Seduploader is a trojan primarily used by the advanced persistent threat (APT) group APT28, also known as Fancy Bear, Tsar Team, Group 74, Sednit, and Sofacy, a cyber espionage group likely associated with the Russian military agency, GRU. It is a first-stage malware deployed for conducting reconnaissance on a network before dropping a second-stage malware. The trojan profiles the victim by pulling host information. Seduploader is often delivered to users via malicious email attachments in spear-phishing emails.

In May 2017, APT28 sent targeted phishing emails leading up to the French election referencing "Trump's attack on Syria" with an attached document that, when opened, exploited two zero-day vulnerabilities, one in Microsoft Word and one in Windows, to drop Seduploader. In October 2017, APT28 was noted targeting cybersecurity professionals, specifically registrants for the upcoming CyCon U.S. conference, with the Seduploader trojan. In November 2017, APT28 sent phishing emails referencing the recent New York City terrorist attack with malicious documents that, when opened, leveraged the Dynamic Data Exchange (DDE) feature in Microsoft Office to infect unsuspecting victims with Seduploader.


  • May 2017: Sednit Adds Two Zero-Day Exploits Using 'Trump's Attack on Syria' as a Decoy. (ESET)
  • October 2017: Latest Sofacy Campaign Targeting Security Researchers. (Threatpost)
  • November 2017: Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack. (McAfee)

Technical Information

  • ESET provides technical details on the Seduploader here.