Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
APT28 (Fancy Bear)
APT28 September 2025 Activity
Overview of APT28
APT28 (also known as Fancy Bear, Sofacy, Sednit, BlueDelta, Forest Blizzard and other aliases) is a long‑running Russian advanced persistent threat (APT) group. Multiple governments and cybersecurity organisations attribute APT28 to the Main Intelligence Directorate (GRU) of Russia (specifically Military Unit 26165). The intrusion set has been active since at least 2004 and is linked to numerous high‑profile operations, including cyber espionage during conflicts in Ukraine (2015–2017, 2022) and interference in the 2016 U.S. and 2017 French elections.
APT28 is known for its evolving toolset and multi‑stage infection chains that often exploit legitimate services (e.g., Microsoft Outlook, OneDrive, Signal, Koofr, Filen, Icedrive) for command and control (C2) and data exfiltration. The group commonly uses spear‑phishing lures with malicious documents and exploits to gain initial access and leverages DLL side‑loading, macro abuse and living‑off‑the‑land techniques to evade defences.
This week’s activity (late September 2025) highlights two continuing APT28 campaigns:
- NotDoor Outlook backdoor – a VBA macro backdoor that abuses Microsoft Outlook to execute commands and exfiltrate data. NotDoor is delivered via DLL side‑loading (malicious
SSPICLI.dll) by the signedOneDrive.exeto bypass macro protections, then implants a VBA project that monitors inbound emails for trigger words and runs Base64‑encoded PowerShell commands . This campaign targets companies in NATO countries. - Operation Phantom Net Voxel / BEARDSHELL – spear‑phishing using weaponized Office documents delivered over Signal chat. The documents drop a malicious DLL and PNG file; the DLL uses COM‑hijacking to load a C# stager that communicates with the Koofr cloud API and downloads the Covenant/BeardShell malware. This campaign targets Ukrainian government agencies and military personnel and leverages public cloud services (Koofr, Icedrive, Filen) for C2.
NotDoor Infection Chain
Net Voxel Infection Chain
NotDoor Tactics, Techniques & Procedures (TTPs)
| MITRE ATT&CK tactic | Key techniques observed | Description and sources |
|---|---|---|
| Initial Access | Phishing (Spear‑phishing attachment – T1566.001) | Malicious Word documents containing VBA macros are delivered via phishing emails |
| Execution | DLL side‑loading (T1574.001) | Signed OneDrive.exe loads a rogue SSPICLI.dll to bypass macro protections |
| Execution | VBA Macro (T1059.005) | Macro implants a VBA project into Outlook and monitors incoming emails |
| Persistence | Registry modification (T1112) | Macro alters registry keys to enable macros silently and persist across reboots |
| Defense Evasion | Obfuscated/Encoded Commands (T1027) | The macro executes Base64‑encoded PowerShell commands and randomizes function names to avoid detection |
| Command & Control | Exfiltration via E-mail (T1041) | Outlook is used as the C2 channel; commands and responses travel via email attachments |
| Data Exfiltration | Exfiltration via e‑mail (T1041) | Stolen data is saved in %TEMP% and sent as attachments to ProtonMail addresses |
Net Voxel Tactics, Techniques & Procedures (TTPs)
| MITRE ATT&CK tactic | Key techniques observed | Description and sources |
|---|---|---|
| Initial Access | Phishing (Spear‑phishing attachment – T1566.001) | Weaponised Office documents with malicious macros are delivered via Signal chat |
| Execution | COM Hijacking (T1546.015) | Dropped DLL hijacks COM to load shellcode from a PNG file and launch a .NET stager |
| Execution | VBA Macro (T1059.005) | Macro drops ctec.dll and windows.png, then schedules their execution |
| Persistence | Boot/Logon Autostart (T1547) | Registry keys are modified so the malicious DLL is loaded when Explorer.exe starts |
| Defense Evasion | Use of Legitimate Services (T1102) | Exploits trusted services and encrypted cloud APIs to blend into normal network traffic |
| Command & Control | Web Protocols / Cloud Storage (T1071.001 / T1105) | The stager and BeardShell backdoor communicate with Koofr and Icedrive APIs; numerous Filen domains are used for C2 |
Indicators of Compromise (IOCs)
NotDoor File hashes
The following hashes are associated with APT28’s recent campaigns. Organisations should block or quarantine these artifacts and search logs for their presence.
| Hash type | Hash value | Context |
|---|---|---|
| MD5 | 15e9255a3e3401e5f6578d2ac45b7850 | NotDoor backdoor DLL hash |
| MD5 | f8d9b7c864fb7558e8bad4cfb5c8e6ff | NotDoor backdoor DLL |
| SHA‑256 | 5a88a15a1d764e635462f78a0cd958b17e6d22c716740febc114a408eef66705 | NotDoor backdoor |
| SHA‑256 | 8f4bca3c62268fff0458322d111a511e0bcfba255d5ab78c45973bd293379901 | NotDoor backdoor |
| SHA‑1 | 3b80a13199564e3d8a9d26e14defabee136638f8 | NotDoor backdoor |
| SHA‑1 | a45ab1a9dec488278ee9682735d42d61dfc38b9e | NotDoor backdoor |
Net Voxel File Hashes
| Hash type | Hash value | Context |
|---|---|---|
| MD5 | 915179579ab7dc358c41ea99e4fcab52 | Weaponised document Акт.doc used in Phantom Net Voxel |
| MD5 | f21b63ddd7d2a773eb21a065015cdd01 | Weaponised document lorem.doc |
| MD5 | bbfb92161cb71825a16e49e2aa4d2750 | Weaponised document zrazok‑raport‑matdopomoga‑forma‑dla‑zapovnennya‑v3.doc |
| MD5 | 608877a9e11101da53bce99b0effc75b | Weaponised document СЛУЖБОВА ХАРАКТЕРИСТИКА.doc |
| MD5 | 7de7febec6bed06c49efb4e2c3dd23e1 | Weaponised document attachment.doc |
| MD5 | 1498f1df4ca0e9cf23babe00cf34ed3d | Weaponised document lorem.doc (2025‑04‑01) |
| MD5 | b6e3894c17fb05db754a61ac9a0e5925 & 2632fa8fc67dd2fd5c5a6275465dcc95 | Temporary files (tmsnrb41da2y867.tmp) used in Phantom Net Voxel |
| MD5 | 2338f420d66ef191c5a419353da2c12b | Second‑stage DLL used in Phantom Net Voxel |
| MD5 | 766a89de96c50df2e33b42f05218c22e | Additional second‑stage DLL |
| MD5 | 889b83d375a0fb00670af5276816080e | SLIMAGENT screenshot tool used alongside BeardShell |
Domains and infrastructure
APT28 leverages legitimate cloud services and customised subdomains as C2 endpoints. Monitor DNS and proxy logs for outbound connections to these domains.
| Service | Domain / endpoint | Notes |
|---|---|---|
| Webhook[.]site | webhook[.]site | Used by NotDoor via DNSHook for command‑and‑control |
| Koofr | app.koofr[.]net | Koofr file‑storage API used by Phantom Net Voxel & BeardShell |
| Icedrive | api.icedrive[.]net | Cloud storage API used for exfiltration in BeardShell campaigns. |
| Filen | gateway.filen[.]io, gateway.filen[.]net, gateway.filen‑1[.]net gateway.filen‑6[.]net | Filen cloud service endpoints used for C2. |
| Filen (egest) | egest.filen[.]io, egest.filen[.]net, egest.filen‑1[.]net egest.filen‑6[.]net | Egest endpoints (upload). |
| Filen (ingest) | ingest.filen[.]io, ingest.filen[.]net, ingest.filen‑1[.]net ingest.filen‑6[.]net | Ingest endpoints (download). |
| Cloudflare‑like phishing domains | findcloudflare[.]com, cloudflare.redirectpartners[.]com | Domains impersonating Cloudflare used in APT29’s device‑code phishing campaign; included here as they were reused by APT28 operators in some lures. |
Threat Hunting & Detection Guidance
The following queries and detection tips are provided as guidance; they should be adapted to your specific logging sources (e.g., Splunk, Elastic, Microsoft Sentinel). Use them to hunt for activity associated with APT28 campaigns.
- DLL side‑loading via OneDrive
- Objective: Detect
OneDrive.exeloading an unexpectedSSPICLI.dllfrom a non‑system directory.
index=sysmon EventID=7 Image="*OneDrive.exe" ImageLoaded="*SSPICLI.dll"
| where NOT (ImageLoaded="C:\Windows\System32\SSPICLI.dll")
This query searches Sysmon event 7 logs for OneDrive.exe loading SSPICLI.dll from any location other than %SystemRoot%\System32, which can indicate NotDoor’s DLL sideloading.
- Suspicious Outlook macro execution
- Objective: Identify Outlook spawning PowerShell or command interpreters, which is unusual and indicative of macro abuse.
index=sysmon EventID=1 ParentImage="*OUTLOOK.EXE"
(Image="*powershell.exe" OR Image="*cmd.exe")
Outlook rarely launches child processes; any such occurrence should be investigated. Combine with detection of Base64‑encoded command lines (look for -EncodedCommand) to catch obfuscated payloads.
- Network connections to Koofr/Icedrive/Filen endpoints
- Objective: Hunt for unusual outbound connections to cloud‑storage domains used by APT28.
index=proxy OR index=network
| search dest_domain IN ("app.koofr.net", "api.icedrive.net", "gateway.filen.io", "gateway.filen.net", "egest.filen.io", "ingest.filen.io")
Flag any devices communicating with these domains outside of sanctioned usage.
- Webhook[.]site detection
- Objective: Detect DNS or HTTP requests to
webhook[.]site, which is abused in NotDoor campaigns.
index=dns OR index=proxy
| search query="*.webhook.site" OR dest_domain="webhook.site"
- Registry modifications enabling macro execution
- Objective: Monitor for registry changes that relax VBA macro security or enable COM hijacking.
index=sysmon EventID=13 TargetObject LIKE "%\\Software\\Microsoft\\Office%\\Security%" \\
RegistryValueName IN ("VBAWarnings", "AccessVBOM")
Changes to VBAWarnings or AccessVBOM keys lower macro protections; these changes are consistent with APT28’s TTPs.
- COM hijacking by explorer.exe or taskhostw.exe
- Objective: Detect COM hijacking used by BeardShell to persist.
index=sysmon EventID=7 Image="*taskhostw.exe" ImageLoaded!="C:\Windows\System32\*.dll"
| where ImageLoaded matches regex ".*AppData.*"
Taskhostw.exe loading DLLs from user‑controlled locations is unusual and may indicate COM hijacking.
- DNS queries with double‑encoded paths
- Objective: Detect exploitation of Cisco IOS XE vulnerabilities by searching for double‑encoded WSMA endpoints (observed in parallel APT28 operations). Although not directly part of this week’s campaign, including this detection helps defend against broader APT28 activity.
index=proxy OR index=network
| search uri_path="/%2577eb%2575i_%2577sma_*" OR uri_path="/%2577eb%2575i%2577sma_*"
The presence of %2577eb%2575i_%2577sma_* indicates double‑encoded WSMA requests exploited in 2023 – 2024 campaigns.
Mitigation & Recommendations
- Disable or restrict VBA macros in Outlook and other Office applications. Use Group Policy to block macros from the internet and enable Microsoft Defender Attack Surface Reduction rules to prevent Office from spawning child processes.
- Monitor signed binaries for anomalous behaviour. Use application whitelisting (e.g., Windows Defender Application Control or AppLocker) to prevent
OneDrive.exeorOutlook.exefrom loading untrusted DLLs. - Implement network egress controls to block unauthorised connections to webhook.site, Koofr, Icedrive and Filen domains. Alert on unusual traffic to these services.
- Educate users about spear‑phishing and the risks of enabling macros. Encourage reporting of suspicious messages, including those received via Signal or other chat platforms.
- Regularly patch and update third‑party software, network edge devices and email servers. APT28 frequently exploits publicly known vulnerabilities (e.g., Cisco IOS XE, Roundcube, etc.).
Conclusion
APT28 continues to evolve its toolkit, combining macro‑enabled malware, DLL side‑loading and cloud‑storage C2 to evade traditional defences. Recent campaigns—including the NotDoor Outlook backdoor and Operation Phantom Net Voxel/BEARDSHELL—highlight the group’s focus on stealth and persistence. Defenders should prioritise monitoring of macro usage in email clients, DLL side‑loading activity, and network traffic to sanctioned cloud services. Continuous intelligence gathering, coupled with proactive hunting and strict macro policies, remains key to detecting and mitigating APT28 intrusions.
