{
	"id": "76507d48-29a0-41d0-900c-04602091ebea",
	"created_at": "2026-04-06T00:14:47.231301Z",
	"updated_at": "2026-04-10T03:37:50.292704Z",
	"deleted_at": null,
	"sha1_hash": "03ba8914efd5d49287d365341eebeb50d15ee0c8",
	"title": "Russian hackers use fake NATO training docs to breach govt networks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2600379,
	"plain_text": "Russian hackers use fake NATO training docs to breach govt networks\r\nBy Ax Sharma\r\nPublished: 2020-09-22 · Archived: 2026-04-05 17:39:07 UTC\r\nA Russian hacker group known by the names APT28, Fancy Bear, Sofacy, Sednit, and STRONTIUM is behind a targeted attack campaign aimed at government bodies.\r\nThe group delivered a hard-to-detect strain of Zebrocy Delphi malware under the pretense of providing NATO training materials.\r\nResearchers further inspected the files containing the payload and discovered that they impersonated JPG files, showing NATO images when opened on a computer.\r\nhttps://www.bleepingcomputer.com/news/security/russian-hackers-use-fake-nato-training-docs-to-breach-govt-networks/\r\nPage 1 of 6\r\nImpersonates NATO training materials\r\nIn August this year, the Qi'anxin Red Raindrops team reported discovering an APT28 campaign which delivered Zebrocy malware disguised as NATO training course materials.\r\nHowever, threat intelligence company QuoIntelligence had alerted its customers in the government sector to this campaign as early as August 8th, before information on this campaign was made public.\r\nQuoIntelligence researchers have provided BleepingComputer with further analysis and deduced with medium-high confidence that the campaign targeted at least one Middle Eastern country, Azerbaijan, among other NATO countries.\r\n\"Although Azerbaijan is not a NATO member, it closely cooperates with the North-Atlantic organizations and participates in NATO exercises. Further, the same campaign very likely targeted other NATO members or countries cooperating with NATO exercises,\" stated the company.\r\nOn discovering the malicious activity, QuoIntelligence reported its findings to French law enforcement bodies.\r\nMore than an image, dangerously so\r\nThe malicious file distributed by APT28 is titled \"Course 5 – 16 October 2020.zipx\".\r\nNaturally, to an unsuspecting user, this would appear to be a ZIP bundle containing course materials.\r\nIn our test, BleepingComputer further noticed that when renamed to \".jpg,\" the ZIP archive behaves almost like a legitimate image file.\r\nThis is because, as QuoIntelligence researchers have explained, the file comprises a legitimate JPG image with a ZIP archive appended to it.\r\nWhen renamed to a JPG, the ZIP archive behaves entirely as an image\r\nSource: BleepingComputer\r\nThe file metadata and properties also show an \"image/jpeg\" MIME type with references to \"JPEG image data.\"\r\n\"This technique works because JPEG files are parsed from the beginning of the file and some Zip implementations parse Zip files from the end of the file (since the index is located there) without looking at the signature in the front,\" the researchers explain.\r\nAt the time of analysis by both the Qi'anxin Red Raindrops team and QuoIntelligence, the malware sample had a very low detection rate of 3/61 on VirusTotal.\r\nEven today, less than half of the known antivirus engines are flagging the infection on VirusTotal, as observed by BleepingComputer:\r\nEven today the malware sample showed a 24/60 detection rate on VirusTotal\r\nSource: BleepingComputer\r\n\"The technique is also used by threat actors to evade AVs, or other filtering systems since they might mistake the file for a JPEG and skip it.\"\r\nWhen extracted, the ZIP contains a corrupted Excel (.xls) file and another file with the same name, \"Course 5 - 16 October 2020\", but an EXE extension.\r\nOn Windows systems, the \"Course 5 - 16 October 2020.exe\" file shows a PDF icon (executables allow usage of custom file icons on Windows).\r\nQuoIntelligence researchers hypothesize this might be an intentional tactic employed by the hacking group; similar techniques to bypass email gateways have been seen in the past.\r\nProviding course materials in a ZIP file that holds a deliberately corrupted XLS file may tempt the user into double-clicking what looks like a PDF: the EXE file.\r\nSteals and uploads private data to the server\r\nZebrocy, used by this campaign, is a persistent malware infection and a backdoor known to carry multiple capabilities, such as system reconnaissance, file creation/modification, taking screenshots on the infected machine, arbitrary command execution, and creating Windows scheduled tasks.\r\nThe sample is also known to drop multiple files on an infected system, making it \"quite loud\" in that its activities raise alarms in leading security products.\r\nIn this case, the Zebrocy payload (present in \"Course 5 - 16 October 2020.exe\") works by replicating itself into \"%AppData%\\Roaming\\Service\\12345678\\sqlservice.exe\" and further adds a randomized 160-byte blob to the newly generated file. The padded data makes hash-based detection by signature-based antivirus engines hard by altering the resulting file's checksum.\r\nFurther, the malware created a Windows scheduled task which runs every minute, posting stolen data to the Command \u0026 Control (C2) server, state the researchers:\r\n\"The task runs regularly and tries to POST stolen data (e.g. screenshots) to hxxp://194.32.78[.]245/protect/get-upd-id[.]php\"\r\nThe data transmitted by the malware appeared to have obfuscated and encrypted bytes, but a numerical ID (12345678 in this example) remained constant between requests.\r\nRequest showing data transferred by the malware\r\nSource: QuoIntelligence\r\nThe researchers suspect this is a unique identifier of the infected machine included in every request by the malware.\r\nSuspicion: Azerbaijan government targeted\r\nQuoIntelligence suspects this malware targeted Azerbaijan government bodies based on a previous ReconHellcat campaign analyzed by the company.\r\nThe three similarities between these samples provide medium-high confidence to the researchers that this attack was aimed at a specific government organization, at least in Azerbaijan:\r\nBoth the compressed Zebrocy malware and the OSCE-themed lure used to drop the BlackWater backdoor were uploaded the same day, on 5 August.\r\nBoth samples were uploaded by the same user in Azerbaijan and are highly likely from the same organization.\r\nBoth attacks happened in the same timeframe.\r\nA complete list of Indicators of Compromise (IOCs), IDS detection rule(s), and detailed research findings have been provided by QuoIntelligence.\r\nSource: https://www.bleepingcomputer.com/news/security/russian-hackers-use-fake-nato-training-docs-to-breach-govt-networks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/russian-hackers-use-fake-nato-training-docs-to-breach-govt-networks/"
	],
	"report_names": [
		"russian-hackers-use-fake-nato-training-docs-to-breach-govt-networks"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434487,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/03ba8914efd5d49287d365341eebeb50d15ee0c8.pdf",
		"text": "https://archive.orkl.eu/03ba8914efd5d49287d365341eebeb50d15ee0c8.txt",
		"img": "https://archive.orkl.eu/03ba8914efd5d49287d365341eebeb50d15ee0c8.jpg"
	}
}