Malware researchers who analyzed the Zebrocy kit determined that the operators run commands manually to collect information of interest from infected systems. The data they look for ranges from documents and pictures to databases stored by web browsers and email clients. Victims include embassies, ministries of foreign affairs, and diplomats from countries in the Middle East and Central Asia. The number of supported commands has increased over time, with the latest version of the backdoor having more than thirty. The operators retrieve these files from the machine using the DOWNLOAD_LIST command. Another custom backdoor, which is executed using the command “CMD_EXECUTE:”””
Source: https://www.bleepingcomputer.com/news/security/zebrocy-operators-also-look-for-browser-and-email-databases/