#apt28

Russian-linked Fancy Bear actively exploits CVE-2026-21509 in Microsoft Office documents to bypass security controls and deploy malware across Ukrainian and EU organisations.

Source: Infosecurity Magazine

VPNFILTER Woven Throw by Glitch Textiles

https://www.open-vault.com/aptvol1/vpnfilter The design is made by visualizing a section of code from the VPNFILTER advanced multi-stage modular malware created by the APT28 threat actor. VPNFILTER is advanced, state-sponsored malware that targets internet connected routers and networked storage devices common in small office and home networks. It was developed by an Advanced Persistent Threat (APT). APTs are highly skilled and well resources hacking groups that focus on selective targets for a sustained period of time.

Produced by @glitchtextiles for @_openvault's cyber weapons retail pop-up located at 325 Canal St., NYC

“They’re not trying to gather as much traffic as they can. They’re after certain very small things like credentials and passwords“,  Craig Williams

Current U.S. officials and other experts have linked VPNFilter to a hacking group known as APT28, also called “Fancy Bear.” This entity is widely associated with Russia’s Main Intelligence Directorate (GRU) and has been blamed for breaching the Democratic National Committee in 2016.

Court documents suggested last week that Russia had been involved in VPNFilter.

Simply put, VPNFilter is dangerous because it offers the attacker the ability to both destroy data, rendering the device unusable, and covertly spy on specific targets. With Wednesday’s findings, perhaps the most unsettling new capability discovered by Talos is that VPNFilter can also execute a man-in-the-middle attack on incoming Web traffic that passes through infected routers; giving APT28 an avenue to inject malware into legitimate web applications.

“Initially when we saw this we thought it was primarily made for offensive capabilities like routing attacks around the Internet,” Craig Williams, a senior technology leader and global outreach manager at Talos, told Ars Technica reporter Dan Goodin. “But it appears [attackers] have completely evolved past that, and now not only does it allow them to do that, but they can manipulate everything going through the compromised device. They can modify your bank account balance so that it looks normal while at the same time they’re siphoning off money and potentially PGP keys and things like that. They can manipulate everything going in and out of the device.”

“They’re looking for very specific things,” Williams said. "They’re not trying to gather as much traffic as they can. They’re after certain very small things like credentials and passwords. We don’t have a lot of intel on that other than it seems incredibly targeted and incredibly sophisticated. We’re still trying to figure out who they were using that on.”

From  Ars Technica

Worth remembering just how big nation state cyber efforts actually are. The focus has been squarely on APT28s DNC related hacks (actually hundreds of individuals and organizations); but simultaneously they deployed an attack against Ukrainian military forces, multiple Asian countries, the WADA hack, maintaining at least one attribution front, developing and updating their core toolchain (although it is more of a migration and cleanup than a redevelopment... they’re clearly sticking with what they know rather than electing for procurement process pain)

The competition between RIS agencies is well documented, but this report suggests internal competition between divisions/units. That’s interesting. Either there is internal politics, or the group is extremely decentralized. Most probably its political jockeying though.

APT28 exploited CVE-2026-21509 in Microsoft Office, deploying Outlook-stealing macros and in-memory loaders to gain persistent access across targeted networks.

Source: Zscaler ThreatLabz

Russian-backed threat actors are leveraging Signal messages to deliver sophisticated malware targeting Ukrainian government systems, highlighting growing risks in encrypted communication platforms.

Una falla en la actualización de seguridad de Microsoft ha dejado una puerta abierta para que hackers vinculados a Rusia ejecuten ataques sin necesidad de interacción del usuario, poniendo en riesgo datos sensibles en toda Europa (Fuente Akamai). La seguridad de Windows se enfrenta a una crisis de confianza tras el descubrimiento de un parche defectuoso. Según un informe de Akamai, una…