Russia’s Fancy Bear APT doubles down on global secrets theft
One of the world’s most capable threat actors has been carrying out seriously simple, inexpensive credential harvesting attacks against specific organizations in the Balkans, the Middle East, and Central Asia.
APT 28 — popularly known as Fancy Bear and linked to the Russian Federation’s Main Directorate of the General Staff of the Armed Forces (GRU) — was the single most notorious advanced persistent threat (APT) of the mid-2010s. Its attacks against Ukraine, American and European elections, and organizations involved in the Olympics were so seismic that they overshadowed its other large-scale attacks against Western media and government institutions. At its peak, only Anonymous can claim to have been more influential in driving discourse around cybersecurity in the Western world.
In comparison, Fancy Bear’s more recent activity might feel underwhelming. It’s all rather standard-fare spearphishing, aimed at global governments or any organizations of some strategic value to Russia. And its latest campaign very much continues this trend. Recorded Future found that from February to September 2025, the APT it tracks as BlueDelta was targeting credentials from at least a handful of specific organizations spread across the center of the world map. To get those credentials, it used little more than neat phishing pages and off-the-shelf infrastructure.
Read more at Dark Reading