{"id":6896,"date":"2025-01-13T15:41:42","date_gmt":"2025-01-13T21:41:42","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=83115"},"modified":"2025-01-13T15:41:42","modified_gmt":"2025-01-13T21:41:42","slug":"fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/01\/13\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign\/","title":{"rendered":"Fancy Bear spotted using real Kazak government documents in spearpishing campaign"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v21.7 (Yoast SEO v21.7) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>Fancy Bear spotted using real Kazak government documents in spearpishing campaign | CyberScoop<\/title> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/fancy-bear-kazakhstan-russia-sekoia\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Fancy Bear spotted using real Kazak government documents in spearpishing campaign\"> <meta property=\"og:description\" content=\"The malware-laced files include draft versions of diplomatic statements, correspondence letters, internal administrative notes and other documents.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/fancy-bear-kazakhstan-russia-sekoia\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2025-01-13T21:41:42+00:00\"> <meta property=\"article:modified_time\" content=\"2025-01-13T21:41:43+00:00\"> <meta property=\"og:image\" 
content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign-5.jpg\"> <meta property=\"og:image:width\" content=\"4096\"> <meta property=\"og:image:height\" content=\"2304\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"mbracken\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1732206022g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1736472020g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1732010462g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=ddc036fa194c40cf406f\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/83115\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.7.1\">\n<link rel=\"shortlink\" 
href=\"https:\/\/cyberscoop.com\/?p=83115\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Ffancy-bear-kazakhstan-russia-sekoia%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Ffancy-bear-kazakhstan-russia-sekoia%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-83115 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/fancy-bear-kazakhstan-russia-sekoia\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--event js-stickybar\">\n<div class=\"stickybar__details\" readability=\"5.12\">\n<div class=\"stickybar__info js-sticky-bar-content\" 
readability=\"32\">\n<p>Nominations can be submitted for the 2025 CyberScoop 50 awards!<\/p>\n<\/div>\n<p> <a class=\"stickybar__link button button-tertiary\" href=\"https:\/\/cyberscoop.com\/cyberscoop50\/\">Click here!<\/a> <\/div>\n<p> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"26.07223476298\">\n<div class=\"single-article__header-content\" readability=\"35.957943925234\">\n<p> The malware-laced files include draft versions of diplomatic statements, correspondence letters, internal administrative notes and other documents. <\/p>\n<p> <!-- Listen to this article section --> <!-- Audio Element --><br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/83115\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p> <!-- Countdown Timer --> <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p> <!-- Tooltip --> <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. 
<\/span> <\/p>\n<\/div>\n<p> <!-- End of audio player --> <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"360\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign.jpg?resize=640%2C360&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign-5.jpg 4096w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign-5.jpg?resize=300,168 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign-5.jpg?resize=768,432 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign-5.jpg?resize=1024,576 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign-5.jpg?resize=1536,864 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign-5.jpg?resize=2048,1152 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign-5.jpg?resize=600,337 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign-5.jpg?resize=1200,675 1200w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign-5.jpg?resize=1500,843 1500w\" sizes=\"(max-width: 1200px) 100vw, 1200px\"><figcaption> (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"50.970605878824\"><body readability=\"102.6266786034\"><\/p>\n<p>A hacking group linked to Russian intelligence has been observed leveraging seemingly legitimate documents from the Kazakhstan government as phishing lures to infect and spy on government officials in Central Asia, according to researchers at Sekoia.<\/p>\n<p>The files, laced with malware, include draft versions of diplomatic statements, correspondence letters, internal administrative notes and other documents attributed to the Kazakhstan government between 2021 and 2024. In many cases they appear to match real documents or statements put out by Kazakhstan\u2019s Ministry of Foreign Affairs.<\/p>\n<p>The activity is linked to an intrusion set previously identified by the Ukrainian government in 2023, and one that&nbsp; has been attributed by Ukraine\u2019s CERT and by private threat intelligence firm Recorded Future to APT 28. That group, also known as Fancy Bear, is known to use cyber operations to spy on governments on behalf of the Russian government and is believed to be linked to Moscow\u2019s Main Intelligence Directorate (GRU).<\/p>\n<p>According to previous <a href=\"https:\/\/www.recordedfuture.com\/research\/russia-aligned-tag-110-targets-asia-and-europe\">research<\/a> from Recorded Future, the same campaign has ensnared dozens of victims across Central Asia, East Asia and Europe since July 2024, and includes the use of two pieces of malware \u2014 dubbed HATVIBE and CHERRYSPY \u2014 that were previously attributed to Russian cyber espionage campaigns. 
Ukrainian officials <a href=\"https:\/\/cert.gov.ua\/article\/4697016\">have linked<\/a> the malware to a 2023 compromise of the official email account for the Tajikistan Embassy in Ukraine that was used in follow-up attacks targeting entities in Kazakhstan, Kyrgyzstan, Mongolia, Israel, and India.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cAlthough the infection chain was already partially documented, the ten documents identified by Sekoia exhibit a previously unknown malicious code, while retaining a similar execution structure,\u201d Sekoia researchers Amaury G., Maxime Arandel, Erwan Chevalier and Felix Aim\u00e9 wrote.<\/p>\n<p>When opened, the documents execute a chain of malicious macro files in Word that downgrades the victim device\u2019s security settings, saves variables for HATVIBE on the hard drive and launches a clandestine program designed to run the malware every four minutes.<\/p>\n<figure class=\"wp-block-image\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign.png?w=640&#038;ssl=1\" alt><\/figure>\n<p>Because the chain uses one Word document to open another, the researchers have named the ongoing campaign \u201cDouble-Tap.\u201d<\/p>\n<p>According to Sekoia, the technical details around HATVIBE and its known victim set overlap with ZEBROCY, another backdoor that was used in a similar espionage-minded campaign against Central Asian governments, defense agencies and diplomatic entities. ZEBROCY was also <a href=\"https:\/\/usa.kaspersky.com\/blog\/sofacy-2017-update\/14734\/?srsltid=AfmBOoq6cAYg0NnnS7XNFJ1Xl7rzp4bll7eCOeM6HiTMA5kvQbDZY-1J\">attributed<\/a> to Fancy Bear by Russian cybersecurity firm Kaspersky. 
Sekoia researchers assessed with medium confidence that the activity they were tracking was also tied to the Russian GRU and Fancy Bear.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>HATVIBE operates as loading malware, calling out to various command and control servers to fetch and execute CHERRYSPY, another piece of malware meant to provide persistent, clandestine backdoor access to the victim\u2019s device.<\/p>\n<p>It\u2019s not clear how APT 28 initially obtained the Kazak government files used in the spearphishing attacks. Sekoia researchers suggest that Kazakhstan and its neighboring Central Asian governments were likely primary targets of the campaign, noting that Kazakhstan\u2019s government has drifted away from Russia\u2019s orbit of influence in recent years on issues like the war in Ukraine.<\/p>\n<p>\u201cThose documents may have been exfiltrated through a cyber operation conducted earlier by the same intrusion set, within the same campaign. Yet, we do not have technical evidence to confirm this possibility,\u201d Sekoia researchers wrote. \u201cThe documents may have also been obtained by another intrusion set through cyber operation, open source collection or by a physical operation (stolen laptop by intelligence agents), and then handed to the operators of this campaign to be weaponized.\u201d<\/p>\n<p>Other recent developments, like Kazakhstan\u2019s emerging role as a key trade partner between China and Europe, and the international competition to build its first nuclear power plant, make it a prime target for cyber espionage.
<\/p>\n<p>\u201cUltimately, Russia\u2019s objectives are to ensure Kazakhstan remains politically aligned, to counter the influence of competing powers, and to secure its own economic and strategic foothold in the region,\u201d the researchers wrote.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>For more information on this campaign, including indicators of compromise and detection rules, read <a href=\"https:\/\/blog.sekoia.io\/double-tap-campaign-russia-nexus-apt-possibly-related-to-apt28-conducts-cyber-espionage-on-central-asia-and-kazakhstan-diplomatic-relations\/\">the blog on Sekoia\u2019s website<\/a>.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.6992481203008\">\n<div class=\"author-card\" readability=\"13\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign-1.jpg?w=640&#038;ssl=1\" alt=\"Derek B. Johnson\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Derek B. Johnson<\/h4>\n<p> Derek B. Johnson is a reporter at CyberScoop, where his beat includes cybersecurity, elections and the federal government. Prior to that, he has provided award-winning coverage of cybersecurity news across the public and private sectors for various publications since 2017. Derek has a bachelor\u2019s degree in print journalism from Hofstra University in New York and a master\u2019s degree in public policy from George Mason University in Virginia. 
<\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<div class=\"popular-stories__stories\">\n<div class=\"popular-stories__cards\">\n<article class=\"post-item post-item--popular-stories-cards \" readability=\"20.286206896552\">\n<figure class=\"post-item__thumbnail\"> <a class=\"post-item__thumbnail-link\" href=\"https:\/\/cyberscoop.com\/ukraine-russia-hacking-apt28-trickbot-follina\/\" tabindex=\"-1\"> <img data-recalc-dims=\"1\" loading=\"lazy\" width=\"505\" height=\"337\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign-2.jpg?resize=505%2C337&#038;ssl=1\" class=\"attachment-ratio-16-9-md size-ratio-16-9-md wp-post-image\" alt decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign-6.jpg 1920w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign-6.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign-6.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign-6.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign-6.jpg?resize=1536,1025 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign-6.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign-6.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign-6.jpg?resize=505,337 505w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign-6.jpg?resize=1012,675 1012w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign-6.jpg?resize=1264,843 1264w\" sizes=\"auto, (max-width: 505px) 100vw, 505px\"> <\/a><figcaption class=\"screen-reader-text\"> A general view over the Kyiv skyline and residential buildings after sunset during a curfew on Feb., 2022 in Kyiv, Ukraine. 
(Photo by Chris McGrath\/Getty Images) <\/figcaption><\/figure>\n<header class=\"post-item__meta\" readability=\"1.40625\">\n<h3 class=\"post-item__title\"> <a class=\"post-item__title-link\" href=\"https:\/\/cyberscoop.com\/ukraine-russia-hacking-apt28-trickbot-follina\/\"> Ukrainian cybersecurity officials disclose two new hacking campaigns <\/a> <\/h3>\n<p> Both efforts relied on malicious documents, officials said. <\/p>\n<\/header>\n<p><!-- .post-item__meta --> <\/article>\n<article class=\"post-item post-item--popular-stories-cards \">\n<figure class=\"post-item__thumbnail\"> <a class=\"post-item__thumbnail-link\" href=\"https:\/\/cyberscoop.com\/google-threat-analysis-group-russia-ukraine-china-belarus-hacking\/\" tabindex=\"-1\"> <img data-recalc-dims=\"1\" loading=\"lazy\" width=\"252\" height=\"168\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign-3.jpg?resize=252%2C168&#038;ssl=1\" class=\"attachment-ratio-16-9-sm size-ratio-16-9-sm wp-post-image\" alt decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign-7.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign-7.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign-7.jpg?resize=768,511 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign-7.jpg?resize=1024,682 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign-7.jpg?resize=1536,1022 1536w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign-7.jpg?resize=600,399 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign-7.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign-7.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign-7.jpg?resize=1014,675 1014w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign-7.jpg?resize=1266,843 1266w\" sizes=\"auto, (max-width: 252px) 100vw, 252px\"> <\/a><figcaption class=\"screen-reader-text\"> Ukrainian security forces stand guard with shell-damaged buildings in the background in the northwestern Kyiv suburb of Borodyanka, Ukraine, on April 21, 2022. 
(Photo by Scott Peterson\/Getty Images) <\/figcaption><\/figure>\n<header class=\"post-item__meta\">\n<h3 class=\"post-item__title\"> <a class=\"post-item__title-link\" href=\"https:\/\/cyberscoop.com\/google-threat-analysis-group-russia-ukraine-china-belarus-hacking\/\"> Multiple government hacking groups stay busy targeting Ukraine and the region, Google researchers say <\/a> <\/h3>\n<\/header>\n<p><!-- .post-item__meta --> <\/article>\n<article class=\"post-item post-item--popular-stories-cards \">\n<figure class=\"post-item__thumbnail\"> <a class=\"post-item__thumbnail-link\" href=\"https:\/\/cyberscoop.com\/russia-belarus-china-poland-hack-europe-nato\/\" tabindex=\"-1\"> <img data-recalc-dims=\"1\" loading=\"lazy\" width=\"253\" height=\"168\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign-4.jpg?resize=253%2C168&#038;ssl=1\" class=\"attachment-ratio-16-9-sm size-ratio-16-9-sm wp-post-image\" alt decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign-8.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign-8.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign-8.jpg?resize=768,511 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign-8.jpg?resize=1024,681 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign-8.jpg?resize=1536,1022 1536w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign-8.jpg?resize=600,399 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign-8.jpg?resize=253,168 253w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign-8.jpg?resize=507,337 507w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign-8.jpg?resize=1015,675 1015w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/fancy-bear-spotted-using-real-kazak-government-documents-in-spearpishing-campaign-8.jpg?resize=1267,843 1267w\" sizes=\"auto, (max-width: 253px) 100vw, 253px\"> <\/a><figcaption class=\"screen-reader-text\"> People stand with their luggage as they wait to be relocated from the temporary shelter for refugees in a former shopping center between the Ukrainian border and the Polish city of Przemysl, in Poland, on March 8, 2022. 
(Photo by LOUISA GOULIAMAKI\/AFP via Getty Images) <\/figcaption><\/figure>\n<header class=\"post-item__meta\">\n<h3 class=\"post-item__title\"> <a class=\"post-item__title-link\" href=\"https:\/\/cyberscoop.com\/russia-belarus-china-poland-hack-europe-nato\/\"> Against backdrop of Russian-Ukraine war, researchers witness flurry of nation-aligned hacking <\/a> <\/h3>\n<\/header>\n<p><!-- .post-item__meta --> <\/article>\n<\/p><\/div>\n<\/p><\/div>\n<p><!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/fancy-bear-kazakhstan-russia-sekoia\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Fancy Bear spotted using real Kazak government documents in 
spearpishing<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[3460,1505,466,3461,270,3462,288],"tags":[3463,1508,470,3464,276,3465,294],"class_list":["post-6896","post","type-post","status-publish","format-standard","hentry","category-apt28","category-fancy-bear","category-gru","category-kazakhstan","category-russia","category-sekoia","category-threats","tag-apt28","tag-fancy-bear","tag-gru","tag-kazakhstan","tag-russia","tag-sekoia","tag-threats"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/apt28\/\" rel=\"category tag\">APT28<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/fancy-bear\/\" rel=\"category tag\">Fancy Bear<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/gru\/\" rel=\"category tag\">GRU<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/kazakhstan\/\" rel=\"category tag\">Kazakhstan<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/russia\/\" rel=\"category tag\">Russia<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/sekoia\/\" rel=\"category tag\">Sekoia<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category 
tag\">Threats<\/a>","tag_info":"Threats","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6896","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=6896"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6896\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=6896"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=6896"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=6896"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}