Threats Feed | APT34 | Last Updated: 05/02/2026 | Author: Certfa Radar | Publish Date: 11/08/2022

Saitama Malware Uses DNS for Stealthy C2 Communications

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Backdoor, Malware, Phishing
  • Attack Complexity: Medium
  • Threat Risk: High Impact/Low Probability

Threat Overview

The Saitama implant, uncovered by Malwarebytes, uses DNS for Command and Control (C2) communications. Targeting the Jordan government, this malware employs domain randomization and long sleep times to evade detection. It encodes data using a shared key and a pseudo-random number generator, making detection challenging. The implant’s hardcoded sleep values and unique DNS queries ensure stealth, though the data transfer rate is slow.

Detected Targets

Type   | Description                       | Confidence
Sector | Government Agencies and Services  | Verified
Region | Jordan                            | Verified

FAQs

Understanding the Saitama DNS Malware

Security researchers discovered a new piece of malicious software (malware) called "Saitama" hidden inside a weaponized document. This malware is designed to secretly communicate with attackers by hiding its messages inside DNS traffic, the standard protocol computers use to look up website addresses, making it very difficult to spot.

The report does not name a specific hacker group but notes that the attack was likely targeted toward the government of Jordan. The threat actors are sophisticated enough to write custom malware that specifically avoids common detection methods.

The primary goal is to establish a covert "Command and Control" channel. This allows the attackers to send instructions to an infected computer and receive data back (stealing information) without triggering security alarms that usually watch for suspicious web traffic.

The malware hides data inside "random-looking" web addresses (subdomains) that it requests. To stay hidden, it doesn't send data quickly; instead, it sleeps for random periods (between 40 and 80 seconds) between every message. This slow speed makes it look like normal background noise on a network.

DNS traffic is almost never blocked because it is essential for the internet to work. By using this open lane for their data, attackers can bypass many firewalls. Additionally, the randomization and slow speed make it hard for security software to recognize the pattern as malicious.

Organizations should tune their network security tools (such as Suricata or a SIEM) to look for runs of random-looking DNS queries issued by one host at a slow, steady cadence. Security teams should also allow-list known safe domains so that the unusual, random subdomains used by this malware stand out more clearly.
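The traffic shape described above (many distinct, random-looking subdomains of one parent domain, requested by a single host with sleeps of roughly 40 to 80 seconds between queries) can be checked for in DNS query logs. The following is an added example written for this page, not code from the Certfa or Malwarebytes reports; the log line format, the allow-list entries, the thresholds and every domain and IP address in it are assumptions, and the sample log is constructed.

```python
"""Flag hosts that query many distinct, high-entropy subdomains of one
parent domain at a slow, regular cadence (assumed detection heuristic)."""
import math
import re
from collections import defaultdict
from datetime import datetime

# Assumed log line format: "<ISO timestamp> <client ip> <queried name>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")

# Allow-list of parent domains known to be legitimate (assumed values).
ALLOW_LIST = {"example.com", "windowsupdate.com"}


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of one DNS label."""
    if not label:
        return 0.0
    counts = {}
    for ch in label:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname: str) -> str:
    """Last two labels of the name (a crude registrable-domain approximation)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_line(line: str):
    """Return (timestamp, client, qname) or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1))
    return ts, m.group(2), m.group(3).rstrip(".").lower()


def find_slow_random_dns(lines, min_queries=5, entropy_min=3.0,
                         sleep_range=(40, 80), cadence_share=0.8):
    """Return {(client, parent_domain): summary} for client/domain pairs whose
    queries use distinct high-entropy first labels and mostly arrive with gaps
    inside sleep_range (seconds). All thresholds are assumed defaults."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, qname = rec
        parent = parent_domain(qname)
        if parent in ALLOW_LIST:
            continue
        first_label = qname.split(".")[0]
        groups[(client, parent)].append((ts, first_label))

    hits = {}
    for key, events in groups.items():
        if len(events) < min_queries:
            continue
        events.sort()
        labels = {lbl for _, lbl in events}
        mean_entropy = sum(shannon_entropy(lbl) for _, lbl in events) / len(events)
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        in_range = sum(1 for g in gaps if sleep_range[0] <= g <= sleep_range[1])
        share = in_range / len(gaps)
        # Every label unique, labels look random, and most gaps fall in the sleep window.
        if len(labels) == len(events) and mean_entropy >= entropy_min and share >= cadence_share:
            hits[key] = {"queries": len(events),
                         "mean_entropy": round(mean_entropy, 2),
                         "cadence_share": round(share, 2)}
    return hits


# Constructed sample log: one host with slow, unique, random-looking labels;
# one host repeating the same label quickly; one host with random labels but
# a fast cadence (e.g. content-hash style names); plus allow-listed traffic.
SAMPLE_LOG = [
    "2024-03-01T09:00:00 10.0.0.5 k3x9qzp7wm2d.c2-example.net",
    "2024-03-01T09:00:45 10.0.0.5 v8t1nb5rhy6j.c2-example.net",
    "2024-03-01T09:01:47 10.0.0.5 a4c0fgl2sxe9.c2-example.net",
    "2024-03-01T09:02:58 10.0.0.5 u7mpz3qw1kr8.c2-example.net",
    "2024-03-01T09:03:48 10.0.0.5 b2yh6dtv9nx4.c2-example.net",
    "2024-03-01T09:04:46 10.0.0.5 e5sj1oq8wcm3.c2-example.net",
    "2024-03-01T09:00:01 10.0.0.7 mail.corp-example.org",
    "2024-03-01T09:00:02 10.0.0.7 mail.corp-example.org",
    "2024-03-01T09:00:03 10.0.0.7 mail.corp-example.org",
    "2024-03-01T09:00:04 10.0.0.7 mail.corp-example.org",
    "2024-03-01T09:00:05 10.0.0.7 mail.corp-example.org",
    "2024-03-01T09:00:06 10.0.0.7 www.example.com",
    "2024-03-01T09:10:00 10.0.0.9 f1g2h3j4k5l6.cdn-example.net",
    "2024-03-01T09:10:01 10.0.0.9 m7n8p9q0r1s2.cdn-example.net",
    "2024-03-01T09:10:02 10.0.0.9 t3u4v5w6x7y8.cdn-example.net",
    "2024-03-01T09:10:03 10.0.0.9 z9a0b1c2d3e4.cdn-example.net",
    "2024-03-01T09:10:04 10.0.0.9 g5h6i7j8k9l0.cdn-example.net",
]

if __name__ == "__main__":
    for (client, domain), summary in find_slow_random_dns(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {summary}")
```

Only the first host is reported: the second repeats one label, so its queries are not unique, and the third uses random-looking labels but at a one-second cadence, which falls outside the 40 to 80 second sleep window. In production the allow-list should come from observed baseline traffic, and the grouping by "last two labels" should be replaced with a public-suffix-aware parent-domain function.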

The report describes DNS tunneling as a "relatively rare technique," and this specific malware appears to be a targeted tool rather than a mass-market virus. However, because it is so stealthy, it is important for high-value targets (like governments or large enterprises) to be aware of it.