APT28 Expands Financial Targeting with Custom Loader + Banking Trojans
Category: Threat Intelligence / APT
APT28 (Fancy Bear) ran a sophisticated spearphishing campaign against financial institutions from January 15 to March 31, 2023, reportedly compromising dozens of systems. What's notable: the campaign paired a custom malware loader with established banking trojans such as Gozi and TrickBot, a step up in operational sophistication. Highly tailored spearphishing emails bypassed conventional security controls and delivered malware that exploited CVE-2023-1234 and CVE-2023-5678 to gain initial footholds. The custom loader provided persistent backdoor access and staged the deployment of additional payloads. Mandiant analysis suggests the objectives extended beyond typical credential harvesting: the attackers specifically targeted proprietary trading data, indicating a strategic interest in market intelligence or possible financial manipulation.
CORTEX Protocol Intelligence Assessment
The campaign ran for roughly two and a half months, giving APT28 ample time for reconnaissance and data exfiltration. What's interesting: combining custom tooling with known banking trojans shows the group drawing on both bespoke development and proven malware ecosystems. The focus on proprietary trading data rather than only customer credentials suggests possible market-manipulation goals or intelligence collection for state benefit. This follows APT28's established pattern of financial sector targeting.
Strategic Intelligence Guidance
- Campaign timeline: January 15 – March 31, 2023 (roughly two-and-a-half-month operation)
- Initial vector: highly tailored spearphishing emails bypassing conventional filters
- Exploits leveraged: CVE-2023-1234, CVE-2023-5678 for initial access (the source does not name the affected products; verify the identifiers against NVD before building detections or patch priorities on them)
- Malware combination: custom loader + Gozi + TrickBot
- Primary targets: customer banking credentials, proprietary trading data
Impact: Financial (dozens of systems reportedly compromised)
Intelligence Source: APT28 Expands Financial Sector Targeting with Advanced Phishing and Custom Malware | Nov 1, 2025