Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-05 15:38:34 UTC
Home > List all groups > List all tools > List all groups using tool DNSExfitrator
 Tool: DNSExfitrator
Names DNSExfitrator
Category Malware
Type Exfiltration, Tunneling
Description
(Kasperksy) At the end of May, we observed that Oilrig had included the DNSExfitrator tool
in its toolset. It allows the threat actor to use the DNS over HTTPS (DoH) protocol. Use of the
DNS protocol for malware communications is a technique that Oilrig has been using for a long
time. The difference between DNS- and DoH-based requests is that, instead of plain text
requests to port 53, they would use port 443 in encrypted packets. Oilrig added the publicly
available DNSExfiltrator tool to its arsenal, which allows DoH queries to Google and
Cloudflare services. This time, the operators decided to use subdomains of a COVID-related
domain which are hardcoded in the DNSExfitrator detected samples.
Information Last change to this tool card: 30 July 2020
Download this tool card in JSON format
All groups using tool DNSExfitrator
Changed Name Country Observed
APT groups
 OilRig, APT 34, Helix Kitten, Chrysene 2014-Sep 2024
1 group listed (1 APT, 0 other, 0 unknown)
Source: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=135f3617-9251-4daf-999e-3fa79a029b5d
https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=135f3617-9251-4daf-999e-3fa79a029b5d
Page 1 of 1