A malware family known as RogueRobin, used by the DarkHydrus threat group, was discovered using DNS tunneling to covertly communicate with attackers and steal data.

Who is behind the attack?

The DarkHydrus group, linked to Iranian state interests, is believed to be responsible. They are known for targeting government and educational institutions.

What was the purpose of the malware?

RogueRobin is designed to establish a secret communication channel through DNS queries, allowing attackers to issue commands and extract information from infected machines.

The malware primarily targeted government agencies and academic institutions, likely aiming to collect sensitive information or credentials.

How does the attack work?

It begins with the malware being delivered (likely via phishing), followed by stealthy communication over DNS using encoded data in fake queries. It then receives commands and sends back results without triggering traditional security alerts.

Why is this method dangerous?

DNS traffic is often overlooked in many networks. By hiding malicious communications within seemingly normal DNS queries, the attackers can operate undetected.

What can organizations do to protect themselves?

Organizations should monitor and filter DNS traffic, restrict the use of command-line tools, and inspect unusual registry and startup behaviors.

Is this a widespread threat?

This campaign appears to be targeted rather than widespread. However, the techniques used are advanced and could be adopted by other threat actors.

Threats Feed|DarkHydrus|Last Updated 10/07/2025|AuthorCertfa Radar|Publish Date06/02/2020

RogueRobin DNS Tunneling: A Look at DarkHydrus' Cyber Espionage Tactics

Actor Motivations: Espionage,Exfiltration
Attack Vectors: Malware,Spear Phishing
Attack Complexity: Medium
Threat Risk: Low Impact/Low Probability

Threat Overview

The RogueRobin malware, developed by the DarkHydrus group, employs DNS tunneling for covert communications in cyberattacks targeting government and educational institutions. The malware appears in two variants: a PowerShell and a .NET executable, both facilitating commands and control operations via encoded DNS queries. This series explores differences in their operation, emphasizing persistence methods and anti-analysis tactics. The technical nuances of RogueRobin, including its innovative DNS record types, highlight its role in sophisticated cyber espionage campaigns.

Reference and Credit: IronNet - February 2020

DNS tunneling series, part 3: The siren song of RogueRobin

Detected Targets

Type	Description	Confidence
Sector	Government Agencies and Services	Verified
Sector	Education	Verified

Extracted IOCs

akamaiedge[.]live
akamaized[.]live
akdns[.]live
anyconnect[.]stream
bigip[.]stream
edgekey[.]live
fortiweb[.]download
kaspersky[.]science
microtik[.]stream
owa365[.]bid
symanteclive[.]download
windowsdefender[.]win
e795ba49aaf09119a2e95795857a62c0

download

Tip: 13 related IOCs (0 IP, 12 domain, 0 URL, 0 email, 1 file hash) to this threat have been found.

FAQs

Understanding RogueRobin and DNS Tunneling Threats

: A malware family known as RogueRobin, used by the DarkHydrus threat group, was discovered using DNS tunneling to covertly communicate with attackers and steal data.
: The DarkHydrus group, linked to Iranian state interests, is believed to be responsible. They are known for targeting government and educational institutions.
: RogueRobin is designed to establish a secret communication channel through DNS queries, allowing attackers to issue commands and extract information from infected machines.
: The malware primarily targeted government agencies and academic institutions, likely aiming to collect sensitive information or credentials.
: It begins with the malware being delivered (likely via phishing), followed by stealthy communication over DNS using encoded data in fake queries. It then receives commands and sends back results without triggering traditional security alerts.
: DNS traffic is often overlooked in many networks. By hiding malicious communications within seemingly normal DNS queries, the attackers can operate undetected.
: Organizations should monitor and filter DNS traffic, restrict the use of command-line tools, and inspect unusual registry and startup behaviors.
: This campaign appears to be targeted rather than widespread. However, the techniques used are advanced and could be adopted by other threat actors.

About Affiliation

DarkHydrus

Associate threats

DarkHydrus Resurfaces with New Trojan Leveraging Google Drive for C2 Activities