Joint Cybersecurity Advisory (CSA) AA25-141A exposes a sustained and multifaceted cyber-espionage campaign attributed to Russia’s GRU Unit 26165, also known as APT28, Fancy Bear, Forest Blizzard, and a host of other monikers. Since early 2022, this group has relentlessly targeted Western logistics and technology companies involved in supporting Ukraine, exploiting both legacy and zero-day vulnerabilities to gain access and siphon sensitive data. Their operations span credential harvesting, spearphishing, exploitation of public-facing services, and even the compromise of surveillance systems used to track aid shipments.
This blog unpacks the key findings of the advisory and demonstrates how Logpoint’s platform equips security teams with the visibility and tools to detect, investigate, and mitigate such threats across every stage of the attack lifecycle.
By Anish Bogati and Ujwal Thapa, Security Researchers
Russia’s GRU Unit 26165, also known by several aliases including APT28, is a name synonymous with cyber espionage, having cast a long shadow over the geopolitical landscape for over two decades. Its target sectors (government institutions, militaries, and security organizations) clearly reflect its motive: stealing sensitive information for political and military gain. In our previous coverage of APT28, also known as Forest Blizzard, we explored the group’s long-standing espionage capabilities, custom malware arsenal, and disruptive operations across geopolitical hotspots. That research outlined how Logpoint helps defenders detect this adversary’s toolsets, with a particular focus on GooseEgg and multiple credential harvesting techniques.
In this latest update, our focus shifts to GRU’s recent campaigns targeting Western logistics entities and technology companies, as detailed in the CISA Advisory. These attacks are part of a broader post-invasion escalation by GRU Unit 26165, reflecting a strategic effort to compromise supply chains supporting Ukraine. Since the onset of the Ukraine conflict, cyber operations have become a strategic extension of geopolitical aggression. These operations demonstrate a refined and persistent effort to infiltrate organizations that support Ukrainian aid and defense logistics.
This blog focuses specifically on post-compromise tactics, techniques, and procedures (TTPs), rather than discussing the initial infection vectors. GRU doesn’t always rely on flashy malware; instead, they move quietly, using built-in tools like PowerShell, PsExec, or RDP to explore the network, harvest credentials, and dig deeper into high-value systems.
What makes these actions dangerous also makes them detectable: they leave behind patterns. Whether it’s suspicious mailbox permission changes, zipped data staged for exfiltration, or logs suddenly being wiped clean, these activities generate signals that defenders can pick up on with the right visibility. Our goal here is to highlight post-compromise behaviors that are not just common but practical to detect: actions that defenders can catch in the real world with good logging, smart rules, and a solid understanding of what normal looks like. For the sake of clarity, we will refer to GRU Unit 26165 as GRU in the rest of this blog.
Required log sources:
To follow the threat hunting and detection approach below, the following log sources must be configured.
GRU abused an Outlook NTLM flaw, CVE-2023-23397, by sending crafted calendar invites that silently harvest NTLM hashes and user credentials. Check out our blog for a deeper dive into this technique and guidance on how to spot it in your environment.
Adversaries have exploited several Roundcube flaws, namely CVE-2020-12641, CVE-2020-35730, and CVE-2021-44026, to launch arbitrary shell commands via Visual Basic scripts. To catch this behavior in your environment, use the Suspicious File Execution Using Wscript or Cscript alert, which flags any unexpected uses of these script hosts.
GRU has exploited a WinRAR vulnerability (CVE-2023-38831) to gain initial access. To spot this in your environment, look for WinRAR spawning unexpected child processes—for example:
This alert will flag any unusual script or shell hosts launched by WinRAR. For a deep dive into the CVE-2023-38831 flaw and additional detection guidance, check out our blog:
Initial access techniques are countless and constantly evolving—catching every one of them as they hit is like chasing shadows. What really matters is what happens after the attacker lands. By shining a spotlight on post-compromise behaviors—privilege escalation, credential harvesting, lateral movement, data exfiltration—you’ll catch adversaries when they’re most exposed, and stop the attack before real damage is done.
Adversaries frequently lean on built-in Windows tools and popular open-source frameworks, like Impacket and PsExec, to hop laterally through a network. PsExec’s default behavior is to drop an 8-character executable and spin it up as a service with a 4-character name. You can spot this activity with the rule below.
PsExec sets up a named pipe (usually prefixed with RemCom_) to shuttle commands and their output between hosts. You can spot this from Sysmon logs by looking for pipe creation events. This will catch any RemCom-style pipes or the common stdin/stdout/stderr pipes PsExec uses.
Most Impacket tools ultimately invoke the command prompt to execute the payload, and they are often launched by services or admin processes. The hunting query below can be used to detect such events.
For an in-depth understanding of Impacket and its utilities, refer to our blog.
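As an added example (not the original post’s own Logpoint query), the Python below runs the three checks from this section over a handful of constructed Sysmon and System-log events: a 4-character service name paired with an 8-character executable, RemCom_ or stdin/stdout/stderr named pipes, and cmd.exe launched from a service host with its output redirected to a loopback admin share. The field names, the parent-process list and the sample events are assumptions, not values from the advisory.

```python
import re

# Constructed sample telemetry (not from the advisory), simplified from
# Windows System log EID 7045 (service installed), Sysmon EID 17 (pipe
# created) and Sysmon EID 1 (process created).
SAMPLE_EVENTS = [
    {"id": 7045, "service": "aBcD", "path": "\\\\SRV01\\ADMIN$\\k3Lm9QxZ.exe"},
    {"id": 7045, "service": "Spooler", "path": "C:\\Windows\\System32\\spoolsv.exe"},
    {"id": 17, "pipe": "\\RemCom_comm"},
    {"id": 17, "pipe": "\\PSEXESVC-SRV01-4120-stdin"},
    {"id": 17, "pipe": "\\lsass"},
    {"id": 1, "image": "C:\\Windows\\System32\\cmd.exe",
     "parent": "C:\\Windows\\System32\\services.exe",
     "cmd": "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1716300000.4 2>&1"},
    {"id": 1, "image": "C:\\Windows\\System32\\cmd.exe",
     "parent": "C:\\Windows\\explorer.exe", "cmd": "cmd.exe /c dir"},
]

SVC_NAME = re.compile(r"^[A-Za-z]{4}$")                     # 4-character service name
SVC_EXE = re.compile(r"[\\/]([A-Za-z0-9]{8})\.exe$", re.I)  # 8-character executable
PIPE = re.compile(r"^\\(RemCom_|.*-(stdin|stdout|stderr)$)", re.I)
# Assumed "service or admin" parent processes for the Impacket-style cmd.exe check.
ADMIN_PARENTS = {"services.exe", "wmiprvse.exe"}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule, detail) tuples for events matching the PsExec/Impacket checks."""
    hits = []
    for e in events:
        if e["id"] == 7045 and SVC_NAME.match(e["service"]) and SVC_EXE.search(e["path"]):
            hits.append(("psexec_service_install", e["service"]))
        elif e["id"] == 17 and PIPE.match(e["pipe"]):
            hits.append(("psexec_named_pipe", e["pipe"]))
        elif e["id"] == 1 and basename(e["image"]) == "cmd.exe" \
                and basename(e["parent"]) in ADMIN_PARENTS \
                and "/q /c" in e["cmd"].lower() and "\\\\127.0.0.1\\" in e["cmd"]:
            # Command output redirected to an admin share on the loopback address
            # is the tell-tale of Impacket's remote command execution helpers.
            hits.append(("impacket_cmd_via_service", e["cmd"]))
    return hits

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The same three predicates map directly onto a SIEM rule over the equivalent normalized fields; the loopback-share redirect is the highest-signal clause and is worth keeping even when the parent-process filter is loosened.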
After moving laterally (often over RDP) onto a Domain Controller, GRU operators use Windows’ built-in ntdsutil.exe to extract the NTDS.dit database. CISA describes the exact steps they take:
For detection, you can leverage our built-in “Active Directory Database Dump Attempt” alert—it’s specifically tuned to catch NTDS.dit dump attempts.
After dumping the NTDS.dit, GRU’s operators employed two key tools, ADExplorer and Certipy, to harvest and exfiltrate directory data. They also installed Python on compromised hosts to run Certipy.
ADExplorer (a Sysinternals utility) can take “snapshots” of the AD hierarchy. You can detect its use with the query below.
Certipy’s command set (e.g., auth, find, relay, shadow), combined with its BloodHound export flags, makes its usage distinct. Detection can be done using an alert, Certipy Tool Execution for AD CS Abuse.
Alternatively, the following hunt query can be used to surface Certipy’s activities.
Since Certipy runs under Python, spotting unexpected Python installs or launches can pre-empt its use. For example, detect MSI-based installs or direct Python executables:
According to the Polish Cybercommand blog, the adversary modified folder permissions across mailboxes to gain unfettered access to all users’ mail. In Exchange Online, you can detect this behavior with these alerts:
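As an added example (not from the original post or Logpoint’s alert content), the Python below runs two checks over constructed records in a simplified form of the Exchange Online admin-audit entries that the unified audit log holds for Add-MailboxFolderPermission and Set-MailboxFolderPermission: a folder opened to the Default or Anonymous user, and a single account granted rights across several mailboxes. The record shape, the three-mailbox threshold and the list of rights treated as benign are assumptions.

```python
from collections import defaultdict

def rec(op, actor, mailbox, user, rights):
    """Build a constructed, simplified Exchange Online admin-audit record."""
    return {"Operation": op, "UserId": actor,
            "Parameters": [{"Name": "Identity", "Value": mailbox + ":\\Inbox"},
                           {"Name": "User", "Value": user},
                           {"Name": "AccessRights", "Value": rights}]}

# Constructed sample records (not real audit data): two grants to the Default
# user, three grants of one account across several mailboxes, and two
# ordinary self-initiated shares that should not fire.
ADD, SET = "Add-MailboxFolderPermission", "Set-MailboxFolderPermission"
SAMPLE_RECORDS = [
    rec(ADD, "admin@corp.example", "alice@corp.example", "Default", "Owner"),
    rec(SET, "admin@corp.example", "bob@corp.example", "Default", "Reviewer"),
    rec(ADD, "admin@corp.example", "carol@corp.example", "svc-backup@corp.example", "Owner"),
    rec(ADD, "admin@corp.example", "dave@corp.example", "svc-backup@corp.example", "Owner"),
    rec(ADD, "admin@corp.example", "erin@corp.example", "svc-backup@corp.example", "Owner"),
    rec(ADD, "alice@corp.example", "alice@corp.example", "bob@corp.example", "Reviewer"),
    rec(SET, "frank@corp.example", "frank@corp.example", "Default", "AvailabilityOnly"),
]

PERMISSION_OPS = {ADD, SET}
BROAD_USERS = {"default", "anonymous"}          # every authenticated user / anyone
BENIGN_RIGHTS = {"None", "AvailabilityOnly"}    # free/busy only, no mail content

def detect(records, threshold=3):
    """Return (rule, subject, detail) tuples; threshold is an assumed tuning value."""
    hits, mailboxes_by_grantee = [], defaultdict(set)
    for r in records:
        if r.get("Operation") not in PERMISSION_OPS:
            continue
        p = {x["Name"]: x["Value"] for x in r.get("Parameters", [])}
        mailbox = p.get("Identity", "").split(":", 1)[0].lower()
        grantee = p.get("User", "").lower()
        rights = {x.strip() for x in p.get("AccessRights", "").split(",")}
        if rights <= BENIGN_RIGHTS:
            continue                         # no mail content exposed
        if grantee in BROAD_USERS:
            hits.append(("broad_folder_grant", mailbox, p["AccessRights"]))
        elif mailbox and grantee != mailbox:
            mailboxes_by_grantee[grantee].add(mailbox)
    for grantee, boxes in sorted(mailboxes_by_grantee.items()):
        if len(boxes) >= threshold:          # one account reaching into many mailboxes
            hits.append(("mass_folder_grant", grantee, len(boxes)))
    return hits
```

In production the fan-out count should be scoped to a time window and exclude approved delegation accounts, otherwise a legitimate migration or helpdesk run will trip the second rule.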
The GRU routinely used native Windows utilities like wevtutil to wipe event logs after gaining access or escalating privileges. This tactic helped them hide their tracks and delay detection during post-compromise activity.
Detection can be done using an alert, Suspicious Eventlog Clear or Configuration Using Wevtutil Detected.
They have also exploited the way Windows loads DLLs by planting malicious ones in directories that are searched first. This lets them execute code through trusted binaries, bypassing traditional security scans.
Detection can be done using an alert, Safe DLL Search Mode Disabled.
GRU operators rely on tried-and-true persistence methods to maintain access, including scheduled tasks, Run-key modifications, and Startup folder payloads. Here’s how to spot each:
You can leverage the Scheduled Task Creation Detected alert to catch every new scheduled task created in your environment.
Because the generic alert covers every new task (and can yield a high volume of results), you can instead use the Suspicious Scheduled Task Creation alert to pinpoint only those tasks originating from locations commonly abused by malware.
According to CISA’s IOC section, the threat actor created the scheduled task using an XML file, so you can detect this specific technique with the Suspicious Scheduled Task Creation via Masqueraded XML File alert.
Adding entries to the Autorun registry keys or dropping payloads into the Startup folder is a widely abused persistence method—used by both legitimate software and malware—to launch programs at Windows startup. You can catch any of these changes with the Autorun Keys Modification Detected alert, which monitors registry writes and file events against the key Run locations and Startup directories.
The GRU employs impact-focused techniques not to destroy systems outright, but rather to erase evidence, disrupt recovery, and maintain stealth during and after their operations. They utilize legitimate Windows utilities such as wevtutil.exe to clear event logs and vssadmin.exe to manipulate volume shadow copies, indicating preparations to disable backup and forensic recovery.
Detects use of system tools like vssadmin, wbadmin, or PowerShell to create or manipulate shadow copies, potentially for staging data or disabling recovery.
In this campaign, the GRU employed various malware families to perform essential post-compromise functions, such as persistence, credential theft, and data exfiltration. Notable among these were HEADLACE, a multi-stage backdoor recognized for its use of headless browser automation and discreet script execution, and MASEPIE, an exfiltration tool that has been previously observed in GRU operations aimed at Ukrainian interests.
Detects use of legitimate utilities with command-line patterns often associated with malicious activity, such as data staging, headless browser automation, or scheduled task creation
Detects command-line patterns and batch scripting behavior used in GRU's HEADLACE malware, including headless browser abuse, system recon, and deletion of local artifacts
Logpoint’s Network Detection and Response (NDR) Muninn can play a vital role in detecting and responding to post-compromise behaviors commonly employed by the GRU. While many of the group’s techniques rely on built-in system tools and credential abuse, they also generate distinct network patterns that can be detected in real time with the right behavioral analytics.
Some of the notifications listed below can be useful in detecting their presence in the network: