APT28 Operation Phantom Net Voxel

Known by no fewer than 28 aliases, among them Sofacy, Fancy Bear, BlueDelta, Forest Blizzard and TAG-110, APT28 is identified by intelligence services as operated by Russia's General Staff Main Intelligence Directorate (GRU), specifically the 85th Main Special Service Centre (GTsSS), Military Unit 26165.

DISCLAIMER

Query.ai did not produce this threat report. All credit goes to Sekoia.io's Threat Detection and Response (TDR) team, which published the original blog on September 16, 2025. This threat hunt is derived from their research; a portion of the context and background is copied here for reference, and the original blog can be referenced HERE

Threat Background

In early 2025, a spear-phishing campaign dubbed "Operation Phantom Net Voxel" by Sekoia.io's TDR team was attributed to the advanced persistent threat (APT) group APT28. Also known as Fancy Bear, this Russia-nexus group has a long history of targeting government, military and security organizations. This operation specifically targets Ukrainian military administrative and logistics personnel in order to collect intelligence on frontline units. By learning which units exist, who commands them and even which personnel have been wounded, APT28 can assess the operational readiness, attrition and morale of Ukrainian forces. That intelligence is a significant strategic advantage, which makes detecting and mitigating this threat a high priority for security teams.

The infection chain of Operation Phantom Net Voxel is multi-staged and uses several techniques to evade detection. The initial vector is a weaponized Microsoft Office document masquerading as a legitimate military administrative form, such as a personnel report or a medical compensation request. The documents are delivered by spear-phishing emails whose social engineering creates a sense of urgency, pushing the recipient to open the file and enable macros. Once macros are enabled, a malicious VBA script runs. Rather than launching a visible child process, it registers a user-level COM hijack so that a legitimate Windows process loads the malicious DLL: a CLSID entry under the current user's HKCU\Software\Classes hive points its InprocServer32 value at the attacker's DLL, and because per-user COM registrations are resolved before the machine-wide HKLM entries for non-elevated processes, the DLL is loaded the next time that COM class is instantiated. The technique abuses a supported Windows feature and produces no suspicious process tree, which is why process-centric security controls struggle to detect it.
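The persistence step described above leaves a durable artifact: a per-user InprocServer32 value that points at a DLL the attacker controls. As an added example that is not part of the original page or of Sekoia's report, the Python below hunts that artifact in registry telemetry: it scans constructed Sysmon Event ID 13 (RegistryEvent SetValue) style records for per-user CLSID InprocServer32 writes and raises the severity when the DLL sits in a user-writable directory or the writing process is an Office application, which is exactly what a macro-driven registration looks like. The record field names (image, target, details), the SID, the CLSIDs, the file names and the assumption that HKCU is logged as HKU\<SID> are illustrative choices for this example, not indicators from the campaign.

```python
import re

# Per-user COM registration: HKCU\Software\Classes\CLSID\{GUID}\InprocServer32.
# Sysmon (and most EDRs) record HKCU as HKU\<user SID>, so that is the form matched here.
COM_INPROC_RE = re.compile(
    r"^HKU\\S-1-5-21-[\d-]+\\Software\\Classes\\CLSID\\"
    r"\{(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}"
    r"\\InprocServer32(?:\\\(Default\))?$",
    re.IGNORECASE,
)

# Path fragments an unprivileged user can write to; a genuine in-proc server rarely lives there.
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\windows\\temp\\", "\\appdata\\")

# An Office process registering a COM server is the macro-driven chain described on this page.
OFFICE_IMAGES = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}

# Constructed Sysmon Event ID 13 records (hypothetical SID, CLSIDs and file names, not campaign IOCs).
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"HKU\S-1-5-21-1000000000-2000000000-3000000000-1001\Software\Classes\CLSID"
               r"\{A1B2C3D4-0000-4000-8000-000000000001}\InprocServer32\(Default)",
     "details": r"C:\Users\alice\AppData\Local\Temp\form.dll"},
    {"image": r"C:\Windows\explorer.exe",
     "target": r"HKU\S-1-5-21-1000000000-2000000000-3000000000-1001\Software\Classes\CLSID"
               r"\{A1B2C3D4-0000-4000-8000-000000000002}\InprocServer32\(Default)",
     "details": r"C:\Windows\System32\shell32.dll"},
    {"image": r"C:\Windows\System32\msiexec.exe",  # machine-wide registration: not a per-user hijack
     "target": r"HKLM\SOFTWARE\Classes\CLSID\{A1B2C3D4-0000-4000-8000-000000000003}\InprocServer32\(Default)",
     "details": r"C:\Program Files\Vendor\vendor.dll"},
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",  # ordinary Office noise
     "target": r"HKU\S-1-5-21-1000000000-2000000000-3000000000-1001\Software\Microsoft\Office\16.0\Word\Resiliency\StartupItems\x",
     "details": "Binary Data"},
]


def hunt_user_com_hijacks(events):
    """Return one finding per per-user InprocServer32 write, graded by the context around it."""
    findings = []
    for ev in events:
        m = COM_INPROC_RE.match(ev["target"])
        if not m:
            continue  # not a per-user COM server registration
        dll = ev["details"].lower()
        writer = ev["image"].rsplit("\\", 1)[-1].upper()
        reasons = []
        if any(marker in dll for marker in USER_WRITABLE_MARKERS):
            reasons.append("InprocServer32 points into a user-writable directory")
        if writer in OFFICE_IMAGES:
            reasons.append(f"registration written by Office process {writer}")
        findings.append({
            "clsid": m.group("clsid").upper(),
            "dll": ev["details"],
            "writer": writer,
            "severity": "high" if reasons else "medium",
            # A per-user override of any CLSID deserves a look: check what class it shadows in HKLM.
            "reasons": reasons or ["per-user override of a COM class (review which CLSID this shadows)"],
        })
    return findings


if __name__ == "__main__":
    for finding in hunt_user_com_hijacks(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the WINWORD.EXE write to a DLL under the user's Temp directory comes back as high severity with two reasons, the explorer.exe write of a System32 DLL as medium (a per-user override is still worth reviewing, since some per-user installers legitimately write there), and the HKLM and non-COM writes are ignored. On a real data set the medium findings are where you triage by comparing the hijacked CLSID with its HKLM counterpart.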

The loaded DLL then moves to the next stage, which relies on steganography: it extracts shellcode hidden in an otherwise benign-looking PNG image file. The shellcode loads a .NET assembly belonging to the Covenant command and control (C2) framework, specifically the GruntHTTPStager, which establishes a covert channel to the C2 server. In this campaign APT28 used the legitimate cloud storage service Koofr as C2 infrastructure, so the beacon traffic is ordinary HTTPS to a consumer cloud service and blends in with legitimate network activity, further complicating detection. A custom backdoor known as BeardShell is also deployed to give the operators persistent access to the compromised host. Understanding the details of this chain is the basis for hunting it, and the following FSQL queries provide a practical guide to hunting the tactics, techniques and procedures (TTPs) of APT28's Operation Phantom Net Voxel.
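To make the steganography step concrete, here is an added Python example (written for this page, not code from Sekoia, Query or the actual loader) showing how a payload can ride inside a PNG and how an analyst can pull it back out. The page does not say which encoding APT28's DLL uses, so the scheme here, a 4-byte big-endian length followed by the payload in the least-significant bit of successive colour bytes, is an assumption chosen because it is the most common one. The PNG writer and reader are deliberately minimal (8-bit RGB, filter type 0, no Pillow dependency), the gradient cover image is constructed, and the 17-byte "payload" is a NOP sled plus an int3, not campaign shellcode. The `has_lsb_payload` check is the analyst's sanity test: if the decoded length prefix could not fit in the image, the LSB plane is just noise.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(kind: bytes, data: bytes) -> bytes:
    """One PNG chunk: length, type, data, CRC over type+data."""
    return struct.pack(">I", len(data)) + kind + data + struct.pack(">I", zlib.crc32(kind + data))


def write_png(width: int, height: int, rgb: bytes) -> bytes:
    """Encode 8-bit RGB pixels as a PNG, filter type 0 on every scanline (what read_png expects)."""
    stride = width * 3
    raw = b"".join(b"\x00" + rgb[y * stride:(y + 1) * stride] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def read_png(png: bytes):
    """Decode an 8-bit RGB, filter-0 PNG back to (width, height, rgb bytes)."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", 0, 0
    while pos + 8 <= len(png):
        length, kind = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        if kind == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", data[:10])
            if depth != 8 or ctype != 2:
                raise ValueError("only 8-bit RGB is handled here")
        elif kind == b"IDAT":
            idat += data
        elif kind == b"IEND":
            break
        pos += 12 + length
    raw = zlib.decompress(idat)
    stride = width * 3 + 1  # each scanline carries a leading filter byte
    rows = []
    for y in range(height):
        row = raw[y * stride:(y + 1) * stride]
        if row[0] != 0:
            raise ValueError("only filter type 0 is handled here")
        rows.append(row[1:])
    return width, height, b"".join(rows)


def embed_lsb(rgb: bytes, payload: bytes) -> bytes:
    """Hide payload in the low bit of successive colour bytes, after a 4-byte big-endian length."""
    blob = struct.pack(">I", len(payload)) + payload
    if len(blob) * 8 > len(rgb):
        raise ValueError("cover image too small for payload")
    out = bytearray(rgb)
    i = 0
    for byte in blob:
        for shift in range(7, -1, -1):  # MSB first, one bit per colour byte
            out[i] = (out[i] & 0xFE) | ((byte >> shift) & 1)
            i += 1
    return bytes(out)


def _read_lsb(rgb: bytes, offset: int, nbytes: int) -> bytes:
    """Reassemble nbytes from the LSBs starting at colour byte `offset`."""
    out = bytearray()
    for k in range(nbytes):
        byte = 0
        for j in range(8):
            byte = (byte << 1) | (rgb[offset + k * 8 + j] & 1)
        out.append(byte)
    return bytes(out)


def extract_lsb(rgb: bytes) -> bytes:
    """Inverse of embed_lsb. Raises ValueError if the length prefix cannot fit in the image."""
    (length,) = struct.unpack(">I", _read_lsb(rgb, 0, 4))
    if 32 + length * 8 > len(rgb):
        raise ValueError("length prefix exceeds image capacity; LSB plane is probably just noise")
    return _read_lsb(rgb, 32, length)


def has_lsb_payload(png: bytes) -> bool:
    """Analyst-side check: does this PNG carry a length-prefixed LSB blob that fits the image?"""
    try:
        _, _, rgb = read_png(png)
        extract_lsb(rgb)
        return True
    except ValueError:
        return False


def make_cover(width: int, height: int) -> bytes:
    """Constructed gradient cover image, a stand-in for the benign-looking PNG in the report."""
    return bytes((x * 7 + y * 3 + c * 11) % 256 for y in range(height) for x in range(width) for c in range(3))


def demo() -> bytes:
    # Constructed stand-in for shellcode (NOP sled + int3); not the campaign's payload.
    payload = b"\x90" * 16 + b"\xcc"
    png = write_png(64, 32, embed_lsb(make_cover(64, 32), payload))
    _, _, rgb = read_png(png)
    return extract_lsb(rgb)
```

`demo()` writes the stego image, parses it back as an ordinary PNG and recovers the 17 bytes unchanged; the cover image looks identical to a viewer because only the low bit of each colour value moves. The same `read_png` plus `extract_lsb` pair is what you would point at a suspect PNG dropped next to a DLL, bearing in mind that a real loader may use a different bit order, channel selection or length encoding, so a negative result only rules out this particular scheme.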

Query Threat Hunting with FSQL

Query uses FSQL (Federated Search Query Language) to hunt for complex threats across an enterprise environment. FSQL's advantage is that it runs on the Query Federated Security Data Mesh: activity from many technologies is normalized to a common schema, so a single query can search all of them at once. This makes hunting for advanced threats like this one quicker than traditional, tool-by-tool methodologies.

All Query threat hunting examples follow the legacy Sqrrl Threat Hunting Maturity Model (THMM) and its hypothesis-driven process. In those terms, the hunt below is framed as follows:

Statement: "We hypothesize that the threat actor APT28 has targeted our organization as part of Operation Phantom Net Voxel. If so, they have likely delivered a malicious document via phishing which, if executed, would exist on an endpoint with a known-malicious file hash or a specific filename identified in recent threat intelligence."

Adversary: APT28 (Fancy Bear)

Tactic (MITRE ATT&CK®): TA0001 - Initial Access

Technique (MITRE ATT&CK®): T1566.001 - Phishing: Spearphishing Attachment

Test (The Hunt): Execute FSQL Use Cases 1 and 2 to search all endpoints for the file hashes and filenames associated with the campaign. A positive result validates the hypothesis and indicates a potential compromise. A negative result does not disprove it, since hashes and filenames are trivially changed between waves, which is why the technique-level hunts that follow matter as much as the IOC sweep.

Threat Hunting Searches