
GRU-Linked APT28 Utilizes MooBot Botnet and Compromised EdgeRouters for Cyber Operations


GRU-Linked APT28 Adopts New Cyber Tactics Utilizing MooBot Botnet and Compromised EdgeRouters

A significant operational shift has been observed in the cyber activities of the GRU-linked hacker group APT28, commonly referred to by various names including Fancy Bear, Sofacy, Forest Blizzard, and Pawn Storm. This evolution in strategy merges the capabilities of the MooBot botnet with compromised EdgeRouters, thereby enabling the group to mount more resilient cyber operations.

This pivot highlights APT28’s enduring focus on targets pertinent to NATO, Ukraine, and critical infrastructure. By transferring essential capabilities away from traditional cloud Virtual Private Servers (VPS) and conventional hosting models to the network edge, the group harnesses compromised consumer and small-office routers. These infected routers serve as discreet and geographically widespread platforms for a variety of malicious activities, including credential harvesting, proxy operations, and the hosting of harmful payloads.

Analysis conducted from 2022 to 2026 reveals that APT28 has adeptly repurposed the MooBot family, initially known as a criminal botnet impacting Ubiquiti EdgeRouter devices, to serve as an operational substrate. Infected EdgeRouters act as enduring footholds and service nodes for the intrusion set, enabling them to relay harvested Net-NTLMv2 hashes that are captured through a weaponized Outlook zero-click exploit chain.

The group has also developed sophisticated techniques to manipulate proxy authentication flows, facilitating mailbox takeovers. They host credential-phishing landing pages on residential IPs, a strategy designed to evade reputation filters, while lightweight Python scripts are employed to scrape webmail or bypass second-factor authentication requirements.

The Threat Detection & Research (TDR) team at Sekoia has been closely monitoring APT28’s activity for several years. Comprised of experts in cyber threats, the team recognizes this intrusion set as a significant concern, particularly because it is publicly attributed to the GRU’s Unit 26165—a branch of Russia’s military intelligence.

In response to heightened scrutiny, the FBI-led operation known as Dying Ember attempted to disrupt APT28’s activities. Advisories from this operation uncovered a multitude of compromised EdgeRouters; however, subsequent telemetry from private cybersecurity vendors indicated that many of these devices remained exploited. This reality underscores the challenges associated with completely eradicating edge-based infrastructures from malicious control.

At the same time, APT28 expanded upon its edge-related strategies through the FrostArmada campaign, targeting MikroTik and TP-Link devices. The adversary has been observed to rewrite DHCP and DNS settings on these routers, redirecting clients to DNS resolvers under their control. This maneuver enables an adversary-in-the-middle (AitM) scenario for services such as Microsoft 365.

Such DNS hijacking practices facilitate the funneling of authentication traffic through APT28’s nodes where OAuth tokens and other authentication data can be extracted. This method provides long-term access to compromised networks without the necessity for deploying overly cumbersome implants.

Telemetry data from Lumen Black Lotus Labs and Microsoft in 2026 identified tens of thousands of unique IPs connected to hundreds of affected organizations, emphasizing the scale that can be achieved when adversaries weaponize common Customer Premises Equipment (CPE) devices.

The shift to an edge-centric operational posture offers several tactical advantages. One of the primary benefits is that residential and small-business IP addresses blend seamlessly with legitimate internet traffic, complicating detection mechanisms that rely on IP-blocking and other abuse-based mitigation strategies.

Furthermore, techniques employed directly on routers minimize forensic footprints on compromised hosts, allowing the group to intercept authentication flows while employing lightweight automation for credential extraction. The distributed nature of this operational framework enhances resilience against law enforcement intervention. Even after portions of the MooBot infrastructure are disrupted, APT28 continues to sustain its operations with actor-controlled VPS, various botnets, and improperly secured consumer devices.

The technical evolution of these edge tactics undeniably ties back to APT28’s historical methods. Their use of zero-click exploits to garner Net-NTLMv2 hashes and the subsequent relaying of this data through compromised routers continues to echo earlier tactics that involved leveraging intermediary infrastructure for data exfiltration.

Recent campaigns, including Operation Phantom Net Voxel, RoundPress, and the LameHug LLM-assisted infostealer, illustrate APT28’s dual approach. The group combines robust in-house implants with ephemeral, mission-oriented components, further enhancing their operational efficacy.

The techniques associated with EdgeRouters and the FrostArmada initiative serve to multiply these capabilities, allowing APT28 to create scalable interception and proxy layers that complement various activities, including spear-phishing, server-side webmail cross-site scripting (XSS) intrusions, and specialized backdoors like BeardShell and Slimagent.

Given these developments, organizations and network owners must prioritize securing their CPE. Ensuring the use of strong router credentials, applying frequent vendor firmware updates, and disabling unnecessary remote management features are essential. Additionally, vigilance in monitoring for peculiar outbound SMB/NTLM authentications, unanticipated DNS resolver changes, and the presence of residential IPs facilitating credential collection is crucial.
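Two of the monitoring points above (outbound SMB/NTLM to the internet, and DHCP leases that advertise an unexpected resolver) can be checked with a few lines over exported logs. The script below is an added illustration, not code from Sekoia or the article; the log formats, addresses and the expected-resolver set are constructed for the example.

```python
import ipaddress

# Constructed sample lines (not from the article): a key=value firewall export
# and a DHCP log that records the DNS servers each lease handed to the client.
FIREWALL_LOG = """\
2026-03-01T08:12:03Z fw allow src=10.0.5.21 dst=10.0.5.2 proto=tcp dport=445
2026-03-01T08:12:09Z fw allow src=10.0.5.21 dst=203.0.113.77 proto=tcp dport=445
2026-03-01T08:13:40Z fw allow src=10.0.5.33 dst=198.51.100.9 proto=tcp dport=443
2026-03-01T08:14:02Z fw allow src=10.0.5.33 dst=198.51.100.9 proto=tcp dport=139
"""
DHCP_LOG = """\
2026-03-01T07:59:10Z dhcp lease client=10.0.5.21 dns=10.0.5.2,10.0.5.3
2026-03-01T08:10:55Z dhcp lease client=10.0.5.33 dns=203.0.113.53,10.0.5.2
"""

# Assumed organisation values: the resolvers it really operates and its RFC1918 space.
EXPECTED_DNS = {"10.0.5.2", "10.0.5.3"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {139, 445}

def _fields(line):
    """Turn the key=value tokens after '<timestamp> <source> <action>' into a dict."""
    return dict(tok.split("=", 1) for tok in line.split()[2:] if "=" in tok)

def smb_egress_alerts(log):
    """Internal hosts speaking SMB to a non-internal address: a hash-leak/relay indicator."""
    alerts = []
    for line in log.splitlines():
        f = _fields(line)
        dst = ipaddress.ip_address(f["dst"])
        external = not any(dst in net for net in INTERNAL_NETS)
        if f.get("proto") == "tcp" and int(f["dport"]) in SMB_PORTS and external:
            alerts.append((f["src"], f["dst"], int(f["dport"])))
    return alerts

def rogue_resolver_alerts(log, expected=EXPECTED_DNS):
    """Leases advertising a DNS server outside the expected set: router DHCP/DNS rewrite."""
    alerts = []
    for line in log.splitlines():
        f = _fields(line)
        rogue = sorted(set(f["dns"].split(",")) - expected)
        if rogue:
            alerts.append((f["client"], rogue))
    return alerts

if __name__ == "__main__":
    for a in smb_egress_alerts(FIREWALL_LOG):
        print("SMB egress:", a)
    for a in rogue_resolver_alerts(DHCP_LOG):
        print("Rogue resolver:", a)
```

Feeding real firewall and DHCP exports through the same two functions turns the article's advice into a repeatable check rather than a manual review.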

Collaboration among vendors, national Computer Emergency Response Teams (CERTs), and law enforcement agencies remains imperative. Past cooperative efforts, such as those involving the FBI, NSA, and Microsoft, have led to takedowns and security advisories. However, these actions have not completely eliminated the ongoing threat posed by APT28, highlighting the necessity for continuous vigilance and proactive measures within the cybersecurity landscape.
