apt28

CISA added CVE-2026-32202 and CVE-2024-1708 to the Known Exploited Vulnerabilities catalog on April 28, giving federal agencies until May 12 to patch a zero-click NTLM coercion flaw whose Patch Tuesday entry carried no exploitation marker.

APT28 compromised 18,000 routers across 120 countries for credential theft while deploying PRISMEX malware against Ukraine and NATO logistics targets.

Russia's APT28 exploited CVE-2026-21509, a Microsoft Office OLE bypass, within 72 hours of disclosure to hit military targets across six NATO-adjacent countries with steganographic loaders and cloud-based C2.