{
	"id": "f943077c-3c73-4695-a7ad-20c8f22007c6",
	"created_at": "2026-04-06T00:10:55.633142Z",
	"updated_at": "2026-04-10T03:37:50.428453Z",
	"deleted_at": null,
	"sha1_hash": "c5c082e9545293bfa698428f08e12219e23bc33f",
	"title": "Sednit APT Group Meets Hacking Team",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 60015,
	"plain_text": "Sednit APT Group Meets Hacking Team\r\nBy ESET Research\r\n10 Jul 2015, 3 min. read\r\nThe infamous Sednit espionage group is currently using the Hacking Team exploits disclosed earlier this week to target Eastern European institutions.\r\nMore than 400GB of internal data from the company Hacking Team were released on the Internet last weekend. According to its website, Hacking Team develops and sells “easy-to-use offensive technology to the worldwide law enforcement and intelligence communities”. The leaked data contain a variety of information, from business proposals to the source code of the software sold by the company.\r\nTwo development projects in the leaked data are particularly interesting:\r\n1. A Flash exploit targeting the vulnerability labeled CVE-2015-5119. This vulnerability was patched on Wednesday the 8th of July in Adobe security bulletin APSB15-16, so the exploit was a zero-day until then. It allows an attacker to execute arbitrary code remotely if the attacker can convince the potential victim to open a specially crafted Flash file. Strikingly, the exploit works against all major browsers and can also be deployed easily in Microsoft Office documents (Word, Excel, PowerPoint). Hacking Team's leaked data contain various tools for easy manipulation of the Flash exploit, so it comes as no surprise that various exploit kits integrated it very rapidly, as reported by the security researcher Kafeine. A Metasploit module is also now available.\r\n2. A Windows local privilege escalation exploit, which is still unpatched and to which no CVE number has yet been allocated. This exploit allows an attacker to execute a program with maximum privileges.\r\nHence, the Hacking Team leak provides a complete exploitation chain, starting from a Flash exploit for the initial compromise and ending with a Windows privilege escalation exploit that lets the payload execute with elevated privileges.\r\nThis week ESET spotted a malicious group that rushed to integrate the Hacking Team exploits into its arsenal: the Sednit group. This group, also known as APT28 or Fancy Bear, has been targeting various institutions since 2006 for espionage purposes. To do so, they develop their own software, including specialized spying software and exploit kits.\r\nOn Wednesday the 8th of July 2015 the Sednit group started to use the Hacking Team Flash exploit in their exploit kit. Targets were then exposed to the following exploitation chain (see our blog post for more details on the exploit kit):\r\n1. The target receives a spear-phishing email containing a URL pointing to a domain name mimicking a legitimate domain name. In this particular case, we observed the domain “osce-press.org” being used, which mimics “osce.org/press”.\r\n2. If the target opens the URL, the browser hits a landing page with JavaScript code, which collects detailed information on the computer.\r\n3. If the computer matches certain criteria set by the Sednit operators (language, timezone…), the server then serves an exploit to the target. Since Wednesday, a Flash exploit has been delivered under the name “flash_video_x86.swf”. The decompiled code of the exploit is almost the same as the Hacking Team exploit – more precisely, the version dubbed “scratch_ie_ff_bytearray” in the leaked data. The only difference between the two exploits appears to be that the Sednit version receives the shellcode to execute in an input parameter, in a manner similar to Metasploit exploits, whereas in the Hacking Team version the shellcode is hardcoded in the Flash file. The following figures show the Main function in the two cases.\r\nFigure 1 - Hacking Team Flash exploit main function\r\nFigure 2 - Sednit Flash exploit main function\r\n4. If the Flash exploitation works, the victim receives a first-stage backdoor – malware whose purpose is to make sure the victim is the intended target. This malware contains Hacking Team's Windows privilege escalation exploit. Given the presence of syntactic differences, it appears the Sednit group recompiled the source code of the exploit without modifying its logic.\r\nIf the privilege escalation exploit works, the malware then establishes persistence on the machine through a scheduled task running with the highest privileges.\r\nThis story shows that advanced groups of attackers also employ opportunistic strategies. It took only a few days for the Sednit group to re-use the Hacking Team exploitation chain for their own purposes. The Wekby group – another APT team – was also reported to have done the same this week. We strongly encourage users to upgrade their Flash software.\r\nIndicators of Compromise\r\nExploit kit domain name: osce-press.org\r\nSednit Flash exploit SHA1: D43FD6579AB8B9C40524CC8E4B7BD05BE6674F6C\r\nSednit first-stage backdoor SHA1: 51B0E3CD6360D50424BF776B3CD673DD45FD0F97\r\nPayload persistence script name: fvecer.bat\r\nPayload file name: api-ms-win-downlevel-profile-l1-1-0.dll\r\nPayload SHA1: B8B3F53CA2CD64BD101CB59C6553F6289A72D9BB\r\nSource: http://www.welivesecurity.com/2015/07/10/sednit-apt-group-meets-hacking-team/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"http://www.welivesecurity.com/2015/07/10/sednit-apt-group-meets-hacking-team/"
	],
	"report_names": [
		"sednit-apt-group-meets-hacking-team"
	],
	"threat_actors": [
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434255,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c5c082e9545293bfa698428f08e12219e23bc33f.pdf",
		"text": "https://archive.orkl.eu/c5c082e9545293bfa698428f08e12219e23bc33f.txt",
		"img": "https://archive.orkl.eu/c5c082e9545293bfa698428f08e12219e23bc33f.jpg"
	}
}
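The report's exploitation chain (look-alike domain, Flash exploit file, first-stage backdoor, payload DLL, and a scheduled task running with the highest privileges) maps directly onto the indicators in its IoC table. The script below is an added hunting example and is not ESET's code: it checks proxy, file and scheduled-task telemetry against those indicators, generalises the "osce-press.org mimics osce.org" pattern into a brand look-alike check, and flags highest-privilege scheduled tasks that launch a batch file from a user-writable directory. The record layout, field names and the sample records are assumptions constructed for the example, not a real product schema or real incident data.

```python
"""Hunt for the Sednit / Hacking Team indicators from the ESET write-up.

Added example, not ESET's code. Indicators are copied from the article's IoC
table; the telemetry format (dicts with a 'type' key) and SAMPLE_RECORDS are
assumptions constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterable

# Indicators copied from the article (hashes lower-cased for comparison).
IOC_DOMAINS = {"osce-press.org"}
IOC_SHA1 = {
    "d43fd6579ab8b9c40524cc8e4b7bd05be6674f6c": "Sednit Flash exploit",
    "51b0e3cd6360d50424bf776b3cd673dd45fd0f97": "Sednit first-stage backdoor",
    "b8b3f53ca2cd64bd101cb59c6553f6289a72d9bb": "payload DLL",
}
IOC_FILENAMES = {"fvecer.bat", "api-ms-win-downlevel-profile-l1-1-0.dll",
                 "flash_video_x86.swf"}

# Brand -> legitimate apex. The kit put the brand into a look-alike name
# ("osce-press.org" for "osce.org/press"); this generalises that pattern.
PROTECTED_BRANDS = {"osce": "osce.org"}


@dataclass(frozen=True)
class Hit:
    rule: str
    evidence: str


def _labels(host: str) -> list[str]:
    return host.lower().rstrip(".").split(".")


def check_domain(host: str) -> list[Hit]:
    """Exact IoC match, then look-alike: a label equal to the brand or joined
    to it with '-' on a host that is not the legitimate apex or under it."""
    host = host.lower().rstrip(".")
    hits = []
    if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
        hits.append(Hit("ioc_domain", host))
    for brand, apex in PROTECTED_BRANDS.items():
        legit = host == apex or host.endswith("." + apex)
        pattern = rf"(?:.*-)?{re.escape(brand)}(?:-.*)?"
        if not legit and any(re.fullmatch(pattern, lb) for lb in _labels(host)):
            hits.append(Hit("lookalike_domain", f"{host} imitates {apex}"))
    return hits


def check_hash(sha1: str) -> list[Hit]:
    name = IOC_SHA1.get(sha1.lower())
    return [Hit("ioc_sha1", f"{name} ({sha1.lower()})")] if name else []


def check_filename(path: str) -> list[Hit]:
    base = re.split(r"[\\/]", path)[-1].lower()
    return [Hit("ioc_filename", base)] if base in IOC_FILENAMES else []


def check_scheduled_task(task_name: str, command: str, run_level: str) -> list[Hit]:
    """The article's persistence was a scheduled task with the highest
    privileges; flag such tasks whose command is an IoC file or a batch file
    under AppData/Temp (user-writable, so no admin rights needed to plant it)."""
    hits = check_filename(command)
    if run_level.lower() == "highest":
        cmd = command.lower()
        if hits or re.search(r"\\(?:appdata|temp)\\.*\.(?:bat|cmd)\b", cmd):
            hits.append(Hit("highest_privilege_task", f"{task_name}: {command}"))
    return hits


def scan(records: Iterable[dict]) -> list[Hit]:
    """Dispatch each telemetry record to the matching check (assumed schema)."""
    hits: list[Hit] = []
    for r in records:
        if r["type"] == "proxy":
            hits += check_domain(r["host"])
        elif r["type"] == "file":
            hits += check_hash(r["sha1"]) + check_filename(r["path"])
        elif r["type"] == "task":
            hits += check_scheduled_task(r["name"], r["command"], r["run_level"])
    return hits


# Constructed sample telemetry (not from the article or any real incident).
SAMPLE_RECORDS = [
    {"type": "proxy", "host": "www.osce.org"},          # legitimate, no hit
    {"type": "proxy", "host": "osce-press.org"},        # IoC and look-alike
    {"type": "proxy", "host": "osce-events.example"},   # look-alike only
    {"type": "file", "path": r"C:\Users\alice\AppData\Local\Temp\flash_video_x86.swf",
     "sha1": "D43FD6579AB8B9C40524CC8E4B7BD05BE6674F6C"},
    {"type": "file", "path": r"C:\Windows\System32\kernel32.dll",
     "sha1": "0000000000000000000000000000000000000000"},
    {"type": "task", "name": "Updater", "run_level": "Highest",
     "command": r"C:\Users\alice\AppData\Roaming\fvecer.bat"},
]

if __name__ == "__main__":
    for h in scan(SAMPLE_RECORDS):
        print(f"{h.rule:24} {h.evidence}")
```

Hash and exact-name matches only catch this exact campaign; because the Sednit SWF takes its shellcode as a parameter, the same file hash can front different payloads, so the look-alike and highest-privilege-task rules are the ones worth keeping once the listed indicators age out.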