APT28
APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165. This group has been active since at least 2004. APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations. Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.
Attribution signal
Score = mentions × confidence weight, summed across all attributed sources. Higher source diversity increases the score. Rating thresholds: ≥ 10 High; ≥ 3 Moderate; < 3 Low.
32 mentions · 7 sources
"Forest Blizzard is attributed to the military intelligence units within Russia's General Staff Main Intelligence Directorate (GRU)"
"Also known as APT28 and Fancy Bear, Forest Blizzard is attributed to the military intelligence units within Russia's General Staff Main Intelligence Directorate (GRU)"
"We therefore assess with high confidence that both the 2018 samples and the 2024 SlimAgent sample were built from the same codebase."
"Based on these similarities, we believe that SlimAgent is an evolution of the Xagent keylogger module, which has been deployed as a standalone component since at least 2018. Moreover, because Xagent is a custom toolset used exclusively by the Sednit group for more than six years, we attribute SlimAgent to Sednit with high confidence."
"Researchers have analyzed the activity of Russian threat group APT28 (aka Fancy Bear). The group has recently targeted Ukraine as well as its European defense supply chain partners with a toolset dubbed PRIXMES"
"SlimAgent code was derived from Xagent, Sednit's flagship backdoor from the 2010s."
"The flaw was exploited as a zero-day alongside CVE-2026-21513 by TA422 in attacks targeting Ukraine and EU member states beginning in late 2025."
"Active exploitation by APT28"
"APT28 exploits MSHTML flaw: The Russian state-sponsored group leveraged CVE-2026-21513 via malicious Windows Shortcut files for multi-stage payload delivery"
"Russian state-sponsored actors exploited CVE-2026-21509 (Microsoft Office) via weaponized RTF files, delivering MiniDoor, PixyNetLoader, and Covenant Grunt implants"
"Zero-day exploitation by Russian state-sponsored actors bypasses Office security features, enabling delivery of email collection implants and backdoors."
"APT28's Operation Neusploit marked January's most sophisticated campaign: Exploited CVE-2026-21509 (Microsoft Office) via weaponized RTF files"
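The scoring rule stated at the top of this section (score = mentions × confidence weight summed across sources, raised by source diversity, then bucketed as High/Moderate/Low) can be reproduced in a few lines. The block below is an added illustration, not code from the page or from the service that produced the widget. The hedge-phrase list, the per-phrase weights, the default weight for an unhedged statement and the diversity multiplier are all assumptions made for the example; the source labels are hypothetical and the sample signals are constructed, modelled on the quotes above. Only the 10/3 thresholds come from the page.

```python
import re
from dataclasses import dataclass

# Hedge phrases and the confidence weight each implies. The phrase list and
# the weights are assumptions made for this example: the page states only that
# score = mentions x confidence weight summed across sources and that hedge
# terms are observed; it does not publish a weight table.
HEDGE_WEIGHTS = [
    (re.compile(r"\bhigh confidence\b", re.I), 1.0),
    (re.compile(r"\b(?:is|are) attributed to\b", re.I), 0.9),
    (re.compile(r"\bassess(?:es|ed)? with\b", re.I), 0.8),
    (re.compile(r"\bwe believe\b", re.I), 0.6),
    (re.compile(r"\breportedly\b", re.I), 0.5),
]
DEFAULT_WEIGHT = 0.7     # assumed weight for a flat, unhedged statement
DIVERSITY_BONUS = 0.25   # assumed multiplier step per extra distinct source
THRESHOLDS = [(10.0, "High"), (3.0, "Moderate")]  # legend from the page; otherwise "Low"


@dataclass
class Signal:
    source: str   # hypothetical source label
    text: str     # the attribution sentence taken from that source


def hedge_terms(text):
    """Return (phrase, weight) for every hedge phrase in text, strongest first."""
    found = []
    for pattern, weight in HEDGE_WEIGHTS:
        m = pattern.search(text)
        if m:
            found.append((m.group(0).lower(), weight))
    return sorted(found, key=lambda item: -item[1])


def confidence_weight(text):
    """The strongest explicit confidence statement in a mention sets its weight."""
    terms = hedge_terms(text)
    return terms[0][1] if terms else DEFAULT_WEIGHT


def attribution_score(signals):
    """Sum mention weights per source, then scale by source diversity.

    Returns (score, number of mentions, number of distinct sources).
    """
    per_source = {}
    for s in signals:
        per_source.setdefault(s.source, []).append(confidence_weight(s.text))
    base = sum(sum(weights) for weights in per_source.values())
    distinct = len(per_source)
    diversity = 1.0 + DIVERSITY_BONUS * max(0, distinct - 1)
    return base * diversity, len(signals), distinct


def rating(score):
    """Bucket a score using the page's legend."""
    for threshold, label in THRESHOLDS:
        if score >= threshold:
            return label
    return "Low"


# Constructed sample input, modelled on the quoted signals above; source
# labels are hypothetical.
SAMPLE_SIGNALS = [
    Signal("vendor-a", "Forest Blizzard is attributed to the military intelligence "
                       "units within Russia's General Staff Main Intelligence Directorate (GRU)."),
    Signal("vendor-b", "We therefore assess with high confidence that both the 2018 "
                       "samples and the 2024 SlimAgent sample were built from the same codebase."),
    Signal("vendor-b", "We believe that SlimAgent is an evolution of the Xagent keylogger "
                       "module, and we attribute SlimAgent to Sednit with high confidence."),
    Signal("news-c",   "Researchers have analyzed the activity of Russian threat group APT28."),
    Signal("news-d",   "APT28 reportedly compromised the campaign in 2016."),
]

if __name__ == "__main__":
    score, mentions, sources = attribution_score(SAMPLE_SIGNALS)
    print(f"{mentions} mentions, {sources} sources -> score {score:.2f} ({rating(score)})")
    for s in SAMPLE_SIGNALS:
        print(f"  [{s.source}] weight {confidence_weight(s.text):.1f} hedges {hedge_terms(s.text)}")
```

With the five constructed signals the base sum is 4.1 across four distinct sources, the diversity multiplier lifts it to about 7.2, and the rating lands at Moderate; a single "reportedly" mention from one source scores 0.5 and rates Low. The practical point is that a weak hedge such as "reportedly" counts for half of a "high confidence" assessment, and repeated mentions from one vendor add less than the same number of mentions spread across vendors, which is why the widget reports both counts.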
Hedge terms observed