Hashtag: #apt28
The Russia-aligned APT group Pawn Storm (APT28) is targeting the defense supply chain of Ukraine and its allies with new PRISMEX malware and a Windows zero-day, CVE-2026-21513.

🇷🇺 Russia's APT28 (Pawn Storm) is targeting the defense supply chain with new 'PRISMEX' malware, exploiting a Windows zero-day (CVE-2026-21513). 🛡️ #APT28 #PawnStorm #ZeroDay #CyberWarfare

0 0 0 0
Pawn Storm Deploys PRISMEX

~Trendmicro~
Pawn Storm exploits zero-days (CVE-2026-21513, CVE-2026-21509) deploying PRISMEX malware against Ukraine & NATO allies.
-
IOCs: wellnesscaremed. com
-
#APT28 #PRISMEX #ThreatIntel

0 0 0 0

📰 Russian Military Hackers APT28 Exploit Zimbra Flaw to Breach Ukrainian Government

👉 Read the full article here: ahmandonk.com/2026/03/22/hacker-milite...

#apt28 #beritaTeknologi #hackerRusia #keamananSiber #kerentananXss #op

0 0 0 0
Preview
The Invisible Breach: ‘Operation GhostMail’ Uses Zero-Click XSS to Hijack Ukrainian Webmail Seqrite Labs uncovered Operation GhostMail, a zero-click campaign that leverages an HTML-only email to execute obfuscated JavaScript and intercept webmail sessions without dropping files. Attributed to APT28 and exploiting CVE-2025-66376 in Zimbra, the attack exfiltrates credentials, mailbox data, and contacts from the Ukrainian State Hydrology Agency using DNS and HTTPS channels....

Seqrite Labs reveals Operation GhostMail: a zero-click attack exploiting CVE-2025-66376 in Zimbra to hijack Ukrainian State Hydrology Agency webmail via obfuscated JavaScript in HTML-only emails. #OperationGhostMail #APT28 #Ukraine

0 0 0 0
Preview
APT28 Deploys Enhanced Version of Covenant in Ongoing Threat Activity

In recent months, the contours of cyber warfare have once again become clearer as APT28 - an agent of Russian intelligence that has operated in Ukraine for a number of years - elicits renewed precision and technological sophistication in its operations against Ukrainian defense networks.

Fancy Bear has been referred to by multiple aliases, including Sednit, Forest Blizzard, Unit 26165, and TA422, throughout the cybersecurity community due to its ability to adapt to geopolitical objectives when necessary. With its latest campaign, APT28 has implemented a dual-pronged malware strategy based on innovation and intent.

The company has deployed an undocumented backdoor, BEARDSHELL, alongside a heavily customized implementation of the open-source post-exploitation framework COVENANT, which has been heavily customized.

The development indicates a calculated effort to refine persistence, avoid detection, and gain deeper operational footholds in sensitive military environments by modifying tactics, evading detection, and improving operational capabilities.

Designed specifically for stealth and long-term access, BEARDSHELL works in conjunction with the modified COVENANT toolkit, which has been modified to better suit the group's command-and-control requirements and operational procedures. Combined, these tools represent a growing trend toward modular and adaptable malware ecosystems that can be tailored to specific target and mission requirements.

It is becoming increasingly apparent that as the conflict in Ukraine continues to escalate into the digital realm, state-backed actors are utilizing cyber capabilities in a variety of ways, often invisible but profoundly consequential, to gather intelligence and shape the strategic landscape.

The campaign illustrates a tightly coordinated intrusion chain designed to penetrate Ukrainian military and government networks with minimal friction and maximum persistence based on this operational shift.

Based on the investigations conducted, it has been determined that the activities attributed to APT28 are mainly directed towards central executive bodies, where access to strategic communications and operational data provides a valuable source of information.

As part of the initial compromise, spear-phishing lures are developed that masquerade as routine administrative or defense correspondence, distributed via email as well as encrypted messaging channels such as Signal, which are often distributed using spear-phishing lures. Upon opening the weaponized Office documents, these messages initiate a fileless infection sequence that is designed to evade conventional endpoint defenses.

It is comprised of a memory-resident backdoor derived from a substantially altered variant of the Covenant framework which has been repurposed to serve as a discreet loader for further payloads. During this stage, bespoke implants, such as BeardShell and SlimAgent, are deployed. The latter bears architectural resemblance to the earlier XAgent toolkit developed by the group in the past. The combination of these components creates a robust surveillance environment within compromised systems, facilitating continuous data collection of keystrokes, screen captures, and clipboards.

Exfiltrated intelligence is organized into HTML-based logs that include color-coded segmentation for rapid parsing and prioritization by operators. It is noteworthy that the group has implemented a command-and-control infrastructure that meets their requirements. A number of cloud storage platforms, including pCloud, Koofr, Filen, and Icedrive, are used by the attackers to relay instructions and store stolen data rather than using servers that are easily identifiable.

As a result, malicious activity is blended with routine user activity, significantly hampering detection efforts. Based on the forensic analysis of these cloud-linked accounts, it has been determined that certain Ukrainian systems have been continuously monitored for extensive periods of time, demonstrating APT28's ability to collect intelligence in high-value environments in a low-visibility manner.

Moreover, the researchers at ESET have provided additional technical insight into the operation, tracing its deployment to at least April 2024, when a structured, sustained intrusion effort began. According to their findings, the coordinated use of BeardShell and Covenant was not an accident, but intentionally designed to provide prolonged, low-noise surveillance of Ukrainian military personnel and government organizations.

Recent incidents have indicated that the infection chain exploits a vulnerability tracked as CVE-2026-21509, which is embedded within malicious DOC files designed to execute code upon opening. In the end, SlimAgent, a surveillance-focused implant that was identified within a compromised Ukrainian government system, enabled the discovery of this implant, which was capable of collecting keystrokes, clipboard contents, and screen captures systematically without causing immediate suspicion.

According to the subsequent analysis, BeardShell is a modern, modular backdoor that emphasizes stealth and flexibility. Icedrive's infrastructure is utilized to communicate with commands and controls. Remote PowerShell commands are executed within a managed .NET runtime environment using this infrastructure.

An obfuscation method previously associated with Xtunnel, a network pivot utility historically connected to APT28's earlier campaigns, is included in its internal design, demonstrating a deliberate reuse of proven techniques.

Meanwhile, the Covenant framework is used as the primary operational implant, having been reworked from its original open-source version.

There have also been changes observed in the generation of deterministic identifiers linked to host-specific attributes, in the execution logic intended to bypass behavioral detection engines, as well as the integration of cloud-based communication channels. As part of the group's infrastructure strategy, Koofr and pCloud have gradually been replaced by newer platforms such as Filen beginning mid-2025.

As a result of this architecture, Covenant serves as the primary access mechanism, while BeardShell serves as a contingency tool to ensure operations continue even in cases of partial detection or remediation. Further extending the scope of the analysis, researchers have also highlighted that the threat actor's toolkit reflects a deliberate blend of legacy codebases and newly developed capabilities, reflecting a deliberate combination of heritage codebases and newly developed capabilities.

SLIMAGENT is an implant that was formally disclosed by the CERT-UA in mid-2025 and examined in greater detail by ESET in the following year. With SLIMAGENT, granular data collection is possible through keystroke logging, screenshot capture, and clipboard harvesting, effectively turning compromised systems into persistent intelligence gathering nodes. It is designed for continuous data collection with granular data collection capabilities.

SLIMAGENT is distinguished by more than its functionality; it is also distinguished by its lineage. Based on technical comparisons, SLIMAGENT does not appear to be a completely new development, but rather is an evolution of APT28's earlier XAgent toolset, which was widely deployed by the group during the 2010s.

In support of this assessment, code-level similarities have been identified across multiple samples, including artifacts recovered from early-2018 intrusion campaigns targeting European governmental entities. Moreover, the correlation between the keylogging routines and an XAgent variant observed in late 2014 suggests an ongoing development rather than a one-time invention of the routines, suggesting continuity of development. The structured formatting of exfiltrated data remains one of the most distinctive features across these generations.

The SLIMAGENT surveillance software, like its predecessor, compiles its output into HTML-formatted logs, utilizing a consistent color code scheme to distinguish between application identification numbers, captured keystrokes, and active window titles. As a result of this seemingly inconsequential design choice, operators now benefit from a streamlined interface to speed up the data triage process, thereby reinforcing the campaign's operational efficiency. Additionally, BEARDSHELL's backdoor functions as an execution layer within the compromised environment, facilitating remote command delivery via PowerShell within a controlled .NET environment in conjunction with SLIMAGENT's data collection capabilities.

By relying on Icedrive for command-and-control, the group maintains covert access while minimizing detection risk while continuing its emphasis on blending malicious activity with legitimate network traffic. All of these findings reinforce that organizations operating in geopolitical environments characterized by high levels of risk, particularly those within the government and defense sectors, need to recalibrate their defensive posture. There is a need for security teams to adopt behavior-driven monitoring as an alternative to traditional signature-based detection models to identify anomalous processes, in-memory payload delivery, and misuse of legitimate cloud services.

In addition to stricter controls on macro execution and file provenance, it is essential to scrutinize document-based attack vectors, particularly those exploiting known vulnerabilities like CVE-2026-21509.

Meanwhile, the increasing use of trusted cloud platforms for command-and-control activities underscores the significance of maintaining visibility into outbound network traffic and implementing zero-trust principles to restrict lateral movement. A coordinated threat hunt in conjunction with timely intelligence sharing among national and international cybersecurity bodies will be essential in combating such campaigns. With adversaries continuing to combine legacy techniques with modern infrastructure to refine their toolchains, resilience will depend on defenders' abilities to anticipate and adapt to an environment that is becoming increasingly covert and persistent.

APT28 Deploys Enhanced Version of Covenant in Ongoing Threat Activity #AdvancedPersistentThreat #APT28 #BeardShell

0 0 0 0
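The post above closes by recommending behaviour-driven monitoring of outbound traffic to legitimate cloud services. The Python below is an added illustration of that hunt, not code from ESET, CERT-UA or the post: it reads constructed proxy-style log lines, maps destination hostnames to the storage providers the post names (pCloud, Koofr, Filen, Icedrive; the domains used for them and the list of client processes expected to reach them are assumptions to be tuned locally) and reports every other process that contacted them, grouped per workstation with connection count, bytes sent and the time span observed.

```python
import re
from collections import defaultdict

# Cloud storage services named in the report, keyed by the domain each is assumed
# to serve from. The domains are an assumption for this example; confirm them
# against your own proxy or DNS data before relying on them.
STORAGE_PROVIDERS = {
    "pcloud.com": "pCloud",
    "koofr.net": "Koofr",
    "filen.io": "Filen",
    "icedrive.net": "Icedrive",
}

# Processes that may legitimately reach those services on a managed workstation.
# Assumption for this example; tune to the software actually deployed in your estate.
EXPECTED_CLIENTS = {"msedge.exe", "chrome.exe", "firefox.exe",
                    "pcloud.exe", "koofr.exe", "filen.exe", "icedrive.exe"}

# Constructed log format: one line per outbound connection, as an endpoint agent
# or proxy might emit it. Real telemetry will need its own parser.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+proc=(?P<proc>\S+)\s+"
    r"dst=(?P<dst>\S+)\s+bytes_out=(?P<bytes_out>\d+)$"
)


def provider_for(hostname):
    """Map a destination hostname (or any subdomain of it) to a known provider, else None."""
    host = hostname.lower().rstrip(".")
    for domain, name in STORAGE_PROVIDERS.items():
        if host == domain or host.endswith("." + domain):
            return name
    return None


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in an unexpected format."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    event = match.groupdict()
    event["bytes_out"] = int(event["bytes_out"])
    return event


def find_unexpected_storage_traffic(lines):
    """Group provider connections made by processes outside EXPECTED_CLIENTS.

    Returns (findings, unparsed_count); unparsed lines are counted rather than
    silently dropped so a parser mismatch does not hide activity.
    """
    groups = defaultdict(list)
    unparsed = 0
    for line in lines:
        event = parse_line(line)
        if event is None:
            unparsed += 1
            continue
        provider = provider_for(event["dst"])
        if provider and event["proc"].lower() not in EXPECTED_CLIENTS:
            groups[(event["host"], event["proc"].lower(), provider)].append(event)
    findings = [
        {"host": host, "process": proc, "provider": provider,
         "connections": len(events),
         "bytes_out": sum(e["bytes_out"] for e in events),
         "first_seen": events[0]["ts"], "last_seen": events[-1]["ts"]}
        for (host, proc, provider), events in groups.items()
    ]
    findings.sort(key=lambda f: f["bytes_out"], reverse=True)
    return findings, unparsed


# Constructed sample: a browser session to Filen and a sync client talking to pCloud
# are expected; PowerShell repeatedly pushing data to pCloud at a fixed cadence is not.
SAMPLE_LOG = """
2026-03-01T09:00:12Z host=WS-0117 user=alice proc=msedge.exe dst=app.filen.io bytes_out=4120
2026-03-01T09:03:40Z host=WS-0117 user=alice proc=winword.exe dst=crl.microsoft.com bytes_out=512
2026-03-01T09:05:01Z host=WS-0117 user=alice proc=powershell.exe dst=api.pcloud.com bytes_out=18342
2026-03-01T09:35:02Z host=WS-0117 user=alice proc=powershell.exe dst=api.pcloud.com bytes_out=20991
2026-03-01T10:05:03Z host=WS-0117 user=alice proc=powershell.exe dst=api.pcloud.com bytes_out=17750
this line is not in the expected format
2026-03-01T10:06:10Z host=WS-0203 user=bob proc=pcloud.exe dst=api.pcloud.com bytes_out=90210
""".strip().splitlines()

if __name__ == "__main__":
    results, skipped = find_unexpected_storage_traffic(SAMPLE_LOG)
    for finding in results:
        print(finding)
    print("unparsed lines:", skipped)
```

The allow-list of processes is deliberately the weak point to revisit: an interactive PowerShell session driven by a human will be flagged as readily as an implant, so the output is a triage queue, not a verdict, and the first_seen/last_seen span together with the regular cadence in the sample is what separates scripted beaconing from a one-off upload.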
Preview
Russian hackers exploit Zimbra flaw in Ukrainian govt attacks Hackers part of APT28, a state-backed threat group linked to Russia's military intelligence service (GRU), are exploiting a Zimbra Collaboration Suite (ZCS) vulnerability in attacks targeting Ukrainia...

APT28 is using the Zimbra stored XSS vulnerability CVE-2025-66376 to target the email environments of Ukrainian government-affiliated organizations. The key point is that, with no attachment and no suspicious link, the HTML email body alone is enough to steal credentials, session tokens, 2FA backup codes, saved passwords, and the past 90 days of email.

#CyberSecurity #ThreatIntel #APT28 #Zimbra #Ukraine #XSS
www.bleepingcomputer.com/news/securit...

0 0 1 0
Preview
APT28 hackers deploy customized variant of Covenant open-source tool The Russian state-sponsored APT28 threat group is using a custom variant of the open-source Covenant post-exploitation framework for long-term espionage operations.

#APT28 hackers deploy customized variant of #Covenant #OpenSource tool

www.bleepingcomputer.com/news/security/apt28-hack...

#cybersecurity #Russia

1 0 0 0
Post image

Russian hacking group APT28 deploys BEARDSHELL and COVENANT malware to spy on Ukrainian military. #CyberSecurity #APT28 #Ukraine #Malware Link: thedailytechfeed.com/apt28-deploy...

1 0 0 0

📰 APT28 Uses Modified Version of Open-Source Covenant Framework for Espionage Operations

👉 Read the full article here: ahmandonk.com/2026/03/11/apt28-covenan...

#apt28 #cyberEspionage #cyberSecurity #hacking #keamananSiber #malware

0 0 0 0
Post image

[2/2]
" #APT28, a #Russian state-sponsored hacker group, is leveraging a modified variant of the #Covenant framework for espionage attacks targeting #Ukrainian military personnel."

0 0 0 0
Preview
APT28 hackers deploy customized variant of Covenant open-source tool The Russian state-sponsored APT28 threat group is using a custom variant of the open-source Covenant post-exploitation framework for long-term espionage operations.

" #APT28 hackers deploy customized variant of Covenant open-source tool."
"The Russian state-sponsored APT28 threat group is using a custom variant of the open-source Covenant post-exploitation framework for long-term espionage .../..."
www.bleepingcomputer.com/news/securit... [1/2]

0 0 1 0
Original post on securityaffairs.com

APT28 conducts long-term espionage on Ukrainian forces using custom malware APT28 used BEARDSHELL and COVENANT malware to spy on Ukrainian military personnel, enabling long-term surveillance since ...

#APT #Breaking #News #Cyber #warfare #Hacking […]


0 0 0 0
Sednit APT Reloaded

~Eset~
Sednit (APT28) targets Ukrainian military with a new dual-implant toolkit: BeardShell and Covenant.
-
IOCs: CVE-2026-21509, BeardShell, SlimAgent
-
#APT28 #Malware #ThreatIntel

0 0 0 0
Post image

Russian state-sponsored group APT28 targets Ukrainian entities with new malware strains BadPaw and MeowMeow. Stay vigilant against sophisticated cyber threats. #CyberSecurity #APT28 #BadPaw #MeowMeow Link: thedailytechfeed.com/apt28-target...

0 1 0 0
Preview
APT28-Linked Campaign Deploys BadPaw Loader and MeowMeow Backdoor in Ukraine - moderately confidently linked ...

APT28-Linked Campaign Deploys BadPaw Loader and MeowMeow Backdoor in Ukraine reconbee.com/apt28-linked...

#APT28 #BadPawloader #MeowMeow #ukraine #cyberattack #cybersecurity

0 0 0 0
Post image

APT28 Deploys BadPaw And MeowMeow In Ukraine
Read More: buff.ly/Lk0YmtC

#APT28 #BadPaw #MeowMeowMalware #RussiaCyber #UkraineCyber #PhishingCampaign #CyberEspionage #ThreatIntel

0 0 0 0
Post image

Russian state-sponsored group APT28 exploited CVE-2026-21513, a critical MSHTML vulnerability, before Microsoft's Feb 2026 Patch Tuesday. Stay vigilant and update your systems. #CyberSecurity #APT28 #MSHTML #ZeroDay Link: thedailytechfeed.com/russian-apt2...

0 0 0 0
Post image

Critical MSHTML zero-day (CVE-2026-21513) exploited by APT28 before Feb 2026 patch. Ensure systems are updated to mitigate risks. #CyberSecurity #APT28 #MSHTML #ZeroDay Link: thedailytechfeed.com/apt28-exploi...

0 0 0 0
Preview
APT28’s Operation MacroMaze Targets Western Europe With Stealthy Macro-Based Attacks

A fresh wave of digital intrusions, tied to Russian operatives known as APT28, emerges through findings uncovered by S2 Grupo’s LAB52 analysts. Throughout late 2025 into early 2026, these efforts quietly unfolded across Western and Central European institutions. Dubbed Operation MacroMaze, the pattern reveals reliance on minimalistic yet precisely timed actions. Instead of complex tools, attackers favored subtle coordination - bypassing alarms by design. Each phase unfolded with restraint, avoiding flashiness while maintaining persistence behind the scenes.

Starting the operation, cyber actors send targeted emails with harmful attachments designed to trick users. Instead of using typical methods, these documents include an XML feature named “INCLUDEPICTURE.” That field points to a JPG stored on webhook[.]site, acting as a hidden reference. As soon as someone views the file, the system pulls the image from that external address. Unlike passive downloads, this transfer initiates a background connection outward. Midway through loading, the request exposes details about the user’s environment automatically. So, without visible signs, attackers receive confirmation plus technical footprints tied to the access event.

Over time, different versions of the documents appeared, spotted by analysts during an extended review period. Each one carried small changes in macro design, though the core behavior stayed largely unchanged. Instead of sticking with automated browser launching, newer samples began mimicking keystrokes through SendKeys functions. This shift may have aimed at dodging detection mechanisms while keeping interactions less obvious to people opening files.

When turned on, it runs a Visual Basic Script pushing the attack forward. A CMD file gets started by the script, setting up ongoing access using timed system jobs before releasing a batch routine.

Out of nowhere, a tiny HTML segment encoded in Base64 appears inside Edge running without display. That fragment pulls directives from one online trigger point, carries out those steps on the machine, gathers what happens, then sends everything back - packed into an HTML document - to another web destination.

A different version of the batch script skips headless browsing by shifting the browser window beyond the visible screen area. Following that shift, any active Edge instances are closed - this isolates the runtime setting. Once the created HTML document opens, form submission begins on its own, sending captured command results to a server managed by the attacker, all without engaging the user.

LAB52 points out that the attack shows hackers using ordinary tools - batch scripts, minimal VBS launchers, basic HTML forms - to form a working breach system. Hidden browser tabs become operational zones, letting intrusions unfold without obvious footprints. Webhook platforms, meant for routine tasks, carry commands one way and stolen information the other. Instead of loud breaches, quiet integration with standard processes helps evade detection. The method thrives not on complexity, but on repurposing everyday components in stealthy ways.

What stands out in Operation MacroMaze is how basic tools, when timed precisely, achieve advanced results. Not complexity - but clever order - defines its success. Common programs, used one after another in quiet succession, form an invisible path through defenses. Trusted system features play a central role, slipping past alarms. Persistence emerges not from novelty, but repetition masked as routine. Across several European organizations, the method survives simply by avoiding attention.

APT28’s Operation MacroMaze Targets Western Europe With Stealthy Macro-Based Attacks #APT28 #APT28CyberEspionage #CyberAttacks

0 0 0 0
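The lure construction described in the MacroMaze post, an INCLUDEPICTURE field whose target lives on an external site, can be checked for at the mail gateway or in a sandbox before the document is ever opened. The Python scanner below is an added illustration, not code from LAB52 or the original post: it opens a .docx, reassembles Word field instructions from the XML parts (the instruction of one field can be split across several `w:instrText` runs, and simple fields keep it in a `w:instr` attribute) and reports any INCLUDEPICTURE whose target is a remote URL. The minimal document it builds in memory, the placeholder path under webhook.site and the simplified field parsing are constructed for this example; it assumes OOXML input and does not handle the legacy binary .doc format.

```python
import html
import io
import re
import zipfile
from urllib.parse import urlparse

# Word stores a "complex" field as a run sequence: fldChar begin, one or more
# instrText runs holding the instruction, fldChar separate, the cached result,
# fldChar end. The instruction may be split across several instrText runs, so
# the runs belonging to one field are joined before matching.
INSTR_RE = re.compile(r"<w:instrText[^>]*>(.*?)</w:instrText>", re.S)
FIELD_BEGIN_RE = re.compile(r'<w:fldChar[^>]*w:fldCharType="begin"')
# "Simple" fields keep the whole instruction in one attribute (XML-escaped).
SIMPLE_RE = re.compile(r'<w:fldSimple[^>]*w:instr="([^"]*)"')
# Only remote targets are of interest; a local path in an INCLUDEPICTURE is not flagged.
EXTERNAL_PIC_RE = re.compile(
    r'INCLUDEPICTURE\s+"?((?:https?|ftp|file)://[^"\s\\]+)', re.I)


def field_instructions(xml):
    """Return every field instruction string found in one WordprocessingML part."""
    instructions = []
    for chunk in FIELD_BEGIN_RE.split(xml)[1:]:
        # Text up to the next fldChar (separate or end) holds this field's instruction runs.
        body = chunk.split("<w:fldChar", 1)[0]
        parts = INSTR_RE.findall(body)
        if parts:
            instructions.append(html.unescape("".join(parts)))
    instructions.extend(html.unescape(i) for i in SIMPLE_RE.findall(xml))
    return instructions


def find_external_includepictures(docx_bytes):
    """List INCLUDEPICTURE fields that fetch from a remote URL, across all word/*.xml parts."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as archive:
        for name in archive.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue  # headers, footers and the body all live under word/
            xml = archive.read(name).decode("utf-8", "replace")
            for instr in field_instructions(xml):
                match = EXTERNAL_PIC_RE.search(instr)
                if match:
                    url = match.group(1)
                    findings.append({"part": name, "url": url,
                                     "host": urlparse(url).hostname})
    return findings


def build_sample_docx(paragraph_xml):
    """Construct a minimal .docx (a constructed sample, not a real lure) around the given runs."""
    document = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        "<w:body><w:p>" + paragraph_xml + "</w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("[Content_Types].xml",
                         '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        archive.writestr("word/document.xml", document)
    return buf.getvalue()


# Constructed field resembling the beacon described in the report; the instruction is
# split across two runs on purpose, and the path under webhook.site is a placeholder.
BEACON_FIELD = (
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE "https://webhook.site/</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">PLACEHOLDER-TOKEN/image.jpg" \\d</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>[image]</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
)
# Constructed benign content: a date field and a picture linked from a local path.
BENIGN_FIELDS = (
    '<w:fldSimple w:instr=" DATE \\@ &quot;d MMMM yyyy&quot; "><w:r><w:t>1 March 2026</w:t></w:r></w:fldSimple>'
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE "C:\\\\Users\\\\me\\\\logo.png" \\d</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
)

if __name__ == "__main__":
    for label, xml in (("beacon", BEACON_FIELD), ("benign", BENIGN_FIELDS)):
        print(label, find_external_includepictures(build_sample_docx(xml)))
```

Joining the instrText runs before matching matters: splitting the URL across runs is enough to defeat a naive substring search for `INCLUDEPICTURE "http`, while Word itself reassembles the runs and fetches the image regardless. Whether a hit is acted on (quarantine, detonation, or simply blocking the host at the egress proxy) is a policy decision that sits outside the scanner.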
Post image

APT28 Uses Webhook Macro Malware
Read More: buff.ly/X04DuP0

#APT28 #OperationMacroMaze #MacroMalware #WebhookAbuse #RussiaCyber #SpearPhishing #CyberEspionage #ThreatActors

0 0 0 0
Post image

APT28's Operation MacroMaze reveals the cunning use of webhook-based macro malware to target European entities. Stay informed and secure. #CyberSecurity #APT28 #ThreatIntelligence #OperationMacroMaze Link: thedailytechfeed.com/apt28s-opera...

1 0 0 0
Preview
APT28 Targeted European Entities Using Webhook-Based Macro Malware - this technique functions as a beaconing method similar ...

APT28 Targeted European Entities Using Webhook-Based Macro Malware reconbee.com/apt28-target...

#APT28 #european #macromalware #webhook #cybersecurity #cyberattack

0 0 0 0
APT28 Deploys Macro Malware in Browser-Based Exfiltration Operation Targeting Europe The APT28 threat group used webhook-based macro malware in Operation MacroMaze to exfiltrate data from European entities.

Full breakdown:
www.technadu.com/apt28-deploy...

Do you think organizations are adequately monitoring outbound traffic to legitimate cloud services? Comment your opinion below.
#CyberEspionage #APT28 #CyberSecurity #MacroMalware #ThreatIntelligence #DataExfiltration

0 0 0 0
Post image

APT28’s Operation MacroMaze used macro-enabled Office docs + webhook. site for data exfil.
Legitimate services as C2 = detection challenge.
Europe targeted.

#CyberEspionage #APT28 #Infosec

0 0 1 0
APT28 Exploits MSHTML Zero-Day CVE-2026-21513

~Akamai~
Russian state-sponsored actor APT28 is actively exploiting a critical MSHTML vulnerability to bypass security features and execute arbitrary code.
-
IOCs: wellnesscaremed. com
-
#APT28 #CVE202621513 #ThreatIntel

0 0 0 0
Preview
APT28 Targeted European Organizations With Webhook Based Macro Malware - SCtoCS APT28 targeted European entities using webhook based macro malware, highlighting ongoing cyber espionage efforts across the region.

APT28 is using webhook-based macro malware to target European organizations via malicious Office docs that connect back to control servers. Be cautious with attachments!
👉 sctocs.com/apt28-europe...

#Cybersecurity
#sctocs
#APT28
#malware
#ThreatAlert

0 0 0 0
Post image

Russian-linked Fancy Bear exploits Microsoft RTF zero-day (CVE-2026-21509) to deploy malware in Eastern Europe. Targets include Ukraine, Slovakia, and Romania. #CyberSecurity #APT28 #ZeroDay #FancyBear Link: thedailytechfeed.com/fancy-bear-e...

0 0 0 0
Preview
APT28 Weaponizes Office Flaw to Spy on NATO & Military APT28 (Fancy Bear) weaponized CVE-2026-21509 in 24 hours to target NATO. New "BeardShell" and "NotDoor" malware steals emails. Patch Office now.

#APT28 Weaponizes MS Office Flaw to #Spy on #NATO & #Military

#Russia state-sponsored group #FancyBear has launched a sophisticated espionage campaign, striking #Europe #military & #government through a major security vulnerability in #Microsoft #Office.

securityonline.info/apt28-weapon...

2 3 0 0
Post image

Russian APT28 exploits Microsoft Office vulnerability CVE-2026-21509 to target European government agencies. Immediate patching and enhanced security measures are crucial. #CyberSecurity #APT28 #MicrosoftOffice Link: thedailytechfeed.com/apt28-target...

0 0 0 0
Video

Cybersecurity news update: Russian state hackers are weaponizing Microsoft Office documents to gain persistent access to targeted networks. If you’re managing enterprise environments, this should be on your radar.

Source: lnkd.in/eMP-H3a4

#cybersecurity #apt28 #infosec

0 0 0 0