{
	"id": "1b6a5c45-97ec-4090-9f14-1b3a24a01bfe",
	"created_at": "2026-04-06T00:07:49.20476Z",
	"updated_at": "2026-04-10T03:37:50.510251Z",
	"deleted_at": null,
	"sha1_hash": "f62a15cac5079e3b0a6227c5ea32f9e410395aa4",
	"title": "[Research Summary]: Zebrocy Malware - Brandefense",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 129939,
	"plain_text": "[Research Summary]: Zebrocy Malware - Brandefense\r\nPublished: 2022-09-28 · Archived: 2026-04-05 19:03:14 UTC\r\nThis blog post comes from the “Zebrocy Technical Analysis Report” by the Brandefense CTI Analyst Team. For more details about the analysis, download the report.\r\nExecutive Summary\r\nIn this report prepared by the Brandefense cyber intelligence team, we analyzed malware toolkits belonging to an advanced cyber threat group, Sofacy (other security providers call it APT28, Fancy Bear, STRONTIUM, Pawn Storm, and Sednit). The report covers more than one version of the malicious software sets belonging to the Sofacy group.\r\nThe anti-malware precautions described here should not be considered specific to Zebrocy; they apply to other malware toolkits as well. The behavior of groups with a high threat profile, such as Sofacy, must be understood. The techniques we describe explain what defenders need to do if they become the target of a future offensive campaign.\r\nWe consider that the attack methods and malware investigations in the report should raise cyber security awareness. In addition, the TTP findings on these threat actors will feed into the work of cybersecurity teams.\r\nGeneral Description \u0026 Motivation\r\nZebrocy is malware in the Trojan category, which the threat actor group APT28/Sofacy has used since 2015. Zebrocy consists of three main components: a Backdoor, a Downloader, and a Dropper. The Downloader and Dropper are responsible for discovery and for downloading the main malware onto the system, while the Backdoor handles persistence, espionage, and data exfiltration.\r\nThis malware, which is not considered new, has had variants in many languages from the past to the present, including Delphi, C#, Visual C++, VB.net, and Golang. Furthermore, we know that advanced threat actors and groups revise the malicious software in their toolkits at certain intervals, using different languages and technologies.\r\nAt the distribution stage it relies on social engineering: thematic fake emails on trending topics direct victims to open the attached files.\r\nThe sectors targeted by the malware are as follows:\r\nMinistries of Energy and Industry\r\nScience and Engineering Centers\r\nMinistry of Foreign Affairs\r\nNational Security and Intelligence Agencies\r\nPress Services\r\nEmbassies and Consulates\r\nThe threat group’s focus is espionage aimed at critical and strategic points of states and organizations. These targets are located in countries in the Middle East, Europe, and North America.\r\nOnce Zebrocy has infiltrated the target system, it first initiates a discovery phase, collecting metadata about the compromised system and a screenshot. It then carries out further actions within the system according to specific rules.\r\nAfter the discovery phase, it transmits files with the extensions listed below to the command and control server for data exfiltration.\r\nRelated file extensions:\r\n.doc, .docx\r\n.xls, .xlsx\r\n.ppt, .pptx\r\n.exe\r\n.zip, .rar\r\nAs a general definition: Zebrocy serves targeted attack campaigns and contains the functions necessary for espionage. Furthermore, the malware is thought to be updated periodically and structured so that its capabilities can be extended by adding new modules.\r\nFigure 1: Zebrocy Variant Chart Published by Kaspersky Researchers\r\nSource: https://brandefense.io/zebrocy-malware-technical-analysis-report/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://brandefense.io/zebrocy-malware-technical-analysis-report/"
	],
	"report_names": [
		"zebrocy-malware-technical-analysis-report"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434069,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f62a15cac5079e3b0a6227c5ea32f9e410395aa4.pdf",
		"text": "https://archive.orkl.eu/f62a15cac5079e3b0a6227c5ea32f9e410395aa4.txt",
		"img": "https://archive.orkl.eu/f62a15cac5079e3b0a6227c5ea32f9e410395aa4.jpg"
	}
}