{"id":13592,"date":"2026-06-13T10:04:02","date_gmt":"2026-06-13T10:04:02","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/06\/13\/fancy-bear-hackers-abuse-edgerouters-and-cloud-services-to-launch-stealthy-cyberattacks\/"},"modified":"2026-06-13T10:04:02","modified_gmt":"2026-06-13T10:04:02","slug":"fancy-bear-hackers-abuse-edgerouters-and-cloud-services-to-launch-stealthy-cyberattacks","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/06\/13\/fancy-bear-hackers-abuse-edgerouters-and-cloud-services-to-launch-stealthy-cyberattacks\/","title":{"rendered":"Fancy Bear Hackers Abuse EdgeRouters and Cloud Services to Launch Stealthy Cyberattacks"},"content":{"rendered":"<p>    Fancy Bear Hackers Abuse EdgeRouters and Cloud Services to Launch Stealthy Cyberattacks<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p class=\"wp-block-paragraph\">One of the most persistent hacking groups in the world has found a new way to stay hidden. <\/p>\n<p class=\"wp-block-paragraph\">The threat actor known as Fancy Bear, formally tracked as APT28 and attributed to Russia\u2019s military intelligence unit GRU Unit 26165, has been quietly shifting how it runs cyberattack operations. <\/p>\n<p class=\"wp-block-paragraph\">Instead of relying on traditional infrastructure, the group now hijacks home routers and consumer devices to build a shadow network nearly impossible to trace.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/d222fa97-34fd-4e8b-81e4-5778ee65b902\/Fancy-Bear-Hackers-Abuse-EdgeRouters-and-Cloud-Services-to-Launch-Stealthy-Cyberattacks.pdf?AWSAccessKeyId=ASIA2F3EMEYES5A534MC&amp;Signature=Lkl9ULXsPW5%2BFzdJWafWSzizC9c%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEFAaCXVzLWVhc3QtMSJHMEUCIDtnEeOFj1lQxAdla5KavhzV%2B%2FBJFBp7J%2FNF%2FHLpu3QmAiEAlctpeSaQldKHPIp%2FoMTDTIcUoezGSl22%2B3VRLWnj%2Bawq8wQIGRABGgw2OTk3NTMzMDk3MDUiDNjxfDQVm3X91Y4IlirQBMdwkOLPuUqRZUlLULbDfgkFedPELQgBWe73kuOo6NndpZ00HbH81kvHeC%2FKd%2FyQ8AbyBXPpIrSEmko1gqqDx1JVoVCIPtqWs5Fe4Krk9ynQkkKnm1FKUpZjNeONA8XCE%2FpBiiqgfjr9xKZY2BH47ilazgvBd46P6DjhLQr7dUarNYsgvUZA9Vc2TVZHs5rKEAntMimv%2BmQ69hOboWNVp%2BFD4imDM125EPVnbMRHilj%2Bvo%2BmKzS%2FnrxC0j%2F%2Bq1en7akXqZ2O7sMNOTIO5NKMo8HtznNlrI72y1tbbsfxAVvXHejapfzeB%2BU49NvASBJyQ2fqhtJnwO%2F5wOh5gI4twK5jLMDQ1hZV37VU97S0%2FluGhACjZmXUxKY8OQM3VMMBH6Ke8ZLFfR8AUq0%2FNQuHbSwzuirTMaKzvfX8U03XipQ7Vm1rLL5nM6av9qAqr5YJQuWR2zz3ZKrABIW%2Fp%2FcbcjfAOqOBMbTktVUtr9Fzg8T1pl4O82Y9%2BDJzfXEM0%2B7cG%2Fm6eR%2BkKOLmyESxfbjn2fj8cH5iSoST8VcvvjIXsdvFenT6SuaR2D%2BJb%2BkvHZhnU29RbvO48%2BngqkPxDIuev2sgebaBeUag3h7JQx%2BLBmwU%2FU7PgPyB1ayj5rtoRWTapMX%2Fi%2BjJHPv0QUV9ARtTcbNOnEX%2Ft1nxIrJ7%2B%2BpMNuBY4k079%2BoPlYT7hNd%2BkDJ4LdeLOs%2BhZPw68w4JEDDK12VmMscla4tDegnDfvXG5xtpxTbmVSIbeFDcCHiQgWOXa60udgONEQIZcUI6JX4tqvsw2cmw0QY6mAHOd8OnqTmdiCNyEwg4Ew1UhazTJ1dMypL7jhKu4U0hRf36URLSTS8lEoUPTm786N1ucZWsQKgR8iTDIIuRHXQ2UYIJ9s0voWfNKa1NYAxHNso0l7vec%2B63TA0A65%2BJarKsqCNzxfKaTYZ8AwpADFf3wdpxSNHkqrXbTpBn6f3KcjkhGJdXlaqoWwdzww7I1NLX%2BETnNI5bWw%3D%3D&amp;Expires=1781281452\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">For over two decades, APT28 has targeted government bodies, defense organizations, diplomatic missions, and critical infrastructure, focusing heavily on NATO member states and Ukraine. <\/p>\n<p class=\"wp-block-paragraph\">The group operates under more than 30 known aliases, including Forest Blizzard, Sofacy, Pawn Storm, and Sednit. What makes its latest campaign especially alarming is how invisible it has become, with attack traffic blending into normal internet activity.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/d222fa97-34fd-4e8b-81e4-5778ee65b902\/Fancy-Bear-Hackers-Abuse-EdgeRouters-and-Cloud-Services-to-Launch-Stealthy-Cyberattacks.pdf?AWSAccessKeyId=ASIA2F3EMEYES5A534MC&amp;Signature=Lkl9ULXsPW5%2BFzdJWafWSzizC9c%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEFAaCXVzLWVhc3QtMSJHMEUCIDtnEeOFj1lQxAdla5KavhzV%2B%2FBJFBp7J%2FNF%2FHLpu3QmAiEAlctpeSaQldKHPIp%2FoMTDTIcUoezGSl22%2B3VRLWnj%2Bawq8wQIGRABGgw2OTk3NTMzMDk3MDUiDNjxfDQVm3X91Y4IlirQBMdwkOLPuUqRZUlLULbDfgkFedPELQgBWe73kuOo6NndpZ00HbH81kvHeC%2FKd%2FyQ8AbyBXPpIrSEmko1gqqDx1JVoVCIPtqWs5Fe4Krk9ynQkkKnm1FKUpZjNeONA8XCE%2FpBiiqgfjr9xKZY2BH47ilazgvBd46P6DjhLQr7dUarNYsgvUZA9Vc2TVZHs5rKEAntMimv%2BmQ69hOboWNVp%2BFD4imDM125EPVnbMRHilj%2Bvo%2BmKzS%2FnrxC0j%2F%2Bq1en7akXqZ2O7sMNOTIO5NKMo8HtznNlrI72y1tbbsfxAVvXHejapfzeB%2BU49NvASBJyQ2fqhtJnwO%2F5wOh5gI4twK5jLMDQ1hZV37VU97S0%2FluGhACjZmXUxKY8OQM3VMMBH6Ke8ZLFfR8AUq0%2FNQuHbSwzuirTMaKzvfX8U03XipQ7Vm1rLL5nM6av9qAqr5YJQuWR2zz3ZKrABIW%2Fp%2FcbcjfAOqOBMbTktVUtr9Fzg8T1pl4O82Y9%2BDJzfXEM0%2B7cG%2Fm6eR%2BkKOLmyESxfbjn2fj8cH5iSoST8VcvvjIXsdvFenT6SuaR2D%2BJb%2BkvHZhnU29RbvO48%2BngqkPxDIuev2sgebaBeUag3h7JQx%2BLBmwU%2FU7PgPyB1ayj5rtoRWTapMX%2Fi%2BjJHPv0QUV9ARtTcbNOnEX%2Ft1nxIrJ7%2B%2BpMNuBY4k079%2BoPlYT7hNd%2BkDJ4LdeLOs%2BhZPw68w4JEDDK12VmMscla4tDegnDfvXG5xtpxTbmVSIbeFDcCHiQgWOXa60udgONEQIZcUI6JX4tqvsw2cmw0QY6mAHOd8OnqTmdiCNyEwg4Ew1UhazTJ1dMypL7jhKu4U0hRf36URLSTS8lEoUPTm786N1ucZWsQKgR8iTDIIuRHXQ2UYIJ9s0voWfNKa1NYAxHNso0l7vec%2B63TA0A65%2BJarKsqCNzxfKaTYZ8AwpADFf3wdpxSNHkqrXbTpBn6f3KcjkhGJdXlaqoWwdzww7I1NLX%2BETnNI5bWw%3D%3D&amp;Expires=1781281452\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">Analysts from\u00a0Sekoia, who have been tracking APT28 for several years, identified a significant structural shift in how the group manages its attack infrastructure. <\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/blog.sekoia.io\/apt28-an-evolution-of-tradecraft\/\" id=\"https:\/\/blog.sekoia.io\/apt28-an-evolution-of-tradecraft\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Sekoia said in a report<\/a> shared with\u00a0Cyber Security News (CSN)\u00a0that APT28 moved large portions of its operations onto compromised SOHO routers and edge devices, replacing rented virtual private servers it previously used as command centers.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/d222fa97-34fd-4e8b-81e4-5778ee65b902\/Fancy-Bear-Hackers-Abuse-EdgeRouters-and-Cloud-Services-to-Launch-Stealthy-Cyberattacks.pdf?AWSAccessKeyId=ASIA2F3EMEYES5A534MC&amp;Signature=Lkl9ULXsPW5%2BFzdJWafWSzizC9c%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEFAaCXVzLWVhc3QtMSJHMEUCIDtnEeOFj1lQxAdla5KavhzV%2B%2FBJFBp7J%2FNF%2FHLpu3QmAiEAlctpeSaQldKHPIp%2FoMTDTIcUoezGSl22%2B3VRLWnj%2Bawq8wQIGRABGgw2OTk3NTMzMDk3MDUiDNjxfDQVm3X91Y4IlirQBMdwkOLPuUqRZUlLULbDfgkFedPELQgBWe73kuOo6NndpZ00HbH81kvHeC%2FKd%2FyQ8AbyBXPpIrSEmko1gqqDx1JVoVCIPtqWs5Fe4Krk9ynQkkKnm1FKUpZjNeONA8XCE%2FpBiiqgfjr9xKZY2BH47ilazgvBd46P6DjhLQr7dUarNYsgvUZA9Vc2TVZHs5rKEAntMimv%2BmQ69hOboWNVp%2BFD4imDM125EPVnbMRHilj%2Bvo%2BmKzS%2FnrxC0j%2F%2Bq1en7akXqZ2O7sMNOTIO5NKMo8HtznNlrI72y1tbbsfxAVvXHejapfzeB%2BU49NvASBJyQ2fqhtJnwO%2F5wOh5gI4twK5jLMDQ1hZV37VU97S0%2FluGhACjZmXUxKY8OQM3VMMBH6Ke8ZLFfR8AUq0%2FNQuHbSwzuirTMaKzvfX8U03XipQ7Vm1rLL5nM6av9qAqr5YJQuWR2zz3ZKrABIW%2Fp%2FcbcjfAOqOBMbTktVUtr9Fzg8T1pl4O82Y9%2BDJzfXEM0%2B7cG%2Fm6eR%2BkKOLmyESxfbjn2fj8cH5iSoST8VcvvjIXsdvFenT6SuaR2D%2BJb%2BkvHZhnU29RbvO48%2BngqkPxDIuev2sgebaBeUag3h7JQx%2BLBmwU%2FU7PgPyB1ayj5rtoRWTapMX%2Fi%2BjJHPv0QUV9ARtTcbNOnEX%2Ft1nxIrJ7%2B%2BpMNuBY4k079%2BoPlYT7hNd%2BkDJ4LdeLOs%2BhZPw68w4JEDDK12VmMscla4tDegnDfvXG5xtpxTbmVSIbeFDcCHiQgWOXa60udgONEQIZcUI6JX4tqvsw2cmw0QY6mAHOd8OnqTmdiCNyEwg4Ew1UhazTJ1dMypL7jhKu4U0hRf36URLSTS8lEoUPTm786N1ucZWsQKgR8iTDIIuRHXQ2UYIJ9s0voWfNKa1NYAxHNso0l7vec%2B63TA0A65%2BJarKsqCNzxfKaTYZ8AwpADFf3wdpxSNHkqrXbTpBn6f3KcjkhGJdXlaqoWwdzww7I1NLX%2BETnNI5bWw%3D%3D&amp;Expires=1781281452\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">The scale of this infrastructure is striking. At its peak in December 2025, researchers observed more than 18,000 unique IP addresses across 120 countries communicating with APT28-controlled servers. <\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg6EMSuKRz6ZQxvx2uckT-xL4XG7Ogzx8hSNpNNud7R54DXnWXAtKkdS04o-rhDigKgM6vHzjcIcyl2Y_Di6aAY5YWHPku6zFe2cpwq2TBxE7ZhJ-_sxHBv3hntR50vBYIut9-9wKjzDU1pQM3GK-QqdPmNQimJCRlYk6P44yMb83iOFxLUS0kKmqmptzg\/s16000\/Timeline%2520%28Source%2520-%2520Sekoia%29.webp?ssl=1\" alt=\"Timeline (Source - Sekoia)\"><figcaption class=\"wp-element-caption\">Timeline (Source \u2013 Sekoia)<\/figcaption><\/figure>\n<\/div>\n<p class=\"wp-block-paragraph\">Around 200 organizations and 5,000 consumer devices were affected, with victims coming primarily from foreign ministries, law enforcement agencies, and IT hosting providers.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/d222fa97-34fd-4e8b-81e4-5778ee65b902\/Fancy-Bear-Hackers-Abuse-EdgeRouters-and-Cloud-Services-to-Launch-Stealthy-Cyberattacks.pdf?AWSAccessKeyId=ASIA2F3EMEYES5A534MC&amp;Signature=Lkl9ULXsPW5%2BFzdJWafWSzizC9c%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEFAaCXVzLWVhc3QtMSJHMEUCIDtnEeOFj1lQxAdla5KavhzV%2B%2FBJFBp7J%2FNF%2FHLpu3QmAiEAlctpeSaQldKHPIp%2FoMTDTIcUoezGSl22%2B3VRLWnj%2Bawq8wQIGRABGgw2OTk3NTMzMDk3MDUiDNjxfDQVm3X91Y4IlirQBMdwkOLPuUqRZUlLULbDfgkFedPELQgBWe73kuOo6NndpZ00HbH81kvHeC%2FKd%2FyQ8AbyBXPpIrSEmko1gqqDx1JVoVCIPtqWs5Fe4Krk9ynQkkKnm1FKUpZjNeONA8XCE%2FpBiiqgfjr9xKZY2BH47ilazgvBd46P6DjhLQr7dUarNYsgvUZA9Vc2TVZHs5rKEAntMimv%2BmQ69hOboWNVp%2BFD4imDM125EPVnbMRHilj%2Bvo%2BmKzS%2FnrxC0j%2F%2Bq1en7akXqZ2O7sMNOTIO5NKMo8HtznNlrI72y1tbbsfxAVvXHejapfzeB%2BU49NvASBJyQ2fqhtJnwO%2F5wOh5gI4twK5jLMDQ1hZV37VU97S0%2FluGhACjZmXUxKY8OQM3VMMBH6Ke8ZLFfR8AUq0%2FNQuHbSwzuirTMaKzvfX8U03XipQ7Vm1rLL5nM6av9qAqr5YJQuWR2zz3ZKrABIW%2Fp%2FcbcjfAOqOBMbTktVUtr9Fzg8T1pl4O82Y9%2BDJzfXEM0%2B7cG%2Fm6eR%2BkKOLmyESxfbjn2fj8cH5iSoST8VcvvjIXsdvFenT6SuaR2D%2BJb%2BkvHZhnU29RbvO48%2BngqkPxDIuev2sgebaBeUag3h7JQx%2BLBmwU%2FU7PgPyB1ayj5rtoRWTapMX%2Fi%2BjJHPv0QUV9ARtTcbNOnEX%2Ft1nxIrJ7%2B%2BpMNuBY4k079%2BoPlYT7hNd%2BkDJ4LdeLOs%2BhZPw68w4JEDDK12VmMscla4tDegnDfvXG5xtpxTbmVSIbeFDcCHiQgWOXa60udgONEQIZcUI6JX4tqvsw2cmw0QY6mAHOd8OnqTmdiCNyEwg4Ew1UhazTJ1dMypL7jhKu4U0hRf36URLSTS8lEoUPTm786N1ucZWsQKgR8iTDIIuRHXQ2UYIJ9s0voWfNKa1NYAxHNso0l7vec%2B63TA0A65%2BJarKsqCNzxfKaTYZ8AwpADFf3wdpxSNHkqrXbTpBn6f3KcjkhGJdXlaqoWwdzww7I1NLX%2BETnNI5bWw%3D%3D&amp;Expires=1781281452\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">APT28\u2019s tradecraft has also evolved sharply. The group shifted from a stable malware framework to deploying short-lived, single-purpose tools discarded the moment they are exposed. <\/p>\n<p class=\"wp-block-paragraph\">It also experimented with an <a href=\"https:\/\/cybersecuritynews.com\/k2-think-ai-model-jailbroken\/\" id=\"125970\" target=\"_blank\" rel=\"noreferrer noopener\">AI-driven infostealer called LameHug, which queries a live AI model<\/a> to generate attack commands on the fly. <\/p>\n<p class=\"wp-block-paragraph\">This blend of disposable tools, cloud abuse, and router hijacking makes APT28 one of the most capable threat actors active today.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/d222fa97-34fd-4e8b-81e4-5778ee65b902\/Fancy-Bear-Hackers-Abuse-EdgeRouters-and-Cloud-Services-to-Launch-Stealthy-Cyberattacks.pdf?AWSAccessKeyId=ASIA2F3EMEYES5A534MC&amp;Signature=Lkl9ULXsPW5%2BFzdJWafWSzizC9c%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEFAaCXVzLWVhc3QtMSJHMEUCIDtnEeOFj1lQxAdla5KavhzV%2B%2FBJFBp7J%2FNF%2FHLpu3QmAiEAlctpeSaQldKHPIp%2FoMTDTIcUoezGSl22%2B3VRLWnj%2Bawq8wQIGRABGgw2OTk3NTMzMDk3MDUiDNjxfDQVm3X91Y4IlirQBMdwkOLPuUqRZUlLULbDfgkFedPELQgBWe73kuOo6NndpZ00HbH81kvHeC%2FKd%2FyQ8AbyBXPpIrSEmko1gqqDx1JVoVCIPtqWs5Fe4Krk9ynQkkKnm1FKUpZjNeONA8XCE%2FpBiiqgfjr9xKZY2BH47ilazgvBd46P6DjhLQr7dUarNYsgvUZA9Vc2TVZHs5rKEAntMimv%2BmQ69hOboWNVp%2BFD4imDM125EPVnbMRHilj%2Bvo%2BmKzS%2FnrxC0j%2F%2Bq1en7akXqZ2O7sMNOTIO5NKMo8HtznNlrI72y1tbbsfxAVvXHejapfzeB%2BU49NvASBJyQ2fqhtJnwO%2F5wOh5gI4twK5jLMDQ1hZV37VU97S0%2FluGhACjZmXUxKY8OQM3VMMBH6Ke8ZLFfR8AUq0%2FNQuHbSwzuirTMaKzvfX8U03XipQ7Vm1rLL5nM6av9qAqr5YJQuWR2zz3ZKrABIW%2Fp%2FcbcjfAOqOBMbTktVUtr9Fzg8T1pl4O82Y9%2BDJzfXEM0%2B7cG%2Fm6eR%2BkKOLmyESxfbjn2fj8cH5iSoST8VcvvjIXsdvFenT6SuaR2D%2BJb%2BkvHZhnU29RbvO48%2BngqkPxDIuev2sgebaBeUag3h7JQx%2BLBmwU%2FU7PgPyB1ayj5rtoRWTapMX%2Fi%2BjJHPv0QUV9ARtTcbNOnEX%2Ft1nxIrJ7%2B%2BpMNuBY4k079%2BoPlYT7hNd%2BkDJ4LdeLOs%2BhZPw68w4JEDDK12VmMscla4tDegnDfvXG5xtpxTbmVSIbeFDcCHiQgWOXa60udgONEQIZcUI6JX4tqvsw2cmw0QY6mAHOd8OnqTmdiCNyEwg4Ew1UhazTJ1dMypL7jhKu4U0hRf36URLSTS8lEoUPTm786N1ucZWsQKgR8iTDIIuRHXQ2UYIJ9s0voWfNKa1NYAxHNso0l7vec%2B63TA0A65%2BJarKsqCNzxfKaTYZ8AwpADFf3wdpxSNHkqrXbTpBn6f3KcjkhGJdXlaqoWwdzww7I1NLX%2BETnNI5bWw%3D%3D&amp;Expires=1781281452\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<h2 id=\"h-fancy-bear-hackers-abuse-edgerouters-and-cloud-services\" class=\"wp-block-heading\"><strong>Fancy Bear Hackers Abuse EdgeRouters and Cloud Services<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">The most significant tactical shift is APT28\u2019s takeover of consumer-grade routers. The group repurposed a criminal botnet built with the MooBot malware, seizing control of hundreds of Ubiquiti EdgeRouters in April 2022. <\/p>\n<p class=\"wp-block-paragraph\">The botnet served three purposes: relaying stolen authentication hashes toward Microsoft Exchange, hosting phishing pages on residential IP addresses, and running custom Python scripts on the hijacked routers.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/d222fa97-34fd-4e8b-81e4-5778ee65b902\/Fancy-Bear-Hackers-Abuse-EdgeRouters-and-Cloud-Services-to-Launch-Stealthy-Cyberattacks.pdf?AWSAccessKeyId=ASIA2F3EMEYES5A534MC&amp;Signature=Lkl9ULXsPW5%2BFzdJWafWSzizC9c%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEFAaCXVzLWVhc3QtMSJHMEUCIDtnEeOFj1lQxAdla5KavhzV%2B%2FBJFBp7J%2FNF%2FHLpu3QmAiEAlctpeSaQldKHPIp%2FoMTDTIcUoezGSl22%2B3VRLWnj%2Bawq8wQIGRABGgw2OTk3NTMzMDk3MDUiDNjxfDQVm3X91Y4IlirQBMdwkOLPuUqRZUlLULbDfgkFedPELQgBWe73kuOo6NndpZ00HbH81kvHeC%2FKd%2FyQ8AbyBXPpIrSEmko1gqqDx1JVoVCIPtqWs5Fe4Krk9ynQkkKnm1FKUpZjNeONA8XCE%2FpBiiqgfjr9xKZY2BH47ilazgvBd46P6DjhLQr7dUarNYsgvUZA9Vc2TVZHs5rKEAntMimv%2BmQ69hOboWNVp%2BFD4imDM125EPVnbMRHilj%2Bvo%2BmKzS%2FnrxC0j%2F%2Bq1en7akXqZ2O7sMNOTIO5NKMo8HtznNlrI72y1tbbsfxAVvXHejapfzeB%2BU49NvASBJyQ2fqhtJnwO%2F5wOh5gI4twK5jLMDQ1hZV37VU97S0%2FluGhACjZmXUxKY8OQM3VMMBH6Ke8ZLFfR8AUq0%2FNQuHbSwzuirTMaKzvfX8U03XipQ7Vm1rLL5nM6av9qAqr5YJQuWR2zz3ZKrABIW%2Fp%2FcbcjfAOqOBMbTktVUtr9Fzg8T1pl4O82Y9%2BDJzfXEM0%2B7cG%2Fm6eR%2BkKOLmyESxfbjn2fj8cH5iSoST8VcvvjIXsdvFenT6SuaR2D%2BJb%2BkvHZhnU29RbvO48%2BngqkPxDIuev2sgebaBeUag3h7JQx%2BLBmwU%2FU7PgPyB1ayj5rtoRWTapMX%2Fi%2BjJHPv0QUV9ARtTcbNOnEX%2Ft1nxIrJ7%2B%2BpMNuBY4k079%2BoPlYT7hNd%2BkDJ4LdeLOs%2BhZPw68w4JEDDK12VmMscla4tDegnDfvXG5xtpxTbmVSIbeFDcCHiQgWOXa60udgONEQIZcUI6JX4tqvsw2cmw0QY6mAHOd8OnqTmdiCNyEwg4Ew1UhazTJ1dMypL7jhKu4U0hRf36URLSTS8lEoUPTm786N1ucZWsQKgR8iTDIIuRHXQ2UYIJ9s0voWfNKa1NYAxHNso0l7vec%2B63TA0A65%2BJarKsqCNzxfKaTYZ8AwpADFf3wdpxSNHkqrXbTpBn6f3KcjkhGJdXlaqoWwdzww7I1NLX%2BETnNI5bWw%3D%3D&amp;Expires=1781281452\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">The FBI\u2019s Operation Dying Ember dismantled this network in 2024. Even after the takedown, <a href=\"https:\/\/cybersecuritynews.com\/infostealers-to-hijack-legitimate-business-infrastructure\/\" id=\"138553\" target=\"_blank\" rel=\"noreferrer noopener\">more than 350 datacenter servers were still calling back to attacker infrastructure<\/a>, showing just how hard this kind of botnet is to fully uproot.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/d222fa97-34fd-4e8b-81e4-5778ee65b902\/Fancy-Bear-Hackers-Abuse-EdgeRouters-and-Cloud-Services-to-Launch-Stealthy-Cyberattacks.pdf?AWSAccessKeyId=ASIA2F3EMEYES5A534MC&amp;Signature=Lkl9ULXsPW5%2BFzdJWafWSzizC9c%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEFAaCXVzLWVhc3QtMSJHMEUCIDtnEeOFj1lQxAdla5KavhzV%2B%2FBJFBp7J%2FNF%2FHLpu3QmAiEAlctpeSaQldKHPIp%2FoMTDTIcUoezGSl22%2B3VRLWnj%2Bawq8wQIGRABGgw2OTk3NTMzMDk3MDUiDNjxfDQVm3X91Y4IlirQBMdwkOLPuUqRZUlLULbDfgkFedPELQgBWe73kuOo6NndpZ00HbH81kvHeC%2FKd%2FyQ8AbyBXPpIrSEmko1gqqDx1JVoVCIPtqWs5Fe4Krk9ynQkkKnm1FKUpZjNeONA8XCE%2FpBiiqgfjr9xKZY2BH47ilazgvBd46P6DjhLQr7dUarNYsgvUZA9Vc2TVZHs5rKEAntMimv%2BmQ69hOboWNVp%2BFD4imDM125EPVnbMRHilj%2Bvo%2BmKzS%2FnrxC0j%2F%2Bq1en7akXqZ2O7sMNOTIO5NKMo8HtznNlrI72y1tbbsfxAVvXHejapfzeB%2BU49NvASBJyQ2fqhtJnwO%2F5wOh5gI4twK5jLMDQ1hZV37VU97S0%2FluGhACjZmXUxKY8OQM3VMMBH6Ke8ZLFfR8AUq0%2FNQuHbSwzuirTMaKzvfX8U03XipQ7Vm1rLL5nM6av9qAqr5YJQuWR2zz3ZKrABIW%2Fp%2FcbcjfAOqOBMbTktVUtr9Fzg8T1pl4O82Y9%2BDJzfXEM0%2B7cG%2Fm6eR%2BkKOLmyESxfbjn2fj8cH5iSoST8VcvvjIXsdvFenT6SuaR2D%2BJb%2BkvHZhnU29RbvO48%2BngqkPxDIuev2sgebaBeUag3h7JQx%2BLBmwU%2FU7PgPyB1ayj5rtoRWTapMX%2Fi%2BjJHPv0QUV9ARtTcbNOnEX%2Ft1nxIrJ7%2B%2BpMNuBY4k079%2BoPlYT7hNd%2BkDJ4LdeLOs%2BhZPw68w4JEDDK12VmMscla4tDegnDfvXG5xtpxTbmVSIbeFDcCHiQgWOXa60udgONEQIZcUI6JX4tqvsw2cmw0QY6mAHOd8OnqTmdiCNyEwg4Ew1UhazTJ1dMypL7jhKu4U0hRf36URLSTS8lEoUPTm786N1ucZWsQKgR8iTDIIuRHXQ2UYIJ9s0voWfNKa1NYAxHNso0l7vec%2B63TA0A65%2BJarKsqCNzxfKaTYZ8AwpADFf3wdpxSNHkqrXbTpBn6f3KcjkhGJdXlaqoWwdzww7I1NLX%2BETnNI5bWw%3D%3D&amp;Expires=1781281452\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">In 2026, APT28 broadened the same approach with a campaign called FrostArmada, this time targeting MikroTik and TP-Link routers. The attackers rewrote DNS settings to redirect traffic through their own controlled servers. <\/p>\n<p class=\"wp-block-paragraph\">Every device on affected networks would unknowingly funnel its login requests through APT28 nodes, enabling silent theft of credentials and OAuth tokens for services like Microsoft 365.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/d222fa97-34fd-4e8b-81e4-5778ee65b902\/Fancy-Bear-Hackers-Abuse-EdgeRouters-and-Cloud-Services-to-Launch-Stealthy-Cyberattacks.pdf?AWSAccessKeyId=ASIA2F3EMEYES5A534MC&amp;Signature=Lkl9ULXsPW5%2BFzdJWafWSzizC9c%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEFAaCXVzLWVhc3QtMSJHMEUCIDtnEeOFj1lQxAdla5KavhzV%2B%2FBJFBp7J%2FNF%2FHLpu3QmAiEAlctpeSaQldKHPIp%2FoMTDTIcUoezGSl22%2B3VRLWnj%2Bawq8wQIGRABGgw2OTk3NTMzMDk3MDUiDNjxfDQVm3X91Y4IlirQBMdwkOLPuUqRZUlLULbDfgkFedPELQgBWe73kuOo6NndpZ00HbH81kvHeC%2FKd%2FyQ8AbyBXPpIrSEmko1gqqDx1JVoVCIPtqWs5Fe4Krk9ynQkkKnm1FKUpZjNeONA8XCE%2FpBiiqgfjr9xKZY2BH47ilazgvBd46P6DjhLQr7dUarNYsgvUZA9Vc2TVZHs5rKEAntMimv%2BmQ69hOboWNVp%2BFD4imDM125EPVnbMRHilj%2Bvo%2BmKzS%2FnrxC0j%2F%2Bq1en7akXqZ2O7sMNOTIO5NKMo8HtznNlrI72y1tbbsfxAVvXHejapfzeB%2BU49NvASBJyQ2fqhtJnwO%2F5wOh5gI4twK5jLMDQ1hZV37VU97S0%2FluGhACjZmXUxKY8OQM3VMMBH6Ke8ZLFfR8AUq0%2FNQuHbSwzuirTMaKzvfX8U03XipQ7Vm1rLL5nM6av9qAqr5YJQuWR2zz3ZKrABIW%2Fp%2FcbcjfAOqOBMbTktVUtr9Fzg8T1pl4O82Y9%2BDJzfXEM0%2B7cG%2Fm6eR%2BkKOLmyESxfbjn2fj8cH5iSoST8VcvvjIXsdvFenT6SuaR2D%2BJb%2BkvHZhnU29RbvO48%2BngqkPxDIuev2sgebaBeUag3h7JQx%2BLBmwU%2FU7PgPyB1ayj5rtoRWTapMX%2Fi%2BjJHPv0QUV9ARtTcbNOnEX%2Ft1nxIrJ7%2B%2BpMNuBY4k079%2BoPlYT7hNd%2BkDJ4LdeLOs%2BhZPw68w4JEDDK12VmMscla4tDegnDfvXG5xtpxTbmVSIbeFDcCHiQgWOXa60udgONEQIZcUI6JX4tqvsw2cmw0QY6mAHOd8OnqTmdiCNyEwg4Ew1UhazTJ1dMypL7jhKu4U0hRf36URLSTS8lEoUPTm786N1ucZWsQKgR8iTDIIuRHXQ2UYIJ9s0voWfNKa1NYAxHNso0l7vec%2B63TA0A65%2BJarKsqCNzxfKaTYZ8AwpADFf3wdpxSNHkqrXbTpBn6f3KcjkhGJdXlaqoWwdzww7I1NLX%2BETnNI5bWw%3D%3D&amp;Expires=1781281452\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<h2 id=\"h-cloud-services-as-a-covert-command-channel\" class=\"wp-block-heading\"><strong>Cloud Services as a Covert Command Channel<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">Beyond router hijacking, APT28 routes malware communications through legitimate cloud platforms to avoid detection. <\/p>\n<p class=\"wp-block-paragraph\">In Operation Phantom Net Voxel, <a href=\"https:\/\/cybersecuritynews.com\/attackers-turn-qemu-into-a-stealth-backdoor\/\" id=\"147947\" target=\"_blank\" rel=\"noreferrer noopener\">the group deployed a custom C++ backdoor called BeardShell<\/a>, which uses a cloud storage API as its command channel. To anyone monitoring the traffic, it looks like a connection to a trusted cloud service.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/d222fa97-34fd-4e8b-81e4-5778ee65b902\/Fancy-Bear-Hackers-Abuse-EdgeRouters-and-Cloud-Services-to-Launch-Stealthy-Cyberattacks.pdf?AWSAccessKeyId=ASIA2F3EMEYES5A534MC&amp;Signature=Lkl9ULXsPW5%2BFzdJWafWSzizC9c%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEFAaCXVzLWVhc3QtMSJHMEUCIDtnEeOFj1lQxAdla5KavhzV%2B%2FBJFBp7J%2FNF%2FHLpu3QmAiEAlctpeSaQldKHPIp%2FoMTDTIcUoezGSl22%2B3VRLWnj%2Bawq8wQIGRABGgw2OTk3NTMzMDk3MDUiDNjxfDQVm3X91Y4IlirQBMdwkOLPuUqRZUlLULbDfgkFedPELQgBWe73kuOo6NndpZ00HbH81kvHeC%2FKd%2FyQ8AbyBXPpIrSEmko1gqqDx1JVoVCIPtqWs5Fe4Krk9ynQkkKnm1FKUpZjNeONA8XCE%2FpBiiqgfjr9xKZY2BH47ilazgvBd46P6DjhLQr7dUarNYsgvUZA9Vc2TVZHs5rKEAntMimv%2BmQ69hOboWNVp%2BFD4imDM125EPVnbMRHilj%2Bvo%2BmKzS%2FnrxC0j%2F%2Bq1en7akXqZ2O7sMNOTIO5NKMo8HtznNlrI72y1tbbsfxAVvXHejapfzeB%2BU49NvASBJyQ2fqhtJnwO%2F5wOh5gI4twK5jLMDQ1hZV37VU97S0%2FluGhACjZmXUxKY8OQM3VMMBH6Ke8ZLFfR8AUq0%2FNQuHbSwzuirTMaKzvfX8U03XipQ7Vm1rLL5nM6av9qAqr5YJQuWR2zz3ZKrABIW%2Fp%2FcbcjfAOqOBMbTktVUtr9Fzg8T1pl4O82Y9%2BDJzfXEM0%2B7cG%2Fm6eR%2BkKOLmyESxfbjn2fj8cH5iSoST8VcvvjIXsdvFenT6SuaR2D%2BJb%2BkvHZhnU29RbvO48%2BngqkPxDIuev2sgebaBeUag3h7JQx%2BLBmwU%2FU7PgPyB1ayj5rtoRWTapMX%2Fi%2BjJHPv0QUV9ARtTcbNOnEX%2Ft1nxIrJ7%2B%2BpMNuBY4k079%2BoPlYT7hNd%2BkDJ4LdeLOs%2BhZPw68w4JEDDK12VmMscla4tDegnDfvXG5xtpxTbmVSIbeFDcCHiQgWOXa60udgONEQIZcUI6JX4tqvsw2cmw0QY6mAHOd8OnqTmdiCNyEwg4Ew1UhazTJ1dMypL7jhKu4U0hRf36URLSTS8lEoUPTm786N1ucZWsQKgR8iTDIIuRHXQ2UYIJ9s0voWfNKa1NYAxHNso0l7vec%2B63TA0A65%2BJarKsqCNzxfKaTYZ8AwpADFf3wdpxSNHkqrXbTpBn6f3KcjkhGJdXlaqoWwdzww7I1NLX%2BETnNI5bWw%3D%3D&amp;Expires=1781281452\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">The group can swap cloud providers easily. Researchers observed the same attack chain reused with a different file-hosting platform months later, confirming that rotating the cloud backend is now routine. <\/p>\n<p class=\"wp-block-paragraph\">A keylogger called Slimagent, found on the same operator infrastructure, was linked to direct code lineage from X-Agent, APT28\u2019s signature implant used over a decade ago.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/d222fa97-34fd-4e8b-81e4-5778ee65b902\/Fancy-Bear-Hackers-Abuse-EdgeRouters-and-Cloud-Services-to-Launch-Stealthy-Cyberattacks.pdf?AWSAccessKeyId=ASIA2F3EMEYES5A534MC&amp;Signature=Lkl9ULXsPW5%2BFzdJWafWSzizC9c%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEFAaCXVzLWVhc3QtMSJHMEUCIDtnEeOFj1lQxAdla5KavhzV%2B%2FBJFBp7J%2FNF%2FHLpu3QmAiEAlctpeSaQldKHPIp%2FoMTDTIcUoezGSl22%2B3VRLWnj%2Bawq8wQIGRABGgw2OTk3NTMzMDk3MDUiDNjxfDQVm3X91Y4IlirQBMdwkOLPuUqRZUlLULbDfgkFedPELQgBWe73kuOo6NndpZ00HbH81kvHeC%2FKd%2FyQ8AbyBXPpIrSEmko1gqqDx1JVoVCIPtqWs5Fe4Krk9ynQkkKnm1FKUpZjNeONA8XCE%2FpBiiqgfjr9xKZY2BH47ilazgvBd46P6DjhLQr7dUarNYsgvUZA9Vc2TVZHs5rKEAntMimv%2BmQ69hOboWNVp%2BFD4imDM125EPVnbMRHilj%2Bvo%2BmKzS%2FnrxC0j%2F%2Bq1en7akXqZ2O7sMNOTIO5NKMo8HtznNlrI72y1tbbsfxAVvXHejapfzeB%2BU49NvASBJyQ2fqhtJnwO%2F5wOh5gI4twK5jLMDQ1hZV37VU97S0%2FluGhACjZmXUxKY8OQM3VMMBH6Ke8ZLFfR8AUq0%2FNQuHbSwzuirTMaKzvfX8U03XipQ7Vm1rLL5nM6av9qAqr5YJQuWR2zz3ZKrABIW%2Fp%2FcbcjfAOqOBMbTktVUtr9Fzg8T1pl4O82Y9%2BDJzfXEM0%2B7cG%2Fm6eR%2BkKOLmyESxfbjn2fj8cH5iSoST8VcvvjIXsdvFenT6SuaR2D%2BJb%2BkvHZhnU29RbvO48%2BngqkPxDIuev2sgebaBeUag3h7JQx%2BLBmwU%2FU7PgPyB1ayj5rtoRWTapMX%2Fi%2BjJHPv0QUV9ARtTcbNOnEX%2Ft1nxIrJ7%2B%2BpMNuBY4k079%2BoPlYT7hNd%2BkDJ4LdeLOs%2BhZPw68w4JEDDK12VmMscla4tDegnDfvXG5xtpxTbmVSIbeFDcCHiQgWOXa60udgONEQIZcUI6JX4tqvsw2cmw0QY6mAHOd8OnqTmdiCNyEwg4Ew1UhazTJ1dMypL7jhKu4U0hRf36URLSTS8lEoUPTm786N1ucZWsQKgR8iTDIIuRHXQ2UYIJ9s0voWfNKa1NYAxHNso0l7vec%2B63TA0A65%2BJarKsqCNzxfKaTYZ8AwpADFf3wdpxSNHkqrXbTpBn6f3KcjkhGJdXlaqoWwdzww7I1NLX%2BETnNI5bWw%3D%3D&amp;Expires=1781281452\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">To reduce exposure, organizations should keep router firmware updated, change default credentials, and disable unused remote management features. <\/p>\n<p class=\"wp-block-paragraph\">Enterprises using cloud services should enforce phishing-resistant multi-factor authentication and regularly audit OAuth token permissions. <\/p>\n<p class=\"wp-block-paragraph\">The FBI\u2019s Internet Crime Complaint Center published a public alert urging home users and small businesses to review router settings after FrostArmada was disclosed.<\/p>\n<p class=\"has-text-align-center has-background wp-block-paragraph\" style=\"background:linear-gradient(180deg,rgb(238,238,238) 90%,rgb(169,184,195) 100%)\"><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong>Follow us on\u00a0<a href=\"https:\/\/news.google.com\/publications\/CAAqMggKIixDQklTR3dnTWFoY0tGV041WW1WeWMyVmpkWEpwZEhsdVpYZHpMbU52YlNnQVAB?hl=en-IN&amp;gl=IN&amp;ceid=IN:en\" target=\"_blank\" rel=\"noreferrer noopener\">Google News<\/a>,\u00a0<a href=\"https:\/\/www.linkedin.com\/company\/cybersecurity-news\/\" target=\"_blank\" rel=\"noreferrer noopener\">LinkedIn<\/a>,\u00a0and\u00a0<a href=\"https:\/\/x.com\/cyber_press_org\" target=\"_blank\" rel=\"noreferrer noopener\">X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0<strong>Set CSN as a Preferred Source in<\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong> <strong><strong><a href=\"https:\/\/www.google.com\/preferences\/source?q=cybersecuritynews.com\" target=\"_blank\" rel=\"noreferrer noopener\">Google<\/a><\/strong><\/strong>.<\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/fancy-bear-hackers-abuse-edgerouters-and-cloud-services\/\">Fancy Bear Hackers Abuse EdgeRouters and Cloud Services to Launch Stealthy Cyberattacks<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Tushar Subhra Dutta<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/fancy-bear-hackers-abuse-edgerouters-and-cloud-services\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Fancy Bear Hackers Abuse EdgeRouters and Cloud Services to Launch Stealthy Cyberattacks One of the most persistent hacking groups in the world has found a new way to stay hidden. The threat actor known as Fancy Bear, formally tracked as APT28 and attributed to Russia\u2019s military intelligence unit GRU Unit 26165, has been quietly shifting [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-13592","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13592"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=13592"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13592\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=13592"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=13592"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=13592"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}