Originally identified by QuoIntelligence, APT28 has been distributing Zebrocy malware to NATO members using NATO course themed lures. This campaign ran on August 5th, and the lure arrived on the system as a JPEG file with a zip archive appended to the end of it. Email threat scanners that only inspect the first few bytes (the JPEG magic bytes) of an attachment are fooled into misidentifying it as a simple JPEG image. The file was then given the extension “.zipx”, which let WinRAR open it as a zip archive and decompress it, effectively ignoring the JPEG image at the start of the file. The zip archive contains two malware files, “16 October 2020.exe” and “16 October 2020.xls”. The EXE file used a PDF icon, which could make it particularly convincing if file extensions are hidden. Additionally, the xls file is corrupted, but contains unconfirmed data about the military mission “African Union Mission for Somalia”.
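The JPEG-with-a-zip-appended trick works because a JPEG parser trusts the leading bytes while a zip reader locates the archive from its end-of-central-directory record at the tail, so both tools are "right" about the same file. The following is an added example, not code from the original article or from QuoIntelligence, of a defender-side check that classifies an attachment by everything it contains rather than by its first bytes or extension. The sample polyglot is constructed in memory: a dummy JPEG-looking stub with an archive appended whose member names echo the ones named above and whose member contents are placeholder bytes; `analyze_attachment` and `build_sample_polyglot` are names chosen for this example. Python's `zipfile` tolerates prepended data for the same reason WinRAR does, which is exactly what the detection relies on.

```python
import io
import zipfile

JPEG_SOI = b"\xff\xd8\xff"          # JPEG start-of-image marker: what a naive scanner keys on
ZIP_LOCAL_HEADER = b"PK\x03\x04"    # first bytes of a zip local file header
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta")


def build_sample_polyglot() -> bytes:
    """Constructed sample: a minimal JPEG-looking stub followed by a real zip archive.

    The member names mirror the campaign's file names; the member bodies are
    placeholder bytes, not the actual malware.
    """
    jpeg_stub = (
        b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
        + b"\x00" * 64
        + b"\xff\xd9"  # end-of-image marker: the image "ends" here, the file does not
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("16 October 2020.exe", b"MZ" + b"\x00" * 32)
        zf.writestr("16 October 2020.xls", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return jpeg_stub + buf.getvalue()


def analyze_attachment(data: bytes, filename: str) -> dict:
    """Classify an attachment by its full content.

    Returns a dict with the individual signals plus an overall verdict:
    'polyglot' (JPEG header AND a parseable zip), 'zip', 'jpeg', or 'unknown'.
    """
    looks_like_jpeg = data.startswith(JPEG_SOI)

    # A zip reader finds the archive from the end of the file, so prepended
    # data does not stop it; zipfile.is_zipfile mirrors that behaviour.
    zip_offset = data.find(ZIP_LOCAL_HEADER)
    has_zip = zip_offset != -1 and zipfile.is_zipfile(io.BytesIO(data))

    members = []
    if has_zip:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
    executable_members = [m for m in members if m.lower().endswith(EXECUTABLE_EXTS)]

    # Extension says "archive" while the leading bytes say "image": the
    # .zipx renaming described in the article.
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    extension_mismatch = looks_like_jpeg and ext in ("zip", "zipx")

    if looks_like_jpeg and has_zip:
        verdict = "polyglot"
    elif has_zip:
        verdict = "zip"
    elif looks_like_jpeg:
        verdict = "jpeg"
    else:
        verdict = "unknown"

    return {
        "looks_like_jpeg": looks_like_jpeg,
        "embedded_zip_offset": zip_offset,
        "zip_members": members,
        "executable_members": executable_members,
        "extension_mismatch": extension_mismatch,
        "verdict": verdict,
    }


if __name__ == "__main__":
    sample = build_sample_polyglot()
    for key, value in analyze_attachment(sample, "nato_course.zipx").items():
        print(f"{key}: {value}")
```

The practical lesson for a mail gateway or sandbox is to run every container parser the endpoint might run (zip, RAR, 7z, OLE) against the whole attachment regardless of the magic bytes, and to treat a positive hit from more than one format, or an archive extension on an image-headed file, as a signal in its own right rather than trusting the first classifier that matches.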
By Anthony Zampino

Introduction

Leading up to the most recent Russian invasion of Ukraine in