

CERT-UA has disclosed a cyberattack on Ukraine’s energy infrastructure, delivered via deceptive emails. Once accessed, these emails lead to a multi-stage operation that downloads and executes malicious payloads. Concurrently, Zscaler’s detection of the “Steal-It” campaign revealed striking similarities, hinting at a shared origin: APT28, also known as Fancy Bear. This notorious group, linked to Russia’s GRU, uses legitimate platforms like Mockbin, which makes detection challenging. Its operations underline the evolving cyber threat landscape and stress the importance of advanced defenses.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2023-09-11
  • Author: Michael Haag, Splunk
  • ID: 2c1aceda-f0a5-4c83-8543-e23ec1466958


APT28, also known as Fancy Bear, blends stealth and expertise in its cyber operations. The group is affiliated with Russia’s GRU, and its signature move is the spear-phishing email that leads to a multi-tiered cyberattack. In Ukraine’s recent breach, the execution of a ZIP archive triggered a series of actions, culminating in information flow redirection via the TOR network. Simultaneously, Zscaler’s “Steal-It” campaign pinpointed similar tactics, specifically targeting NTLMv2 hashes. This campaign used ZIP archives containing LNK files to exfiltrate data via Mockbin. APT28’s hallmark is its “Living Off The Land” strategy: manipulating legitimate tools and services to blend in and evade detection. These innovative tactics, coupled with a geofencing focus on specific regions, make the group a formidable cyber threat and highlight the urgent need for advanced defense strategies.


| Name | Technique | Type |
|------|-----------|------|
| CHCP Command Execution | Command and Scripting Interpreter | TTP |
| CertUtil Download With URLCache and Split Arguments | Ingress Tool Transfer | TTP |
| CertUtil With Decode Argument | Deobfuscate/Decode Files or Information | TTP |
| Headless Browser Mockbin or Mocky Request | Hidden Window | TTP |
| Headless Browser Usage | Hidden Window | Hunting |
| Windows CertUtil Decode File | Deobfuscate/Decode Files or Information | TTP |
| Windows CertUtil URLCache Download | Ingress Tool Transfer | TTP |
| Windows Curl Download to Suspicious Path | Ingress Tool Transfer | TTP |


source | version: 1