Threat Actor Dossier · CRITICAL

APT28 / Fancy Bear

FROZENLAKE, Forest Blizzard, Blue Delta, Sofacy, Pawn Storm, Unit 26165, STRONTIUM

Attribution: CONFIRMED · GRU Unit 26165 — Main Intelligence Directorate of the General Staff, Russian Ministry of Defence
Threat level: CRITICAL
MITRE: G0007
Active since: 2007-01-01
Last activity: 2026-04-01

Long-duration cyber espionage. Intelligence collection against governments, military, diplomatic, and high-value commercial targets. Support of Russian foreign policy objectives. Disruption of Western logistics and technology supply chains supporting Ukraine.

Swiss Financial Sector Relevance

Habib Bank AG Zurich compromised 2024 (2.5TB data exfil). WEF 2025 DDoS campaign against Swiss private banks and cantonal authorities. Swiss financial sector explicitly in active target set per 2025 CISA/NCSC advisory. Swiss BWL and pharma procurement data assessed as collection priority.

Tools, Implants & Mechanisms

Tool | Type | MITRE | Description

XTunnel / X-Tunnel | C2 proxy | T1043
  Proxy tool enabling real-time bidirectional communication between victim and C2. Used to relay traffic through compromised endpoints, masking C2 origin.
NotDoor | backdoor | T1059.001
  Outlook-focused two-stage VBA backdoor. Designed for long-term email intelligence collection. Used alongside CovenantGrunt in 2026 filen.io C2 campaign.
ADVSTORESHELL (Swiss-observed) | implant | T1059
  Modular backdoor providing file upload/download, command execution, and registry key manipulation. Deployed via spear-phishing with weaponised Office documents.
CHOPSTICK | implant | T1071
  Modular HTTP/HTTPS implant used since 2014 for C2 with flexible sleep intervals and task queues. Compatible with compromised MikroTik routers as proxy infrastructure.
XAgent / Sofacy (Swiss-observed) | implant | T1569.002
  Modular backdoor with separate components for file system, keylogger, screenshots, network enumeration, and C2. Cross-platform variants for Windows, Linux, macOS, iOS. Used since 2007 for sustained access to high-value targets.
Zebrocy (Swiss-observed) | implant | T1566
  Delphi and GoLang variants used in spear-phishing campaigns against government and diplomatic targets. Functionality includes file enumeration, keystroke capture, and file exfiltration.
LAMEHUG | malware | T1059
  Novel implant identified 2025. First known LLM-powered malware with links to APT28. Capable of autonomous command generation from threat-intelligence context. Identified by Cato CTRL and ESET.
LoJax | rootkit | T1542.001
  First UEFI firmware rootkit observed in the wild. Modifies UEFI firmware to maintain persistence across OS reinstalls. Highly sophisticated.
Cannon | trojan | T1566
  Lightweight spear-phishing trojan targeting government and military email accounts. Communicates via HTTPS to avoid detection.
Responder / NetBIOS Poisoning (Swiss-observed) | utility | T1016
  Network credential harvesting via LLMNR/NBT-NS poisoning. Captures NTLM hashes from legitimate network authentication attempts.

C2 Architecture & Known Indicators

Indicator | Type | Role | ASN / Country | Confidence | Notes

filen.io | domain | C2 | AS206628 · DE | HIGH
  Legitimate cloud storage abused as C2 channel in 2026 campaign. HTTPS traffic to filen.io API appears as normal cloud activity.
accesscam[.]org | domain | C2 | AS39608 · RU | HIGH
  Corrected C2 domain per April 2026 CISA advisory v1.1.
giize[.]com | domain | C2 | AS39608 · RU | HIGH
  Corrected C2 domain per April 2026 CISA advisory v1.1.
185.234.72.x/24 | ip | C2 | AS206628 · NL | MEDIUM
  VPS range used for credential harvesting. Rotated Q3 2024.
BEGAN Hosting | asn | hosting | AS12345 · RU | CONFIRMED
  Identified as APT28 preferred hosting provider across multiple campaigns.
194.165.16.x/24 | ip | redirector | AS198571 · RU | HIGH
  Long-duration redirector across multiple campaigns. Compromised MikroTik router network.
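As an added defender-side example (not part of the ThreatDesk page), the following Python refangs the domains in the table above, reads the page's "x/24" shorthand as a /24 network, and matches constructed proxy log lines (an assumed "timestamp src dst host" format) against both sets. Hits on filen.io need baselining against legitimate use in the environment before they are treated as alerts.

```python
import ipaddress, re

# Indicators copied from the dossier table above. Defanged domains are
# refanged; "185.234.72.x/24" is read as the network 185.234.72.0/24.
DOSSIER_DOMAINS = {"filen.io": "C2 (legitimate cloud; needs baselining)",
                   "accesscam[.]org": "C2", "giize[.]com": "C2"}
DOSSIER_NETWORKS = {"185.234.72.x/24": "C2 VPS range",
                    "194.165.16.x/24": "redirector"}

def refang(domain):
    return domain.replace("[.]", ".").lower()   # 'a[.]org' -> 'a.org'

def parse_network(spec):
    host, prefix = spec.split("/")               # '185.234.72.x/24'
    octets = ["0" if o == "x" else o for o in host.split(".")]
    return ipaddress.ip_network(".".join(octets) + "/" + prefix, strict=False)

DOMAINS = {refang(d): note for d, note in DOSSIER_DOMAINS.items()}
NETWORKS = [(parse_network(n), note) for n, note in DOSSIER_NETWORKS.items()]
# Constructed (assumed) log format: "<timestamp> <src_ip> <dst_ip> <sni_or_host>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def classify(line):
    # Returns (indicator, note) when the line touches a dossier indicator.
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _ts, _src, dst, host = m.groups()
    host = host.lower()
    for dom, note in DOMAINS.items():        # exact or subdomain match
        if host == dom or host.endswith("." + dom):
            return dom, note
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return None
    for net, note in NETWORKS:               # CIDR containment
        if addr in net:
            return str(net), note
    return None

def scan(lines):
    """Return [(line, (indicator, note)), ...] for every matching line."""
    return [(line, hit) for line in lines if (hit := classify(line))]

# Constructed sample lines, not real telemetry.
SAMPLE_LOG = [
    "2026-04-01T09:12:03Z 10.0.0.15 203.0.113.10 api.filen.io",
    "2026-04-01T09:14:11Z 10.0.0.15 185.234.72.200 -",
    "2026-04-01T09:15:40Z 10.0.0.22 198.51.100.7 www.example.com",
    "2026-04-01T09:16:02Z 10.0.0.22 194.165.16.33 cdn.giize.com",
]
```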

Documented Operations & Timing

2026 Cloud C2 Campaign (filen.io)
  Period: 2026-01-01 → Present
  Sectors: Government, Defence, Diplomatic
  Targets: Ukrainian government agencies, EU diplomatic institutions
  Objective: Sustained intelligence collection from EU and Ukrainian government networks using legitimate cloud as cover
  TTPs: CVE-2026-21509 weaponisation within 24hrs, NotDoor Outlook backdoor, CovenantGrunt on filen.io

WEF 2025 Disruption Campaign
  Period: 2025-01-19 → 2025-01-24
  Sectors: Finance, Government
  Targets: Swiss private banks, cantonal government portals, WEF-affiliated sites
  Objective: Disrupt WEF 2025 operations; signal Russian capability to Swiss financial sector
  TTPs: DDoS (volumetric), website defacement attempts, credential phishing
  ● Swiss Link

BlueDelta European Espionage Wave
  Period: 2024-06-01 → 2024-12-31
  Sectors: Government, Finance, Technology
  Targets: EU government networks, Swiss financial institutions, Ukrainian border crossings
  Objective: Intelligence collection on EU policy positions, financial sector access, border security data
  TTPs: Password spraying, spear-phishing, Microsoft Exchange mailbox permission modification
  ● Swiss Link

Habib Bank AG Zurich Exfiltration
  Period: 2024-03-01 → 2024-06-01
  Sectors: Finance (Private Banking)
  Targets: Habib Bank AG Zurich — Swiss private bank, CHF-denominated client base, Middle East/South Asia remittance flows
  Objective: Steal client records, transaction data, internal systems source code. Assess client list for intelligence value.
  TTPs: Supply chain compromise, internal credential theft, data staging before exfiltration
  ● Swiss Link

Unit 26165 Evolution 2022–2026
  Period: 2022-03-01 → 2026-04-01
  Sectors: Military, Government, Technology
  Targets: Global; logistics and technology added post-Ukraine invasion
  Objective: Diversified from pure espionage to include disruptive capability signalling; faster exploitation cycle (24hr from CVE to in-wild weaponisation)
  TTPs: Expanded targeting to include Western logistics and supply chain for Ukraine support; LAMEHUG LLM integration; cloud C2 pivot
  ● Swiss Link

Swiss Financial Sector Doctrine Assessment
  Period: 2022-01-01 → Present
  Sectors: Finance (Private Banking, Asset Management)
  Targets: Swiss private banks (client confidentiality jurisdiction value), pharmaceutical R&D, commodity trading firms, government IT vendors
  Objective: Client data for Russian intelligence value; pharmaceutical IP for commercial advantage; government IT for access to classified networks via trusted vendor paths
  TTPs: Spear-phishing of finance department and IT admin staff; watering hole attacks on financial press; supply chain via IT vendor compromise
  ● Swiss Link

Global Brute Force Campaign
  Period: 2019-01-01 → 2025-12-31
  Sectors: Government, Defence, Technology
  Targets: Exposed VPN and email portals globally; M365 accounts; edge routers
  Objective: Long-duration access to Western government and defence contractor networks
  TTPs: Large-scale password spraying, credential stuffing, router exploitation (MooBot botnet)
  ● Swiss Link

MITRE ATT&CK Technique Coverage

Initial Access: T1566 Phishing · T1566.001 Attachment · T1566.002 Link · T1192 Substitute
Execution: T1059 Cmd/Script · T1059.001 PowerShell · T1059.003 Windows Cmd · T1106 Native API
Persistence: T1053 Scheduled Task · T1546 Event Subscription · T1542.001 UEFI Firmware · T1098 Account Manipulation
Privilege Escalation: T1068 Exploitation · T1548 Abuse Elevation · T1484 Domain Policy
Defense Evasion: T1027 Obfuscation · T1070.004 Log Deletion · T1078 Valid Accounts · T1562 Impair Defenses
Credential Access: T1110 Password Spray · T1003 OS Credential Dump · T1056 Keylogging · T1041 NetBIOS Poison
Lateral Movement: T1078 Valid Accounts · T1021 Remote Services · T1570 Lateral Tool Transfer
Command & Control: T1071 App Layer · T1043 DNS Tunnel · T1090 Proxy/Relay · T1104 Multi-Stage
Exfiltration: T1041 Exfil C2 · T1074 Data Staging · T1567 Exfil Web

Actor Structure & Operational Change

GRU Unit 26165 has demonstrated consistent operational evolution over 17+ years of documented activity. The unit sits within the Russian Ministry of Defence's Main Intelligence Directorate and is responsible for the most technically sophisticated cyber operations attributed to Russian state actors.

2022 – present: Post-Ukraine invasion, Unit 26165 expanded its target set from pure espionage to include Western logistics and technology supply chains. Attribution confidence increased dramatically following coordinated Western government disclosures — ANSSI (France), NCSC (UK), BfV/BSI/BND (Germany), BSI (Switzerland), and CISA/FBI/NSA (US) all published technical advisories in 2024–2025, providing rare multi-government attribution of the same infrastructure and TTPs.

2024 – MooBot pivot: Demonstrated operational pragmatism by repurposing a pre-existing criminal botnet (MooBot/MikroTik) for state espionage purposes rather than building bespoke infrastructure. 2024 DOJ action disrupted the botnet, though re-establishment is assessed as likely.

2026 – LAMEHUG and cloud C2: First documented use of LLM-augmented malware in the wild. The pivot to legitimate cloud services (filen.io) as C2 channels represents a fundamental shift — the infrastructure cannot be taken down without collateral disruption to legitimate users.

Assessment: Unit 26165 operates with increasing technical ambition and decreasing operational caution. Capability ceiling continues to rise. Swiss financial sector remains in active target set — high-value intelligence collection combined with potential for disruption signalling.