First detailed in 2018, Zebrocy has been associated with APT28 (also known as Fancy Bear, Pawn Storm, Sednit, and Strontium), a Russia-linked, state-sponsored threat actor that has been active since at least 2007. A specific government agency in Azerbaijan was the intended victim in the latest attack, but other NATO members or countries taking part in NATO exercises may have been targeted as well. With medium-high confidence, QuoINT believes that the operation targeted a single government agency, at least in Azerbaijan.

In addition, the researchers point out that APT28 has previously targeted both NATO and the Organization for Security and Co-operation in Europe (OSCE), whose theme the ReconHellcat campaign used in its lures, but that there is no "clear causal link […] or solid technical relation between the two attacks." The lures used in these attacks feature a NATO-related theme, a recurring motif in APT28 campaigns. The file drops the Zebrocy executable and a corrupted Excel file, presumably in an attempt to get the intended target to execute the malware. The adversary used a similar theme in attacks in 2017.

The security researchers also note that this APT28 attack shows remarkable parallels to last month's ReconHellcat/BlackWater attack: the compressed Zebrocy malware and the lure in the BlackWater attack were both posted by the same user in Azerbaijan on August 5 (most likely by the same organization), the attacks happened at the same time, and the victimology in both attacks is identical. Once executed, the malware creates a scheduled task that periodically attempts to send stolen data to a remote domain. The server terminates the connection on machines that the C&C server appears to find uninteresting.
Although some security analysts see Zebrocy as a distinct adversary, others have observed similarities between different threat actors operating out of Russia, including a correlation between attacks by GreyEnergy and Zebrocy. "We assess ReconHellcat, like APT28, as a high-capability APT group," QuoINT concludes. QuoINT's security researchers state that the recently observed campaign, which presumably began on August 5, used the Delphi version of the Zebrocy malware and command and control (C&C) infrastructure hosted in France. "Moreover, other NATO members or countries cooperating with NATO exercises were most likely hit by the same campaign," QuoINT says. While not a member of NATO, Azerbaijan cooperates closely with the North Atlantic organization and participates in NATO exercises. The attackers distributed what appears to be a JPEG file but instead turns out to be a concatenated ZIP archive, a disguise meant to evade detection.
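A defender can triage the disguise described above by checking whether a file that starts with JPEG magic bytes also parses as a ZIP archive. The following is an added example, not code from QuoINT or the original article; the function names and the in-memory sample are constructed for illustration.

```python
import io
import zipfile

JPEG_SOI = b"\xff\xd8\xff"  # bytes every JPEG starts with


def find_appended_zip(data: bytes):
    """Return offset and member names of a ZIP hidden behind JPEG magic, else None."""
    if not data.startswith(JPEG_SOI):
        return None
    try:
        # zipfile locates the archive from the end-of-central-directory record
        # at the tail of the file, so leading image bytes do not stop it.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return None  # an ordinary image
    return {
        # header_offset is corrected by zipfile for the prepended bytes
        "zip_offset": min((i.header_offset for i in infos), default=None),
        "members": [i.filename for i in infos],
    }


def build_constructed_sample():
    """Constructed test input: a minimal JPEG-like header followed by a small ZIP."""
    fake_jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 9 + b"\xff\xd9"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("placeholder.exe", b"constructed placeholder, not a program")
        zf.writestr("placeholder.xls", b"constructed placeholder, not a workbook")
    return fake_jpeg, buf.getvalue()


if __name__ == "__main__":
    jpeg, archive = build_constructed_sample()
    print(find_appended_zip(jpeg + archive))  # flagged: offset and member names
    print(find_appended_zip(jpeg))            # None: image only
```

A hit means the file's type depends on which parser reads it, so mail and web gateways that trust the leading magic bytes alone will classify it as an image.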