The Sofacy group continues to use variants of the Zebrocy payload in its attack campaigns.
The Sofacy group continued their global attack campaigns between October and November, primarily targeting NATO-aligned nation states and former USSR states and delivering Zebrocy or Cannon.
Unit 42’s continued look into Sofacy reveals global attacks and wheels out new ‘Cannon’ trojan.
Unit 42’s continued look at the Sofacy Group’s activity reveals the persistent targeting of government, diplomatic and other strategic organizations across North America and Europe.
The Sofacy threat group continues to use their DealersChoice framework to exploit Flash vulnerabilities in their attack campaigns. Read the latest from Unit 42
Unit 42 examines recent Sofacy group activities including multiple attacks to government entities.
Unit 42 explores how the Sofacy group uses malicious emails to target foreign affairs agencies and ministries in North America and Europe.
Unit 42 analyzes Sofacy’s XAgent macOS Tool.
Recently, Palo Alto Networks Unit 42 reported on a new exploitation platform that we called “DealersChoice” in use by the Sofacy group (AKA APT28, Fancy Bear, STRONTIUM, Pawn Storm, Sednit). As outlined in our original posting, the DealersChoice exploitation platform generates malicious RTF documents which in turn use embedded OLE Word documents. These embedded OLE
Unit 42 has reported on various Sofacy group attacks over the last year, most recently with a post on Komplex, an OS X variant of a tool commonly used by the Sofacy group. In the same timeframe of the Komplex attacks, we collected several weaponized documents that use a tactic previously not observed in use
Unit 42 researchers identified a new OS X Trojan associated with the Sofacy group that we are now tracking with the ‘Komplex’ tag using the Palo Alto Networks AutoFocus threat intelligence platform. The Sofacy group, also known as APT28, Pawn Storm, Fancy Bear, and Sednit, continues to add to the variety of tools they use
As mentioned in our previous blog, we observed the Sofacy group using a new persistence mechanism that we call “Office Test” to load their Trojan each time the user opened Microsoft Office applications. Following the report, we received several questions regarding this persistence method, specifically how it works and which versions of Microsoft Office were
The Sofacy group, also known as APT28, is a well-known threat group that frequently conducts cyber espionage campaigns. Recently, Unit 42 identified a spear phishing e-mail from the Sofacy group that targeted the United States government. The e-mail was sent from a potentially compromised account belonging to the Ministry of Foreign Affairs of another government
Introduction The Sofacy group, also known as APT28 and Sednit, is a fairly well known cyber espionage group believed to have ties to Russia. Their targets have spanned all across the world, with a focus on government, defense organizations and various Eastern European governments. There have been numerous reports on their activities, to the extent