DUBNIUM

Threat Actor Profile Updated 3 months ago
Download STIX
Preview STIX
Dubnium is a threat actor known for its execution of actions with malicious intent, primarily through the use of malware. Their operations were notably highlighted in December when they launched a campaign exploiting Adobe Flash Player. This exploit was used to distribute various samples of Dubnium's malware, one of which included a zero-day exploit that specifically targeted Adobe Flash. The malware utilized by Dubnium is committed to disguising itself, typically appearing as a Secure Shell (SSH) tool. Despite this, the initial payload of Dubnium's malware is not particularly advanced in its functionality. The Dubnium threat actor has developed sophisticated techniques to hide its internal operations and evade detection. For example, it encodes every single string related to its malicious code, and then takes an additional step to further obscure its activities. Furthermore, the Dubnium binary extensively checks the running environment, including daily-use programs and security applications that can be used to profile its targets. It also screens for various program analysis tools such as Pin and DynamoRIO. One notable characteristic of Dubnium's methodology involves the use of highly organized exploit code with broad support for different operating system flavors. After spawning the mshta.exe process with the URL to download, the malware waits before opening the mshta.exe process and searching open file handles for a handle associated with the downloaded content. This level of meticulousness underlines the threat posed by Dubnium, despite the relatively unadvanced nature of their first-stage payload.
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Darkhotel
2
DarkHotel, also known as DUBNIUM, is a cyber threat actor that has been active since at least 2018. This group has been observed primarily targeting Japanese organizations and has recently been linked to a campaign utilizing unique Tactics, Techniques, and Procedures (TTPs). The campaign involved a
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Adobe
Apt
Exploit
Payload
Malware
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the DUBNIUM Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
MITRE
a year ago
Reverse-engineering DUBNIUM’s Flash-targeting exploit - Microsoft Security Blog
MITRE
a year ago
Reverse-engineering DUBNIUM - Microsoft Security Blog
MITRE
a year ago
Analysis of Ramsay components of Darkhotel's infiltration and isolation network - Programmer Sought
Trend Micro
a year ago
Invitation to a Secret Event: Uncovering Earth Yako’s Campaigns