APT28’s Toolkit: AI, Wi-Fi Intrusions, Cloud C2

APT28, the Kremlin-linked threat group behind the 2016 DNC hack, is quietly reshaping how state-backed operators run long-term espionage campaigns — blending classic spearphishing with Wi-Fi proximity attacks, cloud abuse, and even using LLM-powered malware. 

APT28 “… consistently adapts its methods, blending proven tradecraft with new capabilities to match each target environment,” said Picus Security researchers.

Based on Picus Security’s analysis of the LLM-powered malware used by APT28, Picus co-founder and VP of Picus Labs, Dr. Süleyman Özarslan, stated that the campaign’s design was unusually clumsy. 

“We have looked at the source code for this ‘LameHug’ campaign and it’s arguably the most inefficient malware design I’ve seen in years,” he said.

According to Özarslan, the attackers even rely on an external LLM API at runtime to produce basic reconnaissance commands. 

“Look at the prompts: the attacker is calling an external LLM API (Qwen-2.5-Coder) at runtime just to generate standard reconnaissance commands like systeminfo, tasklist, and ipconfig.”

He also emphasized that the approach doesn’t represent any kind of advanced AI-driven malware technique. 

“This isn’t ‘dynamic AI generation’; it is hardcoding with extra steps, added latency, and a massive dependency on an external API that could break or hallucinate at any moment,” he explained.

Özarslan contrasted this with what a skilled threat actor would typically do. 

“A competent malware author would have just hardcoded the batch commands. Instead, these actors introduced a massive point of failure just to look cool or because they were too lazy to learn the syntax for dsquery.”

A Historical Look at APT28’s Major Campaigns

For more than a decade, APT28 has targeted political campaigns, ministries of foreign affairs, defense organizations, anti-doping bodies, media outlets, and international institutions. 

APT28’s track record spans more than a decade of high-impact operations. The group was responsible for the takedown of TV5Monde in 2015 and later conducted the DCCC and DNC breaches in 2016. 

It also carried out operations against WADA and the Canadian Centre for Ethics in Sport (CCES). 

In 2018, APT28 attempted a close-access intrusion targeting the OPCW, an effort that was ultimately disrupted. 

The group continued its activity with widescale compromises of Ukrainian government websites in 2023. Most recently, in 2025, it deployed the LameHug malware, which uses large language models (LLMs) to generate system commands from free-form text.

Inside APT28’s Full Attack Chain

APT28’s activity spans every stage of the MITRE ATT&CK lifecycle. 

Reconnaissance includes targeted Wi-Fi scanning from compromised neighboring networks, phishing for organizational details over secure messaging apps like Signal, and predictive domain registration months before infrastructure is activated.

For resource development, the group acquires VPS infrastructure, registers themed domains, and abuses legitimate web services — including Icedrive and Koofr — to host payloads and stage exfiltrated data.

APT28 achieves initial access through multiple vectors, combining technical exploitation with social engineering and proximity-based attacks. 

The group frequently targets XSS and webmail vulnerabilities in platforms such as Roundcube, MDaemon, and Zimbra to gain a foothold in victim environments. 

It also delivers weaponized Office documents via email and Signal Desktop, a method that bypasses Mark-of-the-Web protections and allows malicious macros to execute without restriction. 

Additionally, APT28 employs its distinctive “Nearest Neighbor” Wi-Fi technique, compromising a dual-homed device in a nearby building and using it as a bridge to infiltrate the target’s corporate wireless network.

Execution and persistence rely heavily on native tooling. 

APT28 uses PowerShell and cmd.exe for compression, registry edits, and payload execution, while malware like BeardShell, SlimAgent, and SpyPress persist through logon script changes, COM hijacking, and malicious DLLs that proxy legitimate Windows components.

How APT28 Evades Detection

APT28’s tradecraft is engineered to blend into normal enterprise behavior. 

Privilege escalation has included exploiting CVE-2022-38028 in the Windows Print Spooler service, while the group’s defense-evasion toolkit is broad and sophisticated. 

APT28 hides shellcode within PNG images using steganography, employs DLL proxying to masquerade as trusted Windows libraries, and uses extensive JavaScript and string obfuscation in its webmail implants. 

The group also securely wipes forensic evidence with tools such as cipher.exe /W to hinder investigation and recovery.

On the credential side, the group systematically dumps LSASS memory, exports SAM and SYSTEM hives, targets the Active Directory database (ntds.dit), and runs large-scale password spraying via TOR and commercial VPNs.

Collection is equally comprehensive, covering keylogging, screen capture, clipboard monitoring, mailbox harvesting, and automated email forwarding rules created by SpyPress to ensure persistence even after implants are discovered.

Command-and-control (C2) traffic commonly runs over HTTPS with relaxed certificate checks and is sometimes proxied through guest Wi-Fi or internal port forwarding to reach segmented systems. 

Cloud storage accounts on Icedrive and Koofr act as “dead-drop” mailboxes for the operation. Implants poll these locations for task files and upload results disguised as benign images or archives. 

Essential Security Controls to Counter APT28

Defending against APT28 requires a coordinated, multi-layered strategy to harden identity, endpoints, networks, and cloud environments.

• Harden identity and email by enforcing phishing-resistant MFA, patching webmail platforms, monitoring for password spraying, and restricting legacy authentication.
• Strengthen EDR coverage by blocking unsigned DLL loads, monitoring LOLBins like PowerShell and rundll32, and detecting COM hijacks or unusual persistence mechanisms.
• Improve network segmentation and monitoring by isolating guest and corporate Wi-Fi, enforcing microsegmentation, and inspecting East–West traffic for anomalous HTTPS or DNS activity.
• Lock down Active Directory and credential stores through tiered administration, PAWs, monitoring for LSASS or VSS abuse, and auditing ntds.dit and registry hive access.
• Secure cloud identities and web services by enforcing conditional access, monitoring for unsanctioned OAuth apps, and detecting abnormal access to services like Icedrive or Koofr.
• Enhance detection engineering for APT28-specific behaviors, including SpyPress webmail modifications, image-masqueraded payloads, portproxy tunneling, and suspicious PowerShell ZIP creation.
• Continuously validate controls through breach-and-attack simulation or security validation platforms to emulate APT28 techniques and identify detection and prevention gaps.

These steps help organizations build cyber resilience against APT28 and similar threats.

APT28’s long-running operations underscore its evolution into an adaptive and persistent state-aligned threat group. 

Its reliance on cloud storage for C2, defense-evasion capabilities, and credential theft highlight a mature ecosystem built for long-term access and stealth.  

The ongoing risk posed by adaptable, persistent threat actors underscores the need for organizations to adopt zero-trust principles that operate on the assumption of inevitable compromise.