Sednit update: Analysis of Zebrocy

released on 2018-04-24 @ 01:28:29 PM
The Sednit group – also known as APT28, Fancy Bear, Sofacy or STRONTIUM – is a group of attackers that has been operating since 2004, if not earlier, and whose main objective is to steal confidential information from specific targets. Toward the end of 2015, we started seeing a new component deployed by the group: a downloader for the main Sednit backdoor, Xagent. Kaspersky first mentioned this component in 2017 in their APT trend report and recently wrote an article where they briefly described it under the name Zebrocy. This new component is a family of malware comprising downloaders and backdoors written in Delphi and AutoIt. These components play the same role in the Sednit ecosystem as Seduploader: that of first-stage malware.