{
	"id": "ff97d014-5b2e-408c-8e46-f136f17fb027",
	"created_at": "2026-04-06T00:11:09.716957Z",
	"updated_at": "2026-04-10T03:34:27.705081Z",
	"deleted_at": null,
	"sha1_hash": "9f61b2eea8633be112b151ed9f694ec6924361d4",
	"title": "Hellhounds: Operation Lahat. Part 2",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 849582,
	"plain_text": "Hellhounds: Operation Lahat. Part 2\r\nBy Positive Technologies\r\nPublished: 2024-08-19 · Archived: 2026-04-02 10:34:30 UTC\r\nIntroduction\r\nIn November 2023, the team at the Positive Technologies Expert Security Center (PT ESC) released their first research\r\nreport on attacks by the hitherto-unknown group Hellhounds on Russian companies' infrastructure: Operation Lahat. The\r\nreport focused on the group's attacks on Linux hosts that relied on a new backdoor known as Decoy Dog. Hellhounds carried\r\non attacks on organizations located in Russia, scoring at least 48 confirmed victims by Q2 2024.\r\nAs the PT ESC CSIRT team responded to an incident at a transportation company, they detected previously unreported\r\nattacks on Windows-based infrastructure, besides already-known TTPs (Tactics, Techniques, and Procedures) and attacks\r\non Linux hosts. The new investigation also found that Hellhounds had been successfully hitting Russian companies since\r\nat least 2021. It is a known fact that development of the malware began at least as early as 2019.\r\nThe Hellhounds group compromises organizations they select and gain a foothold on their networks, remaining undetected\r\nfor years. In doing so, the group leverages primary compromise vectors, from vulnerable web services to trusted\r\nrelationships. 
The malicious actor presumably penetrated the infrastructures by using supply chain attacks.\r\nIt would often disguise its tools as legitimate software processes including Positive Technologies products.\r\nThe report describes previously unknown parts of the group's toolkit, their obfuscation methods, and lists indicators\r\nof compromise and malware sample detection signatures.\r\nAn extended version of the research report was first presented at the international information security cyberfestival Positive\r\nHack Days 2.\r\nFirst Stage (Decoy Dog Loader for Windows)\r\nAfter successfully compromising a Linux infrastructure, an event we described in detail last year, the malicious actor made\r\na successful attempt to compromise mission-critical hosts running Windows. Having gained access to the system, the\r\nattackers installed a service named \"Microsoft Account Service\" or \"Microsoft Viewer Service\", which ran the PE\r\nexecutable AccSrvX64__STABLE__2016-11-10.exe or R_TARIF.VIEWS_X86.EXE. 
Below is an example of the services.\r\n \r\n{\r\n\"Name\": \"Microsoft Account Service\",\r\n\"Caption\": \"Microsoft Account Service\",\r\n\"Description\": \"\",\r\n\"DisplayName\": \"Microsoft Account Service\",\r\n\"PathName\": \"C:\\\\[REDACTED]\\\\accounts64\\\\AccSrvX64__STABLE__2016-11-10.exe\",\r\n\"ProcessId\": 5092,\r\n\"Started\": true,\r\n\"State\": \"Running\",\r\n\"SystemName\": \"[REDACTED]\",\r\n\"TimeLine\": \"2024-01-02T21:14:53.132165Z\",\r\n\"ModuleName\": \"Win32_Service\"\r\n}\r\n \r\n{\r\n\"Name\": \"Microsoft Viewer Service\",\r\n\"Caption\": \"Microsoft Viewer Service\",\r\n\"Description\": \"\",\r\n\"DisplayName\": \"Microsoft Viewer Service\",\r\n\"PathName\": \"C:\\\\[REDACTED] \\\\R_TARIF.VIEWS_X86.EXE\",\r\n\"ProcessId\": 5548,\r\n\"Started\": true,\r\n\"State\": \"Running\",\r\n\"SystemName\": \"[REDACTED]\",\r\n\"TimeLine\": \"2024-01-03T22:04:30.5586058Z\",\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/hellhounds-operation-lahat-part-2/\r\nPage 1 of 11\n\n\"ModuleName\": \"Win32_Service\"\r\n}\r\nInterestingly, the malicious actor's activity in the compromised organization's Windows-based infrastructure began amid the\r\nNew Year's holiday season on January 2 and 3.\r\nThe executable file size is 17 KB. After the service is started successfully, the sample decrypts a list of domains inside the\r\n.rdata section and then attempts to resolve the resulting domain names.\r\nEach encrypted domain begins with an FF byte. Encryption uses a simple algorithm based on two operations: xor and\r\nsubtract. Decryption involves the number of the character in the row and the row number; row character numbers start\r\nat zero.\r\nFigure 1. Encryption algorithm\r\nThe domains have the following format:\r\nThe \"-\" option means the domain does not have to be resolved. If it could not be resolved, the loader moves on to the next\r\ndomain on the list. 
The \"!\" option is only used together with the \"-\" to show the number of resolve attempts that were made\r\nbefore the domain was skipped. The number of resolve attempts is calculated as 2^n, where n is the number of consecutive\r\n\"!\" options. If the option is missing, only one resolve attempt is made.\r\nDomains in the configuration are used when obtaining a part of the key for payload decryption. They also can be used for\r\ngenerating legitimate-looking traffic and getting around sandboxes.\r\nA superficial dynamic analysis may suggest that domains used at this stage are C2 servers. However, a detailed analysis\r\nshows that both domains and subsequently obtained IP addresses are used for key generation only and possibly, for\r\ndisguising as legitimate utilities. Besides, the malware is notable for its ability to use non-existent subdomains located\r\nin valid domains, such as mp0.ptsecurity.com. While this may create a semblance of legitimacy, the domain is certain not\r\nto be resolved.\r\nA domain with a \"-\" option is used for generating traffic but not a key. A domain like that must not be resolved,\r\nor alternatively, it is resolved after the right domain. One of the domains must be resolved and have a static IP address—this\r\nis what will be used for generating a key. The malicious actor notably used this feature as a kill switch to shut down the\r\nmalware in a target system.\r\nAfter all domains in the configuration are decrypted and resolved, the loader proceeds to decrypting the next block.\r\nFigure 2. Block in the .rdata section\r\nThe block has a fixed size of 256 bytes, and it is encrypted with the CLEFIA algorithm in CBC mode. It contains the path\r\nto the main backdoor. The key is generated as follows: the name of the executable file minus the final zero is uppercased,\r\nand the byte-coded IP address is appended to it. The resulting byte string is hashed with SHA-3 to produce a 256 byte\r\noutput. 
The first 16 bytes are used as the key, and bytes 5 through 20, as the initialization vector. Example of key generation.\r\nFigure 3. Second Stage (Decoy Dog for Windows) path decryption algorithm\r\nAfter decrypting the path to the backdoor, the loader reads and decrypts it in the same manner, by using the same key and\r\ninitialization vector, and then passes control to its entry point. Interestingly, unlike the Linux sample, the Windows malware\r\ndoes not check the integrity of decrypted data.\r\nThe backdoor has the MZ signature replaced with HE, and the PE signature, overwritten as a random 4-byte sequence.\r\nFigure 4. Fragment of Decoy Dog\r\nThe malicious actor invested a lot of effort in disguising its activity on the hosts that it compromised. To do this, they\r\nimitated MaxPatrol SIEM and Microsoft services.\r\nFigure 5. Information about the Decoy Dog Loader files for Windows\r\nTellingly, the Linux samples were virtually unusable unless they passed a machine-id check, that is, the malware could not\r\nbe run without a valid identifier. The Windows samples do not contain a check like that, although they do check the\r\nexecutable name, which never matches the original filename in the metadata, a weaker check. If the IP address changes, the\r\nresearchers can use PDNS (Passive DNS) services.\r\nSecond Stage (Decoy Dog for Windows)\r\nThe decrypted payload is all but identical to the Decoy Dog version for Linux examined earlier. 
The backdoor is based\r\non the open-source project Pupy RAT.\r\nAll of the samples we managed to discover used the C2 server net-sensors[.]net and the DGA domain dynamic-dns[.]net.\r\nNeither of the samples had a dynamic configuration.\r\nConfiguration example:\r\n \r\n{'debug': False, 'launcher': 'dnscnc', 'launcher_args': ['--domain', 'net-sensors.net', '-E', 'dynamic-dns.net\r\nBelow is a detailed chart showing how Decoy Dog works on Windows hosts.\r\nFigure 6. Detailed chart showing how Decoy Dog for Windows works\r\nIn the course of our research, we detected samples targeting Windows, the oldest of these compiled on 29.11.2019, and the\r\nnewest one, on January 3, 2024. Besides Decoy Dog, the malicious actor made use of the well-known Sliver framework\r\nwith the C2 server 31.184.204[.]42 (ns2.maxpatrol[.]net). Similar samples are examined in detail in \"Sliver Implants under\r\na Lens: Extracting the Configuration and Other Useful Data\". The table below shows all of the Windows samples\r\nwe obtained.\r\nDate Description SHA-256 Name Pay\r\n29.11.2019\r\nFirst Stage\r\n(Decoy Dog\r\nLoader for\r\nWindows):\r\ntest version\r\n9a977571296ae1548c32df94be75eec2a414798bee7064b0bf44859e886a0cfa testvec.exe −\r\n14.07.2022\r\nFirst Stage\r\n(Decoy Dog\r\nLoader for\r\nWindows)\r\n4d30fd05c3bdac792e0a011892e2cad02818436484e81b6de6a02928149bc92d MaxPatrol SIEM Agent.exe fwt\r\n30.11.2022\r\nFirst Stage\r\n(Decoy Dog\r\nLoader for\r\nWindows)\r\ne27d1bab901c1bb414d0849c5c132faa8c7c6a61357d9627a7d2785270034793 Microsoft.exe exm\r\n29.01.2023 First Stage\r\n(Decoy Dog\r\n31b21de71f2162e8da1be8483f3a5d019b0c817832bc11a9f307b6b36821ca54 − −\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/hellhounds-operation-lahat-part-2/\r\nPage 4 of 11\n\nDate Description SHA-256 Name Pay\r\nLoader for\r\nWindows)\r\n16.04.2023\r\nFirst Stage\r\n(Decoy Dog\r\nLoader for\r\nWindows)\r\n18d4a3a92b24b2ad75115a44fe2727081316eca346499a4aa00aa13713cf00cb − 
−\r\n06.05.2023\r\nFirst Stage\r\n(Decoy Dog\r\nLoader for\r\nWindows)\r\n9a96c7b0595f628027c4f4caeece475ef742c420adf2fde8df934c6ce6481fb5 − −\r\n16.08.2023\r\nFirst Stage\r\n(Decoy Dog\r\nLoader for\r\nWindows)\r\nd9a8151aff9d1c061826a9812ed9a6600805c74a519df333513fd4a79d2d4e61 NtpService.exe C:\\\r\n06.11.2023\r\nFirst Stage\r\n(Decoy Dog\r\nLoader for\r\nWindows)\r\n07fe71b256c1c913b0f3e3fa67e53d21a3d1f499beb4e550597f5743797a77c4 Apache ActiveMQ.exe −\r\n08.11.2023\r\nSecond\r\nStage\r\n(Decoy Dog\r\nfor\r\nWindows)\r\ne19dc185e99cfdc0c25f18fb34ffabff2a4877d6d5843e4c67c05ce182f9780e NPipeX64_32.dll −\r\n08.11.2023\r\nSecond\r\nStage\r\n(Decoy Dog\r\nfor\r\nWindows)\r\n106436a4fafe00112b19b1374456c1746b988950b71d700680088d74494e4936 r_tarif.dll2Qur −\r\n27.12.2023 Sliver 510da6d88ae4dd51d62796023a18b39db08a016ee4ee7178b1afdc91c58f9e1e − −\r\n27.12.2023 Sliver 6cb2979aa1fddd42df2ba596f705ce9bbdb2ec246649218d598d779769857c21 − −\r\n02.01.2024\r\nFirst Stage\r\n(Decoy Dog\r\nLoader for\r\nWindows)\r\n1b8b4be020d3350d025c7a245eb0d7166ff2c329dc92af175ef0499cba583071\r\nAccSrvX64__STABLE__2016-\r\n11-10.exe\r\nC:\\\r\n[RE\r\n03.01.2024\r\nFirst Stage\r\n(Decoy Dog\r\nLoader for\r\nWindows)\r\na03e2ca143e867a99e2bc73bd4e5c2dd078a9f671aa0a4ce9611a8bc39a769e2 R_TARIF.VIEWS_X86.EXE C:\\\r\nMost of the samples contain the domain dns.msftncsi.com in their configurations, a test server for the Windows Network\r\nConnectivity Status Indicator, NCSI.\r\nAfter examining the configurations of all samples we obtained during the research, we identified SSL certificates that the\r\nbackdoor used to encrypt its connections with remote hosts. The certificates contained the earliest notBefore option at the\r\nend of 2021 (12/26/2021 at 21:51:52), and the latest option, on 11/8/2023 at 13:48:36. This places the campaign start at the\r\nend of 2021. Certificates were issued for one and three years from the time the images were generated. 
This certificate\r\ngeneration algorithm is implemented in the public Pupy RAT project.\r\nFigure 7. Examples of certificates\r\nAfter analyzing all of the samples we found, we compared their features, the issue dates of the certificates in the\r\nconfiguration, and the VirusTotal upload dates. The relevant feature set appeared in between these dates—this time range\r\nis marked dull blue in the image. This data can be used to tentatively distinguish two versions of Decoy Dog. Compared\r\nwith Pupy RAT, the project migrated to Python 3.8, added new transports, and received a DGA mechanism. The second\r\nversion, created between April 2022 and February 2023, gets a telemetry scriptlet described in detail in the previous article,\r\na dynamic configuration, and a Special launcher to run as a server on the local machine.\r\nFigure 8. Timeline of new features\r\nThe earliest Decoy Dog loader sample, compiled at the end of 2019 (11/29/2019), deserves special attention. The sample\r\nis the original version of the loader whose code contains several debugging strings. This suggests that the development\r\nof the Decoy Dog loader began in 2019.\r\nFigure 9. Generating a log path\r\nFigure 10. Downloading a payload\r\n3snake\r\nThe malicious actor used a modified open-source 3snake utility to obtain credentials on hosts running Linux. To reduce\r\nexcess functionality and evade signature detection, the command-line start option was disabled in the utility, which left just\r\n
Additionally, the utility ignores \"-o\" values, instead using the hardcoded path /var/log/apt/term.log.gz for\r\noutputting compromised credentials.\r\nUnlike the original utility, the path to the file in the sample and intercepted data are encrypted with the RC4 algorithm. The\r\nutility can intercept SIGINT, SIGQUIT, SIGHUP, SIGPIPE, SIGTERM, SIGSEGV, SIGBUS, SIGILL, and SIGCHLD\r\nsystem-call interrupts. It also adds intercept_openldap to the already-available intercept_ssh, intercept_sudo, intercept_su,\r\nintercept_ssh_client, and intercept_passwd functions. This is how the malicious actor stole a number of credentials for\r\nfurther movement across the network.\r\nFigure 11. Intercept functions in 3snake\r\nFigure 12. Main function in the modified 3snake utility\r\nInitial Access\r\nIn two incidents, the attackers managed to penetrate the victims' infrastructure via a contractor. By compromising SSH login\r\ncredentials, the malicious actor got in and installed the Decoy Dog backdoor.\r\nWe also managed to obtain content from the C2 server net-sensor[.]net and discovered that the malicious actor disguised\r\nDecoy Dog as ISO images for the iMind online meeting, video conferencing, and webinar service. Unfortunately, we could\r\nnot find out under what pretext and how exactly the malicious actor made the victims run one of the ISOs. Note that\r\nin September 2023, the National Computer Incident Response and Coordination Center issued a notice about an increased\r\nfrequency of computer incidents associated with exploiting a vulnerability in the iMind video conferencing service and\r\nrecommended updating iMind to version 3.19.\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/hellhounds-operation-lahat-part-2/\r\nPage 7 of 11\n\nFigure 13. C2 folder listing\r\nFigure 14. 
Contents of the imind folder, ISO images containing Decoy Dog\r\nVictims\r\nAs a result of the research into the group's activities, we detected a number of previously unknown attacks on organizations\r\nlocated in Russia: the number of confirmed victims more than doubled, reaching 48. At the time of preparing part one of the\r\nresearch report, we were aware of 20 Hellhounds victims. An analysis of the new attacks suggests that, in addition\r\nto focusing on the public sector, the attackers have been harassing Russian IT companies, most of these being contractors for\r\ncritical organizations. These companies were presumably targeted for trusted relationship attacks. The up-to-date victim\r\nbreakdown by industry looks as follows:\r\nInformation Technology Government Space industry Telecommunication Education Energy sector\r\nSecurity Developer sector Transport and logistics Medical Mining industry Retail\r\n© Positive Technologies\r\nFigure 15. Victims by industry\r\nConclusion\r\nThe Hellhounds group has continued to attack Russian organizations into 2024. Our investigations show that the malicious\r\nactor uses a variety of techniques for compromising and gaining control over company infrastructures, and that it began\r\ndeveloping its toolkit at least as early as 2019.\r\nThe attackers have long been able to maintain their presence inside critical organizations located in Russia. 
Although\r\nvirtually all of the Hellhounds toolkit is based on open-source projects, the attackers have done a fairly good job modifying\r\nit to bypass malware defenses and ensure prolonged covert presence inside compromised organizations.\r\nAuthors: Aleksandr Grigorian and Stanislav Pyzhov at Positive Technologies\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/hellhounds-operation-lahat-part-2/\r\nPage 8 of 11\n\nThe authors would like to thank the Incident Response and Threat Intelligence teams at the PT Expert Security Center for\r\ntheir help in preparing this article.\r\nThe sections below contain information about all of the samples we obtained and the up-to-date TTPs.\r\nName MD5 SHA-1 SHA-256\r\nFirst Stage (Decoy Dog Loader for Windows)\r\ntestvec.exe 7e0c85852b2cd932626fcf284ca72978 c8ccf6e20cde537f3da64aebd1f80b144a4c8e0a 9a977571296ae1548\r\nMaxPatrol SIEM Agent.exe 2c016c91181d4182a16845725bf0b315 2be016b6b0dd9d57f2985a6ad0df85f5538d9623 4d30fd05c3bdac792\r\nMicrosoft.exe 4479cc492fa443af1461ebd768dcd1c3 5ebf1dbcd5e16bcd4695777a7931ff4dc13d586a e27d1bab901c1bb4\r\n− ef6c7eb5518d58bc0b921d37265b0db4 c0fd9928b1755c047529a0b91517882bf74bc5e4 31b21de71f2162e8d\r\n− 3dc4391eb6170c26336938839246022f c4ef4c518c44eda803200b8f9d080c0f1ff3ed15 18d4a3a92b24b2ad7\r\n− 321e4b64bcedc76a89cca86853d30c09 b1fceda9a56d17fd1520105a6d52fdf868c4cead 9a96c7b0595f62802\r\nNtpService.exe 9200c356b485ca61ec88258f0800657a dc76c7586e1946ac120111d3a35937526a7cf140 d9a8151aff9d1c061\r\nApache ActiveMQ.exe b8932033b53ca08967100c58e12126be 6f30131181d81129c2f59d050214f47a6eedabbe 07fe71b256c1c913b\r\nAccSrvX64__STABLE__2016-\r\n11-10.exe\r\n8d6e4cd33145ae084aa184fd0875c8f6 fc5936e0e290f2f41a46eb14c05500a4236ac0c7 1b8b4be020d3350d\r\nR_TARIF.VIEWS_X86.EXE e908da6041ae249f478bb22ac05e4b18 83c8168f7706148a6f28145872a7f3bf01037239 a03e2ca143e867a99\r\nSecond Stage (Decoy Dog for Windows)\r\nNPipeX64_32.dll 10be9ca61ef86589951ddcfddc3d9672 
b3a6f0d8daf0347f56e95bf56cb60a7ea6f711cb e19dc185e99cfdc0c\r\nr_tarif.dll2Qur 914f932feb7e08f3e0396e40b8ea46e7 54984e656f2bf1ed874b8b281d5abacdd517e51b 106436a4fafe00112\r\nDecoy Dog for Linux\r\nsystemd-inputd c89d431abb6b5cc28c86196fbf898684 06335756b2a9afcf4147af25b06e30f63e5d52b9 bca6da159bbf6af3b\r\n− 2a9137f615fa56f9ae11fa7c17963dad a1790420cb2f546a79ddaeefacfd3b3a3b781e7c 9d9097e76b04b8e4\r\nsalt-slave 485ad3a834d81e63be6c03e94371c007 be428ac644a1cd1173f9c2a8b5db3c5fb38f795b 299a7888e960b7be5\r\nsnapmount 5e672d6d5c2fc6190bd670409b987dfd ee7ce10b16d4052cf15c897d98a9e286ab63c30b 75bf7d3aae0ed409c\r\nplymouthd 04fcea4bf75070e47f5f3e7e6958995f cb883f4ea73eef125d9ba2b945ed1797a679ca7e 8184a41a1275751c0\r\ncrond b28b70b981a3b8e98874d23b24fc7dbd c3669cc6fcc8a4eed8c3cad540a8f5402e4ddb79 83a29477939ba8e70\r\nmysqlrestore 15ebf623c05744403a163bd958522511 b7724bfa0041c0ae9882d880669751e290f6e88e e67c5731bed1e4d8c\r\nmd5sum.pm bf27f6608cea8343c287b355244762e9 e46c422e5336c499b852ca77b4ab97b2607e54bf 04241c476f7ff0b86\r\ndtmf bc0200af1ac2e44cdeefcb9907f4d1d3 24e7b9e904e90bfc9a9aadd8e347512ccbc895f6 2c726b0bee65f2290\r\natd adac1dc0ec3dcf28157ab09d35d0cfcc dd053b9cb14429cd4eec1b36e1a87f0a47289193 07dfb5b3e66640046\r\n− 5be93fc5c858c3474bbfbc2555843966 3ab8a4e40f91febfdc2e6d69e162e3efc8b8b448 5264dcb00fd0e7261\r\nUPDATE.SH 885fa41b7e8e7d033cd01ee2e224cca2 a864cf53550d6daf38149d345d4563b65dd8580a e42e43e01e2ca9656\r\natd 9f29794effd56e4075bb9f6e28b14678 01e71387a3ab05d73caed5435a8437faa8b66198 025d91fa1609138b3\r\natd f19890d3f004cb9ae23398a006e358f5 ac0fe4a4a400265a7d6a68a558443dfe77e0dfb4 d53fe08be9391ed66\r\natd b8b11cfde33f285402ac17c50e89ce5e 8107ca980e32c8c905aa86c81c20fe799181bef8 9517212c7f840355e\r\ndcrond 6f40bc303944be1e322dcf5c40e3cde8 286dc3e3a055e37f47ceef45cf0fa55a6ab10111 dd83e7b5788588d3\r\ndcrond 8816c53603205717e5f1269385841784 b79b0fba2e698ef78747fb412cfbab3364fe3125 f11afd0d02e936e56\r\nTNTb f09c0d5883a221d2e5f762480e946a78 
506386147d393cef81019dda55ac85125914c6be 0eb2c98d14fce41db\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/hellhounds-operation-lahat-part-2/\r\nPage 9 of 11\n\nName MD5 SHA-1 SHA-256\r\n− 5f721ea01a017832be0bc4ed60f73f9d 39a54217868490ce71d6d0eaf6b9b2a2d747b3ca 30617ff59db71da76\r\nucs-25.1.1034-debian10.tar 6f18d4f75e0cb13dbb868ce7c6fe8ab8 b86ac0e9c1d0ef17c9f7ec406d51d4b2ed08ff67 f1aa7cb84e515e6d4\r\ncrond 639826f50120006342e23a409ff6fa70 b0827b53e4d2a3d53f3ab467157f17377a243eaf 30fd37421f35748b2\r\nnmbtrapd 250af8e186b4d72b70036f090e9aee25 98c4d06e1c09907c3a4734668fef1ccd2a5ffcbb 5ab7025a477fba688\r\nnmbd 67aee8a9d41240c462ee7d7023977d84 eaf5fc2f0d9a84ff77008f805be4025df1085c20 66b7ce1c90ade1556\r\ndtmf cd10a6c402c6ccc870afa0001409c27f 943918176f941b162d668ea9642ba63d51450ff9 cb1993e26580d51a6\r\nmd5sum.pm 9fb96e93ba9962919b261ae7dfe2b120 8f943b9f82892292162eb7964da3c9168df28116 d89671386dd79499\r\nnmbtrapd bc7b5aa2a7f1e178fa8997c8d76ef041 f4c1f2882e20792463638cb75c4bb64e7aaf0401 e38dcc222f770a4d1\r\nrpc_lan.so 093f35facc67cee3a8c2cca8be8b2d6a 2c568ee8524a72cee2ae3002039f846988bea670 f466ecd2edc548185\r\nnmbd b2538dbf30dc3acb95930394e0ff3498 50105c6e64ccf058d604cdcf9123ed8bf163c41b fd7298c3be42560f7\r\naptitude-common 0e22f3587c519c1f0e4fc57a04d66edb d7f31bbb9a7cbe911f5ae3253e650b1fa7cc4b4c b3538ce6d66a8a104\r\nUPDATE.SH 537b8e319ef65435740b3e0c28722925 226d3a29149e36690b50b93beabed4481b1a48e6 c67f28a2b85b0b242\r\n− 4f2529e5be66a80e44acaeaa418b575c 15a6fdc79f0724d4c3b18742e5f1d73fc6839ac4 6da74c7e2bf3d77ac\r\ndcrond e35199eacd0bbc06cfb2c72e14f7a659 67006e298844b578cce9888c243640f7e1f2e7c7 00625fe8a6573f177\r\ndcrond 453833594493c5064eeff8210d571224 fb0f1226903dde243ef08c26ec0c5d7880e9c291 7f55c71e064c00090\r\ndcrond f28c7c354b9e27e8908dd0b8dc7da01b 444a7b477e6f7bd0d9be7add79b3e0415566169c d59fcb3e138b9eea0\r\natd 74ed22250182d13df4e1ad4b4f91d519 7c440e9421c26fe7b73ae8e213ef58b3b615ed6f 25ff8d416a4158c74\r\natd 
6218ad1e81b1cd9364bbe0059b99bc9a 27fedf90846efe5357e11c53d87612fbf6c421d4 82746a68612661c6\r\natd e1a93ced3a55b34a54b5ac0dd095da59 2ba1a6808db393296a08968c220b193fae42c21b ee8dd2626a4465f49\r\nsmartmond d80b3ff086aed177bb87c317188b92c2 2b1b5b4c7f9d4a963b0ec92a5eb2e28cb6cdc0b7 ae6c7656a973c797a\r\ndcrond cc7a6656832b6929722b1c38cc14b550 4450d904f695dd51eaea24e4e449707707c7852e b21e9a3581497eafb\r\natd b514157f9b8cbb08d476e838171050d8 e3ce85ababbc7b8b4291551abb9f0928caeb2646 121ab168fd3d59f83\r\ndcrond 33f3dd60e87aafd96adf62fcb5af725f 685ecfba19ad58f81acbb62a3fc9010128bf2000 64af32f631c4ace66\r\natd 5da97bbd438a030b0427a15c69af0037 8daf7589f2e417363e3cfbc714fc9b299f54a36e 834d7a3ccd82dd51e\r\ndcrond 84f2fa4d139ac10124f915584dda6476 26199b999facada1d6dafe78524321e575621d73 33e9020a2d6e6604a\r\nhtop 6ee38226efedabbf794a37d0c972702c 3ca21bde29ff0744edacd611d82b50d297bb447a 494c857b3abe11ab6\r\nsystemd-crgoupsd 26e10db16c4b00c9d4afa1d3f2c5f080 4811d92b307a2929b25b39638b35f3e5692f4451 49cda974e0f9fdf1a9\r\nSliver\r\nAzimuthF.exe_ b0b2176187e24710ad9b4fbbb38573b1 db3ea044e32773c12d67a49588f5a12aae09e257 510da6d88ae4dd51d\r\nAzimuthF_2.exe_ fd13efb096377f8bbf8b754874c40262 480c2a12dfc1900ab9bad635caf6c507a300623c 6cb2979aa1fddd42d\r\n3Snake\r\ndb-healthmon 18417672efbe00f3ecdd700c442137fd ac469df608ef049708ba6efe72f4493ac20cdfd0 1b7d26b2547ceb7f4\r\nISO Images\r\nmind-live_3.12.30+23.06.23.01.30.iso\r\n8a1834e81ffb4ded5b818db7db8e543b 9206f83e69c53c4460a30cc4046e59f50e25a1ad 0d6d89023c7e4d72\r\nmind-live_3.12.30+23.06.23.01.40.iso\r\n8a1834e81ffb4ded5b818db7db8e543b 9206f83e69c53c4460a30cc4046e59f50e25a1ad 0d6d89023c7e4d72\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/hellhounds-operation-lahat-part-2/\r\nPage 10 of 11\n\nName MD5 SHA-1 SHA-256\r\nmind-live_3.12.30+23.06.23.01.50.iso\r\n6703e425619a766ab521109885b51248 1d3ab04ace6895b042beb2d7ccfcd6c6cf5e620c 
c620742a863ab20ad\r\nmind-live_3.12.30+23.06.23.01.61.iso\r\n6703e425619a766ab521109885b51248 1d3ab04ace6895b042beb2d7ccfcd6c6cf5e620c c620742a863ab20ad\r\nmind-live_3.12.30+23.06.23.01.62.iso\r\n6703e425619a766ab521109885b51248 1d3ab04ace6895b042beb2d7ccfcd6c6cf5e620c c620742a863ab20ad\r\nmind-live_3.12.30+23.06.23.01.63.iso\r\n6703e425619a766ab521109885b51248 1d3ab04ace6895b042beb2d7ccfcd6c6cf5e620c c620742a863ab20ad\r\nmind-live_3.12.30+23.06.23.01.70.iso\r\n6703e425619a766ab521109885b51248 1d3ab04ace6895b042beb2d7ccfcd6c6cf5e620c c620742a863ab20ad\r\nmind-live_3.12.30+23.06.23.01.80.iso\r\n6703e425619a766ab521109885b51248 1d3ab04ace6895b042beb2d7ccfcd6c6cf5e620c c620742a863ab20ad\r\nmind-live_3.12.30+23.06.23.01.90.iso\r\n6703e425619a766ab521109885b51248 1d3ab04ace6895b042beb2d7ccfcd6c6cf5e620c c620742a863ab20ad\r\nmind-live_3.12.30+23.06.23.01.95.iso\r\n6703e425619a766ab521109885b51248 1d3ab04ace6895b042beb2d7ccfcd6c6cf5e620c c620742a863ab20ad\r\nmind-live_3.12.31+23.07.23.01.30.iso\r\n6703e425619a766ab521109885b51248 1d3ab04ace6895b042beb2d7ccfcd6c6cf5e620c c620742a863ab20ad\r\nSource: https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/hellhounds-operation-lahat-part-2/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/hellhounds-operation-lahat-part-2/"
	],
	"report_names": [
		"hellhounds-operation-lahat-part-2"
	],
	"threat_actors": [
		{
			"id": "2603d977-6e3a-4269-ba49-b5a85c943641",
			"created_at": "2024-06-26T02:00:04.847439Z",
			"updated_at": "2026-04-10T02:00:03.666442Z",
			"deleted_at": null,
			"main_name": "HellHounds",
			"aliases": [],
			"source_name": "MISPGALAXY:HellHounds",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434269,
	"ts_updated_at": 1775792067,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9f61b2eea8633be112b151ed9f694ec6924361d4.pdf",
		"text": "https://archive.orkl.eu/9f61b2eea8633be112b151ed9f694ec6924361d4.txt",
		"img": "https://archive.orkl.eu/9f61b2eea8633be112b151ed9f694ec6924361d4.jpg"
	}
}