APT28 is believed to be a state sponsored group that has been active since 2007. The majority of the APT 28 malware was compiled between Monday – Friday from 8 a.m. – 6 p.m. in UTC+4. This parallels working hours in Eastern Europe, Moscow, and Saint Petersburg. Over half the malware contained portable executable information that indicated that it was programmed with Russian keyboard settings, while the remaining samples were coded using English or Neutral keyboard settings. APT28 is also associated with names Fancy Bear, Tsar Team, Sofacy group, Sednit group.

Unlike Russian cyber-criminal groups, APT28 does not exfiltrate financial information from targets and it does not sell the information that it gathers for profit. Instead, APT 28 gathers geopolitical information that would be specifically relevant to Russia and it uses the information to leverage future attacks. APT 28 uses spear phishing campaigns, sophisticated malware, and zero-day exploits to infiltrate systems belonging to European governments, NATO affiliates, militaries, security organizations, and media organizations with the intent of exfiltrating state information that could be used to influence policy decisions, public opinion, or geopolitical issues. Most of the activity has centered on targets “of specific interest to a European government,” focusing on the Caucasus region and countries along the eastern European border.

APT28 relies upon spear phishing emails or zero-day vulnerabilities to initially compromise victim systems. APT28 spear phishing emails often originate from a typo-squatted mail server and they typically contain either a decoy document relevant to the target or the link to a typo-squatted malicious domain. The least sophisticated aspect of APT28’s more popular attack vectors is its reliance on user error to deploy its malware. Unsuspecting users must be tricked into opening the attachment or following the malicious link. Decoy documents are tailored to the target and they often contain a user specific title, to entice the user to open the attachment, or confidential information, likely obtained through previous breaches, to lend credibility to the document. In fact, the titles of the decoy documents submitted or found online are so specific that the targets can often be retroactively guessed by security firms, such Trend Micro, using only contextual information. Variations in the distributed decoy documents suggest that the actors are fluent in multiple languages (at least Russian and English) however; grammatical mistakes indicate that English is not their native language. While all signs in the malware indicate that Russian is the actors’ native language some Russian researchers at the 2013 PHDays conference in Moscow argued that the dialect is not native Russian. APT28 uses specialized information about its targets to focus its attacks and limit detection. Only a limited number of personnel of the target organization receive the decoy documents. In one notable case, spear phishing emails were sent to only three employees of a billion-dollar multinational firm, whose email addresses were not publicly available or advertised online.

The Sednit platform consists of the SOURFACE/ CORESHELL downloader, the EVILTOSS backdoor, and the CHOPSTICK modular implant. SOURFACE (also known as Sofacy) or CORESHELL performs runtime checks and reverse engineering counter operations before verifying that the infected machine matches the system profile of the target. If the target is verified, then the SOURFACE/CORESHELL dropper obtains a second stage backdoor from the C2 server and installs it on the victim’s system. The backdoor, EVILTOSS, is used to steal credentials and execute shellcode. EVILTOSS uploads an RSA public key and encrypts the stolen data. Then the data is sent via email as an attachment. EVILTOSS then delivers CHOPSTICK to the victim’s system and installs it. CHOPSTICK is comprised of custom implants and tools that are tailored to the target system. CHOPSTICK actively monitors the victim’s system by logging keystrokes, taking screenshots, and monitoring network traffic.

Type: Nation State Sponsored APT

APT28 Status: Active

APT28 Other Names: Fancy Bear/ Sofacy Group/ Sednit Group/ Tsar Team/ Strontium/ Operation Russian Doll/ Anger Bear/ Berserk Bear

APT28 Active Since/Discovered: 2007

APT28 Targets:

  • United States, Eastern European government and military institutions (notably Georgia), NATO affiliates, Defense industry
  • Believed responsible for attacks against Bundestag, EFF, TV5 Monde, the DNC, the Olympics, Georgia Ministry of Defense

APT28 Target Sectors: Geopolitical, Government

APT28 Malware:

  • CORESHELL/ coreshell.dll / SOURFACE– installs other components and Sends out system information to remote server
    • Trickler –  Automatic download software designed to install or reinstall software by downloading slowly in the background so the download is less noticeable
    • Can download and execute files
    • Binary padding
    • File/ Information obfuscation
    • collects hostname, volume serial number and OS version data from the victim and sends the information to its C2 server
    • C2 messages are Base64-encoded
    • C2 messages are encrypted with custom stream ciphers using six-byte or eight-byte keys
    • Performs runtime checks
    • Reverse engineering counter operations
    • Verifies that the infected machine matches the system profile of the target
    • Drops EVILTOSS
  • EVILTOSS/ ADVSTORESHELL, NETUI, AZZY, Sedreco  – Backdoor (used 2012-2016)
    • achieve persistence by registering the payload as a Shell Icon Overlay handler COM object
    • Steals credentials
    • Executes shellcode
    • uploads an RSA public key and encrypts the stolen data
    • Delivers CHOPSTICK
    • encrypted with an XOR-based algorithm; some strings are also encrypted with 3DES and reversed, then encoded with Base64 encoding
      • API function names are reversed to avoid detection in memory
    • connects to port 80 of a C2 server using Wininet API
    • Keylogging
    • List running processes, enumerate registry, create remote shell, run commands, list connected devices, store output, exfiltrate data
  • CHOPSTICK/ Xagent/ X-Agent/ webhp/ SPLM – modular 2nd stage backdoor
    • custom implants and tools that are tailored to the target system
    • actively monitors the victim’s system by logging keystrokes, taking screenshots, and monitoring network traffic
    • Executed by running rundll32 commands
    • Uses HTTP and other legitimate channels for C2 communication, depending on module configuration
    • checks for anti-virus, forensics, and virtualization software
    • may store RC4 encrypted configuration information in the Windows Registry
    • C2 over HTTP, SMTP, and POP3
  • Sednit/ JHUHUGIT/ Seduploader/ JKEYSKW/ GAMEFISH – Reconnaissance malware
    • Based on Carberp source code
    • executed using rundll32.exe
    • performs code injection injecting its own functions to browser processes
    • deletes itself from the victim
    • used a Registry Run key to establish persistence by executing JavaScript code within the rundll32.exe process
    • registered itself as a service to establish persistence and as a scheduled task to run at log in
  • Winexe- s Backdoor.Pointex.B, and  also part of the nyxem remote access trojan
  • OLDBAIT – credential harvester
    • collects credentials from Internet Explorer, Mozilla Firefox, Eudora, and several email clients
    • obfuscates internal strings and unpacks them at startup
    • can use HTTP or SMTP for C2
    • installs itself in %ALLUSERPROFILE%Application DataMicrosoftMediaPlayerupdatewindws.exe;
      • the directory name is missing a space
      • the file name is missing the letter “o.”
  • XTunnel – VPN-like network proxy tool that can relay traffic between a C2 server and a victim
  • Mimikatz- credential dumper
  • HIDEDRV – rootkit
  • WinIDS
  • Foozer
  • DownRange
  • Sedreco- Dropper
  • Komplex
  • DealersChoice
  • USBStealer- used to extract information from air gapped networks
  • Sedkit
  • HideDrv – Rootkit
  • Bootkit- modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR)
    • Ensures persistence
    • Shares code with BlackEnergy
  • Downdelph- first-stage downloader written in Delphi (used 2013-2015)

APT 28 Preferred Attack Vector:  Spear-phishing campaigns, sophisticated malware, and zero-day exploits

APT28 IoCs:

  • Malware compiled between Monday – Friday from 8 a.m. – 6 p.m. in UTC+4
  • Russian keyboard settings
  • Spear-phishing email from typo-squatted domains
  • Tailored decoy documents or lure documents obtained via prior breach
  • Adds “junk data” to each encoded string, preventing trivial decoding without knowledge of the junk removal algorithm
  • Uses other victims as proxies to relay command traffic
    • Used Georgia Ministry of Defense as hop point for NATO targets
  • Uses SMTP as a communication channel in various implants, initially using self-registered Google Mail accounts and later compromised email servers of its victims
  • Cleared event logs using the commands wevtutil cl System and wevtutil cl Security
  • Timestomps victim files
  • CVE-2015-3043
  • CVE-2010-3333
  • CVE-2012-0158
  • CVE-2014-1761
  • CVE-2013-1347
  • CVE-2013-3897
  • CVE-2014-1776
  • CVE-2015-1701


  • Posed as the “Cyber Caliphate” in at least the attack against TV5 Monde
  • Exfiltrates state information that could be used to influence policy decisions, public opinion, or geopolitical issues
Privacy Settings
We use cookies to enhance your experience while using our website. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. We also use content and scripts from third parties that may use tracking technologies. You can selectively provide your consent below to allow such third party embeds. For complete information about the cookies we use, data we collect and how we process them, please check our Privacy Policy
Consent to display content from Youtube
Consent to display content from Vimeo
Google Maps
Consent to display content from Google