{
	"id": "a9bf9893-d593-473b-92e5-43dce8acb692",
	"created_at": "2026-04-06T00:16:51.586572Z",
	"updated_at": "2026-04-10T03:37:49.999128Z",
	"deleted_at": null,
	"sha1_hash": "ef06a1232ad4fb2fe7020990c7d0ef178ff5181a",
	"title": "A Deep Dive into Zebrocy’s Dropper Docs - SentinelLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4468835,
	"plain_text": "A Deep Dive into Zebrocy’s Dropper Docs - SentinelLabs\r\nBy Marco Figueroa\r\nPublished: 2021-04-19 · Archived: 2026-04-05 13:53:26 UTC\r\nContributor: Amitai Ben Shushan Ehrlich\r\nSofacy is an APT threat actor that has been active since 2008 and rose to prominence with the election hacks of 2016. Better known as Fancy Bear or APT28, this threat actor targets government, military, and private organizations and has been known to engage in hack-and-leak operations. In the past couple of years, Sofacy has drastically retooled and largely evaded analysts. One of the more consistent subgroups is known as Zebrocy. Its targeting appears primarily focused on former Soviet republics and, more recently, Asia.\r\nIn March 2021, we observed a cluster of activities targeting Kazakhstan with Delphocy – malware written in Delphi and previously associated with Zebrocy. The Word documents that were observed purport to be from a Kazakh company named Kazchrome, a mining and metal company and one of the world’s largest producers of chrome ore and ferroalloys.\r\nIn total, we found six Delphocy Word documents that appear to be related to this cluster, all of which contain the same VBA script that drops a PE. Of the six Word documents, two appear to be authentic uploads to VirusTotal by victims in Kazakhstan. The uploaded files carry what appear to be the original filenames Авансовый отчет(новый).doc and Форма докладной (служебной) записки.doc.\r\nIn this post, we take a deep dive into these samples and share some techniques other analysts can employ to reverse engineer Delphocy dropper docs. 
We show how researchers can bypass password-protected macros, and describe both how to decompile Delphi using IDR (Interactive Delphi Reconstructor) and how to import the saved IDC file into Ghidra using the dhrake plugin.\r\nThe results of our analysis led us to discover further Zebrocy clusters; a list of IOCs and YARA detection rules is provided to enable threat hunters to search for these and related artifacts in their environments.\r\nBypassing VBA Macro Password Protection\r\nWhen analyzing Office documents with VBA macros, threat hunters have many different tools and techniques that do the job, but I built a habit when I first started reversing malware that I still use: bypassing password-protected macros manually.\r\nhttps://labs.sentinelone.com/a-deep-dive-into-zebrocys-dropper-docs/\r\nPage 1 of 11\r\n1. Open up your favorite hex editor. I use HxD.\r\n2. Load the Word document.\r\n3. Search for the following text:\r\n   a. CMG=\r\n   b. GC=\r\n   c. DPB=\r\n4. Add an x to each of them:\r\n   a. CMGx=\r\n   b. GCx=\r\n   c. DPBx=\r\n5. Save the file with the changes.\r\nWhen opening the Word document and viewing the macro this time, you can see the script as well as the Forms.\r\nWhen analyzing the function, what immediately sticks out is ert.DataType = “bin.base64”, showing that UserForm1 is encoded with base64.\r\nWininition UserForm\r\nWhen selecting UserForm1, the textbox reveals a base64-encoded string; we know this because of the function we discussed above. 
The next step is to copy the entire string into a file so it can be decoded.\r\nNow we decode the binary from base64 and save it to disk as wininition.exe.\r\nFollowing that, clean the headers using HxD, and then use PE-Bear to fix the section headers before moving to the next phase of the analysis.\r\nWhen triaging a binary, the go-to tool is Hiew to investigate and look for clues for a deeper understanding. With wininition, I notice the Embarcadero string, which means that this binary was written in Delphi. When reversing Delphi binaries I’ve always used IDR (Interactive Delphi Reconstructor). IDR is a decompiler for executable files and dynamic libraries (DLLs) written in Delphi.\r\nReversing Delphi Binaries with Ghidra and dhrake\r\nWhen searching for the latest developments with IDR, I came across a fantastic plugin for Ghidra: a collection of scripts for reverse engineering Delphi binaries in Ghidra using IDR’s IDC output. It was published over a year ago, but it is a gem for threat hunters who use Ghidra.\r\ndhrake allows you to import the IDC file from IDR into Ghidra. This imports the symbol names and function signatures and creates structs for Delphi classes. The plugin extracts and applies the Delphi symbols from the IDC file generated by IDR, and attempts to find cases where Ghidra has incorrectly determined the entry point of a function. If you’ve never imported a plugin into Ghidra, please read this post. I’ve saved the IDC to a selected folder. 
I then install the plugin in Ghidra and run the script; it prompts for the IDC file and then loads it!\r\nIn the wininition binary, the first function, WinMain, calls SetWindowsHookExW, which installs a hook procedure to monitor the system for certain types of events. The hook type for low-level keyboard input events is WH_KEYBOARD_LL, which is the value 13 in the parameter. This hook is a mechanism that intercepts keystroke events. All the events are then saved to a log file to be sent to a C2.\r\nThe C2 is obfuscated using hex that can be converted to ASCII:\r\n68747470733A2F2F7777772E786268702E636F6D2F646F6D696E61726772656174617369616E6F6479737365792F77702D636F6E74656E7\r\nhxxps://www.xbhp[.]com/dominargreatasianodyssey/wp-content/plugins/akismet/style.php\r\n68747470733A2F2F7777772E63346373612E6F72672F696E636C756465732F736F75726365732F66656C696D732E706870\r\nhxxps://www.c4csa[.]org/includes/sources/felims.php\r\nNote: These appear to be compromised domains.\r\nConclusion\r\nAnalysis of these documents led us to find other Zebrocy clusters. As Zebrocy continues to evolve its scope, organizations must have the proper visibility and detection capabilities to find this threat actor. 
We hope the techniques discussed in this post will be useful to other researchers in analyzing Delphocy dropper docs in particular, and documents with password-protected macros in general.\r\nIndicators of Compromise\r\nWord Documents\r\nVBA\r\nSHA256\r\na442135c04dd2c9cbf26b2a85264d31a5ac4ec5d2069a7b63bc14b64a6dd82b7\r\nSHA1\r\n6ec4eb883752b70db134ac0f4e0d5b4a77196184\r\nWininition\r\nSHA256\r\nee7cfc55a49b2e9825a393a94b0baad18ef5bfced67531382e572ef8a9ecda4b\r\nSHA1\r\nafbdb13d8f620d0a5599cbc7a7d9ce8001ee32f1\r\nURLs\r\nhxxps://www.xbhp[.]com/dominargreatasianodyssey/wp-content/plugins/akismet/style.php\r\nhxxps://www.c4csa[.]org/includes/sources/felims.php\r\nYara Rules\r\nrule apt_RU_delphocy_encStrings {\r\n    meta:\r\n        desc = \"Hex strings in Delphocy drops\"\r\n        author = \"JAG-S @ SentinelLabs\"\r\n        version = \"1.0\"\r\n        TLP = \"White\"\r\n        last_modified = \"04.09.2021\"\r\n        hash0 = \"ee7cfc55a49b2e9825a393a94b0baad18ef5bfced67531382e572ef8a9ecda4b\"\r\n        hash1 = \"07b2d21f4ef077ccf16935e44864b96fa039f2e88c73b518930b6048f6baad74\"\r\n    strings:\r\n        $enc_keylogger2 = \"5B4241434B53504143455D\" ascii wide\r\n        $enc_keylogger3 = \"5B5441425D\" ascii wide\r\n        $enc_keylogger4 = \"5B53484946545D\" 
ascii wide\r\n        $enc_keylogger5 = \"5B434F4E54524F4C5D\" ascii wide\r\n        $enc_keylogger6 = \"5B4553434150455D\" ascii wide\r\n        $enc_keylogger7 = \"5B454E445D\" ascii wide\r\n        $enc_keylogger8 = \"5B484F4D455D\" ascii wide\r\n        $enc_keylogger9 = \"5B4C4546545D\" ascii wide\r\n        $enc_keylogger10 = \"5B55505D\" ascii wide\r\n        $enc_keylogger11 = \"5B52494748545D\" ascii wide\r\n        $enc_keylogger12 = \"5B444F574E5D\" ascii wide\r\n        $enc_keylogger13 = \"5B434150534C4F434B5D\" ascii wide\r\n        $cnc1 = \"68747470733A2F2F7777772E786268702E636F6D2F646F6D696E61726772656174617369616E6F6479737365\r\n        $cnc2 = \"68747470733A2F2F7777772E63346373612E6F72672F696E636C756465732F736F75726365732F66656C696D\r\n    condition:\r\n        uint16(0) == 0x5a4d and (any of ($cnc*) or all of ($enc_keylogger*))\r\n}\r\nrule apt_RU_Delphocy_Maldocs {\r\n    meta:\r\n        desc = \"Delphocy dropper docs\"\r\n        author = \"JAG-S @ SentinelLabs\"\r\n        version = \"1.0\"\r\n        TLP = \"White\"\r\n        last_modified = \"04.09.2021\"\r\n        hash1 = \"3b548a851fb889d3cc84243eb8ce9cbf8a857c7d725a24408934c0d8342d5811\"\r\n        hash2 = \"c213b60a63da80f960e7a7344f478eb1b72cee89fd0145361a088478c51b2c0e\"\r\n        hash3 = \"d9e7325f266eda94bfa8b8938de7b7957734041a055b49b94af0627bd119c51c\"\r\n        hash4 = \"1e8261104cbe4e09c19af7910f83e9545fd435483f24f60ec70c3186b98603cc\"\r\n    strings:\r\n        $required1 = \"_VBA_PROJECT\" ascii wide\r\n        $required2 = \"Normal.dotm\" ascii wide\r\n        $required3 = \"bin.base64\" ascii wide\r\n        $required4 = \"ADODB.Stream$\" ascii wide\r\n        $author1 = \"Dinara Tanmurzina\" ascii wide\r\n        $author2 = \"Hewlett-Packard Company\" ascii wide\r\n        $specific = \"Caption     =  \\\"wininition.exe\\\"\" ascii wide\r\n        $builder1 = \"Begin {C62A69F0-16DC-11CE-9E98-00AA00574A4F} UserForm1\" ascii wide\r\n        $builder2 = \"{02330CFE-305D-431C-93AC-29735EB37575}{33D6B9D9-9757-485A-89F4-4F27E5959B10}\" ascii\r\n        $builder3 = \"VersionCompatible32=\\\"393222000\\\"\" ascii 
wide\r\n        $builder4 = \"CMG=\\\"1517B95BC9F7CDF7CDF3D1F3D1\\\"\" ascii wide\r\n        $builder5 = \"DPB=\\\"ADAF01C301461E461EB9E2471E616F01D06093C59A7C4D30F64A51BDEDDA98EC1590C9B191FF\\\"\"\r\n        $builder6 = \"GC=\\\"4547E96B19021A021A02\\\"\" ascii wide\r\n    condition:\r\n        uint32(0) == 0xE011CFD0 and all of ($required*) and (all of ($author*) or $specific or 5 of ($builder*))\r\n}\r\nSource: https://labs.sentinelone.com/a-deep-dive-into-zebrocys-dropper-docs/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://labs.sentinelone.com/a-deep-dive-into-zebrocys-dropper-docs/"
	],
	"report_names": [
		"a-deep-dive-into-zebrocys-dropper-docs"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434611,
	"ts_updated_at": 1775792269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ef06a1232ad4fb2fe7020990c7d0ef178ff5181a.pdf",
		"text": "https://archive.orkl.eu/ef06a1232ad4fb2fe7020990c7d0ef178ff5181a.txt",
		"img": "https://archive.orkl.eu/ef06a1232ad4fb2fe7020990c7d0ef178ff5181a.jpg"
	}
}