X-Agent, also referred to as “Sofacy,” is a remote access toolkit that works against the Android operating system and Apple’s iOS. This malware is known for its association to the state-sponsored hacker group “FANCY BEAR,” also known as “Sofacy” or “APT28,” a group tied to Russian Military Intelligence (GRU).  X-Agent targeted only iOS devices when it was first discovered in early 2015. The spyware was active in “Operation Pawn Storm,” an economic and political cyber-espionage campaign targeting military, governments, defense industries, and the media. It infected devices when it was downloaded as an application. The app could activate the microphone and record audio and collect the following information: Text messages, Contact lists, Photos, Geo-location data, List of installed apps, List of processes, and WiFi status.

In December 2016, X-Agent was discovered targeting both iOS and Android devices. The variant targeting the Android platform was distributed on Ukrainian Military forums within a legitimate Android app developed to enable artillery forces to simplify and more rapidly process targeting data, reducing targeting time from minutes to 15 seconds. Over 9,000 artillery personnel in the Ukrainian military use the app. The malware has enabled reconnaissance against Ukrainian troops and collection of tactical data, further supporting FANCY BEAR’s connection to the GRU.

In February 2017, a Mac malware version of X-Agent, XAgentOSX, was first identified, used in targeted and politically motivated attacks by APT28 – a Russian cyber-espionage group. According to Palo Alto, APT28 uses the Komplex malware to infect Mac systems then installs the XAgentOSX trojan. It is similar to the Windows counterpart; it reports to the C2 server and waits for instructions ranging from searching the local system for certain files to downloading and executing additional malware. One of the trojan’s main features is to search and steal iPhone backups. It is a modular trojan; the actors can send new modules to each infected victim and support new features, such as: collect hardware/software info, search files, delete files, download new files, take screenshots, dump browser passwords, and upload stolen data to an FTP server.


  • February 2015: iOS Espionage App Found. (TrendMicro)
  • December 2016: FANCY BEAR Android malware tracks Ukrainian field artillery units. (CrowdStrike)
  • February 2017: Researchers discover Mac version of the X-Agent trojan, XAgentOSX. (Palo Alto Networks)
  • July 2018: US Charges 12 Russian Intelligence Officers for Hacking DNC, Running DCLeaks (Bleeping Computer)

Technical Details

  • Details on the X-agent malware are provided by CrowdStrike and can be found here.
One example of the X-Agent variant. Image Source: Trend Micro

One example of the X-Agent variant. Image Source: Trend Micro

Trojan VariantsNJCCICX-Agent