APT-C-20, also known as APT28, Fancy Bear, Pawn Storm, Sofacy Group, Sednit, STRONTIUM, etc., is an APT organization with a military intelligence agency background. The organization's main targets are government agencies, diplomatic agencies, and scientific research institutions in North America, Central Asia, and Europe.

APT28 has used the Zebrocy downloader many times in historical attacks. Zebrocy downloader variants include a Delphi version, Nim version, AutoIt version, VB.NET version, Visual C++ version, C# version and Go version. The main function of the Zebrocy downloader is to collect information on the target computer. After the target is confirmed, the next-stage attack components are implanted.

In a suspected attack on NATO targets, APT28 used the Nim version of the Zebrocy downloader. The lure is still delivered as a compressed archive attachment, but this attack uses the niche ARJ archive format. The archive contains a Nim Zebrocy downloader and decoy files. Multiple test versions of APT28's Nim Zebrocy downloader were also discovered in July and August.

The Nim Zebrocy downloader is similar in function to the Delphi Zebrocy downloader: it mainly obtains information about the target computer, captures screenshots, and sends the data to C2. After it has obtained user information and uploaded it to C2, it performs its function of executing system commands.

After the sample is launched, it checks whether its file name contains 2020. If it does, the downloader is copied to C:\Users\purple\AppData\Roaming\Controller\scrssl.exe and then executed. When the file name does not contain 2020, a scheduled task named Windows\Component\ModuleUpd is created and run every three minutes to achieve persistence.
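
One way to hunt for the scheduled-task persistence described above is to score exported Task Scheduler XML. This is an added example, not code from the original report: the sample task is constructed, and the 300-second interval threshold and the AppData\Roaming action check are assumptions, since the report does not say which command the task runs.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
TASK_NAME = r"windows\component\moduleupd"  # task name reported on this page
DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

# Constructed sample task definition; the Exec path is a placeholder assumption.
SAMPLE = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Windows\Component\ModuleUpd</URI></RegistrationInfo>
  <Triggers><TimeTrigger><StartBoundary>2020-08-01T00:00:00</StartBoundary>
    <Repetition><Interval>PT3M</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec>
    <Command>C:\Users\example\AppData\Roaming\placeholder.exe</Command>
  </Exec></Actions>
</Task>"""

def interval_seconds(text):
    """Convert an ISO 8601 duration such as PT3M to seconds (None if unparsable)."""
    m = DURATION.match((text or "").strip())
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(g or 0) for g in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def score_task(xml_text):
    """Return the reasons a task definition resembles the persistence described."""
    root = ET.fromstring(xml_text)
    reasons = []
    uri = (root.findtext("t:RegistrationInfo/t:URI", "", NS) or "").strip("\\").lower()
    if uri == TASK_NAME:
        reasons.append("name")
    # Any trigger type may carry a Repetition block, hence the wildcard.
    for iv in root.iterfind("t:Triggers/*/t:Repetition/t:Interval", NS):
        secs = interval_seconds(iv.text)
        if secs is not None and secs <= 300:  # assumed threshold; report says 3 min
            reasons.append("interval")
            break
    for cmd in root.iterfind("t:Actions/t:Exec/t:Command", NS):
        if re.search(r"\\appdata\\roaming\\", (cmd.text or "").lower()):
            reasons.append("user-writable-path")
            break
    return reasons

if __name__ == "__main__":
    print(score_task(SAMPLE))
```

Task definitions in this format can be exported with `schtasks /query /xml`. The name match alone is the strongest indicator; the other two reasons are weaker signals that help when the task name has been changed.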