{ "id": "af7c69ca-5130-4e31-b5e6-116f44e2c93e", "created_at": "2026-04-06T00:16:13.134053Z", "updated_at": "2026-04-10T03:37:36.939112Z", "deleted_at": null, "sha1_hash": "8583824bdb9c5acf4ee1e243825303d62486bcf3", "title": "DNSpionage brings out the Karkoff", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1188133, "plain_text": "DNSpionage brings out the Karkoff\r\nBy Warren Mercer\r\nPublished: 2019-04-23 · Archived: 2026-04-02 12:42:18 UTC\r\nTuesday, April 23, 2019 13:00\r\nUpdate 4/24: The C2 section below now includes details around the XOR element of the C2 communication\r\nsystem.\r\nExecutive summary\r\nIn November 2018, Cisco Talos discovered an attack campaign, called DNSpionage, in which threat actors created\r\na new remote administrative tool that supports HTTP and DNS communication with the attackers' command and\r\ncontrol(C2). Since then, there have been several other public reports of additional DNSpionage attacks, and in\r\nJanuary, the U.S. Department of Homeland Security issued an alert warning users about this threat activity.\r\nIn addition to increased reports of threat activity, we have also discovered new evidence that the threat actors\r\nbehind the DNSpionage campaign continue to change their tactics, likely in an attempt to improve the efficacy of\r\ntheir operations. In February, we discovered some changes to the actors' tactics, techniques and procedures\r\n(TTPs), including the use of a new reconnaissance phase that selectively chooses which targets to infect with\r\nmalware. In April 2019, we also discovered the actors using a new malware, which we are calling \"Karkoff.\"\r\nThis post will cover the aforementioned DNSpionage updates, the discovery of the Karkoff malware and an\r\nanalysis of the recent Oilrig malware toolset leak — and how it could be connected to these two attacks.\r\nhttps://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html\r\nPage 1 of 12\n\nDNSpionage update\r\nNew infection document, same macro\r\nIn our previous post concerning DNSpionage, we showed that the malware author used malicious macros\r\nembedded in a Microsoft Word document. In the new sample from Lebanon identified at the end of February, the\r\nattacker used an Excel document with a similar macro:\r\nInstead of using the .oracleServices directory, which we had previously observed, the attacker uses a .msdonedrive\r\ndirectory and renames the malware \"taskwin32.exe.\" The scheduled task was also renamed to \"onedrive updater\r\nv10.12.5.\"\r\nPayload\r\nOverview\r\nThis new sample is similar to the previous version disclosed in our previous post. The malware supports HTTP\r\nand DNS communication to the C2 server. The HTTP communication is hidden in the comments in the HTML\r\ncode. This time, however, the C2 server mimics the GitHub platform instead of Wikipedia. While the DNS\r\ncommunication follows the same method we described in our previous article, the developer added some new\r\nfeatures in this latest version and, this time, the actor removed the debug mode.\r\nWe also discovered that the actor added a reconnaissance phase, likely in response to the significant amount of\r\ninterest in the campaign. This new phase, which is discussed in greater detail below, ensures that the payload is\r\nbeing dropped on specific targets rather than indiscriminately downloaded on every machine. This new tactic\r\nindicates an improved level of actor sophistication.\r\nhttps://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html\r\nPage 2 of 12\n\nNew reconnaissance phase\r\nOn the initial execution, the malware drops a Windows batch file (a.bat) in order to execute a WMI command and\r\nobtain all the running processes on the victim's machine:\r\nwmic process list\r\nThe malware also identifies the username and computer name of the infected system. Finally, it uses the\r\nNetWkstaGetInfo() API with the level 100 to retrieve additional info on the system (this is the 64th number, hex\r\n64 is 100 decimal).\r\nThis level returns information about the workstation environment, including platform-specific information, the\r\nname of the domain and the local computer, and information concerning the operating system. This information is\r\nkey to helping the malware select the victims only and attempts to avoid researchers or sandboxes. Again, it shows\r\nthe actor's improved abilities, as they now fingerprint the victim.\r\nAPI and strings obfuscation\r\nIn this latest version, the developer split some strings into two parts. The actor attempts to use this technique to\r\n\"hide\" API call and internal strings. This would prevent static string analysis processes.\r\nBelow is an example of an API call split. It is in reverse order starting with \"rNameA,\" followed by \"GetUse,\" and\r\nthe offset is also named incorrectly \"aRnamea\" and \"aGetuse\" (GetUserNameA()):\r\nhttps://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html\r\nPage 3 of 12\n\nBelow is an example of an internal string split (.\\\\Configure.txt):\r\nThis approach is not particularly sophisticated compared to what we usually observe. However, it is enough to\r\nbreak a Yara rule based on these strings. For example, the following rule would no longer alert due to a failed\r\npattern match:\r\nrule DNSpionage { strings: $conf=\"Configure.txt\" condition: All of them }\r\nLet's check your anti-virus\r\nThe malware searches for two specific anti-virus platforms: Avira and Avast.\r\nhttps://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html\r\nPage 4 of 12\n\nIf one of these security products is installed on the system and identified during the reconnaissance phase, a\r\nspecific flag will be set and some options from the configuration file will be ignored.\r\nDNSpionage Excel maldoc\r\nThis new sample of DNSpionage has some oddities which we believe might be the actor's attempt to taunt or poke\r\nfun at the research community. We occasionally see this in cases where actors are disclosed by researchers or\r\nvendors. In DNSpionage, upon opening the Excel document, users are greeted with the insult, \"haha you are\r\ndonkey [sic].\" The broken English suggests the actor is unlikely a native English speaker.\r\nhttps://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html\r\nPage 5 of 12\n\nThe domain used for the C2 is also bizarre. The previous version of DNSpionage attempted to use legitimate-looking domains in an attempt to remain undetected. However, this newer version uses the domain\r\n\"coldfart[.]com,\" which would be easier to spot than other APT campaigns which generally try to blend in with\r\ntraffic more suitable to enterprise environments. The domain was also hosted in the U.S., which is unusual for any\r\nespionage-style attack. This type of behavior will likely continue to distinguish this actor from more concerning\r\ncampaigns like Sea Turtle, a separate DNS hijacking campaign we wrote about last week.\r\nAlong comes a Karkoff\r\nPayload analysis\r\nIn April, Cisco Talos identified an undocumented malware developed in .NET. On the analyzed samples, the\r\nmalware author left two different internal names in plain text: \"DropperBackdoor\" and \"Karkoff.\" We decided to\r\nuse the second name as the malware's moniker, as it is less generic. The malware is lightweight compared to other\r\nmalware due to its small size and allows remote code execution from the C2 server. There is no obfuscation and\r\nthe code can be easily disassembled. The malware is a Windows service named \"MSExchangeClient:\"\r\nhttps://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html\r\nPage 6 of 12\n\nFrom an incident response point of view, it's interesting to note that the malware generates a log file:\r\nC:\\\\Windows\\\\Temp\\\\MSEx_log.txt. The executed commands are stored in this file (xored with 'M') with a\r\ntimestamp. This log file can be easily used to create a timeline of the command execution which can be extremely\r\nuseful when responding to this type of threat. With this in mind, an organisation compromised with this malware\r\nwould have the opportunity to review the log file and identify the commands carried out against them.\r\nC2 communication\r\nThe C2 servers are hardcoded in the analyzed samples:\r\nThe malware uses the domain or the IP address. Karkoff supports HTTP and HTTPS communications.\r\nKarkoff uses base64 encoding to initially obfuscate the C2 communications. This is then further obfuscated by\r\ncarrying out a XOR function, with a XOR key 70 (decimal).\r\nhttps://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html\r\nPage 7 of 12\n\nThis is derived from the “DropperBackdoor.constants” value “Constants.k__BackingField = 70;”.\r\nThe JSON .NET library is embedded in the malware. This library is used to handle messages from the C2 server.\r\nThe answer is first decoded (base64) and the commands match the following pattern:\r\n[{\"ID\": \"123\", \"Data\": \"filename.exe|base64PEContent\", \"Type\": \"101\"}, {\"ID\": \"124\", \"Data\": \"filename.exe\r\narg1 arg2\", \"Type\": \"102\"}].\r\nThe command type 101 means that the data will be a base64 encoded file. The file will be stored with the filename\r\nhttps://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html\r\nPage 8 of 12\n\nplaced before the pipe (filename.exe in our example). The command type 102 is the command line to be executed\r\nis stored in the data field.\r\nLinks between DNSpionage and Karkoff\r\nWe identified infrastructure overlaps in the DNSpionage and the Karkoff cases. One of the Karkoff C2 servers is\r\nrimrun[.]com. Here is the history of the IPs behind this domain:\r\n108.62.141[.]247 -\u003e from 12/19/18 to 4/13/19\r\n209.141.38[.]71 -\u003e on 12/26/18\r\n107.161.23[.]204 -\u003e on 12/26/18\r\n192.161.187[.]200 -\u003e on 12/26/18\r\nThe following IPs have links to our original DNSpionage blog post:\r\n107.161.23[.]204 was used by 0ffice36o[.]com on 9/21/18\r\n209.141.38[.]71 was used by hr-wipro[.]com on 9/26/18\r\n192.161.187[.]200 was used by 0ffice36o[.]com on 9/21/18\r\nThese dates also match the timeline of observed attacks during the DNSpionage campaign. Based on these\r\noverlaps in IP usage during the same time period, we have high confidence the same actor uses the Karkoff and\r\nDNSpionage samples.\r\nAlleged Oilrig leak links\r\nAn alleged Oilrig leak appeared online on April 18. Information from the leak provides a weak link between\r\nOilrig and the DNSpionage actors based on similar URL fields. While not definitive, it is an interesting data point\r\nto share with the research community.\r\nThe leak contains a webmask_dnspionage repository. This repository contains scripts used to perform man-in-the-middle attacks, but nothing about the DNSpionage or Karkoff C2 panels. However, the screenshots showed a URL\r\nthat attracted our attention:\r\nhttps://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html\r\nPage 9 of 12\n\nWe identified the C2 panel as \"Scarecrow,\" but we did not identify references to this panel in the leak. The victims\r\nin this screenshot are mainly from Lebanon, which is one of the areas targeted by DNSpionage and Karkoff. The\r\nURL provides some other relevant information:\r\nThe URL contains the /Th!swasP@NEl directory. After our first publication, LastLine published a blog post\r\nexplaining that the actor made some mistakes in their Django configuration:\r\nYou can see the content of the PANEL_PATH variable of the DNSpionage C2 server: /Th!sIsP@NeL. The panel\r\npath of the leak and Django internal variables of the DNSpionage C2 server are very similar: /Th!swasP@NEl and\r\n/Th!sIsP@NeL. While this single panel path is not enough to draw firm conclusions, it is worth highlighting for\r\nthe security research community as we all continue to investigate these events.\r\nhttps://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html\r\nPage 10 of 12\n\nConclusion\r\nThe threat actor's ongoing development of DNSpionage malware shows that the attacker continues to find new\r\nways to avoid detection. The oddities we mentioned are certainly not normal, but the payload was clearly updated\r\nto attempt to remain more elusive. DNS tunneling is a popular method of exfiltration for some actors and recent\r\nexamples of DNSpionage show that we must ensure DNS is monitored as closely as an organization's normal\r\nproxy or weblogs. DNS is essentially the phonebook of the internet, and when it is tampered with, it becomes\r\ndifficult for anyone to discern whether what they are seeing online is legitimate. The discovery of Karkoff also\r\nshows the actor is pivoting and is increasingly attempting to avoid detection while remaining very focused on the\r\nMiddle Eastern region. Cisco Talos will continue to monitor for activity from this actor and ensure our protection\r\nand detection capabilities continue to prevent such advanced attacks on our customers.\r\nCoverage\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors. Below is a screenshot showing how AMP can protect customers from this threat.\r\nhttps://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html\r\nPage 11 of 12\n\nCisco Cloud Web Security (CWS) orWeb Security Appliance (WSA) web scanning prevents access to malicious\r\nwebsites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such asNext-Generation Firewall (NGFW), Next-Generation Intrusion Prevention\r\nSystem (NGIPS), and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nOpen Source SNORTⓇ Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nIndicators of Compromise (IOCs)\r\nThe following IOCs are associated to this campaign:\r\nDNSpionage XLS document\r\n2fa19292f353b4078a9bf398f8837d991e383c99e147727eaa6a03ce0259b3c5 (SHA256)\r\nDNSpionage sample\r\ne398dac59f604d42362ffe8a2947d4351a652516ebfb25ddf0838dd2c8523be8 (SHA256)\r\nKarkoff samples\r\n5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c\r\n6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11\r\nb017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04\r\ncd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5\r\nC2 server\r\ncoldfart[.]com\r\nrimrun[.]com\r\nkuternull[.]com\r\nSource: https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html\r\nhttps://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html\r\nPage 12 of 12", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "ETDA", "Malpedia" ], "references": [ "https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html" ], "report_names": [ "dnspionage-brings-out-karkoff.html" ], "threat_actors": [ { "id": "cfdd35af-bd12-4c03-8737-08fca638346d", "created_at": "2022-10-25T16:07:24.165595Z", "updated_at": "2026-04-10T02:00:04.887031Z", "deleted_at": null, "main_name": "Sea Turtle", "aliases": [ "Cosmic Wolf", "Marbled Dust", "Silicon", "Teal Kurma", "UNC1326" ], "source_name": "ETDA:Sea Turtle", "tools": [ "Drupalgeddon" ], "source_id": "ETDA", "reports": null }, { "id": "cffb3c01-038f-4527-9cfd-57ad5a035c22", "created_at": "2022-10-25T15:50:23.38055Z", "updated_at": "2026-04-10T02:00:05.258283Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "COBALT GYPSY", "IRN2", "APT34", "Helix Kitten", "Evasive Serpens", "Hazel Sandstorm", "EUROPIUM", "ITG13", "Earth Simnavaz", "Crambus", "TA452" ], "source_name": "MITRE:OilRig", "tools": [ "ISMInjector", "ODAgent", "RDAT", "Systeminfo", "QUADAGENT", "OopsIE", "ngrok", "Tasklist", "certutil", "ZeroCleare", "POWRUNER", "netstat", "Solar", "ipconfig", "LaZagne", "BONDUPDATER", "SideTwist", "OilBooster", "SampleCheck5000", "PsExec", "SEASHARPEE", "Mimikatz", "PowerExchange", "OilCheck", "RGDoor", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "33ae2a40-02cd-4dba-8461-d0a50e75578b", "created_at": "2023-01-06T13:46:38.947314Z", "updated_at": "2026-04-10T02:00:03.155091Z", "deleted_at": null, "main_name": "Sea Turtle", "aliases": [ "UNC1326", "COSMIC WOLF", "Marbled Dust", "SILICON", "Teal Kurma" ], "source_name": "MISPGALAXY:Sea Turtle", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "8d76e350-dfb5-4733-800d-876de41f690d", "created_at": "2023-01-06T13:46:38.841887Z", "updated_at": "2026-04-10T02:00:03.119083Z", "deleted_at": null, "main_name": "DNSpionage", "aliases": [ "COBALT EDGEWATER" ], "source_name": "MISPGALAXY:DNSpionage", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "4632103e-8035-4a83-9ecb-c1e12e21288c", "created_at": "2022-10-25T16:07:23.542255Z", "updated_at": "2026-04-10T02:00:04.64888Z", "deleted_at": null, "main_name": "DNSpionage", "aliases": [], "source_name": "ETDA:DNSpionage", "tools": [ "Agent Drable", "AgentDrable", "CACTUSPIPE", "DNSpionage", "DropperBackdoor", "Karkoff", "MailDropper", "OILYFACE" ], "source_id": "ETDA", "reports": null }, { "id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b", "created_at": "2025-08-07T02:03:24.722093Z", "updated_at": "2026-04-10T02:00:03.681914Z", "deleted_at": null, "main_name": "COBALT EDGEWATER", "aliases": [ "APT34 ", "Cold River ", "DNSpionage " ], "source_name": "Secureworks:COBALT EDGEWATER", "tools": [ "AgentDrable", "DNSpionage", "Karkoff", "MailDropper", "SideTwist", "TWOTONE" ], "source_id": "Secureworks", "reports": null }, { "id": "c786e025-c267-40bd-9491-328da70811a5", "created_at": "2025-08-07T02:03:24.736817Z", "updated_at": "2026-04-10T02:00:03.752071Z", "deleted_at": null, "main_name": "COBALT GYPSY", "aliases": [ "APT34 ", "CHRYSENE ", "Crambus ", "EUROPIUM ", "Hazel Sandstorm ", "Helix Kitten ", "ITG13 ", "OilRig ", "Yellow Maero " ], "source_name": "Secureworks:COBALT GYPSY", "tools": [ "Glimpse", "Helminth", "Jason", "MacDownloader", "PoisonFrog", "RGDoor", "ThreeDollars", "TinyZbot", "Toxocara", "Trichuris", "TwoFace" ], "source_id": "Secureworks", "reports": null }, { "id": "62b1b01f-168d-42db-afa1-29d794abc25f", "created_at": "2025-04-23T02:00:55.22426Z", "updated_at": "2026-04-10T02:00:05.358041Z", "deleted_at": null, "main_name": "Sea Turtle", "aliases": [ "Sea Turtle", "Teal Kurma", "Marbled Dust", "Cosmic Wolf", "SILICON" ], "source_name": "MITRE:Sea Turtle", "tools": [ "SnappyTCP" ], "source_id": "MITRE", "reports": null }, { "id": "67709937-2186-4a32-b64c-a5693d40ac77", "created_at": "2023-01-06T13:46:38.495593Z", "updated_at": "2026-04-10T02:00:02.999196Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "Crambus", "Helix Kitten", "APT34", "IRN2", "ATK40", "G0049", "EUROPIUM", "TA452", "Twisted Kitten", "Cobalt Gypsy", "APT 34", "Evasive Serpens", "Hazel Sandstorm", "Earth Simnavaz" ], "source_name": "MISPGALAXY:OilRig", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b6436f7b-6012-4969-aed1-d440e2e8b238", "created_at": "2022-10-25T16:07:23.91517Z", "updated_at": "2026-04-10T02:00:04.788408Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "APT 34", "ATK 40", "Chrysene", "Cobalt Gypsy", "Crambus", "DEV-0861", "EUROPIUM", "Earth Simnavaz", "Evasive Serpens", "G0049", "Hazel Sandstorm", "Helix Kitten", "IRN2", "ITG13", "Scarred Manticore", "Storm-0861", "TA452", "Twisted Kitten", "UNC1860", "Yellow Maero" ], "source_name": "ETDA:OilRig", "tools": [ "AMATIAS", "Agent Drable", "Agent Injector", "AgentDrable", "Alma Communicator", "BONDUPDATER", "CACTUSPIPE", "Clayslide", "CypherRat", "DNSExfitrator", "DNSpionage", "DROPSHOT", "DistTrack", "DropperBackdoor", "Fox Panel", "GREYSTUFF", "GoogleDrive RAT", "HighShell", "HyperShell", "ISMAgent", "ISMDoor", "ISMInjector", "Jason", "Karkoff", "LIONTAIL", "LOLBAS", "LOLBins", "LONGWATCH", "LaZagne", "Living off the Land", "MailDropper", "Mimikatz", "MrPerfectInstaller", "OILYFACE", "OopsIE", "POWBAT", "POWRUNER", "Plink", "Poison Frog", "PowerExchange", "PsList", "PuTTY Link", "QUADAGENT", "RDAT", "RGDoor", "SEASHARPEE", "Saitama", "Saitama Backdoor", "Shamoon", "SideTwist", "SpyNote", "SpyNote RAT", "StoneDrill", "TONEDEAF", "TONEDEAF 2.0", "ThreeDollars", "TwoFace", "VALUEVAULT", "Webmask", "WinRAR", "ZEROCLEAR", "ZeroCleare", "certutil", "certutil.exe" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434573, "ts_updated_at": 1775792256, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/8583824bdb9c5acf4ee1e243825303d62486bcf3.pdf", "text": "https://archive.orkl.eu/8583824bdb9c5acf4ee1e243825303d62486bcf3.txt", "img": "https://archive.orkl.eu/8583824bdb9c5acf4ee1e243825303d62486bcf3.jpg" } }