{ "id": "31593709-9a4b-4303-9970-3ea1f3a299ed", "created_at": "2026-04-06T00:19:36.07579Z", "updated_at": "2026-04-10T03:37:49.874398Z", "deleted_at": null, "sha1_hash": "26e918f246c42c6c0bd0c9765fd5ec971351c41b", "title": "A Zebra in Gopher's Clothing: Russian APT Uses COVID-19 Lures to Deliver Zebrocy", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 692328, "plain_text": "A Zebra in Gopher's Clothing: Russian APT Uses COVID-19\r\nLures to Deliver Zebrocy\r\nBy Joakim Kennedy\r\nPublished: 2020-12-09 · Archived: 2026-04-05 13:09:43 UTC\r\nSummary\r\nIn November, we uncovered COVID-19 phishing lures that were used to deliver the Go version of Zebrocy.\r\nZebrocy is mainly used against governments and commercial organizations engaged in foreign affairs. The\r\nlures consisted of documents about Sinopharm International Corporation—a pharmaceutical company that\r\nCOVID-19 vaccine is currently going through phase three clinical trials—and an impersonated evacuation letter\r\nfrom Directorate General of Civil Aviation.\r\nThe lure was delivered as part of a Virtual Hard Drive (VHD) file that requires victims to use Windows 10 to\r\naccess the files. While the malware samples were heavily obfuscated, it was possible to attribute them to the\r\nSofacy threat actor since they shared genomes with samples used in previous campaigns.\r\nIt appears that the threat actor switched from delivering VHD files with the Delphi version of Zebrocy, to the Go\r\nversion in the middle of November. Given that many COVID-19 vaccines are about to be approved for clinical\r\nuse, it’s likely that APTs (Advanced Persistent Threat) and financially motivated threat actors will use this\r\nmalware in their attacks.\r\nZebrocy Evolution\r\nZebrocy is a malware used by the threat group Sofacy, also known as Sednit, APT28, Fancy Bear, and\r\nSTRONTIUM. Sofacy was one of the groups indicted by the Department of Justice (DOJ) for the compromise of\r\nthe Democratic National Committee (DNC). The Zebrocy toolset was first reported by Kaspersky Labs as part of\r\ntheir APT Trends report in 2017. The malware was first used in 2015 and overlapped with known Sofacy\r\ninfrastructure at the time. Zebrocy operates as a downloader and collects information about the infected host that\r\nis uploaded to the command and control (C\u0026C) server before downloading and executing the next stage.\r\nThe first version of the downloader was written in Delphi and was based on a previous malware used by Sofacy.\r\nOne unique aspect of the operators behind Zebrocy is their choice of evolving the malware. Instead of improving\r\ntheir codebase to add new functionalities and increase their chance of staying undetected, the group has opted to\r\nkeep the malware simple by implementing new versions in different programming languages. Zebrocy samples\r\nwritten in AutoIT, C++, C#, Delphi, Go, and VB.NET have been discovered by the research community.\r\nWhile Zebrocy is known to be used by a subset of the Sofacy threat group, Kaspersky Labs reported in January\r\n2019 that they had discovered infrastructure used both by Zebrocy and GreyEnergy. GreyEnergy was discovered\r\nby ESET and reported on in October 2018. The group is believed to be the successor of BlackEnergy, also known\r\nas Sandworm. Sandworm was recently attributed to Russia’s GRU by the United States government in an\r\nhttps://www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/\r\nPage 1 of 9\n\nindictment for the NotPetya and Olympic Destroyer campaigns. Generally speaking, Sofacy and BlackEnergy\r\nhave diverging goals and have been known to go after different targets. In this case, the common infrastructure\r\nand targets between the Sofacy subgroup using Zebrocy and GreyEnergy suggests a relationship between the\r\ngroups.\r\nZebrocy is mainly used against governments and commercial organizations engaged in foreign affairs. Victims\r\nhave been located in: “Afghanistan, Azerbaijan, Bosnia and Herzegovina, China, Egypt, Georgia, Iran, Japan,\r\nKazakhstan, Korea, Kyrgyzstan, Mongolia, Russia, Saudi Arabia, Serbia, Switzerland, Tajikistan, Turkey,\r\nTurkmenistan, Ukraine, Uruguay, and Zimbabwe.” The delivery of Zebrocy is usually via a spear-phishing email.\r\nThe email has contained Microsoft Office documents or archive files.\r\nTechnical Analysis\r\nAt the end of November, we discovered a Virtual Hard Drive (VHD) file (a7b446d79d3fc05a7e1881d6d4abaf55)\r\nnamed 30-22-243.vhd that was uploaded from Azerbaijan to VirusTotal. VHD is the native file format for virtual\r\nhard drives used by Microsoft’s hypervisor, Hyper-V. Windows 10 has native support for the file format and\r\nallows the user to mount the file and access its content. Figure 1 shows what the user would see if they\r\ndownloaded the file to their desktop. According to timestamps stored in the file, the disk was created on\r\nNovember 20, 2020, 10 days before it was uploaded to VirusTotal.\r\nFigure 1: VHD phishing lure.\r\nIf the user double-clicks on the file, Windows will mount the drive and it appears as an external hard drive. Figure\r\n2 shows the content of the VHD.\r\nhttps://www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/\r\nPage 2 of 9\n\nFigure 2: Content of the VHD file. It contains two files: A PDF file and an executable that is masquerading as a\r\nMicrosoft Word document.\r\nThe VHD file includes two files, a PDF document and an executable that is masquerading as a Microsoft Word\r\ndocument. The PDF file consists of presentation slides about Sinopharm International Corporation. Figure 3\r\ndisplays a screenshot of the first slide.\r\nhttps://www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/\r\nPage 3 of 9\n\nFigure 3: PDF of presentation slides used as part of the lure.\r\nSinopharm International Corporation is a China-based manufacturer of pharmaceutical products. It is one of the\r\ncompanies in China that is currently working on a vaccine for COVID-19. Their vaccine is currently\r\nundergoing phase three clinical trials but it has already been given to nearly one million people. It may not come\r\nas a surprise that the threat group behind Zebrocy is using COVID-19-themed related lures when many vaccines\r\nare about to get approved for use. The group is known to use current events as part of their phishing lures.\r\nThe second file is the malware. By default, Windows hides known file extensions and the user can be easily\r\ntricked into believing that it’s a Word document. The scan results of the executable from VirusTotal is shown in\r\nFigure 4 and Intezer Analyze in Figure 5. Only nine of the 70 antivirus engines detected the file as generic\r\nmalware while Analyze detected the file as malware associated with Sofacy.\r\nhttps://www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/\r\nPage 4 of 9\n\nFigure 4: VirusTotal scan results of the binary file with generic detection.\r\nFigure 5: Intezer Analyze detects the file as genetically similar to malware used by Sofacy one year ago.\r\nThe malware is a new sample of Zebrocy written in Go. Earlier this year, QuoIntelligence detected an ongoing\r\ncampaign by Sofacy, assessing with medium-high confidence that the group was targeting Azerbaijan. In that\r\ncampaign, the Delphi version was used. It appears that the threat group has now switched from delivering the\r\nDelphi downloader to the Go downloader.\r\nThe downloader is similar to the original downloader reported by Palo Alto Networks Unit 42. The sample has\r\nbeen obfuscated with gobfuscator, the same tool used by the Blackrota malware. The sample doesn’t collect the\r\nsame amount of information about the infected machine (i.e., running processes, local disk information, and\r\nsystem information from “systeminfo”) as in previous campaigns. Instead, it collects the hostname and the path to\r\nthe user’s TEMP folder. This information is used to generate an identifier by hashing the values with MD5. The\r\nscreenshot functionality is not performed by an imported third-party library. Rather, the malware author has\r\nincluded the screenshot code from the library directly in the main codebase. The malware has some anti-debugging checks. In Figure 6, it can be seen how the malware calls the Windows API function\r\nIsDebuggerPresent. If true is returned, it enters an infinite sleeping loop.\r\nhttps://www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/\r\nPage 5 of 9\n\nFigure 6: Logic that checks if the process is being debugged. If true, it enters a sleeping loop.\r\nThe screenshot is uploaded to the C\u0026C located at the URL: hxxps://support-cloud[.]life/managment/cb-secure/technology.php. If the C\u0026C returns a second stage, the file is written to the disk and executed. The URL\r\nscheme for the C\u0026C is similar to the URL scheme used in the original Go\r\nversion (hxxp://89.37.226[.]148/technet-support/library/online-service-description.php). The domain name\r\nwas registered with NameCheap on October 20, 2020, and uses a certificate issued by Let’s Encrypt. The\r\ncertificate was issued on November 2, 2020. The infrastructure is hosted on 80.90.39.24 which is owned by the\r\nLuxembourg-based hosting company, Visual Online. The infrastructure appears to be new.\r\nEarlier Campaigns\r\nUsing the icon resource from the original phishing lure, we found another phishing lure\r\n(395e166af5197967503f45c3ac134ff7) that was uploaded to VirusTotal from Kazakhstan on November 12. This\r\nVHD file was named No.243.CB3-EVACUATION LETTER.vhd. The content of the file is shown in Figure 7.\r\nhttps://www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/\r\nPage 6 of 9\n\nFigure 7: Content of No.243.CB3-EVACUATION LETTER.vhd. The disk file includes an executable file and a\r\nPDF file.\r\nThe executable is another Go version of Zebrocy. It uses the same C\u0026C URL. The sample is obfuscated using the\r\nsame technique the group has used for their prior versions. The function names have been mangled and the strings\r\nhave been obfuscated. In this version, the strings are obfuscated by rotating the characters in the string one step.\r\nFor example, A has been rotated to B.\r\nThe PDF file is corrupted. This is not the first time the group is using corrupt files as part of its lures.\r\nCorrupt Microsoft Excel files were used in the campaign uncovered by QuoIntelligence earlier this year. The\r\ntechnique is likely used to trick the user into executing the application rather than just viewing the lure.\r\nBased on the file name, one theory we have is a message from India’s Directorate General of Civil Aviation is\r\nbeing impersonated. It was announced in August that a flight network between India, Russia, and other Central\r\nAsian countries was being developed. While India has suspended international flights due to the pandemic, some\r\nairlines have operated charter flights to “Russia, Uzbekistan, Ukraine, Kazakhstan and Kyrgyzstan.”\r\nIt turns out the same VHD file was uploaded in October to VirusTotal with different content\r\n(855005fee45e71c36a466527c7fad62f); both samples share the same disk ID. The content of this sample is shown\r\nin Figure 8. As with the other VHD files, this also has a PDF file and an executable masquerading as a Microsoft\r\nWord Document. Instead of delivering the Go version of Zebrocy, the Delphi loader was used.\r\nhttps://www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/\r\nPage 7 of 9\n\nFigure 8: Content of VHD uploaded to VirusTotal in October.\r\nThe PDF lure is written in Russian. The title is, according to Google Translate: “NATIONAL LIST\r\nINDIVIDUALS AND LEGAL ENTITIES INVOLVED IN TERRORIST AND EXTREMIST ACTIVITIES OR\r\nTHE DISTRIBUTION OF WEAPONS OF MASS DESTRUCTION.” The content of the first page is shown in\r\nFigure 9.\r\nFigure 9: Redacted screenshot of PDF lure written in Russian.\r\nAccording to timestamps, the VHD was created on October 21, the day after the domain (support-cloud[.]life) was\r\nregistered. The domain was used in a spear-phishing attack against a Kazakhstan government ministry the same\r\nhttps://www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/\r\nPage 8 of 9\n\nday. The VHD file was uploaded to VirusTotal the next day. On November 11, the same VHD file was reused but\r\nthe lure and payload were changed. This version of the VHD was uploaded to VirusTotal the next day. By\r\napplying this logic to the VHD file used to deliver the Sinopharm-based lure, we can estimate that it was\r\nused around November 20.\r\nConclusion\r\nZebrocy is a malware toolset used by the Sofacy threat group. While the group keeps changing obfuscation and\r\ndelivery techniques, code reuse allowed Intezer to detect and correctly classify this malware. With these recent\r\nphishing lures, it’s clear that COVID-19 themed attacks are still a threat and we might see more as vaccines\r\nbecome available to the general public.\r\nIt’s important that companies use defense-in-depth strategies to protect against threats. Employers should also\r\nensure employees are trained on detecting and reacting to phishing attempts. Phishing attempts do not always\r\noriginate from an external email address; they can also come from a compromised account within the enterprise.\r\nIoCs\r\nNetwork\r\nhxxps://support-cloud[.]life/managment/cb-secure/technology.php\r\nVHD files\r\nd5d9210ef49c6780016536b0863cc50f6de03f73e70c2af46cc3cff0e2bf9353  30-1868.vhd\r\n43c65d87d690aea7c515fe84317af40b7e64b350304b0fc958a51d62826feade  30-22-243.vhd\r\nd444fde5885ec1241041d04b3001be17162523d2058ab1a7f88aac50a6059bc0  No.243.CB3-\r\nEVACUATION LETTER.vhd\r\nZebrocy\r\nf36a0ee7f4ec23765bb28fbfa734e402042278864e246a54b8c4db6f58275662  243_BIO_SINOPHARM.exe\r\n61c2e524dcc25a59d7f2fe7eff269865a3ed14d6b40e4fea33b3cd3f58c14f19  243.CB3.EVACUATION\r\nLETTER.exe\r\n6449d0cb1396d6feba7fb9e25fb20e9a0a5ef3e8623332844458d73057cf04a1  30-1868 20.10.2020.exe\r\nSource: https://www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/\r\nhttps://www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/\r\nPage 9 of 9", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "ETDA", "MITRE" ], "references": [ "https://www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/" ], "report_names": [ "russian-apt-uses-covid-19-lures-to-deliver-zebrocy" ], "threat_actors": [ { "id": "4d9cdc7f-72d6-4e17-89d8-f6323bfcaebb", "created_at": "2023-01-06T13:46:38.82716Z", "updated_at": "2026-04-10T02:00:03.113893Z", "deleted_at": null, "main_name": "GreyEnergy", "aliases": [], "source_name": "MISPGALAXY:GreyEnergy", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df", "created_at": "2023-01-06T13:46:38.402513Z", "updated_at": "2026-04-10T02:00:02.959797Z", "deleted_at": null, "main_name": "Sandworm", "aliases": [ "IRIDIUM", "Blue Echidna", "VOODOO BEAR", "FROZENBARENTS", "UAC-0113", "Seashell Blizzard", "UAC-0082", "APT44", "Quedagh", "TEMP.Noble", "IRON VIKING", "G0034", "ELECTRUM", "TeleBots" ], "source_name": "MISPGALAXY:Sandworm", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "7bd810cb-d674-4763-86eb-2cc182d24ea0", "created_at": "2022-10-25T16:07:24.1537Z", "updated_at": "2026-04-10T02:00:04.883793Z", "deleted_at": null, "main_name": "Sandworm Team", "aliases": [ "APT 44", "ATK 14", "BE2", "Blue Echidna", "CTG-7263", "FROZENBARENTS", "G0034", "Grey Tornado", "IRIDIUM", "Iron Viking", "Quedagh", "Razing Ursa", "Sandworm", "Sandworm Team", "Seashell Blizzard", "TEMP.Noble", "UAC-0082", "UAC-0113", "UAC-0125", "UAC-0133", "Voodoo Bear" ], "source_name": "ETDA:Sandworm Team", "tools": [ "AWFULSHRED", "ArguePatch", "BIASBOAT", "Black Energy", "BlackEnergy", "CaddyWiper", "Colibri Loader", "Cyclops Blink", "CyclopsBlink", "DCRat", "DarkCrystal RAT", "Fobushell", "GOSSIPFLOW", "Gcat", "IcyWell", "Industroyer2", "JaguarBlade", "JuicyPotato", "Kapeka", "KillDisk.NCX", "LOADGRIP", "LOLBAS", "LOLBins", "Living off the Land", "ORCSHRED", "P.A.S.", "PassKillDisk", "Pitvotnacci", "PsList", "QUEUESEED", "RansomBoggs", "RottenPotato", "SOLOSHRED", "SwiftSlicer", "VPNFilter", "Warzone", "Warzone RAT", "Weevly" ], "source_id": "ETDA", "reports": null }, { "id": "730dfa6e-572d-473c-9267-ea1597d1a42b", "created_at": "2023-01-06T13:46:38.389985Z", "updated_at": "2026-04-10T02:00:02.954105Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "Pawn Storm", "ATK5", "Fighting Ursa", "Blue Athena", "TA422", "T-APT-12", "APT-C-20", "UAC-0001", "IRON TWILIGHT", "SIG40", "UAC-0028", "Sofacy", "BlueDelta", "Fancy Bear", "GruesomeLarch", "Group 74", "ITG05", "FROZENLAKE", "Forest Blizzard", "FANCY BEAR", "Sednit", "SNAKEMACKEREL", "Tsar Team", "TG-4127", "STRONTIUM", "Grizzly Steppe", "G0007" ], "source_name": "MISPGALAXY:APT28", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e3767160-695d-4360-8b2e-d5274db3f7cd", "created_at": "2022-10-25T16:47:55.914348Z", "updated_at": "2026-04-10T02:00:03.610018Z", "deleted_at": null, "main_name": "IRON TWILIGHT", "aliases": [ "APT28 ", "ATK5 ", "Blue Athena ", "BlueDelta ", "FROZENLAKE ", "Fancy Bear ", "Fighting Ursa ", "Forest Blizzard ", "GRAPHITE ", "Group 74 ", "PawnStorm ", "STRONTIUM ", "Sednit ", "Snakemackerel ", "Sofacy ", "TA422 ", "TG-4127 ", "Tsar Team ", "UAC-0001 " ], "source_name": "Secureworks:IRON TWILIGHT", "tools": [ "Downdelph", "EVILTOSS", "SEDUPLOADER", "SHARPFRONT" ], "source_id": "Secureworks", "reports": null }, { "id": "ae320ed7-9a63-42ed-944b-44ada7313495", "created_at": "2022-10-25T15:50:23.671663Z", "updated_at": "2026-04-10T02:00:05.283292Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "APT28", "IRON TWILIGHT", "SNAKEMACKEREL", "Group 74", "Sednit", "Sofacy", "Pawn Storm", "Fancy Bear", "STRONTIUM", "Tsar Team", "Threat Group-4127", "TG-4127", "Forest Blizzard", "FROZENLAKE", "GruesomeLarch" ], "source_name": "MITRE:APT28", "tools": [ "Wevtutil", "certutil", "Forfiles", "DealersChoice", "Mimikatz", "ADVSTORESHELL", "Komplex", "HIDEDRV", "JHUHUGIT", "Koadic", "Winexe", "cipher.exe", "XTunnel", "Drovorub", "CORESHELL", "OLDBAIT", "Downdelph", "XAgentOSX", "USBStealer", "Zebrocy", "reGeorg", "Fysbis", "LoJax" ], "source_id": "MITRE", "reports": null }, { "id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab", "created_at": "2022-10-25T16:07:24.212584Z", "updated_at": "2026-04-10T02:00:04.900038Z", "deleted_at": null, "main_name": "Sofacy", "aliases": [ "APT 28", "ATK 5", "Blue Athena", "BlueDelta", "FROZENLAKE", "Fancy Bear", "Fighting Ursa", "Forest Blizzard", "G0007", "Grey-Cloud", "Grizzly Steppe", "Group 74", "GruesomeLarch", "ITG05", "Iron Twilight", "Operation DealersChoice", "Operation Dear Joohn", "Operation Komplex", "Operation Pawn Storm", "Operation RoundPress", "Operation Russian Doll", "Operation Steal-It", "Pawn Storm", "SIG40", "Sednit", "Snakemackerel", "Sofacy", "Strontium", "T-APT-12", "TA422", "TAG-0700", "TAG-110", "TG-4127", "Tsar Team", "UAC-0028", "UAC-0063" ], "source_name": "ETDA:Sofacy", "tools": [ "ADVSTORESHELL", "AZZY", "Backdoor.SofacyX", "CHERRYSPY", "CORESHELL", "Carberp", "Computrace", "DealersChoice", "Delphacy", "Downdelph", "Downrage", "Drovorub", "EVILTOSS", "Foozer", "GAMEFISH", "GooseEgg", "Graphite", "HATVIBE", "HIDEDRV", "Headlace", "Impacket", "JHUHUGIT", "JKEYSKW", "Koadic", "Komplex", "LOLBAS", "LOLBins", "Living off the Land", "LoJack", "LoJax", "MASEPIE", "Mimikatz", "NETUI", "Nimcy", "OCEANMAP", "OLDBAIT", "PocoDown", "PocoDownloader", "Popr-d30", "ProcDump", "PythocyDbg", "SMBExec", "SOURFACE", "SPLM", "STEELHOOK", "Sasfis", "Sedkit", "Sednit", "Sedreco", "Seduploader", "Shunnael", "SkinnyBoy", "Sofacy", "SofacyCarberp", "SpiderLabs Responder", "Trojan.Shunnael", "Trojan.Sofacy", "USB Stealer", "USBStealer", "VPNFilter", "Win32/USBStealer", "WinIDS", "Winexe", "X-Agent", "X-Tunnel", "XAPS", "XTunnel", "Xagent", "Zebrocy", "Zekapab", "carberplike", "certutil", "certutil.exe", "fysbis", "webhp" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434776, "ts_updated_at": 1775792269, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/26e918f246c42c6c0bd0c9765fd5ec971351c41b.pdf", "text": "https://archive.orkl.eu/26e918f246c42c6c0bd0c9765fd5ec971351c41b.txt", "img": "https://archive.orkl.eu/26e918f246c42c6c0bd0c9765fd5ec971351c41b.jpg" } }