S0251: Zebrocy
Analyst context for executives and security teams
Zebrocy matters because ATT&CK describes it as a Windows Trojan used by APT28 since at least November 2015, with multiple language variants. For leaders, the defensive value is not the malware name alone; it is the behavior cluster around discovery, persistence, command execution, collection, command-and-control, and exfiltration. If an organization cannot see registry queries, WMI or command-shell execution, scheduled tasks or logon-script persistence, local staging, and web or mail protocol C2 patterns on Windows endpoints, it may struggle to investigate this family of activity or produce credible incident and audit evidence.
Executive priority
Prioritize Zebrocy as a validation case for Windows endpoint visibility, SOC readiness, and incident response evidence quality. The ATT&CK relationships show behaviors that can support credential access, persistence, data collection, and exfiltration over C2 channels, so the business question is whether security teams can rapidly prove scope: which host executed suspicious commands, what persistence was created, what data may have been staged, and what external communications occurred. This is especially relevant for control investment decisions around EDR, centralized Windows logging, network monitoring, and response playbooks.
Technical view
ATT&CK provides no official detection text for Zebrocy, so defenders should build coverage around the related techniques rather than a single signature. Validate Windows telemetry for Query Registry, WMI, Windows Command Shell, Scheduled Task, Windows logon script persistence, process and system discovery, file and directory enumeration, screen capture, local data staging, file deletion, ingress tool transfer, and C2 over web or mail protocols. Because the malware is described as having C++, Delphi, AutoIt, C#, VB.NET, and Golang variants, detection engineering should avoid relying only on static file indicators and should emphasize behavioral correlations across execution, persistence, discovery, collection, and outbound communications.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Windows Registry access and modification events, especially persistence-relevant keys
- WMI activity logs and process ancestry involving WMI execution
- Scheduled task creation, modification, and execution records
- Logon script configuration and execution evidence
Detection direction
- Correlate discovery-heavy activity with subsequent persistence, staging, and outbound C2 rather than alerting on common administrative commands in isolation.
- Tune for unusual WMI, cmd.exe, scheduled task, and registry activity by user, host role, parent process, and execution context to reduce false positives from normal administration.
- Confirm whether endpoint tooling records enough command-line, file, registry, and network context to reconstruct an incident timeline after file deletion or tool transfer.
- Review direct mail protocol use from endpoints; in many environments this is uncommon and may be higher signal, but exceptions must be baselined.
- Treat packed or variant binaries as a blind spot for static detection and validate memory/behavioral analytics where available.
Mitigation priorities
- Start with visibility: ensure Windows endpoints, network egress points, and identity-relevant systems produce centralized, retained telemetry for the behaviors listed in the ATT&CK relationships.
- Harden and monitor persistence paths including scheduled tasks and Windows logon scripts, with change control for legitimate administrative use.
- Restrict and monitor high-risk execution paths such as WMI and command shell usage where business operations allow.
- Apply least privilege and administrative separation so discovery and persistence attempts from standard user contexts are easier to detect and contain.
- Control outbound communications by enforcing proxying, DNS logging, and egress rules for web and mail protocols instead of allowing unrestricted endpoint connections.
Analyst notes and limits
This take is based on the supplied ATT&CK malware object, external references, and relationship context. The most decision-useful context is that Zebrocy is a Windows Trojan associated in ATT&CK with APT28 use and a broad set of related techniques spanning discovery, execution, persistence, collection, C2, exfiltration, and stealth. The object does not provide official detection guidance, so recommendations are framed as validation directions derived from related ATT&CK techniques, not as confirmed detections for every Zebrocy variant.
The supplied object lists Windows as the malware platform and does not specify tactics directly. Several related techniques have broader platform listings, but this take does not expand Zebrocy beyond Windows. No active exploitation status, customer exposure, specific indicators of compromise, campaign targeting, or guaranteed detection coverage is provided in the supplied fields. Local baselines, logging configuration, and environment-specific use of administrative tools are required to judge alert fidelity.
Zebrocy
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1124 | System Time Discovery | Zebrocy gathers the current time zone and date information from the system. (Citation: ESET Zebrocy Nov 2018)(Citation: CISA Zebrocy Oct 2020) |
| Enterprise | T1057 | Process Discovery | Zebrocy uses the |
| Enterprise | T1047 | Windows Management Instrumentation | One variant of Zebrocy uses WMI queries to gather information. (Citation: Unit42 Sofacy Dec 2018) |
| Enterprise | T1049 | System Network Connections Discovery | Zebrocy uses |
| Enterprise | T1105 | Ingress Tool Transfer | Zebrocy obtains additional code to execute on the victim's machine, including the downloading of a secondary payload. (Citation: Palo Alto Sofacy 06-2018)(Citation: Unit42 Cannon Nov 2018)(Citation: ESET Zebrocy May 2019)(Citation: Accenture SNAKEMACKEREL Nov 2018) |
| Enterprise | T1113 | Screen Capture | A variant of Zebrocy captures screenshots of the victim’s machine in JPEG and BMP format. (Citation: Unit42 Cannon Nov 2018)(Citation: ESET Zebrocy Nov 2018)(Citation: Unit42 Sofacy Dec 2018)(Citation: ESET Zebrocy May 2019)(Citation: Accenture SNAKEMACKEREL Nov 2018)(Citation: CISA Zebrocy Oct 2020) |
| Enterprise | T1120 | Peripheral Device Discovery | Zebrocy enumerates information about connected storage devices. (Citation: Unit42 Cannon Nov 2018) |
| Enterprise | T1033 | System Owner/User Discovery | Zebrocy gets the username from the system. (Citation: ESET Zebrocy Nov 2018)(Citation: CISA Zebrocy Oct 2020) |
| Enterprise | T1056.004 | Credential API Hooking Sub-technique | Zebrocy installs an application-defined Windows hook to get notified when a network drive has been attached, so it can then use the hook to call its RecordToFile file stealing method. (Citation: Securelist Sofacy Feb 2018) |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Zebrocy has exfiltrated data to the designated C2 server using HTTP POST requests. (Citation: Accenture SNAKEMACKEREL Nov 2018)(Citation: CISA Zebrocy Oct 2020) |
| Enterprise | T1082 | System Information Discovery | Zebrocy collects the OS version and computer name. Zebrocy also runs the |
| Enterprise | T1071.003 | Mail Protocols Sub-technique | Zebrocy uses SMTP and POP3 for C2. (Citation: Palo Alto Sofacy 06-2018)(Citation: Unit42 Cannon Nov 2018)(Citation: ESET Zebrocy Nov 2018)(Citation: Unit42 Sofacy Dec 2018)(Citation: ESET Zebrocy May 2019) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Zebrocy uses HTTP for C2. (Citation: Palo Alto Sofacy 06-2018)(Citation: Unit42 Cannon Nov 2018)(Citation: ESET Zebrocy Nov 2018)(Citation: Unit42 Sofacy Dec 2018)(Citation: ESET Zebrocy May 2019)(Citation: Accenture SNAKEMACKEREL Nov 2018) |
| Enterprise | T1016 | System Network Configuration Discovery | Zebrocy runs the |
| Enterprise | T1083 | File and Directory Discovery | Zebrocy searches for files that are 60 MB and less and contain the following extensions: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .exe, .zip, and .rar. Zebrocy also runs the |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | Zebrocy creates an entry in a Registry Run key for the malware to execute on startup. (Citation: ESET Zebrocy Nov 2018)(Citation: ESET Zebrocy May 2019)(Citation: Accenture SNAKEMACKEREL Nov 2018) |
| Enterprise | T1027.002 | Software Packing Sub-technique | Zebrocy's Delphi variant was packed with UPX. (Citation: Unit42 Sofacy Dec 2018)(Citation: Accenture SNAKEMACKEREL Nov 2018) |
| Enterprise | T1680 | Local Storage Discovery | Zebrocy collects the serial number for the storage volume C:\. (Citation: Palo Alto Sofacy 06-2018)(Citation: Unit42 Cannon Nov 2018)(Citation: ESET Zebrocy Nov 2018)(Citation: Unit42 Sofacy Dec 2018)(Citation: ESET Zebrocy May 2019)(Citation: Accenture SNAKEMACKEREL Nov 2018)(Citation: CISA Zebrocy Oct 2020) |
| Enterprise | T1560 | Archive Collected Data | Zebrocy has used a method similar to RC4 as well as AES for encryption and hexadecimal for encoding data before exfiltration. (Citation: Securelist Sofacy Feb 2018)(Citation: ESET Zebrocy Nov 2018)(Citation: CISA Zebrocy Oct 2020) |
| Enterprise | T1037.001 | Logon Script (Windows) Sub-technique | Zebrocy performs persistence with a logon script via adding to the Registry key |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | Zebrocy uses cmd.exe to execute commands on the system. (Citation: ESET Zebrocy May 2019)(Citation: CISA Zebrocy Oct 2020) |
| Enterprise | T1573.002 | Asymmetric Cryptography Sub-technique | Zebrocy uses SSL and AES ECB for encrypting C2 communications. (Citation: ESET Zebrocy Nov 2018)(Citation: ESET Zebrocy May 2019)(Citation: CISA Zebrocy Oct 2020) |
| Enterprise | T1074.001 | Local Data Staging Sub-technique | Zebrocy stores all collected information in a single file before exfiltration. (Citation: ESET Zebrocy Nov 2018) |
| Enterprise | T1012 | Query Registry | Zebrocy executes the |
| Enterprise | T1070.004 | File Deletion Sub-technique | Zebrocy has a command to delete files and directories. (Citation: ESET Zebrocy Nov 2018)(Citation: ESET Zebrocy May 2019)(Citation: CISA Zebrocy Oct 2020) |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | Zebrocy has used URL/Percent Encoding on data exfiltrated via HTTP POST requests. (Citation: Accenture SNAKEMACKEREL Nov 2018) |
| Enterprise | T1135 | Network Share Discovery | Zebrocy identifies network drives when they are added to victim systems. (Citation: Securelist Sofacy Feb 2018) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | |
| Enterprise | T1119 | Automated Collection | Zebrocy scans the system and automatically collects files with the following extensions: .doc, .docx, .xls, .xlsx, .pdf, .pptx, .rar, .zip, .jpg, .jpeg, .bmp, .tiff, .kum, .tlg, .sbx, .cr, .hse, .hsf, and .lhz. (Citation: ESET Zebrocy Nov 2018)(Citation: ESET Zebrocy May 2019) |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | Zebrocy has a command to create a scheduled task for persistence. (Citation: CISA Zebrocy Oct 2020) |
| Enterprise | T1555.003 | Credentials from Web Browsers Sub-technique | Zebrocy has the capability to upload dumper tools that extract credentials from web browsers and store them in database files. (Citation: ESET Zebrocy May 2019) |
Groups, software, and campaigns
G0007: APT28
APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1][2] This group has been active since at least 2004.[3][4][5][6][7][8][9][10][11][12][13]
APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[14] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 3.1 | | Current bundle | 82f36f10b4ed… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Palo Alto Sofacy 06-2018: Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
- [2] Unit42 Cannon Nov 2018: Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
- [3] Unit42 Sofacy Dec 2018: Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019.
- [4] CISA Zebrocy Oct 2020: CISA. (2020, October 29). Malware Analysis Report (AR20-303B). Retrieved December 9, 2020.
- [5] Accenture SNAKEMACKEREL Nov 2018: Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
- [6] CyberScoop APT28 Nov 2018: Shoorbajee, Z. (2018, November 29). Accenture: Russian hackers using Brexit talks to disguise phishing lures. Retrieved July 16, 2019.
- [7] Zebrocy (Citation: Palo Alto Sofacy 06-2018)(Citation: Unit42 Cannon Nov 2018)
- [8] Zekapab (Citation: CyberScoop APT28 Nov 2018)(Citation: Accenture SNAKEMACKEREL Nov 2018)
- [9] mitre-attack S0251
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.