ctipilot.ch

APT28 (GRU Unit 26165) tradecraft evolution — LameHug LLM-driven stealer, BeardShell cloud C2, FrostArmada router DNS hijack (Sekoia)

campaign · campaign:apt28-tradecraft-evolution-2026

Coverage timeline: 2 appearances · first 2026-06-14 → last 2026-06-14
Briefs: 2 (2 distinct)
Sources cited: 23 (22 hosts)
Sections touched: 2 (research, weekly_summary)
Co-occurring entities: 8

Story timeline

  1. 2026-06-14 · CTI Daily Brief — 2026-06-14 · research
     First coverage of Sekoia retrospective. LameHug = first APT28 stealer generating exfil code at runtime via Qwen on HuggingFace API; BeardShell C2 over Koofr/Icedrive/Filen; FrostArmada MikroTik/TP-Link DNS hijack AiTM vs M365 (18k+ IPs). T1557/T1071.001. EU gov/defense/CI targeting. SINGLE-SOURCE (Sekoia primary research).
  2. 2026-06-14 · CTI Weekly Summary — 2026-W24 (Jun 08 – Jun 14, 2026) · weekly_summary
     Consolidated in § 7; LLM-generated payloads + cloud-native C2 (Sekoia)

Where this entity is cited

  • research (1)
  • weekly_summary (1)

Source distribution

  • cisa.gov: 2 (9%)
  • blog.sekoia.io: 1 (4%)
  • heise.de: 1 (4%)
  • lemonde.fr: 1 (4%)
  • meduza.io: 1 (4%)
  • msrc.microsoft.com: 1 (4%)
  • nvd.nist.gov: 1 (4%)
  • spiegel.de: 1 (4%)
  • other: 14 (61%)


Items in briefs about APT28 (GRU Unit 26165) tradecraft evolution — LameHug LLM-driven stealer, BeardShell cloud C2, FrostArmada router DNS hijack (Sekoia) (8)

APT28 (GRU Unit 26165) — Sekoia documents a shift to LLM-generated payloads and cloud-native C2 [SINGLE-SOURCE]

From CTI Weekly Summary — 2026-W24 (Jun 08 – Jun 14, 2026) · published 2026-06-14

key: campaign:apt28-tradecraft-evolution-2026. Sekoia's tradecraft-evolution retrospective (covered in the 06-14 daily) is worth tracking as a forward indicator rather than a single incident: the 2025–2026 tooling shows LLM-generated payloads (the LameHug stealer), cloud-native command-and-control (BeardShell), and router DNS-hijack persistence (FrostArmada) (Sekoia). The status-update value is the direction of travel: a top-tier Russian state operator is now industrialising LLM-assisted payload generation, which raises the baseline volume and variability of what defenders will see. Single-source (Sekoia TDR) and reported as the actor's TTPs, not new incidents — track it as a capability trend, not an active breach.

Sekoia: APT28 (GRU Unit 26165) tradecraft shifts to LLM-generated payloads and cloud-native C2 [SINGLE-SOURCE]

From CTI Daily Brief — 2026-06-14 · published 2026-06-14

Sekoia's Threat Detection & Research team published a tradecraft-evolution retrospective on APT28 (Fancy Bear / Forest Blizzard), and the operationally relevant material is the 2025–2026 tooling (Sekoia TDR, 2026-06-11). Three developments stand out for European defenders. LameHug is the first documented APT28 infostealer that delegates its logic to a large language model: base64-encoded prompts are sent to Alibaba's Qwen 2.5-Coder model via the Hugging Face inference API to generate collection and exfiltration code on the fly, observed against Ukrainian government targets — meaning the malicious behaviour is not statically present in the binary. BeardShell is a C++ backdoor that rotates its command-and-control across consumer cloud-storage providers (Koofr, Icedrive, Filen), defeating domain/IP blocklisting because the traffic is ordinary HTTPS to legitimate services. FrostArmada (April 2026) is a SOHO-router DNS-hijack campaign — 18,000-plus unique IPs across 120-plus countries — that rewrites DHCP/DNS on MikroTik and TP-Link devices to mount adversary-in-the-middle attacks against Microsoft 365 sign-ins (T1557 Adversary-in-the-Middle, T1071.001 Web Protocols for the cloud C2). Sekoia notes APT28's GooseEgg implant (CVE-2022-38028) ran for roughly five years before public disclosure — a reminder that current tools likely carry a similar blind-spot horizon.

Why it matters to us: NATO European ministries, defence suppliers and critical-infrastructure operators are named in the targeting. The detection priorities are concrete and IoC-free: hunt cloud-storage beaconing to Koofr/Icedrive/Filen from non-user workstations, alert on outbound traffic to Hugging Face inference endpoints from Windows hosts, monitor MikroTik/TP-Link DNS-setting changes in network-device logs, and treat Office documents delivered through Signal Desktop as a Mark-of-the-Web bypass risk — Sekoia notes APT28 uses the messenger to deliver Office lures that arrive without the Mark-of-the-Web protection.
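Added example, not code from Sekoia or from the brief, implementing the first two hunts above over constructed proxy log lines; the provider hostnames (koofr.net, icedrive.net, filen.io, huggingface.co), the srv- naming convention for non-user hosts, the log field layout and the beacon jitter threshold are all assumptions to adapt to your own telemetry.

```python
from collections import defaultdict
from datetime import datetime

# Provider hostnames are an assumption for this example; map them to what your proxy logs show.
CLOUD_STORAGE = ("koofr.net", "icedrive.net", "filen.io")
HF_INFERENCE = ("huggingface.co",)
SERVER_PREFIX = "srv-"        # assumed naming convention for non-user hosts

# Constructed proxy log lines: ts src_host os dst_host
SAMPLE_LOG = """\
2026-06-14T08:00:01Z fin-ws-017 windows app.koofr.net
2026-06-14T08:05:02Z fin-ws-017 windows app.koofr.net
2026-06-14T08:10:03Z fin-ws-017 windows app.koofr.net
2026-06-14T08:10:09Z fin-ws-017 windows api-inference.huggingface.co
2026-06-14T08:11:00Z hr-ws-204 windows drive.filen.io
2026-06-14T08:12:44Z srv-dc-01 windows-server drive.filen.io
2026-06-14T08:13:10Z ml-gpu-02 linux api-inference.huggingface.co
"""

def _matches(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)

def parse(log_text):
    """Yield (datetime, src_host, os, dst_host); malformed lines are skipped."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        ts, src, os_name, dst = fields
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), src, os_name, dst

def hunt(log_text, min_beacons=3, jitter_s=30):
    """Return a sorted list of (rule, src_host, dst_host) findings."""
    findings = set()
    series = defaultdict(list)          # (src, dst) -> timestamps of cloud-storage hits
    for ts, src, os_name, dst in parse(log_text):
        if _matches(dst, CLOUD_STORAGE):
            series[(src, dst)].append(ts)
            if src.startswith(SERVER_PREFIX):
                findings.add(("cloud_storage_from_server", src, dst))
        if _matches(dst, HF_INFERENCE) and os_name.startswith("windows"):
            findings.add(("hf_inference_from_windows", src, dst))
    # Beacon heuristic: >= min_beacons hits with near-constant spacing (BeardShell-style polling).
    for (src, dst), stamps in series.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= min_beacons and gaps and max(gaps) - min(gaps) <= jitter_s:
            findings.add(("cloud_storage_beacon", src, dst))
    return sorted(findings)
```

A single user-workstation upload to a cloud drive is deliberately not flagged on its own; only regular polling, server-class sources, or Windows hosts reaching the inference API surface as findings.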

ABW (Poland) 2025 Annual Report — APT28/APT29/UNC1151 tri-attribution on small-municipal water facilities

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

ABW's 2025 Annual Report (published 2026-05-07) is the only annual report this week that combines new ground-truth attribution detail with explicit regulatory-coverage-gap framing. The five named municipal water facilities (Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, Sierakowo) all sit below the NIS2 essential-entity headcount threshold. ABW formally attributes initial access and persistence to APT28 (GRU), intelligence-collection overlay at Jabłonna Lacka to APT29 (SVR), and a disinformation overlay (fabricated leak documents purporting contamination data) to UNC1151 (Belarusian, Ghostwriter-affiliated) — granular tri-attribution materially beyond the "pro-Russian hacktivist" framing in initial reporting. ABW is recommending legislative action to extend NIS2 obligations to critical-function entities regardless of headcount. The cross-finding pattern for Swiss / EU public-sector readers: small municipal CI operators sit below regulatory coverage but inside hostile-state targeting; expect more regulator-side movement on this gap in coming weeks (daily 2026-05-09 UPDATE).

APT28 / APT29 / UNC1151 (Polish water OT)

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

Current state: ABW 2025 Annual Report (2026-05-07 publication, covered 2026-05-09) is the formal-attribution development this week. Per SecurityWeek's coverage of the ABW report, the campaign against the five small Polish municipal water facilities is attributed to APT28 (GRU) and APT29 (SVR) — with UNC1151 (Belarusian-linked) named in the same attribution discussion. The granular per-facility breakdown and disinformation-overlay specifics carried in the daily 2026-05-09 UPDATE trace back to the Polish-language ABW report itself rather than the English secondary coverage; defenders relying on the English reporting should treat the actor-cluster trio as attributed jointly without per-facility specificity unless the ABW primary is consulted. The same APT28 cluster is in active operation against EU government ministries via CVE-2026-32202 (Windows Shell NTLM coercion, § 3). Outstanding defender question: whether ABW-recommended NIS2 expansion to critical-function entities below the headcount threshold gains EU-level momentum in coming weeks.

Bauman University "Department No. 4" — leaked GRU cyber-operator training pipeline reveals direct line to Sandworm and APT28 operations against European targets

From CTI Daily Brief — 2026-05-10 · published 2026-05-10

A six-publisher investigative consortium (The Insider, The Guardian, Le Monde, Der Spiegel, VSquare, Frontstory) published more than 2 000 leaked internal documents from Bauman Moscow State Technical University on 2026-05-07 detailing a structured GRU recruitment-and-training pipeline operating under the cover of "Department No. 4 — Special Training" (Meduza (English), 2026-05-07 · The Guardian, 2026-05-07 · Le Monde, 2026-05-07 · Der Spiegel, 2026-05-07 · heise online, 2026-05-07). Each year 10–15 graduates are placed directly into Russian military intelligence units. The 144-hour core curriculum, labelled in the documents "Countering Technical Intelligence", covers password attacks, CVE-driven exploitation using Metasploit against US DoD network architectures by name, custom trojan development, DDoS methodologies, penetration testing against Western targets, computer-virus construction, and propaganda/manipulation training. Candidates are physically assessed at a mandatory training camp; each placement requires explicit GRU approval.

The leaked assignment records explicitly link graduates to GRU Unit 74455 (Sandworm / VoodooBear — responsible for the 2015–2016 Ukraine power-grid attacks, 2017 NotPetya global wiper, and 2023 Kyivstar telecom outage) and to APT28 (Fancy Bear — responsible for the 2016 Bundestag hack and the 2017 Macron campaign breach, with continuing 2025–2026 activity against EU government and election-adjacent targets). For European defenders the salient operational point is that the curriculum trains specifically against Western and US-DoD topologies — meaning the training pipeline is producing operators whose default mental model of a target network is a NATO-aligned environment, not a generic enterprise. The investigation does not change short-term defensive priorities but reframes the long-running attribution debate: GRU cyber units are not ad-hoc-recruited contractors, they are graduates of a structured technical-intelligence training stream with measurable annual throughput.

UPDATE: Polish water OT intrusions — ABW annual report names five facilities; APT28 / APT29 / UNC1151 formally attributed; NIS2 enforcement context

From CTI Daily Brief — 2026-05-09 · published 2026-05-09

UPDATE (originally covered 2026-05-08):

Poland's Internal Security Agency (ABW) published its 2025 Annual Report on 2026-05-07, providing materially expanded detail beyond the initial reporting. The report names five municipal water facilities targeted in intrusion attempts during H2 2025 and Q1 2026: Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, and Sierakowo. All are smaller municipalities (populations 1,500–26,000) with limited IT security staff, consistent with the observed targeting pattern. ABW formally attributes the intrusion campaign to APT28 (Russian GRU) for the initial-access and persistence phase, APT29 (Russian SVR) for the intelligence-collection overlay observed at Jabłonna Lacka, and UNC1151 (Belarusian GRU-affiliated, historically associated with Ghostwriter information operations) for a disinformation component: fabricated leak documents purporting to show contamination data. This represents more granular tri-attribution than the "pro-Russian hacktivist" framing used in initial reporting.

NIS2 Directive context: Poland transposed NIS2 into national law effective 2026-02-01 (Ustawa z dnia 28 listopada 2025 r. o krajowym systemie cyberbezpieczeństwa). Water distribution operators above the 50-employee threshold are now classified as Essential Entities under NIS2, subject to mandatory incident notification to CSIRT GOV (ABW) within 24/72 hours. ABW's annual report explicitly notes that the five named facilities fell below the NIS2 threshold at the time of intrusion, highlighting the coverage gap for small municipal operators. ABW is recommending legislative action to extend NIS2 obligations to critical-function entities regardless of headcount.

CVE-2026-32202 — Windows Shell NTLM coercion / credential capture, APT28 active against EU governments (CISA KEV deadline **2026-05-12**)

From CTI Daily Brief — 2026-05-08 · published 2026-05-08

A protection mechanism failure (CWE-693) in Windows Shell allows an unauthenticated, network-adjacent attacker to coerce outbound NTLM authentication from a target system after minimal user interaction with a crafted artefact (LNK file or similar Shell shortcut). When a user opens a directory containing the malicious artefact, the Shell resolves it and initiates an SMB connection to an attacker-controlled server, transmitting a NetNTLM credential hash. The attacker relays the hash for same-network lateral movement or cracks it offline to recover plaintext credentials. NVD CVSS is 4.3 (network vector, no privileges required, user interaction required), reflecting the coercion-only impact; in-the-wild exploitation and state-actor attribution make the operational risk materially higher.

Microsoft patched this in the April 2026 Patch Tuesday cycle. CISA added CVE-2026-32202 to KEV on 2026-04-28 with a deadline of 2026-05-12. Threat intelligence attributes active exploitation to APT28 (GRU Unit 26165, "Fancy Bear") targeting EU government ministries. The technique complements APT28's documented use of NTLM relay and pass-the-hash for lateral movement within government networks.

Immediate actions: Apply April 2026 Windows Patch Tuesday; block outbound TCP 445 to non-business internet destinations at the perimeter firewall; enable "Restrict NTLM" Group Policy (set to "Deny all") or migrate authentication to Kerberos-only where operationally feasible; monitor EDR for outbound 445/TCP to internet IPs from workstations.
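Added example, not part of the brief, of the last immediate action above (spotting outbound 445/TCP from workstations to internet destinations) run over constructed firewall log lines; the internal address ranges, the ws- host-naming convention and the log field layout are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed internal address space; extend with your own routed ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]
WORKSTATION_PREFIX = "ws-"   # assumed host-naming convention

# Constructed firewall log: ts src_host src_ip dst_ip dst_port proto action
SAMPLE_LOG = """\
2026-05-08T09:14:02Z ws-fin-031 10.20.4.31 203.0.113.45 445 tcp allow
2026-05-08T09:14:03Z ws-fin-031 10.20.4.31 10.20.0.5 445 tcp allow
2026-05-08T09:15:10Z ws-hr-112 10.20.7.112 203.0.113.45 445 tcp deny
2026-05-08T09:16:00Z srv-file-01 10.20.0.5 203.0.113.9 445 tcp allow
2026-05-08T09:16:30Z ws-fin-031 10.20.4.31 203.0.113.45 443 tcp allow
"""

def is_external(ip_str):
    """True when the address is outside the assumed internal ranges."""
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in INTERNAL_NETS)

def find_smb_egress(log_text):
    """Flag SMB (445/tcp) from workstations to external IPs.

    Returns (findings, shared): findings is a sorted list of
    (severity, src_host, dst_ip, action); shared lists external
    destinations contacted by more than one workstation."""
    findings = []
    victims_per_dst = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue                          # tolerate malformed lines
        _ts, src_host, _src_ip, dst_ip, port, proto, action = fields
        if port != "445" or proto != "tcp":
            continue
        if not src_host.startswith(WORKSTATION_PREFIX) or not is_external(dst_ip):
            continue
        # An allowed connection means the perimeter 445 block is missing and the
        # NetNTLM hash has already left; a denied one still marks a triggered lure.
        severity = "high" if action == "allow" else "medium"
        findings.append((severity, src_host, dst_ip, action))
        victims_per_dst[dst_ip].add(src_host)
    shared = sorted(d for d, hosts in victims_per_dst.items() if len(hosts) > 1)
    return sorted(findings), shared
```

Internal SMB to file servers and non-445 traffic to the same external host are left alone, so the output stays focused on the coercion pattern the CVE write-up describes.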

CVE-2026-32202 — Windows Shell NTLM coercion, APT28 ITW (CVSS 4.3, CISA KEV deadline 2026-05-12)

From CTI Daily Brief — 2026-05-08 · published 2026-05-08

A crafted Windows Shell artefact (LNK shortcut) placed in a directory causes the victim host to initiate an outbound SMB authentication to an attacker-controlled server when the directory is opened, transmitting NetNTLM hashes. APT28 has weaponised this against EU government ministries. Despite the low NVD CVSS (4.3), KEV listing and state-actor ITW exploitation make this a priority-patch item. Apply April 2026 Windows cumulative updates. CISA KEV deadline: 2026-05-12.