Overview LAB52 has been monitoring a campaign dubbed “Operation MacroMaze”, which, based on its characteristics, can be attributed to APT28, also known as Fancy Bear, Forest Blizzard or FROZENLAKE. The campaign has been active at least since late September 2025 through January 2026, targeting specific entities in Western and Central Europe. The campaign relies on […]
APT
Black Industry: IRGC-Linked offensive OT framework
Actor Background and Tool Distribution A new offensive OT framework has been identified and offered for sale on a platform accessible via the TOR network, promoted by the “APT IRAN” channel. The administrators have indicated that this is the most extensive industrial and military control network framework to date within the Black Industry (BI) ecosystem. […]
Analyzing NotDoor: Inside APT28’s Expanding Arsenal
LAB52, the intelligence team at S2 Grupo, has identified a new backdoor for Outlook attributed to the persistent threat group APT28, which is linked to the Russian intelligence service and has compromised multiple companies from various sectors in NATO member countries. The artefact, dubbed NotDoor due to the use of the word ‘Nothing’ within the […]
DeedRAT Backdoor Enhanced by Chinese APTs with Advanced Capabilities
LAB52, the intelligence team at S2 Group, has uncovered a new phishing campaign deploying DeedRAT—a modular backdoor attributed to Chinese threat actors—through adversary tracking efforts. The campaign leverages the legitimate signed binary MambaSafeModeUI.exe, part of the VIPRE Antivirus Premium software, which is vulnerable to DLL side-loading. This technique allows the attackers to load the DeedRAT […]
Some thoughts about Laundry Bear
Today, Dutch intelligence (AIVD and MIVD) and Microsoft have published two reports unveiling a potential new Russian threat actor: Laundry Bear, or Void Blizzard. This actor was discovered through a recent compromise of the Dutch Police, and it has been targeting Western organizations since at least 2024, including armed forces, government organizations and defense contractors, […]
Very very lazy Lazyscripter’s scripts: double compromise in a single obfuscation
In July of 2021, we identified an infection campaign targeting important European entities. During this investigation we could identify the threat actor behind these attacks as LazyScripter, an emerging APT group pointed by MalwareBytes in February 2021. Through our analysis, we could track their activity with precise dates in 2021 based on their samples. Furthermore, […]