Magic Hound is an Iranian-sponsored threat group, operating primarily in the Middle East, whose activity dates back to as early as 2014. The group behind the campaign has primarily targeted organizations in the energy, government, and technology sectors that are either based in Saudi Arabia or have business interests there.
Associated Group Descriptions
| Name | Description |
|---|---|
| Rocket Kitten | Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the adversary group Rocket Kitten. |
| Operation Saffron Rose | Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the campaign Operation Saffron Rose. |
| Ajax Security Team | Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the group Ajax Security Team. |
| Operation Woolen-Goldfish | Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the campaign Operation Woolen-Goldfish. |
| Newscaster | Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the older attack campaign called Newscaster (aka Newscasters). |
| Cobalt Gypsy | Based on overlapping hash values in reporting, Magic Hound activity appears to overlap with activity conducted by the group known as Cobalt Gypsy. |

Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059 | Command-Line Interface | Magic Hound has used the command-line interface. |
| Enterprise | T1043 | Commonly Used Port | Magic Hound malware has communicated with C2 servers over port 6667 (for IRC) and port 8080. |
| Enterprise | T1003 | Credential Dumping | Magic Hound stole domain credentials from Microsoft Active Directory Domain Controller and leveraged Mimikatz. |
| Enterprise | T1002 | Data Compressed | Magic Hound has used RAR to stage and compress local folders. |
| Enterprise | T1114 | Email Collection | Magic Hound has collected .PST archives. |
| Enterprise | T1083 | File and Directory Discovery | Magic Hound malware can list a victim's logical drives and their type, as well as the total/free space of the fixed devices. Other malware can list a directory's contents. |
| Enterprise | T1107 | File Deletion | Magic Hound has deleted and overwritten files to cover tracks. |
| Enterprise | T1056 | Input Capture | Magic Hound malware is capable of keylogging. |
| Enterprise | T1027 | Obfuscated Files or Information | Magic Hound malware has used base64-encoded commands and files, and has also encrypted embedded strings with AES. |
| Enterprise | T1086 | PowerShell | Magic Hound has used PowerShell for execution and privilege escalation. |
| Enterprise | T1057 | Process Discovery | Magic Hound malware can list running processes. |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | Magic Hound malware has used Registry Run keys to establish persistence. |
| Enterprise | T1105 | Remote File Copy | Magic Hound has downloaded additional code and files from servers onto victims. |
| Enterprise | T1113 | Screen Capture | Magic Hound malware can take a screenshot and upload the file to its C2 server. |
| Enterprise | T1064 | Scripting | Magic Hound malware has used .vbs scripts for execution. |
| Enterprise | T1193 | Spearphishing Attachment | Magic Hound sent malicious attachments to victims over email, including an Excel spreadsheet containing macros to download Pupy. |
| Enterprise | T1192 | Spearphishing Link | Magic Hound sent shortened URL links over email to victims. The URLs linked to Word documents with malicious macros that execute PowerShell scripts to download Pupy. |
| Enterprise | T1194 | Spearphishing via Service | Magic Hound used various social media channels to spearphish victims. |
| Enterprise | T1071 | Standard Application Layer Protocol | Magic Hound malware has used HTTP and IRC for C2. |
| Enterprise | T1082 | System Information Discovery | Magic Hound malware has used a PowerShell command to check the victim system architecture to determine if it is an x64 machine. Other malware has obtained the OS version, UUID, and computer/host name to send to the C2 server. |
| Enterprise | T1016 | System Network Configuration Discovery | Magic Hound malware gathers the victim's local IP address, MAC address, and external IP address. |
| Enterprise | T1033 | System Owner/User Discovery | Magic Hound malware has obtained the victim username and sent it to the C2 server. |
| Enterprise | T1065 | Uncommonly Used Port | Magic Hound malware has communicated with its C2 server over ports 4443 and 3543. |
| Enterprise | T1204 | User Execution | Magic Hound has attempted to get users to execute malware via social media and spearphishing emails. |
| Enterprise | T1102 | Web Service | Magic Hound malware can use a SOAP Web service to communicate with its C2 server. |