The advanced persistent threat (APT) group known as Fancy Bear and Forest Blizzard continues to target organizations globally. Linked to Russian military intelligence and active since the mid-2000s, the group consistently focuses on governments, defense supply chains, and critical infrastructure. Recent research from Trend Micro, alongside advisories from international security agencies, details the technical methodologies driving their current operations and offers a clear path for defenders to safeguard their networks.
Malware components and vulnerability usage
Trend Micro recently published findings on two distinct APT28 operations. A March 26 report outlined a collection of malware components known as "Prismex," which the group has used to target the defense supply chains of Ukraine and its allies, including the Czech Republic, Poland, Romania, Slovakia, Slovenia, and Turkey. The campaign dates back to at least September 2025 and escalated in January 2026.
The Prismex suite relies on advanced steganography, component object model (COM) hijacking, and the abuse of legitimate cloud services for command and control. The malware includes both espionage functions and destructive sabotage capabilities. To deploy Prismex, the threat actor leverages multiple Windows vulnerabilities, notably CVE-2026-21513, a zero-day vulnerability in the MSHTML framework, and CVE-2026-21509, a Microsoft Office Object Linking and Embedding (OLE) bug.
A separate report detailed the group's use of NTLMv2 hash relay operations between April 2022 and November 2023. In these campaigns, APT28 sent malicious calendar invites as .msg files, capitalizing on CVE-2023-23397, a critical, since-patched vulnerability in Microsoft Outlook. When triggered, the client connects to an external Server Message Block (SMB) server and sends it the user's Net-NTLMv2 hash. This allows the unauthorized party to authenticate against other systems that support NTLM without requiring the user's actual password.
To obscure their origin during these operations, the group utilized virtual private networks (VPNs), Tor, data center IP addresses, and compromised routers. Feike Hacquebord, a principal threat researcher at TrendAI, noted that the group effectively blends novel methods with decades-old techniques, targeting both high-profile defense ministries and smaller entities like local municipal governments.
Router compromise and DNS redirection
Complementing the malware findings, the FBI and the UK's National Cyber Security Centre (NCSC) issued warnings regarding the group's abuse of small-office home-office (SOHO) routers to facilitate credential theft.
Specifically targeting devices such as TP-Link routers through CVE-2023-50224, as well as MikroTik and EdgeOS systems, the actor alters the devices' Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) settings. This routes traffic through unauthorized DNS resolvers, facilitating adversary-in-the-middle (AitM) operations against encrypted communications. If users click past certificate error warnings, the actor can capture sensitive credentials and OAuth tokens.
In response to this activity, the FBI and the US Department of Justice recently disrupted a network of these compromised SOHO routers to halt the DNS hijacking operations.
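As an added example that is not part of the Trend Micro, FBI or NCSC reporting, the following Python egress-log check flags the two client-side behaviours described above: workstation SMB connections to hosts outside the organization, which is the traffic an Outlook client coerced by CVE-2023-23397 produces, and DNS queries to resolvers the organization does not operate, which is what a hijacked router's altered DHCP/DNS settings cause. The log format, internal address ranges, approved resolver list and sample lines are all constructed assumptions for the example.

```python
import ipaddress

# Constructed values for the example: the organization's internal address space
# and the DNS resolvers it actually operates. Replace with your own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

def parse_record(line):
    """Parse one 'key=value' egress log line (a constructed format, not any vendor's)."""
    return dict(field.split("=", 1) for field in line.split())

def is_internal(ip):
    """True if the address falls inside the organization's own (constructed) ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def analyze(lines):
    """Return (src, dst, reason) tuples for outbound flows matching either pattern."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("dir") != "out":
            continue
        dst, dport = rec["dst"], int(rec["dport"])
        # Pattern 1: a workstation speaking SMB to a host outside the organization,
        # the flow over which a coerced Outlook client sends the Net-NTLMv2 hash.
        if dport == 445 and not is_internal(dst):
            findings.append((rec["src"], dst, "outbound SMB to external host"))
        # Pattern 2: DNS traffic to a resolver the organization does not run, the
        # effect of a compromised router pushing rogue DNS settings via DHCP.
        elif dport == 53 and dst not in APPROVED_RESOLVERS:
            findings.append((rec["src"], dst, "DNS to unapproved resolver"))
    return findings

# Constructed sample log lines; addresses are RFC 1918 and documentation ranges, not real hosts.
SAMPLE_LOG = [
    "ts=2024-05-02T09:14:03Z dir=out src=10.0.5.21 dst=10.0.0.53 proto=udp dport=53",
    "ts=2024-05-02T09:14:07Z dir=out src=10.0.5.21 dst=203.0.113.10 proto=tcp dport=445",
    "ts=2024-05-02T09:14:09Z dir=out src=10.0.5.40 dst=198.51.100.7 proto=udp dport=53",
    "ts=2024-05-02T09:14:11Z dir=out src=10.0.5.40 dst=10.0.7.8 proto=tcp dport=445",
    "ts=2024-05-02T09:14:12Z dir=in src=203.0.113.10 dst=10.0.5.21 proto=tcp dport=49152",
]

if __name__ == "__main__":
    for src, dst, reason in analyze(SAMPLE_LOG):
        print(f"{src} -> {dst}: {reason}")
```

Blocking outbound TCP/445 at the perimeter and pinning clients to the approved resolvers turns both detections into preventions.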
Implementing effective defenses
Defending against a well-resourced APT requires a focus on security fundamentals. Denis Calderone, CTO of Suzu Labs, advises that while APT28 exhibits sophisticated post-access tradecraft, its initial access relies heavily on common methods such as phishing, weak credentials, and known vulnerabilities.
Foundational practices provide significant protection against these vectors:
Enforcing multifactor authentication (MFA) prevents password spraying and unauthorized credential reuse.
Patching Microsoft Office and Windows environments mitigates the risk of vulnerabilities like CVE-2026-21509 and CVE-2023-23397.
Applying router firmware updates, disabling remote management interfaces, and changing default credentials neutralizes hardware-level initial access.
Conducting ongoing user awareness training reduces the risk of social engineering, for example by teaching users to recognize the deceptive CAPTCHA prompts used in initial access campaigns.
For defense in depth, Vishal Agarwal, CTO of Averlon, recommends implementing zero trust architecture, least-privilege access, strong identity controls, and just-in-time access. These measures severely restrict lateral movement if an initial boundary is bypassed.
Seemant Sehgal, CEO of BreachLock, adds that organizations improve their resilience by continually reducing their external footprint and operating under the assumption that they are a target. By maintaining strong foundational controls and rigorous identity management, security teams deny threat actors the straightforward pathways they rely on, making unauthorized access significantly more difficult to achieve.