Zebrocy (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.zebrocy (Back to overview)

Zebrocy

aka: Zekapab

Actor(s): APT28

VTCollection

According to brandefense, Zebrocy is malware that falls into the Trojan category, which the threat actor group APT28/Sofacy has used since 2015. Zebrocy malware consists of 3 main components; Backdoor, Downloader, and Dropper. The Downloader and Dropper take responsibility for discovery processes and downloading the main malware on the systems. At the same time, Backdoor undertakes the duties such as persistence in the system, espionage, and data extraction.

This malware, which is not considered new, has variants in many languages from the past to the present. These include programming languages such as Delphi, C#, Visual C++, VB.net, and Golang. Furthermore, we know advanced threat actors and groups revise their malicious software among their toolkits at certain time intervals using different languages and technologies.

References

2022-12-27 ⋅ Palo Alto Networks Unit 42 ⋅ Bob Jung, Daniel Raygoza, Esmid Idrizovic, Sean Hughes
Navigating the Vast Ocean of Sandbox Evasions
TrickBot Zebrocy

2022-12-09 ⋅ cocomelonc ⋅ cocomelonc
Malware development: persistence - part 20. UserInitMprLogonScript (Logon Script). Simple C++ example.
Attor Zebrocy

2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
Fighting Ursa
Cannon Zebrocy APT28

2022-04-10 ⋅ Brandefense ⋅ Brandefense
Zebrocy Malware Technical Analysis Report
Zebrocy

2021-10-26 ⋅ Kaspersky ⋅ Kaspersky Lab ICS CERT
APT attacks on industrial organizations in H1 2021
8.t Dropper AllaKore AsyncRAT GoldMax LimeRAT NjRAT NoxPlayer Raindrop ReverseRAT ShadowPad Zebrocy

2021-07-27 ⋅ Blackberry ⋅ BlackBerry Research & Intelligence Team
Old Dogs New Tricks: Attackers Adopt Exotic Programming Languages
elf.wellmess ElectroRAT BazarNimrod Buer Cobalt Strike Remcos Snake TeleBot WellMess Zebrocy

2021-05-20 ⋅ Github (microsoft) ⋅ Microsoft
Microsoft 365 Defender Hunting Queries for hunting multiple threat actors' TTPs and malwares
STRRAT OceanLotus BabyShark Elise Revenge RAT WastedLocker Zebrocy

2021-02-25 ⋅ Intezer ⋅ Intezer
Year of the Gopher A 2020 Go Malware Round-Up
NiuB WellMail elf.wellmess ArdaMax AsyncRAT CyberGate DarkComet Glupteba Nanocore RAT Nefilim NjRAT Quasar RAT WellMess Zebrocy

2020-12-09 ⋅ Intezer ⋅ Joakim Kennedy
A Zebra in Gopher's Clothing: Russian APT Uses COVID-19 Lures to Deliver Zebrocy
Zebrocy

2020-10-29 ⋅ US-CERT ⋅ US-CERT
Malware Analysis Report (AR20-303B): ZEBROCY Backdoor
Zebrocy

2020-10-23 ⋅ ⋅ 360 ⋅ 360 Threat Intelligence Center
APT28携小众压缩包诱饵对北约、中亚目标的定向攻击分析
Zebrocy

2020-09-22 ⋅ QuoScient ⋅ QuoIntelligence
APT28 Delivers Zebrocy Malware Campaign using NATO Theme as Lure
Zebrocy APT28

2020-09-22 ⋅ Bleeping Computer ⋅ Ax Sharma
Russian hackers use fake NATO training docs to breach govt networks
Zebrocy APT28

2020-07-01 ⋅ ⋅ 360 ⋅ 360 Threat Intelligence Center
游走在东欧和中亚的奇幻熊
Zebrocy

2020-02-13 ⋅ Qianxin ⋅ Qi Anxin Threat Intelligence Center
APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy

2020-01-01 ⋅ Secureworks ⋅ SecureWorks
IRON TWILIGHT
X-Agent X-Agent X-Agent Computrace HideDRV Sedreco Seduploader X-Agent XTunnel Zebrocy Zebrocy (AutoIT)

2019-10-24 ⋅ MeltX0R Security ⋅ MeltX0R
10/24/2019 - APT28: Targeted attacks against mining corporations in Kazakhstan
Zebrocy

2019-09-24 ⋅ ESET Research ⋅ ESET Research
No summer vacations for Zebrocy
Zebrocy

2019-08-01 ⋅ Kaspersky Labs ⋅ GReAT
APT trends report Q2 2019
ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy

2019-06-03 ⋅ Kaspersky Labs ⋅ GReAT
Zebrocy’s Multilanguage Malware Salad
Zebrocy

2019-05-22 ⋅ ESET Research ⋅ ESET Research
A journey to Zebrocy land
Zebrocy

2019-05-20 ⋅ Check Point ⋅ Ben Herzog
Malware Against the C Monoculture
AdWind jRAT GhostMiner Zebrocy

2019-04-01 ⋅ ⋅ Macnica Networks ⋅ Macnica Networks
Trends in Cyber Espionage Targeting Japan 2nd Half of 2018
Anel Cobalt Strike Datper PLEAD Quasar RAT RedLeaves taidoor Zebrocy

2019-01-24 ⋅ Kaspersky Labs ⋅ Kaspersky Lab ICS CERT
GreyEnergy’s overlap with Zebrocy
GreyEnergy Zebrocy

2019-01-11 ⋅ Kaspersky Labs ⋅ GReAT
A Zebrocy Go Downloader
Zebrocy

2018-12-21 ⋅ Vitali Kremez
Let's Learn: In-Depth on APT28/Sofacy Zebrocy Golang Loader
Zebrocy

2018-12-18 ⋅ paloalto Networks Unit 42 ⋅ Robert Falcone
Sofacy Creates New ‘Go’ Variant of Zebrocy Tool
Zebrocy

2018-12-10 ⋅ Vitali Kremez Blog ⋅ Vitali Kremez
Let's Learn: Reviewing Sofacy's "Zebrocy" C++ Loader: Advanced Insight
Zebrocy

2018-11-29 ⋅ Accenture ⋅ Michael Yip
Snakemackerel delivers Zekapab malware
Zebrocy APT28

2018-11-20 ⋅ ESET Research ⋅ ESET Research
Sednit: What’s going on with Zebrocy?
Zebrocy

2018-10-04 ⋅ Symantec ⋅ Critical Attack Discovery and Intelligence Team
APT28: New Espionage Operations Target Military and Government Organizations
LoJax Seduploader X-Agent XTunnel Zebrocy APT28

2018-06-06 ⋅ Palo Alto Networks Unit 42 ⋅ Bryan Lee, Robert Falcone
Sofacy Group’s Parallel Attacks
Koadic Zebrocy

2018-04-24 ⋅ ESET Research ⋅ ESET Research
Sednit update: Analysis of Zebrocy
Zebrocy Zebrocy (AutoIT)

2018-02-20 ⋅ Kaspersky Labs ⋅ GReAT
A Slice of 2017 Sofacy Activity
X-Agent Seduploader X-Agent Zebrocy Zebrocy (AutoIT) APT28

Yara Rules

[TLP:WHITE] win_zebrocy_auto (20251219 | Detects win.zebrocy.)

rule win_zebrocy_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-01-05"
        version = "1"
        description = "Detects win.zebrocy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zebrocy"
        malpedia_rule_date = "20260105"
        malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79"
        malpedia_version = "20251219"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c605????????03 c705????????04000000 c605????????11 c705????????00000000 }
            // n = 4, score = 100
            //   c605????????03       |                     
            //   c705????????04000000     |     
            //   c605????????11       |                     
            //   c705????????00000000     |     

        $sequence_1 = { e8???????? 84c0 8b4de0 7507 }
            // n = 4, score = 100
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   8b4de0               | mov                 ecx, dword ptr [ebp - 0x20]
            //   7507                 | jne                 9

        $sequence_2 = { 50 8d45f4 64a300000000 6aff 33ff c745fc01000000 }
            // n = 6, score = 100
            //   50                   | push                eax
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   6aff                 | push                -1
            //   33ff                 | xor                 edi, edi
            //   c745fc01000000       | mov                 dword ptr [ebp - 4], 1

        $sequence_3 = { 8be5 5d c21000 8b4d14 51 56 }
            // n = 6, score = 100
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c21000               | ret                 0x10
            //   8b4d14               | mov                 ecx, dword ptr [ebp + 0x14]
            //   51                   | push                ecx
            //   56                   | push                esi

        $sequence_4 = { e8???????? 83c41c 83ec1c 8bcc 89a5f4f4ffff }
            // n = 5, score = 100
            //   e8????????           |                     
            //   83c41c               | add                 esp, 0x1c
            //   83ec1c               | sub                 esp, 0x1c
            //   8bcc                 | mov                 ecx, esp
            //   89a5f4f4ffff         | mov                 dword ptr [ebp - 0xb0c], esp

        $sequence_5 = { ff25???????? ebb5 55 b9???????? 89e5 }
            // n = 5, score = 100
            //   ff25????????         |                     
            //   ebb5                 | jmp                 0xffffffb7
            //   55                   | push                ebp
            //   b9????????           |                     
            //   89e5                 | mov                 ebp, esp

        $sequence_6 = { f2ae 89c8 f7d0 8d5402ff }
            // n = 4, score = 100
            //   f2ae                 | repne scasb         al, byte ptr es:[edi]
            //   89c8                 | mov                 eax, ecx
            //   f7d0                 | not                 eax
            //   8d5402ff             | lea                 edx, [edx + eax - 1]

        $sequence_7 = { 8bd8 3bc7 7e63 8d642400 6a02 }
            // n = 5, score = 100
            //   8bd8                 | mov                 ebx, eax
            //   3bc7                 | cmp                 eax, edi
            //   7e63                 | jle                 0x65
            //   8d642400             | lea                 esp, [esp]
            //   6a02                 | push                2

        $sequence_8 = { 397de0 7f57 8b03 85c0 }
            // n = 4, score = 100
            //   397de0               | cmp                 dword ptr [ebp - 0x20], edi
            //   7f57                 | jg                  0x59
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   85c0                 | test                eax, eax

        $sequence_9 = { 8d45f4 64a300000000 33db 897d90 895d94 6aff c745fc01000000 }
            // n = 7, score = 100
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   33db                 | xor                 ebx, ebx
            //   897d90               | mov                 dword ptr [ebp - 0x70], edi
            //   895d94               | mov                 dword ptr [ebp - 0x6c], ebx
            //   6aff                 | push                -1
            //   c745fc01000000       | mov                 dword ptr [ebp - 4], 1

        $sequence_10 = { 89d8 e8???????? 8d9510fcffff 89c6 8d8500fcffff 89d7 }
            // n = 6, score = 100
            //   89d8                 | mov                 eax, ebx
            //   e8????????           |                     
            //   8d9510fcffff         | lea                 edx, [ebp - 0x3f0]
            //   89c6                 | mov                 esi, eax
            //   8d8500fcffff         | lea                 eax, [ebp - 0x400]
            //   89d7                 | mov                 edi, edx

        $sequence_11 = { 89c7 eb2f 89f2 89d9 e8???????? }
            // n = 5, score = 100
            //   89c7                 | mov                 edi, eax
            //   eb2f                 | jmp                 0x31
            //   89f2                 | mov                 edx, esi
            //   89d9                 | mov                 ecx, ebx
            //   e8????????           |                     

        $sequence_12 = { 325032 7032 7c32 9c 32a432ac32c432 d432 e8???????? }
            // n = 7, score = 100
            //   325032               | xor                 dl, byte ptr [eax + 0x32]
            //   7032                 | jo                  0x34
            //   7c32                 | jl                  0x34
            //   9c                   | pushfd              
            //   32a432ac32c432       | xor                 ah, byte ptr [edx + esi + 0x32c432ac]
            //   d432                 | aam                 0x32
            //   e8????????           |                     

        $sequence_13 = { 33c0 894e14 894710 894714 c645fc00 837de810 720c }
            // n = 7, score = 100
            //   33c0                 | xor                 eax, eax
            //   894e14               | mov                 dword ptr [esi + 0x14], ecx
            //   894710               | mov                 dword ptr [edi + 0x10], eax
            //   894714               | mov                 dword ptr [edi + 0x14], eax
            //   c645fc00             | mov                 byte ptr [ebp - 4], 0
            //   837de810             | cmp                 dword ptr [ebp - 0x18], 0x10
            //   720c                 | jb                  0xe

        $sequence_14 = { 66c705????????6046 8915???????? ba???????? a3???????? e8???????? }
            // n = 5, score = 100
            //   66c705????????6046     |     
            //   8915????????         |                     
            //   ba????????           |                     
            //   a3????????           |                     
            //   e8????????           |                     

        $sequence_15 = { 89b5c4f7ffff 899dc0f7ffff 889db0f7ffff 39bd38f7ffff }
            // n = 4, score = 100
            //   89b5c4f7ffff         | mov                 dword ptr [ebp - 0x83c], esi
            //   899dc0f7ffff         | mov                 dword ptr [ebp - 0x840], ebx
            //   889db0f7ffff         | mov                 byte ptr [ebp - 0x850], bl
            //   39bd38f7ffff         | cmp                 dword ptr [ebp - 0x8c8], edi

    condition:
        7 of them and filesize < 393216
}

Download all Yara Rules

Zebrocy Propose Change

References

Yara Rules

Zebrocy