win.zebrocy

Zebrocy

aka: Zekapab

Actor(s): APT28


According to Brandefense, Zebrocy is a Trojan that the threat actor group APT28/Sofacy has used since 2015. The malware consists of three main components: a Backdoor, a Downloader, and a Dropper. The Downloader and Dropper are responsible for discovery on the victim system and for downloading the main payload, while the Backdoor handles persistence on the system, espionage, and data exfiltration.

The malware is not new and has existed in variants written in many languages over the years, including Delphi, C#, Visual C++, VB.NET, and Golang. Advanced threat actors and groups are known to periodically rewrite the tools in their kits using different languages and technologies.

References
2022-12-27 | Palo Alto Networks Unit 42 | Bob Jung, Daniel Raygoza, Esmid Idrizovic, Sean Hughes | Navigating the Vast Ocean of Sandbox Evasions | Tags: TrickBot, Zebrocy
2022-12-09 | cocomelonc | cocomelonc | Malware development: persistence - part 20. UserInitMprLogonScript (Logon Script). Simple C++ example. | Tags: Attor, Zebrocy
2022-07-18 | Palo Alto Networks Unit 42 | Unit 42 | Fighting Ursa | Tags: Cannon, Zebrocy, APT28
2022-04-10 | Brandefense | Brandefense | Zebrocy Malware Technical Analysis Report | Tags: Zebrocy
2021-10-26 | Kaspersky | Kaspersky Lab ICS CERT | APT attacks on industrial organizations in H1 2021 | Tags: 8.t Dropper, AllaKore, AsyncRAT, GoldMax, LimeRAT, NjRAT, NoxPlayer, Raindrop, ReverseRAT, ShadowPad, Zebrocy
2021-07-27 | Blackberry | BlackBerry Research & Intelligence Team | Old Dogs New Tricks: Attackers Adopt Exotic Programming Languages | Tags: elf.wellmess, ElectroRAT, BazarNimrod, Buer, Cobalt Strike, Remcos, Snake, TeleBot, WellMess, Zebrocy
2021-05-20 | Github (microsoft) | Microsoft | Microsoft 365 Defender Hunting Queries for hunting multiple threat actors' TTPs and malwares | Tags: STRRAT, OceanLotus, BabyShark, Elise, Revenge RAT, WastedLocker, Zebrocy
2021-02-25 | Intezer | Intezer | Year of the Gopher: A 2020 Go Malware Round-Up | Tags: NiuB, WellMail, elf.wellmess, ArdaMax, AsyncRAT, CyberGate, DarkComet, Glupteba, Nanocore RAT, Nefilim, NjRAT, Quasar RAT, WellMess, Zebrocy
2020-12-09 | Intezer | Joakim Kennedy | A Zebra in Gopher's Clothing: Russian APT Uses COVID-19 Lures to Deliver Zebrocy | Tags: Zebrocy
2020-10-29 | US-CERT | US-CERT | Malware Analysis Report (AR20-303B): ZEBROCY Backdoor | Tags: Zebrocy
2020-10-23 | 360 | 360 Threat Intelligence Center | Analysis of APT28's targeted attacks on NATO and Central Asian targets using uncommon archive-format lures (APT28携小众压缩包诱饵对北约、中亚目标的定向攻击分析) | Tags: Zebrocy
2020-09-22 | QuoScient | QuoIntelligence | APT28 Delivers Zebrocy Malware Campaign using NATO Theme as Lure | Tags: Zebrocy, APT28
2020-09-22 | Bleeping Computer | Ax Sharma | Russian hackers use fake NATO training docs to breach govt networks | Tags: Zebrocy, APT28
2020-07-01 | 360 | 360 Threat Intelligence Center | Fancy Bear roaming Eastern Europe and Central Asia (游走在东欧和中亚的奇幻熊) | Tags: Zebrocy
2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center | APT Report 2019 | Tags: Chrysaor, Exodus, Dacls, VPNFilter, DNSRat, Griffon, KopiLuwak, More_eggs, SQLRat, AppleJeus, BONDUPDATER, Agent.BTZ, Anchor, AndroMut, AppleJeus, BOOSTWRITE, Brambul, Carbanak, Cobalt Strike, Dacls, DistTrack, DNSpionage, Dtrack, ELECTRICFISH, FlawedAmmyy, FlawedGrace, Get2, Grateful POS, HOPLIGHT, Imminent Monitor RAT, jason, Joanap, KerrDown, KEYMARBLE, Lambert, LightNeuron, LoJax, MiniDuke, PolyglotDuke, PowerRatankba, Rising Sun, SDBbot, ServHelper, Snatch, Stuxnet, TinyMet, tRat, TrickBot, Volgmer, X-Agent, Zebrocy
2020-01-01 | Secureworks | SecureWorks | IRON TWILIGHT | Tags: X-Agent, X-Agent, X-Agent, Computrace, HideDRV, Sedreco, Seduploader, X-Agent, XTunnel, Zebrocy, Zebrocy (AutoIT)
2019-10-24 | MeltX0R Security | MeltX0R | 10/24/2019 - APT28: Targeted attacks against mining corporations in Kazakhstan | Tags: Zebrocy
2019-09-24 | ESET Research | ESET Research | No summer vacations for Zebrocy | Tags: Zebrocy
2019-08-01 | Kaspersky Labs | GReAT | APT trends report Q2 2019 | Tags: ZooPark, magecart, POWERSTATS, Chaperone, COMpfun, EternalPetya, FinFisher RAT, HawkEye Keylogger, HOPLIGHT, Microcin, NjRAT, Olympic Destroyer, PLEAD, RokRAT, Triton, Zebrocy
2019-06-03 | Kaspersky Labs | GReAT | Zebrocy’s Multilanguage Malware Salad | Tags: Zebrocy
2019-05-22 | ESET Research | ESET Research | A journey to Zebrocy land | Tags: Zebrocy
2019-05-20 | Check Point | Ben Herzog | Malware Against the C Monoculture | Tags: AdWind, jRAT, GhostMiner, Zebrocy
2019-04-01 | Macnica Networks | Macnica Networks | Trends in Cyber Espionage Targeting Japan 2nd Half of 2018 | Tags: Anel, Cobalt Strike, Datper, PLEAD, Quasar RAT, RedLeaves, taidoor, Zebrocy
2019-01-24 | Kaspersky Labs | Kaspersky Lab ICS CERT | GreyEnergy’s overlap with Zebrocy | Tags: GreyEnergy, Zebrocy
2019-01-11 | Kaspersky Labs | GReAT | A Zebrocy Go Downloader | Tags: Zebrocy
2018-12-21 | Vitali Kremez | Let's Learn: In-Depth on APT28/Sofacy Zebrocy Golang Loader | Tags: Zebrocy
2018-12-18 | Palo Alto Networks Unit 42 | Robert Falcone | Sofacy Creates New ‘Go’ Variant of Zebrocy Tool | Tags: Zebrocy
2018-12-10 | Vitali Kremez Blog | Vitali Kremez | Let's Learn: Reviewing Sofacy's "Zebrocy" C++ Loader: Advanced Insight | Tags: Zebrocy
2018-11-29 | Accenture | Michael Yip | Snakemackerel delivers Zekapab malware | Tags: Zebrocy, APT28
2018-11-20 | ESET Research | ESET Research | Sednit: What’s going on with Zebrocy? | Tags: Zebrocy
2018-10-04 | Symantec | Critical Attack Discovery and Intelligence Team | APT28: New Espionage Operations Target Military and Government Organizations | Tags: LoJax, Seduploader, X-Agent, XTunnel, Zebrocy, APT28
2018-06-06 | Palo Alto Networks Unit 42 | Bryan Lee, Robert Falcone | Sofacy Group’s Parallel Attacks | Tags: Koadic, Zebrocy
2018-04-24 | ESET Research | ESET Research | Sednit update: Analysis of Zebrocy | Tags: Zebrocy, Zebrocy (AutoIT)
2018-02-20 | Kaspersky Labs | GReAT | A Slice of 2017 Sofacy Activity | Tags: X-Agent, Seduploader, X-Agent, Zebrocy, Zebrocy (AutoIT), APT28
Yara Rules
[TLP:WHITE] win_zebrocy_auto (20260504 | Detects win.zebrocy.)
rule win_zebrocy_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.zebrocy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zebrocy"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8bf3 e8???????? c645fc00 837dd410 720c 8b4dc0 51 }
            // n = 7, score = 100
            //   8bf3                 | mov                 esi, ebx
            //   e8????????           |                     
            //   c645fc00             | mov                 byte ptr [ebp - 4], 0
            //   837dd410             | cmp                 dword ptr [ebp - 0x2c], 0x10
            //   720c                 | jb                  0xe
            //   8b4dc0               | mov                 ecx, dword ptr [ebp - 0x40]
            //   51                   | push                ecx

        $sequence_1 = { 56 53 83ec0c 837d0800 7e3a }
            // n = 5, score = 100
            //   56                   | push                esi
            //   53                   | push                ebx
            //   83ec0c               | sub                 esp, 0xc
            //   837d0800             | cmp                 dword ptr [ebp + 8], 0
            //   7e3a                 | jle                 0x3c

        $sequence_2 = { 55 ba???????? b9???????? 89e5 83ec08 e8???????? }
            // n = 6, score = 100
            //   55                   | push                ebp
            //   ba????????           |                     
            //   b9????????           |                     
            //   89e5                 | mov                 ebp, esp
            //   83ec08               | sub                 esp, 8
            //   e8????????           |                     

        $sequence_3 = { 8bf3 c745fc01000000 e8???????? 837db010 0f8291020000 8b459c }
            // n = 6, score = 100
            //   8bf3                 | mov                 esi, ebx
            //   c745fc01000000       | mov                 dword ptr [ebp - 4], 1
            //   e8????????           |                     
            //   837db010             | cmp                 dword ptr [ebp - 0x50], 0x10
            //   0f8291020000         | jb                  0x297
            //   8b459c               | mov                 eax, dword ptr [ebp - 0x64]

        $sequence_4 = { 66891478 8bc6 5f c3 8bff }
            // n = 5, score = 100
            //   66891478             | mov                 word ptr [eax + edi*2], dx
            //   8bc6                 | mov                 eax, esi
            //   5f                   | pop                 edi
            //   c3                   | ret                 
            //   8bff                 | mov                 edi, edi

        $sequence_5 = { c705????????50c34100 c705????????43f74000 c705????????02000000 c605????????02 }
            // n = 4, score = 100
            //   c705????????50c34100     |     
            //   c705????????43f74000     |     
            //   c705????????02000000     |     
            //   c605????????02       |                     

        $sequence_6 = { 8b55ec 33ff 897c1820 897c1824 }
            // n = 4, score = 100
            //   8b55ec               | mov                 edx, dword ptr [ebp - 0x14]
            //   33ff                 | xor                 edi, edi
            //   897c1820             | mov                 dword ptr [eax + ebx + 0x20], edi
            //   897c1824             | mov                 dword ptr [eax + ebx + 0x24], edi

        $sequence_7 = { 884dc8 8a4c3b0a 83c703 8975b4 c1ee02 884db8 }
            // n = 6, score = 100
            //   884dc8               | mov                 byte ptr [ebp - 0x38], cl
            //   8a4c3b0a             | mov                 cl, byte ptr [ebx + edi + 0xa]
            //   83c703               | add                 edi, 3
            //   8975b4               | mov                 dword ptr [ebp - 0x4c], esi
            //   c1ee02               | shr                 esi, 2
            //   884db8               | mov                 byte ptr [ebp - 0x48], cl

        $sequence_8 = { 897e10 897e14 837dd410 720c }
            // n = 4, score = 100
            //   897e10               | mov                 dword ptr [esi + 0x10], edi
            //   897e14               | mov                 dword ptr [esi + 0x14], edi
            //   837dd410             | cmp                 dword ptr [ebp - 0x2c], 0x10
            //   720c                 | jb                  0xe

        $sequence_9 = { 8b4a04 8b55ec 03cb 85d2 7420 8b410c }
            // n = 6, score = 100
            //   8b4a04               | mov                 ecx, dword ptr [edx + 4]
            //   8b55ec               | mov                 edx, dword ptr [ebp - 0x14]
            //   03cb                 | add                 ecx, ebx
            //   85d2                 | test                edx, edx
            //   7420                 | je                  0x22
            //   8b410c               | mov                 eax, dword ptr [ecx + 0xc]

        $sequence_10 = { c705????????04000000 c605????????16 c705????????a4c34100 c605????????02 c705????????01000000 }
            // n = 5, score = 100
            //   c705????????04000000     |     
            //   c605????????16       |                     
            //   c705????????a4c34100     |     
            //   c605????????02       |                     
            //   c705????????01000000     |     

        $sequence_11 = { 83e13f 8a89e8f64000 884c100b 8b4de0 394ddc 7e08 }
            // n = 6, score = 100
            //   83e13f               | and                 ecx, 0x3f
            //   8a89e8f64000         | mov                 cl, byte ptr [ecx + 0x40f6e8]
            //   884c100b             | mov                 byte ptr [eax + edx + 0xb], cl
            //   8b4de0               | mov                 ecx, dword ptr [ebp - 0x20]
            //   394ddc               | cmp                 dword ptr [ebp - 0x24], ecx
            //   7e08                 | jle                 0xa

        $sequence_12 = { 7409 c745e400000000 eb53 31d2 }
            // n = 4, score = 100
            //   7409                 | je                  0xb
            //   c745e400000000       | mov                 dword ptr [ebp - 0x1c], 0
            //   eb53                 | jmp                 0x55
            //   31d2                 | xor                 edx, edx

        $sequence_13 = { 8d8508f7ffff 8a1c38 8db598f6ffff e8???????? }
            // n = 4, score = 100
            //   8d8508f7ffff         | lea                 eax, [ebp - 0x8f8]
            //   8a1c38               | mov                 bl, byte ptr [eax + edi]
            //   8db598f6ffff         | lea                 esi, [ebp - 0x968]
            //   e8????????           |                     

        $sequence_14 = { 83e71f c1e706 8b0485c0a84200 8d44380c 50 ff15???????? 8b45e4 }
            // n = 7, score = 100
            //   83e71f               | and                 edi, 0x1f
            //   c1e706               | shl                 edi, 6
            //   8b0485c0a84200       | mov                 eax, dword ptr [eax*4 + 0x42a8c0]
            //   8d44380c             | lea                 eax, [eax + edi + 0xc]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]

        $sequence_15 = { 31db 84d2 742f 39c3 0f9ec2 7f21 }
            // n = 6, score = 100
            //   31db                 | xor                 ebx, ebx
            //   84d2                 | test                dl, dl
            //   742f                 | je                  0x31
            //   39c3                 | cmp                 ebx, eax
            //   0f9ec2               | setle               dl
            //   7f21                 | jg                  0x23

    condition:
        7 of them and filesize < 393216
}