CHOPSTICK
CHOPSTICK, also referred to as XAgent, SPLM, WebHP, and X-Agent, is a modular espionage backdoor associated with APT28/Sofacy/Sednit/Fancy Bear, which multiple sources link to Russian GRU operations. The malware has been used in long-running cyber espionage campaigns against government, military, defense, political, telecom, NATO-, OSCE-, and Eastern Europe-related targets, including activity tied to the 2016 compromises of the DCCC and DNC. Reported variants or builds exist for Windows, Linux, iOS, Android, and macOS, and samples are often specially compiled for specific targets with selected modules and communication channels enabled or disabled.
Capabilities reported with high confidence include remote command execution, keystroke logging, file exfiltration, file-system and Windows Registry access, process creation, network resource enumeration, access to stored credentials, and anti-analysis runtime checks that prevent execution in analysis environments. The malware can use multiple command-and-control channels depending on module configuration, including HTTP, HTTPS, SMTP, POP3, IMAP, and other email-based communications; C2 traffic has been reported as encrypted with TLS. Reporting also notes that CHOPSTICK/XAgent can use a domain generation algorithm for fallback C2, generating domains by concatenating words from lists, and that APT28 used relay/proxy infrastructure, including compromised machines, to obscure communications between CHOPSTICK and its servers.
Reporting further states that CHOPSTICK may store RC4-encrypted configuration data in the Windows Registry. FireEye described CHOPSTICK as a flexible modular implant used alongside SOURFACE and EVILTOSS to enhance APT28 espionage operations. ESET described XAgent as Sednit's flagship modular backdoor with spying functionality and noted a Python-based proxy server used to relay XAgent MailChannel traffic into HTTP requests. Additional reporting links X-Agent to an infected Android artillery-targeting application used by Ukrainian officers and to the later expansion of the malware family to macOS. Infrastructure and related indicators mentioned include Njalla.no being used to register SPLM and XTUNNEL C2 servers.
Vulnerabilities exploited
2 CVEs correlated with this family across public research and vendor advisories.
IoCs Table 2 lists a lure document (World War3.docx; SHA-1 7aada8bcc0d1ab8ffb1f0fae4757789c6f5546a3) detected as SWF/Exploit.CVE-2017-11292.A; the report notes DealersChoice generates malicious documents with embedded Adobe Flash Player exploits.
IoCs Table 2 lists a phishing document (f3805382ae2e23ff1147301d131a06e00e4ff75f) detected as Win32/Exploit.CVE-2016-4117.A; the report describes Sednit’s DealersChoice platform embedding Adobe Flash Player exploits in malicious Office documents.
Groups observed using it
4 distinct threat actors attributed by public researchers.
APT28 has also used a machine to relay and obscure communications between CHOPSTICK and their server.
Another unit mate, Capt. Nikolay Kozachek, allegedly crafted the X-Agent malware used to hack the Democratic Congressional Campaign Committee and DNC networks in April 2016.
...their involvement in the development of Unit 26165’s X-Agent malware
Techniques & procedures
29 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
4 techniques
They also send emails purportedly containing links to news items, but instead linking to malware drop sites that install toolkits onto the target's computer.
Among other things, it uses zero-day exploits, spear phishing and malware to compromise targets.
Figure 2. Main attack methods and malware used by the Sednit group since 2014... Email attachments
The hackers used a spear phishing attack, directing emails to the false URL electronicfrontierfoundation.org.
Execution
2 techniques
Together with the help of above mentioned tools, the group gained access to the file system and registry; enumerate network resources; create processes... | It used a downloader tool that FireEye dubbed "SOURFACE", a backdoor labelled "EVILTOSS" that gives hackers remote access and a flexible modular implant called "CHOPSTICK" to enhance functionality of the espionage software.
RemoteShell (0x1302): executes supplied commands in the Linux command-line interpreter /bin/sh
Persistence
1 technique
The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution. | Many malware families store configuration, payloads, encryption keys, C2 addresses, or other operational data in Registry keys, such as QakBot storing configuration in a randomly named subkey under HKCU\Software\Microsoft and PolyglotDuke writing encrypted JSON configuration files to the Registry.
Stealth
5 techniques
The threat group implements counter-analysis techniques to obfuscate their code. They add junk data to encoded strings, making decoding difficult without the junk removal algorithm.
Examples include: “ComRAT has encrypted and stored its orchestrator code in the Registry…”, “ShadowPad maintains a configuration block and virtual file system in the Registry.”, and “QakBot can store its configuration information…under HKCU\Software\Microsoft.”
APT28 executed CHOPSTICK by using rundll32 commands such as rundll32.exe "C:\Windows\twain_64.dll".
Agent Tesla has the ability to perform anti-sandboxing and anti-virtualization checks. Bisonal can check to determine if the compromised system is running on VMware. Bumblebee has the ability to perform anti-virtualization checks. CozyCar will check to ensure it is not being executed inside a virtual machine or a known malware analysis sandbox environment. Metamorfo has embedded a "vmdetect.exe" executable to identify virtual machines at the beginning of execution. RTM can detect if it is running within a sandbox or other virtualized analysis environment. Saint Bear contains several anti-analysis and anti-virtualization checks.
CHOPSTICK includes runtime checks to identify an analysis environment and prevent execution on it. Hancitor has used a macro to check that an ActiveDocument shape object in the lure message is present. If this object is not found, the macro will exit without downloading additional payloads. Operation Spalax threat actors used droppers that would run anti-analysis checks before executing malware on a compromised host.
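As an added detection example (not code from this page, from Mallory, or from any vendor report), the following Python flags process-creation events like the rundll32 execution quoted above: a DLL loaded from outside the usual system directories, or invoked with no export name so that only its DllMain runs. The events and the trusted-directory baseline are constructed assumptions, not real telemetry.

```python
import re

# Constructed Sysmon-style (Event ID 1) process-creation events; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Windows\twain_64.dll"'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\upd.dll",Start'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\notes.txt"},
]

# Directories from which rundll32 is expected to load DLLs on a stock host
# (assumed baseline; tune it to the environment).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")

# rundll32 path  or  rundll32 "path", each followed by an optional ,ExportName
_ARG_RE = re.compile(
    r'^\s*"?[^"\s]*rundll32(?:\.exe)?"?\s+(?:"([^"]+)"|([^\s,]+))(?:,(\S+))?',
    re.IGNORECASE)

def parse_rundll32_args(cmdline):
    """Return (dll_path, export_or_None) from a rundll32 command line, or None."""
    m = _ARG_RE.match(cmdline)
    if not m:
        return None
    return (m.group(1) or m.group(2)), m.group(3)

def suspicious_reasons(event):
    """Reasons one event looks like rundll32 being used to run an implant DLL."""
    if not event["Image"].lower().endswith("\\rundll32.exe"):
        return []
    parsed = parse_rundll32_args(event["CommandLine"])
    if parsed is None:
        return ["rundll32 started with arguments that could not be parsed"]
    dll, export = parsed
    reasons = []
    if not dll.lower().startswith(TRUSTED_DIRS):
        reasons.append("DLL outside trusted directories: " + dll)
    if export is None:
        reasons.append("no export named, so only DllMain runs")
    return reasons

def scan(events):
    """Return [(CommandLine, reasons)] for events that raised at least one reason."""
    hits = [(ev["CommandLine"], suspicious_reasons(ev)) for ev in events]
    return [(cmd, reasons) for cmd, reasons in hits if reasons]
```

Running `scan(SAMPLE_EVENTS)` flags the twain_64.dll and Temp-directory invocations and leaves the shell32.dll control-panel call alone; signed-DLL and parent-process checks would be the natural next filters.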
Defense Impairment
1 technique
The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution. | Many malware families store configuration, payloads, encryption keys, C2 addresses, or other operational data in Registry keys, such as QakBot storing configuration in a randomly named subkey under HKCU\Software\Microsoft and PolyglotDuke writing encrypted JSON configuration files to the Registry.
Credential Access
3 techniques
Consistent with GRU techniques and 'methods of persistence' identified by computer forensic investigators in other intrusions, the hackers again used X-Agent to log keystrokes, take screenshots, and gather system data; used a lateral-movement tool called RemCom; and used Mimikatz, a credential-harvesting tool.
Xagent is a modular backdoor with spying functionalities such as keystroke logging and file exfiltration... RemoteKeylogger (0x1002): logs keystrokes
Together with the help of above mentioned tools... access stored credentials...
Discovery
6 techniques
The content repeatedly describes malware and threat actors querying, enumerating, searching, reading, or checking Windows Registry keys and values, e.g., "ADVSTORESHELL can enumerate registry keys," "APT41 queried registry values to determine items such as configured RDP ports and network configurations," and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."
Together with the help of above mentioned tools, the group gained access to the file system and registry; enumerate network resources...
5: List directories ... 22: List files and directories
Lateral Movement
1 technique
An arrow representing the malicious files moving laterally through the network. | The graphic indicates three methods of APT 29 tradecraft, including remote execution, file transmission, and keylogging.
Collection
2 techniques
Xagent is a modular backdoor with spying functionalities such as keystroke logging and file exfiltration... RemoteKeylogger (0x1002): logs keystrokes
The GRU had used malware called 'X-Agent' to take screenshots and capture the key strokes of a DCCC employee who had authorization to access the DNC network.
Command and Control
7 techniques
These actors set up operational infrastructure to obfuscate their source infrastructure, host domains and malware for targeting organizations, establish command and control nodes, and harvest credentials and other valuable information from their targets.
The source code contains two different channel implementations, one over HTTP and one over email... HttpChannel::getRawPacket() method is implemented as an HTTP GET request... sendRawPacket() is an HTTP POST request.
The Xagent backdoor can communicate with its C&C server over email with a custom protocol... MailChannel... SMTP to send emails and POP3 to receive emails (over TLS)
APT28 used other victims as proxies to relay command traffic, for instance using a compromised Georgian military email server as a hop point to NATO victims.
LOAD_NEW_MODULE Instantiates an IAgentModule object from the given data, and registers this new module with the kernel... LOAD_NEW_CHANNEL Instantiates an IAgentChannel object from the given data... Sedreco plugin comes as a Windows DLL... downloading and execution of those plugins can be requested by the C&C server with command number 1
The content repeatedly describes malware and threat actors using SSL, TLS, HTTPS, RSA, AES, Blowfish, RC4, ECIES, Diffie-Hellman, OpenSSL, WolfSSL, and mutual TLS to protect command and control traffic.
Exfiltration
1 technique
The Xagent backdoor can communicate with its C&C server over email with a custom protocol... messages are sent and received as attachments to emails... Sedreco core threads store the output generated by a command execution in the outbound file... periodically transmitted in bulk to the server.
IOCs tracked for this family
36 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
75 sources tracked across advisories, community write-ups, and news.
A malware package updated to expand from Windows, iOS, Android, and Linux to also target macOS systems.
Sednit’s flagship backdoor from the 2010s and the code base from which SlimAgent was derived.
Legacy APT28/Sednit tool referenced as the predecessor lineage for SlimAgent.
A long-used APT28 keylogger/espionage malware whose codebase appears to have been reused and adapted into SLIMAGENT.