{
	"id": "db45e07d-95f7-40f8-a19c-95f4e6336d13",
	"created_at": "2026-04-06T00:06:54.834896Z",
	"updated_at": "2026-04-10T03:33:11.076285Z",
	"deleted_at": null,
	"sha1_hash": "456552cce8cdecd6aaccd6ddb9283fa3e07880c5",
	"title": "Shamoon Collaborator Greenbug Adopts New Communication Tool",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 36625,
	"plain_text": "Shamoon Collaborator Greenbug Adopts New Communication\r\nTool\r\nBy Tom Spring\r\nPublished: 2017-05-02 · Archived: 2026-04-05 14:21:22 UTC\r\nNew clues surface on Shamoon’s ability to steal credentials ahead of attacks.\r\nResearchers have identified a possible new collaborator in the continued Shamoon attacks against Saudi\r\norganizations. Called Greenbug, this group is believed to be instrumental in helping Shamoon steal user\r\ncredentials of targets ahead of Shamoon’s destructive attacks.\r\nHowever, researchers know about as much about Greenbug as they do about Shamoon, which isn’t much. But that’s\r\nslowly changing.\r\nOn Tuesday, Arbor Networks said that it has new leads on a credential-stealing remote access Trojan (RAT) called\r\nIsmdoor, possibly used by Greenbug to steal credentials on Shamoon’s behalf.\r\n“With our latest research we now see how Greenbug has shifted away from HTTP-based C2 communication with\r\nIsmdoor. It’s now relying on a new DNS-based attack technique to better cloak command and control\r\ncommunications between Greenbug and the malware,” said Dennis Schwarz, research analyst on Arbor’s ASERT\r\nTeam, in an interview with Threatpost.\r\nHe said Greenbug is using DNS TXT record queries and responses to create a bidirectional command and control\r\nchannel.\r\n“One major change in recent versions (of Ismdoor) has been the replacement of the old HTTP based command\r\nand control functionality with a custom covert channel using AAAA DNS queries for IPv6 addresses,” Schwarz\r\nwrote in a technical analysis of the malware posted Monday.\r\nUsing the DNS attack technique, adversaries can use DNS communications to submit commands to be run on\r\nsystems infected with the Ismdoor RAT. Schwarz said that, using this technique, data is also exfiltrated from the\r\nmachines. “This is an extremely rare and covert way to administer a RAT,” he said.\r\nDNS tunneling takes advantage of the TXT transport layer within the DNS protocol used by top- and second-level\r\ndomain name system servers. A maximum of 255 bytes of data can be transported via DNS requests between an\r\nendpoint and a DNS server using the TXT layer. For attackers that have already gained a foothold on targeted\r\nsystems, DNS tunneling of commands and of exfiltrated data is extremely slow, but well\r\nsuited for long-term APT campaigns.\r\n“All data sent between the bot and the C2 is done using AAAA DNS UDP queries. Data to the C2 is via specially\r\ncrafted query names and data from the C2 is returned via IPv6 addresses. The bot side of the connection drives all\r\ncommunications,” according to Schwarz’s analysis.\r\nhttps://threatpost.com/shamoon-collaborator-greenbug-adopts-new-communication-tool/125383/\r\nPage 1 of 2\n\nDNS-based messaging has been used in similar attacks documented by Cisco Talos, where adversaries\r\nuse DNS queries to deliver malicious PowerShell commands to compromised computers. Last year, Palo Alto\r\nNetworks reported a shift in malware tactics used by the APT group Wekby that utilized the DNS TXT transport\r\nlayer. Cisco calls these types of attacks DNSMessenger attacks. Palo Alto Networks calls them DNS tunneling\r\nattacks.\r\nIn the context of the Ismdoor RAT, the DNS attack technique is used primarily by Greenbug for stealing\r\ncredentials. To do this, it employs a number of specific commands via DNSMessenger. One is “CreateMimi1Bat”,\r\nwhich likely executes Mimikatz (executes PowerShell scripts: ccd61.ps1 and Invoke-bypassuac), according to\r\nArbor. Another command is “ExecuteKL”, which likely executes a keylogger (executes Winit.exe and sends a “Start\r\nKeylog Done” message back to the C2), according to Arbor.\r\n“The threat group that could be behind the original Shamoon attacks is still alive and well. They are definitely\r\nadvancing the malware. While this DNS form of communication is not new, it’s far from a copy-and-paste type\r\nattack. This type of attack takes a dedicated programmer to think it through and put it together,” Schwarz said.\r\nSource: https://threatpost.com/shamoon-collaborator-greenbug-adopts-new-communication-tool/125383/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://threatpost.com/shamoon-collaborator-greenbug-adopts-new-communication-tool/125383/"
	],
	"report_names": [
		"125383"
	],
	"threat_actors": [
		{
			"id": "17b92337-ca5f-48bb-926b-c93b5e5678a4",
			"created_at": "2022-10-25T16:07:23.333316Z",
			"updated_at": "2026-04-10T02:00:04.546474Z",
			"deleted_at": null,
			"main_name": "APT 18",
			"aliases": [
				"APT 18",
				"Dynamite Panda",
				"G0026",
				"Red Wraith",
				"SILVERVIPER",
				"Satin Typhoon",
				"Scandium",
				"TG-0416",
				"Wekby"
			],
			"source_name": "ETDA:APT 18",
			"tools": [
				"AngryRebel",
				"AtNow",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HttpBrowser RAT",
				"HttpDump",
				"Moudour",
				"Mydoor",
				"PCRat",
				"Pisloader",
				"QUICKBALL",
				"Roseam",
				"StickyFingers",
				"Token Control",
				"TokenControl",
				"hcdLoader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e58deb93-aff1-4be5-8deb-37fe8af0b7ed",
			"created_at": "2022-10-25T16:07:23.918534Z",
			"updated_at": "2026-04-10T02:00:04.789509Z",
			"deleted_at": null,
			"main_name": "Greenbug",
			"aliases": [
				"Greenbug",
				"Volatile Kitten"
			],
			"source_name": "ETDA:Greenbug",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c8aefee7-fb57-409b-857e-23e986cb4a56",
			"created_at": "2023-01-06T13:46:38.285223Z",
			"updated_at": "2026-04-10T02:00:02.910756Z",
			"deleted_at": null,
			"main_name": "APT18",
			"aliases": [
				"SCANDIUM",
				"PLA Navy",
				"Wekby",
				"G0026",
				"Satin Typhoon",
				"DYNAMITE PANDA",
				"TG-0416"
			],
			"source_name": "MISPGALAXY:APT18",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "25896473-161f-411f-b76a-f11bb26c96bd",
			"created_at": "2023-01-06T13:46:38.75749Z",
			"updated_at": "2026-04-10T02:00:03.090307Z",
			"deleted_at": null,
			"main_name": "CHRYSENE",
			"aliases": [
				"Greenbug"
			],
			"source_name": "MISPGALAXY:CHRYSENE",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6bba8e81-73af-4010-86dc-d43c408ca342",
			"created_at": "2023-01-06T13:46:38.553459Z",
			"updated_at": "2026-04-10T02:00:03.021597Z",
			"deleted_at": null,
			"main_name": "Greenbug",
			"aliases": [],
			"source_name": "MISPGALAXY:Greenbug",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434014,
	"ts_updated_at": 1775791991,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/456552cce8cdecd6aaccd6ddb9283fa3e07880c5.pdf",
		"text": "https://archive.orkl.eu/456552cce8cdecd6aaccd6ddb9283fa3e07880c5.txt",
		"img": "https://archive.orkl.eu/456552cce8cdecd6aaccd6ddb9283fa3e07880c5.jpg"
	}
}