{
	"id": "76357bc5-12cf-4642-9809-c91763af53f0",
	"created_at": "2026-04-06T00:11:51.081061Z",
	"updated_at": "2026-04-10T03:31:46.492745Z",
	"deleted_at": null,
	"sha1_hash": "89aa08b14165d2bc693a21cd2d36209831f1a367",
	"title": "Tag: DNSpionage",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 25562,
	"plain_text": "Tag: DNSpionage\r\nArchived: 2026-04-05 15:23:42 UTC\r\nIf you’re running a business online, few things can be as disruptive or destructive to your brand as someone\r\nstealing your company’s domain name and doing whatever they wish with it. Even so, most major Web site\r\nowners aren’t taking full advantage of the security tools available to protect their domains from being hijacked.\r\nHere’s the story of one recent victim who was doing almost everything possible to avoid such a situation and still\r\nhad a key domain stolen by scammers.\r\nThe U.S. government — along with a number of leading security companies — recently warned about a series of\r\nhighly complex and widespread attacks that allowed suspected Iranian hackers to siphon huge volumes of email\r\npasswords and other sensitive data from multiple governments and private companies. But to date, the specifics of\r\nexactly how that attack went down and who was hit have remained shrouded in secrecy.\r\nThis post seeks to document the extent of those attacks, and traces the origins of this overwhelmingly successful\r\ncyber espionage campaign back to a cascading series of breaches at key Internet infrastructure providers.\r\nSource: https://krebsonsecurity.com/tag/dnspionage/\r\nhttps://krebsonsecurity.com/tag/dnspionage/\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://krebsonsecurity.com/tag/dnspionage/"
	],
	"report_names": [
		"dnspionage"
	],
	"threat_actors": [
		{
			"id": "8d76e350-dfb5-4733-800d-876de41f690d",
			"created_at": "2023-01-06T13:46:38.841887Z",
			"updated_at": "2026-04-10T02:00:03.119083Z",
			"deleted_at": null,
			"main_name": "DNSpionage",
			"aliases": [
				"COBALT EDGEWATER"
			],
			"source_name": "MISPGALAXY:DNSpionage",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4632103e-8035-4a83-9ecb-c1e12e21288c",
			"created_at": "2022-10-25T16:07:23.542255Z",
			"updated_at": "2026-04-10T02:00:04.64888Z",
			"deleted_at": null,
			"main_name": "DNSpionage",
			"aliases": [],
			"source_name": "ETDA:DNSpionage",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"CACTUSPIPE",
				"DNSpionage",
				"DropperBackdoor",
				"Karkoff",
				"MailDropper",
				"OILYFACE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434311,
	"ts_updated_at": 1775791906,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/89aa08b14165d2bc693a21cd2d36209831f1a367.pdf",
		"text": "https://archive.orkl.eu/89aa08b14165d2bc693a21cd2d36209831f1a367.txt",
		"img": "https://archive.orkl.eu/89aa08b14165d2bc693a21cd2d36209831f1a367.jpg"
	}
}