{
	"id": "ed731736-cb1f-480a-bef9-64590f9e5a53",
	"created_at": "2026-04-06T00:08:54.673304Z",
	"updated_at": "2026-04-10T03:33:12.609857Z",
	"deleted_at": null,
	"sha1_hash": "9c4347638352435a04833229db1f24a390fab4f5",
	"title": "Rewterz Threat Intel - IndigoZebra APT Group Targeting Central Asia - Active IOCs - Rewterz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 60707,
	"plain_text": "Rewterz Threat Intel - IndigoZebra APT Group Targeting Central\r\nAsia - Active IOCs - Rewterz\r\nPublished: 2021-07-02 · Archived: 2026-04-05 19:06:16 UTC\r\nSeverity\r\nHigh\r\nAnalysis Summary\r\nRecently discovered an ongoing spear-phishing campaign targeting the Afghan government. Further investigation\r\nrevealed this campaign was a part of a long-running activity targeting other Central-Asia countries, including\r\nKyrgyzstan and Uzbekistan, since at least 2014. The actor suspected of this cyber-espionage operation is an APT\r\ngroup dubbed “IndigoZebra“, previously attributed by researchers to China. The technical details of the operation\r\nwere not publicly disclosed before. It discusses the tools, TTPs, and infrastructure used by the attacker during the\r\nyears of its activity. We will also provide technical analysis of the two different strains of the previously publicly\r\nundescribed backdoor xCaon, including its latest version we dubbed BoxCaon which uses the legitimate cloud-storage service Dropbox to act as its Command and Control server.\r\nImpact\r\nCredential theft\r\nFinancial loss\r\nExposure of sensitive data\r\nIndicators of Compromise\r\nMD5\r\nb9973b6f9f15e6b20ba1c923540a3c9b\r\n974201f7895967bff0b018b95d5f5f4b\r\n3ecfc67294923acdf6bd018a73f6c590\r\n35caae29c47dfb570773f6d5fd37e625\r\n3562bf97997c54d74f58d4c1ad84fcea\r\nc00f6268075e3af85176bf0b00c66c13\r\n85ea346e74c120c83db7a89531f9d9a1\r\n5a8783783472be67c09926cc139d5b27\r\nb3d11e570da4a66f4b8520bc6107283b\r\nfdcae752f64245c159ab0f4d585c5bf8\r\nbb521918d08a4480699e673554d7072c\r\nhttps://www.rewterz.com/rewterz-news/rewterz-threat-intel-indigozebra-apt-group-targeting-central-asia-active-iocs\r\nPage 1 of 4\n\nc5406e7e161c758e863eb63001861bb1\r\n4d6e93d2416898ea3a4f419aa3a438e3\r\n6dfd06f91060e421320b6ebd63c957f0\r\n0b10ac9bf6d2d31cbce06b09f9b0ae75\r\nb831a48e96e2f033d09d7ad5edd1dc67\r\na875112c66da104c35d0eb43385d7094\r\n1a28c673b2b481ba53e31f77a27669e7\r\nef3383809fdf5a895b42e02bf06f5aa3\r\naa107be86814d9c86911a2a7874d38a0\r\n45d8cfe3450562564a1eb00a1aa0db83\r\ncdd7bfa36c6e47730fad94113aba7070\r\n06d72a4d99fcd76a3502432657f3c999\r\n5a91ccabd2b12ac56ba5170cf9ff8343\r\n33f42e9678ee91369d11ef344bbd5a0d\r\n84575619a690d3ef1209b7e3a7e79935\r\n16e61624827d7785740b17c771a052e6\r\nccc7f88b72c286fd756e76309022e9f8\r\ne98031cf43bfed73db0bce43918a608c\r\n5ea42089cf91464b9c0c42292c18ba4c\r\ncff6d9f5d214e3366d6b4ae31c413adc\r\nc74711de8aa68e7d97f501eda328d032\r\nSHA-256\r\n8be3b10406f690ae5cf46c1dba18cb9a1c75bf646defcc9cab81d40fe0e0cc1b\r\nd0b88ab321a05fc94505620c9d02baec4cb1de7bb3b0067de4f8c0d3ba8548b2\r\n489fca69a622195328302e64e29b6183feac90826dce198432d603202ca4d216\r\n6395c4a8495d3bff293a8a55ca3c5ebf68a616ee212b2a7284610b0a3f7bb5d4\r\n6ffe81c2883c298a65477ba2bc7ba1063315ad6b26f0188e3361d0fa924575ae\r\ne9013f35ce11fc4c5eb2c21827bdc459202d362365d6ea5b724dee4fe0088bd1\r\n42e781f5e9c00d09cb5f7697a7b2fc9b04d77cc7978dcca8098f77d57693ca6c\r\n15633871c3630a559dd4e2c7a9b93b02d17dd64ee60a2d7ba340ebd14d13ffac\r\n05f3293dc1f22b1a4b15b8cacce8d4205decb8615627d11f1301ff3871e64015\r\nf5ba2676ddb81f29c69867556fa261563d68a5905252bb94090e0db05b048cc8\r\nadb2cf3550ff3c3ed841f672e8b6f7f01ec502c563e0a3a0472ce2be0995f4d8\r\naaacaff803623414b7ee1ee6130b08380722752d97d1659f67fe6763f208f315\r\n16c5bfcd1c454de1d0d55e41d1a8c35f78bab94acff4d09ecaa8faff9770a373\r\nd31e440e0d6f98209a9c9c7b4e332f417e41030a4bf4a4ae99d326cec24807af\r\n0180d1ef09fcd684e0f496ecca21b11bc5142fe068f10ad5699027fbd7688103\r\n39ec0cab03888c8f77dc5b989abe26b1997ad8e87849b9c1374902b908e78b6a\r\n4122bb06352410a9b4bef4bc2bcf249265c14f1332df4fe1256a1281bd53bf22\r\n984041fcf46bf0d275bf5f7eed649b3e2968e005e6a59829e4b9a51b875c7ef9\r\n7bd75383dfab3948ce06a7f533870946934c87fb1c7b8035b69b4f2a166bd5b0\r\nhttps://www.rewterz.com/rewterz-news/rewterz-threat-intel-indigozebra-apt-group-targeting-central-asia-active-iocs\r\nPage 2 of 4\n\n295b987c8926399c063ff20d2484477fe31cd2188b604a919dbfa11d9c34b988\r\n86a0761fa0f6b15d9d5342882e09992270358766d5c11ef1b8d848c7f4075c79\r\n935051367363838fcadd8856e08575e740bdf8af0d2271b81e6ba4d231b3a531\r\n27312973aefcfa2511573a28ff42ef12ecbfcf56db42bf4d1371b0a1f1f2732c\r\n78e7c41458e1ddf336f0d2e9625abbdc0b3e86db18aee7377af5711bc927da35\r\n52a53e7e250fa9faa823d26421ca8af42ac40c27bac1d5af65b452c8987cda72\r\nab1983217880dad9c0481aab5b06e1fe4b9caaf8d56d8a03bf794aca18f2e4c6\r\nfc3cdc3932d69c05c735040245f94fafe22b79cd865bb7d23c4364a3f4e8c774\r\ne683c86fd40eac23bc6435f479518ea5d80f90da294d5ad21d024dd7acc8a6ac\r\nc82e0a487203457026e61b77d1becb97e8e0d2d8a30ee17d1d8827f9ece87607\r\n784cf7d224974f7e2c43cf10580c42a2521556608a5dd4a11247d09a77f5c8df\r\nc0082f8f1e49c0805c4eaacf5cf5b99ae30eeea585fd77cbd50904927052a18c\r\nf6942682162769091569d0129f0b77dd7176672b0e978a29416efe3d3859d0f9\r\nSHA-1\r\n22e327a5e2beba5b52358dbe9cd11727a7ddde91\r\n5c027de1a7883f78e508ebf85847d0b32bf3c9a0\r\n3557d162828baab78f2a7af36651a3f46d16c1cb\r\n6519a71c64aa216673f3582da1338e22c4ad78a8\r\n5a08e5bce797142c6d46675a6c070e503e987dd7\r\na3343f4cd3eb8415d3b787ff442074180d108d3a\r\ndf8201f67beb99d7c6094e9d67f3a54c94809dda\r\n4ea195fd2af0a4fa0ce2a9b052ca380206ad6fe6\r\nd14b84a15a4673c24c666d938a34232676e69df6\r\nd280f33f6d6e748313d3b637591525383ea749fe\r\nd71c7966d2c4ae8beb742c0f9152f1699703a601\r\n3c6a4db19321a10f563e5c2a018e3a72b243a276\r\nd367676de8f100ea9592021a7997a08d07a0dd0f\r\n10d3f7e7376c88429d829ed084974966462ecbfc\r\n0c061ec90fbc61a868c2ce7aaac4fe79b42cc6c0\r\n730c4d0cde7316c0b5cde69254c8b1cbe8af9a91\r\ne5cafc60a76cb8cd738d6133ff562f735712542e\r\n9c9f1dfa79575a212023233ef5a3db4e7a250278\r\n42bab3bc85c72864592a8ca3ae2351399e0efde1\r\n8cfd45f1364f569522399d1e246039cffbde6d82\r\n6bbdc51640ea88fdd15e58e60c1e7e4a27fcc5f0\r\n245259780d59c3f4eb2d873f05ad86673c88815d\r\n9976e5121c264a2b0dcf09ddd6c8cb53fdd964f8\r\n24ffb24a73e68e6f5c23ab090f9ce5ac5dd41a8e\r\n8b8a5ed2f2921d355d82e342595b1e73f5ed2560\r\nf2ee686c24eddea9ca495cfbb790798e6b6d451b\r\n3fa8f0de425317407a540c359dfcb5e87fc02abf\r\nhttps://www.rewterz.com/rewterz-news/rewterz-threat-intel-indigozebra-apt-group-targeting-central-asia-active-iocs\r\nPage 3 of 4\n\n4f2ba5c8848ec94835f4070acb92dcad46769995\r\nde83c07a3311b5ecb908b7ae8c78766da383d1da\r\n88927e4d9a6a1ce5e656c599c0b0f462af97ba57\r\n6305784544936d4b1b2f7ede4028c33094ddcea2\r\ne5608c6d7436e5697feef61ba4cddd9be0a37b96\r\nRemediation\r\nBlock all threat indicators at their respective controls.\r\nLook for IOCs in your environment.\r\nSource: https://www.rewterz.com/rewterz-news/rewterz-threat-intel-indigozebra-apt-group-targeting-central-asia-active-iocs\r\nhttps://www.rewterz.com/rewterz-news/rewterz-threat-intel-indigozebra-apt-group-targeting-central-asia-active-iocs\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.rewterz.com/rewterz-news/rewterz-threat-intel-indigozebra-apt-group-targeting-central-asia-active-iocs"
	],
	"report_names": [
		"rewterz-threat-intel-indigozebra-apt-group-targeting-central-asia-active-iocs"
	],
	"threat_actors": [
		{
			"id": "62f2206e-d8c6-49bb-86fc-63118ac2bf40",
			"created_at": "2022-10-25T16:07:23.725942Z",
			"updated_at": "2026-04-10T02:00:04.728159Z",
			"deleted_at": null,
			"main_name": "IndigoZebra",
			"aliases": [
				"G0136"
			],
			"source_name": "ETDA:IndigoZebra",
			"tools": [
				"Dropbox"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "abb4a645-181b-4237-825f-447ac9b0c16d",
			"created_at": "2022-10-25T15:50:23.764656Z",
			"updated_at": "2026-04-10T02:00:05.40558Z",
			"deleted_at": null,
			"main_name": "IndigoZebra",
			"aliases": [
				"IndigoZebra"
			],
			"source_name": "MITRE:IndigoZebra",
			"tools": [
				"xCaon",
				"BoxCaon",
				"PoisonIvy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f33ce87f-9514-447c-aba2-ff3e4e9e5b71",
			"created_at": "2023-11-07T02:00:07.097748Z",
			"updated_at": "2026-04-10T02:00:03.406698Z",
			"deleted_at": null,
			"main_name": "IndigoZebra",
			"aliases": [],
			"source_name": "MISPGALAXY:IndigoZebra",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434134,
	"ts_updated_at": 1775791992,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9c4347638352435a04833229db1f24a390fab4f5.pdf",
		"text": "https://archive.orkl.eu/9c4347638352435a04833229db1f24a390fab4f5.txt",
		"img": "https://archive.orkl.eu/9c4347638352435a04833229db1f24a390fab4f5.jpg"
	}
}