>samit_hota
Back to adversary profiles
G0136HighActive

IndigoZebra (G0136) Threat Profile: Persistent Cyber Espionage in Central Asia

Samit Hota·
Suspected Origin
China
Motivation
Espionage
Aliases
None documented
Target Sectors
Government
Associated Malware
xCaon, BoxCaon, Poison Ivy, Meterpreter, xDown
#threat-actor#g0136

Overview

IndigoZebra, tracked by MITRE ATT&CK as G0136, is a sophisticated and persistent cyber espionage group believed to be affiliated with the Chinese state. Active since at least 2014, this threat actor has consistently focused its efforts on governments within Central Asia. The primary objective of IndigoZebra’s operations is intelligence gathering, aiming to extract sensitive information from high-profile political entities. Initial reports pinpointed former Soviet republics, including Kyrgyzstan and Uzbekistan, as key targets, with recent activities confirming an expansion to include the Afghan government. The group demonstrates a calculated and evolving approach to its campaigns, adapting tools and tactics to maintain efficacy and evade detection.

Tactics & Techniques

IndigoZebra’s operational methodology often begins with highly tailored spearphishing campaigns. These emails frequently leverage “ministry-to-ministry” deception, impersonating high-ranking officials or administrative bodies within the targeted government to lend legitimacy to their malicious communications. The lures typically involve documents related to official government business, such as upcoming press conferences or policy modifications, designed to entice recipients into opening malicious attachments.

A common initial access technique involves delivering malware via password-protected RAR archives, a method that complicates analysis by some automated sandbox solutions. Once extracted and executed, the attached file, often disguised as an executable document, acts as a dropper. To minimize suspicion, this dropper will often open a legitimate-looking document already present on the victim’s desktop while simultaneously deploying the backdoor.

For command and control (C2), IndigoZebra employs a dual approach. Historically, they have utilized traditional HTTP-based communication, with malware searching for specific patterns in HTML responses to retrieve commands. More recently, the group has innovated by leveraging legitimate cloud services like Dropbox for C2 infrastructure. The BoxCaon backdoor, for example, creates unique folders within attacker-controlled Dropbox accounts for each compromised host, using these folders to exchange commands and exfiltrate stolen data. This tactic helps the group mask malicious traffic, as network activity appears to be legitimate Dropbox usage.

Beyond initial compromise, IndigoZebra performs victim fingerprinting, collecting MAC addresses and generating unique user IDs for reconnaissance. They are known to download and execute additional tools from their C2 servers, including open-source utilities like NBTscan for network reconnaissance and Windows built-in networking tools to map the victim’s environment. The group also exhibits defense evasion techniques beyond C2 masking, such as using obfuscation methods like “stackstrings” to hide malware functionality from static detections. They have established domains, some crafted to closely resemble official government domains, to further their operational deception.

Notable Campaigns

IndigoZebra has been consistently active since at least 2014. One of their earlier publicly detailed campaigns emerged in 2017 when Kaspersky reported on their covert operations against former Soviet republics, which involved a diverse set of malware.

A particularly well-documented campaign, brought to light by Check Point Research in July 2021, targeted the Afghan National Security Council (NSC). This operation epitomized their “ministry-to-ministry” deception tactic, with lure emails impersonating the Administrative Office of the President of Afghanistan. The malicious attachments, disguised as press conference documents, led to the deployment of the BoxCaon backdoor. This specific campaign also revealed continued targeting of Kyrgyzstan and Uzbekistan, indicating a persistent regional focus with an evolving toolset. The use of Dropbox for C2 in this campaign marked a significant adaptation in their operational security.

Associated Malware & Tools

IndigoZebra’s toolkit has evolved over time, yet it maintains a core set of preferred implants and utilities:

  • xCaon: This is a proprietary backdoor, with variants dating back to 2014. It primarily uses HTTP for command-and-control communications.
  • BoxCaon: An updated and more sophisticated variant of xCaon, BoxCaon distinguishes itself by leveraging the legitimate Dropbox cloud-storage service for C2 communications. It is capable of stealing confidential data, executing arbitrary commands, and exfiltrating results.
  • Poison Ivy RAT: A long-standing and widely used remote access Trojan that has been part of IndigoZebra’s arsenal.
  • Meterpreter: An advanced, dynamic payload within the Metasploit Framework, used for post-exploitation activities.
  • xDown: Another piece of malware identified in their earlier campaigns.
  • NBTscan: An open-source NetBIOS scanner, used for host discovery and reconnaissance within compromised networks.

Current Status

IndigoZebra remains an active and evolving threat actor. While the most detailed public reporting on their specific campaigns dates to July 2021, detailing ongoing attacks at that time, their MITRE ATT&CK profile (G0136) was last modified in April 2025. This continuous updating by threat intelligence organizations suggests that the group is still considered a relevant and active entity within the cyber threat landscape. Their demonstrated capacity for adapting tactics, such as shifting C2 to legitimate cloud services, underscores their persistence and the continued need for vigilance, particularly for governmental organizations in Central Asia. Infrastructure observations from 2019 noted a concentration of new infrastructure on ASN 20473 (CHOOPA), indicating continuous development and management of their operational assets.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call