DarkHydrus

Threat Actor updated 4 months ago (2024-05-13T16:17:34.707Z)
DarkHydrus is a notable threat actor known for executing malicious activities. The group has been associated with several well-known campaigns, including DarkHydrus, OilRig, xHunt, SUNBURST, and Decoy Dog. These campaigns have leveraged DNS tunneling for Command and Control (C2) communications, a technique that allows covert extraction of data from compromised systems. Additionally, DarkHydrus has been observed using Google Drive for C2 communications, highlighting an evolving strategy that involves the abuse of legitimate cloud services. Our research indicates that DarkHydrus recently developed a new variant of the RogueRobin trojan. This variant was discovered in three different delivery documents, suggesting a possible shift in the group's tactics. Notably, this new variant of RogueRobin can use Google Drive as its C2 channel, indicating that DarkHydrus is adapting its methods to abuse mainstream cloud services for its operations. Furthermore, these payloads demonstrate that DarkHydrus actors have ported their previous PowerShell-based RogueRobin code to an executable variant, a behavior commonly observed among other adversary groups operating in the Middle East, such as OilRig. The latest activities of DarkHydrus show a persistent evolution in their approach. Recent delivery documents revealed the group's adoption of open-source penetration testing techniques, such as an AppLocker bypass. This development suggests that DarkHydrus continues to enhance its playbook by incorporating new techniques, underscoring the need for ongoing vigilance and adaptive security measures against this active and evolving threat.
Description last updated: 2024-05-13T15:18:54.913Z
Aliases: We are not currently tracking any aliases.

Miscellaneous Associations (other elements of context that could aid in the identification of relevance): Trojan
Associated Threat Actors

ID: OilRig
Type: is related to
Votes: 2
Profile Description: OilRig is a well-known threat actor in the cybersecurity landscape, notorious for its sophisticated attacks on various targets, including Middle Eastern telecommunications organizations and Israel's critical infrastructure sector. This entity has been linked to several high-profile campaigns such as
Source Document References

Information about the DarkHydrus Threat Actor was read from the documents corpus below. This display is limited to 20 results.

Source: Unit42 | Created: 4 months ago | Title: Leveraging DNS Tunneling for Tracking and Scanning
Source: Unit42 | Created: a year ago | Title: Understanding DNS Tunneling Traffic in the Wild
Source: MITRE | Created: 2 years ago | Title: DarkHydrus delivers new Trojan that can use Google Drive for C2 communications