Russia's APT28 Launches Nuke-Themed Follina Exploit Campaign

Published: 23/11/2024   Category: security




Researchers have spotted the threat group, also known as Fancy Bear and Sofacy, using the Windows MSDT vulnerability to distribute information stealers to users in Ukraine.



Russia’s notorious advanced persistent threat group APT28 is the latest in a growing number of attackers trying to exploit the “Follina” vulnerability in the Microsoft Support Diagnostic Tool (MSDT) in Windows.
Researchers from Malwarebytes this week observed the threat actor — aka Fancy Bear and Sofacy — sending out a malicious document with an exploit for the now-patched flaw (CVE-2022-30190) via phishing emails to users in Ukraine. The document was titled "Nuclear Terrorism A Very Real Threat.rtf" and appeared designed to prey on fears about the war in Ukraine spiraling into a nuclear holocaust.
Malwarebytes identified the contents of the document as a May 10 article from the Atlantic Council on the potential for Russian President Vladimir Putin to use nuclear weapons in Ukraine.
Users who opened the document ended up having a new version of a previously known .NET credential stealer loaded on their systems via the Follina exploit, which made headlines as a zero-day earlier this month. The malware is designed to steal usernames, passwords, and URLs from the Chrome and Microsoft Edge browsers. It can also grab all stored cookies in Chrome, Malwarebytes researchers say.
Ukraine's Computer Emergency Response Team (CERT-UA) separately warned of the same threat. In an advisory, it said it had spotted APT28 using the same malicious document that Malwarebytes reported to try to distribute the CredoMap credential-stealing malware to users in Ukraine.
Available telemetry suggests that the adversary has been using the document since at least June 10, CERT-UA says.
"The target, and the involvement of APT28 (a division of Russian military intelligence), suggests that the campaign is a part of the conflict in Ukraine, or at the very least linked to the foreign policy and military objectives of the Russian state," states Malwarebytes in a report Tuesday on the new activity.
The Follina bug in MSDT affects all supported versions of Windows and can be exploited via malicious Microsoft Office documents. To trigger it, all an attacker needs to do is have an Office app, such as Word, invoke MSDT through its ms-msdt: URL protocol handler; the diagnostic tool then runs attacker-supplied commands with the privileges of the calling application. In the .docx variant the document carries an external OLE-object relationship to an attacker-controlled HTML page that calls the handler; in the RTF variant used here the object is embedded in the file itself, and the Windows Explorer preview pane can trigger it without the user opening the document. Attackers can exploit the flaw to gain remote control of vulnerable systems and take a variety of malicious actions on them, including executing malicious code, installing programs, modifying data, and creating new accounts.
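The delivery chain described above leaves two static indicators that a mail gateway or triage script can look for: an OLE-object relationship in a .docx that points at an external URL, and the ms-msdt: scheme itself (in ASCII or UTF-16LE) inside an RTF \objdata blob, an HTML second stage, or any OOXML part. The scanner below is an added example written for this article, not code from Malwarebytes, CERT-UA, or the original page; the sample documents, file names, and URLs it builds are constructed for the demonstration.

```python
"""Static scanner for Follina-style (CVE-2022-30190) lures in .docx, .rtf and HTML.

Added example, not from the original article. The relationship namespace and the
oleObject relationship type are the standard OOXML values; sample inputs are
constructed here (example.invalid URL, minimal zip parts) purely for the demo.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile
from typing import List

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
MSDT_ASCII = b"ms-msdt:"
MSDT_UTF16 = "ms-msdt:".encode("utf-16-le")


def contains_msdt_scheme(blob: bytes) -> bool:
    """True if the ms-msdt: scheme appears in ASCII or UTF-16LE, case-insensitively."""
    low = blob.lower()  # bytes.lower() folds ASCII letters only, which is what we want
    return MSDT_ASCII in low or MSDT_UTF16 in low


def rtf_objdata_bytes(rtf: bytes) -> bytes:
    """Decode every hex-encoded \\objdata blob in an RTF file into raw bytes."""
    out = bytearray()
    for m in re.finditer(rb"\\objdata\s*([0-9A-Fa-f\s]+)", rtf):
        hexdigits = re.sub(rb"\s+", b"", m.group(1))
        hexdigits = hexdigits[: len(hexdigits) & ~1]  # drop a dangling nibble
        out += bytes.fromhex(hexdigits.decode("ascii"))
    return bytes(out)


def scan_rtf(rtf: bytes) -> List[str]:
    findings = []
    if contains_msdt_scheme(rtf):
        findings.append("ms-msdt: scheme in RTF body")
    if contains_msdt_scheme(rtf_objdata_bytes(rtf)):
        findings.append("ms-msdt: scheme inside decoded \\objdata OLE blob")
    return findings


def scan_rels(part_name: str, xml_bytes: bytes) -> List[str]:
    """Flag relationships that target ms-msdt: or pull an OLE object from outside the package."""
    findings = []
    root = ET.fromstring(xml_bytes)
    for rel in root.iter(f"{{{REL_NS}}}Relationship"):
        target = rel.get("Target", "")
        external = rel.get("TargetMode", "").lower() == "external"
        if target.lower().startswith("ms-msdt:"):
            findings.append(f"{part_name}: relationship {rel.get('Id')} targets {target}")
        elif external and rel.get("Type") == OLE_REL_TYPE:
            findings.append(f"{part_name}: external OLE object {rel.get('Id')} -> {target}")
    return findings


def scan_docx(data: bytes) -> List[str]:
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            content = zf.read(name)
            if name.endswith(".rels"):
                findings += scan_rels(name, content)
            elif contains_msdt_scheme(content):
                findings.append(f"{name}: ms-msdt: scheme in part")
    return findings


def scan_document(data: bytes) -> List[str]:
    """Dispatch on magic bytes: RTF, OOXML zip, or anything else (e.g. the HTML stage)."""
    if data.startswith(b"{\\rtf"):
        return scan_rtf(data)
    if data.startswith(b"PK\x03\x04"):
        return scan_docx(data)
    return ["ms-msdt: scheme in raw content"] if contains_msdt_scheme(data) else []


# --- constructed sample inputs (not real malware) ---------------------------
def build_sample_docx(rels_xml: str) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


def build_sample_rtf(url: str) -> bytes:
    """RTF with the URL hex-encoded as UTF-16LE inside an \\objdata blob, as OLE stores it."""
    payload = url.encode("utf-16-le").hex()
    return (r"{\rtf1\ansi{\object\objautlink{\*\objdata " + payload + "}}}").encode()


BENIGN_RELS = (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
               'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" '
               'Target="styles.xml"/></Relationships>')
LURE_RELS = (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId5" Type="{OLE_REL_TYPE}" '
             'Target="http://example.invalid/stage2.html" TargetMode="External"/></Relationships>')

if __name__ == "__main__":
    for label, doc in [("benign.docx", build_sample_docx(BENIGN_RELS)),
                       ("lure.docx", build_sample_docx(LURE_RELS)),
                       ("lure.rtf", build_sample_rtf("ms-msdt:/id PCWDiagnostic /skip force"))]:
        print(label, scan_document(doc) or "clean")
```

The external-OLE check matters more than the string match: the .docx lure contains no ms-msdt: text at all, only a link to the HTML page that invokes the handler, so a scanner keyed solely on the scheme misses that variant. Conversely, an RTF can hide the scheme as UTF-16LE hex, which is why the \objdata blobs are decoded before searching.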
Microsoft disclosed the flaw in late May amid widespread zero-day exploit activity. The company finally issued a fix for the vulnerability in its Patch Tuesday set of monthly security updates for June.
Malwarebytes describes the Ukrainian campaign as the first time it had observed APT28 exploiting Follina. But numerous other groups, including other state-backed actors, have been actively exploiting the vulnerability in recent weeks.
Many of the attacks have targeted Ukrainian entities. Earlier this month, for instance, CERT-UA warned about a threat actor — likely Russia's Sandworm APT group — using a Follina exploit in a "massive cyberattack" targeting media organizations in Ukraine.
And just this week, CERT-UA warned about a threat group it is tracking as UAC-0098, which is targeting critical infrastructure facilities in Ukraine with a tax-themed document carrying a Follina exploit. According to CERT-UA, the attackers in this campaign are exploiting Follina to drop the Cobalt Strike Beacon post-compromise attack tool on compromised systems.
Other reports of Follina-related activity have emerged as well, suggesting the flaw is of high interest to attackers and needs to be addressed quickly. Earlier this month, Proofpoint reported that it had blocked a likely state-backed phishing campaign involving a Follina exploit that targeted a handful of its customers. The phishing email masqueraded as a document about a salary increase, which if opened would have resulted in a PowerShell script being downloaded to the system.
Symantec, too, has reported observing a variety of threat actors exploiting Follina to distribute different malicious payloads, including the AsyncRAT remote access Trojan and another unnamed malware for stealing cookies and saved login data from browsers such as Chrome, Edge and Firefox.





