Latest Update: 29/07/2025

Threats Feed

  1. Public

    RogueRobin DNS Tunneling: A Look at DarkHydrus' Cyber Espionage Tactics

    The RogueRobin malware, developed by the DarkHydrus group, employs DNS tunneling for covert communications in cyberattacks targeting government and educational institutions. The malware appears in two variants, a PowerShell script and a .NET executable, both carrying out command-and-control operations via encoded DNS queries. This series explores differences in how the two variants operate, emphasizing persistence methods and anti-analysis tactics. The technical nuances of RogueRobin, including its innovative use of DNS record types, highlight its role in sophisticated cyber espionage campaigns.

  2. Public

    DarkHydrus Resurfaces with New Trojan Leveraging Google Drive for C2 Activities

    DarkHydrus, an adversary group operating primarily in the Middle East, has resumed activities with new tactics, tools, and procedures (TTPs). According to recent analysis by security researchers, the group has been deploying a new variant of the RogueRobin trojan, which now uses the Google Drive API for command and control (C2) communications. This shift to legitimate cloud services for C2 indicates an evolution in the group's operational tactics. The trojan, delivered through macro-enabled Excel documents, exhibits sophisticated evasion techniques, including environment checks and dynamic DNS to mask its C2 communications. The analysis also revealed the use of typosquatting and open-source penetration testing tools, underscoring the group's persistent and evolving threat.
