ctipilot.ch

Sekoia: APT28 (GRU Unit 26165) tradecraft shifts to LLM-generated payloads and cloud-native C2 [SINGLE-SOURCE]

From CTI Daily Brief — 2026-06-14 · published 2026-06-14

Sekoia's Threat Detection & Research team published a tradecraft-evolution retrospective on APT28 (Fancy Bear / Forest Blizzard), and the operationally relevant material is the 2025–2026 tooling (Sekoia TDR, 2026-06-11). Three developments stand out for European defenders. LameHug is the first documented APT28 infostealer that delegates its logic to a large language model: base64-encoded prompts are sent to Alibaba's Qwen 2.5-Coder model via the Hugging Face inference API to generate collection and exfiltration code on the fly, observed against Ukrainian government targets — meaning the malicious behaviour is not statically present in the binary. BeardShell is a C++ backdoor that rotates its command-and-control across consumer cloud-storage providers (Koofr, Icedrive, Filen), defeating domain/IP blocklisting because the traffic is ordinary HTTPS to legitimate services. FrostArmada (April 2026) is a SOHO-router DNS-hijack campaign — 18,000-plus unique IPs across 120-plus countries — that rewrites DHCP/DNS on MikroTik and TP-Link devices to mount adversary-in-the-middle attacks against Microsoft 365 sign-ins (T1557 Adversary-in-the-Middle, T1071.001 Web Protocols for the cloud C2). Sekoia notes APT28's GooseEgg implant (CVE-2022-38028) ran for roughly five years before public disclosure — a reminder that current tools likely carry a similar blind-spot horizon.

Why it matters to us: NATO European ministries, defence suppliers and critical-infrastructure operators are named in the targeting. The detection priorities are concrete and IoC-free: hunt cloud-storage beaconing to Koofr/Icedrive/Filen from non-user workstations, alert on outbound traffic to Hugging Face inference endpoints from Windows hosts, monitor MikroTik/TP-Link DNS-setting changes in network-device logs, and treat Office documents delivered through Signal Desktop as a Mark-of-the-Web bypass risk, since Sekoia notes APT28 uses the messenger to deliver Office lures that arrive without that protection.
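Two of the IoC-free hunts above (cloud-storage beaconing from non-user hosts, and LLM inference traffic from Windows endpoints) expressed as detection logic over proxy records, added here as an illustration rather than code from Sekoia or from this brief; the log format, the host-role map and the provider domain suffixes are assumptions, and the sample records are constructed.

```python
import re

# Watchlists derived from the detection priorities in the brief.
# Domain suffixes are assumptions for illustration, not indicators from the Sekoia report.
CLOUD_STORAGE_SUFFIXES = ("koofr.net", "icedrive.net", "filen.io")
LLM_INFERENCE_SUFFIXES = ("huggingface.co",)
# Roles nobody drives interactively (constructed; in production drawn from the CMDB).
# Consumer cloud storage contacted from such hosts is the anomaly, not the destination itself.
NON_USER_ROLES = {"server", "dc", "jump"}

# Assumed proxy record layout: "<ts> host=<name> role=<role> os=<os> dst=<hostname>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) role=(?P<role>\S+) os=(?P<os>\S+) dst=(?P<dst>\S+)$"
)


def _matches(hostname, suffixes):
    """True when hostname is one of the suffixes or a subdomain of one (exact label match)."""
    h = hostname.lower()
    return any(h == s or h.endswith("." + s) for s in suffixes)


def triage(lines):
    """Return (rule_name, host, destination) for every record that trips a rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable record; count these separately in production
        host, role, os_, dst = m["host"], m["role"], m["os"].lower(), m["dst"]
        # BeardShell-style C2: cloud-storage provider contacted by a host no user sits at
        if role in NON_USER_ROLES and _matches(dst, CLOUD_STORAGE_SUFFIXES):
            hits.append(("cloud_storage_beacon_non_user_host", host, dst))
        # LameHug-style: a Windows endpoint talking to an LLM inference API
        if os_.startswith("windows") and _matches(dst, LLM_INFERENCE_SUFFIXES):
            hits.append(("llm_inference_from_windows_host", host, dst))
    return hits


# Constructed sample records (not from the report); only the first and third should alert.
SAMPLE_LOGS = [
    "2026-06-12T08:01:02Z host=fs01 role=server os=windows-server dst=app.koofr.net",
    "2026-06-12T08:01:07Z host=ws-paul role=workstation os=windows-11 dst=app.koofr.net",
    "2026-06-12T08:02:11Z host=ws-anna role=workstation os=windows-11 dst=api-inference.huggingface.co",
    "2026-06-12T08:02:40Z host=ml-gpu01 role=workstation os=ubuntu dst=api-inference.huggingface.co",
    "2026-06-12T08:03:00Z host=dc01 role=dc os=windows-server dst=update.microsoft.com",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOGS):
        print(hit)
```

Both rules are whitelist-free by design: a user workstation syncing to Koofr and a Linux ML box calling Hugging Face are expected and stay silent, which keeps the alert volume tied to the two behaviours the brief singles out.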