
Sofacy

aka: APT 28, APT28, Pawn Storm, PawnStorm, Fancy Bear, Sednit, SNAKEMACKEREL, TsarTeam, Tsar Team, TG-4127, Group-4127, STRONTIUM, TAG_0700, Swallowtail, IRON TWILIGHT, Group 74, SIG40, Grizzly Steppe, apt_sofacy

The Sofacy Group (also known as APT28, Pawn Storm, Fancy Bear and Sednit) is a cyber espionage group believed to have ties to the Russian government. Likely operating since 2007, the group is known to target government, military, and security organizations. It has been characterized as an advanced persistent threat.


Associated Families
apk.popr-d30 elf.xagent ios.xagent win.downrage win.lojax win.xp_privesc win.xtunnel_net win.zebrocy_au3 win.pocodown win.sedreco win.xtunnel win.seduploader win.unidentified_078 win.cannon win.downdelph win.computrace win.coreshell win.koadic osx.komplex win.oldbait osx.xagent win.xagent win.zebrocy

References
2020-10-29 | US-CERT | US-CERT
@online{uscert:20201029:malware:8122496, author = {US-CERT}, title = {{Malware Analysis Report (AR20-303B): ZEBROCY Backdoor}}, date = {2020-10-29}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b}, language = {English}, urldate = {2020-11-02} } Malware Analysis Report (AR20-303B): ZEBROCY Backdoor
Zebrocy
2020-10-23 | 360 | 360 Threat Intelligence Center
@online{center:20201023:apt28:099c6cd, author = {360 Threat Intelligence Center}, title = {{APT28携小众压缩包诱饵对北约、中亚目标的定向攻击分析}}, date = {2020-10-23}, organization = {360}, url = {https://mp.weixin.qq.com/s/6R7bFs9lH1I3BNdkatCC9g}, language = {Chinese}, urldate = {2020-10-26} } APT28携小众压缩包诱饵对北约、中亚目标的定向攻击分析
Zebrocy
2020-09-22 | QuoScient | QuoIntelligence
@online{quointelligence:20200922:apt28:9bfda0c, author = {QuoIntelligence}, title = {{APT28 Delivers Zebrocy Malware Campaign using NATO Theme as Lure}}, date = {2020-09-22}, organization = {QuoScient}, url = {https://quointelligence.eu/2020/09/apt28-zebrocy-malware-campaign-nato-theme/}, language = {English}, urldate = {2020-09-23} } APT28 Delivers Zebrocy Malware Campaign using NATO Theme as Lure
Zebrocy Sofacy
2020-09-22 | Bleeping Computer | Ax Sharma
@online{sharma:20200922:russian:c3158b2, author = {Ax Sharma}, title = {{Russian hackers use fake NATO training docs to breach govt networks}}, date = {2020-09-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/russian-hackers-use-fake-nato-training-docs-to-breach-govt-networks/}, language = {English}, urldate = {2020-09-24} } Russian hackers use fake NATO training docs to breach govt networks
Zebrocy Sofacy
2020-09-10 | Microsoft | Microsoft Threat Intelligence Center (MSTIC)
@online{mstic:20200910:strontium:eeaafcd, author = {Microsoft Threat Intelligence Center (MSTIC)}, title = {{STRONTIUM: Detecting new patterns in credential harvesting}}, date = {2020-09-10}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/}, language = {English}, urldate = {2020-09-15} } STRONTIUM: Detecting new patterns in credential harvesting
Sofacy
2020-09-10 | Kaspersky Labs | GReAT
@online{great:20200910:overview:f751b73, author = {GReAT}, title = {{An overview of targeted attacks and APTs on Linux}}, date = {2020-09-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/}, language = {English}, urldate = {2020-10-05} } An overview of targeted attacks and APTs on Linux
Cloud Snooper Dacls DoubleFantasy MESSAGETAP Penquin Turla Tsunami elf.wellmess X-Agent
2020-09-01 | Twitter (@Vishnyak0v) | Alexey Vishnyakov
@online{vishnyakov:20200901:sample:cbed5e0, author = {Alexey Vishnyakov}, title = {{Tweet on sample discovery}}, date = {2020-09-01}, organization = {Twitter (@Vishnyak0v)}, url = {https://twitter.com/Vishnyak0v/status/1300704689865060353}, language = {English}, urldate = {2020-09-01} } Tweet on sample discovery
Unidentified 078 (Zebrocy Nim Loader?)
2020-07-29 | Kaspersky Labs | GReAT
@online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-07-01 | 360 | 360 Threat Intelligence Center
@online{center:20200701::fc5fdee, author = {360 Threat Intelligence Center}, title = {{游走在东欧和中亚的奇幻熊}}, date = {2020-07-01}, organization = {360}, url = {https://mp.weixin.qq.com/s/pE_6VRDk-2aTI996sff0og}, language = {Chinese}, urldate = {2020-10-26} } 游走在东欧和中亚的奇幻熊
Zebrocy
2020-06-09 | Kaspersky Labs | Costin Raiu
@online{raiu:20200609:looking:3038dce, author = {Costin Raiu}, title = {{Looking at Big Threats Using Code Similarity. Part 1}}, date = {2020-06-09}, organization = {Kaspersky Labs}, url = {https://securelist.com/big-threats-using-code-similarity-part-1/97239/}, language = {English}, urldate = {2020-08-18} } Looking at Big Threats Using Code Similarity. Part 1
Penquin Turla CCleaner Backdoor EternalPetya Regin WannaCryptor XTunnel
2020-05-21 | PICUS Security | Süleyman Özarslan
@online{zarslan:20200521:t1055:4400f98, author = {Süleyman Özarslan}, title = {{T1055 Process Injection}}, date = {2020-05-21}, organization = {PICUS Security}, url = {https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection}, language = {English}, urldate = {2020-06-03} } T1055 Process Injection
BlackEnergy Cardinal RAT Downdelph Emotet Kazuar RokRAT SOUNDBITE
2020-03-20 | Bitdefender | Liviu Arsene
@online{arsene:20200320:5:46813c6, author = {Liviu Arsene}, title = {{5 Times More Coronavirus-themed Malware Reports during March}}, date = {2020-03-20}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter}, language = {English}, urldate = {2020-03-26} } 5 Times More Coronavirus-themed Malware Reports during March
ostap HawkEye Keylogger Koadic Loki Password Stealer (PWS) Nanocore RAT Remcos
2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020-01-09 | Github (zerosum0x0) | zerosum0x0
@online{zerosum0x0:20200109:koadic:2b6e0c1, author = {zerosum0x0}, title = {{Koadic}}, date = {2020-01-09}, organization = {Github (zerosum0x0)}, url = {https://github.com/zerosum0x0/koadic}, language = {English}, urldate = {2020-01-09} } Koadic
Koadic
2020 | Secureworks | SecureWorks
@online{secureworks:2020:gold:0d8c853, author = {SecureWorks}, title = {{GOLD DRAKE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-drake}, language = {English}, urldate = {2020-05-23} } GOLD DRAKE
Dridex Empire Downloader FriedEx Koadic MimiKatz
2020 | Secureworks | SecureWorks
@online{secureworks:2020:cobalt:8d36ac3, author = {SecureWorks}, title = {{COBALT TRINITY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/cobalt-trinity}, language = {English}, urldate = {2020-05-23} } COBALT TRINITY
POWERTON pupy Imminent Monitor RAT Koadic Nanocore RAT NetWire RC PoshC2 APT33
2020 | Secureworks | SecureWorks
@online{secureworks:2020:cobalt:e50c4e9, author = {SecureWorks}, title = {{COBALT ULSTER}}, date = {2020}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/cobalt-ulster}, language = {English}, urldate = {2020-05-27} } COBALT ULSTER
POWERSTATS Koadic MuddyWater
2020 | Secureworks | SecureWorks
@online{secureworks:2020:iron:48c68a0, author = {SecureWorks}, title = {{IRON TWILIGHT}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-twilight}, language = {English}, urldate = {2020-05-23} } IRON TWILIGHT
X-Agent X-Agent X-Agent Computrace HideDRV Sedreco Seduploader X-Agent XTunnel Zebrocy Zebrocy (AutoIT)
2019-12-05 | Marco Ramilli's Blog | Marco Ramilli
@online{ramilli:20191205:apt28:aa3defd, author = {Marco Ramilli}, title = {{APT28 Attacks Evolution}}, date = {2019-12-05}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2019/12/05/apt28-attacks-evolution/}, language = {English}, urldate = {2019-12-17} } APT28 Attacks Evolution
Sofacy
2019-10-24 | MeltX0R Security | MeltX0R
@online{meltx0r:20191024:10242019:6438b53, author = {MeltX0R}, title = {{10/24/2019 - APT28: Targeted attacks against mining corporations in Kazakhstan}}, date = {2019-10-24}, organization = {MeltX0R Security}, url = {https://meltx0r.github.io/tech/2019/10/24/apt28.html}, language = {English}, urldate = {2020-01-07} } 10/24/2019 - APT28: Targeted attacks against mining corporations in Kazakhstan
Zebrocy
2019-09-24 | ESET Research | ESET Research
@online{research:20190924:no:a84b64a, author = {ESET Research}, title = {{No summer vacations for Zebrocy}}, date = {2019-09-24}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/09/24/no-summer-vacations-zebrocy/}, language = {English}, urldate = {2019-11-14} } No summer vacations for Zebrocy
Zebrocy
2019-08-28 | Cylance | Cylance Threat Research Team
@online{team:20190828:inside:c3051c2, author = {Cylance Threat Research Team}, title = {{Inside the APT28 DLL Backdoor Blitz}}, date = {2019-08-28}, organization = {Cylance}, url = {https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html}, language = {English}, urldate = {2020-01-06} } Inside the APT28 DLL Backdoor Blitz
PocoDown
2019-08-01 | Kaspersky Labs | GReAT
@online{great:20190801:trends:5e25d5b, author = {GReAT}, title = {{APT trends report Q2 2019}}, date = {2019-08-01}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2019/91897/}, language = {English}, urldate = {2020-08-13} } APT trends report Q2 2019
ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy Microcin
2019-07-10 | Cylance | Cylance Threat Research Team
@online{team:20190710:flirting:dbf23d3, author = {Cylance Threat Research Team}, title = {{Flirting With IDA and APT28}}, date = {2019-07-10}, organization = {Cylance}, url = {https://threatvector.cylance.com/en_us/home/flirting-with-ida-and-apt28.html}, language = {English}, urldate = {2020-01-06} } Flirting With IDA and APT28
PocoDown
2019-06-03 | Kaspersky Labs | GReAT
@online{great:20190603:zebrocys:25be7a9, author = {GReAT}, title = {{Zebrocy’s Multilanguage Malware Salad}}, date = {2019-06-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/zebrocys-multilanguage-malware-salad/90680/}, language = {English}, urldate = {2019-12-20} } Zebrocy’s Multilanguage Malware Salad
Zebrocy
2019-05-22 | ESET Research | ESET Research
@online{research:20190522:journey:0627ad7, author = {ESET Research}, title = {{A journey to Zebrocy land}}, date = {2019-05-22}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/}, language = {English}, urldate = {2019-11-14} } A journey to Zebrocy land
Zebrocy
2019-05-20 | Check Point | Ben Herzog
@online{herzog:20190520:malware:dac1524, author = {Ben Herzog}, title = {{Malware Against the C Monoculture}}, date = {2019-05-20}, organization = {Check Point}, url = {https://research.checkpoint.com/malware-against-the-c-monoculture/}, language = {English}, urldate = {2019-10-14} } Malware Against the C Monoculture
AdWind jRAT GhostMiner Zebrocy
2019-05-18 | Twitter (@cyb3rops) | Florian Roth
@online{roth:20190518:yara:b6d66a4, author = {Florian Roth}, title = {{Tweet on YARA and APT28}}, date = {2019-05-18}, organization = {Twitter (@cyb3rops)}, url = {https://twitter.com/cyb3rops/status/1129653190444703744}, language = {English}, urldate = {2020-01-10} } Tweet on YARA and APT28
PocoDown
2019-04-18 | Yoroi | ZLAB-Yoroi
@online{zlabyoroi:20190418:apt28:709f72a, author = {ZLAB-Yoroi}, title = {{APT28 and Upcoming Elections: Evidence of Possible Interference (Part II)}}, date = {2019-04-18}, organization = {Yoroi}, url = {https://blog.yoroi.company/research/apt28-and-upcoming-elections-possible-interference-signals-part-ii/}, language = {English}, urldate = {2020-01-06} } APT28 and Upcoming Elections: Evidence of Possible Interference (Part II)
Downrage
2019-02-20 | Washington Post | Elizabeth Dwoskin, Craig Timberg
@online{dwoskin:20190220:microsoft:9d4cb73, author = {Elizabeth Dwoskin and Craig Timberg}, title = {{Microsoft says it has found another Russian operation targeting prominent think tanks}}, date = {2019-02-20}, organization = {Washington Post}, url = {https://www.washingtonpost.com/technology/2019/02/20/microsoft-says-it-has-found-another-russian-operation-targeting-prominent-think-tanks/?utm_term=.870ff11468ae}, language = {English}, urldate = {2019-11-29} } Microsoft says it has found another Russian operation targeting prominent think tanks
Sofacy
2019-02-13 | Accenture Security | Accenture Security
@techreport{security:20190213:snakemackerel:17add25, author = {Accenture Security}, title = {{SNAKEMACKEREL: Threat Campaign Likely Targeting NATO Members, Defense and Military Outlets}}, date = {2019-02-13}, institution = {Accenture Security}, url = {https://www.accenture.com/t20190213T141124Z__w__/us-en/_acnmedia/PDF-94/Accenture-SNAKEMACKEREL-Threat-Campaign-Likely-Targeting-NATO-Members-Defense-and-Military-Outlets.pdf}, language = {English}, urldate = {2019-12-18} } SNAKEMACKEREL: Threat Campaign Likely Targeting NATO Members, Defense and Military Outlets
Sofacy
2019-01-24 | Kaspersky Labs | Kaspersky Lab ICS CERT
@online{cert:20190124:greyenergys:523e803, author = {Kaspersky Lab ICS CERT}, title = {{GreyEnergy’s overlap with Zebrocy}}, date = {2019-01-24}, organization = {Kaspersky Labs}, url = {https://securelist.com/greyenergys-overlap-with-zebrocy/89506/}, language = {English}, urldate = {2019-12-20} } GreyEnergy’s overlap with Zebrocy
GreyEnergy Zebrocy
2019-01-11 | Kaspersky Labs | GReAT
@online{great:20190111:zebrocy:671fed1, author = {GReAT}, title = {{A Zebrocy Go Downloader}}, date = {2019-01-11}, organization = {Kaspersky Labs}, url = {https://securelist.com/a-zebrocy-go-downloader/89419/}, language = {English}, urldate = {2019-12-20} } A Zebrocy Go Downloader
Zebrocy
2019 | MITRE | MITRE ATT&CK
@online{attck:2019:apt28:f03c2bd, author = {MITRE ATT&CK}, title = {{Group description: APT28}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0007/}, language = {English}, urldate = {2019-12-20} } Group description: APT28
Sofacy
2019 | Council on Foreign Relations | Cyber Operations Tracker
@online{tracker:2019:28:7c5afdd, author = {Cyber Operations Tracker}, title = {{APT 28}}, date = {2019}, organization = {Council on Foreign Relations}, url = {https://www.cfr.org/interactive/cyber-operations/apt-28}, language = {English}, urldate = {2019-12-20} } APT 28
Sofacy
2018-12-21 | Emanuele De Lucia
@online{lucia:20181221:apt28:466f390, author = {Emanuele De Lucia}, title = {{APT28 / Sofacy – SedUploader under the Christmas tree}}, date = {2018-12-21}, url = {https://www.emanueledelucia.net/apt28-sofacy-seduploader-under-the-christmas-tree/}, language = {English}, urldate = {2020-03-30} } APT28 / Sofacy – SedUploader under the Christmas tree
Seduploader
2018-12-21 | Vitali Kremez
@online{kremez:20181221:lets:46e594a, author = {Vitali Kremez}, title = {{Let's Learn: In-Depth on APT28/Sofacy Zebrocy Golang Loader}}, date = {2018-12-21}, url = {https://www.vkremez.com/2018/12/lets-learn-dissecting-apt28sofacy.html}, language = {English}, urldate = {2019-12-24} } Let's Learn: In-Depth on APT28/Sofacy Zebrocy Golang Loader
Zebrocy
2018-12-18 | paloalto Networks Unit 42 | Robert Falcone
@online{falcone:20181218:sofacy:3573b82, author = {Robert Falcone}, title = {{Sofacy Creates New ‘Go’ Variant of Zebrocy Tool}}, date = {2018-12-18}, organization = {paloalto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool/}, language = {English}, urldate = {2020-01-07} } Sofacy Creates New ‘Go’ Variant of Zebrocy Tool
Zebrocy
2018-12-12 | Palo Alto Networks Unit 42 | Bryan Lee, Robert Falcone
@online{lee:20181212:dear:0d9a44e, author = {Bryan Lee and Robert Falcone}, title = {{Dear Joohn: The Sofacy Group’s Global Campaign}}, date = {2018-12-12}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/}, language = {English}, urldate = {2020-01-08} } Dear Joohn: The Sofacy Group’s Global Campaign
Sofacy
2018-12-10 | Vitali Kremez Blog | Vitali Kremez
@online{kremez:20181210:lets:f947fb1, author = {Vitali Kremez}, title = {{Let's Learn: Reviewing Sofacy's "Zebrocy" C++ Loader: Advanced Insight}}, date = {2018-12-10}, organization = {Vitali Kremez Blog}, url = {https://www.vkremez.com/2018/12/lets-learn-reviewing-sofacys-zebrocy-c.html}, language = {English}, urldate = {2020-01-09} } Let's Learn: Reviewing Sofacy's "Zebrocy" C++ Loader: Advanced Insight
Zebrocy
2018-11-29 | Accenture | Michael Yip
@online{yip:20181129:snakemackerel:aa02eba, author = {Michael Yip}, title = {{Snakemackerel delivers Zekapab malware}}, date = {2018-11-29}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/blogs-snakemackerel-delivers-zekapab-malware}, language = {English}, urldate = {2019-12-10} } Snakemackerel delivers Zekapab malware
Zebrocy Sofacy
2018-11-27 | Vitali Kremez Blog | Vitali Kremez
@online{kremez:20181127:lets:e9928d7, author = {Vitali Kremez}, title = {{Let's Learn: In-Depth on Sofacy Cannon Loader/Backdoor Review}}, date = {2018-11-27}, organization = {Vitali Kremez Blog}, url = {https://www.vkremez.com/2018/11/lets-learn-in-depth-on-sofacy-canon.html}, language = {English}, urldate = {2020-01-13} } Let's Learn: In-Depth on Sofacy Cannon Loader/Backdoor Review
Cannon
2018-11-20 | ESET Research | ESET Research
@online{research:20181120:sednit:caedbdb, author = {ESET Research}, title = {{Sednit: What’s going on with Zebrocy?}}, date = {2018-11-20}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/11/20/sednit-whats-going-zebrocy/}, language = {English}, urldate = {2019-11-14} } Sednit: What’s going on with Zebrocy?
Zebrocy
2018-11-20 | Palo Alto Networks Unit 42 | Robert Falcone, Bryan Lee
@online{falcone:20181120:sofacy:b1ef88a, author = {Robert Falcone and Bryan Lee}, title = {{Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan}}, date = {2018-11-20}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/}, language = {English}, urldate = {2019-12-20} } Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan
Cannon
2018-11-20 | Palo Alto Networks Unit 42 | Robert Falcone, Bryan Lee
@online{falcone:20181120:sofacy:bb4fd84, author = {Robert Falcone and Bryan Lee}, title = {{Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan}}, date = {2018-11-20}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/}, language = {English}, urldate = {2020-01-08} } Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan
Sofacy
2018-11-05 | Youtube (MSRC) | Jean-Ian Boutin, Frédéric Vachon
@online{boutin:20181105:bluehat:65f6d65, author = {Jean-Ian Boutin and Frédéric Vachon}, title = {{BlueHat v18 || First STRONTIUM UEFI Rootkit Unveiled}}, date = {2018-11-05}, organization = {Youtube (MSRC)}, url = {https://www.youtube.com/watch?v=VeoXT0nEcFU}, language = {English}, urldate = {2019-12-17} } BlueHat v18 || First STRONTIUM UEFI Rootkit Unveiled
LoJax
2018-10-04 | NCSC UK | NCSC UK
@online{uk:20181004:indicators:65560f3, author = {NCSC UK}, title = {{Indicators of Compromise for Malware used by APT28}}, date = {2018-10-04}, organization = {NCSC UK}, url = {https://www.ncsc.gov.uk/alerts/indicators-compromise-malware-used-apt28}, language = {English}, urldate = {2020-01-07} } Indicators of Compromise for Malware used by APT28
X-Tunnel (.NET)
2018-10-04 | Symantec | Security Response Attack Investigation Team
@online{team:20181004:apt28:f5e15cf, author = {Security Response Attack Investigation Team}, title = {{APT28: New Espionage Operations Target Military and Government Organizations}}, date = {2018-10-04}, organization = {Symantec}, url = {https://www.symantec.com/blogs/election-security/apt28-espionage-military-government}, language = {English}, urldate = {2019-11-23} } APT28: New Espionage Operations Target Military and Government Organizations
XTunnel Sofacy
2018-10-04 | Symantec | Critical Attack Discovery and Intelligence Team
@online{team:20181004:apt28:97a1356, author = {Critical Attack Discovery and Intelligence Team}, title = {{APT28: New Espionage Operations Target Military and Government Organizations}}, date = {2018-10-04}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government}, language = {English}, urldate = {2020-04-21} } APT28: New Espionage Operations Target Military and Government Organizations
LoJax Seduploader X-Agent XTunnel Zebrocy Sofacy
2018-10-04 | NCSC UK | NCSC UK
@techreport{uk:20181004:indicators:af0d14a, author = {NCSC UK}, title = {{Indicators of Compromise for Malware used by APT28}}, date = {2018-10-04}, institution = {NCSC UK}, url = {https://www.thecssc.com/wp-content/uploads/2018/10/4OctoberIOC-APT28-malware-advisory.pdf}, language = {English}, urldate = {2019-11-29} } Indicators of Compromise for Malware used by APT28
X-Agent
2018-10-04 | Unknown | MSN News
@online{news:20181004:russian:92336c6, author = {MSN News}, title = {{Russian hackers accused of targeting UN chemical weapons watchdog, MH17 files}}, date = {2018-10-04}, organization = {Unknown}, url = {https://www.msn.com/en-nz/news/world/russian-hackers-accused-of-targeting-un-chemical-weapons-watchdog-mh17-files/ar-BBNV2ny}, language = {English}, urldate = {2020-04-06} } Russian hackers accused of targeting UN chemical weapons watchdog, MH17 files
Sofacy
2018-09-27 | ESET Research | ESET Research
@online{research:20180927:lojax:5351e6c, author = {ESET Research}, title = {{LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group}}, date = {2018-09-27}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/}, language = {English}, urldate = {2020-01-10} } LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group
Sofacy
2018-09-27 | Bleeping Computer | Ionut Ilascu
@online{ilascu:20180927:apt28:12917be, author = {Ionut Ilascu}, title = {{APT28 Uses LoJax, First UEFI Rootkit Seen in the Wild}}, date = {2018-09-27}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/}, language = {English}, urldate = {2019-12-20} } APT28 Uses LoJax, First UEFI Rootkit Seen in the Wild
Sofacy
2018-09 | ESET Research
@techreport{research:201809:lojax:747e1e3, author = {ESET Research}, title = {{LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group}}, date = {2018-09}, institution = {}, url = {https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf}, language = {English}, urldate = {2019-12-17} } LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group
LoJax
2018-08-26 | SecJuice | SecJuice
@online{secjuice:20180826:remember:d5f1006, author = {SecJuice}, title = {{Remember Fancy Bear?}}, date = {2018-08-26}, organization = {SecJuice}, url = {https://www.secjuice.com/fancy-bear-review/}, language = {English}, urldate = {2020-01-06} } Remember Fancy Bear?
OLDBAIT
2018-08-21 | Bleeping Computer | Catalin Cimpanu
@online{cimpanu:20180821:microsoft:bc5c2f0, author = {Catalin Cimpanu}, title = {{Microsoft Disrupts APT28 Hacking Campaign Aimed at US Midterm Elections}}, date = {2018-08-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/microsoft-disrupts-apt28-hacking-campaign-aimed-at-us-midterm-elections/}, language = {English}, urldate = {2019-12-20} } Microsoft Disrupts APT28 Hacking Campaign Aimed at US Midterm Elections
Sofacy
2018-08-21 | BBC | BBC News
@online{news:20180821:microsoft:f0674db, author = {BBC News}, title = {{Microsoft claims win over 'Russian political hackers'}}, date = {2018-08-21}, organization = {BBC}, url = {https://www.bbc.co.uk/news/technology-45257081}, language = {English}, urldate = {2019-10-30} } Microsoft claims win over 'Russian political hackers'
Sofacy
2018-08-20 | Microsoft | Brad Smith
@online{smith:20180820:we:2a387d2, author = {Brad Smith}, title = {{We are taking new steps against broadening threats to democracy}}, date = {2018-08-20}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2018/08/20/we-are-taking-new-steps-against-broadening-threats-to-democracy/}, language = {English}, urldate = {2020-01-06} } We are taking new steps against broadening threats to democracy
Sofacy
2018-06-06 | Palo Alto Networks Unit 42 | Bryan Lee, Robert Falcone
@online{lee:20180606:sofacy:6d3e723, author = {Bryan Lee and Robert Falcone}, title = {{Sofacy Group’s Parallel Attacks}}, date = {2018-06-06}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/}, language = {English}, urldate = {2019-12-20} } Sofacy Group’s Parallel Attacks
Koadic Zebrocy
2018-05-23 | Department of Justice | Office of Public Affairs
@online{affairs:20180523:justice:806d785, author = {Office of Public Affairs}, title = {{Justice Department Announces Actions to Disrupt Advanced Persistent Threat 28 Botnet of Infected Routers and Network Storage Devices}}, date = {2018-05-23}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected}, language = {English}, urldate = {2020-01-06} } Justice Department Announces Actions to Disrupt Advanced Persistent Threat 28 Botnet of Infected Routers and Network Storage Devices
elf.vpnfilter Sofacy
2018-05-15 | Reuters | Simon Johnson, Olof Swahnberg, Niklas Pollard, Hugh Lawson
@online{johnson:20180515:swedish:47c0265, author = {Simon Johnson and Olof Swahnberg and Niklas Pollard and Hugh Lawson}, title = {{Swedish sports body says anti-doping unit hit by hacking attack}}, date = {2018-05-15}, organization = {Reuters}, url = {https://www.reuters.com/article/us-sweden-doping/swedish-sports-body-says-anti-doping-unit-hit-by-hacking-attack-idUSKCN1IG2GN}, language = {English}, urldate = {2019-12-10} } Swedish sports body says anti-doping unit hit by hacking attack
Sofacy
2018-05-08 | AP News | Raphael Satter
@online{satter:20180508:russian:8731568, author = {Raphael Satter}, title = {{Russian hackers posed as IS to threaten military wives}}, date = {2018-05-08}, organization = {AP News}, url = {https://www.apnews.com/4d174e45ef5843a0ba82e804f080988f}, language = {English}, urldate = {2020-01-07} } Russian hackers posed as IS to threaten military wives
Sofacy
2018-05-01 | NetScout | ASERT Team
@online{team:20180501:lojack:244d59b, author = {ASERT Team}, title = {{Lojack Becomes a Double-Agent}}, date = {2018-05-01}, organization = {NetScout}, url = {https://asert.arbornetworks.com/lojack-becomes-a-double-agent/}, language = {English}, urldate = {2019-10-23} } Lojack Becomes a Double-Agent
Computrace
2018-04-24 | ESET Research | ESET Research
@online{research:20180424:sednit:ab398cd, author = {ESET Research}, title = {{Sednit update: Analysis of Zebrocy}}, date = {2018-04-24}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/}, language = {English}, urldate = {2019-11-14} } Sednit update: Analysis of Zebrocy
Zebrocy Zebrocy (AutoIT)
2018-03-09 | Kaspersky Labs | GReAT
@online{great:20180309:masha:636eab4, author = {GReAT}, title = {{Masha and these Bears - 2018 Sofacy Activity}}, date = {2018-03-09}, organization = {Kaspersky Labs}, url = {https://securelist.com/masha-and-these-bears/84311/}, language = {English}, urldate = {2020-08-28} } Masha and these Bears - 2018 Sofacy Activity
Sofacy
2018-02-28 | Palo Alto Networks Unit 42 | Bryan Lee, Mike Harbison, Robert Falcone
@online{lee:20180228:sofacy:04fead3, author = {Bryan Lee and Mike Harbison and Robert Falcone}, title = {{Sofacy Attacks Multiple Government Entities}}, date = {2018-02-28}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-sofacy-attacks-multiple-government-entities/}, language = {English}, urldate = {2020-01-06} } Sofacy Attacks Multiple Government Entities
Sofacy
2018-02-20 | Kaspersky Labs | GReAT
@online{great:20180220:slice:0f910f7, author = {GReAT}, title = {{A Slice of 2017 Sofacy Activity}}, date = {2018-02-20}, organization = {Kaspersky Labs}, url = {https://securelist.com/a-slice-of-2017-sofacy-activity/83930/}, language = {English}, urldate = {2019-12-20} } A Slice of 2017 Sofacy Activity
Downrage Sofacy
2018-01-10 | Wired | Louise Matsakis
@online{matsakis:20180110:hack:73c4c38, author = {Louise Matsakis}, title = {{Hack Brief: Russian Hackers Release Apparent IOC Emails in Wake of Olympic Ban}}, date = {2018-01-10}, organization = {Wired}, url = {https://www.wired.com/story/russian-fancy-bears-hackers-release-apparent-ioc-emails/}, language = {English}, urldate = {2020-01-13} } Hack Brief: Russian Hackers Release Apparent IOC Emails in Wake of Olympic Ban
Sofacy
2018 | Accenture Security | Accenture Security
@techreport{security:2018:snakemackerel:fa2c552, author = {Accenture Security}, title = {{SNAKEMACKEREL - A BREXIT-themed lure document that delivers ZEKAPAB malware}}, date = {2018}, institution = {Accenture Security}, url = {https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf}, language = {English}, urldate = {2019-10-15} } SNAKEMACKEREL - A BREXIT-themed lure document that delivers ZEKAPAB malware
Sofacy
2017-12-21 | ESET Research | ESET Research
@online{research:20171221:sednit:630ff7c, author = {ESET Research}, title = {{Sednit update: How Fancy Bear Spent the Year}}, date = {2017-12-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/}, language = {English}, urldate = {2019-11-14} } Sednit update: How Fancy Bear Spent the Year
Seduploader X-Agent
2017-10-22 | Cisco | Warren Mercer, Paul Rascagnères, Vitor Ventura
@online{mercer:20171022:cyber:b26ac86, author = {Warren Mercer and Paul Rascagnères and Vitor Ventura}, title = {{“Cyber Conflict” Decoy Document Used In Real Cyber Conflict}}, date = {2017-10-22}, organization = {Cisco}, url = {http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html}, language = {English}, urldate = {2020-01-07} } “Cyber Conflict” Decoy Document Used In Real Cyber Conflict
Seduploader
2017-10-19 | Proofpoint | Kafeine, Pierre T
@online{kafeine:20171019:apt28:927b889, author = {Kafeine and Pierre T}, title = {{APT28 racing to exploit CVE-2017-11292 Flash vulnerability before patches are deployed}}, date = {2017-10-19}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/apt28-racing-exploit-cve-2017-11292-flash-vulnerability-patches-are-deployed}, language = {English}, urldate = {2019-12-20} } APT28 racing to exploit CVE-2017-11292 Flash vulnerability before patches are deployed
Seduploader
2017-08-13 | Adam Chester
@online{chester:20170813:analysis:11db4f8, author = {Adam Chester}, title = {{Analysis of APT28 hospitality malware (Part 2)}}, date = {2017-08-13}, url = {https://blog.xpnsec.com/apt28-hospitality-malware-part-2/}, language = {English}, urldate = {2020-01-08} } Analysis of APT28 hospitality malware (Part 2)
Seduploader
2017-08-11 | FireEye | Lindsay Smith, Ben Read
@online{smith:20170811:apt28:a39510a, author = {Lindsay Smith and Ben Read}, title = {{APT28 Targets Hospitality Sector, Presents Threat to Travelers}}, date = {2017-08-11}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html}, language = {English}, urldate = {2019-12-20} } APT28 Targets Hospitality Sector, Presents Threat to Travelers
Seduploader
2017-05-09 | ESET Research | ESET Research
@online{research:20170509:sednit:dde92c1, author = {ESET Research}, title = {{Sednit adds two zero‑day exploits using ‘Trump’s attack on Syria’ as a decoy}}, date = {2017-05-09}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/05/09/sednit-adds-two-zero-day-exploits-using-trumps-attack-syria-decoy/}, language = {English}, urldate = {2019-12-20} } Sednit adds two zero‑day exploits using ‘Trump’s attack on Syria’ as a decoy
Seduploader
2017-04-26 | Handelsblatt | Daniel Tost
@online{tost:20170426:russialinked:9fd1d9d, author = {Daniel Tost}, title = {{Russia-linked Hackers Target German Political Foundations}}, date = {2017-04-26}, organization = {Handelsblatt}, url = {https://www.handelsblatt.com/today/politics/election-risks-russia-linked-hackers-target-german-political-foundations/23569188.html?ticket=ST-2696734-GRHgtQukDIEXeSOwksXO-ap1}, language = {English}, urldate = {2020-01-09} } Russia-linked Hackers Target German Political Foundations
Sofacy
2017-04-03 | VOA | VOA
@online{voa:20170403:iaaf:0b4dd3b, author = {VOA}, title = {{IAAF Says It Has Been Hacked, Athlete Medical Info Accessed}}, date = {2017-04-03}, organization = {VOA}, url = {https://www.voanews.com/a/iaaf-hack-fancy-bears/3793874.html}, language = {English}, urldate = {2020-01-07} } IAAF Says It Has Been Hacked, Athlete Medical Info Accessed
Sofacy
2017-03-23 | Twitter (PhysicalDrive0) | PhysicalDrive0
@online{physicaldrive0:20170323:xagent:74f4c95, author = {PhysicalDrive0}, title = {{Tweet on XAgent for macOS}}, date = {2017-03-23}, organization = {Twitter (PhysicalDrive0)}, url = {https://twitter.com/PhysicalDrive0/status/845009226388918273}, language = {English}, urldate = {2019-12-17} } Tweet on XAgent for macOS
X-Agent
2017-03-02 | Laboratory of Cryptography and System Security | Boldizsar Bencsath
@online{bencsath:20170302:update:0e03ee6, author = {Boldizsar Bencsath}, title = {{Update on the Fancy Bear Android malware (poprd30.apk)}}, date = {2017-03-02}, organization = {Laboratory of Cryptography and System Security}, url = {http://blog.crysys.hu/2017/03/update-on-the-fancy-bear-android-malware-poprd30-apk/}, language = {English}, urldate = {2019-10-13} } Update on the Fancy Bear Android malware (poprd30.apk)
X-Agent
2017-02-21 | Bitdefender | Bitdefender
@techreport{bitdefender:20170221:dissecting:eec4e1f, author = {Bitdefender}, title = {{Dissecting the APT28 Mac OS X Payload}}, date = {2017-02-21}, institution = {Bitdefender}, url = {https://download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf}, language = {English}, urldate = {2020-01-10} } Dissecting the APT28 Mac OS X Payload
X-Agent
2017-02-20 | Contagio Dump | Mila Parkour
@online{parkour:20170220:part:c54b5de, author = {Mila Parkour}, title = {{Part I. Russian APT - APT28 collection of samples including OSX XAgent}}, date = {2017-02-20}, organization = {Contagio Dump}, url = {https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html}, language = {English}, urldate = {2019-11-26} } Part I. Russian APT - APT28 collection of samples including OSX XAgent
X-Agent Komplex Coreshell Downdelph HideDRV SEADADDY Sedreco Seduploader X-Agent XTunnel
2017-02-14 | Palo Alto Networks Unit 42 | Robert Falcone
@online{falcone:20170214:xagentosx:33ef060, author = {Robert Falcone}, title = {{XAgentOSX: Sofacy’s XAgent macOS Tool}}, date = {2017-02-14}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/}, language = {English}, urldate = {2019-12-20} } XAgentOSX: Sofacy’s XAgent macOS Tool
X-Agent
2017-02-04 | de Volkskrant | Huib Modderkolk
@online{modderkolk:20170204:russen:2dcb3d1, author = {Huib Modderkolk}, title = {{Russen faalden bij hackpogingen ambtenaren op Nederlandse ministeries}}, date = {2017-02-04}, organization = {de Volkskrant}, url = {https://www.volkskrant.nl/cultuur-media/russen-faalden-bij-hackpogingen-ambtenaren-op-nederlandse-ministeries~b77ff391/}, language = {Dutch}, urldate = {2019-12-19} } Russen faalden bij hackpogingen ambtenaren op Nederlandse ministeries [Russians failed in hacking attempts on civil servants at Dutch ministries]
Sofacy
2017-01-03 | CrySyS Lab | Boldizsar Bencsath
@online{bencsath:20170103:technical:1c2e81e, author = {Boldizsar Bencsath}, title = {{Technical details on the Fancy Bear Android malware (poprd30.apk)}}, date = {2017-01-03}, organization = {CrySyS Lab}, url = {http://blog.crysys.hu/2017/01/technical-details-on-the-fancy-bear-android-malware-poprd30-apk/}, language = {English}, urldate = {2020-01-09} } Technical details on the Fancy Bear Android malware (poprd30.apk)
X-Agent
2017-01-01 | Objective-See | Patrick Wardle
@online{wardle:20170101:mac:8c2d52b, author = {Patrick Wardle}, title = {{Mac Malware of 2016}}, date = {2017-01-01}, organization = {Objective-See}, url = {https://objective-see.com/blog/blog_0x16.html}, language = {English}, urldate = {2020-01-09} } Mac Malware of 2016
KeRanger Keydnap Komplex Laoshu MacInstaller MacVX Mokes WireLurker XSLCmd
2016-12-15 | Palo Alto Networks Unit 42 | Robert Falcone, Bryan Lee
@online{falcone:20161215:let:d1d1011, author = {Robert Falcone and Bryan Lee}, title = {{Let It Ride: The Sofacy Group’s DealersChoice Attacks Continue}}, date = {2016-12-15}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/}, language = {English}, urldate = {2020-01-07} } Let It Ride: The Sofacy Group’s DealersChoice Attacks Continue
Sofacy
2016-10-20 | ESET Research | ESET Research
@techreport{research:20161020:en:e2e6603, author = {ESET Research}, title = {{En Route with Sednit Part 2: Observing the Comings and Goings}}, date = {2016-10-20}, institution = {ESET Research}, url = {http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf}, language = {English}, urldate = {2019-10-25} } En Route with Sednit Part 2: Observing the Comings and Goings
X-Agent Sedreco X-Agent XTunnel
2016-10-17 | Palo Alto Networks Unit 42 | Robert Falcone, Bryan Lee
@online{falcone:20161017:dealerschoice:14aaca9, author = {Robert Falcone and Bryan Lee}, title = {{‘DealersChoice’ is Sofacy’s Flash Player Exploit Platform}}, date = {2016-10-17}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/}, language = {English}, urldate = {2019-12-20} } ‘DealersChoice’ is Sofacy’s Flash Player Exploit Platform
Sofacy
2016-10-10 | BBC | Gordon Corera
@online{corera:20161010:how:29d38b3, author = {Gordon Corera}, title = {{How France's TV5 was almost destroyed by 'Russian hackers'}}, date = {2016-10-10}, organization = {BBC}, url = {https://www.bbc.com/news/technology-37590375}, language = {English}, urldate = {2020-01-09} } How France's TV5 was almost destroyed by 'Russian hackers'
Sofacy
2016-09-27 | Malwarebytes | Thomas Reed
@online{reed:20160927:komplex:0cd401d, author = {Thomas Reed}, title = {{Komplex Mac backdoor answers old questions}}, date = {2016-09-27}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/09/komplex-mac-backdoor-answers-old-questions/}, language = {English}, urldate = {2019-12-20} } Komplex Mac backdoor answers old questions
Komplex
2016-09-26 | Palo Alto Networks Unit 42 | Dani Creus, Tyler Halfpop, Robert Falcone
@online{creus:20160926:sofacys:6ddbb81, author = {Dani Creus and Tyler Halfpop and Robert Falcone}, title = {{Sofacy’s ‘Komplex’ OS X Trojan}}, date = {2016-09-26}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-sofacys-komplex-os-x-trojan/}, language = {English}, urldate = {2020-01-13} } Sofacy’s ‘Komplex’ OS X Trojan
Komplex Sofacy
2016-09-20 | Deutsche Welle | ipj, kl
@online{ipj:20160920:hackers:fae1710, author = {ipj and kl}, title = {{Hackers lurking, parliamentarians told}}, date = {2016-09-20}, organization = {Deutsche Welle}, url = {https://www.dw.com/en/hackers-lurking-parliamentarians-told/a-19564630}, language = {English}, urldate = {2020-09-15} } Hackers lurking, parliamentarians told
Sofacy
2016-09-11 | ESET Research | ESET Research
@techreport{research:20160911:en:28dbd06, author = {ESET Research}, title = {{En Route with Sednit - Part 3: A Mysterious Downloader}}, date = {2016-09-11}, institution = {ESET Research}, url = {http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf}, language = {English}, urldate = {2019-10-12} } En Route with Sednit - Part 3: A Mysterious Downloader
Downdelph
2016-08-23 | International Business Times | Hyacinth Mascarenhas
@online{mascarenhas:20160823:russian:9531f82, author = {Hyacinth Mascarenhas}, title = {{Russian hackers 'Fancy Bear' likely breached Olympic drug-testing agency and DNC, experts say}}, date = {2016-08-23}, organization = {International Business Times}, url = {https://www.ibtimes.co.uk/russian-hackers-fancy-bear-likely-breached-olympic-drug-testing-agency-dnc-experts-say-1577508}, language = {English}, urldate = {2020-09-15} } Russian hackers 'Fancy Bear' likely breached Olympic drug-testing agency and DNC, experts say
Sofacy
2016-08 | ESET Research | ESET Research
@techreport{research:201608:en:0617083, author = {ESET Research}, title = {{En Route with Sednit - Part 1: Approaching the Target}}, date = {2016-08}, institution = {ESET Research}, url = {http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf}, language = {English}, urldate = {2019-12-10} } En Route with Sednit - Part 1: Approaching the Target
Komplex Seduploader
2016-06-15 | CrowdStrike | Dmitri Alperovitch
@online{alperovitch:20160615:bears:604c1d9, author = {Dmitri Alperovitch}, title = {{Bears in the Midst: Intrusion into the Democratic National Committee}}, date = {2016-06-15}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/}, language = {English}, urldate = {2019-12-20} } Bears in the Midst: Intrusion into the Democratic National Committee
X-Agent ATI-Agent Downrage SEADADDY X-Agent XTunnel Sofacy
2016-06-14 | Palo Alto Networks Unit 42 | Robert Falcone, Bryan Lee
@online{falcone:20160614:new:b51d1ab, author = {Robert Falcone and Bryan Lee}, title = {{New Sofacy Attacks Against US Government Agency}}, date = {2016-06-14}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/}, language = {English}, urldate = {2020-09-15} } New Sofacy Attacks Against US Government Agency
Seduploader Sofacy
2016-02-12 | Palo Alto Networks Unit 42 | Bryan Lee, Rob Downs
@online{lee:20160212:look:1483b5a, author = {Bryan Lee and Rob Downs}, title = {{A Look Into Fysbis: Sofacy’s Linux Backdoor}}, date = {2016-02-12}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/a-look-into-fysbis-sofacys-linux-backdoor/}, language = {English}, urldate = {2020-01-13} } A Look Into Fysbis: Sofacy’s Linux Backdoor
X-Agent
2016-01 | FireEye | Michael Bailey
@techreport{bailey:201601:matryoshka:3c7753f, author = {Michael Bailey}, title = {{MATRYOSHKA MINING}}, date = {2016-01}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/848-DID-242/images/wp-mandiant-matryoshka-mining.pdf}, language = {English}, urldate = {2019-11-27} } MATRYOSHKA MINING
Sofacy
2015-12-17 | Bitdefender | Bitdefender
@techreport{bitdefender:20151217:apt28:fca586f, author = {Bitdefender}, title = {{APT28 Under the Scope: A Journey into Exfiltrating Intelligence and Government Information}}, date = {2015-12-17}, institution = {Bitdefender}, url = {https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf}, language = {English}, urldate = {2020-01-09} } APT28 Under the Scope: A Journey into Exfiltrating Intelligence and Government Information
X-Agent XP PrivEsc (CVE-2014-4076)
2015-12-04 | Kaspersky Labs | GReAT
@online{great:20151204:sofacy:b437b35, author = {GReAT}, title = {{Sofacy APT hits high profile targets with updated toolset}}, date = {2015-12-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/}, language = {English}, urldate = {2020-08-30} } Sofacy APT hits high profile targets with updated toolset
Coreshell Sedreco Seduploader X-Agent Sofacy
2015-11-20 | Microsoft | Microsoft
@techreport{microsoft:20151120:microsoft:d41c5ad, author = {Microsoft}, title = {{Microsoft Security Intelligence Report Volume 19}}, date = {2015-11-20}, institution = {Microsoft}, url = {http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf}, language = {English}, urldate = {2020-01-13} } Microsoft Security Intelligence Report Volume 19
XTunnel
2015-10-22 | Trend Micro | Feike Hacquebord
@online{hacquebord:20151022:pawn:8231722, author = {Feike Hacquebord}, title = {{Pawn Storm Targets MH17 Investigation Team}}, date = {2015-10-22}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-targets-mh17-investigation-team/}, language = {English}, urldate = {2020-01-10} } Pawn Storm Targets MH17 Investigation Team
Sofacy
2015-10-13 | Trend Micro | Brooks Li, Feike Hacquebord, Peter Pi
@online{li:20151013:new:f451b34, author = {Brooks Li and Feike Hacquebord and Peter Pi}, title = {{New Adobe Flash Zero-Day Used in Pawn Storm Campaign Targeting Foreign Affairs Ministries}}, date = {2015-10-13}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/}, language = {English}, urldate = {2019-12-19} } New Adobe Flash Zero-Day Used in Pawn Storm Campaign Targeting Foreign Affairs Ministries
Seduploader Sofacy
2015-09-01 | Wikipedia | Various
@online{various:20150901:fancy:d2f6475, author = {Various}, title = {{Fancy Bear}}, date = {2015-09-01}, organization = {Wikipedia}, url = {https://en.wikipedia.org/wiki/Fancy_Bear}, language = {English}, urldate = {2020-01-06} } Fancy Bear
Sofacy
2015-08-27 | Electronic Frontier Foundation | Cooper Quintin
@online{quintin:20150827:new:b79e5c0, author = {Cooper Quintin}, title = {{New Spear Phishing Campaign Pretends to be EFF}}, date = {2015-08-27}, organization = {Electronic Frontier Foundation}, url = {https://www.eff.org/deeplinks/2015/08/new-spear-phishing-campaign-pretends-be-eff}, language = {English}, urldate = {2020-01-06} } New Spear Phishing Campaign Pretends to be EFF
Sofacy
2015-08 | root9b | root9b
@techreport{root9b:201508:technical:fff6a0b, author = {root9b}, title = {{TECHNICAL FOLLOW UP - APT28}}, date = {2015-08}, institution = {root9b}, url = {https://www.root9b.com/sites/default/files/whitepapers/root9b_follow_up_report_apt28.pdf}, language = {English}, urldate = {2020-01-08} } TECHNICAL FOLLOW UP - APT28
XTunnel
2015-06-19 | Netzpolitik.org | Claudio Guarnieri
@online{guarnieri:20150619:digital:6c1a11b, author = {Claudio Guarnieri}, title = {{Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag}}, date = {2015-06-19}, organization = {Netzpolitik.org}, url = {https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/}, language = {English}, urldate = {2020-01-10} } Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag
XTunnel Sofacy
2015-06-19 | London South East | Alliance News
@online{news:20150619:russian:7295c92, author = {Alliance News}, title = {{Russian Hackers Suspected In Cyberattack On German Parliament}}, date = {2015-06-19}, organization = {London South East}, url = {https://www.lse.co.uk/AllNews.asp?code=kwdwehme&headline=Russian_Hackers_Suspected_In_Cyberattack_On_German_Parliament}, language = {English}, urldate = {2020-09-15} } Russian Hackers Suspected In Cyberattack On German Parliament
Sofacy
2015-04-18 | FireEye | Dan Caselden, Yasir Khalid, James “Tom” Bennett, Genwei Jiang, Corbin Souffrant, Joshua Homan, Jonathan Wrolstad, Chris Phillips, Darien Kin
@online{caselden:20150418:operation:f2f3cba, author = {Dan Caselden and Yasir Khalid and James “Tom” Bennett and Genwei Jiang and Corbin Souffrant and Joshua Homan and Jonathan Wrolstad and Chris Phillips and Darien Kin}, title = {{Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia’s APT28 in Highly-Targeted Attack}}, date = {2015-04-18}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html}, language = {English}, urldate = {2019-10-16} } Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia’s APT28 in Highly-Targeted Attack
Sofacy
2015-02-04 | Trend Micro | Lambert Sun, Brooks Hong, Feike Hacquebord
@online{sun:20150204:pawn:58d080c, author = {Lambert Sun and Brooks Hong and Feike Hacquebord}, title = {{Pawn Storm Update: iOS Espionage App Found}}, date = {2015-02-04}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/}, language = {English}, urldate = {2020-05-18} } Pawn Storm Update: iOS Espionage App Found
X-Agent
2014-11-10 | Blaze's Security Blog | BartBlaze
@online{bartblaze:20141110:thoughts:d7d0d68, author = {BartBlaze}, title = {{Thoughts on Absolute Computrace}}, date = {2014-11-10}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.de/2014/11/thoughts-on-absolute-computrace.html}, language = {English}, urldate = {2019-11-26} } Thoughts on Absolute Computrace
Computrace
2014-10-27 | Trend Micro | Loucif Kharouni, Feike Hacquebord, Numaan Huq, Jim Gogolinski, Fernando Mercês, Alfred Remorin, Douglas Otis
@techreport{kharouni:20141027:operation:1b13f15, author = {Loucif Kharouni and Feike Hacquebord and Numaan Huq and Jim Gogolinski and Fernando Mercês and Alfred Remorin and Douglas Otis}, title = {{Operation Pawn Storm: Using Decoys to Evade Detection}}, date = {2014-10-27}, institution = {Trend Micro}, url = {https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf}, language = {English}, urldate = {2020-09-15} } Operation Pawn Storm: Using Decoys to Evade Detection
Sedreco Seduploader Sofacy
2014-09-05 | Google | Neel Mehta, Billy Leonard, Shane Huntley
@techreport{mehta:20140905:peering:8ce5720, author = {Neel Mehta and Billy Leonard and Shane Huntley}, title = {{Peering Into the Aquarium: Analysis of a Sophisticated Multi-Stage Malware Family}}, date = {2014-09-05}, institution = {Google}, url = {https://assets.documentcloud.org/documents/3461560/Google-Aquarium-Clean.pdf}, language = {English}, urldate = {2020-07-30} } Peering Into the Aquarium: Analysis of a Sophisticated Multi-Stage Malware Family
X-Agent
2014-08-11 | Prevenity
@online{prevenity:20140811:mht:d828ead, author = {Prevenity}, title = {{mht, MS12-27 and * malware * .info}}, date = {2014-08-11}, url = {http://malware.prevenity.com/2014/08/malware-info.html}, language = {Polish}, urldate = {2019-11-28} } mht, MS12-27 and * malware * .info
Coreshell
2014 | FireEye | FireEye
@techreport{fireeye:2014:apt28:277f9ab, author = {FireEye}, title = {{APT28: A Window into Russia's Cyber Espionage Operations?}}, date = {2014}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf}, language = {English}, urldate = {2019-12-04} } APT28: A Window into Russia's Cyber Espionage Operations?
OLDBAIT Coreshell Sedreco X-Agent
2014 | FireEye | FireEye
@techreport{fireeye:2014:operation:2160679, author = {FireEye}, title = {{Operation Quantum Entanglement}}, date = {2014}, institution = {FireEye}, url = {http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf}, language = {English}, urldate = {2020-01-12} } Operation Quantum Entanglement
X-Agent
2012-12-15 | Malware Reversing Blog | R136a1
@online{r136a1:20121215:disclosure:fdfe8f2, author = {R136a1}, title = {{Disclosure of another 0day malware - Analysis of 2nd Dropper and 3rd Dropper (Part 2)}}, date = {2012-12-15}, organization = {Malware Reversing Blog}, url = {http://www.malware-reversing.com/2012/12/3-disclosure-of-another-0day-malware_15.html}, language = {English}, urldate = {2019-12-31} } Disclosure of another 0day malware - Analysis of 2nd Dropper and 3rd Dropper (Part 2)
Sedreco
2012-12-15 | Malware Reversing Blog | R136a1
@online{r136a1:20121215:disclosure:c36a5a8, author = {R136a1}, title = {{Disclosure of another 0day malware - Initial Dropper and Downloader (Part 1)}}, date = {2012-12-15}, organization = {Malware Reversing Blog}, url = {http://www.malware-reversing.com/2012/12/3-disclosure-of-another-0day-malware.html}, language = {English}, urldate = {2020-01-06} } Disclosure of another 0day malware - Initial Dropper and Downloader (Part 1)
Coreshell
2010-05-31 | Trend Micro | Joseph Cepe
@techreport{cepe:20100531:sasfis:c0eab28, author = {Joseph Cepe}, title = {{SASFIS Malware Uses a New Trick}}, date = {2010-05-31}, institution = {Trend Micro}, url = {https://aptnotes.malwareconfig.com/web/viewer.html?file=../APTnotes/2014/apt28.pdf}, language = {English}, urldate = {2020-01-08} } SASFIS Malware Uses a New Trick
Sofacy

Credits: MISP Project