www.darkreading.com 4/9/2026, 9:31:22 PM · via preferred

Trend Micro Exposes Fancy Bear's Prismex Malware Targeting Ukraine

CyberSIXT Evidence Panel
CISA KEV: Listed in KEV
Patch: Patch Available
Threat Actor

Trend Micro’s latest research highlights the extensive reach of Fancy Bear, also known as APT28 and Forest Blizzard, with the security vendor describing Pawn Storm as the actor behind Prismex, a malware collection used to target Ukraine’s defence supply chain and allied states. The report notes that Prismex combines steganography, COM hijacking, and legitimate cloud service abuse for command and control, and includes both espionage and sabotage capabilities such as wiper commands.

It also documents NTLMv2 hash relay attacks used against a wide range of targets between 2022 and 2023, including methods that could capture and reuse authentication credentials. In late 2023 and early 2024, APT28’s activities included credential-targeting phishing campaigns against European government entities, with threat actors anonymising themselves via VPNs and compromised EdgeOS routers.

In a PSA, the FBI warned that Russia’s GRU, via Fancy Bear, has been exploiting routers to steal credentials, citing TP-Link devices compromised via CVE-2023-50224, while the UK’s National Cyber Security Centre has shared similar warnings.

Article by CyberSIXT