{
	"id": "73e4c736-13bd-4982-9fce-84b33120e1fb",
	"created_at": "2026-04-06T00:07:53.172731Z",
	"updated_at": "2026-04-10T13:12:24.618779Z",
	"deleted_at": null,
	"sha1_hash": "2d1d157b02bc3568650079731c970e1c980d624b",
	"title": "DarkHydrus delivers new Trojan that can use Google Drive for C2 communications",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 567434,
	"plain_text": "DarkHydrus delivers new Trojan that can use Google Drive for C2\r\ncommunications\r\nBy Robert Falcone, Bryan Lee\r\nPublished: 2019-01-18 · Archived: 2026-04-05 14:27:26 UTC\r\nIn the summer of 2018, Unit 42 released reporting regarding activity in the Middle East surrounding a cluster of activity\r\nusing similar tactics, tools, and procedures (TTPs) in which we named the adversary group DarkHydrus. This group was\r\nobserved using tactics such as registering typosquatting domains for security or technology vendors, abusing open-source\r\npenetration testing tools, and leveraging novel file types as anti-analysis techniques.\r\nSince that initial reporting, we had not observed new activity from DarkHydrus until recently, when 360TIC published a\r\ntweet and subsequent research discussing delivery documents that appeared to be attributed to DarkHydrus. In the process of\r\nanalyzing the delivery documents, we were able to collect additional associated samples, uncover additional functionality of\r\nthe payloads including the use of Google Drive API, and confirm the strong likelihood of attribution to DarkHydrus. We\r\nhave notified Google of our findings.\r\nDelivery Document\r\nWe collected a total of three DarkHydrus delivery documents installing a new variant of the RogueRobin trojan. These three\r\ndocuments were extremely similar to each other and are all macro enabled Excel documents with .xlsm file extensions.\r\nNone of the known documents contain a lure image or message to instruct the recipient to click the Enable Content button\r\nnecessary to run the macro, as seen in Figure 1. 
While we cannot confirm the delivery mechanism, it is likely that the\r\ninstructions to click the Enable Content button were provided during delivery, such as in the body of a spear-phishing email.\r\nFigure 1 DarkHydrus' delivery document does not have a lure image or message\r\nWithout the delivery mechanism we cannot confirm the exact time these delivery documents were used in an attack;\r\nhowever, the observed timestamps within these three delivery documents give us an idea when the DarkHydrus actors\r\ncreated them. While the creation times were timestomped to a default time of 2006-09-16 00:00:00Z commonly observed in\r\nmalicious documents, the Last Modified times were still available and suggest that DarkHydrus created these documents in\r\nDecember 2018 and January 2019. Table 1 shows the breakdown of timestamps and their associated sample hashes.\r\nSHA256 Last Modified\r\ne068c6536bf353abe249ad0464c58fb85d7de25223442dd220d64116dbf1e022 2018-12-15T05:14:32Z\r\n4e40f80114e5bd44a762f6066a3e56ccdc0d01ab2a18397ea12e0bc5508215b8 2018-12-23T05:45:43Z\r\n513813af1590bc9edeb91845b454d42bbce6a5e2d43a9b0afa7692e4e500b4c8 2019-01-08T06:51:21Z\r\nTable 1 Timestamps of delivery documents\r\nThe macro executes immediately after pressing the Enable Content button thanks to the Workbook_Open sub-function,\r\nwhich will call the actor-created New_Macro function. The New_Macro function starts by concatenating several strings to\r\ncreate a PowerShell script that it will write to the file %TEMP%\\WINDOWSTEMP.ps1. The function builds the contents of\r\na second file by concatenating several strings together, but this second file is a .sct file that the function will write to a file\r\nhttps://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/\r\nPage 1 of 10\n\n%TEMP%\\12-B-366.txt. 
While .sct files are used by a multitude of applications, in this instance it is being used as a\r\nWindows Script Component file. The function then uses the built-in Shell function to run the following command, which\r\neffectively executes the .sct file stored in 12-B-366.txt:\r\nregsvr32.exe /s /n /u /i:%TEMP%\\12-B-366.txt scrobj.dll\r\nThe use of the legitimate regsvr32.exe application to run a .sct file is an AppLocker bypass technique originally discovered\r\nby Casey Smith (@subtee), which eventually resulted in a Metasploit module. The WINDOWSTEMP.ps1 script is a dropper\r\nthat decodes an embedded executable using base64 and decompresses it with the System.IO.Compression.GzipStream\r\nobject. The script saves the decoded and decompressed executable to\r\n%APPDATA%\\Microsoft\\Windows\\Templates\\WindowsTemplate.exe and creates an LNK shortcut at\r\n%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\OneDrive.lnk to persistently run WindowsTemplate.exe\r\neach time Windows starts up. The WindowsTemplate.exe executable is a new variant of RogueRobin written in C#.\r\nRogueRobin .NET Payload\r\nIn our original blog on DarkHydrus, we analyzed a PowerShell-based payload we named RogueRobin. While performing\r\nthe analysis on the delivery documents using the .sct file AppLocker bypass, we noticed the C# payload was functionally\r\nsimilar to the original RogueRobin payload. The similarities between the PowerShell and C# variants of RogueRobin\r\nsuggests that the DarkHydrus group ported their code to a compiled variant.\r\nThe C# variant of RogueRobin attempts to detect if it is executing in a sandbox environment using the same commands as in\r\nthe PowerShell variant of RogueRobin. 
The series of commands, as seen in Table 2, include checks for virtualized\r\nenvironments, low memory, and processor counts, in addition to checks for common analysis tools running on the system.\r\nThe Trojan also checks to see if a debugger is attached to its processes and will exit if it detects the presence of a debugger.\r\nPowerShell command Description\r\n‘gwmi -query \"select * from win32_BIOS where\r\nSMBIOSBIOSVERSION LIKE '%VBOX%'\"\r\nQuery attempts to detect VirtualBox environment from\r\nthe win32_BIOS WMI class\r\ngwmi -query \"select * from win32_BIOS where\r\nSMBIOSBIOSVERSION LIKE '%bochs%'\"\r\nQuery attempts to detect Bochs environment from the\r\nwin32_BIOS WMI class\r\ngwmi -query \"select * from win32_BIOS where\r\nSMBIOSBIOSVERSION LIKE '%qemu%'\"\r\nQuery attempts to detect QEMU environment from the\r\nwin32_BIOS WMI class\r\ngwmi -query \"select * from win32_BIOS where\r\nSMBIOSBIOSVERSION LIKE '%VirtualBox%'\"\r\nQuery attempts to detect VirtualBox environment from\r\nthe win32_BIOS WMI class\r\ngwmi -query \"select * from win32_BIOS where\r\nSMBIOSBIOSVERSION LIKE '%VM%'\"\r\nQuery attempts to detect VMWare environment from\r\nthe win32_BIOS WMI class\r\ngwmi -query \"Select * from win32_BIOS where\r\nManufacturer LIKE '%XEN%'\"\r\nQuery attempts to detect Xen environment from the\r\nwin32_BIOS WMI class\r\ngwmi win32_computersystem\r\nUses this query to check the system information for the\r\nstring “VMware”.\r\ngwmi -query \"Select TotalPhysicalMemory from\r\nWin32_ComputerSystem\"\r\nUses this query to check to see if the total physical\r\nmemory is less than 2,900,000,000 bytes.\r\ngwmi -Class win32_Processor | select NumberOfCores\r\nUses this query to check to see if the total number of\r\nCPU cores is less than 1.\r\nGet-Process | select Company\r\nChecks to see if any running processes have\r\n\"Wireshark\" or \"Sysinternals\" as the company name.\r\nTable 2 Sandbox evasion checks in the C# variant of RogueRobin\r\nLike the 
original version, the C# variant of RogueRobin uses DNS tunneling to communicate with its C2 server using a\r\nvariety of different DNS query types. Just like in the sandbox checks, the Trojan checks for an attached debugger each time\r\nit issues a DNS query; if it does detect a debugger it will issue a DNS query to resolve 676f6f646c75636b.gogle[.]co. The\r\ndomain is legitimate and owned by Google. The subdomain 676f6f646c75636b is a hex encoded string which decodes to\r\ngoodluck. This DNS query likely exists as a note to researchers or possibly as an anti-analysis measure, as it will only\r\ntrigger if the researcher has already patched the initial debugger check to move onto the C2 function. Figure 2 shows the\r\ncode responsible for detecting the attached debugger and issuing the corresponding DNS request.\r\nFigure 2 Code that issues DNS query to gogle.co if a debugger is detected\r\nAll DNS requests issued by RogueRobin use the built in nslookup.exe application to communicate to the C2 server and the\r\nTrojan will use a variety of regular expressions to extract data from the DNS response. 
Firstly, the Trojan will use the\r\nfollowing regular expression to determine if the C2 server wishes to cancel the C2 communications:\r\n216.58.192.174|2a00:1450:4001:81a::200e|2200::|download.microsoft.com|ntservicepack.microsoft.com|windowsupdate.microsoft.com|updat\r\nAdditionally, the RogueRobin Trojan uses the regular expressions in Table 3 to confirm that the DNS response contains the\r\nappropriate data for it to extract information from.\r\nRegular Expressions\r\n([^r-v\\\\s])[r-v]([\\\\w\\\\d+\\\\/=]+)-\\\\w+.(\u003cdomainList[0]\u003e|\u003cdomainList[1]\u003e|\u003cdomainList[n]\u003e)\r\nAddress:\\\\s+(([a-fA-F0-9]{0,4}:{1,4}[\\\\w|:]+){1,8})\r\nAddress:\\\\s+(([a-fA-F0-9]{0,4}:{1,2}){1,8})\r\n([^r-v\\\\s]+)[r-v]([\\\\w\\\\d+\\\\/=]+).(\u003cdomainList[0]\u003e|\u003cdomainList[1]\u003e|\u003cdomainList[n]\u003e)\r\n(\\\\w+).(\u003cdomainList[0]\u003e|\u003cdomainList[1]\u003e|\u003cdomainList[n]\u003e)\r\nAddress:\\\\s+(\\\\d+.\\\\d+.\\\\d+.\\\\d+)\r\nTable 3 Regular expressions used by RogueRobin\r\nThe C# variant, like its PowerShell relative, will issue DNS queries to determine which query types can successfully\r\ncommunicate with its C2 servers. Figure 3 shows the RogueRobin payload issuing DNS requests to resolve custom crafted\r\nsubdomains of its C2 domains using TXT, SOA, MX, CNAME, SRV, A and AAAA query types.\r\nFigure 3 RogueRobin testing various DNS query types\r\nhttps://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/\r\nPage 3 of 10\n\nThe domains in the test queries, such as aqhpc.akdns[.]live have subdomains that are generated by substituting the digits in\r\nthe Trojan’s process ID with characters seen in Table 4 (for example qhp for the PID 908) and surrounding these characters\r\nwith the static characters a and c. 
The C2 server can respond to any of the query types to provide a unique identifier value\r\nthat the Trojan will store in a variable and use in future DNS requests.\r\nCharacter Digit\r\nh 0\r\ni 1\r\nj 2\r\nk 3\r\nl 4\r\nm 5\r\nn 6\r\no 7\r\np 8\r\nq 9\r\nTable 4 Character substitution used in RogueRobin\r\nThe Trojan will use future DNS requests to retrieve jobs from the C2 server, which the Trojan will handle as commands. To\r\nobtain a job, the Trojan builds a subdomain that has the following structure and issues a DNS query to the C2 server:\r\nc\u003cunique identifier\u003e\u003cjob identifier padded with ‘0’ to make three digits\u003e\u003csequence number\u003ec\r\nThe generated subdomain is then subjected to a number-to-character substitution function that is the inverse of the Table 4,\r\nwhich effectively converts all the digits in the subdomain into characters. The Trojan checks the response to this query using\r\nthe regular expressions in Table 3. If it received a non-cancelling response, the Trojan will extract data from the DNS\r\nresponses and treat it as commands. Table 5 shows the commands that the C# variant of RogueRobin can handle, which is\r\nextremely similar to the previously analyzed PowerShell variant.\r\nRegex  Description\r\n^kill Kills a thread running in Trojan based on a provided thread name\r\n^\\$fileDownload Uploads a file to the C2 server via the DNS tunnel\r\n^\\$importModule Runs a provided PowerShell command and adds it to a list called 'modules'\r\n^\\$x_mode\r\nTurns on the alternative mode of 'x_mode' on to use the alternative C2 channel. If preceded by\r\n\"OFF\", it turns 'x_mode' off, otherwise the command is newline delimited with settings to use this\r\nalternative C2 functionality.\r\n^\\$ClearModules Clears the previously run 'modules' list\r\n^\\$fileUpload\r\nThis command should be followed by a string that will be used as a path to save a new file to the\r\nsystem. 
This command will then reach out to the C2 server to obtain the data to save to this file\r\npath.\r\n^testmode\r\nRuns the test function to determine which DNS query types can successfully communicate with the\r\nC2\r\n^showconfig\r\nCreates a pipe delimited (\"|\") string that contains the sample's settings, including the list of C2\r\ndomains and available DNS query types.\r\n^changeConfig\r\nAllows the C2 to set values within the Trojan's configuration via pipe delimited (\"|\") string. The\r\nstring is formatted as \"\u003cdomain list\u003e|\u003cminimum query size\u003e|\u003cmaximum query size\u003e|\r\n\u003chasGarbage\u003e|\u003csleepPerRequest\u003e|\u003cmaximum requests\u003e|\u003cquery types\u003e|\u003chibridMode\u003e|\u003ccurrent\r\nquery mode\u003e\"\r\nhttps://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/\r\nPage 4 of 10\n\n^slp Sets the sleep and jitter values\r\n^exit Exits the Trojan\r\nTable 5 Commands available within the C# variant of RogueRobin\r\nUsing Google Drive for C2\r\nA command that was not available in the original PowerShell variant of RogueRobin but is available with the new C#\r\nvariant is the x_mode. This command is particularly interesting as it enables an alternative command and control channel\r\nthat uses the Google Drive API. The x_mode command is disabled by default, but when enabled via a command received\r\nfrom the DNS tunneling channel, it allows RogueRobin to receive a unique identifier and to get jobs by using Google Drive\r\nAPI requests.\r\nIn x_mode, RogueRobin uploads a file to the Google Drive account and continually checks the file's modification time to\r\nsee if the actor has made any changes to it. The actor will first modify the file to include a unique identifier that the Trojan\r\nwill use for future communications. 
The Trojan will treat all subsequent changes to the file made by the actor as jobs and\r\nwill treat them as commands, which it will handle with the same command handler seen in Table 5.\r\nTo use Google Drive, the x_mode command received from the C2 server via DNS tunneling will be followed by a newline-delimited list of settings needed to interact with the Google Drive account. Figure 4 shows the code in RogueRobin that\r\nhandles the x_mode command, specifically splitting the command data on newlines and using the resulting array to set\r\nvariables used as x_mode settings.\r\nFigure 4 x_mode command and new line delimited settings\r\nAs seen in Figure 4, the settings are stored in variables seen in Table 6, which are used to authenticate to the actor-controlled\r\nGoogle account before uploading and downloading files from Google Drive.\r\nVariable Name Description\r\ngdu Google Drive URL for downloading files to the Google Drive account\r\ngduu Google Drive URL for uploading files to the Google Drive account\r\ngdue Google Drive URL for updating a file on the Google Drive account\r\ngdo2t Google Drive URL used to get the OAUTH access_token\r\nclient_id The client_id for the OAUTH application\r\ncs The client_secret for OAUTH\r\nr_t The refresh_token for OAUTH\r\nTable 6 Variables used to store settings needed to use Google Drive as a C2\r\nTo obtain an OAUTH access token to authenticate to the actor provided Google account, the Trojan sends an HTTP POST\r\nrequest to a URL stored in the gdo2t variable with grant_type, client_id, client_secret, and refresh_token fields added to the\r\nHTTP header and in the POST data. 
As seen in Figure 5, the values for these fields are set to variables initially set upon\r\nissuing of the x_mode command.\r\nFigure 5 HTTP POST request to obtain an OAUTH access token\r\nFigure 5 shows that the Trojan then uses the following regular expression to obtain the access token from the HTTP\r\nresponse:\r\n\\\"access_token\\\":(.*)\r\nOnce authenticated with a valid access token, the Trojan will attempt to upload a file to the Google Drive account. To upload\r\na file, the Trojan first creates an HTTP POST request to the URL stored in gduu to send the following JSON data to the\r\nGoogle Drive account:\r\n{ \"name\" : “\u003cprocess ID of Trojan\u003e.txt” }\r\nGoogle Drive will respond to this request with an HTTP response whose header contains a Location field. This field\r\ncontains a URL that the Trojan will use to upload the contents of the \u003cprocess ID of Trojan\u003e.txt file, which will be\r\nstructured as \u003cprocess ID of Trojan\u003e.\u003cC2 domain\u003e where the process ID is encoded with the same character substitution\r\nfunction as seen previously in Table 4. The Trojan will then use the following regular expression to check the HTTP\r\nresponse to the content upload request for the file identifier value:\r\n\\\"id\\\":(.*)\r\nThe Trojan will use this file identifier value to monitor for changes made to the file by the actor by checking for changes to\r\nthe modification time of the \u003cprocess ID of Trojan\u003e.txt file. 
The Trojan checks the modified time of the file by creating an\r\nHTTP request to a URL structured as follows:\r\n\u003cGoogle Drive URL in ‘gdu’\u003e + \u003cfile identifier\u003e + \"?supportTeamDrives=true\u0026fields=modifiedTime\"\r\nThe Trojan then uses the following regular expression to obtain the modified time of the file from the HTTP response, which\r\nis saved to the variable named modification_time:\r\n\\\"modifiedTime\\\":(.*)\r\nThe Trojan then uploads a second file to the Google Drive, the purpose of which is to allow the Trojan to continually write\r\nto this file as it waits for the actor to modify the first file uploaded. The Trojan will write \u003cprocess ID of Trojan\u003e to a second\r\nfile stored on the Google Drive instance named \u003cprocess ID of Trojan\u003e-U.txt. In each iteration of the communications loop,\r\nthe Trojan will check to see if the modification time of the first file changed, and if it is not updated the Trojan will update\r\nthe second file by writing the string b\u003cunique identifier\u003ec\u003c5 random lowercase characters\u003e.\u003cC2 domain\u003e to the file by\r\ncreating an HTTP POST request to a URL structured as follows:\r\n\u003cGoogle Drive URL in ‘gdue’\u003e + \u003csecond file identifier\u003e + \"?\r\nsupportsTeamDrive=true\u0026uploadType=resumable\u0026fields=kind,id,name,mimeType,parents\"\r\nIn one RogueRobin sample (SHA256: f1b2bc0831...), the author did not use the Google Drive URL provided by the actor\r\nwhen issuing the x_mode command, and instead included a  hardcoded Google Drive URL, as seen in Figure 6. 
This is the\r\nonly instance we observed where a hardcoded Google Drive URL was included in RogueRobin, which suggests that the\r\nauthor may have overlooked this during testing.\r\nFigure 6 Hardcoded Google Drive URL used in RogueRobin sample\r\nWhen the modification_time for the first file changes, the Trojan downloads the contents from the first file uploaded to the\r\nGoogle Drive. The Trojan downloads the contents of this file by crafting an HTTP request to a URL structured as follows:\r\n\u003cGoogle Drive URL in ‘gdu’\u003e + \u003cfirst file identifier\u003e + \"?alt=media\"\r\nWith the contents of the file downloaded, the Trojan sets the modification_time variable to the current modification time so\r\nthe Trojan knows when the actor makes further changes to the file. The Trojan processes the downloaded data the same way\r\nit would for a unique identifier as if the data was obtained via the DNS tunneling protocol using the TXT query mode,\r\nspecifically by searching the data using the following regular expression:\r\n\\\"(\\\\w+).(\u003cdomainList[0]\u003e|\u003cdomainList[1]\u003e|\u003cdomainList[n]\u003e).\\\"\r\nWith the unique identifier value obtained from the file on Google Drive, the Trojan will attempt to obtain jobs using the\r\nGoogle Drive communications channel. To get a job from the Google Drive account, the Trojan starts by creating a string\r\nthat has the following structure with each element within the subdomain subjected to the number to character substitution\r\nfrom Table 4:\r\nc\u003cunique identifier\u003e\u003cjob identifier padded with ‘0’ to make three digits\u003e\u003csequence number\u003ec.\u003cC2 domain\u003e\r\nThe Trojan will then obtain an OAUTH access token to the Google Drive in the same manner as before when obtaining the\r\nunique identifier. 
The Trojan uses the access token to write the string above to the first file uploaded to Google drive whose\r\nfilename is \u003cprocess ID of Trojan\u003e.txt. After writing to this file, the Trojan will enter a loop to continually to check for\r\nchanges to the modification time of this file, effectively waiting for the actor to make modifications to the file. When the\r\nactor modifies the file and changes the modification_time, the Trojan downloads the contents from the file by creating an\r\nHTTP request to a URL structured as follows:\r\n\u003cGoogle Drive URL in ‘gdu’\u003e + \u003cfile identifier in 'f_id'\u003e + \"?alt=media\"\r\nThe Trojan processes the downloaded data within the file the same way it would to obtain a job from data received from the\r\nDNS tunneling channel using the TXT query mode, specifically by searching the data using the following regular\r\nexpression:\r\n([^r-v\\\\s]+)[r-v]([\\\\w\\\\d+\\\\/=]+).(\u003cdomainList[0]\u003e|\u003cdomainList[1]\u003e|\u003cdomainList[n]\u003e)\r\nThe Trojan function splits the matching data, specifically the subdomain on a separator that is a character between r and v\r\nand uses the data before the separator to get the sequence number and a Boolean value (0 or 1) if more data is expected. It\r\nwill use the data after the separator as the string that it will subject to the command handler seen in Table 5.\r\nInfrastructure\r\nThe initial list of C2 domains released by 360TIC associated with 513813af15... appeared thematically very similar to\r\nprevious DarkHydrus activity, using domain names visually similar to well-known technology vendors or service providers.\r\nThis list was further expanded upon by ClearSky Security (here, here and here) in a series of tweets that provided additional\r\nsimilar domain names also likely linked to DarkHydrus. 
To better understand how these domains are related to DarkHydrus,\r\nwe began visually mapping the relationships between the list of domains, which can be seen in Figure 7. The diagram shows\r\nthe DarkHydrus group using a consistent naming schema and structure in their infrastructure. They register a multitude of\r\ndomains and set up nameservers to use as their primary DNS for their C2 domains.\r\nFigure 7 Relational diagram of DarkHydrus infrastructure\r\nFor this campaign, we are able to cluster the adversary infrastructure via the specific nameservers that were deployed for\r\nC2s. The brackets in Figure 7 show the distinct clustering of infrastructure into three groups. We were able to retrieve live\r\npayloads associated with two of the clusters. A third cluster was also shared by ClearSky Security, but we were unable to\r\nassociate a live payload to them. Although the third cluster does not appear to have any direct relationships to the other two\r\nclusters, it is still highly probable that this cluster is related to the two other clusters via the structuring of domains with\r\ncustom nameservers. In addition, the domain names themselves were extremely similar, with some examples being exactly\r\nthe same but on a different top level domain.\r\nThe two sets of nameservers we were able to associate with the retrieved payloads were tbs1/tbs2.microsoftonline.services\r\nand tvs1/tvs2.trafficmanager.live. 
The distribution of C2 domains and their nameservers can be seen in Table 7.\r\nSample(s)\r\nf1b2bc0831445903c0d51b390b1987597009cc0fade009e07d792e8d455f6db0\r\n5cc62ad6baf572dbae925f701526310778f032bb4a54b205bada78b1eb8c479c\r\nDNS tbs1/tbs2.microsoftonline.services\r\nDomains 0ffice365[.]agency\r\n0ffice365[.]life\r\n0ffice365[.]services\r\n0nedrive[.]agency\r\ncorewindows[.]agency\r\nmicrosoftonline[.]agency\r\nonedrive[.]agency\r\nsharepoint[.]agency\r\nskydrive[.]agency\r\nskydrive[.]services\r\nSample eb33a96726a34dd60b053d3d1048137dffb1bba68a1ad6f56d33f5d6efb12b97\r\nDNS tvs1/tvs2.trafficmanager.live\r\nDomains akamaiedge[.]live\r\nakamaized[.]live\r\nakdns[.]live\r\nedgekey[.]live\r\nTable 7: Sample and Domain Associations\r\nThe third cluster of domains had six different nameservers associated with them, but unlike the other two clusters, were all\r\ndirectly tied to each other. Each of the domains appeared to have rotated through the six nameservers but oddly, one of the\r\nnameservers that several of the domains had rotated through did not appear to be currently registered. Examining historical\r\nIP resolutions revealed a common IP between the active nameservers, 107.175.75[.]123. This IP is of particular interest as\r\nhistorical domain resolutions of this IP revealed that it had resolved to the domain hotmai1l[.]com in the past as well, which\r\nwas a domain we had previously identified as having a high likelihood of association with DarkHydrus infrastructure. This\r\nIP also belongs to the same service provider and class B network range as another IP we had associated with DarkHydrus,\r\n107.175.150[.]113 which specifically resolved to a domain name containing a victim organization’s name.\r\nConclusion\r\nThe DarkHydrus group continues their operations and adds new techniques to their playbook. 
Recent DarkHydrus delivery\r\ndocuments revealed the group abusing open-source penetration testing techniques such as the AppLocker bypass. The\r\npayloads installed by these delivery documents show that the DarkHydrus actors ported their previous PowerShell-based\r\nRogueRobin code to an executable variant, which is behavior that has been commonly observed with other adversary groups\r\noperating in the Middle East, such as OilRig. Lastly, the new variant of RogueRobin is capable of using the Google Drive\r\ncloud service for its C2 channel, suggesting that DarkHydrus may be shifting to abusing legitimate cloud services for their\r\ninfrastructure.\r\nPalo Alto Networks customers are already protected via:\r\nAll samples in this report have a malicious verdict in WildFire\r\nDomains have been classified as malicious\r\nAutoFocus tags are available for additional context: DarkHydrus and RogueRobin\r\nIndicators of Compromise\r\nDelivery Document SHA256\r\n513813af1590bc9edeb91845b454d42bbce6a5e2d43a9b0afa7692e4e500b4c8\r\ne068c6536bf353abe249ad0464c58fb85d7de25223442dd220d64116dbf1e022\r\n4e40f80114e5bd44a762f6066a3e56ccdc0d01ab2a18397ea12e0bc5508215b8\r\nRogueRobin SHA256\r\neb33a96726a34dd60b053d3d1048137dffb1bba68a1ad6f56d33f5d6efb12b97\r\nf1b2bc0831445903c0d51b390b1987597009cc0fade009e07d792e8d455f6db0\r\n5cc62ad6baf572dbae925f701526310778f032bb4a54b205bada78b1eb8c479c\r\nRogueRobin C2s\r\nakdns[.]live\r\nakamaiedge[.]live\r\nedgekey[.]live\r\nhttps://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/\r\nPage 9 of 
10\n\nakamaized[.]live\r\n0ffice365[.]agency\r\n0nedrive[.]agency\r\ncorewindows[.]agency\r\nmicrosoftonline[.]agency\r\nonedrive[.]agency\r\nsharepoint[.]agency\r\nskydrive[.]agency\r\n0ffice365[.]life\r\n0ffice365[.]services\r\nskydrive[.]services\r\nskydrive[.]agency\r\nNameservers\r\ntvs1.trafficmanager[.]live\r\ntvs2.trafficmanager[.]live\r\ntbs1.microsoftonline[.]services\r\ntbs2.microsoftonline[.]services\r\nbrit.ns.cloudfronts[.]services\r\ndns.cloudfronts[.]services\r\nns2.akadns[.]services\r\nbritns.akadns[.]services\r\nbritns.akadns[.]live\r\nns2.akadns[.]live\r\nRelated Domains\r\niecvlist-microsoft[.]live\r\ndata-microsoft[.]services\r\nasimov-win-microsoft[.]services\r\nonecs-live[.]services\r\nakamaiedge[.]services\r\nphicdn[.]world\r\nazureedge[.]today\r\nnsatc[.]agency\r\nAkamai[.]agency\r\nt-msedge[.]world\r\nSource: https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/\r\nhttps://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/\r\nPage 10 of 10",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia",
		"ETDA",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/"
	],
	"report_names": [
		"darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications"
	],
	"threat_actors": [
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6efb28db-4d91-46cb-8ab7-fe9e8449ccfc",
			"created_at": "2023-01-06T13:46:38.772861Z",
			"updated_at": "2026-04-10T02:00:03.095095Z",
			"deleted_at": null,
			"main_name": "DarkHydrus",
			"aliases": [
				"LazyMeerkat",
				"G0079",
				"Obscure Serpens"
			],
			"source_name": "MISPGALAXY:DarkHydrus",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b04780e-7b64-4e62-b776-c6749ff7dec8",
			"created_at": "2022-10-25T16:07:23.531741Z",
			"updated_at": "2026-04-10T02:00:04.643562Z",
			"deleted_at": null,
			"main_name": "DarkHydrus",
			"aliases": [
				"ATK 77",
				"DarkHydrus",
				"G0079",
				"LazyMeerkat",
				"Obscure Serpens"
			],
			"source_name": "ETDA:DarkHydrus",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Mimikatz",
				"Phishery",
				"RogueRobin",
				"RogueRobinNET",
				"Trojan.Phisherly",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4fe925e8-95e5-4a63-9f96-4d0f9bedac08",
			"created_at": "2022-10-25T15:50:23.469077Z",
			"updated_at": "2026-04-10T02:00:05.384299Z",
			"deleted_at": null,
			"main_name": "DarkHydrus",
			"aliases": [
				"DarkHydrus"
			],
			"source_name": "MITRE:DarkHydrus",
			"tools": [
				"Mimikatz",
				"RogueRobin",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434073,
	"ts_updated_at": 1775826744,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2d1d157b02bc3568650079731c970e1c980d624b.pdf",
		"text": "https://archive.orkl.eu/2d1d157b02bc3568650079731c970e1c980d624b.txt",
		"img": "https://archive.orkl.eu/2d1d157b02bc3568650079731c970e1c980d624b.jpg"
	}
}