Threats Feed | OilRig | Last Updated: 06/02/2026 | Author: Certfa Radar | Publish Date: 18/09/2019

Unraveling PoisonFrog: DNS Tunneling Tactics of OilRig Explored

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Backdoor, Fileless malware
  • Attack Complexity: Medium
  • Threat Risk: High Impact/High Probability

Threat Overview

The IronNet Threat Research team analysed PoisonFrog, a PowerShell-based backdoor attributed to the OilRig/APT34 group, and documented how it uses DNS tunneling for covert command and control. Rather than connecting directly to attacker-owned infrastructure, the implant encodes its traffic in DNS queries for subdomains of an attacker-controlled zone. The victim's own recursive resolver forwards those queries, hop by hop, to the zone's authoritative name server, which the attackers operate, so the only outbound connection the infected host makes is to a DNS resolver it already trusts. PoisonFrog uses this channel to register the host, receive tasking and return data. Despite this reliance on DNS, it also carries an HTTP fallback for command and control, indicating the operators planned for the DNS channel being blocked or failing.

Extracted IOCs

  • myleftheart[.]com
  • ata005g1128931b75fec6a357.myleftheart[.]com
  • 477296cc6b85584f0706d2384f22b96e
  • 11[.]24.237.110

Tip: 4 related IOCs (1 IP, 2 domain, 0 URL, 0 email, 1 file hash) to this threat have been found.

Overlaps

APT34 | Leaked Toolkit Exposes APT34’s Sophisticated Cyberattacks

Source: NSFOCUS - November 2019

Detection (one case): myleftheart[.]com

OilRig | OilRig's Global Cyber Offensive: Credential Theft and Persistent Access

Source: Palo Alto Networks - April 2019

Detection (one case): myleftheart[.]com

APT34 | APT34 Leak Exposes Espionage Tools and Tactics of Iranian Cyber Actors

Source: APT34 / OILRIG Leak, Quick Analysis - April 2019

Detection (one case): myleftheart[.]com

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.

FAQs

Understanding the PoisonFrog Threat

Security researchers analyzed a piece of malicious software called PoisonFrog that uses a technique called "DNS tunneling" to talk to its handlers. This allows the malware to hide its communications inside everyday internet traffic that usually goes unmonitored.

The attack is linked to a group known as OilRig (also called APT34). This group is a well-known threat actor that typically focuses on high-value targets, often to steal information or spy on organizations.

The main goal of PoisonFrog is to give attackers a "backdoor" into a computer system. Once inside, they can send commands, download additional files, or steal sensitive data from the infected machine.

Imagine a spy sending secret messages by writing them in the margins of a public newspaper. PoisonFrog does something similar; it hides its stolen data inside "DNS requests," which are the standard messages computers send to find websites. Because these messages are necessary for the internet to work, many security systems let them pass through without checking them closely.

Organizations should watch their DNS traffic for unusual patterns, such as a single host sending thousands of small queries for ever-changing subdomains of one unfamiliar domain, or hostnames that are long and random-looking. Keeping systems patched and monitoring for newly created scheduled tasks, a common persistence mechanism for PowerShell-based implants, can also help catch the malware before it does significant damage.
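The following is an added example written for this page, not code from the IronNet analysis, Certfa Radar, or the malware itself. It illustrates both the DNS-tunneling mechanism described in the Threat Overview and the detection advice above: a client encodes a payload into subdomain labels of an attacker-controlled zone (a generic hex-in-labels scheme, not PoisonFrog's actual wire format), the authoritative side reassembles it, and a detector run over a constructed resolver log flags the zone by query volume, label length and label entropy while also doing an exact match on the page's IOC domain. The zone name, log format, payload and thresholds are assumptions for illustration.

```python
"""Added example: DNS-tunnel encoding/decoding and a detector over constructed logs.
Not code from IronNet, Certfa or PoisonFrog; the encoding is a generic scheme
and the zone, log format, payload and thresholds are assumptions."""
import math
from collections import defaultdict

ZONE = "tunnel-zone.example"  # assumed attacker-controlled zone (reserved TLD)

# Constructed payload: a repeating pattern whose hex form uses all 16 symbols
# evenly, so the label statistics below can be checked by hand.
PAYLOAD = bytes.fromhex("0123456789abcdef") * 20  # 160 bytes -> 320 hex chars


def tunnel_queries(payload, zone, chunk=32):
    """Client side: hex-encode the payload, split it into `chunk`-sized pieces
    and prefix each with a 3-hex-digit sequence number. Each name is one DNS
    query for a subdomain of `zone`; the recursive resolver carries it to the
    zone's authoritative server."""
    hexdata = payload.hex()
    return [f"{i // chunk:03x}{hexdata[i:i + chunk]}.{zone}"
            for i in range(0, len(hexdata), chunk)]


def decode_tunnel(names, zone):
    """Authoritative-server side: strip the zone, order by sequence number
    and reassemble the payload."""
    parts = {}
    for name in names:
        label = name[: -(len(zone) + 1)]
        parts[int(label[:3], 16)] = label[3:]
    return bytes.fromhex("".join(parts[k] for k in sorted(parts)))


def shannon_entropy(s):
    """Bits of entropy per character of a label; hex/base32 blobs score high."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def registered_domain(name):
    # Naive last-two-labels split; production code should use the Public Suffix List.
    return ".".join(name.rstrip(".").split(".")[-2:])


def parse_log(lines):
    """Constructed log format: '<timestamp> <client-ip> <qtype> <qname>'.
    Defanged names (x[.]y) are refanged so IOC strings can be fed in as-is."""
    return [line.split()[-1].replace("[.]", ".") for line in lines if line.strip()]


def match_iocs(names, ioc_domains):
    """Exact blocklist match on the registered domain (IOCs may be defanged)."""
    iocs = {d.replace("[.]", ".") for d in ioc_domains}
    return [n for n in names if registered_domain(n) in iocs]


def detect_tunneling(names, min_unique=8, min_label_len=20, min_entropy=3.0):
    """Heuristic match: a registered domain with many distinct subdomains whose
    leftmost labels are long and high-entropy. Returns {domain: stats}."""
    by_domain = defaultdict(set)
    for n in names:
        by_domain[registered_domain(n)].add(n.rstrip("."))
    flagged = {}
    for dom, subs in by_domain.items():
        leftmost = [s.split(".")[0] for s in subs]
        avg_len = sum(len(l) for l in leftmost) / len(leftmost)
        avg_ent = sum(shannon_entropy(l) for l in leftmost) / len(leftmost)
        if len(subs) >= min_unique and avg_len >= min_label_len and avg_ent >= min_entropy:
            flagged[dom] = {"unique": len(subs),
                            "avg_label_len": round(avg_len, 1),
                            "avg_entropy": round(avg_ent, 2)}
    return flagged


# Constructed log: normal lookups, one query for the page's IOC, and the tunnel upload.
SAMPLE_LOG = (
    ["2019-09-18T09:00:01Z 10.0.0.5 A www.example.com",
     "2019-09-18T09:00:02Z 10.0.0.5 A mail.example.com",
     "2019-09-18T09:00:03Z 10.0.0.5 A cdn.example.com",
     "2019-09-18T09:00:04Z 10.0.0.7 A ata005g1128931b75fec6a357.myleftheart[.]com"]
    + [f"2019-09-18T09:01:{i:02d}Z 10.0.0.7 A {q}"
       for i, q in enumerate(tunnel_queries(PAYLOAD, ZONE))]
)

if __name__ == "__main__":
    names = parse_log(SAMPLE_LOG)
    print("IOC hits:", match_iocs(names, {"myleftheart[.]com"}))
    print("heuristic hits:", detect_tunneling(names))
```

Note what each check can and cannot do: the single query for the IOC subdomain is caught only by the exact blocklist match, because one lookup gives the heuristic nothing to work with, whereas the constructed upload to tunnel-zone.example is flagged purely from its shape (ten distinct 35-character, high-entropy labels under one domain) with no prior knowledge of the zone. In a real deployment the thresholds need tuning against benign high-volume domains such as CDNs and anti-virus lookup services, and the registered-domain split should use the Public Suffix List.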

While the techniques used are common in many cyberattacks, the use of PoisonFrog is typically associated with targeted campaigns. It is designed to stay hidden for a long time on specific networks rather than spreading randomly to everyone on the internet.