ctipilot.ch

APT28 (GRU Unit 26165) — Sekoia documents a shift to LLM-generated payloads and cloud-native C2 `[SINGLE-SOURCE]`

From CTI Weekly Summary — 2026-W24 (Jun 08 – Jun 14, 2026) · published 2026-06-14

key: campaign:apt28-tradecraft-evolution-2026. Sekoia's tradecraft-evolution retrospective (covered in the 06-14 daily) is worth tracking as a forward indicator rather than as a single incident: the 2025–2026 tooling shows LLM-generated payloads (the LameHug stealer), cloud-native command-and-control (BeardShell), and router DNS-hijack persistence (FrostArmada), per Sekoia. The status-update value lies in the direction of travel: a top-tier Russian state operator is now industrialising LLM-assisted payload generation, which raises the baseline volume and variability of what defenders will see. This is single-source (Sekoia TDR) and reported as the actor's TTPs, not as new incidents — track it as a capability trend, not an active breach.