Sofacy

Threat Actor Profile Updated 3 months ago
Sofacy is a threat actor group that has been observed using multiple programming languages to build variants of its Zebrocy trojan and of the Cannon trojan. In one campaign the group relied heavily on enticing filenames to lure victims into opening weaponized documents. Only the Delphi variants were packed, presumably to improve evasion, and it has been speculated that this was done because the Delphi variant of Zebrocy is the most widely known and analyzed. Sofacy is known to use IP-based command-and-control servers, and examination of the infrastructure in that campaign did not reveal significant overlap with previous Zebrocy or Sofacy infrastructure. The group's presence in the Democratic National Committee (DNC) network alongside APT29 drew attention to its activities in 2016; it later targeted the Olympics, the World Anti-Doping Agency (WADA) and the Court of Arbitration for Sport (CAS) by compromising individuals and servers through phishing. Recommended defenses against Sofacy's activity include reviewing logins and unusual administrator access on systems, scanning and sandboxing incoming attachments, and enforcing two-factor authentication for services such as email and VPN access. Palo Alto Networks, the source of the Zebrocy and Cannon reporting summarized here, states that its customers are protected against those campaigns.
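The hunting check below is an added example written for this page, not code from Palo Alto Networks, Cybergeist or any of the sources listed further down. It turns two observations on this profile (the Zebrocy entry below notes that the trojan posts collected system data and a screenshot to its C2 in HTTP POST requests, and the summary above notes that Sofacy's C2 servers in that campaign were addressed by bare IP rather than domain) into a proxy-log heuristic: flag internal clients that repeatedly POST to a literal, non-internal IP address, and report the largest request body per client/server pair, since a screenshot upload stands out against the small beacons. The log layout, the INTERNAL_NETS list and every sample line are constructed assumptions to adapt to your own environment; the rule is a generic hunt, not a signature for any sample the reports describe.

```python
"""Hunt for Zebrocy-style HTTP POST beacons to bare-IP C2 hosts in proxy logs.

Added example for this profile page; not code from Palo Alto Networks,
Cybergeist or any listed source. Assumptions: a whitespace-separated proxy
log (timestamp client method url status bytes_sent), the INTERNAL_NETS list
below, and constructed sample lines. Generic hunt heuristic, not a signature.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Ranges treated as "inside the network" (assumption; extend with your own
# address space so that internal HTTP services are not flagged).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "::1/128",
)]

# Constructed sample log: one client beacons to 203.0.113.45 with small
# POSTs, then a large one (a screenshot-sized upload); the other lines are
# benign or do not meet the rule.
SAMPLE_LOG = """\
1544000001 10.1.2.30 GET http://www.example.com/index.html 200 512
1544000005 10.1.2.30 POST http://203.0.113.45/inbox/ 200 1480
1544000065 10.1.2.30 POST http://203.0.113.45/inbox/ 200 1510
1544000125 10.1.2.30 POST http://203.0.113.45/inbox/ 200 215630
1544000130 10.1.2.31 POST https://updates.example.net/api/v1 200 900
1544000140 10.1.2.31 POST http://192.168.5.10/printer/submit 200 300
1544000150 10.1.2.32 POST http://198.51.100.7:8080/g.php 404 1200
"""


@dataclass(frozen=True)
class Hit:
    client: str      # internal host that sent the POSTs
    c2: str          # literal-IP host[:port] it posted to
    count: int       # POSTs seen from this client to this host
    max_bytes: int   # largest request body; screenshot uploads inflate this


def host_is_bare_external_ip(url: str) -> bool:
    """True when the URL's host is an IP literal outside INTERNAL_NETS."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name; this heuristic only targets IP literals
    return not any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str) -> Optional[Tuple[str, str, str, int]]:
    """Return (client, METHOD, url, bytes_sent) or None for malformed lines."""
    parts = line.split()
    if len(parts) != 6 or not parts[5].isdigit():
        return None
    _ts, client, method, url, _status, nbytes = parts
    return client, method.upper(), url, int(nbytes)


def find_ip_post_beacons(log_text: str, min_posts: int = 2) -> List[Hit]:
    """Group POSTs to bare external IPs per (client, host); keep repeat pairs."""
    counts: Counter = Counter()
    biggest: Dict[Tuple[str, str], int] = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        client, method, url, nbytes = rec
        if method != "POST" or not host_is_bare_external_ip(url):
            continue
        key = (client, urlsplit(url).netloc)
        counts[key] += 1
        biggest[key] = max(biggest.get(key, 0), nbytes)
    return [Hit(client, c2, n, biggest[(client, c2)])
            for (client, c2), n in sorted(counts.items()) if n >= min_posts]


if __name__ == "__main__":
    for h in find_ip_post_beacons(SAMPLE_LOG):
        print(f"{h.client} -> {h.c2}: {h.count} POSTs, largest body {h.max_bytes} bytes")
```

On the sample data only the 10.1.2.30 to 203.0.113.45 pair is reported (three POSTs, largest body 215630 bytes); the single POST from 10.1.2.32 drops below the default threshold and the internal printer and the DNS-named host are ignored. The rule deliberately says nothing about Cannon, which the entry below describes as using email rather than HTTP for its command channel; that traffic has to be hunted in mail logs instead.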
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.
Name (votes): profile description
APT28 (5 votes): APT28, also known as Fancy Bear, is a Russia-linked threat actor involved in numerous cyber-espionage campaigns and notorious for its sophisticated tactics, techniques and procedures (TTPs). Recently, NATO and the EU formally condemned APT28's activities, acknowledging the
Sednit (4 votes): Sednit, also known as APT28, Fancy Bear, Strontium/Forest Blizzard, Pawn Storm, Sofacy and BlueDelta, is a threat actor associated with Russia's military intelligence. Active since at least 2007, the group has targeted governments, militaries and security organizations worldwide. ESET has shed lig
Pawn Storm (2 votes): Pawn Storm, also known as APT28, Fancy Bear, Sofacy Group, Sednit, BlueDelta and STRONTIUM, is a threat actor that has been active since at least 2007. The group is notorious for targeting governments, militaries and security organizations worldwide. In recent years, the methods employed by Pawn
STRONTIUM (2 votes): Strontium, also known as APT28, Fancy Bear, Forest Blizzard and several other aliases, is a Russia-linked threat actor that has been active since at least 2007. The group, believed to be associated with the Russian General Staff Main Intelligence Directorate (GRU), has targeted governments, milita
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
APT
Windows
Vulnerability
Implant
Loader
Bitcoin
Malware
Phishing
Encryption
Decoy
Exploitation
Linux
macOS
Russian
Sandbox
Kaspersky
Koadic
State Sponso...
Exploit
Trojan
Payload
Backdoor
Associated Malware
Name (type, votes): profile description
Octopus (Unspecified, 2 votes): Octopus is a Windows trojan used by DustSquad, also tracked as Nomadic Octopus, against political entities in Central Asia. It appears in this profile because the Kaspersky report that describes it ("Octopus-infested seas of Central Asia", listed below) also discusses Sofacy activity in the same region.
Komplex (Unspecified, 1 vote): Komplex is a backdoor trojan for macOS believed to be used by the Sofacy group. It shares similarities with XAgentOSX, another tool attributed to the same actor. The authors of this malware named it Komplex, which was discover
Cannon (Unspecified, 1 vote): Cannon is a trojan that Sofacy deployed alongside Zebrocy in late 2018. Unlike Zebrocy it uses email (SMTP to send, POP3 to receive) rather than HTTP for command and control: the malware sends an email to a specific address with a unique system identifier as the subject and a file path for the
Zebrocy (Unspecified, 1 vote): Zebrocy is a well-documented first-stage trojan that gathers specific system information and sends it to its command-and-control (C2) server in an HTTP POST request. The variant described also captures a screenshot of the victim's host and transmits i
XAgentOSX (Unspecified, 1 vote): XAgentOSX, Sofacy's XAgent macOS tool, is a backdoor that, according to Palo Alto Networks research, was developed by the same actor who created the Komplex tool; it gives the actor remote access to infected macOS hosts.
Fysbis (Unspecified, 1 vote): Fysbis is a modular Linux trojan/backdoor identified in late 2014 and associated with the Sofacy advanced persistent threat group. It can install itself on a victim's system with or without root privileges, choosing its persistence method accordingly.
CORESHELL (Unspecified, 1 vote): CORESHELL is a downloader in the Sofacy toolset, an evolution of the earlier SOURFACE downloader, used to gain an initial foothold and retrieve further tools for data theft.
SPLM (Unspecified, 1 vote): SPLM, also known as XAgent or CHOPSTICK, is a modular backdoor deployed by the Sofacy group. The group expanded its arsenal in 2013, adding SPLM alongside other backdoors and tools such as CORESHELL, JHUHUGIT and AZZY. These campaigns hav
MiniDuke (Unspecified, 1 vote): MiniDuke is malware of the Dukes (APT29), the actor also responsible for CozyDuke and CosmicDuke, and is not a Sofacy tool. The "relatively tiny implant known as Sofacy or SOURFACE" first observed in 2011-2012 is Sofacy's own early implant and a separate family.
USBStealer (Unspecified, 1 vote): No description is given here. USBStealer is the Sofacy tool, documented by ESET, that uses removable media to carry files out of air-gapped systems.
ADVSTORESHELL (Unspecified, 1 vote): No description is given here. ADVSTORESHELL, also known as Sedreco, is a Sofacy backdoor closely related to the AZZY implant.
Mosquito (Unspecified, 1 vote): Mosquito is a backdoor attributed to Turla rather than Sofacy. It is associated here because Kaspersky's 2018 reporting observed Sofacy's Zebrocy on hosts that Turla had also compromised with Mosquito.
StrongPity (Unspecified, 1 vote): StrongPity is malware of a different actor, active for over a decade and possibly linked to the Turkish government; it appears here through co-occurrence in APT trend reporting rather than use by Sofacy.
XAgent (Unspecified, 1 vote): XAgent is a modular backdoor developed by the Sofacy group, also known as APT28 or Fancy Bear. It was added to the group's arsenal in 2013 alongside other backdoors and tools such as CORESHELL, SPLM (another name for XAgent, also known as CHOPSTICK), JHUHUGIT and AZZY. XAgent is
Carberp (Unspecified, 1 vote): Carberp is a banking trojan whose source code leaked in 2013 and has since been reused and modified by many actors. It is relevant to Sofacy because the group's JHUHUGIT first-stage implant borrows code from the Carberp sources.
XTunnel (Unspecified, 1 vote): XTunnel is a tunnelling tool that gives the actor access to a compromised environment through a back connection the malware opens to a command-and-control (C2) server. IRON TWILIGHT installed XTunnel as a CORESHELL child process on an already compromised sy
JHUHUGIT (Unspecified, 1 vote): JHUHUGIT is a first-stage implant used in Sofacy attacks. It became relatively widespread and was also delivered with a Java zero-day in July 2015. Sofacy expanded its arsenal in 2013 by adding more backdoors and tools, including CORESHELL,
AZZY (Unspecified, 1 vote): AZZY is a backdoor implant developed by the Sofacy group. In 2015 Kaspersky identified a new release of the AZZY implant that was largely undetected by anti-malware products at the time. This version first appea
DealersChoice (Unspecified, 1 vote): DealersChoice is an exploit-delivery platform used by the Sofacy group, initially sent as an attachment to spearphishing emails. It was first used in late 2016, often against military, military-technology and manufacturing entities, with a particula
Associated Threat Actors
Name (type, votes): profile description
Fancy Bear (Unspecified, 3 votes): Fancy Bear is a sophisticated Russia-based threat actor, also known as Sofacy or APT28, that has been active since the mid-2000s. It is responsible for targeted intrusion campaigns against the aerospace, defense, energy, government and media sectors. At the DNC, both Cozy Bear and Fancy Be
Nomadic Octopus (Unspecified, 1 vote): Nomadic Octopus, a suspected Russian advanced persistent threat (APT) group, has been engaged in a cyber-espionage campaign known as Paperbug since 2020. The group infiltrated a Tajikistani carrier to spy on government officials and public service infrastructure, compromising government networks, i
CozyDuke (Unspecified, 1 vote): CozyDuke, a name also used for Cozy Bear or APT29, is a prominent threat actor recognized for its operations against Western government organizations and a variety of industries. The group has successfully infiltrated the unclassified networks of several high-profile entities, including the White
Turla (Unspecified, 1 vote): Turla, also known as Pensive Ursa, is a sophisticated Russia-linked threat actor that has been active for many years. The group is known for its advanced cyber-espionage capabilities and has been associated with numerous high-profile breaches. According to the MITRE ATT&CK and MITRE Ingenuity dat
DustSquad (Unspecified, 1 vote): DustSquad, also known as Nomadic Octopus, is a threat actor implicated in several cyber-espionage campaigns. Throughout 2018 DustSquad targeted political entities in Central Asia with its Octopus malware, alongside other actors active in the region such as IndigoZebra and Sofacy. This was revealed
Tsar Team (Unspecified, 1 vote): No description is given here; Tsar Team is iSIGHT Partners' name for this same cluster.
IRON TWILIGHT (Unspecified, 1 vote): IRON TWILIGHT is the Secureworks Counter Threat Unit (CTU) name for a threat actor believed to be associated with the GRU, Russia's military intelligence agency. This association has been suggested by various researchers, including those from CrowdStrike and CTU, based on the characteristics of the group's activities. The group became particularly a
APT29 (Unspecified, 1 vote): APT29, also known as Cozy Bear, SVR group, BlueBravo, Nobelium, Midnight Blizzard and The Dukes, is a Russia-linked threat actor. It has been associated with several high-profi
Swallowtail (Unspecified, 1 vote): No description is given here; Swallowtail is Symantec's name for this group.
Associated Vulnerabilities
Identifier (type, votes): profile description
CVE-2017-0262 (Unspecified, 1 vote): No description is given here. CVE-2017-0262 is a remote code execution flaw in the EPS image filter of Microsoft Office that Sofacy exploited in 2017 spearphishing documents, chained with CVE-2017-0263.
CVE-2017-0263 (Unspecified, 1 vote): No description is given here. CVE-2017-0263 is a privilege-escalation vulnerability in the Windows win32k kernel component, used with CVE-2017-0262 to gain elevated privileges after the initial document exploit.
CVE-2015-2590 (Unspecified, 1 vote): No description is given here. CVE-2015-2590 is the Java zero-day exploited in July 2015 that is referenced in the JHUHUGIT entry above.
Source Document References
Information about the Sofacy threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created at | Title
Securityaffairs | a year ago | APT28 hacked Roundcube email servers of Ukrainian entities
CERT-EU | a year ago | Chinese Hacker Group 'Flea' Targets American Ministries with Graphican Backdoor
MITRE | a year ago | Russia-Linked Hackers Target Diplomatic Entities in Central Asia
MITRE | a year ago | XAgentOSX: Sofacy's XAgent macOS Tool
MITRE | a year ago | Octopus-infested seas of Central Asia
MITRE | a year ago | APT trends report Q1 2020
MITRE | a year ago | APT Trends report Q1 2018
MITRE | a year ago | Our Work with the DNC: Setting the record straight
MITRE | a year ago | Introducing WhiteBear
MITRE | a year ago | Sofacy Uses DealersChoice to Target European Government Agency
MITRE | a year ago | Sofacy APT hits high profile targets with updated toolset
MITRE | a year ago | IRON TWILIGHT Supports Active Measures
MITRE | a year ago | Sofacy Group's Parallel Attacks
MITRE | a year ago | A Slice of 2017 Sofacy Activity
MITRE | a year ago | APT Trends report Q2 2017
MITRE | a year ago | Mac Malware of 2017
MITRE | a year ago | A Look Into Fysbis: Sofacy's Linux Backdoor
MITRE | a year ago | Sofacy Attacks Multiple Government Entities
MITRE | a year ago | Sofacy Continues Global Attacks and Wheels Out New 'Cannon' Trojan
MITRE | a year ago | Dear Joohn: The Sofacy Group's Global Campaign