APT28
MITRE G0007
Also known as Fancy Bear, FancyBear, UAC-0001
Reports
10
First seen
Jan 5
Last seen
Jun 22
Motivation
espionage, email collection and persistent access f, military cyberwarfare
Targeting
Sectors
other ×4, government ×1
Victim regions
Canada ×1, Ukraine ×1
Top ATT&CK techniques
T1190 Exploit Public-Facing Application ×7
T1566 Phishing ×6
T1486 Data Encrypted for Impact ×5
T1059 Command and Scripting Interpreter ×5
T1003 OS Credential Dumping ×4
T1041 Exfiltration Over C2 Channel ×4
T1078 Valid Accounts ×4
T1021 Remote Services ×4
T1195 Supply Chain Compromise ×3
T1598 Phishing for Information ×3
T1110 Brute Force ×2
T1566.002 Phishing: Spearphishing Link ×2
Indicators
cve ×49, ip_v4 ×22, filename ×20, domain ×9, email ×5, url ×4, hash_sha256 ×2, registry_key ×1
Indicator values are available on Pro and via the API.
Associated CVEs
CVE-2026-1340 (exploited), CVE-2026-21509 (exploited), CVE-2026-23760 (exploited), CVE-2026-1281 (exploited), CVE-2026-22769 (exploited), CVE-2025-55182 (exploited), CVE-2021-43798 (exploited), CVE-2021-27065 (exploited), CVE-2021-26855 (exploited), CVE-2023-7102 (exploited), CVE-2024-3400 (exploited), CVE-2025-0282 (exploited), CVE-2025-14174 (exploited), CVE-2025-15517, CVE-2023-3519 (exploited), CVE-2021-26858 (exploited), CVE-2025-43529 (exploited), CVE-2025-40551 (exploited), CVE-2023-2868 (exploited), CVE-2025-26399 (exploited)
Recent reports
High