{
	"id": "958034bc-8971-42d3-b15b-c96c950294b2",
	"created_at": "2026-04-06T00:16:23.522377Z",
	"updated_at": "2026-04-10T03:33:51.347757Z",
	"deleted_at": null,
	"sha1_hash": "213b485bf2afb0c4aa43b50e7cdc81bab4ad701d",
	"title": "DarkHydrus Uses Phishery to Harvest Credentials in the Middle East",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 672404,
	"plain_text": "DarkHydrus Uses Phishery to Harvest Credentials in the Middle East\r\nBy Robert Falcone\r\nPublished: 2018-08-07 · Archived: 2026-04-05 16:39:11 UTC\r\nLast week, Unit 42 released a blog on a newly named threat group called DarkHydrus that we observed targeting government entities in the Middle East. The attack that we discussed in our previous publication involved spear-phishing to deliver a PowerShell payload we call RogueRobin; however, we are aware of DarkHydrus carrying out a credential harvesting attack in June 2018. It also appears that this is an ongoing campaign, as we have evidence of previous credential harvesting attempts using the same infrastructure dating back to the Fall of 2017. These attacks were targeting government entities and educational institutions in the Middle East.\r\nThe credential harvesting attacks used spear-phishing emails that contained malicious Microsoft Office documents that leveraged the “attachedTemplate” technique to load a template from a remote server. When attempting to load this remote template, Microsoft Office will display an authentication dialog box to ask the user to provide login credentials. When entered, these credentials are then sent to the C2 server, which allows DarkHydrus to collect the user account credentials.\r\nBased on Unit 42’s analysis, DarkHydrus used the open-source Phishery tool to create two of the known Word documents used in these credential harvesting attacks. As discussed in our previous blog, this further demonstrates DarkHydrus’ reliance on open-source software for their attack tools.\r\nA phishing attack to steal credentials like this is not new: US-CERT warned of the same technique by a different threat group in 2017. What is noteworthy is DarkHydrus’ use of an open-source tool to carry out targeted attacks against these entities in the Middle East, which fits their reliance on open-source tools; these attacks are also consistent in terms of targeting with what we reported last week. Based on this, we can reasonably presume this group will continue to carry out attacks against these kinds of targets in the Middle East in the near future.\r\nCredential Harvesting Attack\r\nOn June 24, 2018, Unit 42 observed DarkHydrus carrying out a credential harvesting attack on an educational institution in the Middle East. The attack involved a spear-phishing email with a subject of “Project Offer” and a malicious Word document (SHA256: d393349a4ad00902e3d415b622cf27987a0170a786ca3a1f991a521bff645318) as an attachment. When opened, the malicious Word document displays a dialog box that asks the user for their credentials, as seen in Figure 1.\r\nhttps://researchcenter.paloaltonetworks.com/2018/08/unit42-darkhydrus-uses-phishery-harvest-credentials-middle-east/\r\nPage 1 of 7\r\nFigure 1. Authentication dialog box presented to the user when opening document\r\nAs you can see in Figure 1, the authentication prompt says “Connecting to \u003credacted\u003e.0utl00k[.]net”, which is a DarkHydrus C2 server. If the user enters their credentials in this dialog box and presses ‘Ok’, the credentials are sent to the C2 server via the URL https://\u003credacted\u003e.0utl00k[.]net/download/template.docx. With the authentication dialog box gone, Word displays the contents of the document, which in this specific case was an empty document. While this document was empty, the authentication prompt may have made the targeted user more likely to enter their credentials, thinking it’s necessary to view the contents of the document.\r\nDarkHydrus also created their C2 domain carefully in an attempt to further trick the targeted user into entering their credentials. Firstly, the redacted subdomain was the domain of the targeted educational institution. Also, the 0utl00k[.]net domain resembles Microsoft’s legitimate “outlook.com” domain that provides free email services, which also makes the user less suspicious and more likely to enter their credentials. Some users may not even notice what domain the dialog states they are connecting to and habitually type their Windows credentials.\r\nWe found two additional Word documents using the 0utl00k[.]net domain to harvest credentials, seen in Table 1. We first saw these related Word documents in September and November 2017, which suggests that DarkHydrus has been carrying out this credential harvesting campaign for almost a year.\r\nFirst Seen | SHA256 | Filename | Remote Template\r\n11/12/2017 | 9eac37a5c6.. | PasswordHandoverForm.docx | https://0utl00k[.]net/docs\r\n09/18/2017 | 0b1d5e1744.. | استطالع.docx | https://0utl00k[.]net/docs\r\nTable 1. Additional DarkHydrus Word documents used to steal credentials\r\nBoth of these related documents use the attachedTemplate technique to steal credentials by sending them to the URL https://0utl00k[.]net/docs. Unlike the June 2018 document that displayed no content after credential theft, both of these documents displayed content that appears pertinent to the targeted organization. The September 2017 document displays an employee survey, which can be seen in Figure 2.\r\nFigure 2. Employee survey displayed after credential theft\r\nThe November 2017 document displays a password handover document after credential theft occurs, as seen in Figure 3. We were unable to find the displayed document via open source research, which may suggest that the actor gathered this password handover form from a prior operation.\r\nFigure 3. Password handover form displayed after credential theft\r\nThe infrastructure used in these credential harvesting attacks relied on the domain 0utl00k[.]net, which at the time of the attacks resolved to 107.175.150[.]113 and 195.154.41[.]150. This same infrastructure was discussed in the Campaign Analysis section of our previous blog.\r\nPhishery Tool\r\nWhile analyzing the three malicious Word documents, we determined that two of the documents were created using an open source tool called Phishery. The Phishery tool is capable of the following:\r\n1. Creating malicious Word documents by injecting a remote template URL\r\n2. Hosting a C2 server to gather credentials entered into authentication dialog boxes displayed when attempting to obtain the remote template\r\nWe were able to confirm that DarkHydrus used Phishery to create these Word documents by using the open source tool to create a document and host a C2 ourselves. The DarkHydrus document used in the June 2018 attacks had a remote template URL added, as seen in Figure 4.\r\nFigure 4. Remote template URL seen in the DarkHydrus document from June 2018\r\nWe were able to replicate the remote template path seen in Figure 4 by using Phishery to create a weaponized delivery document. Figure 5 shows Phishery’s output for the command that injects a URL into a file named “good_test.docx” and saves the resulting file as “bad_test.docx”.\r\nFigure 5. Phishery command used to create a document that has the same remote template URL as DarkHydrus\r\nTo confirm, we used Phishery’s C2 server and opened DarkHydrus’ Word document from the June 2018 attacks. When presented with the authentication dialog box, we entered “fakename” and “fakepass” as credentials, as seen in Figure 6, and pressed Enter.\r\nFigure 6. Authentication dialog box with fake credentials entered\r\nOn the C2 server, we observed Phishery receiving the inbound request and capturing the credentials, as seen in Figure 7. The C2 server was able to obtain the “fakename” and “fakepass” credentials entered into the authentication dialog box displayed when opening DarkHydrus’ Word document.\r\nFigure 7. Output of Phishery C2 showing captured credentials\r\nConclusion\r\nDarkHydrus is a threat group carrying out attack campaigns targeting organizations in the Middle East. We discovered DarkHydrus carrying out credential harvesting attacks that use weaponized Word documents, which they delivered via spear-phishing emails to entities within government and educational institutions. This threat group not only used the Phishery tool to create these malicious Word documents, but also to host the C2 server to harvest credentials. The use of Phishery further shows DarkHydrus’ reliance on open source tools to conduct their operations.\r\nPalo Alto Networks customers are protected from DarkHydrus by:\r\nThe C2 server 0utl00k[.]net is classified as Malware\r\nAll Phishery documents created by DarkHydrus have malicious verdicts in WildFire\r\nAutoFocus customers can monitor this threat group’s activity via the DarkHydrus tag\r\nIndicators of Compromise\r\nSamples\r\nd393349a4ad00902e3d415b622cf27987a0170a786ca3a1f991a521bff645318\r\n9eac37a5c675cd1750cd50b01fc05085ce0092a19ba97026292a60b11b45bf49\r\n0b1d5e17443f0896c959d22fa15dadcae5ab083a35b3ff6cb48c7f967649ec82\r\nInfrastructure\r\n0utl00k[.]net\r\n107.175.150[.]113\r\n195.154.41[.]150\r\nSource: https://researchcenter.paloaltonetworks.com/2018/08/unit42-darkhydrus-uses-phishery-harvest-credentials-middle-east/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2018/08/unit42-darkhydrus-uses-phishery-harvest-credentials-middle-east/"
	],
	"report_names": [
		"unit42-darkhydrus-uses-phishery-harvest-credentials-middle-east"
	],
	"threat_actors": [
		{
			"id": "6efb28db-4d91-46cb-8ab7-fe9e8449ccfc",
			"created_at": "2023-01-06T13:46:38.772861Z",
			"updated_at": "2026-04-10T02:00:03.095095Z",
			"deleted_at": null,
			"main_name": "DarkHydrus",
			"aliases": [
				"LazyMeerkat",
				"G0079",
				"Obscure Serpens"
			],
			"source_name": "MISPGALAXY:DarkHydrus",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b04780e-7b64-4e62-b776-c6749ff7dec8",
			"created_at": "2022-10-25T16:07:23.531741Z",
			"updated_at": "2026-04-10T02:00:04.643562Z",
			"deleted_at": null,
			"main_name": "DarkHydrus",
			"aliases": [
				"ATK 77",
				"DarkHydrus",
				"G0079",
				"LazyMeerkat",
				"Obscure Serpens"
			],
			"source_name": "ETDA:DarkHydrus",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Mimikatz",
				"Phishery",
				"RogueRobin",
				"RogueRobinNET",
				"Trojan.Phisherly",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4fe925e8-95e5-4a63-9f96-4d0f9bedac08",
			"created_at": "2022-10-25T15:50:23.469077Z",
			"updated_at": "2026-04-10T02:00:05.384299Z",
			"deleted_at": null,
			"main_name": "DarkHydrus",
			"aliases": [
				"DarkHydrus"
			],
			"source_name": "MITRE:DarkHydrus",
			"tools": [
				"Mimikatz",
				"RogueRobin",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434583,
	"ts_updated_at": 1775792031,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/213b485bf2afb0c4aa43b50e7cdc81bab4ad701d.pdf",
		"text": "https://archive.orkl.eu/213b485bf2afb0c4aa43b50e7cdc81bab4ad701d.txt",
		"img": "https://archive.orkl.eu/213b485bf2afb0c4aa43b50e7cdc81bab4ad701d.jpg"
	}
}