{
	"id": "1797bbbb-6783-44ad-bfa3-62253f56a9de",
	"created_at": "2026-04-29T08:23:09.256361Z",
	"updated_at": "2026-04-29T10:41:07.644202Z",
	"deleted_at": null,
	"sha1_hash": "4c20de61ce7cc692c19049f8ab3e82454e27f032",
	"title": "APT28 Delivers Zebrocy Malware Campaign using NATO Theme as Lure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1063295,
	"plain_text": "APT28 Delivers Zebrocy Malware Campaign using NATO Theme as\r\nLure\r\nBy Allison Ebel\r\nPublished: 2020-09-22 · Archived: 2026-04-29 07:17:52 UTC\r\n Executive Summary\r\nOn 9 August, QuoIntelligence detected an ongoing APT28 campaign, which likely started on 5 August.\r\nThe malware used in the attack was the Zebrocy Delphi version. All the artifacts had very low Anti-Virus (AV)\r\ndetection rates on VirusTotal when they were first submitted.\r\nAt the time of the discovery, the C2 infrastructure hosted in France was still live.\r\nThe campaign used NATO’s upcoming trainings as a lure.\r\nThe campaign targeted a specific government body in Azerbaijan, however; it is likely that attackers also\r\ntargeted NATO members or other countries involved in NATO exercises.\r\nAnalysis revealed interesting correlations with ReconHell/BlackWater attack, which we uncovered in August.\r\nAs part of our responsible disclosure, we reported our findings to French authorities for taking down the C2,\r\nand to NATO for their awareness.\r\nIntroduction\r\nOn 9 August, QuoIntelligence disseminated a Warning to its government customers about a new APT28 (aka Sofacy,\r\nSednit, Fancy Bear, STRONTIUM, etc.) campaign targeting government bodies of NATO members (or countries\r\ncooperating with NATO). In particular, we found a malicious file uploaded to VirusTotal, which ultimately drops a\r\nZebrocy malware and communicates with a C2 in France. After our discovery, we reported the malicious C2 to the\r\nFrench law enforcement as part of our responsible disclosure process.\r\nZebrocy is a malware used by APT28 (also known as Sofacy), which was reported by multiple security firms[1][2][3]\r\n[4][5][6] in the last two years.\r\nFinally, our investigation concluded that the attack started on 5 August and targeted at least a government entity\r\nlocated in the Middle East. 
However, it is highly likely that NATO members also observed the same attack.\r\nTechnical Analysis\r\nFile Name: Course 5 – 16 October 2020.zipx\r\nSHA256: e6e19633ba4572b49b47525b5a873132dfeb432f075fbba29831f1bc59d5885d\r\nFirst submission to VT: 2020-08-05T12:28:27\r\nFirst AV detection rate: Really low (3/61)\r\nAt first glance, the sample appears to be a valid JPEG image file. In fact, if the file is renamed with a .jpg extension, the operating system will display the logo of the Supreme Headquarters Allied Powers Europe (SHAPE), NATO’s Allied Command Operations (ACO) headquarters located in Belgium.\r\nHowever, further analysis revealed that a Zip archive is concatenated to the image. This technique works because JPEG files are parsed from the beginning of the file, while some Zip implementations parse Zip files from the end of the file (where the central directory index is located) without checking the signature at the front.\r\nThreat actors also use the technique to evade AVs or other filtering systems, which may mistake the file for a JPEG and skip it. Interestingly, in order to trigger decompression of the file on Windows when the user double-clicks it, the following conditions need to be met: a) the file must be named with a .zip (or .zipx) extension; b) the file needs to be opened with WinRAR. 
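The JPEG/ZIP concatenation described above can be checked for mechanically, because the two parsers disagree about where the file begins. The Python below is an added example written for this page, not code from the QuoIntelligence report: it locates the ZIP end-of-central-directory record from the back of the file the way an archive tool does, recovers how many foreign bytes precede the archive, lists the entry names, and flags a file that is a JPEG from the front and an archive from the back. The sample it runs on is constructed inline (a minimal JFIF header plus a two-entry ZIP with filenames modelled on the report) and is not the real lure; the executable-extension list and the quarantine reasons are choices made for this example.

```python
import io
import struct
import zipfile

# Magic values built from hex so the block needs no escape sequences.
JPEG_SOI = bytes.fromhex('ffd8ff')    # JPEG Start-Of-Image marker at file offset 0
ZIP_EOCD = bytes.fromhex('504b0506')  # ZIP End-Of-Central-Directory record
ZIP_CDFH = bytes.fromhex('504b0102')  # ZIP central-directory file header
# Entry extensions worth flagging inside an archive (choice made for this example).
EXEC_EXTENSIONS = ('.exe', '.scr', '.com', '.pif', '.dll', '.js', '.vbs', '.hta')


def find_eocd(data):
    # An end-first ZIP reader ignores the front of the file and scans the last
    # 22 + 65535 bytes for the EOCD record (22 fixed bytes plus an optional
    # comment). A candidate is accepted only if its comment length reaches EOF.
    tail_start = max(0, len(data) - 65557)
    pos = data.rfind(ZIP_EOCD, tail_start)
    while pos != -1:
        if pos + 22 <= len(data):
            comment_len = struct.unpack_from('<H', data, pos + 20)[0]
            if pos + 22 + comment_len == len(data):
                return pos
        pos = data.rfind(ZIP_EOCD, tail_start, pos)
    return -1


def read_central_directory(data, eocd):
    # Walk the central directory the EOCD points to. cd_offset is relative to
    # the start of the archive as it was written; when foreign bytes precede
    # the archive the directory actually sits cd_size bytes before the EOCD,
    # and the difference between the two positions is the prefix length.
    (entries, cd_size, cd_offset) = struct.unpack_from('<HII', data, eocd + 10)
    cd_start = eocd - cd_size
    prefix_len = cd_start - cd_offset
    names = []
    pos = cd_start
    for _ in range(entries):
        if data[pos:pos + 4] != ZIP_CDFH:
            break
        (name_len, extra_len, comment_len) = struct.unpack_from('<HHH', data, pos + 28)
        names.append(data[pos + 46:pos + 46 + name_len].decode('utf-8', 'replace'))
        pos += 46 + name_len + extra_len + comment_len
    return prefix_len, names


def inspect(filename, data):
    # Compare what a front-first parser (image viewer, naive magic check) and an
    # end-first parser (archive tool) conclude about the same bytes, and return
    # the reasons a mail or web filter should quarantine the file.
    report = {'jpeg_header': data.startswith(JPEG_SOI), 'zip_trailer': False,
              'prefix_len': 0, 'entries': [], 'reasons': []}
    eocd = find_eocd(data)
    if eocd != -1:
        report['zip_trailer'] = True
        report['prefix_len'], report['entries'] = read_central_directory(data, eocd)
    if report['jpeg_header'] and report['zip_trailer']:
        report['reasons'].append('JPEG header with ZIP trailer (polyglot)')
    if report['zip_trailer'] and report['prefix_len'] > 0:
        report['reasons'].append('archive starts %d bytes into the file' % report['prefix_len'])
    if filename.lower().endswith(('.zip', '.zipx')) and not report['zip_trailer']:
        report['reasons'].append('archive extension but no ZIP structure')
    for name in report['entries']:
        if name.lower().endswith(EXEC_EXTENSIONS):
            report['reasons'].append('archive contains executable: ' + name)
    return report


def build_sample():
    # Constructed stand-in for the lure (not the real file): a 20-byte JFIF
    # header (SOI + APP0 segment) padded with 64 zero bytes, followed by a ZIP
    # whose two entries are named like the ones the report describes.
    jfif = bytes.fromhex('ffd8ffe000104a46494600010100000100010000') + bytes(64)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        zf.writestr('Course 5 - 16 October 2020.exe', b'MZ' + bytes(30))
        zf.writestr('Course 5 - 16 October 2020.xls', bytes(16))
    return jfif + buf.getvalue()


def stdlib_namelist(data):
    # The standard-library zipfile module is itself an end-first reader and
    # silently tolerates the prefix, just as WinRAR does for the .zipx lure.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


if __name__ == '__main__':
    sample = build_sample()
    verdict = inspect('Course 5 - 16 October 2020.zipx', sample)
    for reason in verdict['reasons']:
        print('QUARANTINE:', reason)
    print('stdlib sees:', stdlib_namelist(sample))
```

The useful filter rule is the disagreement itself: a file whose leading bytes are an image but whose trailing bytes form a valid EOCD with a non-zero prefix is never a legitimate picture, whatever its extension. Note that the same end-first tolerance is what makes self-extracting archives work, so the check should look for the image magic in front rather than for a prefix alone.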
The file will show an error message claiming it is corrupted if the targeted victim uses WinZip or the default Windows utility.\r\nAfter decompressing the appended ZIP file, the following two samples are dropped:\r\nCourse 5 – 16 October 2020.exe (Zebrocy malware), SHA256: aac3b1221366cf7e4421bdd555d0bc33d4b92d6f65fa58c1bb4d8474db883fec\r\nCourse 5 – 16 October 2020.xls (corrupted file), SHA256: b45dc885949d29cba06595305923a0ed8969774dae995f0ce5b947b5ab5fe185\r\nConsidering that the lure uses a NATO image, the attackers likely picked the filenames to leverage upcoming NATO courses in October 2020. Additionally, although the Excel file (XLS) is corrupted and cannot be opened by Microsoft Excel, it contains what appears to be information about military personnel involved in the military mission “African Union Mission for Somalia”. The long list includes names, ranks, units, arrival/leave dates, and more. To note, QuoIntelligence was not able to determine whether the information contained in the file is legitimate.\r\nOne hypothesis explaining the corrupted file is that it is an intentional tactic of the attacker. The rationale could be that the attacker expects the user to first attempt to open the XLS file and, when that fails, to open the .exe with the same filename as a second try. The .exe file has a PDF icon, so if file extensions are not shown, targeted users might be lured into opening the executable.\r\nFile Name: Course 5 – 16 October 2020.exe\r\nSHA256: aac3b1221366cf7e4421bdd555d0bc33d4b92d6f65fa58c1bb4d8474db883fec\r\nFirst submission to VT: 2020-08-05T18:33:39\r\nFirst AV detection rate: Really low (9/70)\r\nThe sample analyzed is a Delphi executable. 
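The Behavior Analysis section below notes that each copy the sample drops carries 160 appended random bytes, so a whole-file hash of the dropped copy never matches the original. The Python below is an added example written for this page, not code from the report or from QuoIntelligence; it shows the check a defender can use instead: hash only the bytes the PE loader maps (everything up to the end of the last section) and treat whatever follows as overlay. The minimal PE it builds and the 160-byte padding it appends are constructed for the demonstration; the real sample is not reproduced, and the example assumes the random bytes are appended at the end of the file, which is what the hash-evasion rationale implies.

```python
import hashlib
import os
import struct


def pe_image_end(data):
    # Return the file offset at which the last section's raw data ends. Bytes
    # after that point are overlay: the loader never maps them, so padding
    # there changes the whole-file hash without changing what executes.
    if len(data) < 64 or data[:2] != b'MZ':
        raise ValueError('not a PE file')
    pe = struct.unpack_from('<I', data, 60)[0]          # e_lfanew
    if data[pe:pe + 4] != b'PE' + bytes(2):             # PE followed by two zero bytes
        raise ValueError('missing PE signature')
    n_sections = struct.unpack_from('<H', data, pe + 6)[0]
    opt_size = struct.unpack_from('<H', data, pe + 20)[0]
    sec = pe + 24 + opt_size                             # first section header
    end = sec + 40 * n_sections                          # at least the headers
    for i in range(n_sections):
        raw_size, raw_ptr = struct.unpack_from('<II', data, sec + 40 * i + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    return min(end, len(data))


def fingerprint(data):
    # Whole-file hash (what a blocklist usually stores) next to a hash of the
    # mapped image only, plus the overlay length that separates the two.
    end = pe_image_end(data)
    return {'full': hashlib.sha256(data).hexdigest(),
            'image': hashlib.sha256(data[:end]).hexdigest(),
            'overlay_len': len(data) - end}


def same_image(a, b):
    # Match two files on the mapped image alone, ignoring trailing padding.
    return fingerprint(a)['image'] == fingerprint(b)['image']


def simulate_drop(data, pad_len=160):
    # Mimic the dropped copy: the original bytes plus pad_len random bytes.
    return data + os.urandom(pad_len)


def build_fake_pe(text_payload):
    # Constructed minimal PE: DOS header, PE signature, COFF header, a zeroed
    # PE32 optional header and two sections at 512-byte file alignment. It is
    # not loadable; it is only shaped correctly enough for the header walk.
    dos = bytearray(64)
    dos[0:2] = b'MZ'
    struct.pack_into('<I', dos, 60, 64)                  # e_lfanew -> signature at 64
    coff = struct.pack('<HHIIIHH', 0x14c, 2, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into('<H', opt, 0, 0x10b)                # PE32 magic
    text = text_payload.ljust(512, bytes(1))
    sec1 = struct.pack('<8sIIIIIIHHI', b'.text', len(text_payload), 0x1000,
                       len(text), 512, 0, 0, 0, 0, 0x60000020)
    sec2 = struct.pack('<8sIIIIIIHHI', b'.data', 256, 0x2000,
                       256, 1024, 0, 0, 0, 0, 0xC0000040)
    headers = (bytes(dos) + b'PE' + bytes(2) + coff + bytes(opt) + sec1 + sec2)
    return headers.ljust(512, bytes(1)) + text + bytes(256)


if __name__ == '__main__':
    original = build_fake_pe(b'constructed payload')
    dropped = simulate_drop(original)
    for label, blob in (('original', original), ('dropped copy', dropped)):
        fp = fingerprint(blob)
        print(label, 'full=' + fp['full'][:16], 'image=' + fp['image'][:16],
              'overlay=%d' % fp['overlay_len'])
    print('same mapped image:', same_image(original, dropped))
```

Two caveats before relying on this in a detection pipeline: many real executables, Delphi binaries included, ship with a legitimate overlay (resources, installer payloads, Authenticode signatures), so a non-zero overlay is not itself suspicious and the appended padding may sit after an existing overlay rather than after the last section; and a sample that keeps its configuration in the overlay will produce identical image hashes for differently configured builds. An import hash or per-section hashes are the usual complements when the image hash alone is too coarse or too fine.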
Since 2015, multiple researchers have covered the Zebrocy Delphi versions in depth. Interestingly, the latest Zebrocy observations seemed to suggest that the Delphi versions were being discontinued in favor of a new one written in Go.\r\nBehavior Analysis\r\nOnce executed, the sample copies itself to %AppData%\\Roaming\\Service\\12345678\\sqlservice.exe, appending 160 random bytes to the new file. This padding is used to evade hash-matching security controls, since the dropped copy will always have a different file hash from the original.\r\nNext, the malware creates a new scheduled task, which executes the copy with the /s parameter.\r\nThe task runs regularly and tries to POST stolen data (e.g. screenshots) to hxxp://194.32.78[.]245/protect/get-upd-id[.]php\r\nAt first glance, the data appears to be obfuscated and encrypted. Another request looks like this:\r\nThe leading number 12345678 (the original eight digits were redacted) seems to be constant, suggesting its use as a unique ID of the infected machine. Notably, the same number is also used by the malware as the name of the folder that contains sqlservice.exe.\r\nLetting the sample talk to its actual C2 on the Internet did not change its behavior during our analysis. The malware sends POST requests about once per minute without getting a response back. Additionally, the server closes the connection after waiting for about 10 more seconds. It is possible that this unresponsive behavior is due to the C2 determining that the infected machine is not interesting.\r\nLastly, the network traffic generated to the C2 triggers the following Emerging Threats (ET) IDS rule:\r\n“ET TROJAN Zebrocy Screenshot Upload” (SID: 2030122)\r\nVictimology and Attribution\r\nQuoIntelligence concludes with medium-high confidence that the campaign targeted a specific government body, at least in Azerbaijan. 
Although Azerbaijan is not a NATO member, it closely cooperates with the North Atlantic organization and participates in NATO exercises. Further, the same campaign very likely targeted NATO members or other countries cooperating in NATO exercises.\r\nBy analyzing the Tactics, Techniques and Procedures (TTPs), the targeting, and the theme used as a lure, we have high confidence in attributing this attack to APT28, as it matches the well-known APT28/Zebrocy TTPs disclosed by the security community over the last year.\r\nAn Interesting Coincidence?\r\nAlthough we could not yet find any strong causal link or solid technical link between the two attacks, the following points correlating with the ReconHellcat campaign we uncovered on 11 August should be noted:\r\nBoth the compressed Zebrocy malware and the OSCE-themed lure used to drop the BlackWater backdoor were uploaded on the same day, 5 August.\r\nBoth samples were uploaded by the same user in Azerbaijan and highly likely by the same organization.\r\nBoth attacks happened in the same timeframe.\r\nOSCE and NATO are both organizations that have been targeted (directly or indirectly) by APT28 in the past.\r\nThe victimology we identified for the ReconHellcat campaign is in line with the one targeted by the Zebrocy attack (i.e. similar types of government bodies). 
The types of organizations targeted by both attacks are also in line with known APT28 victimology.\r\nWe assessed ReconHellcat as a high-capability APT group, like APT28.\r\nCitations\r\n[1] ESET, A1, April 2018, Sednit update: Analysis of Zebrocy\r\n[2] Palo Alto, B1, June 2018, Sofacy Group’s Parallel Attacks\r\n[3] Kaspersky, A1, October 2018, Shedding Skin – Turla’s Fresh Faces\r\n[4] Kaspersky, A1, January 2019, A Zebrocy Go Downloader\r\n[5] Kaspersky, A1, January 2019, GreyEnergy’s overlap with Zebrocy\r\n[6] Kaspersky, A1, June 2019, Zebrocy’s Multilanguage Malware\r\nAppendix I – IOCs\r\nhxxp://194.32.78.245/protect/get-upd-id.php\r\nCourse 5 – 16 October 2020.zipx\r\n6e89e098816f3d353b155ab0f3377fe3eb3951f45f8c34c4a48c5b61cd8425aa\r\nCourse 5 – 16 October 2020.xls (corrupted file)\r\nb45dc885949d29cba06595305923a0ed8969774dae995f0ce5b947b5ab5fe185\r\nCourse 5 – 16 October 2020.exe (Zebrocy malware)\r\naac3b1221366cf7e4421bdd555d0bc33d4b92d6f65fa58c1bb4d8474db883fec\r\nAdditional Zebrocy malware variants on VT\r\nfae335a465bb9faac24c58304a199f3bf9bb1b0bd07b05b18e2be6b9e90d72e6\r\neb81c1be62f23ac7700c70d866e84f5bc354f88e6f7d84fd65374f84e252e76b\r\nMITRE ATT\u0026CK\r\nTACTIC: TECHNIQUE(S)\r\nExecution: T1047 Windows Management Instrumentation\r\nDefense Evasion: T1140 Deobfuscate/Decode Files or Information\r\nDiscovery: T1083 File and Directory Discovery; T1135 Network Share Discovery; T1120 Peripheral Device Discovery; T1057 Process Discovery; T1012 Query Registry; T1082 System Information Discovery; T1016 System Network Configuration Discovery; T1049 System Network Connections Discovery; T1033 System Owner/User Discovery; T1124 System Time Discovery\r\nCollection: T1560 Archive Collected Data; T1119 Automated Collection; T1113 Screen Capture\r\nCommand and Control: T1105 Ingress Tool Transfer\r\nExfiltration: T1041 Exfiltration Over C2 Channel\r\nSource: https://quointelligence.eu/2020/09/apt28-zebrocy-malware-campaign-nato-theme/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://quointelligence.eu/2020/09/apt28-zebrocy-malware-campaign-nato-theme/"
	],
	"report_names": [
		"apt28-zebrocy-malware-campaign-nato-theme"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-29T10:39:54.720606Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4d9cdc7f-72d6-4e17-89d8-f6323bfcaebb",
			"created_at": "2023-01-06T13:46:38.82716Z",
			"updated_at": "2026-04-29T10:39:53.178167Z",
			"deleted_at": null,
			"main_name": "GreyEnergy",
			"aliases": [],
			"source_name": "MISPGALAXY:GreyEnergy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-29T10:39:55.583083Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-29T10:39:53.055345Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"VENOMOUS Bear",
				"Group 88",
				"Pacifier APT",
				"IRON HUNTER",
				"ATK13",
				"ITG12",
				"Uroburos",
				"KRYPTON",
				"Blue Python",
				"UAC-0024",
				"TAG_0530",
				"Hippo Team",
				"Popeye",
				"SIG23",
				"MAKERSMARK",
				"G0010",
				"UNC4210",
				"Waterbug",
				"Pfinet",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0003"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-29T10:39:54.673315Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-29T10:39:53.053551Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"FANCY BEAR",
				"ITG05",
				"T-APT-12",
				"UAC-0001",
				"Fancy Bear",
				"STRONTIUM",
				"Group 74",
				"G0007",
				"Fighting Ursa",
				"Blue Athena",
				"FROZENLAKE",
				"Forest Blizzard",
				"GruesomeLarch",
				"Pawn Storm",
				"Sednit",
				"SNAKEMACKEREL",
				"TG-4127",
				"SIG40",
				"ATK5",
				"APT-C-20",
				"Sofacy",
				"Tsar Team",
				"IRON TWILIGHT",
				"Grizzly Steppe",
				"TA422",
				"UAC-0028",
				"BlueDelta"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-29T10:39:54.568619Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-29T10:39:54.685688Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"LAMEHUG",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-29T10:39:55.531334Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1777450989,
	"ts_updated_at": 1777459267,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4c20de61ce7cc692c19049f8ab3e82454e27f032.pdf",
		"text": "https://archive.orkl.eu/4c20de61ce7cc692c19049f8ab3e82454e27f032.txt",
		"img": "https://archive.orkl.eu/4c20de61ce7cc692c19049f8ab3e82454e27f032.jpg"
	}
}