CHOPSTICK
X-Agent, also referred to in the provided content as CHOPSTICK, Chopstick, SPLM, XAgent, WebHP, and Backdoor.SofacyX, is a modular backdoor/RAT closely associated with APT28 (also tracked as Fancy Bear, Sofacy, and Sednit) and attributed in the content to Russia’s GRU. The malware has been used in long-running cyber-espionage operations against political, governmental, military, diplomatic, and security-related targets, including Democratic Party networks in 2016, NATO-related entities, and broader campaigns against Eastern European governments and other strategic organizations. Reported infection vectors include spear-phishing and deployment through APT28 tooling such as SOURFACE and EVILTOSS.
The content describes X-Agent/CHOPSTICK as a flexible espionage implant that supports remote command execution, file transfer and exfiltration, keylogging, screenshot capture, monitoring of network activity, access to the Windows Registry for information gathering, and access to victim file systems and network resources. It has used HTTP and HTTPS for command and control depending on module configuration, and CHOPSTICK C2 traffic is described as encrypted with TLS. The content also states that APT28 used relay infrastructure and compromised machines to proxy or obscure communications between CHOPSTICK and its servers. Anti-analysis behavior is also noted: CHOPSTICK includes runtime checks to detect analysis environments and avoid execution.
The content further indicates that X-Agent existed in multiple platform variants, including Windows, Linux, iOS, Android, and later macOS. It is described as APT28’s flagship or signature implant during the 2010s. Related tooling and lineage mentioned in the content include X-Tunnel for exfiltration and SlimAgent, which researchers assessed as having direct code lineage from or being an evolution of the X-Agent keylogger module. High-confidence capabilities explicitly mentioned include remote command execution, keylogging, screenshotting, file transmission/exfiltration, registry access, TLS-encrypted C2, HTTP/HTTPS-based C2, and anti-analysis checks.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
IoCs Table 2 lists a lure document (World War3.docx; SHA-1 7aada8bcc0d1ab8ffb1f0fae4757789c6f5546a3) detected as SWF/Exploit.CVE-2017-11292.A; the report notes DealersChoice generates malicious documents with embedded Adobe Flash Player exploits.
IoCs Table 2 lists a phishing document (f3805382ae2e23ff1147301d131a06e00e4ff75f) detected as Win32/Exploit.CVE-2016-4117.A; the report describes Sednit’s DealersChoice platform embedding Adobe Flash Player exploits in malicious Office documents.
Groups observed using it
4 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
This may indicate the OS requirements of their intended targets but it may also be an attempt to take advantage of a security telemetry blind spot in many enterprises, as is with Penquin Turla and APT28’s Linux XAgent variant.
Another unit mate, Capt. Nikolay Kozachek, allegedly crafted the X-Agent malware used to hack the Democratic Congressional Campaign Committee and DNC networks in April 2016.
...their involvement in the development of Unit 26165’s X-Agent malware
Techniques & procedures
28 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
4 techniques
Initial Access
They also send emails purportedly containing links to news items, but instead linking to malware drop sites that install toolkits onto the target's computer.
Spear-phishing (T1566) — Targeted emails lured key staff into clicking malicious links or downloading attachments.
Execution
2 techniques
Execution
Together with the help of above mentioned tools, the group gained access to the file system and registry; enumerate network resources; create processes... | It used a downloader tool that FireEye dubbed "SOURFACE", a backdoor labelled "EVILTOSS" that gives hackers remote access and a flexible modular implant called "CHOPSTICK" to enhance functionality of the espionage software.
Persistence
1 technique
Persistence
The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution. | Many malware families store configuration, payloads, encryption keys, C2 addresses, or other operational data in Registry keys, such as QakBot storing configuration in a randomly named subkey under HKCU\Software\Microsoft and PolyglotDuke writing encrypted JSON configuration files to the Registry.
Stealth
4 techniques
Stealth
The threat group implements counter-analysis techniques to obfuscate their code. They add junk data to encoded strings, making decoding difficult without the junk removal algorithm.
APT28 executed CHOPSTICK by using rundll32 commands such as rundll32.exe "C:\Windows\twain_64.dll".
Agent Tesla has the ability to perform anti-sandboxing and anti-virtualization checks. Bisonal can check to determine if the compromised system is running on VMware. Bumblebee has the ability to perform anti-virtualization checks. CozyCar will check to ensure it is not being executed inside a virtual machine or a known malware analysis sandbox environment. Metamorfo has embedded a "vmdetect.exe" executable to identify virtual machines at the beginning of execution. RTM can detect if it is running within a sandbox or other virtualized analysis environment. Saint Bear contains several anti-analysis and anti-virtualization checks.
CHOPSTICK includes runtime checks to identify an analysis environment and prevent execution on it. Hancitor has used a macro to check that an ActiveDocument shape object in the lure message is present. If this object is not found, the macro will exit without downloading additional payloads. Operation Spalax threat actors used droppers that would run anti-analysis checks before executing malware on a compromised host.
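The rundll32 execution quoted above (rundll32.exe loading C:\Windows\twain_64.dll with no export name) is a concrete hunting opportunity. The following is an added example, not code from the page or from any vendor, showing how a defender might run that check over process-creation telemetry. The JSON-lines format, the host names, and the four sample events are constructed for illustration; the first event reproduces the command line reported for CHOPSTICK, the others are benign-looking controls. The third rule (DLLs loaded from user-writable directories) generalizes beyond what the page reports.

```python
import json
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry (not real events): Sysmon-style process-creation
# records flattened to one JSON object per line. The first reproduces the
# command line quoted in APT28 reporting; the others are controls.
SAMPLE_EVENTS = r"""
{"host":"ws01","image":"C:\\Windows\\System32\\rundll32.exe","cmdline":"rundll32.exe \"C:\\Windows\\twain_64.dll\""}
{"host":"ws02","image":"C:\\Windows\\System32\\rundll32.exe","cmdline":"rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"}
{"host":"ws03","image":"C:\\Windows\\System32\\rundll32.exe","cmdline":"rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\update.dll,Start"}
{"host":"ws04","image":"C:\\Windows\\System32\\notepad.exe","cmdline":"notepad.exe C:\\Windows\\twain_64.dll"}
"""

# Windows command lines: a double-quoted run is one argument, otherwise split on whitespace.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
# Directory names (lower-cased path components) treated as user-writable. Assumed list.
USER_WRITABLE = {"users", "temp", "programdata", "public"}


def tokenize(cmdline: str) -> list[str]:
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def dll_spec(cmdline: str):
    """Return (dll_path, export) from a rundll32 command line, or None if there is no DLL argument."""
    tokens = tokenize(cmdline)
    if len(tokens) < 2:
        return None
    # rundll32 syntax is "<dll>,<EntryPoint> [args]"; the entry point is often omitted by malware.
    path, sep, export = tokens[1].partition(",")
    return path, (export if sep else None)


def classify(event: dict) -> list[str]:
    """Reasons an event is suspicious; an empty list means nothing to report."""
    if PureWindowsPath(event["image"]).name.lower() != "rundll32.exe":
        return []
    spec = dll_spec(event["cmdline"])
    if spec is None:
        return []
    path, export = spec
    parts = tuple(p.lower() for p in PureWindowsPath(path).parts)
    reasons = []
    # DLL sitting directly in the Windows root rather than System32/SysWOW64,
    # matching the twain_64.dll placement reported for CHOPSTICK.
    if len(parts) == 3 and parts[0].endswith(":\\") and parts[1] == "windows":
        reasons.append("dll_in_windows_root")
    # No export named: the only code that runs is the DLL's own entry point,
    # which is unusual for legitimate rundll32 use.
    if export is None:
        reasons.append("no_export")
    # Generalization beyond the page: DLLs loaded from user-writable locations.
    if USER_WRITABLE & set(parts):
        reasons.append("user_writable_path")
    return reasons


def hunt(events_text: str) -> list[dict]:
    """Run classify() over JSON-lines telemetry and return the flagged events."""
    hits = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            hits.append({"host": event["host"], "cmdline": event["cmdline"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["host"], hit["reasons"], hit["cmdline"])
```

Against the constructed events, ws01 is flagged for both the Windows-root placement and the missing export, ws03 only for the user-writable path, and the shell32.dll control and the notepad.exe event are not flagged. Tuning the user-writable list and adding an allow-list of known rundll32 invocations is what keeps this rule quiet in a real estate.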
Defense Impairment
1 technique
Defense Impairment
The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution. | Many malware families store configuration, payloads, encryption keys, C2 addresses, or other operational data in Registry keys, such as QakBot storing configuration in a randomly named subkey under HKCU\Software\Microsoft and PolyglotDuke writing encrypted JSON configuration files to the Registry.
Credential Access
3 techniques
Credential Access
Consistent with GRU techniques and 'methods of persistence' identified by computer forensic investigators in other intrusions, the hackers again used X-Agent to log keystrokes, take screenshots, and gather system data; used a lateral-movement tool called RemCom; and used Mimikatz, a credential-harvesting tool.
Discovery
6 techniques
Discovery
The content repeatedly describes malware and threat actors querying, enumerating, searching, reading, or checking Windows Registry keys and values, e.g., "ADVSTORESHELL can enumerate registry keys," "APT41 queried registry values to determine items such as configured RDP ports and network configurations," and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."
Together with the help of above mentioned tools, the group gained access to the file system and registry; enumerate network resources...
The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").
Agent Tesla has the ability to perform anti-sandboxing and anti-virtualization checks. Bisonal can check to determine if the compromised system is running on VMware. Bumblebee has the ability to perform anti-virtualization checks. CozyCar will check to ensure it is not being executed inside a virtual machine or a known malware analysis sandbox environment. Metamorfo has embedded a "vmdetect.exe" executable to identify virtual machines at the beginning of execution. RTM can detect if it is running within a sandbox or other virtualized analysis environment. Saint Bear contains several anti-analysis and anti-virtualization checks.
CHOPSTICK includes runtime checks to identify an analysis environment and prevent execution on it. Hancitor has used a macro to check that an ActiveDocument shape object in the lure message is present. If this object is not found, the macro will exit without downloading additional payloads. Operation Spalax threat actors used droppers that would run anti-analysis checks before executing malware on a compromised host.
Lateral Movement
1 technique
Lateral Movement
Collection
2 techniques
Collection
Command and Control
7 techniques
Command and Control
These actors set up operational infrastructure to obfuscate their source infrastructure, host domains and malware for targeting organizations, establish command and control nodes, and harvest credentials and other valuable information from their targets.
The content repeatedly describes threat actors and malware using HTTP and HTTPS for command and control, such as: "Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP post requests."
The Xagent backdoor can communicate with its C&C server over email with a custom protocol... MailChannel... SMTP to send emails and POP3 to receive emails (over TLS)
APT28 used other victims as proxies to relay command traffic, for instance using a compromised Georgian military email server as a hop point to NATO victims.
Exfiltration
1 technique
Exfiltration
The Xagent backdoor can communicate with its C&C server over email with a custom protocol... messages are sent and received as attachments to emails... Sedreco core threads store the output generated by a command execution in the outbound file... periodically transmitted in bulk to the server.
IOCs tracked for this family
36 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
81 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A custom-built remote access trojan used to establish access, monitor victim networks, execute commands remotely, and transfer files to and from command-and-control servers.
APT28’s long-running signature implant, referenced here as the code ancestor of Slimagent.
APT28's signature implant, which has direct code lineage to Slimagent.
A long-running APT28 backdoor used in high-profile intrusions for surveillance functions including keylogging and screenshot capture.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.