{
	"id": "4064333e-2860-469f-90ae-7564ecc54ba1",
	"created_at": "2026-04-06T00:17:49.186898Z",
	"updated_at": "2026-04-10T13:11:20.897643Z",
	"deleted_at": null,
	"sha1_hash": "40ed914916f507ad9a9ede3e05210da264cc46c1",
	"title": "Hellhounds: operation Lahat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 769150,
	"plain_text": "Hellhounds: operation Lahat\r\nBy Positive Technologies\r\nPublished: 2024-08-19 · Archived: 2026-04-05 18:48:21 UTC\r\nContents\r\nIntroduction\r\nFirst Stage (Decoy Dog Loader)\r\nSecond Stage (Decoy Dog)\r\nVictims\r\nConclusion\r\nVerdicts of our products\r\nPT Sandbox\r\nPT Network Attack Discovery\r\nIOCs\r\nFile indicators\r\nFile paths\r\nNetwork indicators\r\nFile signatures\r\nMITRE TTPs\r\nIntroduction\r\nIn 2023, our Positive Technologies Computer Security Incident Response Team (PT CSIRT) discovered that a certain power\r\ncompany was compromised by the Decoy Dog trojan. According to the PT CSIRT investigation, Decoy Dog has been\r\nactively used in cyberattacks on Russian companies and government organizations since at least September 2022. This\r\ntrojan was previously discussed by NCIRCC, Infoblox, CyberSquatting, and Solar 4RAYS.\r\nHowever, the sample we found on the victim’s host was a new modification of the trojan, which the adversaries altered\r\nin such a way as to make it harder to detect and analyze.\r\nAs far as we can tell, the APT group Hellhounds that uses Decoy Dog only targets organizations located in Russia.\r\nRemarkably, the attackers were using the command-and-control (C2) server maxpatrol[.]net to impersonate Positive\r\nTechnologies MaxPatrol products. Positive Technologies products contain all indicators of compromise mentioned in this\r\narticle in their databases.\r\nFirst Stage (Decoy Dog Loader)\r\nWhen investigating the incident, we found a 9 KB executable on path /usr/bin/dcrond. It was protected by a modified\r\nversion of the UPX packer, with the signature UPX! replaced with 37 13 03 00. At the moment of our investigation, only\r\none antivirus engine could detect the packer, while some malware samples were not detectable by any engine. The modified\r\nUPX can be detected by a public YARA rule from the JPCERT/CC research.\r\nFigure 1. 
Verdicts of antivirus engines\r\nUnlike the standard UPX tool, which unpacks the executable, this modification unpacks a shellcode that is written in\r\nassembly language and uses only Linux system calls. The modified UPX header is followed by an encrypted configuration\r\nthat contains the path to the encrypted file with the main payload, and the configuration is followed by the compressed\r\nshellcode:\r\nhttps://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/hellhounds-operation-lahat\r\nPage 1 of 11\n\nFigure 2. Fragment of the Decoy Dog loader\r\nThe loader operates in the system and disguises itself as the legitimate cron service. We also discovered samples\r\nmasquerading as the legitimate irqbalance service and the lib7.so library.\r\n \r\n[Unit]\r\nDescription=Daemon to execute scheduled commands\r\nDocumentation=man:dcrond(8)\r\n \r\n[Service]\r\nType=forking\r\nExecStart=/usr/bin/dcrond\r\nRestart=always\r\n \r\nIn attacks in 2022, the original malware samples were disguised as the atd service and systemd-readahead-stop.service. The\r\nsamples were located at /usr/bin/atd or /usr/bin/container:\r\n \r\n[Unit]\r\nDescription=Deferred execution scheduler\r\nDocumentation=man:atd(8)\r\n \r\n[Service]\r\nType=forking\r\nExecStart=/usr/bin/atd\r\nRestart=always\r\n \r\n[Install]\r\nWantedBy=multi-user.target\r\n \r\n \r\n[Unit]\r\nDescription= systemd-redhead is a service that collects disk usage patterns at boot time. systemd-readahead-st\r\n[Service]\r\nType=forking\r\nExecStart=/usr/bin/container\r\nRestart=always\r\n[Install]\r\nWantedBy=multi-user.target\r\n \r\nThe loader first checks whether it is being debugged. For this, it reads /proc/self/status and checks that the value\r\nof TracerPid is 0.\r\n
If the TracerPid value is different from 0, the loader replaces itself with /bin/sh using the execve system\r\ncall.\r\nAfter ensuring that it is not being debugged, the loader attempts to read each of the following files containing the\r\ncompromised host’s identifiers and calculates an MD5 hash of the first file existing in the file system:\r\n/etc/machine-id\r\n/var/lib/dbus/machine-id\r\n/var/db/dbus/machine-id\r\n/usr/local/etc/machine-id\r\n/sys/class/dmi/id/product_uuid\r\n/sys/class/dmi/id/board_serial\r\n/etc/hostid\r\n/proc/self/cgroup\r\nThe loader uses the obtained MD5 hash as a key to decrypt the configuration and then the main payload, which are\r\nencrypted using the 128-bit CLEFIA algorithm.\r\nAt this stage of our research, it became clear that this malware sample was designed to target a specific host and that the\r\nadversaries had previously accessed that host to get the identifier and add it to the configuration.\r\nSecond Stage (Decoy Dog)\r\nThe main payload of the analyzed malware sample is stored in the file system at /usr/share/misc/pcie.cache. The decrypted\r\npayload is a modified version of Pupy RAT known as Decoy Dog.\r\nPupy RAT is a cross-platform multifunctional backdoor and an open-source post-exploitation tool, mostly written in Python.\r\nPupy supports Windows and Linux and partially supports Android and macOS. It features an all-in-memory execution\r\nguideline and leaves a minimal footprint. Pupy RAT can maintain a connection to the C2 server using multiple transports,\r\nmigrate into processes by leveraging the reflective injection technique, and remotely load Python (.py, .pyc) packets and\r\ncompiled Python C (.pyd, .so extensions) from memory.\r\nWhile the development of Pupy RAT stopped two years ago, Decoy Dog is actively being developed. The key improvements\r\nin Decoy Dog as compared to Pupy RAT are:\r\nThe client was upgraded from Python 2.7 to Python 3.8, which means all code was rewritten under Python 3.8. 
This\r\nexplains why the number of modules was reduced, leaving only those modules that are actually used.\r\nNew features for injecting code into Java virtual machines were added.\r\nThe following new transports were added:\r\n— BOSH (Bidirectional-streams Over Synchronous HTTP), with combination with ECPV and RC4—instead\r\nof HTTP transport\r\n— lc4 (combination of ECPV and RC4 used for a local client or server over TCP)\r\n— lws4 (combination of ECPV and RC4 used for a local client or server over WebSockets)\r\n— ws4 (the same as the original ws, but the RSA and AES combination is replaced by ECPV and RC4)\r\n— dfws4 (the same as the original dfws, but the RSA and AES combination is replaced by ECPV and RC4)\r\nA new feature was added to enable encrypted dynamic configuration files to be downloaded and saved to the disk.\r\nA new launcher called \"special\" was added (it establishes a local connection using the IP address and port or file\r\nsocket).\r\nFault tolerance was increased by means of backup C2 servers with specific domains defined and the use of DGA.\r\nThe analyzed sample used the C2 server z-uid.lez2yae2.dynamic-dns[.]net, which was specified in the configuration\r\nincluded in the executable. Here is a fragment of the configuration:\r\nFigure 3. Fragment of the Decoy Dog RAT configuration\r\nThe trojan also gets the dynamic (current) configuration from the /var/lib/misc/mpci.bin file. 
The file is encrypted with the\r\n128-bit AES algorithm in Counter (CTR) mode (the 128-bit key is itself encrypted using the elliptic curve brainpoolP384r1)\r\nand contains new C2 servers:\r\nm-srv.daily-share.ns3[.]name;\r\nf-share.duckdns[.]org.\r\nThe public key used to decrypt the AES key is stored in the configuration inside the executable.\r\nThe configuration of the analyzed sample also contains a scriptlet called \"telemetry\", which is started each time the backdoor\r\nis launched. This scriptlet is used to send telemetry data (information about the infected system) to mindly.social (a social\r\nnetwork powered by the open-source engine Mastodon) via the service API. Here are the contents of the telemetry data:\r\n \r\n{\r\n 'cid': \u003cbackdoor ID from the configuration\u003e,\r\n 'user': \u003cusername\u003e,\r\n 'hostname': \u003chost name\u003e,\r\n 'node': \u003cMAC address as a 48-bit number\u003e,\r\n 'platform': \u003cplatform\u003e,\r\n 'node': \u003cMAC address as a 48-bit number\u003e,\r\n 'pid': \u003cbackdoor process ID\u003e,\r\n 'ppid': \u003cbackdoor parent process ID\u003e,\r\n 'cwd': \u003cwork directory\u003e,\r\n 'proc_arch': \u003carchitecture of the running backdoor process\u003e,\r\n 'exec_path': \u003cpath to the running backdoor process\u003e,\r\n 'uac_lvl': \u003cUAC protection level\u003e,\r\n 'intgty_lvl': \u003cbackdoor process integrity level\u003e,\r\n 'machine_key': \u003cMD5 hash of the system ID\u003e,\r\n 'proxy': \u003cdefault proxy server connection string\u003e,\r\n 'external_ip': \u003cexternal IP address as a 32-bit number\u003e,\r\n 'internal_ip': \u003cinternal IP address as a 32-bit number\u003e,\r\n 'boottime': \u003csystem boot date and time (Unix time)\u003e\r\n}\r\n \r\nThe transmitted data is encrypted in the same way as the dynamic configuration file and with the same public key.\r\n
This\r\nmeans that, even if the data is intercepted, it is impossible to decrypt it without knowing the private key.\r\nThe data is transmitted using an API key stored in the code in cleartext. However, the adversaries restricted access to the\r\nAPI key by making it read-only. In other words, obtaining the API key will not allow you to read any data.\r\nFigure 4. Fragment of the Decoy Dog RAT code\r\nNonetheless, we managed to find out that the telemetry data of the infected hosts is sent to the account with the username\r\n@lahat, which is where our research got its name.\r\nFigure 5. Profile of the user @lahat in mindly.social\r\nIn addition to the primary C2 channel, the analyzed sample also functioned as a server, using an additional local channel\r\nto read data from the file socket /var/run/ctl.socket.\r\nDecoy Dog supports a domain generation algorithm (DGA) that generates domain names (DGA domains) when the\r\nconnection over the primary C2 channel is lost.\r\nIf the bootstrap-domains option is enabled in the configuration, one of the main domains is used for name generation.\r\nOtherwise, the malware generates either a subdomain for one of the top-level domains specified in the configuration\r\nor a domain under one of the specified zones (the top-level domain dynamic-dns.net is used by default).\r\n
In the configuration\r\nof the analyzed sample, the duckdns.org and dynamic-dns.net domains are selected.\r\nA backup domain is generated as the first half of the hexadecimal representation of the MD5 hash calculated from the string\r\nwith the current date in format and the public key used for encrypting communication with the C2 server.\r\nThen, an MD5 hash is calculated from the generated domain (or one of the main domains if the bootstrap-domains option\r\nis enabled), after which two characters from the first half of the hexadecimal representation are prepended to the\r\ndomain name. This results in a set of nine domains to which the malware attempts to connect. For example, for the domain\r\nm-srv.daily-share.ns3[.]name, the following eight domains will be generated:\r\n6cm-srv.daily-share.ns3[.]name\r\n78m-srv.daily-share.ns3[.]name\r\n7fm-srv.daily-share.ns3[.]name\r\nb1m-srv.daily-share.ns3[.]name\r\n98m-srv.daily-share.ns3[.]name\r\nd5m-srv.daily-share.ns3[.]name\r\n2fm-srv.daily-share.ns3[.]name\r\n08m-srv.daily-share.ns3[.]name\r\nThis is the code that generates domains:\r\n \r\nimport datetime, hashlib\r\n\r\nWELL_KNOWN_ZONES = ('dynamic-dns.net', )\r\n\r\n\r\ndef make_emergency_related_domains(domain):\r\n    # Prepend each two-character chunk of the first 16 hex digits of MD5(domain)\r\n    domain_bytes = domain\r\n    if isinstance(domain_bytes, bytes):\r\n        domain = domain.decode()\r\n    else:\r\n        domain_bytes = domain.encode()\r\n    prefix_hash = hashlib.md5(domain_bytes).hexdigest()[:16]\r\n    for x in range(len(prefix_hash) // 2):\r\n        yield prefix_hash[x * 2:x * 2 + 2] + domain\r\n\r\n\r\nclass EmergencyDomains(object):\r\n    __slots__ = ('key', 'zones', 'beacon_domains', '_zone_id', '_emergency_loop')\r\n\r\n    def __init__(self, key, beacon_domains=None, zones=None):\r\n        self.key = key\r\n        self.zones = zones or WELL_KNOWN_ZONES\r\n        if not isinstance(self.zones, (list, tuple, set)):\r\n            self.zones = tuple((self.zones,))\r\n        self.beacon_domains = beacon_domains\r\n        self._zone_id = 0\r\n        self._emergency_loop = self._emergency_loop_generator()\r\n\r\n    def _emergency_loop_generator(self):\r\n        # Main (bootstrap) domains first, then the date-keyed domain of the day\r\n        if self.beacon_domains:\r\n            for domain in self.beacon_domains:\r\n                yield domain\r\n        yield self._domain_of_the_day()\r\n\r\n    def iterate(self):\r\n        try:\r\n            while True:\r\n                yield next(self._emergency_loop)\r\n        except StopIteration:\r\n            self._emergency_loop = self._emergency_loop_generator()\r\n\r\n    def _domain_of_the_day(self):\r\n        # MD5(YYYYMMDD || key)[:16] under the next zone in round-robin order\r\n        now = datetime.datetime.utcnow()\r\n        ts_formatted = now.strftime('%Y%m%d')\r\n        if not isinstance(ts_formatted, bytes):\r\n            ts_formatted = ts_formatted.encode()\r\n        formatted_key = self.key\r\n        if not isinstance(formatted_key, bytes):\r\n            formatted_key = formatted_key.encode()\r\n        domain_hash = hashlib.md5()\r\n        domain_hash.update(ts_formatted)\r\n        domain_hash.update(formatted_key)\r\n        domain_part = domain_hash.hexdigest()[:16]\r\n        zone = self.zones[self._zone_id]\r\n        self._zone_id = (self._zone_id + 1) % len(self.zones)\r\n        return domain_part + '.' + zone\r\n \r\nHere is a detailed chart showing how Decoy Dog works:\r\nFigure 6. Decoy Dog flowchart\r\nVictims\r\nAccording to our data, at least 20 organizations located in Russia were compromised using Decoy Dog. The breakdown\r\nof the victims by industry looks as follows:\r\nFigure 7. Victims by industry (government, information technology, space industry, energy sector, construction, education,\r\ntransport and logistics, retail, security, telecommunication)\r\nAt present, the APT group Hellhounds that uses the malware is actively targeting organizations in Russia, so our research\r\ncontinues. We still don't know the ultimate goals of these threat actors, but in one incident they used Decoy Dog to attack\r\na telecom operator in Russia and managed to put some of its services out of operation.\r\n
This was reported by Solar 4RAYS\r\nresearchers as part of their presentation \"Thanos' blip for the telecom operator\" at SOC-Forum 2023.\r\nConclusion\r\nAfter materials on the first version of Decoy Dog were published, the malware authors went to a lot of effort to hamper its\r\ndetection and analysis both in traffic and in the file system.\r\nA significant number of victims proves once again that Linux systems are often underprotected. When working on incident\r\ninvestigation projects, we rarely see additional monitoring systems (auditd) and antivirus tools on hosts running on Linux.\r\nAuthors: Stanislav Pyzhov, Aleksandr Grigorian (Positive Technologies)\r\nThe authors would like to thank the incident response and threat intelligence teams of the PT Expert Security Center for\r\ntheir help in preparing this article.\r\nVerdicts of our products\r\nPT Sandbox\r\napt_linux_ZZ_DecoyDog__Trojan__FirstStage\r\napt_linux_ZZ_DecoyDog__Backdoor__Pupy\r\napt_linux_ZZ_DecoyDog__Backdoor__EncryptedPayload\r\napt_mem_ZZ_DecoyDog__Backdoor\r\nPT Network Attack Discovery\r\nSUSPICIOUS [PTsecurity] Possible DecoyDog DNS Tunneling sid: 10010052\r\nSUSPICIOUS [PTsecurity] Possible DecoyDog DNS Tunneling sid: 10010053\r\nIOCs\r\nFile indicators\r\nName MD5 SHA-256\r\nDecoy Dog Loader\r\nhttps://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/hellhounds-operation-lahat\r\nPage 7 of 11\n\n_lib7.so 8292f151b40308b31277165ea37541a9 57ed4aa89eb7f04eb1d88c038d2eb979d5082872fb41b4ea1c8bb0ca3ee97c4e\r\n.lib7.so 6685ea769026e8831b67e4d8f0606e65 d73889d26fa37deee733a871dbd39dd54d6079ef286172699af585583025fb45\r\n- 1fd1d550b549c9c14031080380b4b0b7 8130de2602bfba78875dec200282dde736aa0558369bff8fd8797f8846e30be8\r\ndcrond b83dffed692e165ad0274b63a6c7f1cb e218ab7b3ab64e93373661558f9093d7f2a344e6d4fdd245b3556ad93c0bea02\r\ncontainer 9671607c162cd3037da08508d2d3f3a3 2f44da49c7deb865312265c17004b7ee1744e8af4667219b276b2a65afedf821\r\nsystemd-inputd 7974a843acdf22b32a13256ba7f56baa 
4c0b3dd3de24099be2685e8fe19f80599fb9596ec0bafcf29f1cf5d051ebc223\r\nsmartmond bcbf98042bf9796e50f16e68c4255f85 dc6bdfb15624adce5c9e4978d1a38e98e539d0f73304692bea4e70e4e04a7aaa\r\nepel-modular-update.solvx\r\n2e272a6d04e6f28145f5d07f97bb51a7 4750aef958598d156c47fa48bb2dea707dec8586a9fc7ae3b448348f4fa9a66a\r\nirqballanced 536be89b71cd273db8a79b0bc2074ce6 0b43038fd6c46427d2bf0964aab3bb96f42de504fbda5071031fecb120abc59f\r\nDecoy Dog RAT (version\r\n1)\r\n- bb04bac638e35775b93ddfa30f0a3b09 4996180b2fa1045aab5d36f46983e91dadeebfd4f765d69fa50eba4edf310acf\r\n- 5e55d48b930b75ac3df3d2b3f9db1b07 a1704832392c67a0a2c79fd52422226b5d9df0e40cf537304495496910d1b744\r\n- c4d377c3fcd231adcc2d7b5e7e701fc9 0375f4b3fe011b35e6575133539441009d015ebecbee78b578c3ed04e0f22568\r\nJniAccelCsv.Linux.amd64 ff09a325e7e739cfc8ed0bac0838581a ec01b358f82ad43e04b80ae6e1366516b4e62718da64d68a832433860ad312ad\r\nJniAccelCsv.Linux.amd64 917836dc595074bf57f14e3d9cc4f766 4d3814f0ce7537756b1dd3096773bc57a7b22f61ab5262f8d6f6a74a84c61900\r\natd d8ce9e4b5d4443b368ab226913af87f9 6c8f413111f1abfee788dad4ee7cca37e0c2597cca66d155af958c535faf55cc\r\natd e7e7ff7450d9655d71d281fbb5d59f6f e6b88a0710d74330c31590718ad563f4788760c8607c414765aa73b5bb402760\r\n- ee09f7610b5213ed5e3b85c7457858c3 637d602d5b6cf33f5c7236f335245df02e535c76ff6e0014839c557546cfe073\r\n_bareos.cfg 58b1c162d66194b26d7d462a0f80e28d d189e0150f42d2a2e40fefcec6973fcbc4a8b1a1757a358d13df3519ef275412\r\n- fa8443fdde409b830f77f18c0ef5a44d 6a06619b21f20094a77bfc9af3fc4dbecfacdbe038f017604399ce86d5f38362\r\n- 4c999714034ae431adb2776cd930b518 a1c116042e81280e408e859ab8eba8237bb1f31cad00814d6a406fc45444ae97\r\nhttps://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/hellhounds-operation-lahat\r\nPage 8 of 11\n\nDecoy Dog RAT (version\r\n2)\r\npcie.cache 8147c66144990691e2d9d870fb921475 4f9ff5ec62bba44d18f18323ef674e49515da976011c33049bce1d1f9a3f6e46\r\npcie.cache a9675ccc238c2de8c673879a63975d80 
5d7866865554afa00ce44db77bf419a21bead64b5ed3394aa23f79aa2b5b00c4\r\npcie.cache de81b0ebc983d4a23395a35c759fc84e c13b1a591561800163154b72415cfb3283eae253772fed1ca2bd4f0a2644cfbd\r\npcie.cache 7aafa110d681067787d5382a6cc55e48 10f7fc4a3dbb07de3a73124cc02469d2123824960da02c51f9c5304dd82c9464\r\ncontainerd 2ccc492a1a977e694bd5ced7cee35a8d d67e2641d7f423e868b2ca62f809ccad83f87081aa1e9aa62d9c68b83138e181\r\n.mem_cache 6323e21d0cd0787c52fc71e7a3420e28 5f9c971b77f69d6337ed591aa50ef271757456038a1aad1a6f3d16b331c4166f\r\nFile paths\r\n/usr/bin/atd\r\n/usr/bin/container\r\n/usr/bin/dcrond\r\n/usr/sbin/containerd\r\n/usr/sbin/smartmond\r\n/usr/share/misc/hwrng.cache\r\n/usr/share/misc/pcie.cache\r\n/var/lib/misc/mpci.bin\r\n/var/lib/misc/sata.bin\r\n/var/lib/polkit-1/localauthority/.cache\r\n/var/run/ctl.socket\r\nNetwork indicators\r\nacrm-11331.com\r\nads-tm-glb.click\r\nallowlisted.net\r\ncbox4.ignorelist.com\r\nf-share.duckdns.org\r\nmaxpatrol.net\r\nm-srv.daily-share.ns3.name\r\nvcs.dns04.com\r\nz-uid.lez2yae2.dynamic-dns.net\r\nmindly.social (legitimate social media)\r\nertelecom.org\r\nwebrtc.foo\r\nhttps://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/hellhounds-operation-lahat\r\nPage 9 of 11\n\natlas-upd.com\r\nhsdps.cc\r\n194.87.68.65\r\n185.126.239.60\r\n185.22.152.227\r\nFile signatures\r\n \r\nrule PTESC_apt_linux_ZZ_DecoyDog__Trojan__FirstStage{\r\n strings:\r\n $f1 = \"mmap failed\"\r\n $s1 = \"/etc/machine-id\"\r\n $s2 = \"/product_uu=bo\"\r\n condition:\r\n uint32be ( 0 ) == 0x7F454C46 and all of ( $f* ) and any of ( $s* ) and filesize \u003c 100\r\n}\r\nrule PTESC_apt_linux_ZZ_DecoyDog__Backdoor__Pupy__v1{\r\n strings:\r\n $x1 = \"reflectively inject a dll into a process.\" fullword ascii\r\n $x2 = \"ld_preload_inject_dll(cmdline, dll_buffer, hook_exit) -\u003e pid\" fullword ascii\r\n $x3 = \"LD_PRELOAD=%s HOOK_EXIT=%d CLEANUP=%d exec %s 1\u003e/dev/null 2\u003e/dev/null\" fullwor\r\n $x4 = \"reflective_inject_dll\" fullword ascii\r\n $x5 = 
\"ld_preload_inject_dll\" fullword ascii\r\n $x6 = \"get_pupy_config() -\u003e string\" fullword ascii\r\n $x7 = \"[INJECT] inject_dll. OpenProcess failed.\" fullword ascii\r\n $x8 = \"reflective_inject_dll\" fullword ascii\r\n $x9 = \"reflective_inject_dll(pid, dll_buffer, isRemoteProcess64bits)\" fullword ascii\r\n $x10 = \"linux_inject_main\" fullword ascii\r\n $j1 = \"jvm.PreferredClassLoader\" fullword ascii\r\n $j2 = \"jvm.JNIEnv capsule is invalid\" fullword ascii\r\n $j3 = \"JVM was not loaded yet\" fullword ascii\r\n $j4 = \"Info about parent JVM\" fullword ascii\r\n condition:\r\n uint32be ( 0 ) == 0x7F454C46 and ( 2 of ( $x* ) and any of ( $j* ) ) and filesize \u003c 5\r\n}\r\nrule PTESC_apt_linux_ZZ_DecoyDog__Backdoor__EncryptedPayload{\r\n strings:\r\n $signature = { C8 01 00 00 9A 00 00 00 08 00 00 01 }\r\n condition:\r\n $signature at 0 and filesize \u003e 3MB and filesize \u003c 5MB\r\n}\r\n \r\n \r\nMITRE TTPs\r\nID Name Description\r\nInitial Access\r\nT1190\r\nExploit Public-Facing\r\nApplication\r\nAdversaries compromise publicly available web services\r\nT1199 Trusted Relationship Adversaries move across related systems\r\nhttps://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/hellhounds-operation-lahat\r\nPage 10 of 11\n\nT1078 Valid Accounts Adversaries use legitimate accounts to log in via SSH\r\nT1021.004 Remote Services: SSH Adversaries connect to a compromised host over SSH\r\nPersistence\r\nT1543.002\r\nCreate or Modify System\r\nProcess: Systemd Service\r\nDecoy Dog gained a foothold on the system using\r\ndcrond.service or atd.service\r\nDefense Evasion\r\nT1480.001\r\nExecution Guardrails:\r\nEnvironmental Keying\r\nThe adversaries used machine-id of the victim's host\r\nto encrypt the main payload and configuration file\r\nT1140\r\nDeobfuscate/Decode Files or\r\nInformation\r\nThe APT group encrypted its components using CLEFIA\r\nto protect them from discovery and analysis\r\nT1027.002\r\nObfuscated Files or 
Information:\r\nSoftware Packing\r\nThe APT group used a modified UPX algorithm to protect the\r\nmalware from discovery and analysis\r\nDiscovery\r\nT1082 System Information Discovery\r\nThe adversaries obtained machine-id of the infected host\r\nto compile samples of the Decoy Dog loader, which will only\r\nwork on that host\r\nCommand\r\nand Control\r\nT1568.002\r\nDynamic Resolution: Domain\r\nGeneration Algorithms\r\nThe APT group developed a domain generation algorithm\r\n(DGA)\r\nT1568.001\r\nDynamic Resolution: Fast Flux\r\nDNS\r\nThe APT group used DDNS services\r\nT1071.004\r\nApplication Layer Protocol:\r\nDNS\r\nDNS tunneling is the main method for communication\r\nbetween Decoy Dog RAT and the C2 server\r\nImpact\r\nT1485 Data Destruction\r\nThe APT group destroyed the Linux and Windows\r\ninfrastructure in the incident at the telecom company\r\nSource: https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/hellhounds-operation-lahat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/hellhounds-operation-lahat"
	],
	"report_names": [
		"hellhounds-operation-lahat"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2603d977-6e3a-4269-ba49-b5a85c943641",
			"created_at": "2024-06-26T02:00:04.847439Z",
			"updated_at": "2026-04-10T02:00:03.666442Z",
			"deleted_at": null,
			"main_name": "HellHounds",
			"aliases": [],
			"source_name": "MISPGALAXY:HellHounds",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434669,
	"ts_updated_at": 1775826680,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/40ed914916f507ad9a9ede3e05210da264cc46c1.pdf",
		"text": "https://archive.orkl.eu/40ed914916f507ad9a9ede3e05210da264cc46c1.txt",
		"img": "https://archive.orkl.eu/40ed914916f507ad9a9ede3e05210da264cc46c1.jpg"
	}
}