CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Amazon Disrupts GRU-Affiliated APT44 Campaign Targeting Critical Infrastructure

First reported
Last updated
4 unique sources, 15 articles

Summary

Hide ▲

Amazon has disrupted a years-long Russian state-sponsored campaign targeting Western critical infrastructure, including energy sector organizations and cloud-hosted network infrastructure. The campaign, attributed to the GRU-affiliated APT44 group, initially leveraged vulnerabilities in WatchGuard Firebox and XTM, Atlassian Confluence, and Veeam to gain initial access. However, starting in 2025, APT44 shifted its tactics to target misconfigured network edge devices, reducing their exposure and resource expenditure. The group targeted enterprise routers, VPN concentrators, network management appliances, and cloud-based project management systems to harvest credentials and establish persistent access. Amazon's intervention led to the disruption of the campaign, highlighting the ongoing threat posed by state-sponsored cyber actors. APT44, also known as FROZENBARENTS, Sandworm, Seashell Blizzard, and Voodoo Bear, has been active since at least 2021. The group exploited vulnerabilities in WatchGuard Firebox and XTM (CVE-2022-26318), Atlassian Confluence (CVE-2021-26084, CVE-2023-22518), and Veeam (CVE-2023-27532) to compromise network edge devices. The campaign involved credential replay attacks and targeted energy, technology/cloud services, and telecom service providers across North America, Western and Eastern Europe, and the Middle East. Amazon's threat intelligence team identified and notified affected customers, disrupting active threat actor operations. Additionally, APT28, another GRU-affiliated group, has been conducting a sustained credential-harvesting campaign targeting users of UKR[.]net, a webmail and news service popular in Ukraine. The campaign, observed between June 2024 and April 2025, involves deploying UKR[.]net-themed login pages on legitimate services like Mocky to entice recipients into entering their credentials and 2FA codes. Links to these pages are embedded within PDF documents distributed via phishing emails, often shortened using services like tiny[.]cc or tinyurl[.]com. In some cases, APT28 uses subdomains created on platforms like Blogger (*.blogspot[.]com) to launch a two-tier redirection chain leading to the credential harvesting page. The campaign is part of a broader set of phishing and credential theft operations targeting various institutions in pursuit of Russia's strategic objectives. APT28's recent campaign targeted Turkish renewable energy scientists with a climate change policy document from a real Middle Eastern think tank. The group used phishing emails themed to match their intended targets and written in the targets' native tongues. Victims were redirected to a login page mimicking a legitimate online service after following a link in a phishing email. APT28 used regular hosted services rather than custom tools and infrastructure for their attacks. The targets included an IT integrator based in Uzbekistan, a European think tank, a military organization in North Macedonia, and scientists and researchers associated with a Turkish energy and nuclear research organization. The campaign was highly selective and consistent with GRU collection priorities, aligning with geopolitical, military, or strategic intelligence objectives. APT28 has been targeting organizations associated with energy research, defense collaboration, and government communication in a new credential-harvesting campaign. The group used phishing pages impersonating Microsoft Outlook Web Access (OWA), Google, and Sophos VPN portals. Victims were redirected to legitimate domains after entering their credentials. APT28 relied heavily on free hosting and tunneling services such as Webhook.site, InfinityFree, Byet Internet Services, and Ngrok to host phishing content, capture user data, and manage redirections. In February 2025, APT28 deployed a Microsoft OWA phishing page and used the ShortURL link-shortening service for the first-stage redirection. The group employed a webhook relying on HTML to load a PDF lure document in the browser for two seconds before redirecting the victim to a second webhook hosting the spoofed OWA login page. In July, APT28 deployed a spoofed OWA login portal containing Turkish-language text and targeting Turkish scientists and researchers. In June, APT28 deployed a spoofed Sophos VPN password reset page hosted on InfinityFree infrastructure. In September, APT28 hosted two spoofed OWA expired password pages on an InfinityFree domain. In April, Recorded Future discovered a spoofed Google password reset page in Portuguese, hosted on a free apex domain from Byet Internet Services. APT28 abused Ngrok's free service to connect servers behind a firewall to a proxy server and expose that server to the internet without changing firewall rules. APT28's ability to adapt its infrastructure and rebrand credential-harvesting pages suggests it will continue to abuse free hosting, tunneling, and link-shortening services to reduce operational costs and obscure attribution. Recently, APT28 exploited CVE-2026-21509, a recently patched vulnerability in multiple versions of Microsoft Office. The attacks involved malicious DOC files themed around EU COREPER consultations in Ukraine and impersonated the Ukrainian Hydrometeorological Center. The malicious document triggers a WebDAV-based download chain that installs malware via COM hijacking, a malicious DLL (EhStoreShell.dll), shellcode hidden in an image file (SplashScreen.png), and a scheduled task (OneDriveHealth). The scheduled task execution leads to the termination and restart of the explorer.exe process, ensuring the loading of the EhStoreShell.dll file. This DLL executes shellcode from the image file, which launches the COVENANT software (framework) on the computer. COVENANT uses the Filen (filen.io) cloud storage service for command-and-control (C2) operations. APT28 used three more documents in attacks against various EU-based organizations, indicating that the campaign extends beyond Ukraine. APT28 has also been linked to the exploitation of CVE-2026-21513, a high-severity security feature bypass in the MSHTML Framework, as a zero-day before it was patched in February 2026. The vulnerability allows an attacker to bypass security features by manipulating browser and Windows Shell handling, leading to potential code execution. The group used a malicious Windows Shortcut (LNK) file that embeds an HTML file to exploit CVE-2026-21513, initiating communication with the domain wellnesscaremed[.]com. The exploit leverages nested iframes and multiple DOM contexts to manipulate trust boundaries, bypassing Mark-of-the-Web (MotW) and Internet Explorer Enhanced Security Configuration (IE ESC). The technique allows execution of malicious code outside the browser sandbox via ShellExecuteExW. The vulnerable code path can be triggered through any component embedding MSHTML, suggesting additional delivery mechanisms beyond LNK-based phishing should be expected. APT28, also known as Fancy Bear, Forest Blizzard, Strontium, and Sednit, has been using a custom variant of the open-source Covenant post-exploitation framework for long-term espionage operations. Since April 2024, APT28 has used two implants named BeardShell and Covenant in their attacks. BeardShell leverages the legitimate cloud storage service Icedrive for command-and-control (C2) communication and can execute PowerShell commands in a .NET runtime environment. BeardShell uses a unique obfuscation technique previously seen in Xtunnel, a network-pivoting tool that APT28 used in the 2010s. APT28 has modified the Covenant framework with deterministic implant identifiers tied to host characteristics, modified execution flow to evade behavioral detection, and new cloud-based communication protocols. Since July 2025, APT28 has used the Filen cloud provider with Covenant, previously using Koofr and pCloud services. Covenant is used as the primary implant, and BeardShell serves as the fallback tool. ESET believes that APT28's advanced malware development team returned to activity in 2024, giving the threat group new long-term espionage capabilities. The technical similarities with 2010-era malware indicate continuity in the threat group's development team. APT28 has been observed using a pair of implants dubbed BEARDSHELL and COVENANT to facilitate long-term surveillance of Ukrainian military personnel. The two malware families have been put to use since April 2024. APT28's malware arsenal consists of tools like BEARDSHELL and COVENANT, along with another program codenamed SLIMAGENT that's capable of logging keystrokes, capturing screenshots, and collecting clipboard data. SLIMAGENT was first publicly documented by the Computer Emergency Response Team of Ukraine (CERT-UA) in June 2025. SLIMAGENT has its roots in XAgent, another implant used by APT28 in the 2010s to facilitate remote control and data exfiltration. This is based on code similarities discovered between SLIMAGENT and previously unknown samples deployed in attacks targeting governmental entities in two European countries as far back as 2018. It's assessed that the 2018 artifacts and the 2024 SLIMAGENT sample originated from XAgent, with ESET's analysis uncovering overlaps in the keylogging between SLIMAGENT and an XAgent sample detected in the wild in late 2014. SLIMAGENT emits its espionage logs in the HTML format, with the application name, the logged keystrokes, and the window name in blue, red, and green, respectively. Also deployed in connection with SLIMAGENT is another backdoor referred to as BEARDSHELL that's capable of executing PowerShell commands on compromised hosts. It uses the legitimate cloud storage service Icedrive for command-and-control (C2). A noteworthy aspect of the malware is that it utilizes a distinctive obfuscation technique referred to as opaque predicate, which is also found in XTunnel (aka X-Tunnel), a network traversal and pivoting tool used by APT28 in the 2016 Democratic National Committee (DNC) hack. The tool provides a secure tunnel to an external C2 server. A third major piece of the threat actor's toolkit is COVENANT, an open-source .NET post-exploitation framework that has been "heavily" modified to support long-term espionage and to implement a new cloud-based network protocol that abuses the Filen cloud storage service for C2 since July 2025. Previously, APT28's COVENANT variant was said to have used pCloud (in 2023) and Koofr (in 2024-2025). This is not the first time the adversarial collective has embraced the dual-implant strategy. In 2021, Trellix revealed that APT28 deployed Graphite, a backdoor that employed OneDrive for C2, and PowerShell Empire in attacks targeting high-ranking government officials overseeing national security policy and individuals in the defense sector in Western Asia.

Timeline

  1. 09.01.2026 09:00 1 articles · 2mo ago

    APT28 targets organizations in Balkans, Middle East, and Central Asia

    APT28 conducted a credential-harvesting campaign targeting specific organizations in the Balkans, the Middle East, and Central Asia. The campaign involved phishing emails themed to match the intended targets and written in their native tongues. Victims were redirected to login pages mimicking legitimate online services after following links in the phishing emails. APT28 used regular hosted services rather than custom tools and infrastructure for their attacks. The targets included an IT integrator based in Uzbekistan, a European think tank, a military organization in North Macedonia, and scientists and researchers associated with a Turkish energy and nuclear research organization. The campaign was highly selective and consistent with GRU collection priorities, aligning with geopolitical, military, or strategic intelligence objectives.

    Show sources
    Open in new tab
  2. 17.12.2025 17:30 9 articles · 2mo ago

    APT28 conducts sustained credential-harvesting campaign targeting UKR[.]net users

    APT28 targeted Turkish renewable energy scientists with a climate change policy document from a real Middle Eastern think tank. The group used phishing emails themed to match their intended targets and written in the targets' native tongues. Victims were redirected to a login page mimicking a legitimate online service after following a link in a phishing email. APT28 used regular hosted services rather than custom tools and infrastructure for their attacks. The targets included an IT integrator based in Uzbekistan, a European think tank, a military organization in North Macedonia, and scientists and researchers associated with a Turkish energy and nuclear research organization. The campaign was highly selective and consistent with GRU collection priorities, aligning with geopolitical, military, or strategic intelligence objectives. APT28 has been targeting organizations associated with energy research, defense collaboration, and government communication in a new credential-harvesting campaign. The group used phishing pages impersonating Microsoft Outlook Web Access (OWA), Google, and Sophos VPN portals. Victims were redirected to legitimate domains after entering their credentials. APT28 relied heavily on free hosting and tunneling services such as Webhook.site, InfinityFree, Byet Internet Services, and Ngrok to host phishing content, capture user data, and manage redirections. In February 2025, APT28 deployed a Microsoft OWA phishing page and used the ShortURL link-shortening service for the first-stage redirection. The group employed a webhook relying on HTML to load a PDF lure document in the browser for two seconds before redirecting the victim to a second webhook hosting the spoofed OWA login page. In July, APT28 deployed a spoofed OWA login portal containing Turkish-language text and targeting Turkish scientists and researchers. In June, APT28 deployed a spoofed Sophos VPN password reset page hosted on InfinityFree infrastructure. In September, APT28 hosted two spoofed OWA expired password pages on an InfinityFree domain. In April, Recorded Future discovered a spoofed Google password reset page in Portuguese, hosted on a free apex domain from Byet Internet Services. APT28 abused Ngrok's free service to connect servers behind a firewall to a proxy server and expose that server to the internet without changing firewall rules. APT28's ability to adapt its infrastructure and rebrand credential-harvesting pages suggests it will continue to abuse free hosting, tunneling, and link-shortening services to reduce operational costs and obscure attribution. Recently, APT28 exploited CVE-2026-21509, a recently patched vulnerability in multiple versions of Microsoft Office. The attacks involved malicious DOC files themed around EU COREPER consultations in Ukraine and impersonated the Ukrainian Hydrometeorological Center. The malicious document triggers a WebDAV-based download chain that installs malware via COM hijacking, a malicious DLL (EhStoreShell.dll), shellcode hidden in an image file (SplashScreen.png), and a scheduled task (OneDriveHealth). The scheduled task execution leads to the termination and restart of the explorer.exe process, ensuring the loading of the EhStoreShell.dll file. This DLL executes shellcode from the image file, which launches the COVENANT software (framework) on the computer. COVENANT uses the Filen (filen.io) cloud storage service for command-and-control (C2) operations. APT28 used three more documents in attacks against various EU-based organizations, indicating that the campaign extends beyond Ukraine. APT28 has also been linked to the exploitation of CVE-2026-21513, a high-severity security feature bypass in the MSHTML Framework, as a zero-day before it was patched in February 2026. The vulnerability allows an attacker to bypass security features by manipulating browser and Windows Shell handling, leading to potential code execution. The group used a malicious Windows Shortcut (LNK) file that embeds an HTML file to exploit CVE-2026-21513, initiating communication with the domain wellnesscaremed[.]com. The exploit leverages nested iframes and multiple DOM contexts to manipulate trust boundaries, bypassing Mark-of-the-Web (MotW) and Internet Explorer Enhanced Security Configuration (IE ESC). The technique allows execution of malicious code outside the browser sandbox via ShellExecuteExW. The vulnerable code path can be triggered through any component embedding MSHTML, suggesting additional delivery mechanisms beyond LNK-based phishing should be expected. APT28, also known as Fancy Bear, Forest Blizzard, Strontium, and Sednit, has been using a custom variant of the open-source Covenant post-exploitation framework for long-term espionage operations. Since April 2024, APT28 has used two implants named BeardShell and Covenant in their attacks. BeardShell leverages the legitimate cloud storage service Icedrive for command-and-control (C2) communication and can execute PowerShell commands in a .NET runtime environment. BeardShell uses a unique obfuscation technique previously seen in Xtunnel, a network-pivoting tool that APT28 used in the 2010s. APT28 has modified the Covenant framework with deterministic implant identifiers tied to host characteristics, modified execution flow to evade behavioral detection, and new cloud-based communication protocols. Since July 2025, APT28 has used the Filen cloud provider with Covenant, previously using Koofr and pCloud services. Covenant is used as the primary implant, and BeardShell serves as the fallback tool. ESET believes that APT28's advanced malware development team returned to activity in 2024, giving the threat group new long-term espionage capabilities. The technical similarities with 2010-era malware indicate continuity in the threat group's development team. APT28 has been observed using a pair of implants dubbed BEARDSHELL and COVENANT to facilitate long-term surveillance of Ukrainian military personnel. The two malware families have been put to use since April 2024. APT28's malware arsenal consists of tools like BEARDSHELL and COVENANT, along with another program codenamed SLIMAGENT that's capable of logging keystrokes, capturing screenshots, and collecting clipboard data. SLIMAGENT was first publicly documented by the Computer Emergency Response Team of Ukraine (CERT-UA) in June 2025. SLIMAGENT has its roots in XAgent, another implant used by APT28 in the 2010s to facilitate remote control and data exfiltration. This is based on code similarities discovered between SLIMAGENT and previously unknown samples deployed in attacks targeting governmental entities in two European countries as far back as 2018. It's assessed that the 2018 artifacts and the 2024 SLIMAGENT sample originated from XAgent, with ESET's analysis uncovering overlaps in the keylogging between SLIMAGENT and an XAgent sample detected in the wild in late 2014. SLIMAGENT emits its espionage logs in the HTML format, with the application name, the logged keystrokes, and the window name in blue, red, and green, respectively. Also deployed in connection with SLIMAGENT is another backdoor referred to as BEARDSHELL that's capable of executing PowerShell commands on compromised hosts. It uses the legitimate cloud storage service Icedrive for command-and-control (C2). A noteworthy aspect of the malware is that it utilizes a distinctive obfuscation technique referred to as opaque predicate, which is also found in XTunnel (aka X-Tunnel), a network traversal and pivoting tool used by APT28 in the 2016 Democratic National Committee (DNC) hack. The tool provides a secure tunnel to an external C2 server. A third major piece of the threat actor's toolkit is COVENANT, an open-source .NET post-exploitation framework that has been "heavily" modified to support long-term espionage and to implement a new cloud-based network protocol that abuses the Filen cloud storage service for C2 since July 2025. Previously, APT28's COVENANT variant was said to have used pCloud (in 2023) and Koofr (in 2024-2025). This is not the first time the adversarial collective has embraced the dual-implant strategy. In 2021, Trellix revealed that APT28 deployed Graphite, a backdoor that employed OneDrive for C2, and PowerShell Empire in attacks targeting high-ranking government officials overseeing national security policy and individuals in the defense sector in Western Asia.

    Show sources
    Open in new tab
  3. 16.12.2025 14:27 5 articles · 2mo ago

    APT44 targets Western critical infrastructure with misconfigured network edge devices

    The campaign targeted critical organizations in North America, Europe, and the Middle East, with a notable focus on the energy sector. Attackers targeted enterprise routers, routing infrastructure, VPN concentrators, network management appliances, collaboration platforms, and cloud-based project management systems. The shift toward targeting misconfigured network edge devices began gradually between 2021 and 2025. In 2021, the threat cluster exploited WatchGuard flaw CVE-2022-26318. Between 2022 and 2023, threat actors targeted Confluence vulnerabilities CVE-2021-26084 and CVE-2023-22518. In 2024, attackers targeted Veeam flaw CVE-2023-27532. The primary credential extraction mechanism appeared to be packet capture and traffic analysis. Amazon identified and notified customers with compromised network appliances, enabled remediation of compromised EC2 resources, shared intelligence with partners and affected vendors, and reported observations to network appliance vendors.

    Show sources
    Open in new tab
  4. 29.08.2025 16:22 2 articles · 6mo ago

    Amazon disrupts APT29 watering hole campaign targeting Microsoft device code authentication

    The campaign targeted Microsoft 365 accounts and data. APT29 has previously targeted European embassies, Hewlett Packard Enterprise, and TeamViewer. Amazon's threat intelligence team discovered the domain names used in the watering hole campaign. The campaign used a cookie-based system to prevent the same user from being redirected multiple times. Amazon isolated the EC2 instances used by the threat actor and partnered with Cloudflare and Microsoft to disrupt the identified domains. APT29 attempted to move its infrastructure to another cloud provider and registered new domain names. The campaign reflects an evolution in APT29's technical approach, no longer relying on domains that impersonate AWS or social engineering attempts to bypass multi-factor authentication (MFA).

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Malicious Go Crypto Module Exploits Namespace Confusion to Deploy Rekoobe Backdoor

A malicious Go module named github[.]com/xinfeisoft/crypto impersonates the legitimate "golang.org/x/crypto" codebase to steal passwords and deploy the Rekoobe Linux backdoor. The module exploits namespace confusion to inject malicious code that exfiltrates secrets entered via terminal password prompts and executes a shell script that creates persistent access via SSH and loosens firewall restrictions. The campaign targets high-value boundaries like ReadPassword() and uses GitHub Raw as a rotating pointer for infrastructure rotation. The package remains listed on pkg.go.dev but has been blocked by the Go security team. The Rekoobe backdoor, known since 2015, is capable of receiving commands to download more payloads, steal files, and execute a reverse shell. It has been used by Chinese nation-state groups like APT31.

Open in new tab

UNC2814 Campaign Targeting Telecom and Government Networks

A suspected Chinese threat actor, tracked as UNC2814, has conducted a global espionage campaign since at least 2017, targeting telecom and government networks. The campaign has impacted 53 organizations in 42 countries, with suspected infections in at least 20 more. The actor deployed a new C-based backdoor named GRIDTIDE, which abuses the Google Sheets API for command-and-control (C2) operations. The initial access vector is unknown, but previous exploits involved flaws in web servers and edge systems. GRIDTIDE performs host reconnaissance and supports commands for executing bash commands, uploading, and downloading files. Google, Mandiant, and partners disrupted the campaign by terminating associated Google Cloud projects and disabling known infrastructure. Organizations impacted by GRIDTIDE were notified, and support was offered to clean the infections. Google expects UNC2814 to resume activity using new infrastructure in the near future.

Open in new tab

Infostealer Malware Targets OpenClaw Configuration Files

Infostealer malware has been observed stealing OpenClaw configuration files containing API keys, authentication tokens, and other sensitive secrets. This marks the first known instance of such attacks targeting the popular AI assistant framework. The stolen data includes configuration details, authentication tokens, and persistent memory files, which could enable full compromise of the victim's digital identity. The malware, identified as a variant of the Vidar infostealer, executed a broad file-stealing routine that scanned for sensitive keywords. Researchers predict increased targeting of OpenClaw as it becomes more integrated into professional workflows. Additionally, security issues with OpenClaw have prompted the maintainers to partner with VirusTotal to scan for malicious skills uploaded to ClawHub, establish a threat model, and add the ability to audit for potential misconfigurations.

Open in new tab

Vulnerabilities in Cloud-Based Password Managers Enable Full Vault Compromise

Researchers from ETH Zurich and USI discovered 27 vulnerabilities in Bitwarden, LastPass, Dashlane, and 1Password that could allow attackers to view and modify stored passwords. The flaws challenge the 'zero-knowledge encryption' claims of these services, with attacks ranging from integrity violations to complete vault compromise. The vulnerabilities were disclosed to the vendors, and remediation is underway. The researchers developed attack scenarios exploiting key escrow, vault encryption, sharing, and backwards compatibility features. Bitwarden was found to have a critical flaw in its organization onboarding process, allowing malicious auto-enrolment attacks. 1Password's use of a high-entropy cryptographic key provides it with a security advantage. Dashlane patched a downgrade attack vulnerability in November 2025. Bitwarden is addressing seven issues and accepting three as intentional design decisions. LastPass is working to enhance integrity guarantees.

Open in new tab

Lotus Blossom Hacking Group Exploits Notepad++ Hosting Breach to Deploy Chrysalis Backdoor

The China-linked Lotus Blossom hacking group exploited a hosting provider breach to deliver a previously undocumented backdoor, Chrysalis, to Notepad++ users. The attack, which occurred between June and December 2025, involved hijacking update traffic and exploiting insufficient update verification controls in older versions of the software. The group used a multi-layered shellcode loader and integrated undocumented system calls to enhance stealth and resilience. The breach was discovered and mitigated in December 2025, with Notepad++ migrating to a new hosting provider and rotating all credentials. The Chrysalis backdoor is a feature-rich implant capable of gathering system information, executing commands, and maintaining persistence. It communicates with a command-and-control (C2) server to receive additional instructions. The C2 server is currently offline, but the malware's capabilities suggest ongoing development and adaptation by the threat actor.

Open in new tab