APT28 / Fancy Bear
Also known as: Fancy Bear, Sofacy (Sofacy Group), Sednit, Forest Blizzard (Microsoft; formerly STRONTIUM), Pawn Storm, UAC-0001 (CERT-UA), Iron Twilight, Tsar Team, Group 74. Attributed to GRU Unit 26165.
Tracked threats
- APT28 Router DNS Hijacking for Adversary-in-the-Middle Credential Theft — HIGH
- Zimbra Collaboration Suite Stored XSS via CSS @import Active Exploitation (CVE-2025-66376) — Operation GhostMail — HIGH
- APT28 (Fancy Bear) Deploys BadPaw Loader and MeowMeow Backdoor Targeting Ukrainian Critical Infrastructure — HIGH
- APT28 Microsoft Office Security Feature Bypass (CVE-2026-21509) — CISA KEV, Targeting Ukraine & EU via COREPER-Themed Spear-Phishing — HIGH
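The first tracked threat above, router DNS hijacking used for adversary-in-the-middle credential theft, is one a network owner can check for without vendor telemetry: compare what the LAN gateway's resolver advertises and answers against a trusted reference resolver. The script below is an added example written for this page; it is not Threadlinqs code and is not derived from the campaign's indicators. It works on already-collected resolution results rather than making network calls, and every resolver address, hostname and answer in it is constructed sample data; EXPECTED_RESOLVERS, check_resolvers, compare_answers and registered_domain are names assumed for the illustration.

```python
"""Heuristic check for router-level DNS hijacking (adversary-in-the-middle).

Added example for this page (not Threadlinqs code, not tied to any specific
campaign detail). Inputs are pre-collected A-record answers from the gateway's
resolver and from a trusted reference resolver. Flags three signs of a hijack:
  * DHCP-advertised resolvers that are not on the allow-list
  * hostnames whose gateway answers share nothing with the reference answers
  * several unrelated domains collapsing onto one address at the gateway
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed allow-list: resolvers this network is supposed to advertise via DHCP.
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Private / link-local space: a public hostname answered from here by the
# gateway, but not by the reference resolver, is suspicious on its own.
PRIVATE_NETS = [ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def is_private(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in n for n in PRIVATE_NETS)


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); enough to tell unrelated domains apart here."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def check_resolvers(advertised: set[str]) -> list[str]:
    """Return resolvers the gateway advertises that are not on the allow-list."""
    return sorted(advertised - EXPECTED_RESOLVERS)


def compare_answers(local: dict[str, set[str]], reference: dict[str, set[str]],
                    min_collapse: int = 2) -> dict:
    """Compare per-hostname A-record sets from the gateway (local) and a trusted
    reference resolver. Returns:
      'divergent': hostnames whose local answers share nothing with the reference
      'collapsed': {ip: [hostnames]} where the gateway sent >= min_collapse
                   unrelated registered domains to the same address
      'private':   divergent hostnames the gateway answered from private space
    """
    divergent, private = [], []
    by_ip = defaultdict(list)
    for host, local_ips in local.items():
        ref_ips = reference.get(host, set())
        if not local_ips or not ref_ips:
            continue  # NXDOMAIN or timeout on one side: nothing to compare
        if local_ips & ref_ips:
            continue  # at least one answer agrees: CDN rotation, not a hijack
        divergent.append(host)
        for ip in local_ips:
            by_ip[ip].append(host)
            if is_private(ip):
                private.append(host)
    collapsed = {ip: sorted(hosts) for ip, hosts in by_ip.items()
                 if len({registered_domain(h) for h in hosts}) >= min_collapse}
    return {"divergent": sorted(divergent), "collapsed": collapsed,
            "private": sorted(set(private))}


# Constructed sample observations (documentation-range addresses, not real data).
SAMPLE_ADVERTISED = {"192.0.2.53", "198.51.100.9"}
SAMPLE_LOCAL = {
    "mail.example.com":  {"203.0.113.77"},                    # redirected
    "login.example.net": {"203.0.113.77"},                    # redirected, same IP
    "www.example.org":   {"198.51.100.20", "198.51.100.21"},  # overlaps reference
    "cdn.example.org":   {"198.51.100.30"},                   # differs, single domain
    "vpn.example.com":   {"192.168.1.1"},                     # answered from RFC 1918 space
}
SAMPLE_REFERENCE = {
    "mail.example.com":  {"198.51.100.10"},
    "login.example.net": {"198.51.100.11"},
    "www.example.org":   {"198.51.100.21", "198.51.100.22"},
    "cdn.example.org":   {"198.51.100.31"},
    "vpn.example.com":   {"198.51.100.12"},
}


def run_sample() -> dict:
    report = {"rogue_resolvers": check_resolvers(SAMPLE_ADVERTISED)}
    report.update(compare_answers(SAMPLE_LOCAL, SAMPLE_REFERENCE))
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(run_sample(), indent=2))
```

In practice the two answer maps are gathered with `dig @<gateway> <host>` and `dig @<reference> <host>` for the login, mail and SSO hostnames users actually visit. Geo-DNS and CDN rotation produce divergent answers on their own, which is why a single differing hostname is only a weak signal; the strong signal is several unrelated domains collapsing onto one address, or a public hostname answered from private space, both of which are how a hijacked router steers victims to one credential-harvesting proxy.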
Full actor intelligence (infrastructure, IOCs, detection coverage and operator fingerprints) is available via the Threadlinqs MCP server (Purple tier).