{
	"id": "7be1da7f-6ba8-469a-85c6-63e4964fb69b",
	"created_at": "2026-04-06T00:17:31.835535Z",
	"updated_at": "2026-04-10T03:37:50.560806Z",
	"deleted_at": null,
	"sha1_hash": "053db4fd0be2e70fe81bd00f4ca83bda24a4360d",
	"title": "A step-by-step analysis of the new malware used by APT28/Sofacy called SkinnyBoy – CYBER GEEKS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5922529,
	"plain_text": "A step-by-step analysis of the new malware used by APT28/Sofacy\r\ncalled SkinnyBoy – CYBER GEEKS\r\nPublished: 2021-08-03 · Archived: 2026-04-05 16:48:19 UTC\r\nSummary\r\nThe malware extracts configuration information about the machine that it infects using the systeminfo command, and\r\nthen it retrieves the list of processes by spawning a tasklist process. The content of the following directories, along\r\nwith the processes’ output, is base64-encoded and exfiltrated to the C2 server updaterweb[.]com:\r\nDesktop folder\r\nC:\\Program Files\r\nC:\\Program Files (x86)\r\nC:\\Users\\\u003cUser\u003e\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\r\nC:\\Users\\\u003cUser\u003e\\AppData\\Roaming\r\nC:\\Users\\\u003cUser\u003e\\AppData\\Roaming\\Microsoft\\Windows\\Templates\r\nC:\\WINDOWS\r\nC:\\Users\\\u003cUser\u003e\\AppData\\Local\\Temp\r\nThe user agent used during the network communication is set to “Opera”, and the following is the structure of the\r\nPOST request: “id=\u003chostname\u003e#Username#\u003cSerial number in decimal\u003e\u0026current=1\u0026total=1\u0026data=\u003cdata to be\r\nexfiltrated\u003e”. The “cmd=y” command is used to download a DLL file from the C2 server, which is loaded using the\r\nLoadLibraryW API, and the first ordinal function is executed.\r\nAnalyst: @GeeksCyber\r\nTechnical analysis\r\nSHA256: ae0bc3358fef0ca2a103e694aa556f55a3fed4e98ba57d16f5ae7ad4ad583698\r\nThe DLL has 2 exports (DllEntryPoint and RunMod). 
We have used rundll32.exe to run the DLL by calling the\r\nRunMod function:\r\nFigure 1\r\nThe malware creates an unnamed event object by calling the CreateEventW API:\r\nhttps://cybergeeks.tech/skinnyboy-apt28/\r\nPage 1 of 16\n\nFigure 2\r\nTwo new threads are created by the process using the CreateThread function:\r\nFigure 3\r\nFigure 4\r\nThe GetMessage routine is utilized to retrieve a message from the thread’s message queue:\r\nFigure 5\r\nThe malicious process enumerates all the messages, and it breaks the loop if the message is equal to 0x16\r\n(WM_ENDSESSION – inform the application whether the session is ending):\r\nFigure 6\r\nThread activity – StartAddress function\r\nThe malware creates an anonymous pipe using the CreatePipe API:\r\nFigure 7\r\nGetStartupInfoA is used to retrieve the content of the STARTUPINFO structure from when the calling process was\r\ncreated:\r\nFigure 8\r\nThe binary creates a new process that runs the systeminfo command, which displays configuration information about\r\nthe computer and its OS:\r\nFigure 9\r\nThe pipe created earlier is used as an inter-process communication mechanism. 
The output of the systeminfo\r\ncommand is read via a ReadFile function call:\r\nFigure 10\r\nFigure 11\r\nThe list of processes is retrieved by creating a new process that runs the tasklist command:\r\nFigure 12\r\nThe output of the tasklist command is read back by the main process using the ReadFile API:\r\nFigure 13\r\nFigure 14\r\nThe binary gets the path of the Desktop folder using the SHGetFolderPathW routine:\r\nFigure 15\r\nThe process enumerates the files/directories from the Desktop directory using the FindFirstFileW and\r\nFindNextFileW functions:\r\nFigure 16\r\nFigure 17\r\nThe binary adds 18 “#” characters before and after the folder name, as follows:\r\nFigure 18\r\nThe list of files and directories extracted before is concatenated with the above string, as shown in figure 19:\r\nFigure 19\r\nThe following directories are also targeted by the backdoor: “C:\\Program Files”, “C:\\Program Files (x86)”,\r\n“C:\\Users\\\u003cUser\u003e\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools”, “C:\\Users\\\r\n\u003cUser\u003e\\AppData\\Roaming”, “C:\\Users\\\u003cUser\u003e\\AppData\\Roaming\\Microsoft\\Windows\\Templates”,\r\n“C:\\WINDOWS” and “C:\\Users\\\u003cUser\u003e\\AppData\\Local\\Temp”. 
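Host-side detection for the reconnaissance stage described above, as an added example that is not part of the original article or of the sample's code. The log layout, PIDs and paths are constructed; the Sysmon Event ID 1 style field names (UtcTime, ProcessId, ParentProcessId, ParentImage, Image, CommandLine) are an assumption about the telemetry format. It flags any parent process that launches both systeminfo.exe and tasklist.exe within a short window, which is what the StartAddress thread does through its anonymous pipe.

```python
"""Flag a parent that spawns systeminfo.exe and tasklist.exe back to back.

Added example; the event format is an assumption (Sysmon Event ID 1 style),
and every event below is constructed, not real telemetry.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

RECON_TOOLS = {"systeminfo.exe", "tasklist.exe"}

# Constructed sample events. PIDs, times and paths are made up.
SAMPLE_EVENTS = [
    r"UtcTime=2021-08-03 10:00:01.000 ProcessId=4120 ParentProcessId=3988 "
    r"ParentImage=C:\Windows\System32\rundll32.exe "
    r"Image=C:\Windows\System32\systeminfo.exe CommandLine=systeminfo",
    r"UtcTime=2021-08-03 10:00:03.500 ProcessId=4188 ParentProcessId=3988 "
    r"ParentImage=C:\Windows\System32\rundll32.exe "
    r"Image=C:\Windows\System32\tasklist.exe CommandLine=tasklist",
    # Benign admin activity: the same two tools, but 15 minutes apart.
    r"UtcTime=2021-08-03 10:05:00.000 ProcessId=5000 ParentProcessId=1200 "
    r"ParentImage=C:\Windows\System32\cmd.exe "
    r"Image=C:\Windows\System32\tasklist.exe CommandLine=tasklist /v",
    r"UtcTime=2021-08-03 10:20:00.000 ProcessId=5100 ParentProcessId=1200 "
    r"ParentImage=C:\Windows\System32\cmd.exe "
    r"Image=C:\Windows\System32\systeminfo.exe CommandLine=systeminfo",
]


def parse_event(line):
    """Split 'Key=Value Key=Value ...' into a dict. Values may contain spaces
    (the timestamp, command lines), so split only in front of the next 'Key='."""
    fields = {}
    for chunk in re.split(r" (?=[A-Za-z]+=)", line.strip()):
        key, _, value = chunk.partition("=")
        fields[key] = value
    fields["UtcTime"] = datetime.strptime(fields["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
    # Keep only the file name of the spawned image, lower-cased for matching.
    fields["Image"] = fields["Image"].rsplit("\\", 1)[-1].lower()
    return fields


def find_recon_pairs(lines, window_seconds=60):
    """Return one (parent_pid, parent_image, tools) tuple per parent process
    that spawned every tool in RECON_TOOLS within window_seconds."""
    by_parent = defaultdict(list)
    for line in lines:
        event = parse_event(line)
        if event["Image"] in RECON_TOOLS:
            by_parent[event["ParentProcessId"]].append(event)

    hits = []
    window = timedelta(seconds=window_seconds)
    for ppid, events in by_parent.items():
        events.sort(key=lambda e: e["UtcTime"])
        for i, first in enumerate(events):
            # Collect the distinct tools launched within the window of 'first'.
            seen = {first["Image"]}
            for later in events[i + 1:]:
                if later["UtcTime"] - first["UtcTime"] > window:
                    break
                seen.add(later["Image"])
            if seen >= RECON_TOOLS:
                hits.append((int(ppid), first["ParentImage"], sorted(seen)))
                break
    return hits


if __name__ == "__main__":
    for ppid, image, tools in find_recon_pairs(SAMPLE_EVENTS):
        print(f"parent {ppid} ({image}) ran {', '.join(tools)} within 60s")
```

The 60-second window is a tuning choice: the page shows both commands issued one after the other from the same thread, so a tight window keeps the administrator who runs the two tools minutes apart out of the hits, while a rundll32.exe parent (as in the analysis setup) or any non-shell parent launching both is worth a closer look.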
The SHGetFolderPathW function is utilized to\r\nobtain some of these folder names (0x2a = CSIDL_PROGRAM_FILESX86, 0x30 = CSIDL_ADMINTOOLS,\r\n0x1a = CSIDL_APPDATA, 0x15 = CSIDL_TEMPLATES and 0x24 = CSIDL_WINDOWS):\r\nFigure 20\r\nFigure 21\r\nFigure 22\r\nFigure 23\r\nFigure 24\r\nThe GetTempPathW API is utilized to retrieve the path of the %TEMP% directory:\r\nFigure 25\r\nThe file initializes the use of the WinINet functions using the InternetOpenW API (the user agent is hard-coded as\r\n“Opera”):\r\nFigure 26\r\nThe send and receive timeouts are set to 600 seconds using the InternetSetOptionW routine (0x6 =\r\nINTERNET_OPTION_CONTROL_RECEIVE_TIMEOUT and 0x5 =\r\nINTERNET_OPTION_CONTROL_SEND_TIMEOUT):\r\nFigure 27\r\nFigure 28\r\nThe malicious process establishes a connection to the C2 server updaterweb[.]com on port 443:\r\nFigure 29\r\nThe NetBIOS name of the local computer is retrieved using the GetComputerNameA API:\r\nFigure 30\r\nGetUserNameA is utilized to extract the name of the user associated with the current thread:\r\nFigure 31\r\nThe malware extracts the volume serial number of the root of the current directory via a function call to\r\nGetVolumeInformationW:\r\nFigure 32\r\nThe process decrypts some important strings using the XOR algorithm, the keys being “CEJ\u0026V%$84k839y92m”\r\nand “qpzoamxiendufbtbf3-#$*40fvnpwOPDwdkvn”. 
The strings “id=%s#%s#%u\u0026cmd=y” and\r\n“id=%s#%s#%u\u0026current=%s\u0026total=%s\u0026data=” have been computed:\r\nFigure 33\r\nFigure 34\r\nThe output of the systeminfo command, the output of the tasklist command and the list of targeted directories with their\r\ncontent are base64-encoded using the CryptBinaryToStringA API (0x1 = CRYPT_STRING_BASE64):\r\nFigure 35\r\nFigure 36\r\nThe HttpOpenRequestW routine is utilized to create an HTTP POST request handle:\r\nFigure 37\r\nThe malware adds one HTTP request header to the HTTP request handle, a Content-Type of “application/x-www-form-urlencoded”:\r\nFigure 38\r\nThe request is sent to the HTTP server using the HttpSendRequestExW API, as displayed in figure 39:\r\nFigure 39\r\nIf the connection to the C2 server on port 443 fails, the process tries to connect on port 80:\r\nFigure 40\r\nThe information extracted before is exfiltrated to the C2 server (id=\u003chostname\u003e#Username#\u003cSerial number in\r\ndecimal\u003e\u0026current=1\u0026total=1\u0026data=\u003cbase64-encoded data computed above\u003e):\r\nFigure 41\r\nThe thread sets the event created earlier to the signaled state:\r\nFigure 42\r\nThread activity – sub_6BD71960 function\r\nThis thread first resets the event created earlier to the nonsignaled state using the ResetEvent routine:\r\nFigure 43\r\nThere is a similar workflow starting with calling the InternetOpenW function up until connecting to the C2 server on\r\nport 443 (or port 80 if the first one is unsuccessful). 
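Both sides of the C2 exchange described on this page, as an added example that is not code from the article or from the sample. The client builds the two request bodies from the decrypted format strings quoted above; a server-side parser recognises them (it doubles as detection logic over captured POST bodies); and the reply to the cmd=y request is built and then checked the way the sample checks it in the paragraphs that follow (a base64 body, a 4-byte size field, and a 32-byte SHA256 that must match the decoded content before anything is written to %TEMP% and loaded). The byte order of the size field, the fact that it counts the base64 text, the position of the hash after the body, the single-line base64 and every host, user, serial and payload value are assumptions or constructed data, marked as such in the comments.

```python
"""Client and emulated-server side of the SkinnyBoy beacon (added example).

Layout details of the cmd=y reply are assumptions; see build_response().
"""
import base64
import hashlib
import hmac
import re
import struct

USER_AGENT = "Opera"            # hard-coded in the sample (figure 26)
C2_HOST = "updaterweb[.]com"    # IOC from the page, kept defanged

# Decrypted format strings quoted on the page (%u is the volume serial).
FMT_EXFIL = "id=%s#%s#%u&current=%s&total=%s&data="
FMT_CMD = "id=%s#%s#%u&cmd=y"


def build_exfil_body(hostname, username, volume_serial, collected):
    """Client side: the exfiltration POST body. 'collected' is the raw
    systeminfo + tasklist + directory-listing text, which the sample encodes
    with CryptBinaryToStringA. Assumption: single-line base64."""
    prefix = FMT_EXFIL % (hostname, username, volume_serial, "1", "1")
    return prefix + base64.b64encode(collected).decode()


def build_cmd_body(hostname, username, volume_serial):
    """Client side: the second thread's request asking for a DLL."""
    return FMT_CMD % (hostname, username, volume_serial)


BEACON_RE = re.compile(
    r"^id=(?P<host>[^#&]+)#(?P<user>[^#&]+)#(?P<serial>\d+)&"
    r"(?:(?P<cmd>cmd=y)|current=(?P<current>\d+)&total=(?P<total>\d+)"
    r"&data=(?P<data>[A-Za-z0-9+/=\r\n]*))$"
)


def parse_beacon(body):
    """Server / detection side: parse a POST body into its fields, or return
    None when the body does not follow the SkinnyBoy layout."""
    m = BEACON_RE.match(body)
    if not m:
        return None
    out = {"host": m["host"], "user": m["user"], "serial": int(m["serial"])}
    if m["cmd"]:
        out["kind"] = "download"
    else:
        out["kind"] = "exfil"
        out["current"], out["total"] = int(m["current"]), int(m["total"])
        # Tolerate CRLF-wrapped base64 (CryptBinaryToStringA without NOCRLF).
        out["payload"] = base64.b64decode(m["data"].replace("\r\n", ""))
    return out


def build_response(dll_bytes):
    """Emulated server side of the cmd=y reply. Assumed layout: 4-byte
    little-endian length of the base64 text, the base64-encoded DLL, then the
    32-byte SHA256 of the decoded DLL. The page only states that the first
    4 bytes carry the size and that 32 hash bytes accompany the data."""
    encoded = base64.b64encode(dll_bytes)
    digest = hashlib.sha256(dll_bytes).digest()
    return struct.pack("<I", len(encoded)) + encoded + digest


def verify_response(blob):
    """Client side as the sample does it: decode the base64, SHA256 the
    result and compare it with the 32 bytes that came with it. Only a match
    reaches the file write and LoadLibraryW. Raises ValueError otherwise.
    (A constant-time compare is this example's choice, not the sample's.)"""
    if len(blob) < 4 + 32:
        raise ValueError("response too short")
    (size,) = struct.unpack("<I", blob[:4])
    encoded, trailer = blob[4:4 + size], blob[4 + size:]
    if len(encoded) != size or len(trailer) != 32:
        raise ValueError("length field does not match body")
    dll = base64.b64decode(encoded, validate=True)
    if not hmac.compare_digest(hashlib.sha256(dll).digest(), trailer):
        raise ValueError("SHA256 mismatch: the sample would not load this DLL")
    return dll


if __name__ == "__main__":
    # Constructed values: hostname, user, serial and payload are made up.
    body = build_exfil_body("DESKTOP-TEST", "analyst", 0x1A2B3C4D,
                            b"Host Name: DESKTOP-TEST\r\n")
    print(parse_beacon(body)["kind"], body[:60] + "...")
    fake_dll = b"MZ" + b"\x00" * 62      # stand-in bytes, not a real PE
    reply = build_response(fake_dll)
    print("accepted:", verify_response(reply) == fake_dll)
    tampered = reply[:-1] + bytes([reply[-1] ^ 0xFF])
    try:
        verify_response(tampered)
    except ValueError as err:
        print("rejected:", err)
```

For sandboxing with a FakeNet-style responder, build_response() is the piece to wire into the HTTP listener so that the sample proceeds past the hash comparison to the LoadLibraryW stage with a DLL of your choosing. On the detection side, note that the page reads the CryptBinaryToStringA flag as 0x1 (CRYPT_STRING_BASE64); without CRYPT_STRING_NOCRLF that API inserts CRLF line breaks into its output, so a parser that reconstructs the data parameter should strip them, as parse_beacon() does, rather than expect a single base64 line.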
The POST request is different this time because it contains the\r\n“cmd=y” command that is used to download a DLL file:\r\nFigure 44\r\nThe malware determines the amount of response data available using the InternetQueryDataAvailable\r\nroutine:\r\nFigure 45\r\nThe potential DLL file is read from the handle using the InternetReadFile API (the first 4 bytes represent the\r\ndata size, and the response also carries 32 bytes holding the SHA256 hash of the content, as we’ll describe in the\r\nupcoming paragraphs):\r\nFigure 46\r\nThe expected DLL is base64-encoded, since the process decodes it using the CryptStringToBinaryA\r\nfunction (0x1 = CRYPT_STRING_BASE64):\r\nFigure 47\r\nFigure 48\r\nCryptAcquireContextA is utilized to acquire a handle to the Microsoft RSA and AES Cryptographic Provider (0x18\r\n= PROV_RSA_AES):\r\nFigure 49\r\nThe CryptCreateHash routine is used to create a handle to a CSP (cryptographic service provider) hash object\r\n(0x800c = CALG_SHA_256):\r\nFigure 50\r\nOnce the base64-encoded DLL file has been decoded, the malware hashes the buffer that is supposed to contain a DLL\r\nfile using the SHA256 algorithm:\r\nFigure 51\r\nThe hash value is extracted by calling the CryptGetHashParam API, as shown in figure 52 (0x2 = HP_HASHVAL):\r\nFigure 52\r\nFigure 53\r\nThe malicious process verifies whether the hash value computed above matches the 32-byte buffer that accompanies the\r\nDLL file (the response is emulated in our case, of course, but we can adjust it to pass the comparison):\r\nFigure 54\r\nFigure 55\r\nGetTempPathW is utilized to retrieve the path of the %TEMP% directory:\r\nFigure 56\r\nThe malicious process creates a file called fvjoik.dll in the %TEMP% directory, as shown below:\r\nFigure 57\r\nThe newly created file is 
populated with the potential DLL downloaded from the C2 server:\r\nFigure 58\r\nThe DLL file is loaded into the address space of the current process using the LoadLibraryW routine:\r\nFigure 59\r\nThe malware will execute the exported function with ordinal 1, as highlighted in the next figure:\r\nFigure 60\r\nAfter the function finishes, there is a call to WinExec that deletes the DLL file created earlier:\r\nFigure 61\r\nThe process communicates again with the C2 server, and we believe that it transmits the result of the DLL execution\r\n(we won’t go into too much detail here because it’s pretty much the same activity described so far). The parameters\r\nof the request are again as follows: “id=\u003chostname\u003e#Username#\u003cSerial number in\r\ndecimal\u003e\u0026current=1\u0026total=1\u0026data=\u003cdata to be transmitted\u003e”.\r\nMain thread activity\r\nThe main thread sets the event created before to the signaled state:\r\nFigure 62\r\nThe malware retrieves the termination status of the 2 threads using the GetExitCodeThread API:\r\nFigure 63\r\nFigure 64\r\nReferences\r\nMSDN: https://docs.microsoft.com/en-us/windows/win32/api/\r\nVirusTotal: https://www.virustotal.com/gui/file/ae0bc3358fef0ca2a103e694aa556f55a3fed4e98ba57d16f5ae7ad4ad583698/detection\r\nFakeNet-NG: https://github.com/fireeye/flare-fakenet-ng\r\nCluster25: https://cluster25.io/wp-content/uploads/2021/05/2021-05_FancyBear.pdf\r\nINDICATORS OF COMPROMISE\r\nC2 server: updaterweb[.]com\r\nSHA256: ae0bc3358fef0ca2a103e694aa556f55a3fed4e98ba57d16f5ae7ad4ad583698\r\nUser-Agent: Opera\r\nSource: https://cybergeeks.tech/skinnyboy-apt28/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://cybergeeks.tech/skinnyboy-apt28/"
	],
	"report_names": [
		"skinnyboy-apt28"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434651,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/053db4fd0be2e70fe81bd00f4ca83bda24a4360d.pdf",
		"text": "https://archive.orkl.eu/053db4fd0be2e70fe81bd00f4ca83bda24a4360d.txt",
		"img": "https://archive.orkl.eu/053db4fd0be2e70fe81bd00f4ca83bda24a4360d.jpg"
	}
}