This article is more than 1 year old

The Russians are at it again: Zebrocy backdoor malware is evolving, Uncle Sam warns close to eve of presidential election

Yep, it's the artists occasionally known as APT28

The US government, in full pre-presidential election high alert, has issued a warning about an evolved strain of backdoor malware from a Russian offensive cyber unit.

The Zebrocy backdoor, warned the CISA infosec agency, has evolved – and while the agency didn't explicitly link it to Russia, previous research from the private sector made it abundantly clear who the malware's operators are.

"Two Windows executables identified as a new variant of the Zebrocy backdoor were submitted for analysis. The file is designed to allow a remote operator to perform various functions on the compromised system," said the CISA in an advisory published overnight.

The EXEs spotted doing the rounds are "designed to encrypt future communication" using AES-128 and could be used by malicious people, such as Russia's GRU spy agency, for purposes including file enumeration, screenshotting and creating scheduled tasks for achieving persistence on a target system or network.

ESET researcher Alexis Dorais-Joncas told The Register: "The CISA warning is a good and accurate summary of the malware's capabilities attributed to the Zebrocy toolset. The two files mentioned in the advisory were used in attacks that took place in summer 2019 against usual targets in Eastern European and Central Asian countries."

In its latest threat intel report ESET said Zebrocy's operators "took inspiration" from a NATO event to devise a new lure for "one of their downloaders written in [the programming language] Nim". It added: "This campaign is similar to their usual modus operandi, a phishing email with an archive attached. Luring the victim to expect a benign document, the attackers provide an executable with a PDF icon, but which is actually a malicious downloader leading to a potential backdoor as the final stage."

Previous ESET research published in September last year showed how the Kremlin-backed APT28 hacking crew, more precisely identified by the British and US governments as including GRU unit 74455, went into detail about Zebrocy's lures and functionality.

Despite numerous government-level attribution campaigns, Russian state-backed hackers simply won't stop. While criminal charges have been laid against some individuals the deterrent effect appears to be minimal – meaning this won't be the last public warning about the crew's activities. ®

More about

More about

More about


Send us news

Other stories you might like