DarkHydrus is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016. The group heavily leverages open-source tools and custom payloads for carrying out attacks. [1] [2]

ID: G0079
Version: 1.1
Created: 17 October 2018
Last Modified: 11 October 2019

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1187 | Forced Authentication | DarkHydrus used Template Injection to launch an authentication window for users to enter their credentials.[3] |
| Enterprise | T1143 | Hidden Window | DarkHydrus has used -WindowStyle Hidden to conceal PowerShell windows.[1] |
| Enterprise | T1086 | PowerShell | DarkHydrus leveraged PowerShell to download and execute additional scripts.[1][2] |
| Enterprise | T1193 | Spearphishing Attachment | DarkHydrus has sent spearphishing emails with password-protected RAR archives containing malicious Excel Web Query files (.iqy). The group has also sent spearphishing emails that contained malicious Microsoft Office documents that use the "attachedTemplate" technique to load a template from a remote server.[1][3][2] |
| Enterprise | T1221 | Template Injection | DarkHydrus used an open-source tool, Phishery, to inject malicious remote template URLs into Microsoft Word documents and then sent them to victims to enable Forced Authentication.[3] |
| Enterprise | T1204 | User Execution | DarkHydrus has sent malware that required users to hit the enable button in Microsoft Excel to allow an .iqy file to be downloaded.[1][2] |


| ID | Name | References | Techniques |
|---|---|---|---|
| S0154 | Cobalt Strike | [1] [2] | Access Token Manipulation, BITS Jobs, Bypass User Account Control, Command-Line Interface, Commonly Used Port, Component Object Model and Distributed COM, Connection Proxy, Credential Dumping, Custom Command and Control Protocol, Data from Local System, Execution through API, Exploitation for Privilege Escalation, Indicator Removal from Tools, Input Capture, Man in the Browser, Multiband Communication, Network Service Scanning, Network Share Discovery, New Service, Parent PID Spoofing, Pass the Hash, PowerShell, Process Discovery, Process Hollowing, Process Injection, Remote Desktop Protocol, Remote Services, Remote System Discovery, Scheduled Transfer, Screen Capture, Scripting, Service Execution, Standard Application Layer Protocol, Timestomp, Valid Accounts, Windows Admin Shares, Windows Management Instrumentation, Windows Remote Management |
| S0002 | Mimikatz | [1] [2] | Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection |
| S0270 | RogueRobin | [1] [4] | Command-Line Interface, Custom Command and Control Protocol, Data Obfuscation, Deobfuscate/Decode Files or Information, Obfuscated Files or Information, PowerShell, Process Discovery, Registry Run Keys / Startup Folder, Regsvr32, Remote File Copy, Screen Capture, Scripting, Security Software Discovery, Shortcut Modification, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, Virtualization/Sandbox Evasion, Web Service, Windows Management Instrumentation |