IndigoZebra

Threat Actor updated 4 months ago (2024-05-04T21:18:45.632Z)
IndigoZebra is a threat actor, or Advanced Persistent Threat (APT) group, suspected of originating from China and known for its cyber-espionage operations. The group first gained attention in August 2017 when Kaspersky detailed a covert operation targeting former Soviet Republics, deploying a wide range of malware including Meterpreter, Poison Ivy RAT, xDown, and a previously undocumented piece of malware called xCaon. This operation was notable for its extensive reach and the diversity of its malicious tools, indicating a high level of sophistication and planning.

The group's activities have not been limited to these initial targets. Over time, IndigoZebra's campaigns have expanded, with new toolsets being used against new targets in the region. The group has been observed preparing intelligence for high-level summits in Middle Asia, suggesting that their objectives are strategic and possibly state-sponsored. Furthermore, the Israeli cybersecurity firm Check Point Research has attributed intrusions in other central-Asian countries, including Kyrgyzstan and Uzbekistan, to IndigoZebra, further demonstrating the group's broad geographic focus.

The connection between the BoxCaon malware and IndigoZebra was established through similarities shared by this malware with xCaon, which is known to be used by the APT group. This link, along with the references found in the Kaspersky 2017 APT trends report, strengthens the attribution of the IndigoZebra group to these ongoing cyber-espionage operations. The continued activity of IndigoZebra underscores the persistent nature of this threat actor and the significant cybersecurity risks it poses.
Description last updated: 2024-05-04T21:08:17.344Z
Aliases: We are not currently tracking any aliases.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Source Document References
Information about the IndigoZebra Threat Actor was read from the documents corpus below.
| Source | Created at | Title |
| --- | --- | --- |
| MITRE | 2 years ago | APT Trends report Q2 2017 |
| MITRE | 2 years ago | IndigoZebra APT continues to attack Central Asia with evolving tools - Check Point Research |
| MITRE | 2 years ago | IndigoZebra APT Hacking Campaign Targets the Afghan Government |