{
	"id": "535edb21-570d-416d-93b1-b50056d7a05e",
	"created_at": "2026-04-06T00:10:38.863011Z",
	"updated_at": "2026-04-10T13:12:50.492794Z",
	"deleted_at": null,
	"sha1_hash": "b2cc82adeb5fbea915cb1624d009fcd6512b6dac",
	"title": "Lyceum .NET DNS Backdoor | Zscaler",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1224422,
	"plain_text": "Lyceum .NET DNS Backdoor | Zscaler\r\nBy Niraj Shivtarkar, Avinash Kumar\r\nPublished: 2022-06-09 · Archived: 2026-04-05 16:40:26 UTC\r\nActive since 2017, the Lyceum group is a state-sponsored Iranian APT group that is known for targeting Middle Eastern organizations in the energy and telecommunication sectors and mostly relying on .NET based malware.\r\nZscaler ThreatLabz recently observed a new campaign where the Lyceum Group was utilizing a newly developed and customized .NET based malware targeting the Middle East by copying the underlying code from an open source tool.\r\nKey Features of this attack:\r\n1. The new malware is a .NET based DNS Backdoor which is a customized version of the open source tool “DIG.net”\r\n2. The malware leverages a DNS attack technique called \"DNS Hijacking\" in which an attacker-controlled DNS server manipulates the response of DNS queries and resolves them as per their malicious requirements.\r\n3. The malware employs the DNS protocol for command and control (C2) communication which increases stealth and keeps the malware communication probes under the radar to evade detection.\r\n4. Comprises functionalities like Upload/Download Files and execution of system commands on the infected machine by abusing DNS records, including TXT records for incoming commands and A records for data exfiltration.\r\nDelivery mechanism\r\nDuring this campaign, the macro-enabled Word document (File name: ir_drones.docm) shown below is downloaded from the domain “http[:]//news-spot.live” disguising itself as a news report related to military affairs in Iran. The text of the document is copied from the following original report here:\r\nhttps[:]//www[.]rferl[.]org/a/iran-drone-program-threats-interests/31660048.html\r\nFig 1. Attached Macro-enabled Word Document\r\nOnce the user enables the macro content, the following AutoOpen() function is executed which increases picture brightness using “PictureFormat.Brightness = 0.5” revealing content with the headline, “Iran Deploys Drones To Target Internal Threat, Protect External Interests.”\r\nhttps://www.zscaler.com/blogs/security-research/lyceum-net-dns-backdoor\r\nPage 1 of 13\r\nFig 2. AutoOpen() function revealing content to lure the victims\r\nThe threat actor then leverages the AutoClose() function to drop the DNS backdoor onto the system. Upon closing the document the AutoClose() function is executed, reading a PE file from the text box present on the 7th page of the Word document and parsing it further into the required format as shown below with the “MZ” header as the initial two bytes of the byte stream.\r\nFig 3. AutoClose() function reading the PE File\r\nThis PE file is then written into the Startup folder in order to maintain persistence via the macro code as shown below in the screenshot. With this tactic, whenever the system is restarted, the DNS Backdoor is executed.\r\nFig 4. DNS Backdoor dropped in the Startup folder\r\nThe dropped binary is a .NET based DNS Backdoor named “DnsSystem” which allows the threat actors to execute system commands remotely and upload/download data on the infected machine.\r\nBelow, we analyze the dropped .NET based DNS Backdoor and its inner workings.\r\nThe Lyceum Group has developed a .NET based DNS Backdoor which has been widely used in the wild in their recent campaigns. As discussed earlier, the backdoor was dropped in the Startup folder of the infected system from a Macro Enabled Word document.\r\nmd5: 8199f14502e80581000bd5b3bda250ee\r\nFilename: DnsSystem.exe\r\nAttack Chain Analysis\r\nThe .NET based DNS Backdoor is a customized version of the Open source tool DIG.net (DnsDig) found here: DNS.NET Resolver (C#) - CodeProject. DIG.net is an open source DNS Resolver which can be leveraged to perform DNS queries onto the DNS Server and then parse the response. The threat actors have customized and appended code that allows them to perform DNS queries for various records onto the custom DNS Server, parse the response of the query in order to execute system commands remotely, and upload/download files from the Command \u0026 Control server by leveraging the DNS protocol.\r\nInitially the malware sets up an attacker controlled DNS server by acquiring the IP Address of the domain name “cyberclub[.]one” = 85[.]206[.]175[.]199 using Dns.GetHostAddresses() for the DIG Resolver function, which in turn triggers a DNS request to cyberclub[.]one for resolving the IP address. This IP is then used as the custom attacker controlled DNS Server for all further DNS queries initiated by the malware.\r\nFig 5. Initialize Attacker-Controlled DNS Server\r\nNext, the Form Load function generates a unique BotID depending on the current Windows username. It converts the username into its MD5 equivalent using the CreateMD5() function, and parses the first 8 bytes of the MD5 as the BotID for the identification of the user and system infected by the malware.\r\nFig 6. Generation of BotID using the Windows username\r\nNow, the backdoor needs to receive commands from the C2 server in order to perform tasks. The backdoor sends across an initial DNS query to “trailers.apple.com” wherein the domain name “trailers.apple.com” is concatenated with the previously generated BotID before initiation of the DNS request. The DNS query is then sent to the DNS server in order to fetch the “TXT” records for the provided domain name by passing three arguments to the BeginDigIt() function:\r\nName: Target Domain name - EF58DF5Ftrailers.apple.com\r\nqType: Records to be queried - TXT\r\nqClass: Dns class value - IN (default)\r\nFig 7. Setup of DNS Query parameters before execution of BeginDigIt() Function\r\nThe BeginDigIt function then executes the main DNS resolver function “DigIt.” This sends across the DNS query in order to fetch the DNS record for the provided target domain name to the DNS server, and parses the response as seen in the code snippet below.\r\nFig 8. DNS Query DigIt Function\r\nComparing the strings of the DigIt() resolver function with the Dig.Net tool output from the screenshot shown below provides further assurance that the Dig.Net tool has been customized by the Lyceum Group to develop the following .Net based DNS backdoor.\r\nFig 9. Original Dig.net GUI Output\r\nThe malware utilizes a DNS attack technique known as “DNS Hijacking” wherein the DNS server is controlled by the attackers, which allows them to manipulate the response to the DNS queries. Now let's analyze the DNS Hijacking routine below.\r\nAs discussed earlier, the backdoor performs initial DNS queries in order to fetch the TXT records for the domain EF58DF5trailers.apple.com. EF58DF5 is the BotID generated based on the Windows user to receive commands from the C2 server.\r\nFig 10. DNS query to attacker-controlled DNS server to fetch TXT records.\r\nAs can be seen in the above screenshot, a DNS query is performed to fetch the TXT records for the domain name EF58DF5trailers.apple.com to the DNS Server 85[.]206[.]175[.]199, which is the attacker-controlled DNS server previously initialized.\r\nHere’s where the DNS hijacking happens: As the malware sends across a DNS query to fetch the TXT records to the attacker-controlled DNS server, the attacker controlled DNS server responds with an incorrect response consisting of the commands to be executed by the backdoor such as ipconfig, whoami, uploaddd, etc. as shown in the screenshot below.\r\nFig 11. Ipconfig command returned as the TXT record from the attacker controlled DNS server\r\nFollowing is the DIG.Net DNS response received by the backdoor and then further parsed in order to execute commands on the infected machine.\r\nFig 12. DIG.net output received by the backdoor\r\nThe above screenshot consists of the DNS query performed to the attacker controlled DNS server along with the target domain name EF58DF5trailers.apple.com. The Answer section consists of the query response, which includes the target Domain name and the response to the TXT record with two values, “ipconfig” - command to be executed and “1291” - Communication ID.\r\nNext, the Dig.net response is parsed using multiple pattern regex code routines which parse out the TXT record values, the aforementioned command and communication ID, from the complete response received by the malware.\r\nFig 13. Parsing of TXT Records\r\nNext, depending on the command received in the TXT record from the C2 server, there are three functions which can be performed by the Lyceum backdoor:\r\nDownload Files - If the command received from the DNS query consists of a string: “downloaddd” it initiates the download routine and downloads the file from the URL using DownloadFileAsync(). The URL would be the first 11 bytes of the TXT record response value, and the downloaded file is stored in the Downloads folder as shown below in the code snippet. This functionality can be leveraged to drop additional malware on the infected machine.\r\nFig 14. Backdoor Download Routine\r\nUpload Files - If the command received from the DNS query consists of a string: “uploaddd”, it uploads the local file on the disk using the UploadFileAsync() function to an External URL after parsing the TXT record response value into two variables: uriString (external URL) and filename (Local File). This functionality can be leveraged to exfiltrate data.\r\nFig 14. Backdoor Upload Routine\r\nCommand Execution - If none of the above strings match the TXT record response then the response is passed on to the Command execution routine. There, the response to the TXT record is executed as a command on the infected machine using “cmd.exe /c ” and the command output is sent across to the C2 server in the form of DNS A Records.\r\nFig 15. Backdoor Command Execution Routine\r\nIn this case, the TXT record response we received for the DNS query performed against the attacker controlled DNS server is “ipconfig”. This response initiates the Command execution routine of the backdoor and thus the command “ipconfig” would be executed on the infected machine - cmd.exe /c ipconfig\r\nFurther, the command output is exfiltrated to the C2 server, encoded in Base64 and then concatenated with the Communication ID and the previously generated BotUID using “$” as the separator.\r\nFig 16. Command Output exfiltration Pattern setup\r\nData Exfil Pattern: [base64encoded_command_output]$[communication_id]$[Bot_ID]\r\nOnce the command output is encoded in the above mentioned pattern, the DNS backdoor then sends across the output to the C2 server via DNS query in the form of A records in multiple blocks of queries, where the A record values consist of the encoded command output. Once the command output is transmitted completely, an “Enddd” command is sent across in a Base64-encoded data exfil pattern to notify the end of the command output as shown below in the screenshot.\r\nFig 17. Exfiltration of Encoded Command Output via A records queries on the attacker controlled DNS server\r\nDecoded A Records:\r\nIPConfig Command Output -\r\nEncoded A record = ICAgSVB2NCBBZGRyZXNzLiAuIC4gLiAuIC4gLiAuIC4gLiAuIDogMTkyLjE2OC4.yLjEw$929$5686BB2F\r\nDecoded A record = IPv4 Address. . . . . . . . . . . : 192.168.2.10 $ ComID: 929 $ UID: 5686BB2F\r\nEnd Command -\r\nEncoded A record = RW5kZGQ=$1291$$EF58DF5F\r\nDecoded A record = Enddd $ ComID: 1291 $ UID: EF58DF5F\r\nCloud Sandbox detection\r\nFig 18: The Zscaler Cloud Sandbox successfully detected the malware.\r\nConclusion\r\nAPT threat actors are continuously evolving their tactics and malware to successfully carry out attacks against their targets. Attackers continuously embrace new anti-analysis tricks to evade security solutions; re-packaging of malware makes static analysis even more challenging. The Zscaler ThreatLabz team will continue to monitor these attacks to help keep our customers safe.\r\nMITRE ATT\u0026CK mapping:\r\nT1059 Command and Scripting Interpreter\r\nT1055 Process Injection\r\nT1562 Disable or Modify Tools\r\nT1010 Application Window Discovery\r\nT1018 Remote System Discovery\r\nT1057 Process Discovery\r\nT1518 Security Software Discovery\r\nT1071 Application Layer Protocol\r\nIOC:\r\nDocm Hash:\r\n13814a190f61b36aff24d6aa1de56fe2\r\nExe Hash:\r\n8199f14502e80581000bd5b3bda250ee\r\nDomain and URLs:\r\ncyberclub[.]one\r\nhxxp://news-spot[.]live/Reports/1/?id=1111\u0026pid=a52\r\nhxxp://news-spot[.]live/Reports/1/?id=1111\u0026pid=a28\r\nhxxp://news-spot[.]live/Reports/1/?id=1111\u0026pid=a40\r\nhxxp://news-spot[.]live/Reports/1/45/DnsSystem[.]exe\r\nAbout ThreatLabz\r\nThreatLabz is the security research arm of Zscaler. This world-class team is responsible for hunting new threats and ensuring that the thousands of organizations using the global Zscaler platform are always protected. In addition to malware research and behavioral analysis, team members are involved in the research and development of new prototype modules for advanced threat protection on the Zscaler platform, and regularly conduct internal security audits to ensure that Zscaler products and infrastructure meet security compliance standards. ThreatLabz regularly publishes in-depth analyses of new and emerging threats on its portal, research.zscaler.com.\r\nStay updated on ThreatLabz research by subscribing to our Trust Issues newsletter today.\r\nSource: https://www.zscaler.com/blogs/security-research/lyceum-net-dns-backdoor",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/lyceum-net-dns-backdoor"
	],
	"report_names": [
		"lyceum-net-dns-backdoor"
	],
	"threat_actors": [
		{
			"id": "cde987a8-c71f-49e2-b761-5b7fa2b4ada6",
			"created_at": "2022-10-25T16:07:23.706646Z",
			"updated_at": "2026-04-10T02:00:04.719127Z",
			"deleted_at": null,
			"main_name": "Hexane",
			"aliases": [
				"ATK 120",
				"Cobalt Lyceum",
				"G1001",
				"Lyceum",
				"Operation Out to Sea",
				"Siamesekitten",
				"Yellow Dev 9"
			],
			"source_name": "ETDA:Hexane",
			"tools": [
				"DanBot",
				"DanDrop",
				"Decrypt-RDCMan.ps1",
				"Get-LAPSP.ps1",
				"James",
				"Milan",
				"kl.ps1"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a7df240e-6750-4b71-99de-85831b92faa2",
			"created_at": "2022-10-25T15:50:23.859253Z",
			"updated_at": "2026-04-10T02:00:05.285965Z",
			"deleted_at": null,
			"main_name": "HEXANE",
			"aliases": [
				"Lyceum",
				"Siamesekitten",
				"Spirlin"
			],
			"source_name": "MITRE:HEXANE",
			"tools": [
				"Milan",
				"netstat",
				"BITSAdmin",
				"DnsSystem",
				"DanBot",
				"ipconfig",
				"Mimikatz",
				"Kevin",
				"PoshC2"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fb8f3a5f-01a9-498e-9396-52f844424c33",
			"created_at": "2023-01-06T13:46:39.045338Z",
			"updated_at": "2026-04-10T02:00:03.195743Z",
			"deleted_at": null,
			"main_name": "LYCEUM",
			"aliases": [
				"Spirlin",
				"MYSTICDOME",
				"siamesekitten",
				"Chrono Kitten",
				"Storm-0133",
				"COBALT LYCEUM",
				"UNC1530"
			],
			"source_name": "MISPGALAXY:LYCEUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434238,
	"ts_updated_at": 1775826770,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b2cc82adeb5fbea915cb1624d009fcd6512b6dac.pdf",
		"text": "https://archive.orkl.eu/b2cc82adeb5fbea915cb1624d009fcd6512b6dac.txt",
		"img": "https://archive.orkl.eu/b2cc82adeb5fbea915cb1624d009fcd6512b6dac.jpg"
	}
}