Cannon is a trojan used by the advanced persistent threat (APT) group APT28, also known as Fancy Bear, Tsar Team, Group 74, Sednit, and Sofacy, a cyber-espionage group likely associated with the Russian military agency, GRU. Cannon was first detected by Unit 42 researchers at Palo Alto Networks in late October and early November 2018, and has been utilized by APT28 in targeted spear-phishing attacks against government organizations throughout North America, Europe, and in a former Soviet state. Cannon functions as a downloader and obtains instructions from a C2 server via email communication. The trojan is distributed via weaponized documents that contain malicious macros designed to use the AutoClose function to evade sandbox analysis. Cannon has been observed as a second stage payload, following an initial infection with the Zebrocy trojan. Its capabilities include adding persistence, generating a unique system identifier, collecting system details, taking a screenshot of the desktop, and gaining access to attachments by logging into POP3 email accounts.

Technical Details

  • Palo Alto Network’s Unit 42 provides technical analysis on Cannon, here.


Image Source: Palo Alto Networks

Trojan VariantsNJCCICCannon