Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Russian Hackers Use Fake NATO Training Docs to Breach Govt Networks

Russian Hackers Use Fake NATO Training Docs to Breach Govt Networks


A Russian hacker group known by names, APT28, Fancy Bear, Sofacy, Sednit, and STRONTIUM, is behind a targeted attack campaign aimed at government bodies.

The group delivered a hard-to-detect strand of Zebrocy Delphi malware under the pretense of providing NATO training materials.

Researchers further inspected the files containing the payload and discovered these impersonated JPG files showing NATO images when opened on a computer.

Impersonates NATO training materials

In August this year, Qi’anxin Red Raindrops team reported discovering an APT28 campaign which delivered Zebrocy malware disguised as NATO training course materials.

Also Read: Management Training PDF for Effective Managers and Leaders

However, threat intelligence company QuoIntelligence had alerted its customers in the government sector of this campaign as early as August 8th, before information on this campaign was made public.

QuoIntelligence researchers have provided BleepingComputer with further analysis and deduced with medium-high confidence that the campaign targeted at least one Middle Eastern country Azerbaijan, among other NATO countries.

“Although Azerbaijan is not a NATO member, it closely cooperates with the North-Atlantic organizations and participates in NATO exercises. Further, the same campaign very likely targeted other NATO members or countries cooperating with NATO exercises,” stated the company.

On discovering the malicious activity, QuoIntelligence had reported their findings to the French law enforcement bodies.

More than an image, dangerously so

The malicious file distributed by APT28 is titled, “Course 5 – 16 October 2020.zipx” 

Naturally, to an unsuspecting user, this would appear to be a ZIP bundle containing course materials. 

In our test, BleepingComputer further noticed when renamed to “.jpg,” the ZIP archive behaves almost like a legitimate image file. 

This is because, as QuoIntelligence researchers have explained, the file comprises a legitimate JPG image with a ZIP archive appended to it.

APT28 malwar
When renamed to a JPG, the ZIP archive behaves entirely as an image
Source: BleepingComputer

The file metadata and properties also show an “image/jpeg” MIME type with references to “JPEG image data.”

“This technique works because JPEG files are parsed from the beginning of the file and some Zip implementations parse Zip files from the end of the file (since the index is located there) without looking at the signature in the front,” the researchers explain.

At the time of analyses by both Qi’anxin Red Raindrops team and QuoIntelligence, the malware sample had a very low detection rate of 3/61 on VirusTotal.

Even today, less than half of the known antivirus engines are flagging the infection on VirusTotal, as observed by BleepingComputer:

apt28 malware detection low
Even today the malware sample showed a 24/60 detection rate on VirusTotal
Source: BleepingComputer

“The technique is also used by threat actors to evade AVs, or other filtering systems since they might mistake the file for a JPEG and skip it.”

When extracted the ZIP contains a corrupted Excel (.xls) file and another file with the same name “Course 5 – 16 October 2020” but an EXE extension.

On Windows systems, the “Course 5 – 16 October 2020.exe” file shows a PDF icon (executables allow usage of custom file icons on Windows).

QuoIntelligence researchers hypothesize this might be an intentional tactic employed by the hacking group, and similar techniques to bypass email gateways have been seen in the past.

By providing course materials in a ZIP file that has a deliberately corrupted XLS file may tempt the user into double-clicking what looks like a PDF—the EXE file.

Steals and uploads private data to the server

Zebrocy, used by this campaign, is a persistent malware infection and a backdoor known to carry multiple capabilities, such as system reconnaissance, file creation/modification, taking screenshots on the infected machine, arbitrary command execution, and creating Windows scheduled tasks.

The sample is also known to drop multiple files on an infected system making it “quite loud” as in, its activities raise alarms of leading security products.

In this case, Zebrocy payload (present in “Course 5 – 16 October 2020.exe”) works by replicating itself into “%AppData%\Roaming\Service\12345678\sqlservice.exe” and further adds a randomized 160-byte blob to the newly generated file. The padded data makes hash-based detection by signature-based antivirus engines hard by altering the resulting file’s checksum.

Further, the malware created a Windows scheduled task which runs every minute posting stolen data to the Command & Control (C2) server, state the researchers:

“The task runs regularly and tries to POST stolen data (e.g. screenshots) to hxxp://194.32.78[.]245/protect/get-upd-id[.]php”

The data transmitted by the malware appeared to have obfuscated and encrypted bytes but a numerical ID (12345678 in this example) remained constant between requests.

Request showing data transferred by the malware
Request showing data transferred by the malware
Source: QuoIntelligence

The researchers suspect this is a unique identifier of the infected machine included in every request by the malware.

Suspicion: Azerbaijan government targeted

QuoIntelligence suspects this malware targeted Azerbaijan government bodies based on a previous ReconHellcat campaign analyzed by the company.

The three similarities between these samples provide medium-high confidence to the researchers that this attack was aimed at a specific government organization, at least in Azerbaijan: 

  • Both the compressed Zebrocy malware and the OSCE-themed lure used to drop the BlackWater backdoor were uploaded the same day, on 5 August.
  • Both samples were uploaded by the same user in Azerbaijan and are highly likely by the same organization.
  • Both attacks happened in the same timeframe.

A complete list of Indicators of Compromise (IOCs),  IDS detection rule(s), and detailed research findings have been provided by QuoIntelligence.

Also Read: Personal Data Websites: 3 Things That You Must Be Informed



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us