{
	"id": "9874eb04-9bf3-4794-9607-6a9a2bd7d9e0",
	"created_at": "2026-04-06T00:14:42.507379Z",
	"updated_at": "2026-04-10T03:33:07.291058Z",
	"deleted_at": null,
	"sha1_hash": "5012e28208fde3db2af57d74907b9c1f8f0dc176",
	"title": "Translating Saitama's DNS tunneling messages - SANS ISC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 113343,
	"plain_text": "Translating Saitama's DNS tunneling messages - SANS ISC\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 14:47:24 UTC\r\nSaitama is a backdoor that uses the DNS protocol to encapsulate its command and control (C2) messages, a technique known as DNS tunneling (MITRE ATT\u0026CK T1071.004, Application Layer Protocol: DNS). Spotted and documented by Malwarebytes in two articles posted last month (How the Saitama backdoor uses DNS tunneling and APT34 targets Jordan Government using new Saitama backdoor), Saitama was delivered by a phishing e-mail targeting a government official from Jordan’s foreign ministry, in an attack attributed to the Iranian group APT34.\r\nSaitama caught my attention for two reasons: the stealthy way the C2 messages are hidden in the DNS protocol, and the ease of access to the malware's implementation details by simply decompiling the .NET binary. Both points may increase the potential for other groups to use similar DNS tunneling techniques.\r\nSaitama's DNS tunneling stealth strategy\r\nCommand and control (C2) over DNS is not new. Victim \u003c-\u003e C2 communication commonly works as follows: data exfiltrated or answered by the victim to the C2 is encoded in the hostname portion of the FQDN (e.g., oxn009lc7n5887k96c4zfckes6uif.rootdomain.com). In the other direction, commands or additional payloads are downloaded from the C2 by the victim by querying TXT records from the attacker-controlled DNS server.\r\nSaitama's implementation differs by not using TXT or other record types able to carry large data to encapsulate orders from the C2 to the victim. Instead, the orders are encapsulated in the IPv4 addresses of the A-record answers themselves. For example, to issue the command 'whoami', the server answers with two IP addresses: 70.119.104.111 and 97.109.105.49.
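An added worked example, not code from the ISC diary or from the saitama_translator tool: it implements the A-record command channel as the diary describes it (control byte 70 in the first octet, the ASCII bytes of the command in the octets that follow, a leftover trailing octet that is discarded) for the pair of addresses above, and adds the matching C2-side encoder plus a cheap resolver-log heuristic. The diary does not say how the implant learns the command length, so the decoder takes it as an explicit parameter (an assumption), and the padding byte used by the encoder is likewise assumed.

```python
# Added example, not code from the ISC diary or the saitama_translator tool.
# Implements the A-record command channel the diary describes: the first
# octet of the first answer is a control byte (70 = a command follows), the
# following octets are the ASCII bytes of the command, and any leftover octet
# of the last answer is discarded. How the implant knows the command length is
# not stated in the diary, so cmd_len is an explicit (assumed) parameter here.
from ipaddress import IPv4Address
from typing import Iterable, List, Optional

COMMAND_MARKER = 70  # control byte seen in the diary's whoami example
PAD_BYTE = 0         # assumed padding value for the C2-side encoder


def answers_to_octets(answers: Iterable[str]) -> List[int]:
    '''Flatten dotted-quad answers into one octet list; IPv4Address validates each.'''
    octets: List[int] = []
    for addr in answers:
        octets.extend(IPv4Address(addr).packed)
    return octets


def decode_command(answers: Iterable[str], cmd_len: int) -> Optional[str]:
    '''Victim side: return the command, or None if the control byte is not 70
    or the answers carry fewer than cmd_len bytes after it.'''
    octets = answers_to_octets(answers)
    if not octets or octets[0] != COMMAND_MARKER:
        return None
    body = octets[1:1 + cmd_len]      # leftover trailing octets are discarded
    if len(body) < cmd_len:
        return None
    return bytes(body).decode('ascii', errors='replace')


def encode_command(command: str) -> List[str]:
    '''C2 side: control byte + ASCII command, padded to whole IPv4 addresses.'''
    payload = [COMMAND_MARKER] + list(command.encode('ascii'))
    payload += [PAD_BYTE] * (-len(payload) % 4)
    return [str(IPv4Address(bytes(payload[i:i + 4]))) for i in range(0, len(payload), 4)]


def all_octets_printable(answers: Iterable[str]) -> bool:
    '''Weak detection signal for resolver logs: every octet of every answer is
    printable ASCII (32..126). Real addresses can satisfy this too, so treat a
    hit as something to pivot on (query volume, domain age), not as a verdict.'''
    octets = answers_to_octets(answers)
    return bool(octets) and all(32 <= o <= 126 for o in octets)


if __name__ == '__main__':
    # Constructed from the diary's whoami example
    observed = ['70.119.104.111', '97.109.105.49']
    print(decode_command(observed, cmd_len=6))
    print(encode_command('whoami'))
    print(all_octets_printable(observed))
```

Decoding the two addresses above with cmd_len=6 yields whoami; the trailing 49 is the discarded octet. The printable-octet check is deliberately weak, since many legitimate addresses also have all four octets between 32 and 126, so use it to pivot on a domain, not to alert on its own.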
The first octet (70) has a special meaning to Saitama (a command will be issued), and the following octets are the ASCII codes of the 'whoami' characters: w=119, h=104, o=111, and so on until i=105. The remaining octet (49) is discarded. The image below shows the communication between a victim and the C2 when the command 'whoami' is issued:\r\nhttps://isc.sans.edu/diary/Translating+Saitama%27s+DNS+tunneling+messages/28738\r\nPage 1 of 3\r\nSaitama Translator\r\nAfter analyzing Saitama's code, we developed a simple tool (available at https://github.com/morphuslabs/saitama_translator) capable of translating/decrypting the messages issued by the infected victim to the C2 server (the DNS queries). It may be helpful for those who face Saitama or variant messages and need to discover what data is being sent to the C2.\r\nUsage examples:\r\n1. Passing one FQDN. In this case, the first response from Saitama to the C2 after executing the command 'ver' on the infected system:\r\n$ python translate.py vy5xxxxvzz650coacbsf03f2jkviwui9.joexpediagroup.com\r\nagent_id: 114, msg_type: 1, msg_offset:0, msg_size:43, msg_content:b'9Microsoft W', reque\r\n2. Passing multiple FQDNs at once.
In this case, all the responses from Saitama to the C2 after executing the 'ver' command:\r\n$ python translate.py vy5xxxxvzz650coacbsf03f2jkviwui9.joexpediagroup.com oxn009lc7n5887k96c4zfckes6u\r\nagent_id: 114, msg_type: 1, msg_offset:0, msg_size:43, msg_content:b'9Microsoft W', reque\r\nagent_id: 114, msg_type: 1, msg_offset:12, msg_size:None, msg_content:b'indows [Vers', reque\r\nagent_id: 114, msg_type: 1, msg_offset:24, msg_size:None, msg_content:b'ion 10.0.183', reque\r\nagent_id: 114, msg_type: 1, msg_offset:36, msg_size:None, msg_content:b'63.418]', request:w7irw\r\nNotice that the string \"Microsoft Windows [Version 10.0.18363.418]\" was sent to the C2 server in four requests, each carrying a 12-byte chunk (the last one shorter); the chunks share the same agent_id, msg_offset gives each chunk's position in the message, and msg_size (43) is carried only in the first chunk, so a complete message can be checked by comparing the reassembled length against it.\r\nSaitama sample (SHA-256)\r\ne0872958b8d3824089e5e1cfab03d9d98d22b9bcb294463818d721380075a52d\r\nReferences\r\nhttps://attack.mitre.org/techniques/T1071/004\r\nhttps://blog.malwarebytes.com/threat-intelligence/2022/05/how-the-saitama-backdoor-uses-dns-tunnelling/\r\nhttps://blog.malwarebytes.com/threat-intelligence/2022/05/apt34-targets-jordan-government-using-new-saitama-backdoor/\r\n--\r\nRenato Marinho\r\nMorphus Labs | LinkedIn | Twitter\r\nSource: https://isc.sans.edu/diary/Translating+Saitama%27s+DNS+tunneling+messages/28738",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://isc.sans.edu/diary/Translating+Saitama%27s+DNS+tunneling+messages/28738"
	],
	"report_names": [
		"28738"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434482,
	"ts_updated_at": 1775791987,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5012e28208fde3db2af57d74907b9c1f8f0dc176.pdf",
		"text": "https://archive.orkl.eu/5012e28208fde3db2af57d74907b9c1f8f0dc176.txt",
		"img": "https://archive.orkl.eu/5012e28208fde3db2af57d74907b9c1f8f0dc176.jpg"
	}
}