May 09 2024

Polish Government Under Sophisticated Cyber Attack From APT28 Hacker Group

Category: APT,Cyber Attackdisc7 @ 8:55 am

The Polish computer emergency response team has issued a warning about an ongoing cyberattack campaign by the notorious APT28 hacking group, also known as Fancy Bear or Sofacy. The campaign is targeting various Polish government institutions with a new strain of malware.

According to the analysis, the attack begins with spear-phishing emails containing malicious attachments or links.

The malware is deployed once the victim opens the attachment or clicks the link, establishing a foothold in the targeted network.

Subject: I solved your problem

Hello Paweł!
I did a little research and found this mysterious Ukrainian woman.
Now she is in Warsaw.
She runs a rather unusual company that sells used underwear.
also has clients from senior authorities in Poland and Ukraine.
All information on this subject is available at this link - ALINA-BOKLAN (Link)

Threat actors are increasingly using free, commonly-used services like and to deliver malware while evading detection.

This technique involves redirecting through these services to obfuscate the final malicious payload. The link first goes to, a free API testing service, which then redirects to for logging requests.

A ZIP archive disguised as an image file (e.g. is downloaded from

With default Windows settings hiding extensions and hidden files, the victim sees the ZIP as an image, potentially leading them to open the malicious payload.

entire attack flow

Using free services reduces costs and makes malicious links harder to flag as they blend in with legitimate developer traffic. This stealthy approach is becoming a trend across many APT groups.

“The malware used in this campaign is a new variant of the X-Agent backdoor, which allows the attackers to execute arbitrary commands, exfiltrate data, and move laterally within the compromised network,” explained in their report. urges all Polish government agencies and critical infrastructure operators to remain vigilant and implement security measures.

APT28 is a highly sophisticated cyber-espionage group believed to be associated with the Russian military intelligence agency GRU.

The group has been active since at least 2007 and has been linked to numerous high-profile cyberattacks, including the 2016 Democratic National Committee email leak and the 2017 NotPetya ransomware outbreak.

This latest campaign highlights the persistent threat posed by state-sponsored hacking groups and the importance of maintaining robust cybersecurity measures, especially for critical government and infrastructure systems.

The report details the attack flow, providing indicators of compromise (IOCs) and recommendations for detecting and mitigating the threat.

The Bear Roars: Russia’s Cyber Spies And Global Threat To Security

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: APT28, Hacker Group

Leave a Reply

You must be logged in to post a comment. Login now.