APT28

Russia's APT28 has deployed LAMEHUG and PROMPTSTEAL malware that queries large language models via Hugging Face to dynamically generate attack commands, marking the first confirmed use of AI-powered malware in active cyber operations.

Russia's APT28 weaponized CVE-2026-21509 within three days of Microsoft's disclosure, deploying MiniDoor email stealers and PixyNetLoader against Ukraine, Slovakia, and Romania.

New additions include CVE-2026-21509 actively exploited by APT28, a Linux kernel flaw from 2018, and SmarterMail vulnerabilities. Federal agencies face February 16 remediation deadline.

CVE-2026-21509 bypasses OLE security mitigations in Microsoft Office. Russia-linked APT28 is exploiting it against targets in Ukraine and the EU. Emergency patches available.

APT28 targets energy, defense, and policy organizations in Turkey, the Balkans, and Central Asia with phishing campaigns using legitimate PDFs from real think tanks and free hosting infrastructure.