First detailed in 2018, Zebrocy has been associated with APT28 (also known as Fancy Bear, Pawn Storm, Sednit, and Strontium), a Russia-linked state-sponsored threat actor that has been active since at least 2007. Although some security analysts see Zebrocy as a distinct adversary, others have found similarities between different threat actors operating out of Russia, including a correlation between attacks by GreyEnergy and Zebrocy.

QuoINT's security researchers report that the recently detected campaign, which presumably began on August 5, used the Delphi version of the Zebrocy malware and a command and control (C&C) infrastructure hosted in France. The adversary used a similar theme in attacks in 2017. Lures used in these attacks carried a NATO-related theme, a recurring motif in APT28 campaigns. A specific government agency in Azerbaijan was the intended victim in the latest attacks, but other NATO members or countries participating in NATO exercises may have been attacked as well.

The attackers distributed what appeared to be a JPEG file that turned out instead to be a concatenated ZIP archive, to avoid detection. The file drops the Zebrocy executable and a corrupted Excel file, presumably in an attempt to lure the intended target into running the malware. Once executed, the malware creates a scheduled task that periodically tries to send stolen data to a remote domain. On machines that the C&C server appears to find uninteresting, the connection is terminated by the server.

With medium-high confidence, QuoINT believes that the operation targeted a specific government agency, at least in Azerbaijan. While not a member of NATO, Azerbaijan cooperates closely with North Atlantic organizations and participates in NATO exercises. Furthermore, other NATO members or countries cooperating with NATO exercises were most likely targeted by the same campaign, QuoINT says.

The security researchers also note that this APT28 attack shows striking parallels to last month's ReconHellcat/BlackWater attack: the compressed Zebrocy malware and the lure in the BlackWater attack were both uploaded by the same user in Azerbaijan on August 5 (most likely by the same organization), the attacks happened simultaneously, and the victimology in both attacks is identical. In addition, the researchers point out that APT28 has previously attacked both NATO and the Organization for Security and Co-operation in Europe (OSCE), and that the ReconHellcat campaign used OSCE-themed lures, but that there is no clear causal link or firm technical link between the two attacks. QuoINT concludes that ReconHellcat, like APT28, is a high-capability APT group.