Expanded toolkit of APT28, also known as Russian hackers, includes the 'NotDoor' Outlook backdoor for increased intrusion capabilities.

Covert VBA malware attacking Microsoft Outlook, serving as a complex backdoor for potential system intrusions

Russian APT28 Enhances Toolkit with Outlook-Targeted 'NotDoor' Backdoor

In the ever-evolving landscape of cybersecurity, two significant developments have caught the attention of experts: the emergence of a new malware named LameHug, and the activities of a notorious hacker group known as APT28.

First detected by the National Computer Emergency Response Team of Ukraine (CERT-UA) in July 2025, LameHug marks one of the first reported instances of AI-powered ransomware. This development signifies a worrying escalation in the sophistication of cyber threats.

APT28, also known by multiple aliases such as Fancy Bear, Forest Blizzard, and Sednit, among others, has been an active player in the cyber threat landscape since at least 2014. The group is associated with Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.

One of APT28's most notable operations was their involvement in the 2016 US presidential election, where they compromised the Hillary Clinton presidential campaign, the Democratic National Committee (DNC), and the Democratic Congressional Campaign Committee (DCCC). This campaign was part of a broader effort to interfere in the election.

APT28's methods are as cunning as they are effective. The group uses an Outlook backdoor named NotDoor: a VBA macro for Outlook that is deployed through DLL sideloading alongside legitimate signed binaries such as OneDrive.exe. Once in place, it disables Outlook's macro security and monitors incoming emails, using them as a covert channel to receive commands for execution and to exfiltrate data.
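An added defender-side check that is not part of the article: a PowerShell audit of the Outlook macro-security settings and user VBA project file that an Outlook VBA backdoor of this kind depends on in order to run. It assumes the Office 16.0 registry layout (Outlook 2016/2019/Microsoft 365); the registry value names and the VbaProject.OTM path are Outlook's own and are not taken from the article.

```powershell
# Added audit script (not from the article or the threat report): report whether
# Outlook on this host is configured so that a user VBA project would run silently.
# Assumption: Office 16.0 registry layout; pass -OfficeVersion for other builds.
param([string]$OfficeVersion = "16.0")

$outlookKey  = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook"
$securityKey = "$outlookKey\Security"
$findings = @()

# Outlook macro security level: 1 = enable all macros (no prompt), 4 = disable all.
# Enterprise builds normally sit at 3 (notify for signed macros only) or leave it unset.
$level = (Get-ItemProperty -Path $securityKey -Name Level -ErrorAction SilentlyContinue).Level
if ($level -eq 1) {
    $findings += "Outlook macro security is 'Enable all macros' (Security\Level = 1)"
}

# LoadMacroProviderOnBoot = 1 makes Outlook load the VBA project at start-up
# without any user interaction; it is not set on a default installation.
$loadOnBoot = (Get-ItemProperty -Path $outlookKey -Name LoadMacroProviderOnBoot `
               -ErrorAction SilentlyContinue).LoadMacroProviderOnBoot
if ($loadOnBoot -eq 1) {
    $findings += "LoadMacroProviderOnBoot = 1: VBA project is loaded automatically"
}

# Outlook keeps all user macros in one file; most managed users never create it,
# so its mere presence (and a recent modification time) is worth a look.
$otm = Join-Path $env:APPDATA "Microsoft\Outlook\VbaProject.OTM"
if (Test-Path $otm) {
    $info = Get-Item $otm
    $findings += "VbaProject.OTM present: $($info.Length) bytes, modified $($info.LastWriteTime)"
}

if ($findings.Count -eq 0) {
    Write-Output "No Outlook macro-execution indicators found for $env:USERNAME on $env:COMPUTERNAME"
} else {
    Write-Output "Review the following for $env:USERNAME on $env:COMPUTERNAME:"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

The script only reads the current user's hive, so run it in the context of each user profile you want to audit (or adapt it to load other users' NTUSER.DAT hives).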

The use of NotDoor demonstrates APT28's ongoing evolution and ability to bypass established defense mechanisms. MITRE researchers have described LameHug, another tool in APT28's arsenal, as a "primitive" testbed for future AI-powered attacks.

APT28's targets have been wide-ranging, extending to the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), and the Spiez Swiss Chemicals Laboratory, among others. Some of their operations were carried out with support from GRU Unit 74455, also known as the Sandworm Team.

The indictment of five officers from GRU Unit 26165 by the US Department of Justice (DoJ) in 2018 serves as a reminder of the international nature of these cyber threats. As the landscape continues to evolve, it is crucial that nations and organisations remain vigilant in their efforts to counter these threats and protect their digital assets.
