APT28 (Fancy Bear): The GRU's Cyber Arm in Europe — A Threat Actor Profile
A profile of APT28, the Russian GRU-affiliated threat group also known as Fancy Bear, Forest Blizzard, and UAC-0001. History, recent 2025-2026 campaigns including Operation MacroMaze and CVE-2026-21509 exploitation, sectors targeted, and what NIS2 and DORA entities should learn from its tradecraft.
APT28 (Fancy Bear): The GRU's Cyber Arm in Europe
Of all the threat actor names that have entered the general public's vocabulary over the last decade, Fancy Bear is among the most memorable — which is a problem, because the name's whimsy has consistently obscured what the group actually is. APT28 is not a brand. It is a unit of Russian military intelligence with two decades of continuous operations against Western governments, Ukrainian institutions, NATO logistics, and — increasingly relevant for European industry — the maritime, transport, and energy sectors that fall squarely under NIS2.
This is the first in a Risk Letters series of threat actor profiles: structured analyses of the groups most consequential for European NIS2 and DORA entities, built on attributable, primary-sourced reporting. We will be specific about what is known, careful about what is assessed, and clear about the difference. For how cyber threat actor activity connects to the regulatory layer, see the pillar guide on NIS2 and DORA.
What is known about APT28
APT28 is the most-tracked Russian-aligned threat group. The names it carries reflect twenty years of overlapping intelligence-vendor and government tracking: APT28 (Mandiant's designation), Fancy Bear (CrowdStrike), Forest Blizzard (Microsoft, post-2023 renaming), Sofacy, Sednit, STRONTIUM, Pawn Storm, BlueDelta, TA422, ITG05, and — used by Ukraine's national CERT in formal attribution language — UAC-0001.
The official attribution comes from multiple Western governments. The group is widely assessed to operate on behalf of Russia's General Staff Main Intelligence Directorate (GRU), and specifically has been linked to Unit 26165 of the GRU. The US Department of Justice indicted seven GRU officers in 2018 for activity attributed to the group; the UK, Netherlands, EU and others have made similar public attributions.
The targeting profile is consistent and recognisable. APT28's operations align with Russian military and foreign policy objectives — Ukrainian government and military entities, European countries supporting Ukraine, NATO allies, defence industries, foreign ministries, and the logistics and transport infrastructure that moves Western aid into the conflict zone. Operations are typically intelligence-collection-first rather than destructive; this is espionage with a long fuse, not sabotage.
The 2025-2026 campaign landscape
What makes APT28 worth profiling now is not historical interest but operational currency. The group has run multiple distinct, attributable campaigns against European targets in late 2025 and into 2026, and the tradecraft tells the story of where European industry's exposure actually sits.
Operation MacroMaze (late 2025 – January 2026)
Between late 2025 and early 2026, S2 Grupo's LAB52 threat intelligence team documented a sustained spear-phishing campaign targeting governmental, diplomatic, and critical infrastructure organisations across Western and Central Europe. The campaign — codenamed Operation MacroMaze — used macro-enabled Microsoft Office documents that exploited webhook-based infrastructure (notably webhook[.]site) for command-and-control and data exfiltration. The technical novelty was its abuse of legitimate webhook services, with multi-stage macro payloads designed to evade signature-based detection.
CVE-2026-21509 exploitation (January-February 2026)
In a 72-hour spear-phishing campaign between 28 and 30 January 2026, APT28 delivered at least 29 distinct emails across nine Eastern European nations, primarily targeting defence ministries (around 40% of the targets) and government and maritime/transport organisations across Poland, Slovenia, Turkey, Greece, the UAE, and Ukraine. The campaign weaponised CVE-2026-21509 — a Microsoft Office security feature bypass vulnerability — within 24 hours of its public disclosure, demonstrating an exploitation capability that few groups in the world possess at that timing.
The technical chain involved a lightweight initial loader, an Outlook VBA backdoor named NotDoor, a custom C++ implant called BeardShell, and a modified Covenant implant ("CovenantGrunt"). For command-and-control, the operators abused the legitimate cloud storage service filen.io, blending malicious traffic into legitimate user activity. CERT-UA officially attributed the January 2026 attacks to UAC-0001 — corresponding to APT28.
Operation Masquerade — SOHO router DNS hijacking (May 2025 – April 2026)
In April 2026 the US Department of Justice announced a court-authorized technical operation, codenamed Operation Masquerade, that disrupted a US portion of an APT28-controlled botnet. The operation revealed that APT28 had been hijacking small-office and home-office routers globally, using them to redirect DNS for targets of intelligence interest. At its peak in December 2025, more than 18,000 unique IP addresses across at least 120 countries were observed communicating with the APT28 infrastructure. The primary targets were government agencies — particularly ministries of foreign affairs and law enforcement — and third-party email and cloud service providers across North African, Central American, Southeast Asian, and European countries.
PRISMEX (September 2025 onwards)
Separately, since September 2025 APT28 has been observed deploying a malware suite called PRISMEX against Ukrainian and allied infrastructure, including defence systems and aid coordination infrastructure. The campaign uses advanced stealth techniques including steganography and COM hijacking, consistent with APT28's emphasis on persistent, low-visibility access for long-term collection.
Recurring tradecraft
Across these campaigns and the longer historical record, several technical patterns recur:
- Rapid exploitation of newly disclosed vulnerabilities — particularly in Microsoft Office and Outlook. APT28 has repeatedly been among the first observed exploiters of Office-class vulnerabilities in the wild.
- Outlook and email-system targeting — both as an initial vector (spear-phishing with weaponised documents) and as a persistence mechanism (mailbox permission abuse, COM hijacking, Outlook VBA backdoors).
- Abuse of legitimate cloud services — webhook[.]site, filen.io, Mocky, and similar — for command-and-control and exfiltration, blending malicious traffic with legitimate user activity.
- Credential access and identity compromise — password spraying, brute force, token theft, mailbox permission abuse as a route to lateral movement.
- SOHO router compromise — used to build operational relay infrastructure and to hijack DNS for targets of interest.
- Tooling diversity — APT28's published toolchain spans loaders, backdoors, credential theft tooling, exfiltration utilities, keyloggers (SLIMAGENT), implants (BEARDSHELL, COVENANT/CovenantGrunt, PRISMEX), and an active capability to weaponise new vulnerabilities.
Why APT28 matters for NIS2 and DORA entities
The European entities targeted in the 2025-2026 campaigns fall directly inside NIS2 scope. Maritime and transport are Annex I essential sectors. Government and defence ministries are essential entities. Third-party email and cloud service providers — caught up in Operation Masquerade — are digital infrastructure under NIS2.
Two specific NIS2 and DORA implications.
Article 23 incident reporting capability matters most against actors like this. APT28 campaigns are designed for persistent, low-visibility access. The moment of awareness — the trigger for the 24-hour NIS2 early warning — may be days or weeks after compromise, especially where the initial vector is a successful spear-phish. The reporting capability that NIS2 demands, covered in NIS2 Incident Reporting: The 24-72-30 Day Timeline, needs to be calibrated for the case where intelligence — vendor advisory, CERT-UA notification, ISAC sharing — produces the first signal of compromise, not the SOC's own telemetry.
Supply chain and third-party exposure is direct. Operation Masquerade specifically targeted "third-party email and cloud service providers" as vehicles for reaching the eventual intelligence target. For NIS2 entities, this is the supply chain measure of Article 21(2)(d) in concrete form — the security posture of your direct service providers is part of your own exposure to actors like APT28. The cross-domain dimension is treated in The Trust Supply Chain: How One ICT Provider Becomes Four Risks at Once.
How you would actually watch this
Three concrete monitoring postures, tuned to APT28's observed behaviour.
Office vulnerability patching as time-critical. APT28's track record of weaponising newly disclosed Microsoft Office vulnerabilities within hours — sometimes within a single day — means standard "Patch Tuesday plus 30 days" cycles are inadequate against this class of actor. Office and Outlook updates flagged as security feature bypasses, OLE/macro-related, or KEV-listed should trigger emergency patching workflows, not be queued for the next maintenance window.
Email-system telemetry beyond inbound filtering. APT28's persistence techniques — Outlook VBA backdoors, mailbox permission abuse, COM hijacking — operate inside the email environment. Detection requires visibility into Outlook rules, mailbox permission changes, and unusual VBA execution, not just inbound mail filtering.
Legitimate-service C2 monitoring. The recurring abuse of webhook[.]site, filen.io, Mocky and similar legitimate cloud services as command-and-control infrastructure means traffic to such services from corporate endpoints should be characterised and baselined. A finance workstation making unusual API calls to a webhook service is a signal that signature-based tools cannot raise.
These are the kind of controls that operate upstream of the regulatory clock — they shorten the awareness gap, which is the most expensive minute in any post-incident timeline.
The honest framing
A note on attribution, because responsible threat actor profiles depend on it.
The attributions cited here come from named sources with stated bases: CERT-UA's formal attribution of January 2026 activity to UAC-0001/APT28; the US Department of Justice's Operation Masquerade announcement; multiple intelligence-vendor analyses (Trellix, S2 Grupo LAB52, Recorded Future Insikt Group, ESET, Microsoft, Mandiant); UK and EU governmental statements. These are not Risk Letters' independent attributions. We report them as the assessments of the named entities, and they are the strongest publicly attributable claims in the field.
What attribution does not tell you is what an individual entity should do about it. Knowing that APT28 targeted maritime entities in a specific 72-hour window in January 2026 does not, by itself, make a Polish or Greek shipping company safer. It does, however, place specific vulnerabilities, specific tradecraft, and specific service-provider categories on a list that European compliance and security teams cannot defensibly ignore.
The takeaway
Three things follow.
- APT28 is operationally active and continuously evolving. The 2025-2026 campaign record demonstrates capability to weaponise zero-days within 24 hours, sustained interest in European maritime/transport/government targets, and a willingness to compromise third-party service providers as routes to intended targets.
- NIS2 reporting capability has to work against actors designed to delay awareness. The Article 23 24-hour clock starts when the entity becomes aware — and APT28's tradecraft is specifically designed to extend that awareness gap. Threat intelligence as an external awareness channel is part of the answer.
- The supply chain measure of Article 21(2)(d) is concrete here. When an actor targets email and cloud service providers specifically as vehicles to reach end-targets, the security posture of your direct service providers is part of your own threat profile.
For the broader cross-domain framing this profile sits within, see The Trust Supply Chain. For the regulatory mechanics of incident reporting, NIS2 Incident Reporting: The 24-72-30 Day Timeline.
Sources & further reading
- Trellix — APT28 / CVE-2026-21509 / NotDoor / BeardShell campaign analysis (February 2026)
- CERT-UA — formal attribution of UAC-0001 to January 2026 spear-phishing activity
- US Department of Justice — Operation Masquerade announcement (April 2026); 2018 GRU indictments
- S2 Grupo LAB52 — Operation MacroMaze analysis (February 2026)
- Rescana — Operation MacroMaze technical write-up (February 2026)
- Recorded Future Insikt Group — APT28 / HeadLace and credential-harvesting analysis
- ESET — Operation RoundPress (APT28 targeting of webmail platforms)
- Microsoft Threat Intelligence — Forest Blizzard tracking
- Industrial Cyber — APT28 European maritime and transport targeting analysis
- Security Affairs — APT28 / PRISMEX analysis (April 2026)
- UK National Cyber Security Centre — APT28 advisories
- The Hacker News — APT28 SOHO router DNS hijacking analysis (April 2026)
Attribution note: APT28's linkage to Russia's GRU and Unit 26165 reflects the stated assessments of multiple Western governments and intelligence-industry firms. Specific campaign attributions cited above derive from named primary sources (CERT-UA, US DOJ, Trellix, S2 Grupo, etc.) and are reported here as their assessments.