A new sophisticated stealing campaign named “Steal-It” has been discovered that exfiltrates NTLMv2 hashes using customized versions of Nishang’s Start-CaptureServer PowerShell script. It is believed that the Steal-It campaign may be attributed to APT28 (aka Fancy Bear) based on its similarities with the APT28 cyber attack.
Source: GBHackers