Thursday 9 May 2024, Security guide

CERT WARNS AGAINST HACKERS FROM RUSSIA

Lost24

The APT28 group attacked Polish government institutions, as confirmed by CERT Polska from NASK and CSIRT MON. The attack consisted of several stages. First, the attackers sent emails containing links that led to run.mocky.io and then redirected to webhook.site.

There, victims downloaded a fake ZIP archive that pretended to be a collection of photos but was in fact malware that executed scripts. This allowed the hackers to obtain the victim's IP address and a list of files on their computer, which helped them assess whether it was a suitable target for an attack. Ultimately, if the victim ran the app, APT28 had free rein to act against them.
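For defenders, the delivery chain described above can be hunted in web proxy logs by correlating the two hops per client instead of alerting on either host alone. The following is an added example, not code from CERT Polska or the original article; the log format, the 60-second window and all sample lines are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample proxy log (not real data): time, client, host, path, content type.
SAMPLE_LOG = """\
2024-05-09T08:01:10 10.0.0.5 run.mocky.io /v3/placeholder text/html
2024-05-09T08:01:12 10.0.0.5 webhook.site /placeholder application/zip
2024-05-09T08:05:00 10.0.0.7 webhook.site /placeholder application/json
2024-05-09T09:00:00 10.0.0.9 run.mocky.io /v3/placeholder text/html
2024-05-09T10:30:00 10.0.0.9 webhook.site /placeholder application/zip
2024-05-09T08:02:00 10.0.0.8 example.org /index.html text/html
"""

FIRST_HOP = "run.mocky.io"      # first hop named in the article
SECOND_HOP = "webhook.site"     # second hop named in the article
WINDOW = timedelta(seconds=60)  # assumed correlation window, tune per environment


def parse(line):
    """Split one log line of the assumed format into typed fields."""
    ts, client, host, path, ctype = line.split()
    return datetime.fromisoformat(ts), client, host.lower(), path, ctype


def matches(host, domain):
    """True for the domain itself or any subdomain of it."""
    return host == domain or host.endswith("." + domain)


def find_chains(log_text, window=WINDOW):
    """Alert when a client requests FIRST_HOP and then SECOND_HOP within the window."""
    last_first_hop = {}  # client -> time of its most recent FIRST_HOP request
    alerts = []
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    for ts, client, host, _path, ctype in events:
        if matches(host, FIRST_HOP):
            last_first_hop[client] = ts
        elif matches(host, SECOND_HOP):
            seen = last_first_hop.get(client)
            if seen is not None and ts - seen <= window:
                alerts.append({
                    "client": client,
                    "time": ts.isoformat(),
                    # A ZIP response on the second hop matches the described download.
                    "zip_download": ctype == "application/zip",
                })
    return alerts


if __name__ == "__main__":
    for alert in find_chains(SAMPLE_LOG):
        print(alert)
```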


Source: instalki.pl