Europe’s cyber picture is no longer episodic; it is continuous, convergent pressure across crime, hacktivism, and state-aligned activity. ENISA’s 2025 Threat Landscape analyzed 4,875 incidents and finds three realities leaders should act on now: phishing is still the front door (≈60%, increasingly AI-scaled), exploits are weaponized within days (≈21.3% of initial access), and hacktivism dominates volume with low direct impact, largely through DDoS noise that drains resilience.
Targets mirror Europe’s dependencies: public administration (38.2%), transport (7.5%), digital infrastructure/services (4.8%), finance (4.5%), manufacturing (2.9%). The playbooks are shared across actors, Russia-, China-, Iran-, and DPRK-nexus sets included, so the question isn’t who, it’s how fast you can detect, contain, and recover.
This post focuses on Russian TTPs because their tempo and visibility are high right now, but the detection rules, hunting queries, and control points below are actor-agnostic by design. Use them to harden identity, compress patch latency, filter DDoS noise, and prove recoverability, turning continuous pressure into manageable operational risk.
The targeting of NATO members and their critical infrastructure by Russian Advanced Persistent Threat (APT) groups is a direct extension of this geopolitical confrontation and the war in Ukraine. These Russian cyber operations, often attributed to groups linked to intelligence services such as the GRU (APT28, APT29, Sandworm and Turla among them), aim to achieve several strategic objectives:
To better understand the cyber operations of Russian APT groups, it’s important to recognize the intelligence agencies that sponsor and direct them. Russia’s offensive cyber ecosystem primarily operates under three major intelligence services:
Notably, Russia’s offensive cyber operations have included major attacks on Ukraine’s power grid, the global NotPetya outbreak in 2017 that caused billions in damages, and various disruptive campaigns targeting NATO networks, all serving as clear examples of how kinetic and cyber operations are increasingly intertwined.
ENISA also reports that, most recently, APT29, followed by APT28 and Sandworm, were the most active groups, targeting public administration with a clear emphasis on governmental and diplomatic entities, the defence sector, and digital infrastructure. Their operations affected multiple EU Member States but concentrated geographically on Poland, France, Germany, Belgium and Greece. ENISA assesses that this sectoral and geographic focus is at least partly driven by those countries’ support for Ukraine during Russia’s war of aggression, which began in February 2022.
As the geopolitical tensions escalate with cyber operations becoming a constant feature of the great power competition, the need for robust cybersecurity measures is paramount. To effectively defend against these persistent, state-sponsored threats, organizations across the NATO sphere must stay vigilant and proactively hunt for signs of intrusion.
Below is a structured summary of several high-priority Russian APTs, how they operate, what their objectives are, and recent campaigns or shifts in posture.
APT group | Sponsoring org and motives | Targets and objectives | Recent activity/trends |
---|---|---|---|
APT28 | GRU | Espionage (political, military, defense), disruption, influence ops | In 2024–2025, APT28 has been linked with phishing campaigns targeting European governments and political parties. They exploited the CVE-2023-23397 Outlook vulnerability in European environments. |
APT29 | SVR | Long-term espionage of diplomatic, government, think tank and foreign intelligence sectors | Recent campaigns of APT29 incorporate sophisticated droppers, modular implants, and supply chain insertion. |
Sandworm | GRU | Disruption, sabotage, wipers, ICS, critical infrastructure | Reports show Sandworm has renewed its interest in destructive capabilities, including wiper malware, firmware/BIOS attacks, and hybrid sabotage campaigns toward infrastructure sectors. |
Turla | Russian FSB / GRU / foreign-intel proxies | Espionage, long-term stealth footholds, high-value target infiltration | Turla remains one of Russia’s most sophisticated cyber-espionage units. In 2025, ESET identified collaboration between Turla and Gamaredon, where Gamaredon’s Ptero-based downloaders were used to re-deploy Turla’s Kazuar backdoor on select high-value systems in Ukraine. |
Gamaredon | FSB; espionage and access facilitation for other Russian units | Primarily Ukrainian government, military, and diplomatic entities; occasionally NATO-aligned states | According to ESET (2024–2025), Gamaredon intensified large-scale spear-phishing campaigns against Ukrainian institutions using an evolved toolset. Recent campaigns involved malicious archives (RAR, ZIP, 7z), HTML smuggling, and LNK/HTA payloads executing VBScript downloaders such as PteroSand and PteroGraphind. The group also increasingly abused Cloudflare-generated domains and legitimate platforms such as Telegram and Dropbox for C2. |
While these groups are distinct, their targeting, shared intelligence and techniques can overlap. The table below summarizes key Tactics, Techniques, and Procedures (TTPs) of Russian state-linked Advanced Persistent Threat (APT) groups. Each tactic is mapped to common techniques and notable observations of their use by specific APT groups.
Tactic | Common techniques | Observations from APT groups |
---|---|---|
Initial Access | T1566.001, T1566.002, T1190, T1189, T1195, T1091 | Russian APTs employ multiple intrusion vectors, most prominently spear-phishing, malicious documents, and exploitation of public-facing systems, to establish footholds in target environments. |
Execution | T1059.001, T1059.003, T1218, T1059.005 | Russian APTs rely on living-off-the-land techniques for code execution to stay covert. |
Persistence | T1547.001, T1053, T1543.003, T1556, T1542, T1014, T1078, T1574.001 | Russian APTs maintain long-term access through both malware implants and abuse of legitimate mechanisms. |
Defense Evasion | T1027, T1573, T1036.007, T1070.004, T1568.003, T1055 | Russian APTs invest significant effort in blending into legitimate activity, employing obfuscation, masquerading, log cleanup, and living-off-the-land techniques across operations. |
Credential Access | T1110.003, T1110.001, T1003, T1552.001, T1550, T1056.001, T1555.003 | Russian APTs conduct large-scale credential theft to enable persistent and stealthy access. |
Discovery | T1082, T1057, T1007, T1087, T1069, T1083, T1046 | Once inside a victim network, Russian APTs perform extensive internal reconnaissance to map environments and identify valuable targets. |
Lateral Movement | T1021.002, T1021.001, T1550.002, T1047, T1021.006, T1484.001 | Russian APTs use stolen credentials, Windows admin tools, and legitimate IT mechanisms to move laterally and expand access. |
Collection | T1114.003, T1074, T1056.001, T1560 | After achieving lateral movement, Russian APTs conduct focused intelligence collection. |
Exfiltration | T1041, T1567.002, T1567.001, T1029 | Russian threat actors typically exfiltrate stolen data through encrypted channels that mimic legitimate traffic. |
As these Russian state-sponsored groups continue to evolve their tradecraft, adapting payloads, exploiting legitimate tools, and refining stealth techniques, timely detection becomes more critical than ever. Their operations will likely grow more automated, modular, and cloud-integrated, expanding the challenge for defenders across NATO-aligned networks.
Therefore, early detection and behavioral visibility are essential. In the following sections of this blog, we will outline how these malicious activities can be detected using Logpoint SIEM along with hunting queries. These detections are designed to help analysts identify early indicators of compromise, spot adversary behavior in progress, and accelerate incident triage with actionable insights.
To follow the threat hunting and detection approach below, the following log sources must be configured.
All alert rules are included in Logpoint’s latest release as well as Logpoint Help Center. Please ensure you have installed the latest Alert Rules version.
Possible Exploitation of CVE-2023-23397
APT28 has been observed exploiting CVE-2023-23397. When this vulnerability is exploited, Outlook initiates an outbound connection. Before initiating the connection, Outlook accesses the NetworkProvider registry key, a step that is not performed during legitimate connections. Therefore, we can use the query below to hunt for such events.
Furthermore, the query below from SigmaHQ can be used to hunt for possible exploitation attempts.
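The registry-then-connection sequence described above, as an added example that is not a Logpoint or SigmaHQ query: it correlates an Outlook NetworkProvider registry access with a following outbound connection from the same process. The normalized event layout, the 30-second window and the internal address ranges are assumptions to adapt per environment.

```python
"""Hunt for the CVE-2023-23397 behaviour described above: outlook.exe touching
the NetworkProvider registry key and then opening an outbound connection shortly
afterwards. Added example, not a Logpoint or SigmaHQ query; the event layout is
an assumed normalized form of registry-access and network-connection logs, and
the internal address ranges are placeholders to adapt per environment."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

WINDOW = timedelta(seconds=30)   # registry access -> connection (assumed)
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]   # assumed corporate ranges

def _ts(value):
    return datetime.fromisoformat(value)

def is_outlook(event):
    return event["image"].lower().endswith("\\outlook.exe")

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def hunt_cve_2023_23397(events, window=WINDOW):
    """One finding per Outlook NetworkProvider registry access followed, within
    `window`, by a connection from the same process to an external address.
    Internal destinations are skipped because ordinary mapped-drive and
    Exchange traffic from Outlook also goes there."""
    ordered = sorted(events, key=lambda e: _ts(e["time"]))
    findings = []
    for i, reg in enumerate(ordered):
        if reg["kind"] != "registry_access" or not is_outlook(reg):
            continue
        if "networkprovider" not in reg["target"].lower():
            continue
        deadline = _ts(reg["time"]) + window
        for net in ordered[i + 1:]:
            if _ts(net["time"]) > deadline:
                break
            if net["kind"] != "network_connect" or net["pid"] != reg["pid"]:
                continue
            if is_internal(net["dest_ip"]):
                continue
            findings.append({"pid": reg["pid"], "registry_key": reg["target"],
                             "dest_ip": net["dest_ip"], "dest_port": net["dest_port"],
                             "seconds_between": (_ts(net["time"]) - _ts(reg["time"])).total_seconds()})
            break   # one finding per registry access
    return findings

OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
NP_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\HwOrder"
# Constructed sample events (not from a real incident); 203.0.113.25 is a
# documentation address standing in for an attacker-controlled server.
EVENTS = [
    {"time": "2025-01-10T09:00:00", "kind": "registry_access", "pid": 4120, "image": OUTLOOK, "target": NP_KEY},
    {"time": "2025-01-10T09:00:02", "kind": "network_connect", "pid": 4120, "image": OUTLOOK,
     "dest_ip": "203.0.113.25", "dest_port": 445},
    {"time": "2025-01-10T09:05:00", "kind": "registry_access", "pid": 5300, "image": OUTLOOK, "target": NP_KEY},
    {"time": "2025-01-10T09:05:01", "kind": "network_connect", "pid": 5300, "image": OUTLOOK,
     "dest_ip": "10.0.0.8", "dest_port": 445},        # internal file server: benign
    {"time": "2025-01-10T09:07:00", "kind": "registry_access", "pid": 7000,
     "image": r"C:\Windows\explorer.exe", "target": NP_KEY},
]

if __name__ == "__main__":
    for finding in hunt_cve_2023_23397(EVENTS):
        print(finding)
```

Only the pid 4120 pair is reported: the pid 5300 connection goes to an internal host and the Explorer registry read has no Outlook image.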
Suspicious child process spawned by Microsoft Office product
Malicious documents are a common initial-access vector across all observed Russian APT groups. Analysts can use the alert Suspicious Child Process Spawned by Microsoft Office Product to hunt for Office applications spawning suspicious child processes, a strong indicator that a weaponized document has been executed.
Macro file creation detected
Likewise, analysts can use the Macro File Creation alert to detect when macro-enabled Office files are created on endpoints, which often indicates that a macro-enabled Office file was opened or executed, creating these files as part of the infection chain.
Hunting for HTML smuggling
APT28, APT29 and Gamaredon have all been observed using HTML smuggling to deliver payloads; Gamaredon, for example, has used XHTML files for HTML smuggling. A practical first-step hunt is to look for .html files created on endpoints.
After the user downloads and opens the HTML payload, the .html file is loaded by the default browser. The hunting query below looks for events where common web browsers such as Internet Explorer, Chrome, Edge, Firefox, or Brave load an HTML file that subsequently drops payloads such as ZIP files onto endpoints.
In observed cases, such as Gamaredon’s campaigns, these HTML files have delivered malicious HTA or LNK payloads containing embedded VBScript downloaders. Analysts can fine-tune the query to identify similar activity, focusing on scenarios where HTML files act as droppers for secondary payloads.
File dropped in suspicious location
Threat actors almost always drop their payloads onto the target system, frequently using writable directories to do so. These paths offer convenient privileges and blend easily with normal application activity. For example, APT28 has been observed placing side-loaded DLLs within the ProgramData directory to establish or maintain persistence. Therefore, the alert File Dropped in Suspicious Location can help analysts hunt for files dropped in suspicious writable directories commonly abused by attackers to stage or execute their payloads.
Process Execution from Suspicious Location
In addition, analysts can use the query below to hunt for process executions originating from these suspicious directories, which often serve as a strong indicator that malware or a dropped payload has been executed from those locations.
Scheduled Task Creation Detected
Threat actors such as APT29 and Gamaredon have been observed using scheduled tasks to maintain persistence within compromised environments. Analysts can use the Scheduled Task Creation Detection alert below to identify newly created scheduled tasks.
Suspicious Scheduled Task Creation
Since the generic alert Scheduled Task Creation Detection above captures every new scheduled task and can generate a large volume of results, analysts can instead use the Suspicious Scheduled Task Creation alert to narrow the focus to tasks originating from locations that are commonly abused by threat actors and malware.
Suspicious Scheduled Task Creation via Masqueraded XML File
According to CISA’s Indicators of Compromise (IOC) section, the threat actor created scheduled tasks using masqueraded XML files. Analysts can detect this specific technique using the Suspicious Scheduled Task Creation via Masqueraded XML File alert.
Autorun Keys Modification Detected
Furthermore, threat actors have been observed adding entries to Autorun registry keys or placing payloads in the Startup folder, a common persistence technique used by both legitimate applications and malware to launch at Windows startup. Analysts can hunt for this activity using the Autorun Keys Modification Detected alert, which monitors registry writes to Run locations and file events in Startup directories.
Hunting for DLL Side Loading
DLL side-loading is a common technique observed across several of the threat actors discussed above. In one notable case, APT29 used this method, loading a malicious DLL to execute its WINELOADER malware. Analysts can use the alert Unsigned DLLs Loaded by Windows Utilities below to hunt for unsigned DLLs loaded by Windows utilities. Threat actors frequently abuse legitimate executables to side-load malicious DLLs, so analysts can modify or extend the query to hunt for this behavior, focusing on processes that load unexpected DLLs or execute from unusual directories.
Unsigned DLLs loaded by Windows Utilities
Analysts can also use the query below to hunt for instances where a suspicious process loads an unsigned DLL from uncommon or writable directories. This serves as a strong indicator of potential DLL side-loading activity. Analysts can adjust the directory paths as needed to align with their environment and reduce noise from legitimate software.
Threat actors also use legitimate binaries to load malicious DLLs, a technique designed to evade detection. Analysts can use the following hunting query to look for DLLs loaded from suspicious locations, which may indicate malicious activity.
Mimikatz Command Line Detected
Mimikatz is a widely used credential-dumping tool observed in the arsenals of APT28, APT29, and Sandworm. Analysts can use the alert Mimikatz Command Line Detected to hunt for common Mimikatz command-line strings and module names.
LSASS Memory Dump Detected
Likewise, analysts should monitor for processes that open lsass.exe with elevated access rights. LSASS stores critical security context such as tokens and authentication material, so unauthorized access to it is a strong indicator of in-memory credential theft or token-harvesting activity. Analysts can use the alert LSASS Memory Dump Detected to hunt for processes accessing LSASS with elevated access.
Reconnaissance using Windows Binaries Detected
All of the above threat actors leverage native Windows binaries to enumerate victim environments. Analysts can use this alert to hunt for such discovery activity by detecting the use of common Windows utilities such as whoami, nltest, net, ipconfig, systeminfo, quser, and netstat that are frequently abused for internal reconnaissance.
Network Share Discovery
APT28 and APT29 have been observed reusing dumped administrator accounts to authenticate over SMB and explore network shares. Analysts can use the Network Share Discovery Attempts alert below to identify potential reconnaissance activity aimed at mapping available shares.
PsExec Tool Execution Detected
APT28 and APT29 have been observed using PsExec for lateral movement. When PsExec connects, it briefly creates a service named Psexecsvc.exe on the target and removes it when the session ends. Analysts can use the alert PsExec Tool Execution Detected below to hunt for the creation and deletion of psexecsvc as an indicator of PsExec.
Impacket’s PsExec, like the Sysinternals version, creates a temporary service on the target to run its payload. In Impacket’s samples, the service name is a 4-character random string of mixed-case letters and the dropped executable is an 8-character mixed-case filename. Analysts can hunt for Impacket PsExec activity by looking for service creations and binaries that match those length-based patterns; the query below uses regex to detect 4-character service names and 8-character executable filenames as indicators of Impacket PsExec usage.
Furthermore, the query below hunts for IPC$ share access and looks for relative-target naming patterns such as stdin and stdout, which remote-execution tools like PsExec create when they open named pipes to forward standard I/O streams.
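The two Impacket PsExec indicators above (length-based service name and binary name, and IPC$ named-pipe access carrying a standard-stream name), as an added example that is not Logpoint's query. The sample events are constructed, the normalized field names are assumed, and the allowlist of legitimate short service names is a placeholder to extend per environment.

```python
"""Hunt for the Impacket psexec.py artefacts described above: a service install
(Event ID 7045) whose name is four random letters and whose binary is an
eight-letter .exe, and IPC$ share access (Event ID 5145) whose relative target
name carries stdin/stdout/stderr. Added example, not Logpoint's query; the
sample events are constructed and the normalized field names are assumed."""
import re

SERVICE_NAME_RE = re.compile(r"^[A-Za-z]{4}$")
SERVICE_BINARY_RE = re.compile(r"^[A-Za-z]{8}\.exe$", re.IGNORECASE)
PIPE_RE = re.compile(r"std(in|out|err)", re.IGNORECASE)
# Legitimate four-letter service names that would otherwise match (assumed list).
KNOWN_SHORT_SERVICES = {"Dhcp"}

def service_binary_name(image_path):
    """Strip arguments and directory: '%SystemRoot%\\kQhYwRpL.exe' -> 'kQhYwRpL.exe'."""
    match = re.match(r'^"?(.*?\.exe)', image_path, re.IGNORECASE)
    exe = match.group(1) if match else image_path.split()[0]
    return exe.rsplit("\\", 1)[-1]

def is_impacket_service(event, allowlist=KNOWN_SHORT_SERVICES):
    """Both the name and the binary must match; either alone is too noisy."""
    if event["event_id"] != 7045 or event["service_name"] in allowlist:
        return False
    return bool(SERVICE_NAME_RE.match(event["service_name"])
                and SERVICE_BINARY_RE.match(service_binary_name(event["image_path"])))

def is_remote_exec_pipe(event):
    """IPC$ access whose relative target looks like a forwarded std I/O pipe."""
    if event["event_id"] != 5145 or not event["share_name"].upper().endswith("\\IPC$"):
        return False
    return PIPE_RE.search(event["relative_target"]) is not None

def hunt_impacket_psexec(events):
    findings = []
    for event in events:
        if is_impacket_service(event):
            findings.append({"host": event["host"], "indicator": "impacket_service",
                             "detail": f'{event["service_name"]} -> {event["image_path"]}'})
        elif is_remote_exec_pipe(event):
            findings.append({"host": event["host"], "indicator": "remote_exec_pipe",
                             "detail": f'{event["source_ip"]} {event["relative_target"]}'})
    return findings

def hosts_with_both(findings):
    """Hosts showing the service artefact and the pipe artefact: highest confidence."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["indicator"])
    return {h for h, kinds in by_host.items() if len(kinds) == 2}

# Constructed sample events (not from a real incident).
EVENTS = [
    {"event_id": 7045, "host": "FS01", "service_name": "kXqT",
     "image_path": r"%SystemRoot%\kQhYwRpL.exe"},
    {"event_id": 7045, "host": "FS01", "service_name": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},
    {"event_id": 7045, "host": "WS07", "service_name": "Dhcp",
     "image_path": r"C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted"},
    {"event_id": 5145, "host": "FS01", "share_name": r"\\*\IPC$",
     "relative_target": "RemCom_stdin4120", "source_ip": "10.1.2.3"},
    {"event_id": 5145, "host": "FS01", "share_name": r"\\*\IPC$",
     "relative_target": "srvsvc", "source_ip": "10.1.2.9"},
    {"event_id": 5145, "host": "WS07", "share_name": r"\\*\C$",
     "relative_target": r"Users\alice\stdout.txt", "source_ip": "10.1.2.9"},
]

if __name__ == "__main__":
    hits = hunt_impacket_psexec(EVENTS)
    for hit in hits:
        print(hit)
    print("hosts with both indicators:", hosts_with_both(hits))
```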
Network Connection to Suspicious Server
Many threat actors abuse cloud storage and file-sharing services for stealthy data exfiltration; Telegram’s API is also frequently misused. Analysts can use the Network Connection to Suspicious Server alert to hunt for outbound connections to known public file hosts and paste services such as Dropbox, Mega, MediaFire, Pastebin.
Furthermore, Sandworm and Gamaredon have been observed using Dropbox as an exfiltration channel. Analysts can use the query below to hunt for data exfiltration, tuning the sent_datasize threshold to flag likely exfiltration activity.
As mentioned in the sections above, these threat actors have frequently abused native Windows utilities such as mshta.exe, rundll32.exe, regsvr32.exe, and certutil.exe to execute malicious code or download payloads under the guise of legitimate system activity. Moving forward, we’ll explore how analysts can detect and hunt for the abuse of these binaries using targeted queries and behavioral indicators.
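The threshold-based Dropbox exfiltration hunt above, as an added example that is not Logpoint's query: it sums bytes sent per source host and cloud-storage destination inside a sliding window and reports the first crossing of the threshold. The proxy/firewall record layout (sent_datasize, destination_host), the default 100 MB threshold and the one-hour window are assumptions to tune per environment.

```python
"""Sum outbound bytes per source host and cloud-storage destination inside a
sliding time window and flag totals over a tunable threshold, the Dropbox
exfiltration hunt sketched above. Added example, not Logpoint's query; the
proxy/firewall record layout (sent_datasize, destination_host) and the default
threshold and window are assumptions to tune per environment."""
from collections import defaultdict
from datetime import datetime, timedelta

# Destination domains treated as cloud-storage exfiltration channels (suffix match).
EXFIL_DOMAINS = ("dropbox.com", "dropboxapi.com")
MB = 1024 * 1024

def is_exfil_destination(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in EXFIL_DOMAINS)

def hunt_cloud_exfil(records, threshold_bytes=100 * MB, window=timedelta(hours=1)):
    """Return one finding per (source_host, destination_host) pair whose bytes
    sent within any `window` reach `threshold_bytes`; lower the threshold to
    catch slower trickle uploads, raise it to suppress routine sync traffic."""
    by_pair = defaultdict(list)
    for r in records:
        if is_exfil_destination(r["destination_host"]):
            by_pair[(r["source_host"], r["destination_host"].lower())].append(
                (datetime.fromisoformat(r["time"]), int(r["sent_datasize"])))
    findings = []
    for (src, dst), items in by_pair.items():
        items.sort()
        start, total = 0, 0
        for end, (ts, size) in enumerate(items):
            total += size
            while ts - items[start][0] > window:   # slide the window forward
                total -= items[start][1]
                start += 1
            if total >= threshold_bytes:
                findings.append({"source_host": src, "destination_host": dst,
                                 "bytes_sent": total, "connections": end - start + 1,
                                 "window_start": items[start][0].isoformat(),
                                 "window_end": ts.isoformat()})
                break   # report the first crossing only
    return findings

# Constructed sample records (not from a real incident).
RECORDS = [
    {"time": "2025-01-10T09:00:00", "source_host": "WS07", "destination_host": "content.dropboxapi.com", "sent_datasize": 40 * MB},
    {"time": "2025-01-10T09:10:00", "source_host": "WS07", "destination_host": "content.dropboxapi.com", "sent_datasize": 45 * MB},
    {"time": "2025-01-10T09:20:00", "source_host": "WS07", "destination_host": "content.dropboxapi.com", "sent_datasize": 50 * MB},
    {"time": "2025-01-10T09:00:00", "source_host": "WS02", "destination_host": "www.dropbox.com", "sent_datasize": 200 * 1024},
    {"time": "2025-01-10T14:00:00", "source_host": "WS02", "destination_host": "www.dropbox.com", "sent_datasize": 200 * 1024},
    {"time": "2025-01-10T09:05:00", "source_host": "WS07", "destination_host": "notdropbox.com", "sent_datasize": 500 * MB},
]

if __name__ == "__main__":
    for finding in hunt_cloud_exfil(RECORDS):
        print(finding)
```

WS07 crosses 100 MB on its third upload; WS02's small sync traffic and the look-alike domain are ignored.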
Suspicious MSHTA Process Pattern
Analysts can use the alert Suspicious MSHTA Process Pattern to hunt for anomalous mshta.exe activity. It flags cases where mshta.exe is launched by a non-standard parent process (for example cmd.exe, powershell.exe, regsvr32.exe, rundll32.exe or explorer.exe), or where mshta.exe itself spawns suspicious children such as cmd, powershell, wscript or cscript, or executes HTA/VBS/HTTP commands.
Regsvr32 Anomalous Activity Detected
Analysts can use the alert Regsvr32 Anomalous Activity to hunt for suspicious regsvr32.exe usage, such as executions from non-system, temp or user paths, invocations with the /i switch, remote http/ftp arguments, launches by scripting or Office parents such as PowerShell, mshta or Excel, or chains that lead to wscript/cscript.
Suspicious CertUtil Command Detected
Analysts can use the Suspicious CertUtil Command Detected alert to hunt for suspicious certutil command lines used for the file download or encoding tasks often performed by attackers.
Suspicious Rundll32 Activity Detected
Analysts can use the alert Suspicious Rundll32 Activity Detected to hunt for suspicious processes related to the rundll32 system binary based on its command-line arguments.
Suspicious PowerShell Parameter Substring Detected
PowerShell is heavily abused by threat actors, and all the APT groups discussed have used it for various stages of their operations. Because of its frequent misuse, organizations should actively monitor PowerShell activity for suspicious command strings. Analysts can use the alert Suspicious PowerShell Parameter Substring Detected to hunt for common malicious PowerShell patterns such as encoded commands, bypass flags, inbound remote script execution and base64 payloads, which often indicate an attacker-driven PowerShell chain.
Usage of Web Request Command
Analysts can also hunt for web requests made via PowerShell, a common fileless delivery method observed in APT28 and Gamaredon operations. The alert Usage of Web Request Command flags PowerShell network activity and script-block uses that often indicate remote-download or fileless loader behavior.
Suspicious File Execution Using Wscript or Cscript
Lastly, analysts can use the Suspicious File Execution Using Wscript or Cscript alert to hunt for script-based execution chains (JavaScript, VBS, HTA/JSE), which have been observed frequently in APT28, APT29 and Gamaredon campaigns.
APT29 has persistently targeted Microsoft 365 and Azure, abusing service principals, MFA flows, and audit/logging controls to maintain stealthy access. Analysts can use the alerts below to detect or hunt for such behaviors.
Entra ID User Consent Denied for OAuth Application
APT29 has weaponized OAuth by creating or compromising OAuth applications (and even provisioning accounts to grant consent) to obtain app-level mailbox access and long-lived tokens in Microsoft 365. Analysts can use the alert Entra ID User Consent Denied for OAuth Application to look for instances where a user declines an OAuth app’s permission request, a useful indicator because users will often deny consent for unfamiliar or suspicious apps.
Entra ID Suspicious Permission Granted to Application
Furthermore, analysts can use the alert Entra ID Suspicious Permission Granted to Application to detect when a user has granted consent to an application that requests suspicious privileges. This alert highlights risky permissions, for example read/send mail, read/write files, full application control, role management or privilege escalation abilities, and rights to delete users, any of which can indicate OAuth-based compromise and should trigger further investigation.
Entra ID Device Code Authentication Detected
Analysts can use the alert Entra ID Device Code Authentication Detected to hunt for suspicious device-flow authentications, a technique APT29 has abused to bypass interactive MFA and obtain OAuth tokens.
If Entra ID sign-in logs are being forwarded through Azure Log Analytics, it becomes possible to detect device code sign-ins more reliably. The following query can be used to identify such events.
Microsoft Purview Audit Disabled
APT29 has been observed tampering with Microsoft 365 audit controls, including disabling Purview, Advanced Auditing and Unified Audit Logging, to obscure mailbox and Graph API access. Analysts can use the Microsoft Purview Audit Disabled alert to hunt for instances where a user’s Microsoft Purview Audit subscription is disabled.
Microsoft 365 Unified Audit Logging Disabled
Furthermore, analysts can use the alert Microsoft 365 Unified Audit Logging Disabled to hunt for instances where Unified Audit Logging in Microsoft 365 is disabled.
Conduct Security Awareness Training Regularly
Social engineering techniques such as phishing, smishing, pretexting, and baiting deceive employees into downloading and executing malware, disclosing confidential information, or performing unauthorized actions. To combat these threats, organizations should train employees regularly on recognizing and responding to social engineering attacks such as phishing emails, including simulated exercises that mimic real-world scenarios. These simulations assist in identifying susceptible employees, and organizations can provide them with the additional training and support they require in the future to recognize and respond to such threats.
Furthermore, if employees suspect they have been the victim of a social engineering attack, a formal process or path should be provided for them to report it, including alerting the appropriate authorities and taking immediate steps to contain the incident and minimize any potential damage.
Deploy EDR and NDR solutions
Organizations should deploy endpoint detection and response (EDR) agents to continuously monitor system behavior, suspicious processes, and persistence mechanisms, while also leveraging network detection and response (NDR) to surface lateral movement, command-and-control traffic, and data exfiltration that might evade endpoint controls. Integrating both perspectives raises detection coverage and contextual insight.
Adopt a Defense-in-Depth Strategy
Organizations should implement a comprehensive Defense-in-Depth strategy to strengthen overall security posture. This approach layers multiple, independent security controls including endpoint detection and response (EDR), Security Information and Event Management (SIEM), network segmentation, identity and access management, and email or web filtering across the infrastructure. By combining these overlapping defenses, organizations can detect, contain, and mitigate threats at multiple stages of an attack, significantly reducing the likelihood and impact of a successful compromise.
Keep Software Updated
Organizations must ensure that operating systems, applications, firmware, and security controls are patched routinely, with priority given to vulnerabilities that are actively exploited or pose high risk. In scenarios where patches are delayed, organizations should apply vendor-recommended mitigations or configuration hardening to reduce exposure. Maintaining an accurate software inventory supports timely risk triage and compliance oversight.
Network Segmentation and Zero Trust Architecture
Organizations should design their network architecture following a Zero Trust and micro-segmentation approach, where no user, device, or workload is implicitly trusted. Networks should be divided into logical zones such as user workstations, servers, domain controllers, and backup environments with strict access controls and continuous verification between each segment. High-value assets, including domain controllers, mail servers, and backup repositories, must be isolated behind additional layers of defense such as firewalls, jump hosts, or dedicated management networks. Implementing Zero Trust principles alongside micro-segmentation significantly reduces the lateral movement of threats, ensuring that even if one segment is compromised, the overall impact remains contained.
Implement Strong Password Policies
Organizations should establish and maintain robust password policies to strengthen overall security. These policies should require a minimum password length of at least eight characters and enforce account lockouts after a defined number of failed login attempts. It is advisable to avoid mandating frequent password resets, limiting them to no more than once per year, as excessive resets can lead to weaker password practices. Additionally, organizations should implement controls to validate new passwords against known lists of common or compromised credentials, ensuring that all passwords maintain sufficient strength and integrity.
Enhance Logging and Visibility
Organizations must collect and centralize logs across endpoints, servers, network devices, and cloud environments, with policies to retain data for at least six months or longer if regulatory requirements dictate. Correlated and enriched logs should feed into SIEM or analytics platforms, supporting real-time detection and threat hunting. Structured log retention ensures forensic readiness after incidents.
Exercise incident-response readiness
Organizations should maintain a clearly defined incident response plan to ensure swift and effective action during security incidents. Equally important is the regular execution of incident response exercises and simulations to assess organizational readiness. These drills help identify weaknesses in existing procedures, enhance coordination among response teams, and strengthen the organization’s overall ability to contain and recover from cyber incidents.