{
	"id": "de1686d7-f4d7-4e00-94b8-7f2fd32873a4",
	"created_at": "2026-04-06T00:16:53.565387Z",
	"updated_at": "2026-04-10T03:37:50.283806Z",
	"deleted_at": null,
	"sha1_hash": "0130e2ff52d4dc2dfc51c1b0f8ac8ea49587b02d",
	"title": "Let It Ride: The Sofacy Group’s DealersChoice Attacks Continue",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1529713,
	"plain_text": "Let It Ride: The Sofacy Group’s DealersChoice Attacks Continue\r\nBy Robert Falcone, Bryan Lee\r\nPublished: 2016-12-15 · Archived: 2026-04-05 14:18:45 UTC\r\nRecently, Palo Alto Networks Unit 42 reported on a new exploitation platform that we called “DealersChoice” in\r\nuse by the Sofacy group (AKA APT28, Fancy Bear, STRONTIUM, Pawn Storm, Sednit).  As outlined in our\r\noriginal posting, the DealersChoice exploitation platform generates malicious RTF documents which in turn use\r\nembedded OLE Word documents. These embedded OLE Word documents then contain embedded Adobe Flash\r\n(.SWF) files that are designed to exploit Abode Flash vulnerabilities.\r\nAt the time of initial reporting, we found two variants:\r\n1. Variant A: A standalone variant that included Flash exploit code packaged with a payload.\r\n2. Variant B: A modular variant that loaded exploit code on-demand and appeared non-operational at the time.\r\nSince that time, we have been able to collect additional samples of the weaponized documents that the\r\nDealersChoice exploitation platform generates. These latest, additional samples are all Variant B samples. Two of\r\nthese samples were found to have operational command and control servers which allowed us to collect and\r\nanalyze additional artifacts associated with the attack.\r\nIn late October 2016 Adobe issued Adobe Security Bulletin APSB16-36 to address CVE-2016-7855. In early\r\nNovember 2016 Microsoft issued Microsoft Security Bulletin MS16-135 to address CVE-2016-7255.\r\nBoth of these were in response to active exploitation of zero-day vulnerabilities thought by other researchers to be\r\nassociated with the Sofacy group. Additional reporting as well as our own analysis indicates the exploit code for\r\nthe Adobe Flash vulnerability CVE-2016-7855 was indeed delivered using DealersChoice. 
In-house testing also reveals that customers of the Palo Alto Networks Traps endpoint agent are protected against the new exploit code.\r\nDeal Me In: Finding Live C2 Servers\r\nIn our previous blog discussing DealersChoice, we identified the steps that Variant B would take once executed on a victim host, but were unable to successfully interact with the command and control (C2) server identified at the time.\r\nWe have since discovered two fully operational and active C2 servers (versiontask[.]com and postlkwarn[.]com) that followed the exact steps we outlined in the blog: loading the additional Flash exploit code into memory, followed by loading the associated payload also into memory. Figure 1 details the workflow of victim to C2 communications.\r\nhttps://unit42.paloaltonetworks.com/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/\r\nPage 1 of 10\n\nFigure 1 Workflow of DealersChoice\r\nThe ActionScript within Variant B will interact with the C2 server, specifically to obtain a malicious SWF file and a payload. This process starts with an initial beacon to the C2 server that contains system information and the victim’s Adobe Flash Player version. Figure 2 shows the beacon sent by the ActionScript to the C2 server.\r\nFigure 2 Initial beacon from DealersChoice to its C2 server\r\nThe C2 responds to the initial beacon with strings that DealersChoice’s ActionScript uses as variables in upcoming actions, such as additional HTTP requests and the decryption of the responses to those requests. 
Figure 3 shows the C2 server’s response to the beacon, specifically including the k1, k2, k3 and k4 values.\r\nFigure 3 C2 response to beacon provides DealersChoice tokens and keys needed to decrypt data\r\nThe ActionScript then uses the k1 variable from the C2 response data as a token within the HTTP request sent back to the C2 server to obtain the malicious SWF file, as seen in Figure 4. The C2 server will respond to this request with data that the ActionScript will decrypt using the value of the k3 variable.\r\nThe active C2 servers provided Variant B with a malicious SWF file that was the same SWF file found within Variant A samples that exploited CVE-2015-7645 (addressed in October 2016 in Adobe Security Bulletin APSA15-05).\r\nc42a0d50eac9399914090f1edc2bda9ac1079edff4528078549c824c4d023ff9\r\n45a4a376cb7a36f8c7851713c7541cb7e347dafb08980509069a078d3bcb1405\r\nFigure 4 DealersChoice HTTP request to obtain a malicious SWF file to exploit Adobe Flash Player\r\nAfter receiving the malicious SWF file, Variant B will then issue an HTTP request using the k2 variable as a token to obtain its payload, as seen in Figure 5. The C2 will respond to this request with data that Variant B will decrypt using the value in the k4 variable as a key. 
The resulting decrypted data contains shellcode and a payload that the shellcode decrypts and executes.\r\nFigure 5 DealersChoice HTTP request to obtain shellcode and payload to execute upon successful exploitation\r\nThe active C2 servers versiontask[.]com and postlkwarn[.]com provided shellcode that decrypts and executes a payload which in both cases was a loader Trojan that extracts and decrypts an embedded DLL that it saves to the system.\r\n5dd3066a8ee3ab5b380eb7781c85e4253683cd7e3eee1c29013a7a62cd9bef8c\r\nfa8b4f64bff799524f6059c3a4ed5d169e9e7ef730f946ac7ad8f173e8294ed8\r\nIn both cases, the DLL saved to the system is a variant of Sofacy’s Seduploader tool, which uses the Carberp source code.\r\n82213713cf442716eac3f8c95da8d631aab2072ba44b17dda86873e462e10421\r\n3ff1332a84d615a242a454e5b29f08143b1a89ac9bd7bfaa55ba0c546db10e4b\r\nThe two variants of the Seduploader tool share a common C2 domain of apptaskserver[.]com, with differing backup C2 domains of appservicegroup[.]com and joshel[.]com.\r\nAce in the Hole: Analyzing Victim Fingerprinting\r\nIn the process of analyzing Variant B’s active C2 server, we wanted to test our hypothesis that the C2 server would load different exploit code dependent on victim fingerprinting. We tested this by providing different responses to the C2 server.\r\nFirst, we issued requests to the C2 server from a VPN located in California, USA, and the server did not respond to the requests. We then connected to another VPN located in the Middle East and issued the same requests, at which point the C2 server responded with a malicious SWF and payload. 
This fact suggests that the Sofacy group uses geolocation to filter out requests that originate from locations that do not coincide with the location of their target.\r\nWe then issued several requests to test the C2 and each time the server responded with different k1, k2, k3 and k4 variables, suggesting that the server randomly chooses these values for each inbound request.\r\nTo further test the C2 server logic we created requests that contained different values for the operating system and Flash Player version. When we sent the HTTP requests to the C2 server with the Adobe Flash Player version set to 23.0.0.185, the most recent Flash version vulnerable to CVE-2016-7855, the server responded with a compressed SWF file (SHA256: c993c1e10299162357196de33e4953ab9ab9e9359fa1aea00d92e97e7d8c5f2c) that exploited that very vulnerability.\r\nFinally, when we issued requests to the C2 server indicating the victim was a macOS system, the C2 server served the same malicious SWF file and Windows payload as before, suggesting that the Sofacy group is not using DealersChoice to check operating system type for its victims at this time.\r\nIn all cases the payload delivered by the C2 server is a loader Trojan (SHA256: 3bb47f37e16d09a7b9ba718d93cfe4d5ebbaecd254486d5192057c77c4a25363) that installs a variant of Seduploader (SHA256: 4cbb0e3601242732d3ea7c89b4c0fd1074fae4a6d20e5f3afc3bc153b6968d6e), which uses a C2 server of akamaisoftupdate[.]com.\r\nShow Your Hand: Decoy Documents\r\nSix documents were collected for this wave of DealersChoice attacks, all appearing to be Variant B, using similar lures to what we had observed in the previous wave. 
The six filenames we discovered were:\r\nOperation_in_Mosul.rtf – an article about Turkish troops in Mosul\r\nNASAMS.doc – a document that is a copy of an article regarding the purchase of a Norwegian missile defense system by the Lithuanian Ministry of National Defence\r\nProgramm_Details.doc – a document that is a copy of the schedule of a cyber threat intelligence conference in London, targeting a Ministry of Defense of a country in Europe\r\nDGI2017.doc – a document targeted at a Ministry of Foreign Affairs of a Central Asian country regarding the agenda for the Defence Geospatial Intelligence gathering in London\r\nOlympic-Agenda-2020-20-20-Recommendations.doc – a document containing details of agreements for the 2020 Olympics\r\nARM-NATO_ENGLISH_30_NOV_2016.doc – a document outlining an agreement between the Republic of Armenia and NATO\r\nFigure 6. Collected decoy documents for current wave of attacks\r\nUnlike the first DealersChoice attacks, these documents used stripped out or forged metadata in order to add an additional layer of obfuscation. Two of the documents, NASAMS.doc and Programm_Details.doc, shared a common, unique username, pain, in the Last Saved By field. Additionally, each of the weaponized documents continued to use the OfficeTestSideloading technique we had previously reported on. 
This was the technique we had discovered the Sofacy group began using over this past summer as a way to sideload DLL files using a performance test module built into the Microsoft Office suite as well as maintain persistence on the victim host.\r\nFilename | Author | Last Saved By | Subject | SHA256\r\nOperation_in_Mosul.rtf | Robert Tasevski | ---- | Turkish troops in Mosul | f5d3e827…\r\nNASAMS.doc | Антон Гладнишки | pain | Norwegian missile defense system | 1f81609d…\r\nProgramm_Details.doc | Laci Bonivart | pain | Conference schedule | 1579c7a1…\r\nDGI2017.doc | Невена Гамизов | Невена Гамизов | Conference schedule | c5a389fa…\r\nOlympic-Agenda-2020-20-20-Recommendations.doc | admin | User | Recommendations for 2020 Olympics | 13718586…\r\nARM-NATO_ENGLISH_30_NOV_2016.doc | User | User | NATO agreement | 73ea2cce…\r\nThe six first-stage C2 domains for the weaponized documents were all registered by unique registrant emails. Versiontask[.]com and Uniquecorpind[.]com appear to be completely new infrastructure, not sharing any artifacts with previously observed Sofacy group campaigns.\r\nType | Domain | Date Registered | Registrant Email\r\nFirst stage C2 | Versiontask[.]com | 2016-10-24 | dalchi0@europe.com\r\nFirst stage C2 | Uniquecorpind[.]com | 2016-10-25 | yasiner@myself.com\r\nFirst stage C2 | Securityprotectingcorp[.]com | 2016-08-19 | ottis.davis@openmailbox.org\r\nFirst stage C2 | Postlkwarn[.]com | 2016-11-11 | fradblec@centrum.cz\r\nFirst stage C2 | adobeupgradeflash[.]com | 2016-11-22 | nuevomensaje@centrum.cz\r\nFirst stage C2 | globalresearching[.]org | 2016-11-18 | carroz.g@mail.com\r\nSix second stage C2 domains for the Seduploader payloads delivered by DealersChoice were identified.\r\nType | Domain | Date Registered | Registrant Email\r\nSeduploader C2 | Joshel[.]com | 2016-11-11 | germsuz86@centrum.cz\r\nSeduploader C2 | Appservicegroup[.]com | 2016-10-19 | olivier_servgr@mail.com\r\nSeduploader C2 | Apptaskserver[.]com | 2016-10-22 | partanencomp@mail.com\r\nSeduploader C2 | Akamaisoftupdate[.]com | 2016-10-26 | mahuudd@centrum.cz\r\nSeduploader C2 | globaltechresearch[.]org | 2016-11-21 | morata_al@mail.com\r\nSeduploader C2 | researchcontinental[.]org | 2016-12-02 | Sinkholed\r\nMuch like the first stage C2 domains, the five non-sinkholed second stage C2 domains were registered recently and used unique registrant email addresses previously unused by the Sofacy group. However, each of these domains used nameservers commonly associated with the Sofacy group, ns*.carbon2u[.]com and ns*.ititch[.]com.\r\nThe domain akamaisoftupdate[.]com revealed additional artifacts linking it back to previous Sofacy group campaigns. Based on passive DNS data, we discovered akamaisoftupdate[.]com resolving to 89.45.67.20. On the same class C subnet, we discovered 89.45.67.189, which previously had resolved to updmanager[.]net, a well-reported domain in use by the Sofacy group.\r\nThe domain securityprotectingcorp[.]com was also found to have links to previous Sofacy group infrastructure. It was registered a couple of months prior, but analysis of the registrant email address revealed that it had also been used to register microsoftsecurepolicy[.]org, which, using passive DNS data, we found had resolved to 40.112.210.240, a sinkhole with several other Sofacy group associated domains. 
Several of the corresponding sinkholed domains have been used over the years for multiple purposes by the Sofacy group, as C2s for multiple tools such as Azzy or XAgent, or to host phishing sites to gather credentials from targets.\r\nFigure 7 Chart of DealersChoice infrastructure\r\nConclusion\r\nIt appears evident at this time that the Sofacy group is actively using the DealersChoice tool, specifically Variant B, to attack targets of interest. As evidenced by the delivery of exploit code for a recently patched vulnerability in Flash (which was used in zero-day attacks), we can see how the malware provides flexibility in exploitation methodology and is truly a platform in itself. New infrastructure does appear to have been created for DealersChoice, but as we have seen in the past, the Sofacy group has a tendency to reuse artifacts from previous campaigns and this is no exception. 
Palo Alto Networks customers may learn more and are protected via:\r\nWildFire correctly identifies associated samples as malicious\r\nDealersChoice domains and C2 traffic are classified as malicious\r\nTraps correctly identifies and prevents exploit code from being executed\r\nA DealersChoice AutoFocus tag may be used to identify and track this malware family\r\nNote that even though CVE-2016-7855 was a zero-day vulnerability, Palo Alto Networks customers would have been protected by our Traps endpoint agent, as seen in Figure 8.\r\nFigure 8 Palo Alto Networks Traps blocking exploitation of the CVE-2016-7855 vulnerability\r\nIndicators of Compromise\r\nDocument Hashes:\r\nf5d3e827c3a312d018ef4fcbfc7cb5205c9e827391bfe6eab697cc96412d938e\r\n1f81609d9bbdc7f1d2c8846dcfc4292b3e2642301d9c59130f58e21abb0001be\r\n1579c7a1e42f9e1857a4d1ac966a195a010e1f3d714d68c598a64d1c83aa36e4\r\nc5a389fa702a4223aa2c2318f38d5fe6eba68c645bc0c41c3d8b6f935eab3f64\r\n137185866649888b7b5b6554d6d5789f7b510acd7aff3070ac55e2250eb88dab\r\n73ea2ccec2cbf22d524f55b101d324d89077e5718922c6734fef95787121ff22\r\nDealersChoice C2s:\r\nVersiontask[.]com\r\nUniquecorpind[.]com\r\nSecurityprotectingcorp[.]com\r\npostlkwarn[.]com\r\nadobeupgradeflash[.]com\r\nresearchcontinental[.]org\r\nSeduploader C2s:\r\nAppservicegroup[.]com\r\nApptaskserver[.]com\r\nAkamaisoftupdate[.]com\r\nJoshel[.]com\r\nglobaltechresearch[.]org\r\nresearchcontinental[.]org\r\nSource: https://unit42.paloaltonetworks.com/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/"
	],
	"report_names": [
		"unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434613,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0130e2ff52d4dc2dfc51c1b0f8ac8ea49587b02d.pdf",
		"text": "https://archive.orkl.eu/0130e2ff52d4dc2dfc51c1b0f8ac8ea49587b02d.txt",
		"img": "https://archive.orkl.eu/0130e2ff52d4dc2dfc51c1b0f8ac8ea49587b02d.jpg"
	}
}