{
	"id": "54d084d4-c594-48ea-b77e-484f8130614e",
	"created_at": "2026-04-06T00:19:56.386741Z",
	"updated_at": "2026-04-10T03:37:49.712268Z",
	"deleted_at": null,
	"sha1_hash": "ffa9dc25612e1c5bff65bd65be4f48121d09579d",
	"title": "Sednit: What’s going on with Zebrocy?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2739894,
	"plain_text": "Sednit: What’s going on with Zebrocy?\r\nBy ESET Research\r\nArchived: 2026-04-05 18:47:29 UTC\r\nThe Sednit group has been operating since at least 2004, and has made headlines frequently in past years: it is believed to be\r\nbehind major, high profile attacks. For instance, the US Department of Justice named the group as being responsible for the\r\nDemocratic National Committee (DNC) hack just before the US 2016 elections. The group is also presumed to be behind the\r\nhacking of global television network TV5Monde, the World Anti-Doping Agency (WADA) email leak, and many others.\r\nThis group has a diversified set of malware tools in its arsenal, several examples of which we have documented previously\r\nin our Sednit white paper from 2016.\r\nMeanwhile, ESET researchers released a whitepaper on LoJax, a UEFI rootkit we attribute to Sednit, used against\r\norganizations in the Balkans, and Central and Eastern Europe.\r\nIn August 2018, Sednit’s operators deployed two new Zebrocy components, and since then we have seen an uptick in\r\nZebrocy deployments. Zebrocy is a set of downloaders, droppers and backdoors; while downloaders and droppers are doing\r\nreconnaissance, backdoors implement persistence and spying activities against the target. These new components use an\r\nunusual way to exfiltrate gathered information by using protocols related to mail services such as SMTP and POP3.\r\nThe victims targeted by these new components are similar to victims mentioned in our previous Zebrocy post and by\r\nKaspersky. The targets of such attacks are located in Central Asia, as well as countries in Central and Eastern Europe,\r\nnotably embassies, ministries of foreign affairs, and diplomats.\r\nThe big picture\r\nFor two years now, the Sednit group has primarily used phishing emails as the infection vector for Zebrocy campaigns (Case\r\n1 and Case 2). 
Once the targets have been compromised, they use different first stage downloaders to gather information\r\nabout the victims and, should the victims be interesting enough, after a delay of several hours – or even days – they deploy\r\none of their second-level backdoors.\r\nhttps://www.welivesecurity.com/2018/11/20/sednit-whats-going-zebrocy/\r\nPage 1 of 12\n\nThe classic modus operandi for a Zebrocy campaign is for the victim to receive an archive attached to an email. This archive\r\ncontains two files, one a benign document and one an executable. The operator tries to fool the victim by naming the\r\nexecutable with an apparent document or image file name by incorporating the “double extension” trick.\r\nThis new campaign, depicted as Case 3 in Figure 1, uses a more involved procedure. We dissect this process below.\r\nDelphi dropper\r\nThe first binary is a Delphi dropper, which is kind of unusual for a Zebrocy campaign. Most of the time it’s a downloader\r\nrather than a dropper that is installed on the victim system as the first stage.\r\nThis dropper contains some tricks to make it more difficult to reverse-engineer. It uses a keyword – liver in the samples we\r\ndescribe here – to mark the start and end of key elements as shown below.\r\n$ yara -s tag_yara.yar SCANPASS_QXWEGRFGCVT_323803488900X_jpeg.exe\r\nfind_tag SCANPASS_QXWEGRFGCVT_323803488900X_jpeg.exe\r\n0x4c260:$tag: l\\x00i\\x00v\\x00e\\x00r\\x00\r\n0x6f000:$tag: liver\r\n0x6f020:$tag: liver\r\n0x13ab0c:$tag: liver\r\nThe YARA rule above looks for the string liver. 
The first liver is the one used in the code and it doesn’t separate anything\r\nfrom anything, while the others separate the key descriptor, the image (hexdump below) and the encrypted payload in the\r\ndropper.\r\n$ hexdump -Cn 48 -s 0x6f000 SCANPASS_QXWEGRFGCVT_323803488900X_jpeg.exe\r\n0006f000 6c 69 76 65 72 4f 70 65 6e 41 69 72 33 39 30 34 |liverOpenAir3904|\r\n0006f010 35 5f 42 61 79 72 65 6e 5f 4d 75 6e 63 68 65 6e |5_Bayren_Munchen|\r\n0006f020 6c 69 76 65 72 ff d8 ff e0 00 10 4a 46 49 46 00 |liver......JFIF.|\r\nStarting with the image, this is dropped as C:\\Users\\public\\Pictures\\scanPassport.jpg if a file of that name does not already\r\nexist. Interestingly, the dropper's filename, SCANPASS_QXWEGRFGCVT_323803488900X_jpeg.exe, also hints at a\r\nphishing scheme revolving around traveling or passport information. This might indicate that the operator knew the phishing\r\nmessage’s target. The dropper opens the image: if the file exists, it stops executing; otherwise, it drops the image, opens it,\r\nand retrieves the key descriptor OpenAir39045_Bayren_Munchen. The image doesn’t seem to display anything, although the\r\nfile format is valid; see Figure 2.\r\nThe key descriptor’s string contains Bayren_Munchen which seems likely to refer to the German soccer team FC Bayern\r\nMunich. Regardless, it is not the content of the key descriptor – but its length – that matters, with that length used to\r\nretrieve the XOR key used to encrypt the payload.\r\nTo get the XOR key, the dropper looks for the last liver keyword and adds the offset of the key descriptor. The length of the\r\nXOR key – 27 (0x1b) bytes – is the same as that of the key descriptor.\r\nUsing the XOR key and a simple XOR loop, the dropper decrypts the last part – which is the encrypted payload – right after\r\nthe last tag until the end of the file. 
Notice that the executable payload’s MZ header starts right after the keyword liver, and that\r\nthe XOR key is retrieved from a part of the PE header that is normally a sequence of 0x00 bytes; those bytes are restored once the\r\npayload is decrypted, as seen in Figure 3.\r\nIt drops the payload as C:\\Users\\Public\\Documents\\AcrobatReader.txt and moves the file to\r\nC:\\Users\\Public\\Documents\\AcrobatReader.exe.\r\nPerhaps this is an attempt to avoid endpoint protection systems triggering an alert based on a binary dropping a file with a\r\n.exe extension.\r\nOnce again, the operator tries to fool victims in the event that they take a look at the directory, in which case they'll see the\r\nfile displayed as in Figure 4:\r\nBy default, Windows hides the extension, and the operator leverages this so that an executable dropped in a Documents\r\ndirectory looks like a PDF file.\r\nFinally, the dropper executes its freshly-dropped payload, and exits.\r\nMSIL mail downloader\r\nThe payload of the previous dropper is a UPX-packed MSIL downloader. 
To make the process easier to understand, the main\r\nlogic is described below, followed by source code, then an overview of the dissected control flow.\r\nThe Main method calls Run to start the application, which then creates the form Form1.\r\n{\r\n Application.EnableVisualStyles();\r\n Application.SetCompatibleTextRenderingDefault(false);\r\n Application.Run((Form) new Form1());\r\n}\r\nForm1 initializes many variables, including a new Timer for seven of them.\r\n this.start = new Timer(this.components);\r\n this.inf = new Timer(this.components);\r\n this.txt = new Timer(this.components);\r\n this.subject = new Timer(this.components);\r\n this.run = new Timer(this.components);\r\n this.load = new Timer(this.components);\r\n this.screen = new Timer(this.components);\r\nA Timer object has three important fields:\r\nEnabled: indicates if the timer is active.\r\nInterval: the time, in milliseconds, between elapsed events.\r\nTick: the callback executed when the timer interval has elapsed and the timer is enabled.\r\nHere these fields are initialized as:\r\n this.start.Enabled = true;\r\n this.start.Interval = 120000;\r\n this.start.Tick += new EventHandler(this.start_Tick);\r\n this.inf.Interval = 10000;\r\n this.inf.Tick += new EventHandler(this.inf_Tick);\r\n this.txt.Interval = 120000;\r\n this.txt.Tick += new EventHandler(this.txt_Tick);\r\n this.subject.Interval = 120000;\r\n this.subject.Tick += new EventHandler(this.subject_Tick);\r\n this.run.Interval = 60000;\r\n this.run.Tick += new EventHandler(this.run_Tick);\r\n this.load.Interval = 120000;\r\n this.load.Tick += new EventHandler(this.load_Tick);\r\n this.screen.Interval = 8000;\r\n this.screen.Tick += new EventHandler(this.screen_Tick);\r\nFor each object, it sets an Interval ranging from 8 seconds to 2 minutes. A callback is added to the event handler. 
Notice\r\nthat start is the only one that sets Enabled to true, meaning that after 2 minutes (120000 milliseconds = 120 seconds)\r\nstart_Tick will be called by the event handler.\r\n private void start_Tick(object sender, EventArgs e)\r\n {\r\n try\r\n {\r\n this.start.Enabled = false;\r\n Lenor lenor = new Lenor();\r\n this.dir = !Directory.Exists(this.label15.Text.ToString()) ? this.label16.Text.ToString() + \"\\\" : this.label15\r\n this.att = this.dir + \"audev.txt\";\r\n this._id = lenor.id(this.dir);\r\n this.inf.Enabled = true;\r\n }\r\nThereafter each method has the same behavior: it sets its own Enabled variable to false at the beginning of the method, does its\r\nwork, and afterwards sets the Enabled variable of the next object to true, which activates the next timer. The\r\nEnabled variable is used by the operator to put in place a kind of state machine: if a function fails, this mechanism\r\nrepeats it until it succeeds. The delay between the execution of two functions might be an attempt to evade\r\nendpoint protection systems.\r\nNow that the structure of each method is defined, the following part focuses on the control flow of the malware.\r\nAs the exchanges happen between different email inboxes, here is an overview of the different steps.\r\nOne of the early checks made by the malware is for the existence of a specific path used to drop every file used during its\r\nexecution. If possible, it uses C:\\Users\\Public\\Videos\\; otherwise it falls back to C:\\Documents and Settings\\All\r\nUsers\\Documents\\ as its default directory. 
Notice that the latter path is specific to Windows XP while the former is for Vista\r\nand above.\r\nA 16-byte id is generated by concatenating the C: volume serial number and the UserName, and stored in the file audev.txt.\r\nThe downloader gathers the following information:\r\ncurrent path of the application\r\noperating system version\r\nsystem directory\r\nuser domain\r\nmachine name\r\nUserName\r\ncurrent time zone\r\ncurrent date\r\nlogical drive list and information about each of them (model, serial number, etc…)\r\ndirectory listing of C:\\Program Files\\ and C:\\Program Files (x86)\\\r\nprocess list\r\nAll this information is stored in the C:\\Users\\Public\\Videos\\si.ini file and sent in an email message, as an attachment, via\r\nSMTPS, using the default port 465. The email body contains the string SI (which probably stands for System Information);\r\nthe recipient is sym777.g@post.cz. For all email exchanges, the message's Subject: is set to the id.\r\nThe operator chooses to have multiple fallback addresses and sends the same email to two other, different recipients,\r\npresumably in case the main one is not working. Once the email has been sent, the downloader deletes the si.ini file.\r\nFor the first execution of the malware, it creates the file set.txt with {System_Parametrs = 10} inside and creates the\r\nWindows registry entry:\r\nOne screenshot of the victim’s computer is taken under the name scx.bin and sent as an email attachment with SC (which\r\nprobably stands for Screenshot) in the email’s body.\r\nAfter dispatch, this malware connects to the kae.mezhnosh@post.cz mailbox via POP3 over SSL (port 995) and looks for\r\nmessages with a Subject: that corresponds to its own id. If there is such a message and the body is not empty, the malware\r\nhex decodes it and then sends a message with okey in the body to sym777.g@post.cz. 
The content of the email previously\r\nretrieved is cleaned and parsed as below:\r\n string[] strArray = this._adr.Replace(\"B\u0026\", \"\").Replace(\"Db\", \"\").Split('%');\r\n string str1 = strArray[0];\r\n string str2 = strArray[1];\r\nTwo strings are obtained: the first one is a password and the second is a username for an email address.\r\nThese new credentials are used to connect to the freshly collected inbox, and to look there as well for a message with\r\na subject that matches the malware’s id and with an attachment whose filename contains the string audev. If both conditions are\r\nmet, the malware saves the attachment and deletes the message from the server.\r\nAll logging messages are sent to sym777.g@post.cz, while messages retrieved via POP3 are fetched with the recently\r\nobtained credentials.\r\nThese decisions by the operators make forensics more difficult. First, if you only have the downloader and the emails it\r\ncontains, you can’t connect to the mailbox that contains the next stage.\r\nSecond, if you retrieve the email credentials, you still can’t get the next payload because it was deleted after retrieval.\r\nOnce the downloader successfully writes the attachment to disk, it sends an email with okey2 in the body and an attachment,\r\nnamed l.txt, containing 090. The same file is overwritten with 000 and the malware tries to retrieve another message. Again\r\n– if it works – the l.txt file is sent with body text of okey3. The content of the attachment is a directory and a filename. The\r\nmalware moves the audev file to this filepath. Finally, the malware sends an email with a body message of okey4 and l.txt as\r\nattachment. 
It starts the executable, audev.exe, and checks the list of processes to see if one of them contains the string\r\naudev.\r\n Process.Start(this.rn);\r\n foreach (Process process in Process.GetProcesses())\r\n {\r\n if (process.ProcessName.Contains(\"audev\"))\r\n }\r\nIf a process with such a name is found, it sends a last email with okey5 as the body message and l.txt as the attachment.\r\nFinally, it deletes l.txt and set.txt, deletes the Windows registry key it created, and exits.\r\nDelphi mail downloader\r\nThe main role of this downloader is to assess the importance of the compromised system and, if it is deemed important\r\nenough, to download and execute Zebrocy’s last downloader.\r\nThe binary is written in Delphi and packed with UPX. The complete definition of the TForm1 object can be found in its\r\nresource section and contains some configuration parameters used by the malware. The following sections focus on the\r\ninitialization, capabilities, and network protocol of the downloader.\r\nInitialization\r\nAt the beginning, it decrypts a bunch of strings that are email addresses and passwords. The operator uses the AES ECB\r\nencryption algorithm. Each string is hex-encoded, with the first four bytes corresponding to the final size of the decrypted\r\nstring (the decrypted strings may contain some padding at the end). There are two AES keys in the TForm1 object; the first\r\none is used to encrypt data while the second is used to decrypt.\r\nEmails and passwords are used by the operator to send commands to the malware and also to retrieve information harvested\r\nfrom the victim’s computer. The communication protocols are SMTP and POP3 – both of them over SSL. 
To use OpenSSL,\r\nthe malware drops and uses two OpenSSL dynamic link libraries (DLLs): libeay32.dll\r\n(98c348cab0f835d6cf17c3a31cd5811f86c0388b) and ssleay32.dll (6d981d71895581dfb103170486b8614f7f203bdc).\r\nNotice that all files are dropped in the malware’s working directory, C:\\Users\\Public\\.\r\nPersistence is set up during the first execution of the malware using a well-known technique, the “Logon scripts”. It\r\ncreates a script file registration.bat and writes several strings from the TForm1 object into it. The final script is:\r\nreg add HKCU\\Environment /v \"UserInitMprLogonScript\" /t REG_EXPAND_SZ /d \"C:\\Users\\Public\\Videos\\audev.exe\" /f\r\ndel C:\\Users\\Public\\Videos\\registr.bat\r\nexit\r\nLast but not least, the malware creates an id, in the same way as seen in previous Zebrocy binaries. It retrieves the\r\nUserName via the GetUserNameW Windows API and prepends the volume serial number of the C:\\ drive.\r\nCapabilities\r\nAlthough the execution flow imposes conditions and an order on how information about the victim is collected, this\r\nsection describes the different gathering capabilities. The scan configuration is stored in the TForm1 object, grouped under\r\nseven different possibilities for retrieving information from the victim’s computer.\r\nStarting with a simple scan, the first information that the malware can collect is related to files with the following\r\nextensions: .docx, .xlsx, .pdf, .pptx, .rar, .zip, .jpg, .bmp, .tiff. For each file found on the disk, it retrieves the full path and\r\nthe last modified date of the file. That information is encrypted using the AES key mentioned earlier and stored in the file\r\n0.txt. Another scan targets the extensions .dat, .json, .db and, like the previous scan, it retrieves the full path and last modified\r\ndate of the file. 
It then encrypts that listing and stores it in the file 57.txt.\r\nListing running processes is also one of the capabilities of this malware; it stores that information in the 08.txt file, and\r\nthis looks like the listing below:\r\n======Listing_of_processes=======\r\n[System Process]\r\nSystem\r\nsmss.exe\r\ncsrss.exe\r\nwininit.exe\r\ncsrss.exe\r\nwinlogon.exe\r\nservices.exe\r\nlsass.exe\r\n[…]\r\nIn the file i.txt the malware gathers general information regarding the victim’s computer as well as some information about\r\nthe malware, like the version number and the path where it’s executed, as shown below:\r\nv7.00\r\nC:\\Users\\Public\\Videos\\audev.txt\r\n============================================\r\nLog_Drivers:\r\n C: fixed; size= 102297 Mb, free=83927 Mb S/N: [redacted]\r\n ==================================================\r\n OSV: Windows 7\r\nWinType: 32\r\nWinDir: C:\\Windows\r\nLang: English (United States)\r\nTZ: UTC1:0 Romance Standard Time\r\nHostN: [redacted]-PC\r\nUser: [redacted]\r\n===============S_LIST=====================\r\nC:\\Program Files\\Common Files\r\nC:\\Program Files\\desktop.ini\r\nC:\\Program Files\\DVD Maker\r\nC:\\Program Files\\Internet Explorer\r\nC:\\Program Files\\Microsoft.NET\r\nC:\\Program Files\\MSBuild\r\nC:\\Program Files\\Reference Assemblies\r\nC:\\Program Files\\Uninstall Information\r\nC:\\Program Files\\Windows Defender\r\n[…]\r\nThe malware is capable of taking screenshots, which are stored as 2\\[YYYY-mm-dd HH-MM-SS]-Image_001.jpg, and\r\ngenerates another file 2\\sa.bin, populated with the path listing of all screenshots taken. Its last capability is network\r\nenumeration; the output is found as 4.txt.\r\nNetwork Protocol\r\nThe Delphi Mail Downloader is quite a new addition to Zebrocy’s toolset and it features a new way to exfiltrate data and\r\nretrieve commands from the operator. 
The exfiltration is quite simple but very noisy on the network, as all the encrypted\r\nfiles gathered previously are sent over SMTPS and each version of the file is sent three times.\r\nSender | Recipient\r\nkevin30@ambcomission.com | rishit333@ambcomission.com\r\nsalah444@ambcomission.com | rishit333@ambcomission.com\r\nkarakos3232@seznam.cz | antony.miloshevich128@seznam.cz\r\nThe Subject: of the mail is the id of the victim and the file is sent as an attachment with a keyword corresponding to the file\r\ncontent. Notice that for each file there is an encrypted version of the file sent.\r\nFile | Encrypted file | Keyword\r\n- | 0.txt | SCAN\r\n57.txt | 58.txt | ACC\r\n08.txt | 082.txt | PrL\r\ni.txt | i2.txt | SYS_INFO\r\n4.txt | 42.txt | GET_NETWORK\r\nScreenshots taken and files matching both scans are sent as well but with different keywords.\r\nContent | Keyword\r\nscreenshots | SC\r\n.docx, .xlsx, .pdf, .pptx, .rar, .zip, .jpg, .bmp, .tiff | FILEs\r\n.dat, .json, .db | D_ACC\r\nWhile the exfiltration uses SMTP, the binary connects to the email address tomasso25@ambcomission.com via POP3 and\r\nparses emails. The body of the email contains different keywords that are interpreted as commands by the malware.\r\nKeyword | Purpose | Log\r\nscan | scan | -\r\nldfile | scan | -\r\nedit34 | execute and delete | -\r\npKL90 | register | isreg\r\nprlist | process listing | -\r\nStart23 | execute | isr\r\nnet40 | enumerating network resources | -\r\ndele5 | delete file | isd\r\ndele6 | delete directory | isd\r\ncd25 | create directory | isc\r\nautodel | delete itself | -\r\nCo55 | copy file | is_cp\r\nMo00 | move file | is_m\r\nOnce executed, a debug log and the result of the command, if any, are sent back to the operator. 
For example, for a scan\r\ncommand, the operator receives a file that contains the list of files matching the scan extensions along with each matching\r\nfile.\r\nWhile this downloader has some backdoor features, it drops a Delphi downloader already associated with the group, and\r\ndescribed in our previous Zebrocy article.\r\nSummary\r\nIn the past, we identified an overlap between Zebrocy and other traditional Sednit malware. We caught Zebrocy dropping\r\nXAgent, the Sednit flagship backdoor. Thus, we attribute Zebrocy to the Sednit group with high confidence.\r\nHowever, the analysis of these binaries shows some mistakes at the language level as well as development decisions that\r\nindicate a different maturity in the development of the toolset. Both downloaders use mail protocols to exfiltrate\r\ninformation and share common mechanisms to gather the same information. Both are also very noisy on the network and on\r\nthe system, as they create a lot of files and send a lot of them over the network. While analyzing the Delphi mail\r\ndownloader, some features seem to have disappeared but some strings still remain in the binary. 
Thus, while this toolset is\r\nbeing operated by the Sednit group, we are very confident that it is being developed by a different and less experienced\r\nteam, as compared to those who develop the traditional Sednit components.\r\nZebrocy components are fresh add-ons to the Sednit toolset, and the recent events might explain the increasing use of\r\nZebrocy’s binaries rather than the good old Sednit main malware.\r\nIndicators of Compromise (IoCs)\r\nFilename | SHA-1 | ESET detection\r\nSCANPASS_QXWEGRFGCVT_323803488900X_jpeg.exe | 7768fd2812ceff05db8f969a7bed1de5615bfc5a | Win32/Sednit.ORQ\r\nC:\\Users\\public\\Pictures\\scanPassport.jpg | da70c54a8b9fd236793bb2ab3f8a50e6cd37e2df | -\r\nC:\\Users\\Public\\Documents\\AcrobatReader.{exe,txt} | a225d457c3396e647ffc710cd1edd4c74dc57152 | MSIL/Sednit.D\r\nC:\\Users\\Public\\Videos\\audev.txt | a659a765536d2099ecbde988d6763028ff92752e | Win32/Sednit.CH\r\n%TMP%\\Indy0037C632.tmp | 20954fe36388ae8b1174424c8e4996ea2689f747 | Win32/TrojanDownloade\r\n%TMP%\\Indy01863A21.tmp | e0d8829d2e76e9bb02e3b375981181ae02462c43 | Win32/TrojanDownloade\r\nList of emails\r\nSource: https://www.welivesecurity.com/2018/11/20/sednit-whats-going-zebrocy/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2018/11/20/sednit-whats-going-zebrocy/"
	],
	"report_names": [
		"sednit-whats-going-zebrocy"
	],
	"threat_actors": [
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434796,
	"ts_updated_at": 1775792269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ffa9dc25612e1c5bff65bd65be4f48121d09579d.pdf",
		"text": "https://archive.orkl.eu/ffa9dc25612e1c5bff65bd65be4f48121d09579d.txt",
		"img": "https://archive.orkl.eu/ffa9dc25612e1c5bff65bd65be4f48121d09579d.jpg"
	}
}