Electronic Markets (NAICS 42511)
Satellite
Military
National Security and International Affairs (NAICS 9281)
Computer Systems Design and Related Services (NAICS 54151)
Automotive
Intelligence organizations
Research and Development in the Social Sciences and Humanities (NAICS 54172)
Chemical
Motion Picture and Video Production (NAICS 51211)
Architectural Services (NAICS 541310)
Aerospace
Media
Aviation
Government
Details
Origin
🇷🇺 RU
Last Updated
24 Sep 2025
Malware Families 35
sakula_rat
evilquest
arguepatch
sedreco
havex_rat
fusiondrive
dreambot
computrace
snifula
pocodown
grunt
houdini
agent_tesla
agent_btz
zhmimikatz
ldr4
apk.rat_on
turla_ff_ext
stealler
pas
driveocean
eternal_petya
unidentified_078
nodejs_ransom
unidentified_114
saigon
zebrocy_au3
credomap
vawtrak
xagent
mocky_lnk
PhantomCard
dbatloader
gozi
seduploader
MITRE ATT&CK 262
G0007
T1001 - Data Obfuscation
T1001.001
T1001.003 - Protocol Impersonation
T1002
T1003 - OS Credential Dumping
T1003.001
T1003.002
T1003.003
T1005 - Data from Local System
T1006
T1012 - Query Registry
T1014 - Rootkit
T1016 - System Network Configuration Discovery
T1016.002
T1018 - Remote System Discovery
T1020 - Automated Exfiltration
T1021 - Remote Services
T1021.001
T1021.002
T1021.004 - SSH
T1024
T1025 - Data from Removable Media
T1027 - Obfuscated Files or Information
T1027.013
T1030 - Data Transfer Size Limits
T1033 - System Owner/User Discovery
T1036 - Masquerading
T1036.004
T1036.005 - Match Legitimate Name or Location
T1037 - Boot or Logon Initialization Scripts
T1037.001
T1039 - Data from Network Shared Drive
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1043
T1045 - Software Packing
T1046 - Network Service Scanning
T1047 - Windows Management Instrumentation
T1048 - Exfiltration Over Alternative Protocol
T1048.002
T1049 - System Network Connections Discovery
T1053 - Scheduled Task/Job
T1053.003 - Cron
T1053.005 - Scheduled Task
T1055 - Process Injection
T1056 - Input Capture
T1056.001
T1056.002 - GUI Input Capture
T1056.003 - Web Portal Capture
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - PowerShell
T1059.003 - Windows Command Shell
T1059.005 - Visual Basic
T1059.006 - Python
T1059.007 - JavaScript
T1060 - Registry Run Keys / Startup Folder
T1064 - Scripting
T1067
T1068 - Exploitation for Privilege Escalation
T1069 - Permission Groups Discovery
T1070 - Indicator Removal on Host
T1070.001
T1070.004 - File Deletion
T1070.006
T1071 - Application Layer Protocol
T1071.001 - Web Protocols
T1071.003
T1071.004 - DNS
T1074 - Data Staged
T1074.001 - Local Data Staging
T1074.002
T1075
T1078 - Valid Accounts
T1078.004
T1081 - Credentials in Files
T1082 - System Information Discovery
T1083 - File and Directory Discovery
T1085
T1086 - PowerShell
T1087 - Account Discovery
T1087.003 - Email Account
T1090 - Proxy
T1090.001
T1090.002
T1090.003
T1091 - Replication Through Removable Media
T1092 - Communication Through Removable Media
T1095 - Non-Application Layer Protocol
T1096 - NTFS File Attributes
T1098 - Account Manipulation
T1098.001 - Additional Cloud Credentials
T1098.002
T1099
T1102 - Web Service
T1102.001 - Dead Drop Resolver
T1102.002
T1102.003 - One-Way Communication
T1104 - Multi-Stage Channels
T1105 - Ingress Tool Transfer
T1106 - Native API
T1107 - File Deletion
T1110 - Brute Force
T1110.001
T1110.003 - Password Spraying
T1111 - Two-Factor Authentication Interception
T1112 - Modify Registry
T1113 - Screen Capture
T1114 - Email Collection
T1114.002 - Remote Email Collection
T1114.003 - Email Forwarding Rule
T1115 - Clipboard Data
T1119 - Automated Collection
T1120 - Peripheral Device Discovery
T1122
T1124
T1127 - Trusted Developer Utilities Proxy Execution
T1129 - Shared Modules
T1132 - Data Encoding
T1132.001 - Standard Encoding
T1133 - External Remote Services
T1134 - Access Token Manipulation
T1134.001
T1136
T1137 - Office Application Startup
T1137.001 - Office Template Macros
T1137.002
T1140 - Deobfuscate/Decode Files or Information
T1143 - Hidden Window
T1158 - Hidden Files and Directories
T1173
T1176 - Browser Extensions
T1185 - Man in the Browser
T1187 - Forced Authentication
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1192 - Spearphishing Link
T1193
T1195 - Supply Chain Compromise
T1199 - Trusted Relationship
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.001 - Malicious Link
T1204.002 - Malicious File
T1210 - Exploitation of Remote Services
T1211 - Exploitation for Defense Evasion
T1212 - Exploitation for Credential Access
T1213 - Data from Information Repositories
T1213.002
T1218 - Signed Binary Proxy Execution
T1218.011
T1219 - Remote Access Software
T1221 - Template Injection
T1328
T1346
T1480 - Execution Guardrails
T1482 - Domain Trust Discovery
T1485
T1486 - Data Encrypted for Impact
T1489 - Service Stop
T1490 - Inhibit System Recovery
T1497 - Virtualization/Sandbox Evasion
T1497.001 - System Checks
T1498 - Network Denial of Service
T1505 - Server Software Component
T1505.003
T1518 - Software Discovery
T1527
T1528 - Steal Application Access Token
T1529
T1530 - Data from Cloud Storage Object
T1531
T1534 - Internal Spearphishing
T1539 - Steal Web Session Cookie
T1542 - Pre-OS Boot
T1542.003
T1543 - Create or Modify System Process
T1543.002 - Systemd Service
T1546 - Event Triggered Execution
T1546.015
T1547 - Boot or Logon Autostart Execution
T1547.001 - Registry Run Keys / Startup Folder
T1550 - Use Alternate Authentication Material
T1550.001
T1550.002
T1552
T1553 - Subvert Trust Controls
T1555
T1555.003 - Credentials from Web Browsers
T1556 - Modify Authentication Process
T1557 - Man-in-the-Middle
T1557.004
T1559 - Inter-Process Communication
T1559.002
T1560 - Archive Collected Data
T1560.001
T1561
T1561.001
T1562 - Impair Defenses
T1562.001 - Disable or Modify Tools
T1562.004
T1564 - Hide Artifacts
T1564.001 - Hidden Files and Directories
T1564.003 - Hidden Window
T1565 - Data Manipulation
T1566 - Phishing
T1566.001 - Spearphishing Attachment
T1566.002 - Spearphishing Link
T1567 - Exfiltration Over Web Service
T1568 - Dynamic Resolution
T1568.002 - Domain Generation Algorithms
T1569 - System Services
T1571 - Non-Standard Port
T1573 - Encrypted Channel
T1573.001
T1574 - Hijack Execution Flow
T1574.002 - DLL Side-Loading
T1583 - Acquire Infrastructure
T1583.001 - Domains
T1583.002 - DNS Server
T1583.003
T1583.006 - Web Services
T1584 - Compromise Infrastructure
T1584.008
T1585 - Establish Accounts
T1586 - Compromise Accounts
T1586.002 - Email Accounts
T1587 - Develop Capabilities
T1588 - Obtain Capabilities
T1588.002
T1588.007
T1589 - Gather Victim Identity Information
T1589.001
T1591
T1592 - Gather Victim Host Information
T1593 - Search Open Websites/Domains
T1595 - Active Scanning
T1595.002
T1596
T1598 - Phishing for Information
T1598.003
T1608 - Stage Capabilities
T1608.001 - Upload Malware
T1608.005 - Link Target
T1609 - Container Administration Command
T1613 - Container and Resource Discovery
T1669
T1684
T1684.001
T1685
T1685.005
T1686
T1686.003
TA0002 - Execution
TA0003 - Persistence
TA0004 - Privilege Escalation
TA0005 - Defense Evasion
TA0006 - Credential Access
TA0007 - Discovery
TA0011 - Command and Control
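The technique list above is only useful to a defender once it is loaded into a tool, and the mix of bare IDs ("T1002"), named entries ("T1566.002 - Spearphishing Link") and tactic rows ("TA0006 - Credential Access") trips up naive imports. The following script is an added example, not code from this page or from ETDA: it parses lines in exactly that format, rejects malformed IDs, deduplicates repeats, and emits an ATT&CK Navigator layer in which every listed technique is scored and any parent technique that appears only through a sub-technique is added with score 0 so the Navigator expands it without claiming the page listed it. The sample input is a short subset of the page's own rows plus three constructed malformed lines; the Navigator/ATT&CK version numbers in the layer are assumptions to be adjusted to your installation.

```python
"""Build an ATT&CK Navigator layer from a technique list in this page's format.

Accepted line shapes:
  "T1566.002 - Spearphishing Link"   technique or sub-technique with a name
  "T1002"                            bare technique ID (name unknown)
  "TA0006 - Credential Access"       tactic row (kept as metadata only)
Anything else is reported as rejected rather than silently dropped.
"""
import json
import re

TECHNIQUE_RE = re.compile(r"^(T\d{4})(?:\.(\d{3}))?(?:\s+-\s+(.+))?$")
TACTIC_RE = re.compile(r"^(TA\d{4})(?:\s+-\s+(.+))?$")

# Constructed sample: a subset of rows copied from the page, one duplicate row,
# and three deliberately malformed lines to exercise the rejection path.
SAMPLE_LINES = """\
T1001 - Data Obfuscation
T1001.001
T1001.003 - Protocol Impersonation
T1002
T1110 - Brute Force
T1110.003 - Password Spraying
T1114.003 - Email Forwarding Rule
T1566 - Phishing
T1566.001 - Spearphishing Attachment
T1566.002 - Spearphishing Link
T1566.002 - Spearphishing Link
TA0006 - Credential Access
TA0011 - Command and Control
T15660 - bogus
T1566.02 - bogus
Fancy Bear
"""


def parse_attack_lines(text):
    """Return (techniques, tactics, rejected).

    techniques: dict techniqueID -> name or None, deduplicated (first name wins)
    tactics:    dict tacticID -> name or None
    rejected:   list of non-empty lines matching neither pattern
    """
    techniques, tactics, rejected = {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TECHNIQUE_RE.match(line)
        if m:
            tid = m.group(1) + ("." + m.group(2) if m.group(2) else "")
            techniques.setdefault(tid, m.group(3))
            continue
        m = TACTIC_RE.match(line)
        if m:
            tactics.setdefault(m.group(1), m.group(2))
            continue
        rejected.append(line)
    return techniques, tactics, rejected


def parent_of(tid):
    """'T1566.002' -> 'T1566'; a parent ID maps to itself."""
    return tid.split(".")[0]


def build_layer(techniques, name, description=""):
    """Produce an ATT&CK Navigator layer dict from parsed techniques."""
    explicit = set(techniques)
    parents_with_subs = {parent_of(t) for t in explicit if "." in t}
    entries = []
    for tid in sorted(explicit):
        entries.append({
            "techniqueID": tid,
            "score": 1,  # listed on the page
            "comment": techniques[tid] or "",
            "enabled": True,
            "showSubtechniques": tid in parents_with_subs,
        })
    # Parents reached only via a sub-technique: add unscored so the cell expands.
    for tid in sorted(parents_with_subs - explicit):
        entries.append({
            "techniqueID": tid,
            "score": 0,
            "comment": "implied by listed sub-technique(s); not itself listed",
            "enabled": True,
            "showSubtechniques": True,
        })
    return {
        "name": name,
        "description": description,
        "domain": "enterprise-attack",
        # Assumed format versions; match them to your Navigator deployment.
        "versions": {"attack": "16", "navigator": "5.1.0", "layer": "4.5"},
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1},
        "techniques": entries,
    }


def layer_from_text(text, name):
    """Parse page-format lines and return (layer_dict, rejected_lines)."""
    techniques, tactics, rejected = parse_attack_lines(text)
    desc = "Tactics listed on page: " + ", ".join(sorted(tactics))
    return build_layer(techniques, name, desc), rejected


if __name__ == "__main__":
    layer, rejected = layer_from_text(SAMPLE_LINES, "APT28 (page mapping)")
    print(json.dumps(layer, indent=2))
    print("rejected lines:", rejected)
```

Feed the whole ATT&CK section of this page to `layer_from_text` and import the resulting JSON into the Navigator; the rejected list is worth inspecting, because it is where stray page text and mis-typed IDs end up rather than in the layer.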
Related Zero-Days 102
CVE-2016-5195
CVE-2017-0199
CVE-2017-5638
CVE-2019-0708
CVE-2019-11510
CVE-2020-6418
CVE-2021-26855
CVE-2021-26857
CVE-2021-26858
CVE-2021-27065
CVE-2021-37973
CVE-2021-40449
CVE-2021-40539
CVE-2021-44228
CVE-2022-26134
CVE-2022-3236
CVE-2022-41128
CVE-2023-20198
CVE-2023-2033
CVE-2023-2136
CVE-2023-22515
CVE-2023-27350
CVE-2023-2868
CVE-2023-3079
CVE-2023-34048
CVE-2023-41991
CVE-2023-41992
CVE-2023-41993
CVE-2023-46604
CVE-2023-46805
CVE-2023-4762
CVE-2024-0012
CVE-2024-12356
CVE-2024-21287
CVE-2024-21412
CVE-2024-21887
CVE-2024-24919
CVE-2024-37079
CVE-2024-38112
CVE-2024-38178
CVE-2024-38193
CVE-2024-43461
CVE-2024-4610
CVE-2024-4671
CVE-2024-47575
CVE-2024-49039
CVE-2024-50623
CVE-2024-5274
CVE-2024-8963
CVE-2024-9680
CVE-2025-0282
CVE-2025-0283
CVE-2025-0994
CVE-2025-10035
CVE-2025-10585
CVE-2025-13223
CVE-2025-14174
CVE-2025-20333
CVE-2025-20337
CVE-2025-20362
CVE-2025-20363
CVE-2025-21043
CVE-2025-21391
CVE-2025-21418
CVE-2025-22224
CVE-2025-22225
CVE-2025-22226
CVE-2025-22457
CVE-2025-2783
CVE-2025-29824
CVE-2025-32709
CVE-2025-33053
CVE-2025-37164
CVE-2025-38352
CVE-2025-40551
CVE-2025-41244
CVE-2025-43300
CVE-2025-43529
CVE-2025-48543
CVE-2025-49704
CVE-2025-52691
CVE-2025-53770
CVE-2025-53771
CVE-2025-55182
CVE-2025-59287
CVE-2025-61757
CVE-2025-61932
CVE-2025-6218
CVE-2025-62221
CVE-2025-6554
CVE-2025-6558
CVE-2025-68645
CVE-2025-7775
CVE-2025-8088
CVE-2025-8110
CVE-2025-9491
CVE-2026-20045
CVE-2026-20805
CVE-2026-21509
CVE-2026-21513
CVE-2026-24423
CVE-2026-24858