Zebrocy Malware Laced Phishing Email Threat Intel Advisory

CloudSEK threat intelligence advisory on Zebrocy, group that supports APT groups like Sofacy, masquerades as the latest research on COVID-19.
Updated on
April 19, 2023
Published on
December 18, 2020
Subscribe to the latest industry news, threats and resources.
Malware Intelligence
Threat Actor 
APT28  Sofacy, Sednit, Fancy Bear, STRONTIUM 
Target Platform
  APT28 (also known as Fancy Bear, Sofacy, Sednit, STRONTIUM) was discovered using the malware Zebrocy as part of their new COVID-19 campaign targeting Government agencies and commercial organization of the following nations:
  • Afghanistan
  • Azerbaijan
  • Zimbabwe
  • China
  • Japan
  • Kazakhstan
  • Egypt
  • Georgia
  • Iran
  • Korea
  • Kyrgyzstan
  • Mongolia
  • Russia
  • Saudi Arabia
  • Serbia
  • Switzerland
  • Tajikistan
  • Turkey
  • Turkmenistan
  • Ukraine
  • Uruguay
  • Bosnia and Herzegovina
Zebrocy is a sub-group that helps APT groups like Sofacy with victim profiling and access. The malware that the group delivers, dubbed Zebrocy, initiates the campaign by sending out phishing emails with malicious attachments, masquerading as the latest research by Sinopharm International Corporation on COVID-19. The actors also pose as officials from Directorate General of Civil Aviation, India.


[caption id="attachment_9098" align="alignnone" width="797"]Trojanized DGCA Documents in VHD Trojanized DGCA Documents in VHD[/caption] The malicious email usually contains a Virtual Hard Disk (VHD), which can only be accessed in Windows 10. The VHD includes the following files: 
  • PDF of Sinopharm International Corporation’s latest research on COVID-19
  • Word document that contains the Zebrocy malware
[caption id="attachment_9099" align="alignnone" width="902"]Trojanized Sinopharm Document in VHD Trojanized Sinopharm Document in VHD[/caption] The malware launches a backdoor and a downloader. Zebrocy is armed with these functionalities :
  • Collect system information and send them to the C&C server.
  • Manipulate files
  • Take screenshots of the user environment
  • Drive enumeration 
  • Persistence via scheduled task 
The enumerated data is sent to the C2, awaiting further commands.


Technical Impact
  • Persistence in the infected system.
  • This malware can create, edit, or delete any file in the system.
  • Capable of discovering all the connected devices.
  • Expose personal data of the victims.
Business Impact
  • Compromise all devices that are connected to the infected device
  • Possibilities of business data leaks

Indicators of Compromise

  • hxxps://support-cloud[.]life/managment/cb-secure/technology.php
VHD files
  • d5d9210ef49c6780016536b0863cc50f6de03f73e70c2af46cc3cff0e2bf9353  30-1868.vhd
  • 43c65d87d690aea7c515fe84317af40b7e64b350304b0fc958a51d62826feade  30-22-243.vhd
  • d444fde5885ec1241041d04b3001be17162523d2058ab1a7f88aac50a6059bc0  No.243.CB3-EVACUATION LETTER.vhd
  • f36a0ee7f4ec23765bb28fbfa734e402042278864e246a54b8c4db6f58275662  243_BIO_SINOPHARM.exe
  • 61c2e524dcc25a59d7f2fe7eff269865a3ed14d6b40e4fea33b3cd3f58c14f19  243.CB3.EVACUATION LETTER.exe
  • 6449d0cb1396d6feba7fb9e25fb20e9a0a5ef3e8623332844458d73057cf04a1  30-1868 20.10.2020.exe


  • Users should practice cyber hygiene
  • Keep the system up to date 
  • Update EDR with the latest signature
  • Deploy effective IDPS in the network
  • Disable file and printer sharing services
  • Use of complex passwords and periodic password rotation
  • Proper account and privilege audits

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations