Case Study: DarkHydrus (Threat Actor Group)
DarkHydrus, also tracked as G0079, LazyMeerkat, and Obscure Serpens, is a threat group that has been operating with its current playbook since as early as 2016. Tracking of DarkHydrus began after analysis of a targeted attack in July 2018. The group is notable for its reliance on open-source tools and its consistent targeting of government entities and educational institutions in the Middle East.
Operational History and Characteristics:

- Aliases: DarkHydrus is also known as G0079, LazyMeerkat, and Obscure Serpens.
- Operational Timeline: Unit 42’s telemetry suggests DarkHydrus has been active with its current methods since early 2016. Credential harvesting attempts using the same infrastructure date back to the Fall of 2017.
- Targeting: The group primarily targets government agencies and educational institutions in the Middle East.
- Tooling Philosophy: DarkHydrus frequently abuses legitimate open-source tools for malicious purposes, relying heavily on such resources rather than bespoke tooling.
Attack Methodologies:
DarkHydrus employs spear-phishing as its primary initial access vector, using various file types and techniques to achieve its objectives:

- Spear-Phishing with Malicious Excel Web Query Files (.iqy):
  - Date: Observed in July 2018.
  - Delivery: Spear-phishing emails were sent to targeted organizations.
  - Attachments: These emails contained password-protected RAR archive attachments (e.g., credential.rar). The password (e.g., “123456”) was often included in the email body.
  - Payload Container: Inside the RAR archives were malicious Excel Web Query files (.iqy) (e.g., credential.iqy).
  - Execution Chain:
    - When opened, Excel natively processes the .iqy file, which contains a URL (e.g., hxxp://micrrosoft[.]net/releasenotes.txt).
    - Excel prompts the user for consent to enable the data connection.
    - Upon consent, Excel retrieves content from the URL, which contains a formula to run a PowerShell script via the command prompt. Excel again seeks user consent to launch the command prompt.
    - This script then downloads and executes a second PowerShell script (e.g., hxxp://micrrosoft[.]net/winupdate.ps1).
  - Primary Payload: The main payload in this instance was a custom PowerShell-based script named RogueRobin.
  - Obfuscation: RogueRobin’s developer used the open-source Invoke-Obfuscation tool (specifically the COMPRESS technique).
  - Sandbox Evasion: Before executing its main functionality, RogueRobin checks for sandbox environments by querying the BIOS version and manufacturer, physical memory, and CPU core count, and by looking for processes such as “Wireshark” and “Sysinternals”.
  - Persistence: If no sandbox is detected, RogueRobin achieves persistence by creating a batch file (OneDrive.bat) and a modified copy of itself (OneDrive.ps1) in %APPDATA%, then creating a Windows startup shortcut (OneDrive.lnk) that runs the PowerShell script upon user login.
  - C2 Communication (DNS Tunneling): RogueRobin communicates with its command and control (C2) servers using a custom DNS tunneling protocol. It tests various DNS query types (A, AAAA, AC, CNAME, MX, TXT, SRV, SOA) to determine the most effective communication method. Information is base64 encoded and transmitted within subdomains of the C2 domain.
  - Available Commands: The payload supports commands such as $fileDownload (upload to C2), $importModule (add PowerShell module), $screenshot, $command (run PowerShell command), slp (set sleep interval), $testmode (determine DNS query types), $showconfig (upload configuration), slpx (set sleep interval for DNS requests), and $fileUpload (download from C2).
- Credential Harvesting Attacks with Malicious Microsoft Office Documents:
  - Date: Observed in June 2018, with evidence of similar attempts dating back to Fall 2017.
  - Delivery: Spear-phishing emails containing malicious Word documents (e.g., with subjects such as “Project Offer”).
  - Technique: These documents leveraged the “attachedTemplate” technique to load a template from a remote server.
  - User Interaction: When attempting to load the remote template, Microsoft Office displays an authentication dialog box prompting the user for login credentials.
  - Credential Theft: When credentials are entered, they are sent to the C2 server.
  - Deception: DarkHydrus designed its C2 domains to spoof legitimate services (e.g., using 0utl00k[.]net to resemble outlook.com), often incorporating the targeted organization’s subdomain to enhance legitimacy. After credential theft, some documents displayed seemingly pertinent content, such as an employee survey or a password handover form, to further deceive the user.
  - Tool Used: DarkHydrus used the open-source Phishery tool to create these malicious Word documents and to host the C2 server for credential harvesting.
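The DNS tunneling behaviour described above (many record types against one domain, base64 data in the subdomain labels) is visible in resolver logs. The following Python is an added example, not code from the page, Unit 42 or any vendor; it runs simple detection logic over a constructed DNS query log, and the log format, thresholds and base64 sample label are assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log, "time client qtype qname" per line. The
# micrrosoft[.]net C2 domain is the one named on the page; the base64 subdomain
# label is made-up text standing in for RogueRobin-style tunnelled data.
SAMPLE_DNS_LOG = """\
10:00:01 10.0.0.5 A www.example.com
10:00:02 10.0.0.5 A aGVsbG8gd29ybGQ.micrrosoft.net
10:00:03 10.0.0.5 AAAA aGVsbG8gd29ybGQ.micrrosoft.net
10:00:04 10.0.0.5 CNAME aGVsbG8gd29ybGQ.micrrosoft.net
10:00:05 10.0.0.5 MX aGVsbG8gd29ybGQ.micrrosoft.net
10:00:06 10.0.0.5 TXT aGVsbG8gd29ybGQ.micrrosoft.net
10:00:07 10.0.0.5 SRV aGVsbG8gd29ybGQ.micrrosoft.net
10:00:08 10.0.0.5 SOA aGVsbG8gd29ybGQ.micrrosoft.net
10:00:09 10.0.0.5 MX example.com
"""

# Record types RogueRobin's $testmode cycles through, as listed on the page.
TUNNEL_QTYPES = {"A", "AAAA", "AC", "CNAME", "MX", "TXT", "SRV", "SOA"}
# Long labels drawn only from the base64 alphabet (URL-safe variant included).
BASE64_LABEL = re.compile(r"^[A-Za-z0-9+/=_-]{12,}$")

def shannon_entropy(s: str) -> float:
    """Shannon entropy of a label in bits per character."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def parent_domain(qname: str) -> str:
    """Approximate registrable domain: last two labels (no public-suffix list)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def find_dns_tunnels(log_text: str, min_qtypes: int = 4, min_entropy: float = 3.0) -> dict:
    """Map parent domain -> sorted record types for domains that look tunnelled:
    many distinct record types AND at least one long, high-entropy subdomain label."""
    qtypes, encoded_hits = defaultdict(set), defaultdict(int)
    for line in log_text.splitlines():
        _, _, qtype, qname = line.split()
        parent = parent_domain(qname)
        qtypes[parent].add(qtype.upper())
        for label in qname.split(".")[:-2]:
            if BASE64_LABEL.match(label) and shannon_entropy(label) >= min_entropy:
                encoded_hits[parent] += 1
    return {d: sorted(t) for d, t in qtypes.items()
            if len(t & TUNNEL_QTYPES) >= min_qtypes and encoded_hits[d] > 0}
```

The entropy check alone will not separate long dictionary-word labels from encoded data; the spread of record types against a single parent domain is the stronger signal here, so tune both thresholds against your own resolver baseline.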
Associated Malware and Tools: DarkHydrus is known for leveraging a variety of legitimate and open-source tools:
- RogueRobin: A custom PowerShell-based payload identified in the July 2018 attacks.
- Phishery: An open-source tool used for creating malicious Word documents and hosting C2 servers for credential harvesting.
- Cobalt Strike: A commercial penetration testing tool frequently abused by threat actors for malicious purposes; numerous recent reports (up to July 2025) detail its use by various threat actors.
- Meterpreter: An open-source payload that can be injected into a running process.
- PowerShellEmpire: A post-exploitation framework.
- Veil: A tool designed to generate Metasploit payloads that bypass common antivirus solutions.
- Mimikatz: A tool for extracting plaintext passwords, hashes, PIN codes, and Kerberos tickets from memory.
Command and Control (C2) Infrastructure and Domains: DarkHydrus uses C2 domains that typically spoof legitimate technology or security vendors so that they appear trustworthy, for example 0utl00k[.]net, which imitates outlook.com.
Some of these C2 domains were found to resolve to IP addresses in China (e.g., in the 1.2.9.0/24 range). DarkHydrus reuses its C2 domains over extended periods: micrrosoft[.]net, for example, was used in attacks from January 2017 to July 2017 and again in July 2018.
Protection and Detection: Vendors such as Palo Alto Networks, Microsoft Defender ATP, CrowdStrike Falcon and SentinelOne offer protection against DarkHydrus activity through various mechanisms, for example:
- The C2 server 0utl00k[.]net is classified as Malware.
- Phishery documents created by DarkHydrus receive malicious verdicts in WildFire.
- The micrrosoft[.]net domain has been classified as malicious since March 2017.
- All C2 domains associated with DarkHydrus payloads are classified as command and control.
- Traps (an endpoint protection solution) can block Excel from creating a command prompt process, which is a key step in some DarkHydrus attacks.
- AutoFocus customers can monitor the group’s activity using the DarkHydrus tag.
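The Traps control above blocks Excel from spawning a command prompt; the same lineage (Office application, then cmd.exe, then PowerShell) can be hunted in endpoint telemetry. The following Python is an added example, not code from the page or from any vendor listed, and assumes a Sysmon-style process-creation schema (pid, ppid, image, command line) with constructed sample events.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record in a Sysmon Event ID 1 style (assumed schema)."""
    pid: int
    ppid: int
    image: str
    cmdline: str

# Constructed events, not real telemetry: Excel opening the .iqy, the user
# consenting into cmd.exe, which starts PowerShell; plus an unrelated cmd.exe
# started from Explorer that must not be flagged.
SAMPLE_EVENTS = [
    ProcEvent(400, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(512, 400, r"C:\Program Files\Microsoft Office\EXCEL.EXE",
              '"EXCEL.EXE" credential.iqy'),
    ProcEvent(600, 512, r"C:\Windows\System32\cmd.exe", "cmd.exe /c powershell"),
    ProcEvent(640, 600, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell (stage fetching winupdate.ps1 from micrrosoft[.]net)"),
    ProcEvent(700, 400, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
]

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def ancestry(events, pid):
    """Yield image basenames from the given process up to the root via ppid."""
    by_pid = {e.pid: e for e in events}
    seen = set()  # guards against pid reuse producing a cycle
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        yield basename(by_pid[pid].image)
        pid = by_pid[pid].ppid

def find_office_shell_chains(events):
    """Return [(pid, chain)] for every shell whose ancestors include an Office app,
    e.g. 'powershell.exe <- cmd.exe <- excel.exe <- explorer.exe'."""
    hits = []
    for e in events:
        if basename(e.image) not in SHELL_IMAGES:
            continue
        chain = list(ancestry(events, e.pid))
        if any(img in OFFICE_IMAGES for img in chain[1:]):
            hits.append((e.pid, " <- ".join(chain)))
    return hits
```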