
Zebrocy

Also known as: Zekapab

According to Brandefense, Zebrocy is a Trojan that the threat actor group APT28/Sofacy has used since 2015. It consists of three main components: a Dropper, a Downloader, and a Backdoor. The Dropper and Downloader handle the initial discovery (host reconnaissance) stage and retrieve the main payload onto the compromised system, while the Backdoor provides persistence, espionage capabilities, and data exfiltration.

Zebrocy is not a new family: over its lifetime it has been reimplemented in several languages, including Delphi, C#, Visual C++, VB.NET, and Go (Golang). This is consistent with the practice of advanced threat groups periodically rewriting the tools in their kits in new languages and technologies, which tends to defeat existing static signatures and complicates tracking of the family.

Linked Threat Actors

APT28

C2 Infrastructure

Share of observed C2 hosts by network type:

ISP/Residential: 87%
Hosting/VPS: 12%
Unknown: 1%

C2 hosts observed in the last 7 days (as of Jun 5, 2026): 142

Further Reading

brandefense.io
cocomelonc.github.io
github.com
ics-cert.kaspersky.com
meltx0r.github.io
mp.weixin.qq.com (2 articles)
quointelligence.eu
research.checkpoint.com
researchcenter.paloaltonetworks.com
securelist.com (5 articles)
symantec-blogs.broadcom.com
ti.qianxin.com
unit42.paloaltonetworks.com (3 articles)
us-cert.cisa.gov
accenture.com
blackberry.com
bleepingcomputer.com
intezer.com (2 articles)
macnica.net
secureworks.com
vkremez.com (2 articles)
welivesecurity.com (4 articles)