
Russia's 'Fancy Bear' APT Continues Its Global Onslaught

Why This Matters

Fancy Bear, a Russian state-sponsored cyber-espionage group, continues to pose a significant threat to global security through sophisticated attacks targeting governments, defense supply chains, and critical infrastructure. Its persistent operations and evolving tactics underscore the importance of robust cybersecurity measures for organizations worldwide.

Key Takeaways

New research from Trend Micro highlights the immense reach of Fancy Bear, also known as APT28 and Forest Blizzard.

Fancy Bear is a cyber-espionage group believed to operate at the behest of Russian military intelligence. It has been active since the mid-2000s, targeting a wide range of governments and organizations in line with Russian geopolitical interests. Fancy Bear has previously been accused of destructive attacks against Ukrainian critical infrastructure as well as other foreign government targets, and it was also linked to interference in the 2016 US election.

The group is known for tried-and-true initial access campaigns involving social engineering and phishing as well as sophisticated credential theft campaigns involving critical vulnerabilities, including zero-days.

Trend Micro published two pieces of research relating to the threat group in recent weeks. On March 26, the security vendor said the actor (which it refers to as Pawn Storm) has been using a collection of malware components known as "Prismex" to target the defense supply chain of Ukraine and its allies, including the Czech Republic, Poland, Romania, Slovakia, Slovenia, and Turkey.


The security vendor followed this up with another blog post on April 3, dedicated to Pawn Storm's use of NTLMv2 hash relay attacks, carried out through several different methods, against a wide range of global targets between April 2022 and November 2023. In these attacks, Pawn Storm intercepted the authentication messages exchanged between a victim and a target system and forwarded them, obtaining a valid login without ever learning the user's password.
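A toy model of the challenge/response exchange that a relay abuses, added here as an illustration and not code from the article or from Trend Micro's research. The user name, domain, password and messages are constructed, the NT hash step substitutes SHA-256 for MD4 (an assumption noted in the code), and the signature format is simplified. The point it shows is why a relay obtains a valid login without holding the password, and why requiring session signing, which needs a key derived from the credential, leaves the relayed session unusable.

```python
"""Toy NTLMv2 exchange: client, server and a relay in one process.

Constructed example for illustration. Not protocol-accurate in every detail.
"""
import hashlib
import hmac
import secrets

# ASSUMPTION: real NTLM computes the NT hash as MD4(UTF16LE(password)). hashlib's
# MD4 is often unavailable under OpenSSL 3, so a truncated SHA-256 stands in here.
def nt_hash(password: str) -> bytes:
    return hashlib.sha256(password.encode("utf-16-le")).digest()[:16]


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UTF16LE(UPPER(user) + domain))."""
    key = nt_hash(password)
    return hmac.new(key, (user.upper() + domain).encode("utf-16-le"), "md5").digest()


def nt_proof(ntowf: bytes, server_challenge: bytes, client_blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || client blob)."""
    return hmac.new(ntowf, server_challenge + client_blob, "md5").digest()


def session_base_key(ntowf: bytes, proof: bytes) -> bytes:
    """SessionBaseKey = HMAC-MD5(NTOWFv2, NTProofStr). Only a party holding the
    credential can derive it; message signing builds on this key."""
    return hmac.new(ntowf, proof, "md5").digest()


def sign(key: bytes, message: bytes) -> bytes:
    # Simplified signature: truncated HMAC-MD5 (not the exact NTLMSSP layout).
    return hmac.new(key, message, "md5").digest()[:8]


class Server:
    """Holds one user's NTOWFv2 and optionally requires signed messages."""

    def __init__(self, user, domain, password, require_signing):
        self.credential = ntowf_v2(password, user, domain)
        self.require_signing = require_signing
        self.sessions = {}  # challenge -> session key, once the proof verified

    def challenge(self) -> bytes:
        return secrets.token_bytes(8)

    def authenticate(self, challenge: bytes, blob: bytes, proof: bytes) -> bool:
        expected = nt_proof(self.credential, challenge, blob)
        if not hmac.compare_digest(expected, proof):
            return False
        self.sessions[challenge] = session_base_key(self.credential, proof)
        return True

    def handle(self, challenge: bytes, message: bytes, signature: bytes) -> bool:
        """Accept a command on an authenticated session. With signing required,
        the sender must prove it holds the session key."""
        key = self.sessions.get(challenge)
        if key is None:
            return False
        if self.require_signing:
            return hmac.compare_digest(sign(key, message), signature)
        return True


class Client:
    """Knows the password and answers whatever challenge it is handed."""

    def __init__(self, user, domain, password):
        self.ntowf = ntowf_v2(password, user, domain)

    def respond(self, challenge: bytes):
        blob = secrets.token_bytes(16)  # stands in for the timestamp/nonce blob
        proof = nt_proof(self.ntowf, challenge, blob)
        return blob, proof, session_base_key(self.ntowf, proof)


USER, DOMAIN, PASSWORD = "jdoe", "CONSTRUCTED", "constructed-password"  # constructed


def direct_login(require_signing: bool) -> bool:
    """Legitimate client talking straight to the server."""
    server = Server(USER, DOMAIN, PASSWORD, require_signing)
    client = Client(USER, DOMAIN, PASSWORD)
    ch = server.challenge()
    blob, proof, key = client.respond(ch)
    if not server.authenticate(ch, blob, proof):
        return False
    msg = b"list shares"
    return server.handle(ch, msg, sign(key, msg))


def relayed_login(require_signing: bool) -> bool:
    """A relay forwards the server's challenge to the client and the client's
    proof back to the server. The proof verifies, so authentication succeeds
    without the relay learning the password. Because the relay holds no
    credential it cannot derive the session key, so it can only guess a signature."""
    server = Server(USER, DOMAIN, PASSWORD, require_signing)
    client = Client(USER, DOMAIN, PASSWORD)
    ch = server.challenge()                        # relay's session with the real server
    blob, proof, _client_key = client.respond(ch)  # same challenge, handed to the client
    if not server.authenticate(ch, blob, proof):   # proof forwarded unchanged
        return False
    return server.handle(ch, b"list shares", secrets.token_bytes(8))


if __name__ == "__main__":
    print("direct login, signing required: ", direct_login(True))
    print("relayed login, signing off:      ", relayed_login(False))
    print("relayed login, signing required: ", relayed_login(True))
```

The two relay cases differ only in the server's signing policy: the proof is accepted either way, which is the whole appeal of the technique, but with signing required the relayed session cannot issue a single accepted command. That is the same reason SMB and LDAP signing, and channel binding for HTTP, are the standard mitigations against credential relay.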

Between these campaigns and APT28's alleged router attacks reported by governments around the world, APT28's influence remains unmistakable. While many threat clusters come and go — or at least morph — Fancy Bear has remained relevant over the past 10 years.

Two Fancy Bear Campaigns

Prismex leverages multiple Windows vulnerabilities, Trend Micro said in its late March blog post, including "a confirmed Windows zero-day," CVE-2026-21513, as well as the Microsoft Office bug CVE-2026-21509. The campaign described in the blog dates back to at least September 2025 but picked up steam in January of this year.

"Prismex combines advanced steganography, component object model (COM) hijacking, and legitimate cloud service abuse for command and control," the blog read. The malware includes both espionage and sabotage capabilities, the latter including wiper commands. This matches the more recent MO of APT28, which has combined espionage with more destructive threat activity.
