Press Center

Malware and antivirus software


Dissection of Sednit espionage group

Created: 2016-10-20 08:03:20

ESET researchers announce the staggered release of their extensive 3-part research paper “En-Route with Sednit” today. This infamous group of cyber-attackers— also known as APT28, Fancy Bear and Sofacy, has been operating since 2004; its main objective, stealing confidential information from specific targets.

  • Part 1: “En Route with Sednit: Approaching the Target” focuses on whom its phishing campaigns are aimed, the attack methods used and the first-stage malware we call SEDUPLOADER, composed of a dropper and its associated payload.
  • Part 2: “En Route with Sednit: Observing the Comings and Goings” covers Sednit’s activities since 2014 and looks at its espionage toolkit, used for the long-term monitoring of compromised computers via two spying backdoors SEDRECO and XAGENT, plus the network tool XTUNNEL.
  • Part 3: “En Route with Sednit: A Mysterious Downloader” describes the first-stage software named DOWNDELPH, which, according to our telemetry data has only been deployed seven times. Of note, some of these deployments employed advanced persistence methods: Windows bootkit and a Windows rootkit.
“ESET’s ongoing interest in these malevolent activities was born from the detection of an impressive number of custom software deployed by the Sednit group over the last two years,” said Alexis Dorais-Joncas, the ESET Security Intelligence team lead dedicated to exploring the mystery behind Sednit group. “Sednit's arsenal is in constant development; the group deploys brand-new software and techniques on a regular basis, while their flagship malware has also evolved significantly over the last years.”

According to ESET researchers, data collected from Sednit phishing campaigns show that more than 1,000 high-profile individuals involved in Eastern European politics were attacked. “Moreover, Sednit group, unlike any other espionage group before, developed its own exploit kit and deployed a surprisingly high number of 0-day exploits,” concluded Dorais-Joncas.

Over the past several years, the group’s high-profile activities have invited the considerable interest of many researchers in this field. Hence, the intended contribution of this document is to provide a readable technical description, with tightly grouped indicators of compromise (IOCs), available for immediate leverage by both researchers and defenders alike tasked with analyzing Sednit detections.

The whole 3-part paper is extensively backed-up on ESET’s GitHub account.

For further information, please visit ESET’s news portal, read introductory blogpost for Part 1, Part 2 & Part 3 or dive-deep into all 3-parts of the whitepaper:

Part 2: “En Route with Sednit: Observing the Comings and Goings”
Part 3: “En Route with Sednit: A Mysterious Downloader”
ESET will as well issue a digest from all three parts on its news portal


About ESET
ESET®, the pioneer of proactive protection and the maker of the award-winning ESET NOD32® technology, is a global provider of security solutions for businesses and consumers. For over 26 years, the Company continues to lead the industry in proactive threat detection. By obtaining the 80th VB100 award in June 2013, ESET NOD32 technology holds the record number of Virus Bulletin "VB100” Awards, and has never missed a single “In-the-Wild” worm or virus since the inception of testing in 1998. In addition, ESET NOD32 technology holds the longest consecutive string of the VB100 awards of any AV vendor. ESET has also received a number of accolades from AV-Comparatives, AV-TEST and other testing organisations and reviews. ESET NOD32® Antivirus, ESET Smart Security®, ESET Cyber Security® (solution for Mac), ESET® Mobile Security and IT Security for Business are trusted by millions of global users and are among the most recommended security solutions in the world.

ESET recently updated its two-factor authentication (2FA) application, adding a secure validation to weak and static user passwords. This updated version of ESET’s 2FA application provides flexibility and deeper integration of 2FA into bespoke applications, making it the best cost-effective solutions for SMBs everywhere.

The Company has global headquarters in Bratislava (Slovakia), with regional distribution centers in San Diego (U.S.), Buenos Aires (Argentina), and Singapore; with offices in Jena (Germany), Prague (Czech Republic) and Sao Paulo (Brazil). ESET has malware research centers in Bratislava, San Diego, Buenos Aires, Singapore, Prague, Košice (Slovakia), Krakow (Poland), Montreal (Canada), Moscow (Russia) and an extensive partner network for more than 180 countries. For more information visit or follow us on Facebook.


About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. Headquartered in Hong Kong, the Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

For more information, please visit or call (65) 6296-4268.


ESET has over 25 years' experience of helping people to Enjoy Safer Technology. Our software is light on hardware, but hard on malware.

Our Technology

ESET’s award-winning NOD32® Antivirus technology is at the cutting edge of digital security. It’s updated daily to keep you secure.

Free Support

Enjoy your free, industry-leading customer support locally. For technical, sales and marketing enquires dial +65 6296 4268.