A journey to Zebrocy land

ESET sheds light on commands used by the favorite backdoor of the Sednit group



What happens when a victim is compromised by a backdoor and the operator is controlling it? It’s a difficult question that cannot be answered entirely by reverse engineering the code alone. In this article we analyze the commands the operator sends to their targets.


The Sednit group – also known as APT28, Fancy Bear, Sofacy or STRONTIUM – has been operating since at least 2004 and has made headlines frequently in past years.


Recently, we unveiled the existence of a UEFI ..