{
	"id": "dbcd11b6-2ed4-4e0b-bf0d-923605688e1d",
	"created_at": "2026-04-06T00:19:14.321202Z",
	"updated_at": "2026-04-10T03:37:50.569887Z",
	"deleted_at": null,
	"sha1_hash": "6a5df1c33e5305770cdab458de74a78f72282c32",
	"title": "New Sofacy Attacks Against US Government Agency",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 398974,
	"plain_text": "New Sofacy Attacks Against US Government Agency\r\nBy Robert Falcone, Bryan Lee\r\nPublished: 2016-06-14 · Archived: 2026-04-02 12:28:52 UTC\r\nThe Sofacy group, also known as APT28, is a well-known threat group that frequently conducts cyber espionage campaigns. Recently, Unit 42 identified a spear-phishing e-mail from the Sofacy group that targeted the United States government. The e-mail was sent from a potentially compromised account belonging to the Ministry of Foreign Affairs of another government entity and carried the Carberp variant of the Sofacy Trojan. The developer implemented a clever persistence mechanism in the Trojan, one which had not been observed in previous attacks. The focus of this blog will be on the attacks and the infrastructure associated with Sofacy, using the new persistence mechanism as a correlation point.\r\nThe Delivery\r\nOn May 28, 2016, attackers sent a spear-phishing e-mail to a U.S. government entity using an email address belonging to the Ministry of Foreign Affairs of another country. Analysis of the attack revealed a high likelihood that the sender’s email address was not spoofed and is instead the result of a compromised host or account belonging to that Ministry.\r\nThe targeted email had a subject of “FW: Exercise Noble Partner 2016”, which is a reference to a joint NATO training effort between the United States and Georgia. The email contained an RTF file as an attachment, with the filename \"Exercise_Noble_Partner_16.rtf\", reflecting the same training exercise. 
We have also seen related delivery documents with filenames that have a Russian military theme (Putin_Is_Being_Pushed_to_Prepare_for_War.rtf and Russian anti-Nato troops.rtf), purportedly targeting organizations in Poland according to a blog published by Prevenity.\r\nThe RTF file is a weaponized document that attempts to exploit CVE-2015-1641 to drop two files to the system, specifically \"btecache.dll\" and \"svchost.dll\". The \"btecache.dll\" file is a Trojan that loads and executes \"svchost.dll\", which is a Carberp variant of the Sofacy Trojan. Surprisingly, unlike many other espionage actors who display decoy documents after successful exploitation, this RTF document does not drop or open a decoy document after exploiting the vulnerability.\r\nIn the installation process, we observed the delivery document creating a very interesting registry key that it uses for persistence to run the Trojan. The path to the \"btecache.dll\" file is added to the following registry key:\r\nSoftware\\Microsoft\\Office test\\Special\\Perf\\: \"C:\\Users\\[username]\\AppData\\Roaming\\btecache.dll\"\r\nThis registry key is interesting because, unlike traditional methods of maintaining persistence, it does not automatically run the \"btecache.dll\" file at system start up. Instead, this registry key will cause the DLL to load only when the user opens any Microsoft Office application, such as Word or Excel. This is the first time Unit 42 has seen the Sofacy group, or any other threat group for that matter, use this tactic for persistence purposes. 
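An added example, not code from the original post, of how a defender can hunt for this persistence value. It filters collected registry records (in the (hive, key path, value name, data) shape a triage script would emit) for the Software\\Microsoft\\Office test\\Special\\Perf key named in the post, and on a Windows host can also read the key live through winreg. The post does not name the hive, so both HKCU and HKLM are checked; the sample records, the username and the benign values are constructed for the example.

```python
'''Hunt for the Office test / Special / Perf persistence value described in the post.'''
import sys
from typing import Iterable, List, Tuple

# Key path from the post. The post does not name the hive, so both are checked.
OFFICE_TEST_KEY = 'Software\\Microsoft\\Office test\\Special\\Perf'
HIVES = ('HKEY_CURRENT_USER', 'HKEY_LOCAL_MACHINE')

# One registry value as a triage script would collect it:
# (hive, key path, value name, data). An empty value name is the default value.
RegValue = Tuple[str, str, str, str]

def is_office_test_persistence(record: RegValue) -> bool:
    '''True for any non-empty value under the Perf key in either hive.
    A normal Office install does not create this key, so its mere presence
    is suspect; the DLL path shown in the post is the form to expect.'''
    hive, key, _name, data = record
    return hive in HIVES and key.lower() == OFFICE_TEST_KEY.lower() and bool(data.strip())

def scan_values(records: Iterable[RegValue]) -> List[RegValue]:
    '''Filter collected registry records down to Office test persistence hits.'''
    return [r for r in records if is_office_test_persistence(r)]

def scan_live_registry() -> List[RegValue]:
    '''Windows only: read the Perf key from both hives with winreg.
    Returns an empty list on other platforms or when the key is absent.'''
    if sys.platform != 'win32':
        return []
    import winreg
    roots = {'HKEY_CURRENT_USER': winreg.HKEY_CURRENT_USER,
             'HKEY_LOCAL_MACHINE': winreg.HKEY_LOCAL_MACHINE}
    found: List[RegValue] = []
    for hive, root in roots.items():
        try:
            key = winreg.OpenKey(root, OFFICE_TEST_KEY)
        except OSError:
            continue  # key absent in this hive: the expected state
        with key:
            index = 0
            while True:
                try:
                    name, data, _kind = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values under the key
                index += 1
                found.append((hive, OFFICE_TEST_KEY, name, str(data)))
    return scan_values(found)

# Constructed sample records (not from the post): two benign values and the
# persistence value in the form the post describes. The username is made up.
SAMPLE_RECORDS: List[RegValue] = [
    ('HKEY_CURRENT_USER', 'Software\\Microsoft\\Office\\16.0\\Word', 'Path',
     'C:\\Program Files\\Microsoft Office\\root\\Office16'),
    ('HKEY_CURRENT_USER', 'Software\\Microsoft\\Office test\\Special\\Perf', '',
     'C:\\Users\\alice\\AppData\\Roaming\\btecache.dll'),
    ('HKEY_LOCAL_MACHINE', 'Software\\Microsoft\\Windows\\CurrentVersion\\Run', 'OneDrive',
     'C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe'),
]

if __name__ == '__main__':
    for hit in scan_values(SAMPLE_RECORDS) + scan_live_registry():
        print('Office test persistence:', hit)
```

Because the loader only runs when an Office application starts, a host that has not opened Office since infection shows no process or network artifact yet, but the registry value is already there, so a registry sweep finds it where a process listing would not. Records parsed from per-user NTUSER.DAT hives loaded under HKEY_USERS need their hive string mapped to HKEY_CURRENT_USER before being passed to scan_values.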
An added benefit for the threat actor of using this specific tactic for persistence is that it requires user interaction to load and execute the malicious payload, which can cause challenges for detection in automated sandboxes.\r\nThe Carberp variant of Sofacy\r\nThe \"btecache.dll\" file is the loader Trojan that is responsible for loading the \"svchost.dll\" DLL and executing it. Both the \"btecache.dll\" and \"svchost.dll\" files contain code from the leaked Carberp source code, specifically the API resolution functions, as well as the RC2 key. The Sofacy group has used the Carberp source code in the past, as discussed in a blog by F-Secure, which is the reason we call this Trojan the Carberp variant.\r\nThe \"svchost.dll\" file contains the bulk of the functionality of this Trojan, which at a high level is a downloader that allows the threat actors to gain an initial foothold on the system. The Trojan sends network beacons to its command and control (C2) server, allowing the threat actors to identify targets of interest. The threat actors can then respond to these network beacons to download and execute additional secondary payloads on the system.\r\nThe Trojan delivered in this attack contains two network locations that it will send network beacons to, specifically \"google.com\" and \"191.101.31.6\". These beacons are sent to the legitimate website google.com in an attempt to hide the true C2 beacons sent to the actual C2 server hosted at 191.101.31.6. The network beacons are sent using HTTP POST requests with URLs created largely from random characters. There are two exceptions where random characters are not used to construct the URL, specifically the file extension, which is randomly chosen from .xml, .pdf, .htm or .zip, and the base64 encoded value at the end of the URL. 
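An added example, not code from the original post, that turns the beacon description above into a detection over proxy log lines: a POST whose URL path consists of random-looking segments, ends in one of the four extensions, and carries a base64-looking value at the end is flagged, and any POST to the C2 address named in the post is flagged regardless of shape. The log layout, the sample lines and the base64 tokens are constructed for the example; the exact URL layout (extension on the last path segment, base64 value as the last query value or as a trailing path component) is an assumption, since the post does not reproduce the full beacon URL in text.

```python
'''Flag HTTP POST beacons shaped like the Sofacy Carberp-variant callbacks.'''
import re
from typing import List, NamedTuple
from urllib.parse import urlsplit

# Extensions the post says the Trojan picks at random for the beacon URL.
BEACON_EXTENSIONS = ('.xml', '.pdf', '.htm', '.zip')
# The post names one true C2 address and google.com as the decoy destination.
KNOWN_C2 = {'191.101.31.6'}
DECOY_HOSTS = {'google.com', 'www.google.com'}

# A base64-looking blob (standard or URL-safe alphabet), padding optional.
BASE64_TOKEN = re.compile(r'^[A-Za-z0-9+/_-]{16,}={0,2}$')
ALNUM_SEGMENT = re.compile(r'^[A-Za-z0-9]{5,}$')

class Hit(NamedTuple):
    host: str
    url: str
    reason: str

def looks_random(segment: str) -> bool:
    '''Cheap randomness test: alphanumeric, and either mixed case or letters plus digits.'''
    if not ALNUM_SEGMENT.match(segment):
        return False
    has_upper = any(c.isupper() for c in segment)
    has_lower = any(c.islower() for c in segment)
    has_digit = any(c.isdigit() for c in segment)
    return (has_upper and has_lower) or (has_digit and (has_upper or has_lower))

def is_beacon_url(url: str) -> bool:
    '''True when the path is random segments ending in one of the four extensions
    and the URL ends in a base64-looking value (assumed: the last query value, or
    the final path component when there is no query string).'''
    parts = urlsplit(url)
    segments = [s for s in parts.path.split('/') if s]
    if parts.query:
        blob = parts.query.split('&')[-1].split('=', 1)[-1]
        path_segments = segments
    elif len(segments) >= 2:
        blob = segments[-1]
        path_segments = segments[:-1]
    else:
        return False
    if not path_segments or not BASE64_TOKEN.match(blob):
        return False
    stem, dot, ext = path_segments[-1].rpartition('.')
    if not dot or ('.' + ext.lower()) not in BEACON_EXTENSIONS:
        return False
    return all(looks_random(s) for s in path_segments[:-1] + [stem])

def scan_proxy_log(lines: List[str]) -> List[Hit]:
    '''Assumed log layout: timestamp client method url status, space separated.'''
    hits: List[Hit] = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5 or fields[2] != 'POST':
            continue
        url = fields[3]
        host = urlsplit(url).hostname or ''
        if host in KNOWN_C2:
            hits.append(Hit(host, url, 'POST to known Sofacy C2'))
        elif is_beacon_url(url):
            kind = 'decoy host' if host in DECOY_HOSTS else 'unknown host'
            hits.append(Hit(host, url, 'beacon-shaped POST to ' + kind))
    return hits

# Constructed sample proxy lines (not from the post). The decoy and real
# beacons share one URL, as the post says the Trojan beacons to both.
SAMPLE_LOG = [
    '2016-05-30T09:58:11Z 10.1.2.34 GET http://www.microsoft.com/en-us/ 200',
    '2016-05-30T09:58:40Z 10.1.2.34 POST http://google.com/Ld9qR/xT7Kp2/vM1aZ8.pdf?b=Qm9ndXNCZWFjb25Ub2tlbjEyMzQ= 404',
    '2016-05-30T09:58:41Z 10.1.2.34 POST http://191.101.31.6/Ld9qR/xT7Kp2/vM1aZ8.pdf?b=Qm9ndXNCZWFjb25Ub2tlbjEyMzQ= 200',
    '2016-05-30T10:02:05Z 10.1.2.35 POST http://intranet.example/api/upload.zip?token=abc 200',
    '2016-05-30T10:05:00Z 10.1.2.36 POST http://203.0.113.7/qW8n2X/pZ4r9T.htm?k=YWJjZGVmZ2hpamtsbW5vcHFy 200',
]

if __name__ == '__main__':
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit.reason + ':', hit.host, hit.url)
```

The decoy POSTs to google.com share the beacon shape with the real ones, so on a proxy they are a useful tell in their own right: a client posting random-path requests with these extensions to google.com (which google.com answers with an error) is worth pairing with that client's other destinations in the same minute, which is how the true C2 address surfaces even when it is not yet on a blocklist.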
The base64 encoded data is a string (\"J04aLsxVhHBkr19CYr0\") hardcoded within the Trojan that it then encrypts using a custom algorithm. Figure 1 shows an example beacon sent from the Trojan to the C2 server during analysis.\r\nFigure 1 Network Beacon Sent from Carberp variant of Sofacy\r\nThe POST data seen in the beacon in Figure 1 is base64 encoded and encrypted using the same custom algorithm used to encrypt the data in the beacon URL. We decrypted the data to determine its purpose and found the cleartext seen in Figure 2.\r\n,^Bid=I,;\u003c\u0026w@[System Process]\r\nSystem\r\nsmss.exe\r\ncsrss.exe\r\nwininit.exe\r\ncsrss.exe\r\nwinlogon.exe\r\nservices.exe\r\nlsass.exe\r\nlsm.exe\r\nsvchost.exe\r\nsvchost.exe\r\nsvchost.exe\r\nsvchost.exe\r\nsvchost.exe\r\nsvchost.exe\r\nsvchost.exe\r\nspoolsv.exe\r\nsvchost.exe\r\ntaskhost.exe\r\nuserinit.exe\r\ndwm.exe\r\nexplorer.exe\r\nsvchost.exe\r\ncmd.exe\r\nconhost.exe\r\nreader_sl.exe\r\nsvchost.exe\r\ncmd.exe\r\nconhost.exe\r\nSearchIndexer.exe\r\nSearchProtocolHost.exe\r\nSearchFilterHost.exe\r\nSearchProtocolHost.exe\r\nexplorer.exe\r\nsvchost.exe\r\nsvchost.exe\r\ndisk=IDE\\DiskMAXTOR_HARDDISK_________________________2.2.1___\\5\u00262770a7af\u00260\u00260.0.0\r\nbuild=0x7caa0e19\r\nFigure 2 Decrypted HTTP POST Data Shows System Information\r\nThe cleartext of the data sent in the network beacons contains information regarding the compromised system, as well as malware-specific information. 
The data comprises the following fields:\r\nid = The serial number of the storage device\r\nw = This parameter (whose name ‘w’ could change to any character between samples) begins with a one byte value denoting the OS version followed by a one byte value for the CPU architecture. These values are immediately followed by a new line delimited list of running processes on the system.\r\ndisk = The name of the system's hard drive, obtained from the registry key \"SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum\\0\"\r\nbuild = The hardcoded build identifier for the Trojan version\r\ninject = (Optional, not displayed in Figure 2) Whether the Trojan injected its code into other processes to interact with the C2 server\r\nThis callback data allows the threat actors to determine if the infected machine is a target of interest, as the beacon contains a list of running processes and the name of the storage device, which could be used to filter out analysis systems or researchers. If the actors believe the system is of interest, they will respond to these network beacons to download and execute additional secondary payloads on the system. The Trojan parses the response to the beacons for two actions, \"Execute\" and \"Delete\", between the tags \"[file]\" and \"[/file]\", as well as settings labeled \"FileName\", \"PathToSave\", \"Rundll\" and \"IP\" between the tags \"[settings]\" and \"[/settings]\". This allows the threat actors to download additional files to the system, execute both executables and DLLs, and delete files.\r\nThe Infrastructure\r\nThe initially analyzed sample in this attack only contained a single malicious command and control location, 191.101.31.6. We have not observed this IP address used by the Sofacy group in any previous attack campaigns, and examining passive DNS data showed no other correlations to potentially related attacks. 
The sample also seen by Prevenity appeared to only have a single primary C2 domain, servicecdp[.]com. This domain also appears to be newly created for this specific attack campaign, with no strong links to any previous attacks.\r\nPivoting off the unique registry key used for persistence revealed links to a previously observed Sofacy campaign from mid-2015. Two additional payloads with recent compile dates of March 7, 2016, were discovered using the same persistence mechanism, and analysis of those payloads revealed one primary C2 domain, munimonoce[.]com, and three secondary C2 domains, www.wscapi[.]com, www.tabsync[.]net, and storsvc[.]org. The secondary C2 domains may appear familiar, as they were widely publicized in a report from iSight Partners in July 2015 as C2 domains related to the Sofacy group aka Tsar Team.\r\nIn addition, the primary C2 domain munimonoce[.]com previously resolved to the IP 66.172.11.207, which was previously identified as a primary C2 IP for a Sofacy payload with a compile timestamp of June 11, 2015. This particular sample also happened to use the exact same secondary C2 domains of www.wscapi[.]com, www.tabsync[.]net, and storsvc[.]org, but lacked the newly discovered persistence mechanism.\r\nThe Sofacy group often re-uses infrastructure components across multiple attack campaigns, whether to speed the flow of attacks, for lack of committed resources, or out of sheer laziness. In this case, the newer attack campaign appears to use newly created infrastructure, but still maintains some overlap with previous Sofacy-related C2s. 
We believe this overlap could be due to an oversight when adapting a previous code base with the new persistence method discussed in this blog for the new attack campaign.\r\nThe threat group appears to be moving toward deployment of one-off infrastructure, which can make analysis of attack campaigns and correlation more challenging. This shift stresses the importance of analysts and researchers being able to pivot on all artifacts of a given attack, not simply relying on network indicators. In this case, we were able to use AutoFocus to pivot on a common registry key unique to this attack campaign to quickly identify where it correlates with characteristics of previous attacks.\r\nConclusion\r\nThe Sofacy group continues its attack campaigns on government organizations, specifically the U.S. government in this latest spear-phishing example. The threat group added a new persistence mechanism that requires user interaction by loading its payload into Microsoft Office applications when opened, which may help the actors to evade detection. 
The use of this new persistence method shows the continued development of tactics and techniques employed by this threat group, oftentimes in clever ways as we observed in this instance.\r\nPalo Alto Networks customers are protected from the new Sofacy Carberp variant and can gather additional information using the following tools:\r\nWildFire detects all known samples as malicious\r\nAll known C2s are classified as malicious in PAN-DB\r\nAutoFocus tag: SofacyCarberp\r\nIndicators\r\nDelivery Documents\r\n03cb76bdc619fac422d2b954adfa511e7ecabc106adce804b1834581b5913bca (Exercise_Noble_Partner_16.rtf)\r\n12572c2fc2b0298ffd4305ca532317dc8b97ddfd0a05671066fe594997ec38f5 (Putin_Is_Being_Pushed_to_Prepare_for_War.rtf and Russian anti-Nato troops.rtf)\r\nLoader Trojans\r\nc2551c4e6521ac72982cb952503a2e6f016356e02ee31dea36c713141d4f3785 (btecache.dll)\r\nbe1cfa10fcf2668ae01b98579b345ebe87dab77b6b1581c368d1aba9fd2f10a0 (bitsprex3.dll)\r\nfbd5c2cf1c1f17402cc313fe3266b097a46e08f48b971570ef4667fbfd6b7301 (amdcache.dll)\r\nPayloads\r\n69940a20ab9abb31a03fcefe6de92a16ed474bbdff3288498851afc12a834261 (svchost.dll)\r\naeeab3272a2ed2157ebf67f74c00fafc787a2b9bbaa17a03be1e23d4cb273632 (clconfg.dll)\r\ndfa8a85e26c07a348a854130c652dcc6d29b203ee230ce0603c83d9f11bbcacc (iprpp.dll)\r\n57d230ddaf92e2d0504e5bb12abf52062114fb8980c5ecc413116b1d6ffedf1b (clconfg.dll)\r\nCommand and Control\r\n191.101.31.6\r\nmunimonoce[.]com\r\nwscapi[.]com\r\ntabsync[.]net\r\nstorsvc[.]org\r\nservicecdp[.]com\r\nSource: https://unit42.paloaltonetworks.com/unit42-new-sofacy-attacks-against-us-government-agency/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/unit42-new-sofacy-attacks-against-us-government-agency/"
	],
	"report_names": [
		"unit42-new-sofacy-attacks-against-us-government-agency"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28",
				"ATK5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"GRAPHITE",
				"Group 74",
				"PawnStorm",
				"STRONTIUM",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"TA422",
				"TG-4127",
				"Tsar Team",
				"UAC-0001"
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434754,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6a5df1c33e5305770cdab458de74a78f72282c32.pdf",
		"text": "https://archive.orkl.eu/6a5df1c33e5305770cdab458de74a78f72282c32.txt",
		"img": "https://archive.orkl.eu/6a5df1c33e5305770cdab458de74a78f72282c32.jpg"
	}
}