One of the world’s most persistent hacking collectives has adopted a new strategy for operating undetected. The group, known as Fancy Bear or APT28 and linked to Russia’s GRU Unit 26165, is changing its cyberattack tactics.
Instead of traditional infrastructure, Fancy Bear now commandeers consumer routers and devices, creating a shadow network that is challenging to trace. This marks a significant evolution in their approach, making them more elusive than ever before.
Historical Targeting and Evolving Tactics
For over twenty years, APT28 has targeted governments, defense sectors, and critical infrastructure, with a focus on NATO countries and Ukraine. The group operates under numerous aliases, including Forest Blizzard and Sofacy, and its latest campaign is notably covert because its traffic blends in with normal internet traffic.
Analysts at Sekoia have observed a substantial shift in APT28’s operational infrastructure. The group has migrated a considerable portion of its activities to compromised SOHO routers and edge devices, moving away from previously utilized rented virtual private servers.
Scale and Impact of the New Infrastructure
In December 2025, researchers recorded over 18,000 unique IP addresses from 120 countries communicating with APT28-controlled servers. Approximately 200 organizations and 5,000 consumer devices were affected; the main targets were foreign ministries, law enforcement, and IT providers.
APT28’s techniques have evolved significantly. The group now uses fleeting, single-use tools that are immediately discarded when discovered. Additionally, they have introduced an AI-driven infostealer named LameHug, which dynamically generates attack commands.
Router and Cloud Exploitation
The most notable tactic involves taking over consumer routers. In April 2022, APT28 hijacked hundreds of Ubiquiti EdgeRouters using the MooBot malware. This botnet relayed stolen data, hosted phishing pages, and executed custom scripts on compromised routers.
Despite the FBI’s Operation Dying Ember dismantling this network in 2024, the botnet’s remnants persisted. In 2026, APT28 expanded this strategy with a campaign called FrostArmada, targeting MikroTik and TP-Link routers to redirect traffic and steal credentials.
APT28 also uses cloud platforms for malware communication, which makes detection difficult. In the operation named Phantom Net Voxel, a C++ backdoor called BeardShell used cloud APIs as its command-and-control channel. Because the traffic goes to legitimate cloud services, the group can switch providers easily and maintain cover.
To mitigate these threats, it is crucial for organizations to update router firmware, change default settings, and disable unused features. Implementing multi-factor authentication and auditing OAuth permissions are recommended for cloud services. The FBI has issued alerts urging vigilance in router management.
