DarkHydrus, an Iranian threat group also known as Obscure Serpens, is a significant cybersecurity concern. Notable for its malicious activities, DarkHydrus has targeted government agencies and educational institutions in the Middle East since 2016, employing sophisticated techniques such as DNS tunneling. This method, also used by other well-known campaigns and actors such as SUNBURST, OilRig, xHunt, and Decoy Dog, hides command and control (C2) traffic inside ordinary DNS queries and responses, which blend into the large volume of legitimate DNS traffic on most networks and make detection significantly more challenging.
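Because tunneled C2 has to be encoded into DNS labels, it leaves statistical traces that defenders can hunt for: many distinct, high-entropy subdomains under one apex domain, often with an unusual share of TXT queries. The following added example (not code from the original page, nor from any DarkHydrus research) profiles a constructed DNS query log by those features and flags apex domains that look like tunneling endpoints. The log lines, the client addresses and the apex domain `example-c2.test` are invented for the example; the apex extraction takes the last two labels, a simplification that a real deployment would replace with a public suffix list.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log: timestamp, client IP, query type, query name.
# Every value here is invented for this example; "example-c2.test" stands in for a
# hypothetical tunneling apex domain and is not a real indicator.
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 A www.example.com
2024-01-01T10:00:02 10.0.0.5 A mail.example.com
2024-01-01T10:00:03 10.0.0.7 TXT 4a7f9c2e1b8d6f03a5c4e2.example-c2.test
2024-01-01T10:00:04 10.0.0.7 TXT 9b3e0d5a7c1f2e8b4d6a9c.example-c2.test
2024-01-01T10:00:05 10.0.0.7 TXT c2d8f1a6e3b7905d4f2a8e.example-c2.test
2024-01-01T10:00:06 10.0.0.7 TXT 0e6a3d9f2c5b8e1a7d4f3b.example-c2.test
2024-01-01T10:00:07 10.0.0.7 TXT 7f1c4e9a2d6b3f8e5a0c1d.example-c2.test
2024-01-01T10:00:08 10.0.0.5 A cdn.example.com
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character. Encoded payload labels score close to
    log2(alphabet size); human-chosen hostnames like 'www' score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def apex_domain(qname: str) -> str:
    """Assumed simplification: the apex is the last two labels.
    Production code should use the public suffix list (e.g. co.uk)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(log_text: str):
    """Parse whitespace-separated log lines; malformed lines are skipped."""
    records = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        records.append((ts, client, qtype.upper(), qname.lower()))
    return records


def profile_domains(log_text: str) -> dict:
    """Per-apex features: number of distinct leftmost labels, their mean entropy,
    and the share of TXT queries (a record type tunnels often abuse for downlink)."""
    stats = defaultdict(lambda: {"subdomains": set(), "entropies": [], "txt": 0, "total": 0})
    for _, _, qtype, qname in parse_log(log_text):
        apex = apex_domain(qname)
        labels = qname.rstrip(".").split(".")
        leftmost = labels[0] if len(labels) > 2 else ""  # "" when the query is the apex itself
        s = stats[apex]
        s["total"] += 1
        if qtype == "TXT":
            s["txt"] += 1
        if leftmost:
            s["subdomains"].add(leftmost)
            s["entropies"].append(shannon_entropy(leftmost))
    profile = {}
    for apex, s in stats.items():
        ent = s["entropies"]
        profile[apex] = {
            "unique_subdomains": len(s["subdomains"]),
            "mean_entropy": sum(ent) / len(ent) if ent else 0.0,
            "txt_ratio": s["txt"] / s["total"],
        }
    return profile


def flag_tunneling(log_text: str, min_unique: int = 4, min_entropy: float = 3.0) -> list:
    """Return apex domains whose subdomain churn AND label entropy both exceed the
    thresholds. Requiring both keeps busy but legitimate domains (many low-entropy
    hostnames) and single high-entropy CDN labels from being flagged on their own."""
    return sorted(
        apex
        for apex, f in profile_domains(log_text).items()
        if f["unique_subdomains"] >= min_unique and f["mean_entropy"] >= min_entropy
    )


if __name__ == "__main__":
    for apex, features in profile_domains(SAMPLE_LOG).items():
        print(apex, features)
    print("suspected tunneling apexes:", flag_tunneling(SAMPLE_LOG))
```

The thresholds are starting points, not calibrated values: a practitioner would tune `min_unique` and `min_entropy` against a baseline of their own resolver logs, and would add a time window so that the subdomain count measures churn per hour rather than over the whole log. Legitimate sources of high-entropy labels (CDN hashes, anti-spam or telemetry services) belong on an allow list reviewed alongside the output rather than suppressed inside the heuristic.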
The group has been particularly innovative in its use of trojans, specifically the RogueRobin variant. Our research has uncovered three instances of DarkHydrus delivery documents installing this new trojan type. What sets RogueRobin apart is its ability to use Google Drive for C2 communications, demonstrating DarkHydrus's shift towards abusing legitimate cloud services for its operations. This technique adds a new level of complexity to defending against such threats, because the C2 channel rides on a commonly used and trusted platform that most organizations cannot simply block.
Furthermore, our investigations show that DarkHydrus actors have transitioned their previous PowerShell-based RogueRobin code to an executable variant. This behavior aligns with patterns observed in other adversary groups operating in the Middle East, such as OilRig, indicating a regional trend towards more robust and elusive methods. As DarkHydrus continues to evolve its tactics, maintaining vigilance and advancing cybersecurity measures remains paramount.
Description last updated: 2024-10-04T22:16:35.702Z