Sofacy Group

Threat Actor Profile Updated a month ago
The Sofacy Group, also known as APT28, Fancy Bear, Pawn Storm, Sednit, BlueDelta, and STRONTIUM, is a significant threat actor in the global cybersecurity landscape. Active since at least 2007, this group has targeted governments, militaries, and security organizations worldwide. The group's activities demonstrate a sophisticated understanding of cyber warfare tactics, including the development and deployment of various malicious tools designed to compromise system security and steal valuable data. The group has developed a number of unique tools to aid their campaigns, including Komplex, a Trojan used to compromise OS X devices. Additionally, they have been observed using a new Trojan called Cannon, which utilizes a novel email-based C2 communication channel. This Trojan had not been previously associated with the Sofacy group, highlighting their ongoing evolution and adaptation. They have also created new AZZY backdoors with side-DLL for command and control (C&C), and have deployed a new set of data-theft modules against their victims. The Sofacy group continues to enhance their toolset and conduct attack campaigns on multiple platforms. Their use of consistent hosting services for their infrastructure suggests an established operational base. Notably, CrowdStrike linked the group to the attack on the Democratic National Committee, further underscoring their capability to target high-profile entities. As such, the Sofacy group remains a potent threat in the cybersecurity realm, necessitating continued vigilance and robust security measures from potential targets.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.

ID | Votes | Profile Description
APT28 | 3 | APT28, also known as Fancy Bear, is a threat actor believed to be linked to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). This group has been implicated in several high-profile cyber-espionage activities. Notably, they were behind a large-scale malwar
Pawn Storm | 2 | Pawn Storm, also known as APT28, Fancy Bear, Sofacy Group, Sednit, BlueDelta, and STRONTIUM, is a threat actor that has been active since at least 2007. This group is notorious for targeting governments, militaries, and security organizations worldwide. In recent years, the methods employed by Pawn
Sednit | 2 | Sednit, also known as APT28, Fancy Bear, Strontium/Forest Blizzard, Pawn Storm, Sofacy, and BlueDelta, is a threat actor associated with Russia's military intelligence. Active since at least 2007, the group has targeted governments, militaries, and security organizations worldwide. ESET has shed lig
STRONTIUM | 1 | Strontium, also known as APT28, Fancy Bear, Forest Blizzard, and several other aliases, is a Russia-linked threat actor that has been active since at least 2007. This group, believed to be associated with the Russian General Staff Main Intelligence Directorate (GRU), has targeted governments, milita
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
State Sponso...
Trojan
Espionage
Windows
Beacon
Exploits
Malware
Phishing
Decoy
Exploit
Macos
Payload
Zero Day
Associated Malware
ID | Type | Votes | Profile Description
Xagent | Unspecified | 1 | XAgent is a sophisticated malware developed by the Sofacy group, also known as APT28 or Fancy Bear. This malicious software was added to the group's arsenal in 2013, alongside other backdoors and tools such as CORESHELL, SPLM (also known as Xagent or CHOPSTICK), JHUHUGIT, AZZY, and others. XAgent is
Zebrocy | Unspecified | 1 | Zebrocy is a well-documented Trojan malware that infiltrates systems to gather specific system information. Once installed, it sends the collected data to its Command and Control (C2) server via an HTTP POST request. The Zebrocy variant also captures a screenshot of the victim's host and transmits i
CORESHELL | Unspecified | 1 | Coreshell is a variant of Sofacy malware used by threat actors to compromise systems and steal sensitive information. Malware, like Coreshell, can infect computer systems through suspicious downloads, emails, or websites. Once inside, it can disrupt operations, steal personal information, or hold da
ADVSTORESHELL | Unspecified | 1 | None
Splm | Unspecified | 1 | SPLM, also known as XAgent or CHOPSTICK, is a sophisticated malware variant deployed by the Sofacy group. The group, notorious for its cyber espionage campaigns, expanded its arsenal in 2013, adding SPLM among other backdoors and tools such as CORESHELL, JHUHUGIT, AZZY, and more. These campaigns hav
Komplex | Unspecified | 1 | Komplex is a form of malware believed to be used by the Sofacy group, a cyber espionage group. This backdoor Trojan targets macOS systems and shares similarities with XAgentOSX, another tool supposedly developed by the same actor. The authors of this malware have named it Komplex, which was discover
Cannon | Unspecified | 1 | The Cannon malware is a sophisticated and harmful program designed to infiltrate computer systems, often through suspicious downloads, emails, or websites. The actor initiates the attack by sending an email to a specific address with a unique system identifier as the subject and a file path for the
JHUHUGIT | Unspecified | 1 | Jhuhugit is a type of malware that was used in Sofacy attacks as a first-stage implant. It became relatively popular and was also used with a Java zero-day in July 2015. The Sofacy group, which utilized jhuhugit, expanded their arsenal in 2013 by adding more backdoors and tools, including CORESHELL,
DealersChoice | Unspecified | 1 | DealersChoice is a malicious software (malware) used by the Sofacy threat group, initially deployed as malware via an attachment to a spearphishing email. The malware was first utilized in late 2016, often targeting military or military-technology and manufacturing related entities, with a particula
Carberp | Unspecified | 1 | Carberp is a notable malware that has been widely used and modified by various threat actors. Its source code, which was leaked in 2013, has become the basis for a multitude of other malicious software due to its sophisticated design and capabilities. The malware can infiltrate systems through dubio
Azzy | Unspecified | 1 | Azzy is a malware implant developed by the Sofacy group, known for its malicious activities aimed at exploiting and damaging computer systems. Earlier this year, we identified a new release of the Azzy implant that was largely undetected by anti-malware products at the time. This version first appea
XTunnel | Unspecified | 1 | XTunnel is a type of malware used by threat groups to gain secure access to compromised environments through a back connection created by the malware to a command and control (C2) server. IRON TWILIGHT, a known threat group, installed XTunnel as a Coreshell child process on an already compromised sy
Associated Threat Actors
ID | Type | Votes | Profile Description
Forest Blizzard | Unspecified | 1 | Forest Blizzard, also known as APT28, Fancy Bear, and Strontium, is a threat actor linked to the Russian General Staff Main Intelligence Directorate (GRU) and the 85th Main Special Service Center (GTsSS). The group has been involved in persistent espionage campaigns against European countries, which
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Sofacy Group Threat Actor was read from the documents corpus below. This display is limited to 20 results.

Source | Created At | Title
Securityaffairs | a month ago | APT28 targets key networks in Europe with HeadLace malware
Securityaffairs | 2 months ago | Russia-linked APT28 targets government Polish institutions
Securityaffairs | 2 months ago | NATO and the EU formally condemned APT28 cyber espionage
Securityaffairs | 3 months ago | Russia-linked APT28 used tool GooseEgg for to exploit Win bug
Securityaffairs | 7 months ago | Russia's APT8 exploited Outlook 0day to target EU NATO members
Securityaffairs | 7 months ago | Russia-linked APT28 group spotted exploiting Outlook flaw to hijack MS Exchange accounts
Securityaffairs | 9 months ago | ANSSI warns of Russia-linked APT28 attacks on French entities
MITRE | a year ago | XAgentOSX: Sofacy’s XAgent macOS Tool
MITRE | a year ago | Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan
Securityaffairs | a year ago | APT28 hacked Roundcube email servers of Ukrainian entities
DARKReading | a year ago | Russian Fancy Bear APT Exploited Unpatched Cisco Routers to Hack US, EU Gov't Agencies
MITRE | a year ago | Sofacy’s ‘Komplex’ OS X Trojan
MITRE | a year ago | Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag
Securityaffairs | a year ago | APT28 uses fake Windows Update instructions to target Ukraine
MITRE | a year ago | A Slice of 2017 Sofacy Activity
MITRE | a year ago | Sofacy APT hits high profile targets with updated toolset
MITRE | a year ago | Sofacy Uses DealersChoice to Target European Government Agency
Securityaffairs | a year ago | US and UK agencies warn of Russia-linked APT28 exploiting Cisco router flaws
MITRE | a year ago | Sofacy Group’s Parallel Attacks
MITRE | a year ago | A Look Into Fysbis: Sofacy’s Linux Backdoor