APT28 — the threat group assessed with high confidence to operate under Russian General Staff intelligence (GRU) direction — has increased the tempo of its operations against European government networks over the first half of 2026. The activity follows a well-established pattern but has incorporated new credential harvesting infrastructure and more refined spear-phishing lure documents targeting ministerial staff, parliamentary researchers, and NATO working group members.
Current Campaign Characteristics
Intelligence from multiple European national CERTs and Microsoft’s Threat Intelligence Centre identifies a campaign using phishing lures themed around ongoing European policy matters — energy security, defence procurement, and EU institutional processes. The targeting is narrow and precisely researched: recipients are individuals whose public profiles indicate direct responsibility for the subject matter of the lure.
The lures are delivering two primary payloads in this campaign:
Credential harvesting via lookalike domains. APT28 has registered a cluster of domains mimicking European government single sign-on portals and NATO Outlook Web Access interfaces. Victims directed to these pages are prompted to re-authenticate; captured credentials are used for subsequent access to genuine government systems.
MASEPIE and OCEANMAP backdoors. For recipients who execute lure attachments, APT28 is deploying MASEPIE (a small Python-based backdoor that talks to its C2 over a direct, encrypted TCP channel) and OCEANMAP (a .NET-based backdoor that uses the IMAP protocol for C2, hiding tasking and results in mailbox traffic). Both were first documented by CERT-UA in its December 2023 reporting on APT28 targeting of Ukrainian state bodies and are now observed in broader European government campaigns.
Why the Election Timing Matters
Multiple EU member states and the UK face significant electoral events in 2026. APT28 has a documented history of conducting intelligence collection operations against political parties and candidates before elections — accumulating data rather than deploying it immediately, with material selectively leaked through secondary channels at strategically damaging moments.
The 2017 French presidential election targeting (the En Marche leaks), the 2015 Bundestag intrusion, and the 2024 targeting of German CDU systems all follow the same pattern: access established months ahead of a vote, data collected at scale, and material released at the point of maximum disruption to the campaign.
The current European targeting posture is consistent with preparation for similar operations rather than immediate disruptive intent.
Recommended Actions
- Brief ministerial and senior staff on current lure themes. Generic phishing awareness training is insufficient against this level of targeting. Staff handling defence, energy, or EU affairs should be specifically briefed on active campaigns.
- Enforce phishing-resistant MFA on all government access. FIDO2 hardware keys and passkeys bind the credential to the legitimate origin, so a lookalike SSO or OWA page cannot collect anything it can replay against the genuine portal; this closes the credential-harvesting path described above. It does not close the attachment path: MASEPIE and OCEANMAP need code execution on the endpoint, so attachment controls (script and macro blocking, application allowlisting) remain necessary alongside MFA.
- Verify domain monitoring. Ensure your organisation has visibility of lookalike registrations that imitate your SSO or OWA hostnames, for example by monitoring certificate-transparency logs for new certificates containing your hostnames or near-variants of them, or through a brand-protection feed. UK public-sector organisations can also draw on NCSC's Check your cyber security service.
- Review mail-protocol egress. OCEANMAP uses IMAP (typically over TLS on 993/tcp) for C2, so a workstation opening IMAPS sessions to any server other than your approved mail infrastructure is a strong signal for this toolset. Restricting outbound 993/tcp from workstation networks to an allowlist of mail servers, and alerting on exceptions, is a meaningful and cheap detection control. MASEPIE does not use mail protocols, so it is covered by general egress allowlisting rather than this port-specific rule.
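To make the "verify domain monitoring" recommendation concrete, the following is an added example (not code from the original brief or from any CERT) that triages a batch of newly seen hostnames, such as those pulled from certificate-transparency logs, against a set of protected SSO/OWA hostnames. The protected names, the homoglyph table and the candidate hostnames are all constructed for illustration; the registrable-domain logic assumes a two-label registrable domain and a production version should use the Public Suffix List and decode punycode (`xn--`) labels before comparison.

```python
"""Triage candidate hostnames for resemblance to protected SSO/OWA hosts.

Three lookalike patterns are flagged: the protected hostname embedded inside a
third-party domain (sso.example.gov.portal-login.net, sso-example-gov.com), a
registrable domain within one edit of ours after homoglyph folding
(examp1e.gov, exampl.gov), and the same name under a different TLD.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed protected hostnames; substitute your real SSO/OWA hostnames.
PROTECTED = ("sso.example.gov", "owa.example.gov")

# Character substitutions commonly used in lookalike registrations (assumed list).
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}


@dataclass
class Finding:
    host: str
    protected: str
    reason: str


def normalise(label: str) -> str:
    """Fold common homoglyphs so 'examp1e' compares equal to 'example'."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small inputs, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Assumption: two-label registrable domain (use the Public Suffix List in production)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def flatten(name: str) -> str:
    """'sso.example.gov' -> 'sso-example-gov', so dot/hyphen variants compare alike."""
    return name.replace(".", "-")


def assess(host: str, protected=PROTECTED) -> Optional[Finding]:
    host = host.lower().rstrip(".")
    own_domains = {registrable(p) for p in protected}
    host_reg = registrable(host)
    if host_reg in own_domains:
        return None  # a genuine host under our own registrable domain
    host_sld, _, host_tld = host_reg.rpartition(".")
    for p in protected:
        p_sld, _, p_tld = registrable(p).rpartition(".")
        if flatten(p) in flatten(host):
            return Finding(host, p, "protected hostname embedded in third-party domain")
        dist = levenshtein(normalise(host_sld), normalise(p_sld))
        if dist == 0 and host_tld != p_tld:
            return Finding(host, p, "same name under a different TLD")
        if dist <= 1:
            return Finding(host, p, f"lookalike registrable domain (edit distance {dist} after homoglyph folding)")
    return None


def triage(hosts) -> list:
    return [f for f in map(assess, hosts) if f is not None]


# Constructed candidates, as they might arrive from a CT-log feed.
CANDIDATES = [
    "sso.example.gov",                     # ours
    "login.sso.example.gov",               # ours, deeper subdomain
    "sso.example.gov.portal-login.net",    # embedded hostname
    "sso-example-gov.com",                 # embedded, dots swapped for hyphens
    "owa.examp1e.gov",                     # homoglyph '1' for 'l'
    "owa.exampl.gov",                      # one character dropped
    "sso.example.com",                     # different TLD
    "mail.google.com",                     # unrelated
]

if __name__ == "__main__":
    for f in triage(CANDIDATES):
        print(f"{f.host:40} imitates {f.protected}: {f.reason}")
```

In a real pipeline the candidate list comes from a CT-log subscription or a registrar feed, and each finding is pushed to the team that owns takedown requests; the edit-distance threshold of 1 is deliberately tight to keep false positives low on short labels and should be raised with care.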
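The mail-protocol egress check above can be implemented as a small hunt over connection logs. The following is an added example (not code from the original brief) that runs over Zeek-style `conn.log` records, flags IMAPS (993/tcp) sessions from workstation ranges to anything other than approved mail servers, and then looks at the timing of the flagged sessions per source/destination pair, since backdoor polling tends to be far more regular than a human mail client. The workstation range, the approved server list and the log lines are constructed for illustration, and the log uses a reduced set of Zeek's `conn.log` columns.

```python
"""Hunt for IMAPS egress from workstations to non-approved mail servers,
then test whether the flagged sessions recur on a regular (beacon-like) interval."""
import ipaddress
import statistics
from collections import defaultdict

# Constructed environment: workstation VLANs and the approved corporate mail servers.
WORKSTATION_NETS = [ipaddress.ip_network("10.20.0.0/16")]
APPROVED_IMAPS_SERVERS = {"10.1.5.10", "10.1.5.11"}

# Constructed, tab-separated subset of Zeek conn.log columns (198.51.100.0/24 and
# 203.0.113.0/24 are documentation ranges, not real infrastructure).
SAMPLE_CONN_LOG = """\
ts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes
1767225600.10\tC1\t10.20.3.44\t51002\t10.1.5.10\t993\ttcp\tssl\t12.1\t3400\t18000
1767225610.00\tC2\t10.20.7.19\t51500\t198.51.100.23\t993\ttcp\tssl\t2.0\t900\t1200
1767225670.02\tC3\t10.20.7.19\t51501\t198.51.100.23\t993\ttcp\tssl\t2.1\t910\t1190
1767225730.01\tC4\t10.20.7.19\t51502\t198.51.100.23\t993\ttcp\tssl\t1.9\t905\t1210
1767225790.03\tC5\t10.20.7.19\t51503\t198.51.100.23\t993\ttcp\tssl\t2.0\t900\t1205
1767225650.00\tC6\t10.1.5.10\t40000\t203.0.113.9\t993\ttcp\tssl\t5.0\t2000\t2500
1767225660.00\tC7\t10.20.3.44\t51010\t203.0.113.80\t443\ttcp\tssl\t1.0\t500\t9000
"""


def parse_conn_log(text: str) -> list:
    """Header row names the columns; each data row becomes a dict keyed by column."""
    lines = [ln for ln in text.strip().splitlines() if ln and not ln.startswith("#")]
    fields = lines[0].split("\t")
    return [dict(zip(fields, ln.split("\t"))) for ln in lines[1:]]


def is_workstation(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WORKSTATION_NETS)


def find_unapproved_imaps(records: list) -> list:
    """Workstation -> 993/tcp where the destination is not an approved mail server.
    Server-to-server mail traffic (C6) and non-IMAPS traffic (C7) are left alone."""
    return [
        r for r in records
        if r["proto"] == "tcp"
        and r["id.resp_p"] == "993"
        and is_workstation(r["id.orig_h"])
        and r["id.resp_h"] not in APPROVED_IMAPS_SERVERS
    ]


def beacon_summary(events: list, max_jitter: float = 0.1) -> dict:
    """Per (source, destination) pair: connection count, mean gap between sessions,
    and jitter (stdev/mean of the gaps). Low jitter across several gaps marks a poller."""
    by_pair = defaultdict(list)
    for r in events:
        by_pair[(r["id.orig_h"], r["id.resp_h"])].append(float(r["ts"]))
    summary = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(gaps) >= 2:
            mean = statistics.fmean(gaps)
            jitter = statistics.pstdev(gaps) / mean if mean else None
        else:
            mean = gaps[0] if gaps else 0.0
            jitter = None
        summary[pair] = {
            "connections": len(stamps),
            "mean_interval_s": round(mean, 1),
            "jitter": jitter,
            "periodic": jitter is not None and jitter < max_jitter,
        }
    return summary


if __name__ == "__main__":
    flagged = find_unapproved_imaps(parse_conn_log(SAMPLE_CONN_LOG))
    for (src, dst), s in beacon_summary(flagged).items():
        tag = "PERIODIC" if s["periodic"] else "irregular"
        print(f"{src} -> {dst}:993  {s['connections']} sessions, "
              f"mean gap {s['mean_interval_s']}s, {tag}")
```

The allowlist check alone is the enforcement control (it maps directly onto an egress firewall rule); the periodicity pass is for triage when the allowlist is not yet in place and the hunt returns more than a handful of hits. A mail client polling a personal mailbox will also show up here, which is exactly the traffic the egress rule should be removing from workstations in a government network.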