{
	"id": "bf6fa878-a447-4812-90c2-ec5348bbfb00",
	"created_at": "2026-04-06T00:12:53.065847Z",
	"updated_at": "2026-04-10T03:37:49.844634Z",
	"deleted_at": null,
	"sha1_hash": "ad4b99ebf17afeda20014a4aad0c2b5c95c7c769",
	"title": "Dear Joohn: The Sofacy Group’s Global Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1367253,
	"plain_text": "Dear Joohn: The Sofacy Group’s Global Campaign\r\nBy Bryan Lee, Robert Falcone\r\nPublished: 2018-12-12 · Archived: 2026-04-02 12:44:03 UTC\r\nAs alluded to in our previous blog regarding the Cannon tool, the Sofacy group (AKA Fancy Bear, APT28, STRONTIUM, Pawn Storm, Sednit) has persistently attacked various government and private organizations around the world from mid-October 2018 through mid-November 2018. The majority of targets were NATO-aligned nation states, although several former USSR nation states were also targeted. The attacks primarily deployed variants of the Zebrocy tool, which we have previously analyzed. A smaller subset of the delivery documents delivered Cannon or a Zebrocy Delphi variant as reported by ESET. Since we began tracking the use of Zebrocy in mid-2015, we have observed a significant increase in the frequency with which this tool is deployed. Compared to other backdoor tools associated with the Sofacy group, the use of Zebrocy in attack campaigns is far more widespread.\r\nThe cluster of activity we detail in this blog revolves primarily around a common author name used in each of the delivery documents: Joohn. Our initial sample of interest was the delivery document using the crash list(Lion Air Boeing 737).docx filename, which delivered the Zebrocy tool. By leveraging our AutoFocus threat intelligence platform in conjunction with data collected from VirusTotal, we were able to pivot from artifacts discovered in the metadata and behaviors to discover the Cannon tool, as well as a number of additional delivery documents, payloads, and targets. The attack vector for all of these attacks appears to be spear-phishing, using email accounts registered with legitimate email providers instead of spoofed email addresses or previously compromised accounts. The account names visually resemble legitimate government organization names or other trusted third-party entities. The delivery documents were functionally all similar, using the remote template function in Microsoft Word to retrieve a malicious macro from the first-stage C2 and ultimately loading and executing an initial payload. The majority of delivery documents contain a generic lure image requesting that the victim enable macros, with no additional content; the adversaries seemingly relied solely on lure filenames to entice victims to launch the malicious document.\r\nhttps://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/\r\nPage 1 of 16\n\nIn all, we intercepted nine weaponized documents spanning October 17, 2018 through November 15, 2018, all sharing the same Joohn author name and delivering variants of either Zebrocy or Cannon. The target radius of our dataset spans four continents, covering government agencies from the federal level all the way down to local government agencies. We also conducted timeline analysis using the collected data, which allowed us to discover how the Sofacy group timed their attacks in the Dear Joohn campaign and how they may have crafted their attacks using automated tools.\r\nAttack Details\r\nBeginning on October 17, 2018, we collected a total of nine delivery documents sent to a multitude of organizations around the world. The targets included a foreign affairs organization in North America, foreign affairs organizations in Europe, as well as government entities in former USSR states. We also discovered evidence of possible targeting of local law enforcement agencies around the world, covering North America, Australia, and Europe. Our telemetry also showed possible targeting of NGOs, marketing firms, and organizations in the medical industry. The attack vector in all of these attacks was spear-phishing, using email accounts registered with the free email provider Seznam, a popular web services provider located in the Czech Republic.
An example can be seen in Figure 1.\r\nFigure 1 Example spear-phishing email delivered in Dear Joohn attacks\r\nIn this campaign, the Sofacy group appears to have relied heavily on filenames to lure victims into launching the weaponized documents. Filenames ranged from topics alluding to Brexit, the Lion Air crash, and recent rocket attacks in Israel. The full list of filenames we were able to collect can be seen in Table 1. Although the filenames appeared to be highly targeted and pertinent to the victims, the actual lure content of the documents was far more generic, as seen in Figure 2.\r\nFigure 2 Generic lure image\r\nIn November 2018, the adversary shifted tactics and began implementing non-generic lure content for their weaponized documents. We collected three samples heavily targeting NATO-aligned nation states at this time, using three different lures as seen in Figure 3.\r\nFigure 3 Targeted lure content\r\nIn one of the documents, the victim is presented with what appears to be an obfuscated document with the NATO EOD seal and text alluding to the targeted nation state. Unpacking the document revealed that the unobfuscated image was a screenshot of a cover page regarding a NATO workshop in the targeted nation state. The other two documents had very similar lures to each other, presenting garbled text to the target with instructions on how to properly view the document. Interestingly, one of them contained instructions in Russian, which may indicate the intended target was a Russian-speaking nation state.\r\nEach of these weaponized documents used the same tactic. Upon opening the document, it leveraged the ability of Microsoft Word to retrieve a remote template, which in turn loaded a malicious macro document, as seen in Figure 4.\r\nFigure 4 Microsoft Word attempting to download the remote template\r\nIf the C2 server is active at the time the document is opened, Word retrieves the malicious macro and loads it in the same Microsoft Word session. The victim then sees a prompt to Enable Content, as with any malicious macro document, as seen in Figure 5. If the C2 server is not active at that time, the download fails and the victim never receives the Enable Content prompt, since no macro was downloaded. Because the macro lives in the remote template rather than in the delivery document, a static scan of the .docx for VBA finds nothing; the outbound template request made on open is the earliest observable artifact.\r\nFigure 5 Remote template document requesting the user to click \"Enable Content\" to run macro\r\nClustering\r\nThe delivery documents used in the October and November waves shared a large number of similarities, as seen in Table 1, which allowed us to cluster the activity together. Most notably, the author name Joohn was used repeatedly in each delivery document. There was a slight deviation in the November grouping, where the three samples we collected still used the Joohn author name for the last modified field but reverted to a default USER/user author name for the creator field.\r\nHash | Filename | Created By | Last Modified By | Remote Template Location | Remote Template Hash\r\nc20e5d56b3.. | 1500029.docx | Joohn | Joohn | 185.203.118[.]198 | 86bb3b00bc..\r\nabfc14f7f7.. | Passport.docx | Joohn | Joohn | 185.203.118[.]198 | 86bb3b00bc..\r\n40318f3593.. | DN_325_170428_DEA Basic Narcotics Investigation Course invitation.docx | Joohn | Joohn | 145.249.105[.]165 | 2da5a388b8..\r\n5749eb9d7b.. | 2018_10_13_17_15_21.docx | Joohn | Joohn | 145.249.105[.]165 | 0d7b945b9c..\r\n2cfc4b3686.. | crash list(Lion Air Boeing 737).docx | Joohn | Joohn | 188.241.58[.]170 | f1e2bceae8..\r\naf77e845f1.. | Заявление.docx | Joohn | Joohn | 188.241.58[.]170 | fc69fb278e..\r\n34bdb5b364.. | Rocket attacks on Israel.docx | user | Joohn | 109.248.148[.]42 | ed8f52cdfc..\r\n79bd5f3486.. | 201811131257.docx | USER | Joohn | 109.248.148[.]42 | b9f3af84a6..\r\n77ff53211b.. | Brexit 15.11.2018.docx / DIP 89 OIC Condemns 14 Nov Attacks.docx / 15.11 attacks.docx | USER | Joohn | 109.248.148[.]42 | \u003cUnknown\u003e\r\nTable 1 Delivery documents seen in the Dear Joohn attack campaign\r\nThe remote template documents retrieved by the delivery documents in Table 1 also shared a common author name, using the string xxx. Table 2 shows the remote templates downloaded by delivery documents in this attack campaign. In the tables and text of this report, we refer to samples by a shortened version of their SHA256 hash to improve readability. The full hashes and metadata are available in CSV format here.\r\nHash | Filename | Author | Created | Last Modified | Hosted on IP\r\nf1e2bceae8.. | office.dotm | xxx | 10/31/18 10:52 | 10/31/18 10:52 | 188.241.58[.]170\r\n86bb3b00bc.. | Note_template.dotm | xxx | 10/17/18 05:35 | 10/17/18 05:35 | 185.203.118[.]198\r\n2da5a388b8.. | release.dotm | xxx | 10/25/18 07:06 | 10/25/18 07:06 | 145.249.105[.]165\r\n0d7b945b9c.. | message_template.dotm | xxx | 10/23/18 13:55 | 10/23/18 13:55 | 145.249.105[.]165\r\nfc69fb278e.. | documents.dotm | xxx | 11/01/18 05:00 | 11/01/18 05:06 | 188.241.58[.]170\r\ned8f52cdfc.. | templates.dotm | xxx | 11/13/18 10:52 | 11/13/18 10:52 | 109.248.148[.]42\r\nb9f3af84a6.. | attachedTemplate.dotm | xxx | 11/15/18 05:35 | 11/15/18 05:35 | 109.248.148[.]42\r\nTable 2 Remote templates downloaded by Dear Joohn delivery documents\r\nAs seen in Table 1, the delivery documents accessed their respective remote templates from four C2 servers at the following IP addresses:\r\n185.203.118[.]198\r\n145.249.105[.]165\r\n188.241.58[.]170\r\n109.248.148[.]42\r\nThese initial C2 IP addresses not only hosted the remote templates that subsequently load the first-stage Zebrocy or Cannon payloads, but also hosted the C2 server for the first-stage payloads themselves. All C2s used in the Dear Joohn campaign were IP-based, and examining the infrastructure did not reveal significant overlap or relationships with previous Zebrocy or Sofacy infrastructure. A visual representation of the Dear Joohn campaign can be seen in Figure 6.\r\nFigure 6 Relational diagram of artifacts\r\nWe created a timeline of the activity based on the data we collected, and found that the attack dates were tightly clustered into two waves, one in mid- to late-October and one in mid-November, as seen in Figure 7 using the timestamps from Table 3.\r\nFilename | Created On | Last Modified | First Seen | Total Time (days)\r\nPassport.docx / instruction.docx | 9/11/18 04:22 | 10/13/18 08:21 | 10/18/18 07:38 | 37.1\r\nDN_325_170428_DEA...invitation.docx | 9/11/18 04:22 | 10/13/18 08:21 | 10/25/18 08:15 | 44.12\r\ncrash list(Lion Air Boeing 737).docx / Бурханов.docx | 9/11/18 04:22 | 10/13/18 08:21 | 11/01/18 06:50 | 51.1\r\nЗаявление.docx | 9/11/18 04:22 | 10/13/18 08:21 | 11/01/18 11:41 | 51.3\r\n1500029.docx | 10/18/18 06:59 | 10/18/18 07:00 | 10/18/18 08:47 | 0.4\r\n2018_10_13_17_15_21.docx | 10/18/18 06:59 | 10/18/18 07:00 | 10/24/18 07:38 | 6.2\r\nRocket attacks on Israel.docx | 11/13/18 12:17 | 11/13/18 10:46 | 11/14/18 05:14 | 0.7\r\nBrexit 15.11.2018.docx / DIP 89 OIC Condemns 14 Nov Attacks.docx / 15.11 attacks.docx | 11/14/18 14:17 | 11/15/18 04:50 | 11/15/18 06:28 | 0.8\r\n201811131257.docx | 11/14/18 14:33 | 11/15/18 04:50 | 11/15/18 12:31 | 0.9\r\nTable 3 Timestamps of delivery documents (all times in UTC)\r\nFigure 7 Dear Joohn timeline\r\nBased on the timestamps we have, four delivery documents were initially created on September 11, 2018 at 04:22 UTC. These four were then all modified at the same date and time, October 13, 2018 at 08:21. Having three different C2 locations embedded inside these delivery documents while maintaining exactly the same timestamps may indicate the use of an automated tool. A command line based penetration testing toolkit such as Phishery would allow simple scripting to generate multiple documents at the same time with different inputs. From there, there was an average two-week gap until these documents were first seen in the wild. In total, these four documents averaged roughly 46 days from initial creation to attack. Given the modular nature of the Dear Joohn campaign attacks, the lengthy time from initial creation to attack may suggest the campaign was not yet ready for deployment because additional development was required for the remote templates, payloads, or infrastructure. Another possible scenario is that the adversary had a particular timeframe in which they wanted to execute the attack; from the timeline it is clear there were two distinct targeting windows, one from mid to late October 2018 and the other in mid-November 2018. As the campaign progressed, the operational tempo increased, with the total time from document creation to first seen dropping to an average of roughly two days.\r\nWhen comparing the timestamps of the delivery documents to the timestamps of the remote template documents from Table 2, we find that the time to attack is directly correlated with the last time the templates were modified. On average, there was a 13.8 hour gap between when the template document was last touched by the operator and when the delivery document was first observed in the wild. This leads us to believe that the generation of the delivery documents was indeed part of a staging effort: first the initial creation of the document, then modification of it to communicate with a C2, then generation of a remote template document just prior to launching the actual attack.\r\nAnalysis using timestamps is not always conclusive, however. One of the documents we examined, with the filename Rocket attacks on Israel.docx (SHA256: 34bdb5b364..), contained inconsistent creation and last modified timestamps, with the last modified timestamp occurring before the creation timestamp. A possible explanation is that the document was copied to another system with an incorrectly set system time, then saved with the incorrect time.
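The two artifacts this section pivots on, the external attachedTemplate relationship that drives the remote template download and the core.xml author and timestamp fields used for clustering, can both be pulled straight out of the OOXML zip without opening the file in Word. The following is an added triage script written for this page, not Unit 42 tooling and not code from the original post. It assumes the standard OOXML part names and relationship type URI (note that two of the campaign template URLs above borrow the officeDocument/2006/relationships and thememl paths from those same URIs, presumably to look benign); the author string it flags, the TEST-NET template URL and the minimal package it builds for the demo are constructed for this example and are not real samples.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime

# OOXML namespaces and the attachedTemplate relationship type (standard values)
REL_NS = 'http://schemas.openxmlformats.org/package/2006/relationships'
ATTACHED_TEMPLATE = 'http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate'
CP_NS = 'http://schemas.openxmlformats.org/package/2006/metadata/core-properties'
DC_NS = 'http://purl.org/dc/elements/1.1/'
DCTERMS_NS = 'http://purl.org/dc/terms/'

# Author string shared by the Dear Joohn delivery documents (Table 1); extend as needed
SUSPECT_AUTHORS = {'joohn'}


def _text(root, tag):
    node = root.find(tag)
    return node.text.strip() if node is not None and node.text else ''


def _parse_ts(value):
    # core.xml stores W3CDTF timestamps such as 2018-09-11T04:22:00Z
    try:
        return datetime.strptime(value, '%Y-%m-%dT%H:%M:%SZ')
    except ValueError:
        return None


def triage_docx(data):
    '''Return remote template targets, author metadata and findings for a .docx given as bytes.'''
    result = {'remote_templates': [], 'creator': '', 'last_modified_by': '',
              'created': None, 'modified': None, 'findings': []}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = set(pkg.namelist())
        # The remote template is an External attachedTemplate relationship of settings.xml.
        # Word fetches it on open, before any Enable Content prompt, so it is the earliest indicator.
        rels = 'word/_rels/settings.xml.rels'
        if rels in names:
            for rel in ET.fromstring(pkg.read(rels)).iter('{%s}Relationship' % REL_NS):
                if rel.get('Type') != ATTACHED_TEMPLATE or rel.get('TargetMode') != 'External':
                    continue
                target = rel.get('Target', '')
                result['remote_templates'].append(target)
                if target.lower().startswith(('http://', 'https://')):
                    result['findings'].append('remote template fetched over HTTP: ' + target)
        core = 'docProps/core.xml'
        if core in names:
            root = ET.fromstring(pkg.read(core))
            result['creator'] = _text(root, '{%s}creator' % DC_NS)
            result['last_modified_by'] = _text(root, '{%s}lastModifiedBy' % CP_NS)
            result['created'] = _parse_ts(_text(root, '{%s}created' % DCTERMS_NS))
            result['modified'] = _parse_ts(_text(root, '{%s}modified' % DCTERMS_NS))
    for field in ('creator', 'last_modified_by'):
        if result[field].lower() in SUSPECT_AUTHORS:
            result['findings'].append(field + ' matches campaign author: ' + result[field])
    # The Rocket attacks on Israel.docx case: modified before created is worth a flag, not a verdict
    if result['created'] and result['modified'] and result['modified'] < result['created']:
        result['findings'].append('modified timestamp precedes created timestamp')
    return result


def build_sample_docx(template_url, creator, modified_by, created, modified):
    '''Constructed minimal package holding only the two parts triage_docx reads; not a real sample.'''
    rels = ET.Element('{%s}Relationships' % REL_NS)
    ET.SubElement(rels, '{%s}Relationship' % REL_NS, Id='rId1', Type=ATTACHED_TEMPLATE,
                  Target=template_url, TargetMode='External')
    core = ET.Element('{%s}coreProperties' % CP_NS)
    ET.SubElement(core, '{%s}creator' % DC_NS).text = creator
    ET.SubElement(core, '{%s}lastModifiedBy' % CP_NS).text = modified_by
    ET.SubElement(core, '{%s}created' % DCTERMS_NS).text = created
    ET.SubElement(core, '{%s}modified' % DCTERMS_NS).text = modified
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as pkg:
        pkg.writestr('word/_rels/settings.xml.rels', ET.tostring(rels))
        pkg.writestr('docProps/core.xml', ET.tostring(core))
    return buf.getvalue()


if __name__ == '__main__':
    # Constructed inputs: a Joohn-authored document and a copied one with inconsistent timestamps
    for sample in (
        build_sample_docx('http://192.0.2.10/documents/Note_template.dotm', 'Joohn', 'Joohn',
                          '2018-09-11T04:22:00Z', '2018-10-13T08:21:00Z'),
        build_sample_docx('http://192.0.2.42/officeDocument/2006/relationships/templates.dotm',
                          'user', 'Joohn', '2018-11-13T12:17:00Z', '2018-11-13T10:46:00Z'),
    ):
        for finding in triage_docx(sample)['findings']:
            print(finding)
```

Run it against a real delivery document with triage_docx(open(path, 'rb').read()). A missing settings.xml.rels or core.xml simply yields no findings, and a relationship whose Target is a local .dotm is recorded but not flagged, so the output is worth reading rather than treating as a verdict.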
This document was also the first of the mid-November cluster to use the user/USER author name instead of Joohn, further supporting the scenario of the document being copied between systems.\r\nThe Payloads\r\nThe delivery documents in this attack campaign loaded remote templates whose macros installed a variety of first-stage payloads. With the notable exception of the Cannon tool, the first-stage tools are all variants of the Zebrocy Trojan. The Zebrocy variants delivered in this campaign were written in several different languages, including Delphi, C# and VB.NET. Information on the first-stage payloads delivered in this attack is listed in Table 4.\r\nSHA256 | Compiled | Variant | C2\r\n5173721f30.. | 10/23/18 | C# Zebrocy | 145.249.105[.]165\r\n61a1f3b4fb.. | 11/1/18 | C# Cannon | sahro.bella7[at]post.cz\r\n6ad3eb8b56.. | 6/19/92 | Delphi Zebrocy | 188.241.58[.]170\r\n9a0f00469d.. | 10/25/18 | C# Zebrocy | 145.249.105[.]165\r\nb41480d685.. | 6/19/92 | Delphi Zebrocy | 109.248.148[.]42\r\nc91843a69d.. | 6/19/92 | Delphi Zebrocy | 185.203.118[.]198\r\ne5aece694d.. | 11/13/18 | VB.NET Zebrocy | 109.248.148[.]42\r\nTable 4 Payloads delivered in related attacks\r\nThe 6/19/92 compile time shown for the Delphi rows is the placeholder value (June 19, 1992) that older Delphi compilers write into the PE header of every binary they produce rather than a real build date, so it cannot be used to order or date those samples.\r\nThe Delphi variant of Zebrocy delivered in this attack campaign is very similar to the Delphi downloader discussed in our previous Zebrocy research published in June 2018. While this Delphi variant was known, the C# and VB.NET variants delivered in this attack campaign were previously unknown. An interesting note on these payloads is that all the Delphi payloads delivered in this campaign were packed with UPX, while none of the other payloads were packed. While we can only speculate on the specific reason, it is likely Sofacy packed only the Delphi variants in an attempt to increase evasion, as the Delphi variant of Zebrocy is known and has been widely analyzed.\r\nBy collecting and analyzing additional Cannon samples, we believe we have also found a Cannon variant written in Delphi. We have seen Sofacy using multiple languages to create variants of the Zebrocy Trojan, so it seems fitting that the group would create additional variants of Cannon in multiple programming languages as well.\r\nC# Cannon\r\nSince our initial blog that introduced the Cannon tool, we have been able to collect more samples of Cannon to better understand its origins. It appears that the first known sample of Cannon was created on April 18, 2018, and since then there have been at least seven additional samples. Table 5 shows the known Cannon samples, their compilation time and the email accounts used for C2 communications.\r\nSHA256 | Compiled | C2 account | POP3S Account | SMTPS Accounts\r\n861b6bc1f9.. | 4/18/18 | sym777.g | kae.mezhnosh | vebek.morozh30, g0r7tsa45s, marvel.polezha\r\n4405cfbf28.. | 5/14/18 | sym777.g | kae.mezhnosh | vebek.morozh30, g0r7tsa45s, marvel.polezha\r\n174effcdee.. | 6/15/18 | sym777.g | kae.mezhnosh | vebek.morozh30, g0r7tsa45s, marvel.polezha\r\na23261e2b6.. | 6/22/18 | sym777.g | kae.mezhnosh | vebek.morozh30, g0r7tsa45s, marvel.polezha\r\n651d5aab82.. | 10/19/18 | sym777.g | kae.mezhnosh | vebek.morozh30, g0r7tsa45s, marvel.polezha\r\n68df0f924c.. | 10/22/18 | sym777.g | kae.mezhnosh | vebek.morozh30, g0r7tsa45s, marvel.polezha\r\n61a1f3b4fb.. | 11/1/18 | sahro.bella7 | trala.cosh2 | Bishtr.cam47, Lobrek.chizh, Cervot.woprov\r\nTable 5 Gathered C# Cannon samples\r\nAs mentioned in our initial blog, the actor-controlled email address acting as the C2 was sahro.bella7[at]post.cz, but all previous samples of Cannon used sym777.g[at]post.cz. Also, all previous samples of Cannon used an account name of kae.mezhnosh to receive emails from the actor, while using the accounts vebek.morozh30, g0r7tsa45s and marvel.polezha to send emails to the actor.\r\nAs we reported in our previous analysis of Cannon, the tool logs into an email account using POP3S and checks for emails carrying an attachment with a specific filename, which it saves to the system and executes. The initial sample we analyzed looked for an attachment with a filename of auddevc.txt, but other Cannon samples have looked for the following filenames instead:\r\nDelphi Cannon\r\nWhile searching for additional Cannon samples, we discovered another tool that used email for its C2 communications. The initial overlap was based on the filename wmssl.exe, the executable name to which Cannon would move the wmssl.txt attachment in order to install and execute a secondary payload. Initial analysis indicated this might be a tenuous connection; however, after we gathered additional samples of Delphi Cannon, we discovered additional relationships. Table 6 shows the Delphi Cannon samples we gathered, including the sample 215f7c08c2.. that is very similar to the Trojan discussed in ESET’s research.\r\nSHA256 | Compiled | C2 email | POP3S Account | SMTPS Accounts\r\n5a02d4e5f6.. | 1/23/18 | heatlth500@ambcomission[.]com | trash023@ambcomission[.]com | trasler22@ambcomission[.]com\r\nd06be83a40.. | 2/21/18 | heatlth500@ambcomission[.]com | trash023@ambcomission[.]com | trasler22@ambcomission[.]com\r\n78adc8e5e4.. | 2/28/18 | heatlth500@ambcomission[.]com | trash023@ambcomission[.]com | trasler22@ambcomission[.]com\r\n054c5aa73d.. | 3/3/18 | heatlth500@ambcomission[.]com | trash023@ambcomission[.]com | trasler22@ambcomission[.]com\r\ncac630c11c.. | 4/18/18 | N/A | N/A | N/A\r\necc5805898.. | 5/4/18 | heatlth500@ambcomission[.]com | trash023@ambcomission[.]com | trasler22@ambcomission[.]com\r\n215f7c08c2.. | 6/14/18 | rishit333@ambcomission[.]com | tomasso25@ambcomission[.]com | kevin30@ambcomission[.]com\r\nTable 6 Gathered Delphi Cannon samples\r\nThe compilation times in Table 6 suggest that the Delphi variant of Cannon predates the originally reported version, as the first known Delphi sample was compiled in January 2018 and the first known C# Cannon sample was compiled in April 2018. The Delphi variant of Cannon does not use legitimate web-based email services for its C2 communications, instead opting to use email accounts at an actor-owned domain, ambcomission[.]com. This actor-controlled domain links to a larger Sofacy infrastructure as reported by ThreatConnect. Even though Delphi Cannon uses POP3S and SMTPS for its C2 communications like Cannon, it is arguably easier to defend against, as it uses an actor-owned domain that defenders can easily block rather than a legitimate email provider such as Seznam.\r\nThe oldest known sample of the Delphi variant (SHA256: 5a02d4e5f6…) provided us a much stronger linkage between Delphi Cannon and Cannon, as this sample collects system information and sends it to the C2 email address, including the path of the running process appended to the string Running place. The screenshot in Figure 8 of the inf method within a Cannon sample (SHA256: 4405cfbf28...)
shows the information gathered that is exfiltrated to the C2 via email, specifically with the RunningPlace and LogicalDrives header strings:\r\nFigure 8 inf method used by Cannon\r\nWhen comparing the two Cannon variants, we found a method within a Delphi Cannon sample (SHA256: 5a02d4e5f6...) that uses Running place and Logical_Drivers as header strings for the system information it collects and sends to the C2 via email. While not an exact match, Figure 9 shows these similar header strings and strengthens our hypothesis that the two variants are indeed related:\r\nFigure 9 Similarities of Delphi Cannon and Cannon\r\nAs seen in Table 6, one of the Delphi Cannon samples (SHA256: cac630c11c..) does not have any associated email addresses, as the sample does not appear to have any C2 functionality. Instead, this sample reads “tasks” from a file named ta.bin that some other, unknown tool must write to while handling the C2 functionality. It is also interesting that this specific sample has the same resource name (L30), containing the same encrypted email addresses as the other samples in Table 6 that use heatlth500@ambcomission[.]com as a C2 email (such as ecc5805898..), but does not contain any code to access the resource or decrypt its contents.\r\nVB.NET Zebrocy Variant\r\nThe VB.NET variant (SHA256: e5aece694d..) is very similar to other known Zebrocy variants. It includes the storage volume serial number within the URL it uses as its C2 beacon, which it obtains using the Scripting.FileSystemObject object to call GetDriveName on the path stored in Environment.SpecialFolder.LocalApplicationData. It then calls GetDrive on the drive name returned by GetDriveName to get the SerialNumber of the storage device. The VB.NET variant then gathers system information and running processes like other Zebrocy variants by running the following commands:\r\nsysteminfo \u0026 tasklist\r\nThe URL used to send the system information, running processes and a screenshot to the C2 server is:\r\nhxxp://109.248.148[.]42/agr-enum/progress-inform/cube.php?res=[serial number]\r\nThe VB.NET variant of Zebrocy uses an HTTP POST request to the URL above to transmit the gathered data, which is carried in the HTTP POST body structured as follows (notice the spaces before and after the ampersand “\u0026”, which a normal form-encoded body would not contain):\r\ndata=[system information and running processes] \u0026 arg=[screenshot in BMP format]\r\nC# Zebrocy Variant\r\nThe C# variant of Zebrocy is similar to other variants in functionality, but also has several unique attributes that are worth discussing. Like other Zebrocy tools, the C# variant gathers the storage volume serial number to use in outbound beacons to the C2 server. In this particular variant, the tool uses the Windows API function GetVolumeInformation to get the serial number of the C: drive. This variant of Zebrocy also takes a screenshot that it transmits to the C2 server in JPEG format. The most notable change in this variant of Zebrocy, other than the programming language used, is the way the tool gathers the system information and running processes. Instead of using the systeminfo and tasklist commands, the C# variant of Zebrocy uses WMI queries to gather this information. The tool runs the following list of WMI queries:\r\nwmic logicaldisk get Caption, Description,VolumeSerialNumber,Size,FreeSpace\r\nwmic diskdrive get Model, SerialNumber\r\nwmic computersystem get Manufacturer, Model, Name, SystemTypec\r\nwmic os get Caption, OSArchitecture, OSLanguage,SystemDrive,MUILanguages\r\nwmic process get Caption,ExecutablePath\r\nThe URL used to send the system information, running processes and a screenshot to the C2 server is:\r\nhxxp://145.249.105[.]165/resource-store/stockroom-center-service/check.php?fm=[serial number]\r\nThe C# variant of Zebrocy uses an HTTP POST request to the URL above to transmit the gathered data, which is carried in the HTTP POST body structured as follows:\r\nspp=[system information from WMI queries] \u0026spvg=[screenshot in JPEG format]\r\nConclusion\r\nThe Sofacy group continues their attacks on organizations across the globe using similar tactics and techniques. We observed them carrying out attacks via spear-phishing emails in late October through November, often leveraging current events within filenames to entice recipients to open the malicious attachments. The group clearly shows a preference for using a simple downloader like Zebrocy as the first-stage payload in these attacks.
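The two beacon formats laid out above (the VB.NET variant posting data=... & arg=... to cube.php?res=, the C# variant posting spp=...&spvg=... to check.php?fm=) are concrete enough to detect from proxy or web-server logs, and the body layout survives even if the actor moves the scripts to a new host. The following detection routine is an added example written for this page, not Unit 42 code. It assumes a constructed pipe-separated log format (time, client, method, URL, body) that is defined inline; the four C2 addresses are the ones from Table 1, written undefanged so they can be matched, while the client addresses, serial numbers and body contents in the sample lines are made up.

```python
from urllib.parse import urlparse, parse_qs

# The four Dear Joohn first-stage C2 addresses from Table 1, undefanged for matching
KNOWN_C2 = {'185.203.118.198', '145.249.105.165', '188.241.58.170', '109.248.148.42'}

# Beacon shapes from the VB.NET and C# Zebrocy sections: C2 script path, query key carrying
# the volume serial, and the POST body layout (leading key plus the separator before the screenshot).
# The VB.NET separator keeps the odd spaces around the ampersand; a normal form body has none.
BEACON_RULES = [
    {'variant': 'Zebrocy VB.NET', 'path': '/agr-enum/progress-inform/cube.php',
     'query_key': 'res', 'body_prefix': 'data=', 'body_sep': ' & arg='},
    {'variant': 'Zebrocy C#', 'path': '/resource-store/stockroom-center-service/check.php',
     'query_key': 'fm', 'body_prefix': 'spp=', 'body_sep': '&spvg='},
]


def classify_beacon(method, url, body):
    '''Return a match dict for a Zebrocy-style POST beacon, or None when the request does not fit.'''
    if method.upper() != 'POST':
        return None
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    for rule in BEACON_RULES:
        # Body layout is the stable fingerprint; known path or host only raises confidence
        if not (body.startswith(rule['body_prefix']) and rule['body_sep'] in body):
            continue
        serial = query.get(rule['query_key'], [''])[0]
        host = parsed.hostname or ''
        path_hit = parsed.path == rule['path']
        host_hit = host in KNOWN_C2
        return {
            'variant': rule['variant'],
            'c2_host': host,
            'serial': serial,
            'confidence': 'high' if (path_hit or host_hit) and serial else 'medium',
        }
    return None


def scan_log(lines):
    '''Scan lines in the constructed format time | client | method | url | body and return matches.'''
    hits = []
    for line in lines:
        parts = [p.strip() for p in line.split(' | ', 4)]
        if len(parts) != 5:
            continue
        when, client, method, url, body = parts
        hit = classify_beacon(method, url, body)
        if hit:
            hit['time'] = when
            hit['client'] = client
            hits.append(hit)
    return hits


# Constructed sample log lines (not real telemetry); bodies are shortened placeholders
SAMPLE_LOG = [
    '2018-11-14T05:14:00Z | 10.1.2.30 | POST | http://109.248.148.42/agr-enum/progress-inform/cube.php?res=1A2B3C4D | data=Host Name: WS-30 OS Name: Microsoft Windows 10 Pro & arg=BM6...',
    '2018-10-25T08:15:00Z | 10.1.2.31 | POST | http://145.249.105.165/resource-store/stockroom-center-service/check.php?fm=9F8E7D6C | spp=Caption Description VolumeSerialNumber C: Local Fixed Disk 9F8E7D6C&spvg=/9j/4AAQ...',
    '2018-10-25T08:16:00Z | 10.1.2.31 | POST | https://intranet.example/login | user=alice&pass=hunter2&data=1&arg=2',
    '2018-11-20T09:00:00Z | 10.1.2.32 | POST | http://198.51.100.7/update/check.php?fm=0BADF00D | spp=Caption Description VolumeSerialNumber&spvg=/9j/4AAQ...',
]


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit['time'], hit['client'], hit['variant'], hit['c2_host'], hit['serial'], hit['confidence'])
```

The third sample line is a benign login form that happens to contain data= and arg= parameters; it does not match because the VB.NET rule requires the space-padded separator. The fourth line shows the C# body shape against an unknown host and path, which is reported at medium confidence so that infrastructure rotation does not silently drop the detection. The serial value is the volume serial the implant puts in the query string, which lets you tie repeated beacons from one host together even across address changes.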
The group continues to develop new variations of Zebrocy, adding VB.NET and C# versions, and it appears that they have also used different variants of the Cannon tool in past attack campaigns.\r\nPalo Alto Networks customers are protected from the attacks discussed in this blog as follows:\r\nAll delivery documents and payloads discussed are detected with malicious verdicts in WildFire\r\nTraps blocks the macro-laden documents as Suspicious macro detected\r\nC2 URLs have been classified as Command and Control\r\nAutoFocus customers may learn more via the Zebrocy and Cannon tags\r\nIndicators of Compromise\r\nDelivery Hashes\r\n2cfc4b3686511f959f14889d26d3d9a0d06e27ee2bb54c9afb1ada6b8205c55f\r\nc20e5d56b35992fe74e92aebb09c40a9ec4f3d9b3c2a01efbe761fa7921dd97f\r\nabfc14f7f708f662046bfcad81a719c71a35a8dc5aa111407c2c93496e52db74\r\n40318f3593bca859673827b88d65c5d2f0d80a76948be936a60bda67dff27be9\r\n5749eb9d7b8afa278be24a4db66f122aeb323eaa73a9c9e52d77ac3952da5e7d\r\naf77e845f1b0a3ae32cb5cfa53ff22cc9dae883f05200e18ad8e10d7a8106392\r\n34bdb5b364358a07f598da4d26b30bac37e139a7dc2b9914debb3a16311f3ded\r\n79bd5f34867229176869572a027bd601bd8c0bc3f56d37443d403a6d1819a7e5\r\n77ff53211bd994293400cb3f93e3d3df6754d8d477cb76f52221704adebad83a\r\nRemote Template Hashes\r\nf1e2bceae81ccd54777f7862c616f22b581b47e0dda5cb02d0a722168ef194a5\r\n86bb3b00bcd4878b081e4e4f126bba321b81a17e544d54377a0f590f95209e46\r\n2da5a388b891e42df4ed62cffbc167db2021e2441e6075d651ecc1d0ffd32ec8\r\n0d7b945b9c912d205974f44e3742c696b5038c2120ed4775710ed6d51fbc58ef\r\nfc69fb278e12fc7f9c49a020eff9f84c58b71e680a9e18f78d4e6540693f557d\r\ned8f52cdfc5f4c4be95a6b2e935661e00b50324bee5fe8974599743ccfd8daba\r\nb9f3af84a69cd39e2e10a86207f8612dd2839873c5839af533ffbc45fc56f809\r\nRemote Template URLs\r\nhxxp://188.241.58[.]170/live/owa/office.dotm\r\nhxxp://185.203.118[.]198/documents/Note_template.dotm\r\nhxxp://185.203.118[.]198/documents/Note_template.dotm\r\nhxxp://145.249.105[.]165/doc/temp/release.dotm\r\nhxxp://145.249.105[.]165/messages/content/message_template.dotm\r\nhxxp://188.241.58[.]170/version/in/documents.dotm\r\nhxxp://109.248.148[.]42/officeDocument/2006/relationships/templates.dotm\r\nhxxp://109.248.148[.]42/office/thememl/2012/main/attachedTemplate.dotm\r\nhxxp://109.248.148[.]42/office/thememl/2012/main/attachedTemplate.dotm\r\nZebrocy Hashes\r\n5173721f3054b92e6c0ff2a6a80e4741aa3639bc1906d8b615c3b014a7a1a8d7\r\n61a1f3b4fb4dbd2877c91e81db4b1af8395547eab199bf920e9dd11a1127221e\r\n6ad3eb8b5622145a70bec67b3d14868a1c13864864afd651fe70689c95b1399a\r\n9a0f00469d67bdb60f542fabb42e8d3a90c214b82f021ac6719c7f30e69ff0b9\r\nb41480d685a961ed033b932d9c363c2a08ad60af1d2b46d4f78b5469dc5d58e3\r\nc91843a69dcf3fdad0dac1b2f0139d1bb072787a1cfcf7b6e34a96bc3c081d65\r\ne5aece694d740ebcb107921e890cccc5d7e8f42471f1c4ce108ecb5170ea1e92\r\nZebrocy C2 URLs\r\nhxxp://188.241.58[.]170/local/s3/filters.php\r\nhxxp://185.203.118[.]198/en_action_device/center_correct_customer/drivers-i7-x86.php\r\nhxxp://145.249.105[.]165/resource-store/stockroom-center-service/check.php\r\nhxxp://109.248.148[.]42/agr-enum/progress-inform/cube.php\r\nCannon Hashes\r\n861b6bc1f9869017c48930af5848930dd037fb70fc506d8a7e43e1a0dbd1e8cb\r\n4405cfbf28e0dfafa9ea292e494f385592383d2476a9c49d12596b8d22a63c47\r\n174effcdeec0b84c67d7dc23351418f6fa4825550d595344214cc746f1a01c1a\r\na23261e2b693750a7009569df96ec4cf61e57acc9424c98d6fe1087ff8c659ce\r\n651d5aab82e53711563ce074c047cbaa0703931673fa3ad20933d6a63c5c3b12\r\n68df0f924ce79765573156eabffee3a7bb0fa972d2b67d12dd91dea3ec255d24\r\n61a1f3b4fb4dbd2877c91e81db4b1af8395547eab199bf920e9dd11a1127221e\r\n5a02d4e5f6d6a89ad41554295114506540f0876e7288464e4a70c9ba51d24f12\r\nd06be83a408f4796616b1c446e3637009d7691c131d121eb165c55bdd5ba50b4\r\n78adc8e5e4e86146317420fa3b2274c9805f6942c9973963467479cb1bbd4ead\r\n054c5aa73d6b6d293170785a82453446429c0efc742df75979b760682ac3026b\r\ncac630c11c4bf6363c067fbf7741eae0ec70238d9c5e60d41f3ed8f65b56c1d1\r\necc5805898e037c2ef9bc52ea6c6e59b537984f84c3d680c8436c6a38bdecdf4\r\n215f7c08c2e3ef5835c7ebc9a329b04b8d5215773b7ebfc9fd755d93451ce1ae\r\nCannon Related Emails\r\nsym777.g[at]post.cz\r\nkae.mezhnosh[at]post.cz\r\nvebek.morozh30[at]post.cz\r\ng0r7tsa45s[at]post.cz\r\nmarvel.polezha[at]post.cz\r\nsahro.bella7[at]post.cz\r\ntrala.cosh2[at]post.cz\r\nBishtr.cam47[at]post.cz\r\nLobrek.chizh[at]post.cz\r\nCervot.woprov[at]post.cz\r\nheatlth500[at]ambcomission[.]com\r\ntrash023[at]ambcomission[.]com\r\ntrasler22[at]ambcomission[.]com\r\nrishit333[at]ambcomission[.]com\r\ntomasso25[at]ambcomission[.]com\r\nkevin30[at]ambcomission[.]com\r\nSource: https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/"
	],
	"report_names": [
		"dear-joohn-sofacy-groups-global-campaign"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434373,
	"ts_updated_at": 1775792269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ad4b99ebf17afeda20014a4aad0c2b5c95c7c769.pdf",
		"text": "https://archive.orkl.eu/ad4b99ebf17afeda20014a4aad0c2b5c95c7c769.txt",
		"img": "https://archive.orkl.eu/ad4b99ebf17afeda20014a4aad0c2b5c95c7c769.jpg"
	}
}
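The IOC appendix in the archived report is defanged (hxxp, [.], [at]), so it cannot be fed to a matcher as printed. The Python below is an added example appended after the ORKL record; it is not part of the Unit 42 report or of ORKL's own tooling. It refangs a subset of the indicators copied verbatim from the appendix, then runs them over a handful of constructed proxy, mail and EDR log lines (invented for the demonstration, not real telemetry). Exact-URL, host-only, sender and SHA-256 hits are reported as separate kinds, because a host-only hit on one of the listed IP addresses is weaker evidence than a full-URL or hash hit and should be triaged with that in mind. The log format and field names are assumptions, not any product's real schema.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Subset of the defanged indicators copied verbatim from the report's IOC appendix.
DEFANGED_URLS = [
    "hxxp://188.241.58[.]170/live/owa/office.dotm",
    "hxxp://185.203.118[.]198/documents/Note_template.dotm",
    "hxxp://145.249.105[.]165/doc/temp/release.dotm",
    "hxxp://109.248.148[.]42/officeDocument/2006/relationships/templates.dotm",
    "hxxp://188.241.58[.]170/local/s3/filters.php",
    "hxxp://185.203.118[.]198/en_action_device/center_correct_customer/drivers-i7-x86.php",
    "hxxp://145.249.105[.]165/resource-store/stockroom-center-service/check.php",
    "hxxp://109.248.148[.]42/agr-enum/progress-inform/cube.php",
]
DEFANGED_EMAILS = [
    "sym777.g[at]post.cz",
    "heatlth500[at]ambcomission[.]com",
    "kevin30[at]ambcomission[.]com",
]
HASHES = [
    "5173721f3054b92e6c0ff2a6a80e4741aa3639bc1906d8b615c3b014a7a1a8d7",
    "861b6bc1f9869017c48930af5848930dd037fb70fc506d8a7e43e1a0dbd1e8cb",
]


def refang(ioc: str) -> str:
    """Undo the defanging conventions used in the report (hxxp, [.], [at]) and lower-case."""
    s = ioc.strip()
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    for defanged, real in (("[.]", "."), ("(.)", "."), ("[at]", "@"), ("(at)", "@")):
        s = s.replace(defanged, real)
    return s.lower()


@dataclass(frozen=True)
class IocSet:
    urls: frozenset
    hosts: frozenset
    emails: frozenset
    hashes: frozenset


def build_ioc_set(urls=DEFANGED_URLS, emails=DEFANGED_EMAILS, hashes=HASHES) -> IocSet:
    """Refang everything once and derive the host list from the URLs for weaker host-only matching."""
    live_urls = frozenset(refang(u) for u in urls)
    return IocSet(
        urls=live_urls,
        hosts=frozenset(urlsplit(u).hostname for u in live_urls),
        emails=frozenset(refang(e) for e in emails),
        hashes=frozenset(h.strip().lower() for h in hashes),
    )


URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def scan_line(line: str, iocs: IocSet) -> list:
    """Return (kind, indicator) pairs found in one log line; kinds: url, host, email, sha256."""
    hits = []
    for url in URL_RE.findall(line):
        u = url.lower()
        host = urlsplit(u).hostname
        if u in iocs.urls:
            hits.append(("url", u))          # full URL match: strongest network indicator
        elif host in iocs.hosts:
            hits.append(("host", host))      # same server, different path: lower confidence
    for addr in EMAIL_RE.findall(line):
        if addr.lower() in iocs.emails:
            hits.append(("email", addr.lower()))
    for digest in SHA256_RE.findall(line):
        if digest.lower() in iocs.hashes:
            hits.append(("sha256", digest.lower()))
    return hits


def scan(lines, iocs: IocSet) -> list:
    """Scan many lines; returns (line_number, kind, indicator) triples, 1-indexed."""
    return [(n, kind, value)
            for n, line in enumerate(lines, 1)
            for kind, value in scan_line(line, iocs)]


# Constructed sample log lines (assumed format: SOURCE timestamp key=value ...), not real telemetry.
SAMPLE_LOG = [
    'PROXY 2018-11-02T10:14:05Z src=10.1.2.3 GET http://188.241.58.170/live/owa/office.dotm 200',
    'PROXY 2018-11-02T10:14:09Z src=10.1.2.3 GET http://188.241.58.170/local/s3/filters.php 200',
    'PROXY 2018-11-02T11:00:00Z src=10.1.2.7 GET http://185.203.118.198/favicon.ico 404',
    'MAIL  2018-10-30T08:02:11Z from=Sym777.g@post.cz to=user@example.org subject="crash list"',
    'EDR   2018-11-02T10:14:12Z host=WS-17 sha256=861B6BC1F9869017C48930AF5848930DD037FB70FC506D8A7E43E1A0DBD1E8CB',
    'PROXY 2018-11-02T11:05:00Z src=10.1.2.7 GET http://example.com/index.html 200',
]

if __name__ == "__main__":
    for n, kind, value in scan(SAMPLE_LOG, build_ioc_set()):
        print(f"line {n}: {kind} {value}")
```

The first two proxy lines are the remote-template fetch followed by the Zebrocy C2 check-in on the same server, which is the sequence the report describes for the delivery documents; the third line hits only on host and should be weighted accordingly, since an IP that hosted a template in November 2018 may serve unrelated content later.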