DarkHydrus Resurfaces with New Trojan Leveraging Google Drive for C2 Activities
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: Backdoor, Dropper, Malicious Macro, Trojan, Spear Phishing
- Attack Complexity: Medium
- Threat Risk: Low Impact/Low Probability
Threat Overview
DarkHydrus, an adversary group operating primarily in the Middle East, has resumed activity with new tactics, techniques, and procedures (TTPs). Security researchers recently analyzed a new variant of the group's RogueRobin trojan that uses the Google Drive API for command and control (C2) communications. This move to a legitimate cloud service for C2 marks an evolution in the group's operational tradecraft. The trojan, delivered through macro-enabled Excel documents, uses evasion techniques including environment checks and dynamic DNS to mask its C2 traffic. The analysis also found typosquatted domains and open-source penetration testing tools, underscoring that the group remains a persistent and evolving threat.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Sector | Government Agencies and Services | Medium |
| Region | Middle East Countries | Verified |
Extracted IOCs
Tip: 41 related IOCs (1 IP, 34 domains, 0 URLs, 0 emails, 6 file hashes) have been found for this threat.
FAQs
Understanding the DarkHydrus RogueRobin Update
A threat group known as DarkHydrus created a new version of their malicious software (RogueRobin), which can secretly communicate through Google Drive to control infected systems.
The attackers are attributed to DarkHydrus, a group previously observed targeting organizations in the Middle East. They specialize in using phishing and advanced techniques to compromise networks.
The main objectives were to establish long-term access to victim systems, avoid detection, and allow remote control to gather data or perform further malicious actions.
While the report did not list specific victims, prior DarkHydrus campaigns have focused on Middle Eastern government and technology sectors.
They likely sent targeted phishing emails containing malicious Excel files. When recipients enabled macros, the files executed scripts that installed the trojan.
The trojan can use Google Drive as a hidden communication channel to receive commands. This helps attackers blend in with normal cloud service traffic.
The campaign is primarily targeted, focusing on specific organizations of interest rather than on broad consumer attacks.
Companies should educate users about phishing risks, enforce strict macro policies, monitor DNS and cloud service usage for anomalies, and apply security controls that detect script-based threats.
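As an added example (not part of this advisory or of any vendor tooling), a small Python check that applies the DNS-monitoring advice above and the typosquatting finding from the overview: it scans DNS query log lines and flags lookups whose registrable domain impersonates one of the brands the group was reported to imitate, either through digit-for-letter substitution or by placing a brand name on an unexpected TLD. The brand allow-list, the log format and the sample log lines are constructed assumptions for this example.

```python
import re
from typing import List, Optional, Tuple

# Brands the overview says DarkHydrus impersonated, mapped to the registrable
# domains they legitimately use (an assumed allow-list; extend it for real use).
BRAND_LEGIT = {
    "office365": {"office365.com", "office.com"},
    "onedrive": {"onedrive.com"},
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "akamai": {"akamai.com", "akamai.net", "akamaihd.net"},
    "sharepoint": {"sharepoint.com"},
}
# Digit-for-letter substitutions seen in lookalike labels (0ffice365, 0nedrive).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l"})
# Constructed log format: "<timestamp> host=<client> query=<fqdn> type=<rrtype>"
LOG_RE = re.compile(r"host=(?P<host>\S+)\s+query=(?P<query>\S+)")

def registrable(fqdn: str) -> str:
    """Naive eTLD+1 (last two labels); use a public-suffix list in production."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])

def lookalike_reason(fqdn: str) -> Optional[Tuple[str, str]]:
    """Return (brand, reason) when fqdn impersonates a watched brand, else None."""
    reg = registrable(fqdn)
    sld = reg.split(".")[0]
    normalized = sld.translate(HOMOGLYPHS)
    for brand, legit in BRAND_LEGIT.items():
        if brand not in normalized:
            continue
        if reg in legit:
            return None  # a genuine brand domain
        reason = "homoglyph label" if normalized != sld else "brand on unexpected TLD"
        return brand, reason
    return None

def scan_dns_log(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (host, query, brand, reason) for every suspicious lookup in the log."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and (verdict := lookalike_reason(m["query"])):
            hits.append((m["host"], m["query"]) + verdict)
    return hits

# Constructed sample log; these names are illustrative, not the advisory's IOCs.
SAMPLE_LOG = [
    "2019-01-15T10:02:11Z host=WS-017 query=login.microsoftonline.com type=A",
    "2019-01-15T10:02:19Z host=WS-017 query=micr0soft.test type=A",
    "2019-01-15T10:03:02Z host=WS-042 query=cdn.akamai.net type=A",
    "2019-01-15T10:03:40Z host=WS-042 query=sharepoint.test type=TXT",
    "2019-01-15T10:04:05Z host=WS-099 query=updates.example.org type=A",
]
```

Running `scan_dns_log(SAMPLE_LOG)` returns the two lookalike lookups with the client that issued them, which is the pivot a responder needs to check that host for a macro-enabled Excel document and the dropped trojan.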