Blog | G5 Cyber Security

APT review of the year

ESET highlights the 2018 activity of Sofacy, Turla and CozyBear. Sofacy appears to be changing at a structural level and is possibly already being split into different subgroups. Turla has started deploying a new malware called Phoenix, and started using a new framework that we call Phoenix. It has also started using scripting and open-source tools for its lateral movement stage. CozyDuke activity was detected during November 2018, apparently targeting diplomatic and governmental entities in Europe, but TTPs do not seem to be those that are usually attributed to this malware being used by a different group.

Source: https://securelist.com/apt-review-of-the-year/89117/
