New research from Trend Micro highlights the immense reach of Fancy Bear, also known as APT28 and Forest Blizzard.
Fancy Bear is a cyber-espionage group believed to be operating at the behest of Russian military intelligence. The group has been operating since the mid-2000s, targeting a wide range of governments and organizations in line with Russian geopolitical interests. Fancy Bear has previously been accused of destructive attacks against Ukrainian critical infrastructure as well as other foreign government targets. It was also attributed to US election interference in 2016.
The group is known for tried-and-true initial access campaigns involving social engineering and phishing as well as sophisticated credential theft campaigns involving critical vulnerabilities, including zero-days.
Trend Micro published two pieces of research relating to the threat group in recent weeks. On March 26, the security vendor said the actor (which it refers to as Pawn Storm) has been using a collection of malware components known as “Prismex” to target the defense supply chain of Ukraine and its allies, including the Czech Republic, Poland, Romania, Slovakia, Slovenia, and Turkey.
The security vendor followed this up with another blog post on April 3, dedicated to Pawn Storm’s use of NTLMv2 hash relay attacks through different methods against a wide range of global targets between April 2022 and November 2023. In these attacks, Pawn Storm captured a user’s NTLMv2 authentication exchange and relayed it to another system, authenticating as that user without ever needing the user’s actual password.
Between these campaigns and APT28’s alleged router attacks reported by governments around the world, APT28’s influence remains unmistakable. While many threat clusters come and go — or at least morph — Fancy Bear has remained relevant over the past 10 years.
Two Fancy Bear Campaigns
Prismex leverages multiple Windows vulnerabilities, Trend Micro said in its late March blog post, including “a confirmed Windows zero-day” in CVE-2026-21513 as well as Microsoft Office bug CVE-2026-21509. The campaign described in the blog went at least as far back as September 2025 but picked up steam in January of this year.
“Prismex combines advanced steganography, component object model (COM) hijacking, and legitimate cloud service abuse for command and control,” the blog read. The malware includes both espionage and sabotage capabilities, the latter including wiper commands. This matches the more recent MO of APT28, which has encompassed both espionage and more destructive threat activity.
Then there are the NTLMv2 hash relay attacks. For these, APT28 leveraged the critical (since patched) Outlook vulnerability CVE-2023-23397. The attacker would send a malicious calendar invite via a .msg file, which would trigger the vulnerable API endpoint. “When the victim connects to the attacker’s SMB server, the connection to the remote server sends the user’s NTLM protocol negotiation message containing the user’s Net-NTLMv2 hash, which the attacker can use for authentication against other systems that support NTLM authentication,” Trend Micro said.
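As an added defender-side illustration (not code from Trend Micro or this article), two checks for the CVE-2023-23397 path just described: one flags a calendar reminder sound path that points off-host rather than at a local file (the reminder-file property in a .msg, named PidLidReminderFileParameter, is an assumption here, not something the article states), and the other flags outbound SMB from internal hosts to non-RFC1918 addresses in constructed firewall log lines, which is the moment the Net-NTLMv2 hash would leave the network.

```python
import ipaddress
import re

# Constructed firewall log lines (not from the article):
# timestamp action proto src dst dport
SAMPLE_LOGS = """\
2024-05-02T10:14:03Z allow tcp 10.20.1.55 10.20.0.9 445
2024-05-02T10:14:09Z allow tcp 10.20.1.55 203.0.113.42 445
2024-05-02T10:15:11Z allow tcp 10.20.1.77 198.51.100.8 443
2024-05-02T10:16:40Z allow tcp 10.20.1.91 203.0.113.42 139
2024-05-02T10:17:02Z allow udp 10.20.1.91 10.20.0.2 53
"""

LOG_RE = re.compile(r"^(\S+) (\w+) (tcp|udp) (\S+) (\S+) (\d+)$")
SMB_PORTS = {445, 139}  # ports on which a Windows client sends its NTLM negotiate message
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# \\host\share\file  or  \\host@80\dav\file (WebDAV fallback when SMB is blocked)
UNC_RE = re.compile(r"^\\\\([^\\@]+)(@\w+)?\\")


def is_remote_reminder_path(path: str) -> bool:
    """True if a reminder-sound path (assumed: PidLidReminderFileParameter in the .msg)
    points at a remote host, i.e. a UNC or WebDAV-style path rather than a local file.
    A local path such as C:\\Windows\\Media\\notify.wav is benign."""
    return UNC_RE.match(path.replace("/", "\\")) is not None


def outbound_smb_alerts(log_text: str) -> list[dict]:
    """Flag SMB connections from internal (RFC1918) hosts to addresses outside those
    ranges. Blocking or alerting on this is the standard network-side mitigation."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the constructed format
        ts, _action, proto, src, dst, dport = m.groups()
        if proto != "tcp" or int(dport) not in SMB_PORTS:
            continue
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        src_internal = any(src_ip in net for net in INTERNAL_NETS)
        dst_internal = any(dst_ip in net for net in INTERNAL_NETS)
        if src_internal and not dst_internal:
            alerts.append({"time": ts, "src": src, "dst": dst, "port": int(dport),
                           "reason": "outbound SMB to external host (possible NTLM leak)"})
    return alerts


if __name__ == "__main__":
    for alert in outbound_smb_alerts(SAMPLE_LOGS):
        print(alert)
    print(is_remote_reminder_path(r"\\203.0.113.42\share\alert.wav"))
```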
Later in 2023, APT28 engaged in credential-targeting phishing campaigns against European government entities. It has also been observed engaging in other spear-phishing and brute-force credential attacks. To anonymize itself, APT28 leveraged VPNs, Tor, data center IP addresses, and compromised EdgeOS routers.
Feike Hacquebord, principal threat researcher at TrendAI, tells Dark Reading that although the research is based on findings from 2024, what is relevant to defenders today is that Pawn Storm’s old methodologies remain effective today. The DNS hijacking network technique, for example, is more than 20 years old.
“It tells us that Pawn Storm doesn’t shy away from old techniques when they are still effective,” Hacquebord says. “Another lesson here is that Pawn Storm targets not only high-profile entities like NATO and the ministries of defense of Western countries but also targets that might be perceived as smaller fish, such as local governments, governments of developing countries, or even smaller companies.”
On the heels of these two research reports, the FBI on Tuesday warned that Russia’s GRU, via Fancy Bear, has been exploiting routers to steal credentials from organizations worldwide. The agency singled out TP-Link routers compromised via CVE-2023-50224. Since at least 2024, GRU actors changed device settings to introduce attacker-controlled DNS resolvers and set up adversary-in-the-middle attacks against encrypted traffic if users navigated through a certificate error warning.
As part of this warning, the FBI said that in tandem with the US Department of Justice, it “recently disrupted a GRU network of compromised small-office home-office (SOHO) routers used to facilitate malicious DNS hijacking operations.”
The UK’s National Cyber Security Centre (NCSC) and other global partners shared similar warnings.
How Can a Defender Keep Up?
Targets in these campaigns included European and South American militaries, defense industry organizations around the world including in North America, energy sector organizations, and other critical infrastructure organizations worldwide.
“Although Pawn Storm has been active for two decades, it still retains its aggressiveness and determination to break into the networks and emails of high-profile targets around the world,” Trend Micro’s blog post read.
The big question, then, is how a defender is supposed to get ahead. Whether they’re a small organization or even a reasonably resourced government, it’s hard to match a 20-year-old APT leveraging the full weight of the GRU.
Denis Calderone, CTO and principal of Suzu Labs, tells Dark Reading that such a question assumes one has to match APT28’s level of sophistication, and the answer is, he says, “You don’t.” It’s worth remembering that much of the actor’s sophistication lies in what happens post-initial access, Calderone adds. Before that, it’s much of the same trickery security professionals see from anyone: phishing emails, ClickFix prompts, exploiting weak credentials, and so on. He advises focusing on the basics.
Multifactor authentication “stops password spraying. Patching [Microsoft] Office stops CVE-2026-21509. Updating router firmware and changing default credentials stops FrostArmada. Training users that a real CAPTCHA never asks you to open system tools stops ClickFix,” Calderone says. “Those are all achievable at any budget. The honest caveat is that if those basics fail and APT28 gets inside, a small org without dedicated security operations is going to have a very hard time catching them. That’s where managed detection services or sector-specific ISACs become critical.”
Vishal Agarwal, chief technology officer (CTO) of Averlon, says that even if a threat actor like Fancy Bear gets in, zero trust, least-privilege access, strong identity controls, and just-in-time access can limit how far and fast an attacker can move.
Echoing Calderone, Seemant Sehgal, founder and CEO of BreachLock, argued in favor of denying Fancy Bear the easy wins.
“Fancy Bear’s success isn’t magic; it’s built on exploiting exposed services, weak identity controls, and gaps that most organizations already know exist,” Sehgal says. “The organizations that hold up best aren’t necessarily the biggest or the best funded, but rather those that continuously reduce attack surface, enforce strong identity, and most importantly, wake up every morning assuming they’re already a target.”