Russia's 'Fancy Bear' APT Continues Its Global Onslaught
Victims don't need to match the cybercrime group's technical sophistication, experts say. But patching and some form of zero trust are now non-negotiable.
Alexander Culafi, Senior News Writer, Dark Reading
April 9, 2026
6 Min Read
New research from Trend Micro highlights the immense reach of Fancy Bear, also known as APT28 and Forest Blizzard.
Fancy Bear is a cyber-espionage group believed to be operating at the behest of Russian military intelligence. The group has been operating since the mid-2000s, targeting a wide range of governments and organizations in line with Russian geopolitical interests. Fancy Bear has previously been accused of destructive attacks against Ukrainian critical infrastructure as well as other foreign government targets. It was also attributed to US election interference in 2016.
The group is known for tried-and-true initial access campaigns involving social engineering and phishing as well as sophisticated credential theft campaigns involving critical vulnerabilities, including zero-days.
Trend Micro published two pieces of research relating to the threat group in recent weeks. On March 26, the security vendor said the actor (which it refers to as Pawn Storm) has been using a collection of malware components known as "Prismex" to target the defense supply chain of Ukraine and its allies, including the Czech Republic, Poland, Romania, Slovakia, Slovenia, and Turkey.
The security vendor followed this up with another blog post on April 3, dedicated to Pawn Storm's use of NTLMv2 hash relay attacks, carried out through different methods against a wide range of global targets between April 2022 and November 2023. In these attacks, Pawn Storm intercepted the victim's authentication exchange and forwarded it to a target system, capturing a login without ever needing the user's actual password.
Between these campaigns and the router attacks that governments around the world have attributed to APT28, the group's influence remains unmistakable. While many threat clusters come and go — or at least morph — Fancy Bear has remained relevant over the past 10 years.
Two Fancy Bear Campaigns
Prismex leverages multiple Windows vulnerabilities, Trend Micro said in its late March blog post, including "a confirmed Windows zero-day" in CVE-2026-21513 as well as Microsoft Office bug CVE-2026-21509. The campaign described in the blog went at least as far back as September 2025 but picked up steam in January of this year.
"Prismex combines advanced steganography, component object model (COM) hijacking, and legitimate cloud service abuse for command and control," the blog read. The malware includes both espionage and sabotage capabilities, the latter including wiper commands. This matches the more recent MO of APT28, which has combined espionage with more destructive threat activity.
Then there are the NTLMv2 hash relay attacks. For these, APT28 leveraged the critical (since patched) Outlook vulnerability CVE-2023-23397. The attacker would send a malicious calendar invite as a .msg file, which would trigger the vulnerable API endpoint. "When the victim connects to the attacker's SMB server, the connection to the remote server sends the user's NTLM protocol negotiation message containing the user's Net-NTLMv2 hash, which the attacker can use for authentication against other systems that support NTLM authentication," Trend Micro said.
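The leak Trend Micro describes only works if the victim host can reach an SMB server outside the network, which is why egress SMB is both the control to enforce and the signal to alert on. The following Python script, added here as an example and not code from Trend Micro or Dark Reading, parses a constructed firewall log (the column layout, the log lines, and the RFC 5737 documentation addresses standing in for external hosts are all assumptions) and flags TCP 445/139 connections from internal hosts to non-internal destinations; denied connections are skipped by default because a working egress block has already handled them.

```python
"""Flag outbound SMB connections from internal hosts to external addresses.

Added example, not Trend Micro's or Dark Reading's code. The log format and
every address below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample firewall log (not real traffic). Columns:
# timestamp action src dst dport proto. RFC 5737 documentation addresses
# (203.0.113.x, 192.0.2.x, 198.51.100.x) stand in for external hosts.
SAMPLE_LOG = """\
2023-05-01T09:12:03Z ALLOW 10.20.1.15 10.20.0.5 445 TCP
2023-05-01T09:12:07Z ALLOW 10.20.1.15 203.0.113.77 445 TCP
2023-05-01T09:12:09Z ALLOW 10.20.1.22 198.51.100.9 443 TCP
2023-05-01T09:13:41Z ALLOW 10.20.1.31 192.0.2.200 139 TCP
2023-05-01T09:14:02Z DENY 10.20.1.15 203.0.113.77 445 TCP
2023-05-01T09:15:10Z ALLOW 10.20.1.40 203.0.113.9 445 UDP
"""

SMB_PORTS = {445, 139}

# Ranges treated as "inside the network". ipaddress's is_private is deliberately
# not used: it also covers documentation and other special-purpose ranges.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


@dataclass(frozen=True)
class Alert:
    timestamp: str
    src: str
    dst: str
    dport: int
    action: str


def is_internal(ip_str: str) -> bool:
    """True if the address falls in one of the internal ranges above."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Return (ts, action, src, dst, dport, proto) or None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, action, src, dst, dport, proto = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return ts, action.upper(), src, dst, int(dport), proto.upper()
    except ValueError:
        return None


def find_outbound_smb(log_text: str, include_denied: bool = False) -> list:
    """Return alerts for TCP SMB connections from internal to external hosts."""
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ts, action, src, dst, dport, proto = rec
        if proto != "TCP" or dport not in SMB_PORTS:
            continue
        if not is_internal(src) or is_internal(dst):
            continue  # inbound traffic or purely internal file sharing
        if action == "DENY" and not include_denied:
            continue  # the egress block already did its job
        alerts.append(Alert(ts, src, dst, dport, action))
    return alerts


if __name__ == "__main__":
    for a in find_outbound_smb(SAMPLE_LOG):
        print(f"{a.timestamp} {a.src} -> {a.dst}:{a.dport} ({a.action})")
```

Run against the constructed log, the script reports the two allowed connections to external SMB ports; passing `include_denied=True` also surfaces the blocked attempt, which is useful for spotting a host that is repeatedly being coaxed into external SMB even when the perimeter holds.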
Later in 2023, APT28 engaged in credential-targeting phishing campaigns against European government entities. It has also been observed engaging in other spear-phishing and brute force credential attacks. To anonymize itself, APT28 leveraged VPNs, Tor, data center IP addresses, and compromised EdgeOS routers.
Feike Hacquebord, principal threat researcher at TrendAI, tells Dark Reading that although the research is based on findings from 2024, what matters to defenders today is that Pawn Storm's old methodologies remain effective. The network-level DNS hijacking technique, for example, is more than 20 years old.
"It tells us that Pawn Storm doesn't shy away from old techniques when they are still effective," Hacquebord says. "Another lesson here is that Pawn Storm targets not only high-profile entities like NATO and the ministries of defense of Western countries but also targets that might be perceived as smaller fish, such as local governments, governments of developing countries, or even smaller companies."
On the heels of these two research reports, the FBI on Tuesday warned that Russia's GRU, via Fancy Bear, has been exploiting routers to steal credentials from organizations worldwide. The agency singled out TP-Link routers compromised via CVE-2023-50224. Since at least 2024, GRU actors have changed device settings to point victims at attacker-controlled DNS resolvers and have staged adversary-in-the-middle attacks against encrypted traffic whenever users clicked through a certificate error warning.
As part of this warning, the FBI said that in tandem with the US Department of Justice, it "recently disrupted a GRU network of compromised small-office home-office (SOHO) routers used to facilitate malicious DNS hijacking operations."
The UK's National Cyber Security Centre (NCSC) and other global partners shared similar warnings.
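The FBI's description (attacker-controlled resolvers written into device settings) is something a defender can check for directly, because a router's resolver list should never change without a change ticket. The Python script below is an added example, not tooling from the FBI, NCSC, or Trend Micro: it audits a constructed router inventory snapshot against an assumed resolver allowlist and a last-known-good baseline, and also checks the firmware-version and default-credential basics. Every device id, model name, version string, and address in it is a constructed placeholder.

```python
"""Audit a SOHO router fleet for rogue DNS resolvers and weak baseline settings.

Added example, not any agency's or vendor's tooling. Field names, device ids,
model names, firmware versions, and resolver addresses are all assumptions.
"""

# Assumed organisation allowlist of resolvers (example values).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Assumed minimum acceptable firmware per model (constructed version strings).
MIN_FIRMWARE = {"router-model-a": (2, 1, 0), "router-model-b": (1, 4, 2)}

# Last known-good resolver configuration, as recorded by config backups.
BASELINE_DNS = {
    "branch-01": ["10.0.0.53", "10.0.1.53"],
    "branch-02": ["10.0.0.53", "10.0.1.53"],
    "home-07": ["10.0.0.53"],
}

# Constructed current snapshot (what polling the devices returned today).
# 203.0.113.5 and 198.51.100.44 are documentation addresses standing in for
# resolvers nobody in the organisation configured.
CURRENT_SNAPSHOT = [
    {"id": "branch-01", "model": "router-model-a", "firmware": "2.1.3",
     "dns": ["10.0.0.53", "10.0.1.53"], "default_creds": False},
    {"id": "branch-02", "model": "router-model-a", "firmware": "2.0.9",
     "dns": ["10.0.0.53", "203.0.113.5"], "default_creds": False},
    {"id": "home-07", "model": "router-model-b", "firmware": "1.4.2",
     "dns": ["198.51.100.44"], "default_creds": True},
]


def parse_version(text: str) -> tuple:
    """Turn '2.1.3' into (2, 1, 3) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def audit_router(router: dict, baseline_dns: dict) -> list:
    """Return human-readable findings for one device (empty list if clean)."""
    findings = []
    dns = router["dns"]

    # 1. Any resolver outside the allowlist is the core DNS-hijack indicator.
    rogue = [r for r in dns if r not in APPROVED_RESOLVERS]
    if rogue:
        findings.append(f"unapproved DNS resolver(s): {', '.join(rogue)}")

    # 2. Drift from the last known-good config, even towards an allowed value,
    #    deserves a look because nothing should change without a ticket.
    known_good = baseline_dns.get(router["id"])
    if known_good is not None and dns != known_good:
        findings.append(f"DNS changed since baseline: {known_good} -> {dns}")

    # 3. Firmware below the model's minimum leaves known bugs exposed.
    minimum = MIN_FIRMWARE.get(router["model"])
    if minimum is not None and parse_version(router["firmware"]) < minimum:
        wanted = ".".join(str(n) for n in minimum)
        findings.append(f"firmware {router['firmware']} below minimum {wanted}")

    # 4. Default admin credentials make every other control moot.
    if router.get("default_creds"):
        findings.append("default admin credentials still in use")

    return findings


def audit_fleet(snapshot: list, baseline_dns: dict = BASELINE_DNS) -> dict:
    """Map device id -> findings, omitting devices with nothing to report."""
    report = {}
    for router in snapshot:
        findings = audit_router(router, baseline_dns)
        if findings:
            report[router["id"]] = findings
    return report


if __name__ == "__main__":
    for device, findings in audit_fleet(CURRENT_SNAPSHOT).items():
        print(device)
        for finding in findings:
            print("  -", finding)
```

In practice the snapshot would come from scheduled config backups or a management API rather than a literal, but the comparison logic is the same: the allowlist catches a resolver nobody approved, and the baseline diff catches a change even when it lands on a plausible-looking address.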
How Can a Defender Keep Up?
Targets in these campaigns included European and South American militaries, defense industry organizations worldwide (including in North America), energy sector organizations, and other critical organizations around the globe.
"Although Pawn Storm has been active for two decades, it still retains its aggressiveness and determination to break into the networks and emails of high-profile targets around the world," Trend Micro's blog post read.
The big question, then, is how a defender is supposed to get ahead. Whether they're a small organization or even a reasonably resourced government, it's hard to match an APT with 20 years of operations and the full weight of the GRU behind it.
Denis Calderone, CTO and principal of Suzu Labs, tells Dark Reading that such a question assumes one has to match APT28's level of sophistication, and the answer, he says, is "You don't." It's worth remembering that much of the actor's sophistication lies in what happens after initial access, Calderone adds. Before that, it's much the same trickery security professionals see from anyone: phishing emails, ClickFix prompts, exploiting weak credentials, and so on. He advises focusing on the basics.
Multifactor authentication "stops password spraying. Patching [Microsoft] Office stops CVE-2026-21509. Updating router firmware and changing default credentials stops FrostArmada. Training users that a real CAPTCHA never asks you to open system tools stops ClickFix," Calderone says. "Those are all achievable at any budget. The honest caveat is that if those basics fail and APT28 gets inside, a small org without dedicated security operations is going to have a very hard time catching them. That's where managed detection services or sector-specific ISACs become critical."
Vishal Agarwal, chief technology officer (CTO) of Averlon, says that even if a threat actor like Fancy Bear gets in, zero trust, least-privilege access, strong identity controls, and just-in-time access can limit how far and fast an attacker can move.
Echoing Calderone, Seemant Sehgal, founder and CEO of BreachLock, argues in favor of denying Fancy Bear the easy wins.
"Fancy Bear's success isn't magic; it's built on exploiting exposed services, weak identity controls, and gaps that most organizations already know exist," Sehgal says. "The organizations that hold up best aren't necessarily the biggest or the best funded, but rather those that continuously reduce attack surface, enforce strong identity, and most importantly, wake up every morning assuming they're already a target."
About the Author
Alexander Culafi
Senior News Writer, Dark Reading
Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. In his spare time, Alex hosts the weekly Nintendo podcast Talk Nintendo Podcast and works on personal writing projects, including two previously self-published science fiction novels.