Russia's APT28 hackers move to disposable malware and AI-driven tools

One of Russia's most prolific state hackers has quietly rebuilt the way it operates, trading the heavy custom implants that once defined it for throwaway tools, rented edge hardware, and, in its newest experiments, malware that asks a large language model what to do next. That is the picture researchers at Sekoia paint in a new retrospective on APT28, the GRU military intelligence unit also known as Fancy Bear, Forest Blizzard, Sofacy, and Sednit, and publicly tied to GRU Unit 26165.

The group has spent two decades targeting governments, militaries, diplomats, and critical infrastructure, with a heavy focus on NATO members and Ukraine. Sekoia's Threat Detection and Research team, which says it has been working with the FBI and other agencies to constrain the group, walks through how its tradecraft shifted era by era rather than cataloguing every operation.

From signature tools to disposable modules

In its early years APT28 leaned on recognizable implants such as X-Agent and X-Tunnel, the toolkit behind high-profile breaches including the TV5Monde sabotage, the German Bundestag hack, and the 2016 intrusions into the US Democratic Party. After the 2019 US indictments and the Mueller report, Sekoia says, the group went largely dark for about five years while quietly deploying a custom privilege-escalation tool. When it resurfaced, its arsenal had changed shape: instead of monolithic implants, operators now favor small, single-task modules that are easy to discard once a job is done, making detection and attribution harder.

Living on the edge

A second major shift is infrastructure. Rather than standing up servers that defenders can track, APT28 increasingly relays its operations through compromised edge devices such as small-office routers. Sekoia points to the group's weaponization of a zero-click Microsoft Outlook flaw (CVE-2023-23397) to silently steal Net-NTLMv2 authentication hashes, the challenge-response values a Windows client sends to prove a user's identity, from NATO ministries and defense targets, relaying them through hijacked EdgeRouters to break into Exchange mailboxes. The group has also abused a Windows Print Spooler weakness (CVE-2022-38028) via its GooseEgg tool.

Malware that talks to an LLM

The most striking change is the most recent. Sekoia describes APT28 tooling that reaches out to a large language model during an operation, a sign the group is experimenting with AI to make its malware more adaptive. The firm frames this as the latest step in a long pattern of reinvention rather than a finished capability.

Why it matters

APT28 carries 33 documented aliases, a reflection of how widely it has been tracked, yet Sekoia assumes a meaningful share of its activity has never been disclosed. The takeaway for defenders is that the group is deliberately shrinking its own footprint: disposable code, borrowed infrastructure, and automation all make the same operator harder to pin down. Organizations in government, defense, and critical infrastructure, especially around Ukraine and NATO, should prioritize patching the Outlook and Print Spooler flaws above, monitor for anomalous traffic to consumer-grade routers, and watch for credential-relay activity against mail systems. You can read the original report from Sekoia's TDR team for the full timeline.
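The two monitoring recommendations above (outbound traffic from workstations to hosts that should never see SMB, and credential-relay logons against mail systems) can be joined into a single correlation. The following is an added example written for this briefing, not code from Sekoia or IntelFusions: it flags allowed SMB egress from internal hosts to external addresses, then raises a higher-confidence alert when the same external address later completes an NTLM logon to the mail server. The key=value log format, the sample lines, and the function and field names are all constructed for the example; real firewall and Exchange logs will need their own parser.

```python
"""
Added detection example (not from the Sekoia report or IntelFusions): it
correlates two signals the briefing tells defenders to watch for. Log formats
and sample lines are constructed; real firewall and Exchange logs differ.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed key=value log format; the first token of each line is the timestamp.
KV_RE = re.compile(r"(\w+)=(\S+)")

# Address space treated as "inside". TEST-NET ranges are deliberately not listed
# so the documentation addresses used in the sample lines count as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Outbound SMB is the channel a zero-click Outlook NTLM leak uses to hand the
# victim's Net-NTLMv2 response to an attacker-controlled host; Microsoft's
# CVE-2023-23397 guidance is to block TCP/445 egress, so an allowed hit is a
# strong signal on its own.
NTLM_EGRESS_PORTS = {445}


@dataclass(frozen=True)
class Alert:
    timestamp: str
    src: str
    dst: str
    reason: str


def parse_kv(line):
    """Split '<timestamp> k=v k=v ...' into a dict (constructed format)."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["timestamp"] = ts
    return fields


def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def find_smb_egress(fw_lines):
    """Allowed SMB connections from an internal host to an external address."""
    alerts = []
    for line in fw_lines:
        f = parse_kv(line)
        if f.get("action") != "allow" or not f.get("dport", "").isdigit():
            continue
        dport = int(f["dport"])
        src, dst = f.get("src", ""), f.get("dst", "")
        if dport in NTLM_EGRESS_PORTS and is_internal(src) and not is_internal(dst):
            alerts.append(Alert(f["timestamp"], src, dst,
                                f"outbound SMB tcp/{dport} to external host"))
    return alerts


def find_relayed_mail_logons(fw_lines, auth_lines):
    """Successful NTLM logons to the mail server from an address that earlier
    received SMB egress from inside: the relay pattern seen from the mailbox side."""
    suspect_hosts = {a.dst for a in find_smb_egress(fw_lines)}
    alerts = []
    for line in auth_lines:
        f = parse_kv(line)
        if f.get("auth") != "NTLM" or f.get("result") != "success":
            continue
        client = f.get("client", "")
        if client in suspect_hosts:
            alerts.append(Alert(f["timestamp"], client, f.get("host", ""),
                                f"NTLM logon as {f.get('user')} from SMB-egress destination"))
    return alerts


# Constructed sample logs (documentation address ranges, no real hosts).
FIREWALL_LOG = [
    "2024-03-01T10:22:01Z src=10.20.3.44 dst=203.0.113.7 proto=tcp dport=445 action=allow",
    "2024-03-01T10:22:05Z src=10.20.3.44 dst=10.20.0.5 proto=tcp dport=445 action=allow",
    "2024-03-01T10:23:10Z src=10.20.7.12 dst=198.51.100.9 proto=tcp dport=445 action=deny",
    "2024-03-01T10:24:00Z src=10.20.3.44 dst=203.0.113.7 proto=tcp dport=443 action=allow",
]
MAIL_AUTH_LOG = [
    "2024-03-01T10:25:40Z host=mail01 service=EWS auth=NTLM user=jdoe client=203.0.113.7 result=success",
    "2024-03-01T10:26:02Z host=mail01 service=OWA auth=NTLM user=asmith client=192.168.5.20 result=success",
    "2024-03-01T10:26:30Z host=mail01 service=EWS auth=NTLM user=jdoe client=198.51.100.9 result=failure",
]

if __name__ == "__main__":
    for alert in find_smb_egress(FIREWALL_LOG) + find_relayed_mail_logons(FIREWALL_LOG, MAIL_AUTH_LOG):
        print(alert)
```

On the sample data only the first firewall line fires (the second is internal-to-internal, the third was denied, the fourth is HTTPS), and only the EWS logon from the same 203.0.113.7 address is raised as a relay. That correlation is what matters in organizations where remote users legitimately authenticate to mail from outside: an external NTLM logon by itself is noise, but one from an address that just received a workstation's SMB traffic is not.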

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.
