{
	"id": "5078b970-73d1-4d6f-9869-c365ad6612e1",
	"created_at": "2026-04-06T00:13:44.155269Z",
	"updated_at": "2026-04-10T03:37:50.168501Z",
	"deleted_at": null,
	"sha1_hash": "4a97aa6e3c8a53b1bd43e6f853ad03a288f8549c",
	"title": "GreyEnergy’s overlap with Zebrocy",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 223871,
	"plain_text": "GreyEnergy’s overlap with Zebrocy\r\nBy Kaspersky ICS CERT\r\nPublished: 2019-01-24 · Archived: 2026-04-05 18:34:04 UTC\r\nIn October 2018, ESET published a report describing a set of activity it called GreyEnergy, which is believed to be a successor to the BlackEnergy group. BlackEnergy (a.k.a. Sandworm) is best known, among other things, for its involvement in the 2015 attacks on Ukrainian energy facilities that led to power outages. Like its predecessor, GreyEnergy malware has been detected attacking industrial and ICS targets, mainly in Ukraine.\r\nKaspersky Lab ICS CERT has identified an overlap between GreyEnergy and a Sofacy subset called “Zebrocy”. The Zebrocy activity is named after malware that the Sofacy group began using in mid-November 2015 for the post-exploitation stage of attacks on its victims. Zebrocy’s targets are spread widely across the Middle East, Europe and Asia, and their profiles are mostly government-related.\r\nBoth sets of activity used the same servers at the same time and targeted the same organization.\r\nDetails\r\nServers\r\nIn our private APT Intel report from July 2018, “Zebrocy implements new VBA anti-sandboxing tricks”, details were provided about different Zebrocy C2 servers, including 193.23.181[.]151.\r\nIn the course of our research, the following Zebrocy samples (MD5) were found to use the same server to download additional components:\r\n7f20f7fbce9deee893dbce1a1b62827d\r\n170d2721b91482e5cabf3d2fec091151\r\neae0b8997c82ebd93e999d4ce14dedf5\r\na5cbf5a131e84cd2c0a11fca5ddaa50a\r\nc9e1b0628ac62e5cb01bf1fa30ac8317\r\nThe URL used to download additional data looks as follows:\r\nhxxp://193.23.181[.]151/help-desk/remote-assistant-service/PostId.php?q={hex}\r\nThis same C2 server was also used in a spearphishing email attachment sent by GreyEnergy (aka FELIXROOT), as mentioned in a FireEye report.
Details on this attachment are as follows:\r\nThe file (11227eca89cc053fb189fac3ebf27497), named “Seminar.rtf”, exploited CVE-2017-0199.\r\n“Seminar.rtf” downloaded a second-stage document from hxxp://193.23.181[.]151/Seminar.rtf (4de5adb865b5198b4f2593ad436fceff, exploiting CVE-2017-11882).\r\nhttps://securelist.com/greyenergys-overlap-with-zebrocy/89506/\r\nPage 1 of 4\r\nThe original document (Seminar.rtf) was hosted on the same server and downloaded by victims from:\r\nhxxp://193.23.181[.]151/ministerstvo-energetiki/seminars/2019/06/Seminar.rtf\r\nAnother server we detected that was used both by Zebrocy and by GreyEnergy is 185.217.0[.]124. Similarly, we detected a spearphishing GreyEnergy document (a541295eca38eaa4fde122468d633083, exploiting CVE-2017-11882), also named “Seminar.rtf”.\r\n[Figure: “Seminar.rtf”, a GreyEnergy decoy document]\r\nThis document downloads a GreyEnergy sample (78734cd268e5c9ab4184e1bbe21a6eb9) from the following SMB link:\r\n\\\\185.217.0[.]124\\Doc\\Seminar\\Seminar_2018_1.AO-A\r\nThe following Zebrocy samples use this server as C2:\r\n7f20f7fbce9deee893dbce1a1b62827d\r\n170d2721b91482e5cabf3d2fec091151\r\n3803af6700ff4f712cd698cee262d4ac\r\ne3100228f90692a19f88d9acb620960d\r\nThey retrieve additional data from the following URL:\r\nhxxp://185.217.0[.]124/help-desk/remote-assistant-service/PostId.php?q={hex}\r\nIt is worth noting that at least two samples from the above lists (the two that appear in both, 7f20f7fbce9deee893dbce1a1b62827d and 170d2721b91482e5cabf3d2fec091151) use both 193.23.181[.]151 and 185.217.0[.]124 as C2s.\r\n[Figure: Hosts associated with GreyEnergy and Zebrocy]\r\nAttacked company\r\nAdditionally, both GreyEnergy and Zebrocy spearphishing documents targeted a number of industrial companies in Kazakhstan.
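The Servers section above publishes its indicators in defanged form and as two per-server sample lists. The Python script below is an added example, not code from the Kaspersky report: it refangs the indicators, computes which hashes appear in both lists (the samples that talk to both C2s), and sweeps proxy log lines for the known C2 hosts and for the PostId.php?q={hex} download pattern. The log format (timestamp, client, method, URL, status) and the log lines themselves are constructed for the demo, and matching the URL pattern on any host rather than only on the two servers named here is a generalization added here, on the reasoning that infrastructure rotates faster than URL structure.
```python
# Added example, not code from the Kaspersky ICS CERT report: refang the indicators
# published in the report and run them over constructed proxy log lines.
from urllib.parse import urlsplit, parse_qs

# Indicators copied from the report, in the defanged form it uses.
C2_SERVERS = ['193.23.181[.]151', '185.217.0[.]124']
BEACON_PATH = '/help-desk/remote-assistant-service/PostId.php'   # followed by ?q={hex}
SAMPLES_193 = ['7f20f7fbce9deee893dbce1a1b62827d', '170d2721b91482e5cabf3d2fec091151',
               'eae0b8997c82ebd93e999d4ce14dedf5', 'a5cbf5a131e84cd2c0a11fca5ddaa50a',
               'c9e1b0628ac62e5cb01bf1fa30ac8317']
SAMPLES_185 = ['7f20f7fbce9deee893dbce1a1b62827d', '170d2721b91482e5cabf3d2fec091151',
               '3803af6700ff4f712cd698cee262d4ac', 'e3100228f90692a19f88d9acb620960d']
HEX_DIGITS = set('0123456789abcdefABCDEF')


def refang(ioc):
    # Undo the defanging used in the report so the value matches real log data.
    return ioc.replace('[.]', '.').replace('hxxps://', 'https://').replace('hxxp://', 'http://')


def shared_samples(first, second):
    # Hashes present in both per-server lists, i.e. samples that use both C2s.
    return [h for h in first if h in second]


def is_beacon_url(url):
    # Match the PostId.php?q={hex} download pattern on any host (generalization):
    # the path plus an all-hex q parameter is the durable part of the indicator.
    parts = urlsplit(url)
    if parts.path != BEACON_PATH:
        return False
    q = parse_qs(parts.query).get('q', [''])[0]
    return len(q) > 0 and set(q) <= HEX_DIGITS


def scan_proxy_log(lines):
    # Constructed log format (assumption): timestamp client method url status.
    # Returns one (line_number, host, reasons) tuple per line that matched.
    known_hosts = {refang(ip) for ip in C2_SERVERS}
    findings = []
    for number, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:
            continue   # malformed line: skip it rather than abort the sweep
        url = fields[3]
        host = urlsplit(url).hostname
        reasons = []
        if host in known_hosts:
            reasons.append('known C2 host')
        if is_beacon_url(url):
            reasons.append('Zebrocy beacon URL pattern')
        if reasons:
            findings.append((number, host, reasons))
    return findings


# Constructed proxy log lines for the demo (not real victim data); the first three
# reproduce the download paths from the report, the fourth the URL pattern on an
# unrelated documentation-range host, the fifth a benign help-desk request.
SAMPLE_LOG = [
    '2018-06-21T09:14:02Z 10.1.2.33 GET http://193.23.181.151/ministerstvo-energetiki/seminars/2019/06/Seminar.rtf 200',
    '2018-06-21T09:14:05Z 10.1.2.33 GET http://193.23.181.151/Seminar.rtf 200',
    '2018-06-28T11:02:47Z 10.1.2.57 GET http://185.217.0.124/help-desk/remote-assistant-service/PostId.php?q=4a6f686e 200',
    '2018-06-28T11:30:10Z 10.1.2.57 GET http://203.0.113.9/help-desk/remote-assistant-service/PostId.php?q=deadbeef 404',
    '2018-06-28T12:00:00Z 10.1.2.58 GET http://intranet.example/help-desk/index.php?q=search 200',
]

if __name__ == '__main__':
    print('samples using both C2s:', shared_samples(SAMPLES_193, SAMPLES_185))
    for number, host, reasons in scan_proxy_log(SAMPLE_LOG):
        print(number, host, ', '.join(reasons))
```
Run as a script it prints the two shared hashes and the four matching lines; the fourth line matches on the URL pattern alone, which is the case a host-only blocklist would miss. In practice the hash lists come from a feed and the lines from the proxy itself, and the malformed-line skip keeps one bad record from stopping a sweep over a large export.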
One of them was attacked in June 2018.\r\n[Figure: GreyEnergy and Zebrocy overlap]\r\nAttack timeframe\r\nA spearphishing document entitled ‘Seminar.rtf’, which retrieved a GreyEnergy sample, was sent to the company on approximately June 21, 2018, followed by a Zebrocy spearphishing document sent on approximately June 28: ‘(28.06.18) Izmeneniya v prikaz PK.doc’.\r\n[Figure: Zebrocy decoy document; the title translates as ‘Changes to order, Republic of Kazakhstan’]\r\nThe two C2 servers discussed above were actively used by Zebrocy and GreyEnergy at almost the same time:\r\n193.23.181[.]151 was used by GreyEnergy and Zebrocy in June 2018\r\n185.217.0[.]124 was used by GreyEnergy between May and June 2018 and by Zebrocy in June 2018\r\nConclusions\r\nThe GreyEnergy/BlackEnergy actor is an advanced group that possesses extensive knowledge of penetrating its victims’ networks and exploiting any vulnerabilities it finds. This actor has demonstrated its ability to update its tools and infrastructure in order to avoid detection, tracking, and attribution.\r\nThough no direct evidence exists on the origins of GreyEnergy, the links between a Sofacy subset known as Zebrocy and GreyEnergy suggest that these groups are related, as some public analysis has suggested before. In this paper, we detailed how both groups shared the same C2 server infrastructure during a certain period of time and how they both targeted the same organization at almost the same time, which seems to confirm the relationship’s existence.\r\nFor more information about APT reports please contact: intelreports@kaspersky.com\r\nFor more information about ICS threats please contact: ics-cert@kaspersky.com\r\nSource: https://securelist.com/greyenergys-overlap-with-zebrocy/89506/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://securelist.com/greyenergys-overlap-with-zebrocy/89506/"
	],
	"report_names": [
		"89506"
	],
	"threat_actors": [
		{
			"id": "4d9cdc7f-72d6-4e17-89d8-f6323bfcaebb",
			"created_at": "2023-01-06T13:46:38.82716Z",
			"updated_at": "2026-04-10T02:00:03.113893Z",
			"deleted_at": null,
			"main_name": "GreyEnergy",
			"aliases": [],
			"source_name": "MISPGALAXY:GreyEnergy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434424,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4a97aa6e3c8a53b1bd43e6f853ad03a288f8549c.pdf",
		"text": "https://archive.orkl.eu/4a97aa6e3c8a53b1bd43e6f853ad03a288f8549c.txt",
		"img": "https://archive.orkl.eu/4a97aa6e3c8a53b1bd43e6f853ad03a288f8549c.jpg"
	}
}