Threat Group Cards: A Threat Actor Encyclopedia Archived: 2026-04-05 19:06:13 UTC Home > List all groups > List all tools > List all groups using tool DNSpionage Tool: DNSpionage Names DNSpionage Agent Drable AgentDrable Category Malware Type Backdoor Description (Talos) Based on this actor's infrastructure and TTPs, we haven't been able to connect them with any other campaign or actor that's been observed recently. This particular campaign utilizes two fake, malicious websites containing job postings that are used to compromise targets via malicious Microsoft Office documents with embedded macros. The malware utilized by this actor, which we are calling 'DNSpionage,' supports HTTP and DNS communication with the attackers. In a separate campaign, the attackers used the same IP to redirect the DNS of legitimate .gov and private company domains. During each DNS compromise, the actor carefully generated Let's Encrypt certificates for the redirected domains. These certificates provide X.509 certificates for TLS free of charge to the user. We don't know at this time if the DNS redirections were successful. Information Malpedia https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=3b9f0a41-e890-4c2e-aacb-fab6def66f87 Page 1 of 2 AlienVault OTX Last change to this tool card: 29 December 2022 Download this tool card in JSON format All groups using tool DNSpionage Changed Name Country Observed APT groups   Cold River 2019-Jan 2025   DNSpionage 2019-Apr 2019     OilRig, APT 34, Helix Kitten, Chrysene 2014-Sep 2024 3 groups listed (3 APT, 0 other, 0 unknown) Source: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=3b9f0a41-e890-4c2e-aacb-fab6def66f87 https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=3b9f0a41-e890-4c2e-aacb-fab6def66f87 Page 2 of 2