DarkHydrus is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016. The group heavily leverages open-source tools and custom payloads for carrying out attacks. [1] [2]

ID: G0079
Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1187 | Forced Authentication | DarkHydrus used Template Injection to launch an authentication window for users to enter their credentials. [3]
Enterprise | T1086 | PowerShell | DarkHydrus leveraged PowerShell to download and execute additional scripts. [1][2]
Enterprise | T1193 | Spearphishing Attachment | DarkHydrus has sent spearphishing emails with password-protected RAR archives containing malicious Excel Web Query files (.iqy). The group has also sent spearphishing emails that contained malicious Microsoft Office documents that use the "attachedTemplate" technique to load a template from a remote server. [1][3][2]
Enterprise | T1221 | Template Injection | DarkHydrus used an open-source tool, Phishery, to inject malicious remote template URLs into Microsoft Word documents and then sent them to victims to enable Forced Authentication. [3]
Enterprise | T1204 | User Execution | DarkHydrus has sent malware that required users to click the Enable button in Microsoft Excel to allow an .iqy file to be downloaded. [1][2]

Software

ID | Name | References | Techniques
S0154 | Cobalt Strike | [1][2] | Access Token Manipulation, BITS Jobs, Bypass User Account Control, Command-Line Interface, Commonly Used Port, Connection Proxy, Credential Dumping, Custom Command and Control Protocol, Data from Local System, Distributed Component Object Model, Execution through API, Exploitation for Privilege Escalation, Indicator Removal from Tools, Input Capture, Man in the Browser, Multiband Communication, Network Service Scanning, Network Share Discovery, New Service, Pass the Hash, PowerShell, Process Discovery, Process Hollowing, Process Injection, Remote Desktop Protocol, Remote Services, Remote System Discovery, Scheduled Transfer, Screen Capture, Scripting, Service Execution, Standard Application Layer Protocol, Timestomp, Valid Accounts, Windows Admin Shares, Windows Management Instrumentation, Windows Remote Management
S0002 | Mimikatz | [1][2] | Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0270 | RogueRobin | [1][4] | Command-Line Interface, Custom Command and Control Protocol, Data Obfuscation, Deobfuscate/Decode Files or Information, Obfuscated Files or Information, PowerShell, Process Discovery, Registry Run Keys / Startup Folder, Regsvr32, Remote File Copy, Screen Capture, Scripting, Security Software Discovery, Shortcut Modification, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, Virtualization/Sandbox Evasion, Web Service, Windows Management Instrumentation