Authentic Antics: Fancy Bear’s New Credential Stealer

The United Kingdom's National Cyber Security Centre (NCSC) has uncovered a highly targeted and stealthy malware strain, dubbed Authentic Antics, that infiltrates Microsoft Outlook on Windows to trick victims into surrendering their Office login credentials and freshly minted OAuth 2.0 tokens.

Authentic Antics operates by embedding itself within the legitimate Outlook process and periodically displaying malicious login windows. These fake prompts solicit usernames and passwords, but they also silently capture OAuth tokens, the access tokens that grant entry to services such as Exchange Online, SharePoint, and OneDrive. The stolen tokens and logins are then used to send emails from the victim's own account without the messages appearing in the "Sent" folder, making detection difficult.

Authentic Antics is composed of three primary malware modules. The first is a dropper, a C++/.NET DLL that loads the stealth components only when the environment matches the intended targets. The second is a stealer, a .NET library that is never stored on disk but loaded in memory; it spawns fake login prompts, intercepts credentials and OAuth tokens, and then exfiltrates them via Outlook's API. The third is a PowerShell script, a fallback mechanism that uses hardcoded credentials to perform the same token theft as the stealer.

A notable feature of Authentic Antics is that it employs several techniques to avoid detection, including:

Process targeting: It continuously ensures it runs only inside outlook.exe, checking thread windows for specific class names and patient usernames to make the fake prompts seem routine.

Registry unhooking: It scans key Windows system libraries (like ntdll.dll) for monitoring hooks added by security software, and forcibly removes them, ensuring its registry activity goes unnoticed.

Selective execution: The dropper accesses a timestamp stored in the registry to only run the stealer every six days, reducing the risk of generating suspicious alerts.

String obfuscation: The malware hides its behavior via encrypted strings reconstructed in memory, thwarting static analysis.

Environmental keying: The stealer DLL is encrypted and can only be decrypted using machine-specific data (computer GUID or volume serial), ensuring it fails to work on unintended devices.

Legitimate code disguise: The malware imports large parts of Microsoft's official Authentication Library for .NET (MSAL) and appends malicious classes, making its code look more legitimate during cursory inspections.

Once credentials and tokens are in hand, the stolen data is gzipped and encrypted with a victim-specific RSA key embedded in the malware, which hinders analysis of captured traffic. Then, using the stolen access token, the malware makes an authenticated API call to outlook.office.com/api/v2.0/me/sendMail to send an email containing the obfuscated data to an attacker-controlled address. By setting "SaveToSentItems" to false, it leaves no trace in the victim's mailbox. Interestingly, there is no traditional Command-and-Control mechanism: all communication occurs through legitimate Microsoft services, making network detection extremely difficult.

Authentic Antics achieves long-term persistence via COM hijacking, a technique where registry entries for Outlook's COM component (InprocServer32) are rerouted to point to the malicious DLL. The dropper itself does not plant this entry—it is assumed to derive its infection vector from another implant—but once installed in Outlook's boot path, it is reactivated on every launch.
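Defenders can look for the kind of COM hijack described above with a per-user registry audit like the one below. This is an added example, not code from the NCSC report or from PCrisk; it assumes the hijack takes the common form of a CLSID under HKCU whose InprocServer32 entry shadows the machine-wide one, and the function name and the list of user-writable directories are my own choices.

```powershell
# Added example: audit per-user COM registrations for signs of InprocServer32
# hijacking. A CLSID under HKCU shadows the machine-wide entry under HKLM, so a
# CLSID present in both hives, or one whose DLL lives in a user-writable
# directory, is unsigned, or is missing from disk, deserves a closer look.
function Get-SuspiciousInprocServer32 {
    [CmdletBinding()]
    param(
        # Directories where a legitimate in-process COM server should not live (assumed list).
        [string[]]$UserWritableRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, "$env:USERPROFILE\Downloads")
    )

    $userClsidRoot = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path $userClsidRoot)) { return }

    Get-ChildItem -Path $userClsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid  = $_.PSChildName
        $inproc = Join-Path $_.PSPath 'InprocServer32'
        if (-not (Test-Path $inproc)) { return }   # 'return' here moves on to the next CLSID

        # The (default) value holds the DLL path; expand %VARS% and strip quotes before checking it.
        $raw = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
        if (-not $raw) { return }
        $dll = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))

        $shadowsMachine = Test-Path "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32"
        $inUserWritable = $false
        foreach ($root in $UserWritableRoots) {
            if ($root -and $dll.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inUserWritable = $true }
        }
        $exists = Test-Path -LiteralPath $dll
        $signer = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'FileMissing' }

        if ($shadowsMachine -or $inUserWritable -or -not $exists -or $signer -ne 'Valid') {
            [PSCustomObject]@{
                CLSID           = $clsid
                Dll             = $dll
                ShadowsHKLM     = $shadowsMachine
                InUserWritable  = $inUserWritable
                SignatureStatus = $signer
            }
        }
    }
}

# Usage: list findings, CLSIDs that shadow a machine-wide registration first.
Get-SuspiciousInprocServer32 | Sort-Object ShadowsHKLM -Descending | Format-Table -AutoSize
```

Run it in the context of each interactive user, since HKCU is per profile; findings still need manual review because some legitimate per-user installers also register COM servers under HKCU.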

NCSC Attributes Authentic Antics to Fancy Bear

The United Kingdom's National Cyber Security Centre (NCSC) has officially attributed the sophisticated cyberespionage campaign involving Authentic Antics to Russian military intelligence, specifically APT 28 (Fancy Bear). Investigations by the NCSC, Microsoft, and incident response partners traced its use back to a 2023 compromise, prompting parallel diplomatic actions by the UK, including sanctions against 18 GRU officers and a designation of the malware tool itself.

The UK government, joined by allies in the EU and NATO, condemned this campaign as a deliberate attempt by Moscow to destabilize Europe, threaten Ukrainian sovereignty, and undermine British national security. NCSC Director of Operations Paul Chichester emphasized the malware's sophistication and urged organizations to enhance their defenses, particularly by enabling multifactor authentication, monitoring anomalous API activity, and utilizing NCSC's technical guidance.

Foreign Secretary David Lammy echoed the sentiment, stating that the Kremlin's hybrid threats "will never break [UK] resolve" and reaffirmed commitment to protective action. The announcement coincided with broader sanctions, including those targeting GRU units linked to Russian disinformation and sabotage campaigns, highlighting a coordinated response to ongoing Russian state-led cyber aggression.

Authentic Antics exemplifies how stealthy malware leverages legitimate code and services, such as Outlook, OAuth tokens, and RSA encryption, to remain invisible while exfiltrating highly sensitive access credentials. Its use of environmental keying, defense evasion via unhooking, and long-dwell token theft makes it one of the more sophisticated credential-stealing tools detailed publicly by the NCSC.

The malware's threat comes down to four factors:

Stealth and clever disguise: By inserting itself into a trusted application (Outlook), relying on stolen tokens rather than noisy network channels, presenting convincing OAuth-style login prompts, and using legitimate APIs for data exfiltration without raising alerts, Authentic Antics avoids most traditional defenses.

Long-duration access: The malware's ability to quietly steal refresh tokens grants attackers sustained access, and refresh tokens often remain valid for up to 90 days.

High-value targets: Although highly tailored and unlikely to spread broadly, it is well-suited to high-profile espionage campaigns, especially those aimed at government, defense, or corporate leaders using Microsoft services.

Attribution: While the NCSC report does not directly name the actor, others, including Security on Screen, have attributed the campaign to the Russian GRU-linked group APT28 (Fancy Bear), based on forensic context and known targeting tactics and techniques.

Organizations relying on Microsoft cloud services should adopt layered detection strategies, deploy token usage monitoring, and leverage the NCSC's indicators to root out persistent threats like Authentic Antics before compromised tokens are abused.

Karolis Liucveikis