Agent - Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-05 13:27:25 UTC
 Tool: X-Agent
Names
X-Agent
Xagent
Popr-d30
SPLM
CHOPSTICK
fysbis
Backdoor.SofacyX
webhp
Category Malware
Type Backdoor, Keylogger, Info stealer, Tunneling
Description
CHOPSTICK is a malware family of modular backdoors used by APT28. It has been used
since at least 2012 and is usually dropped on victims as second-stage malware, though it has
been used as first-stage malware in several cases. It has both Windows and Linux variants. It
is tracked separately from the X-Agent for Android.
Information
MITRE ATT&CK https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d4eb88ba-57f3-4528-bda2-5c05b113e924
Page 1 of 2

Malpedia
AlienVault OTX Last change to this tool card: 30 December 2022
Download this tool card in JSON format
All groups using tool X-Agent
Changed Name Country Observed
APT groups
 Sofacy, APT 28, Fancy Bear, Sednit 2004-Apr 2025
1 group listed (1 APT, 0 other, 0 unknown)
↑
Source: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d4eb88ba-57f3-4528-bda2-5c05b113e924
https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d4eb88ba-57f3-4528-bda2-5c05b113e924
Page 2 of 2